Hi there,
I am one of the directory authority operators, so while I don't claim to know what the collective community wants, I am one of the people who are asked to make these decisions.
On 22 Dec 2016, at 10:25, Rana ranaventures@gmail.com wrote:
So my question to the community is as follows: does the Tor community want these small, cheap relays scattered in large quantity around the world, or not?
Executive Summary: On balance, the very small relays do not contribute enough resources compared to the associated costs to be worthwhile. Details below.
I realize there could be pros and contras. Among the contras there could be (for example) many small relays overloading the dirauths. I would like to hear more about the contras.
The dirauths are indeed a bottleneck in the Tor relay ecosystem, as they have to reguarly contact each relay, measure its bandwidth, check for malicious behaviour etc. But the dirauths are doing fine. The load my dirauth receives is negligible compared to what it could handle. There's a much bigger contributing factor here, however: The information about all relays must be made available to all clients, in a somewhat synchronized fashion. Tor has recently improved its design in this regard massively with the introduction of microdescriptors, and since then it's become somewhat more tolerable to have many small relays. In the past, we allowed relays in the network that were a net drain on available bandwidth, because just distributing their key material used up more bandwidth than they provided in total.
Residental lines in particular are typically very bad choices for relays, because they are much more prone to fluctuations in available bandwidth, the hardware caves when too many connections are open in parallel, and if the connection (which most often is asymmetric, with less upload capacity than down) were any near saturated using the internet would become a horribly slow and unpleasant experience.
This last point is also the reason why any time you build any kind of network, you overprovision like crazy. The de-cix (largest internet exchange currently in existence) has a peak traffic that exceeds the average by a factor of roughly 1.75. The connected capacity is larger by a factor of 3.5. This is just so that you don't experience service degradation, and it's very common in computer networking. In the past, Tor was massively overloaded and very slow to use, which was a very real obstacle to getting it used, even in places that heavily censor or surveill internet usage.
I have a relay on a symmetric 1gbit/s connection, yet the average traffic I push with that relay is just 16MB/s per direction. It is a non-exit relay, if it were used to exit I suspect it would maybe double or quadruple that utilization, but probably get noewhere near line capacity. If more people wanted to make use of it they could, but currently they don't - that's OK, there's no obligation for the Tor network to fill my relay with traffic that it shouldn't get. It is not just the small relays that don't get as much traffic as they could handle.
Among the pros there could be increased security and anonymity, as it would take adversaries a bigger effort to infiltrate the network by establishing rogue relays. Also could be invaluable as bridges to help people under repressive regimes overcome censorship. Tor is gradually getting killed there.
To me, the biggest pro is that the number of relay operators, of people who care enough to support the Tor network, is great politically. It's awesome that so many people want to help by providing some of the bandwidth they pay for. It's amazing that Exit operators make their connections endpoints of a public network.
Robustness of the network is a comparatively much smaller factor. Needing to re-distribute information about changed IP adresses is a major hurdle towards bridge adoption. We've actually found that large bridges runnning one of the obfuscation protocols have massively higher chances of being useful than small and unreliable bridges, which is why Isis, the bridge db and bridge authority operator, has asked us not to recommend people run bridges on their small residental connections.
I want to dispute the claim that unreliable relays (those either too slow or changing their IP too often to be used as Guards) contribute much anonymity-wise. The biggest protection you get is from your guard, and if you need to roll the dice more often (to pick a new guard more often), the chance that you pick one that is controlled by an adversary of yours increases.
My general impression is that the current DirAuth and bwauths policies are stuck at some old paradigm where small bandwidth relays are dismissed without good reason, and tons of bandwidth gains and especially diversity and anonymity benefits are foregone
The reasons I have presented above are good enough for me, personally. It seems I am not alone in this assessment. Perhaps I have been able to convince you, or at least explain my personal reasoning in a way that allows you to find some reason in it.
Thanks for being a supporter of privacy, anonymity and human rights.
Cheers Sebastian