Fwd: Tor family graphs
Hello tor-relays@ We are still working on your nice relay incentive as and part of that we've been looking at how to partition relays into different families with it's not 100% obvious what that groupings should be. For those that are interested in the family connections, I have some pretty PDFs for you. I present three graphs of all Tor relays (nodes) with at least one family connection (edge). (1) only symmetric edges shown (black) -- http://dl.dropbox.com/u/3308162/sym.pdf (2) only asymmetric edges shown (red) -- http://dl.dropbox.com/u/3308162/asym.pdf (3) both symmetric (black) and asymmetric (red) shown -- http://dl.dropbox.com/u/3308162/both.pdf Notes: * A node is colored red if and only if it is the origin of an asymmetric connection. Ergo, every red node has at least one red edge, and vice-versa. * Blue edges are self-connections. I presume the Tor directory authorities should be excluding should these edges from the consensus---unless you all like being cute? Unfortunately you cannot click to see where you are in the graph. Hopefully in a future version you'll be able to click-around using D3.js or some such. -V
On Wed, Jul 22, 2015 at 09:31:58PM +0800, Virgil Griffith wrote:
I present three graphs of all Tor relays (nodes) with at least one family connection (edge).
Thanks Virgil! I think the clear first conclusion here is that our current method, writing symmetric fingerprints into torrcs, is not consistently easy for relay operators to use. I don't have a fix -- but if anybody out there has been working on a proposal for a better design, they should point to these graphs as justification that it is a real issue worth solving. --Roger
Thanks Virgil! Anytime.
I don't know the opportunity cost for implementing it, but there's always proposal #242 ;) https://gitweb.torproject.org/torspec.git/tree/proposals/242-better-families... -V On Thu, Jul 23, 2015 at 3:11 AM, Roger Dingledine <arma@mit.edu> wrote:
On Wed, Jul 22, 2015 at 09:31:58PM +0800, Virgil Griffith wrote:
I present three graphs of all Tor relays (nodes) with at least one family connection (edge).
Thanks Virgil!
I think the clear first conclusion here is that our current method, writing symmetric fingerprints into torrcs, is not consistently easy for relay operators to use.
I don't have a fix -- but if anybody out there has been working on a proposal for a better design, they should point to these graphs as justification that it is a real issue worth solving.
--Roger
_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Out of curiosity, what is the need for ensuring a node cannot be put into a family without its consent? What would be wrong with, say, a FamilyName directive? Set the same FamilyName on each node you control, and routes will avoid multiples. On 07/22/2015 03:48 PM, Virgil Griffith wrote:
Thanks Virgil! Anytime.
I don't know the opportunity cost for implementing it, but there's always proposal #242 ;)
https://gitweb.torproject.org/torspec.git/tree/proposals/242-better-families...
-V
On Thu, Jul 23, 2015 at 3:11 AM, Roger Dingledine <arma@mit.edu> wrote:
On Wed, Jul 22, 2015 at 09:31:58PM +0800, Virgil Griffith wrote:
I present three graphs of all Tor relays (nodes) with at least one family connection (edge).
Thanks Virgil!
I think the clear first conclusion here is that our current method, writing symmetric fingerprints into torrcs, is not consistently easy for relay operators to use.
I don't have a fix -- but if anybody out there has been working on a proposal for a better design, they should point to these graphs as justification that it is a real issue worth solving.
--Roger
_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Out of curiosity, what is the need for ensuring a node cannot be put into a family without its consent? What would be wrong with, say, a FamilyName directive? Set the same FamilyName on each node you control, and routes will avoid multiples.
That would give an adversary the ability to reduce the likelihood of your relays being chosen in a path by adding many relays to your family (without requiring your consent).. and probably many other things.
True, but unless one family controls a large part of the network (which is bad even with the current system), this is barely worse than an attacker flooding the current network with new relays in a family. I believe what you describe is possible in the current system as well. The only thing I can imagine that would make a "FamilyName" system problematic would be if a lot of people left a default or something like "FamilyName family". On 07/22/2015 04:33 PM, nusenu wrote:
Out of curiosity, what is the need for ensuring a node cannot be put into a family without its consent? What would be wrong with, say, a FamilyName directive? Set the same FamilyName on each node you control, and routes will avoid multiples.
That would give an adversary the ability to reduce the likelihood of your relays being chosen in a path by adding many relays to your family (without requiring your consent).. and probably many other things.
_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
I believe what you describe is possible in the current system as well.
No it is currently not possible, since the current MyFamily design requires mutual consent. -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJVsAFrAAoJEFv7XvVCELh0Cv8P/1a/TFS6wsFBjQia+3zw1tE+ MJdTivYyJtD8cGppxKyGTWSXI4o62/o9gB+BRnj05anileMoTCVUf/6LQh5v50PN CK0+CbBxeJQX2y3gOgzClogB+MlYKuMF0CqMorlDBlk5bcezb7BohlsaoHN7+eic 9zXJ+qh7IkmirhMeRivuhE60Iuen9hoGLQ6kbNcvolbXEbRIz7pUkf41vo4rkYh3 B+Z7s3UCbSkWYXWfclF9iiuGPtg54lvS+kP0kOnYK+Pr3jeW4xjBeJkkbwhlN7FT FcTL7uPfGXGdpIhmEIDaPyfG9ObS57kHobAzvPMI8EsDBaMSgJkxMgx14TcU2m8V em5H8vvmgQyukkpt8nG6LgxHWUWVNSZFDY3wglbZ3MzSL/BjkT3eW97kWKitwrHU 9piP559rzWhASNiqsyfPmcc6uvhTm5OFNSLBFWv8iUbF8mGnHneRK1UvSopatXPn +iu8O23bbkk4LLwlkxs5eevjKZyRdyafn1aXpi+ukAlGjQxHfzvhmfcv3K9AqE/E gYFyELIvuD4/4LrFLC9yyNj7k/GZODEzGdeC/Fq1Xgn1mZSgC6goZIQtLyvPPxtJ hbsPOzilVYp/soWAjmt1SNAQh735SeRTl7Q5ehfFsfi1O7sJ6OZRH04TeqCocV7d SP9lHBhEXeck7kvwvHgW =Wl/U -----END PGP SIGNATURE-----
Okay, I'm not familiar with the implementation. That leaves the other point and question though: - The attack described would require a lot of resources to significantly pull down the utilization of one family (and adding those relays to the network might help it more than hurt). - Are there any other reasons the family system needs to prevent relays from being included in a family against their consent? Thanks! On 07/22/2015 04:47 PM, nusenu wrote:
I believe what you describe is possible in the current system as well.
No it is currently not possible, since the current MyFamily design requires mutual consent. _______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
participants (4)
-
JovianMallard -
nusenu -
Roger Dingledine -
Virgil Griffith