This has probably been addressed before but why isn't the MyFamily value just a single, unique ID?
If I have the relays with the fingerprints "John", "Jane", and "Alice" and I want to add "Bob", wouldn't it be simpler (and more logical) to add the unique MyFamily "Smith" to each torrc file than listing all fingerprints?
What do you do when you have 50 relays and want to add or remove a relay? You must modify 50 torrc files and restart all 50 relays? That seems tedious and unnecessary. I'm trying to find a way to automate this process and I can wrap my head around the complexity of the problem, especially with multiple servers.
I could just use the fingerprint of my first relay as MyFamily (to ensure uniqueness) and then add it to every other torrc file I create in the future. Even if I remove the first relay from the network, the MyFamily value is still valid as a unique "family" name.
I don't know the particular procedure, but even the process of blacklisting relays based on MyFamily, when selecting a relay, seems tedious. For example, the entry relay has 50 family members and the middle relay has 50 other family members, so I have to compare the potential exit relay "first" name to 100 "first" names instead of comparing its "family" name to two "family" names.
Is this too complicated to implement or am I missing something?
Denny
On Sat, May 13, 2023 at 12:55:17PM -0400, denny.obreham@a-n-o-n-y-m-e.net wrote:
This has probably been addressed before but why isn't the MyFamily value just a single, unique ID?
If I have the relays with the fingerprints "John", "Jane", and "Alice" and I want to add "Bob", wouldn't it be simpler (and more logical) to add the unique MyFamily "Smith" to each torrc file than listing all fingerprints?
I believe the reason for the current setup is to prevent randos from adding themselves to your family of relays, and then causing problems.
- Matt
This has probably been addressed before but why isn't the MyFamily value just a single, unique ID?
There is a proposal to have some way of doing that in the future, but that proposal isn't implemented: https://gitlab.torproject.org/tpo/core/torspec/-/blob/main/proposals/321-hap... It's not as easy as having a unique ID: you need to make sure a relay can't spoof being part of a family. That's why it requires a two-way relationship for now, and it will probably use some form of signature in the future.
What do you do when you have 50 relays and want to add or remove a relay? You must modify 50 torrc files and restart all 50 relays? That seems tedious and unnecessary.
Sadly, yes it is. You can reload the relays instead of restarting them, which is somewhat better but still not great. One thing that can help is using the %include feature of torrc to keep your MyFamily line in a distinct file you can easily copy around. That's not great, but still easier/safer than editing a configuration file automatically.
regards,
trinity-1686a
On Mon, May 15, 2023 at 5:21 AM Matt Palmer mpalmer@hezmatt.org wrote:
On Sat, May 13, 2023 at 12:55:17PM -0400, denny.obreham@a-n-o-n-y-m-e.net wrote:
This has probably been addressed before but why isn't the MyFamily value just a single, unique ID?
If I have the relays with the fingerprints "John", "Jane", and "Alice" and I want to add "Bob", wouldn't it be simpler (and more logical) to add the unique MyFamily "Smith" to each torrc file than listing all fingerprints?
I believe the reason for the current setup is to prevent randos from adding themselves to your family of relays, and then causing problems.
That's correct: if an attacker can add their relay to a family without the rest of the family's consent, they can use that to influence routing and do some kinds of path-selection attacks.
For an easy example, let's imagine that we let any relay put itself into any family. Now suppose the attacker starts three relays A1, A2, and A3. Then, since nothing stops them, they put A1 into a family with every relay on the network, except for A2 and A3. Now, any time a user (randomly) selects A1, they will find that the only other relays they can use on that circuit are A2 and A3; this will build a completely attacker-controlled path, and they will get no privacy.
That said, there's an open proposal to try to make it so relays can use a cryptographic identifier instead of a unique ID or a list: https://gitlab.torproject.org/tpo/core/torspec/-/blob/main/proposals/321-hap... I'd be curious to know whether relay operators think this proposal would be usable for them; when I first circulated it, I didn't get a lot of feedback.
(Oh, I see that Trinity has mentioned this too. Hi, Trinity!)
cheers,
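The scenario Nick describes, as an added example (not code from the thread or from Tor): a small model of family-aware path selection that compares the one-sided rule of the thought experiment with the mutual-declaration rule Tor applies today (two relays count as family only if each lists the other), and shows what a stale torrc does to that protection. Relay names are constructed; subnet-based family rules are not modelled.

```python
# Declared families: relay -> set of relays named in its MyFamily line.
def same_family_mutual(a, b, declared):
    """Tor's rule: a and b are family only if each lists the other."""
    return a != b and b in declared.get(a, set()) and a in declared.get(b, set())

def same_family_one_sided(a, b, declared):
    """The hypothetical rule from the message: one declaration is enough."""
    return a != b and (b in declared.get(a, set()) or a in declared.get(b, set()))

def usable_after(first_hop, relays, declared, rule):
    """Relays a client may still pick for the rest of a circuit whose first hop
    is first_hop: everything not in first_hop's family under the given rule."""
    return sorted(r for r in relays if r != first_hop and not rule(first_hop, r, declared))

# Constructed network (not real relays): one honest family, three unrelated
# relays, and an operator who runs A1, A2 and A3 and wants to abuse families.
HONEST = {"John", "Jane", "Alice", "Bob"}
OTHERS = {"R1", "R2", "R3"}
ATTACKER = {"A1", "A2", "A3"}
RELAYS = HONEST | OTHERS | ATTACKER

DECLARED = {r: HONEST - {r} for r in HONEST}   # honest relays list each other
DECLARED["A1"] = RELAYS - ATTACKER             # A1 claims everyone except A2, A3
DECLARED["A2"] = DECLARED["A3"] = set()

def demo():
    one_sided = usable_after("A1", RELAYS, DECLARED, same_family_one_sided)
    mutual = usable_after("A1", RELAYS, DECLARED, same_family_mutual)
    # A stale torrc on Jane (never told about Bob) silently breaks that pair's
    # family link under the mutual rule: the protection quietly disappears.
    stale = dict(DECLARED, Jane=HONEST - {"Jane", "Bob"})
    return one_sided, mutual, same_family_mutual("Jane", "Bob", stale)

if __name__ == "__main__":
    one_sided, mutual, jane_bob = demo()
    print("one-sided rule, after A1:", one_sided)   # only A2 and A3 remain
    print("mutual rule, after A1:  ", mutual)       # A1's claim gains nothing
    print("Jane/Bob still family with stale torrc?", jane_bob)
```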
Hi,
On 5/13/23 18:55, denny.obreham@a-n-o-n-y-m-e.net wrote:
What do you do when you have 50 relays and want to add or remove a relay? You must modify 50 torrc files and restart all 50 relays? That seems tedious and unnecessary. I'm trying to find a way to automate this process and I can wrap my head around the complexity of the problem, especially with multiple servers.
I maintain my MyFamily completely automated using puppet. So once I add new relays to my infrastructure, all the torrc files automatically get updated and the relays reload (or restart?).
If you really do run >5 relays, I'd highly suggest using whatever automation (puppet, ansible, salt, chef, ...) suits you. But don't even try to maintain that amount of relays by hand.
As a bonus you can have a unified setup of unattended upgrades and such things too.
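One way to do what trinity and Matthias describe, as an added example (not code from the thread, from Tor, or from any puppet module): generate the single shared MyFamily file that every torrc pulls in with %include, and check each relay's torrc against the intended family so a stale hand-edited copy is caught before the reload. It assumes each %include names one absolute file path and that read_include(path) is how the included file's text is fetched; all fingerprints are constructed.

```python
import re

FP_RE = re.compile(r"^\$?([0-9A-Fa-f]{40})$")

def normalize(fp):
    """Validate a relay fingerprint; return it as '$' + 40 upper-case hex."""
    m = FP_RE.match(fp.strip())
    if not m:
        raise ValueError(f"not a relay fingerprint: {fp!r}")
    return "$" + m.group(1).upper()

def family_line(fingerprints):
    """The one MyFamily line that goes in the shared, %include'd file."""
    return "MyFamily " + ",".join(sorted({normalize(f) for f in fingerprints}))

def declared_family(torrc_text, read_include):
    """Fingerprints a torrc declares, following '%include <file>' lines via
    read_include(path) -> text (torrc keys are case-insensitive)."""
    fps = set()
    for raw in torrc_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("%include "):
            fps |= declared_family(read_include(line.split(None, 1)[1].strip()), read_include)
        elif line.lower().startswith("myfamily "):
            fps |= {normalize(f) for f in line.split(None, 1)[1].split(",")}
    return fps

def find_drift(torrcs, family, read_include):
    """For each relay (own fingerprint -> torrc text) report the members its
    MyFamily is missing and the extra entries it lists; own entry ignored."""
    want = {normalize(f) for f in family}
    drift = {}
    for own, text in torrcs.items():
        own = normalize(own)
        got = declared_family(text, read_include) - {own}
        missing, extra = want - got - {own}, got - want
        if missing or extra:
            drift[own] = (sorted(missing), sorted(extra))
    return drift

# Constructed fingerprints (not real relays) for a four-relay family.
FAMILY = ["A" * 40, "B" * 40, "C" * 40, "D" * 40]
SHARED = {"/etc/tor/family.conf": family_line(FAMILY) + "\n"}
TORRCS = {
    FAMILY[0]: "Nickname john\n%include /etc/tor/family.conf\n",
    FAMILY[1]: "Nickname jane\n%include /etc/tor/family.conf\n",
    FAMILY[2]: "Nickname alice\nMyFamily $%s,$%s\n" % (FAMILY[0], FAMILY[1]),  # stale copy
}

if __name__ == "__main__":
    print(find_drift(TORRCS, FAMILY, SHARED.__getitem__))  # flags alice: missing D
```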
Best regards, Matthias