What could bring several exits at different providers and different operating systems (Linux and FreeBSD) down on the same day, Jan 21st?
Since, while they still run as relays, they don’t show as exits any more without any change from my side.
They do run on Tor 0.3.1.9 or 0.3.2.9 in the same Family.
Thanks Paul
On 09 Feb (19:06:23), Paul wrote:
What could bring several exits at different providers and different operating systems (Linux and FreeBSD) down on the same day, Jan 21st?
Since, while they still run as relays, they don’t show as exits any more without any change from my side.
They do run on Tor 0.3.1.9 or 0.3.2.9 in the same Family.
They could have been flagged as BadExit.
Can you provide the list of fingerprints or/and IPs of your Exits?
Thanks! David
Thanks Paul
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Paul:
What could bring several exits at different providers and different operating systems (Linux and FreeBSD) down on the same day, Jan 21st?
Since, while they still run as relays, they don’t show as exits any more without any change from my side.
They do run on Tor 0.3.1.9 or 0.3.2.9 in the same Family.
I'm not sure if you are referring to your relays or someone else's relays?
I assume you talk about: https://atlas.torproject.org/#search/contact:1K38x9xqK3YDzjehYFAEPzsESEC4ScH...
it is indeed interesting why some of them have no exit flag, example: https://atlas.torproject.org/#details/B27509F6D6233ACD2EAC8936D5FE7CBF009163...
@David: they don't have badexit flags
2018-01-21 appears to have been an interesting day indeed https://twitter.com/nusenu_/status/960176185954242560
reject 80
That's why.
On 09.02.2018 at 19:28, niftybunny wrote:
reject 80
That's why.
Was there a change of rules on that day? Reject 80 was always the case in those settings.
Minimum is:
accept *:53
accept *:80
accept *:443
On Fri, Feb 09, 2018 at 07:37:09PM +0100, niftybunny wrote:
Minimum is:
accept *:53
accept *:80
accept *:443
(A) Correct, we recently changed it so both 80 and 443 are required: https://bugs.torproject.org/23637
(B) Port 53 has nothing to do with the exit flag, and it goes mostly unused anyway -- you might think 53 is dns, but most dns is not done in the form of tunneled tcp connections to tcp port 53.
--Roger
On 09.02.2018 at 19:41, Roger Dingledine wrote:
On Fri, Feb 09, 2018 at 07:37:09PM +0100, niftybunny wrote:
Minimum is:
accept *:53
accept *:80
accept *:443
(A) Correct, we recently changed it so both 80 and 443 are required: https://bugs.torproject.org/23637
--Roger
Thank you for that explanation - how long should it take to get the exit flag back when opening port 80 ?
Paul
On Sun, Feb 11, 2018 at 11:55:44AM +0100, Paul wrote:
(A) Correct, we recently changed it so both 80 and 443 are required: https://bugs.torproject.org/23637
Thank you for that explanation - how long should it take to get the exit flag back when opening port 80 ?
How long *should* it take? At most an hour -- your relay publishes a new descriptor with the new exit policy, and on the next consensus vote (which happens at the top of each hour), all the dir auths who have seen the new descriptor vote the Exit flag for you.
If you meant "how long until Atlas shows that I have it", add a few hours to that, since it pulls its data from onionoo, which pulls from whatever on the metrics side is doing the data fetching and collection.
There have been some other issues here and there lately, where your relay publishes a new descriptor, but some of the dir auths decide that it isn't interesting compared to the one they've already got. Your relay publishes a new descriptor every 18 hours in any case, so these rare situations generally work themselves out within a day.
So: it should be within an hour, and it likely will be within a day. :)
If you want to debug it more, you can fetch the recent votes from https://collector.torproject.org/recent/relay-descriptors/votes/ and see what each of the votes says about your "s" lines.
I try to put moria1's most recently seen votes at https://www.freehaven.net/~arma/moria1-v3-status-votes every hour if you want extra fresh data.
--Roger
niftybunny:
reject 80
That's why.
good catch :)
yes, I can confirm that, but it was already there on 2018-01-19 13:00
so on that day I guess dir auths updated to the version enforcing 80+443 for exit flag
to confirm this:
Dir Auth Tor versions as of 2018-01-19 13:00
+-------------------+------------+
| tor_version       | nickname   |
+-------------------+------------+
| 0.3.1.9           | dannenberg |
| 0.3.1.9           | longclaw   |
| 0.3.1.9           | dizum      |
| 0.3.1.9           | gabelmoo   |
| 0.3.1.9           | Bifroest   |
| 0.3.1.9           | Faravahar  |
| 0.3.1.9           | maatuska   |

| 0.3.2.9           | tor26      |
| 0.3.3.0-alpha-dev | moria1     |

| 0.3.2.9           | bastet     | bridge dirauth
+-------------------+------------+

Dir Auth Tor versions as of 2018-01-20 12:00
An hour after you lost the exit flag:
+-------------------+------------+
| tor_version       | nickname   |
+-------------------+------------+
| 0.3.1.9           | dannenberg |
| 0.3.1.9           | longclaw   |
| 0.3.1.9           | dizum      |
| 0.3.1.9           | Bifroest   |
| 0.3.1.9           | Faravahar  |
| 0.3.1.9           | maatuska   |

| 0.3.2.9           | gabelmoo   |
| 0.3.2.9           | tor26      |
| 0.3.3.0-alpha-dev | moria1     |

| 0.3.2.9           | bastet     | bridge dirauth
+-------------------+------------+
I'm curious: Why did this change come into effect after only 3/9 having the change deployed? Are only a subset of dir auths responsible for voting about the exit flag?
thanks!
the change was in 0.3.2.9:
Minor features (directory authority):
Make the "Exit" flag assignment only depend on whether the exit policy allows connections to ports 80 and 443. Previously relays would get the Exit flag if they allowed connections to one of these ports and also port 6667. Resolves ticket 23637.
The thing is, someone should scan all relays and inform them that their exit flag is gone. We need every exit we can get.
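How the rule change in the changelog entry above plays out for a given exit policy, as an added example that is not from the thread or from Tor's source. It is a simplified model: IPv4 rules only, a rule counts only if it covers at least a /8, the older rule is taken as "at least two of 80, 443 and 6667" (which includes the changelog's case), and the three policies are constructed.

```python
def parse_rule(line):
    """'accept 192.0.2.0/24:80-443' -> (is_accept, mask_bits, low_port, high_port)."""
    action, target = line.split()
    addr, _, ports = target.rpartition(":")
    bits = 0 if addr == "*" else int(addr.partition("/")[2] or 32)
    if ports == "*":
        return action == "accept", bits, 1, 65535
    lo, _, hi = ports.partition("-")
    return action == "accept", bits, int(lo), int(hi or lo)

def allows_port(policy, port):
    """The first rule covering `port` for at least a /8 of addresses decides."""
    for is_accept, bits, lo, hi in map(parse_rule, policy):
        if lo <= port <= hi and bits <= 8:
            return is_accept
    return False  # assumption: no covering rule is treated as a reject

def exit_flag_old(policy):
    """Assumed older rule: at least two of ports 80, 443 and 6667."""
    return sum(allows_port(policy, p) for p in (80, 443, 6667)) >= 2

def exit_flag_new(policy):
    """Rule after ticket 23637: both 80 and 443."""
    return allows_port(policy, 80) and allows_port(policy, 443)

# Constructed policies (IPv4 only), not taken from any relay in the thread.
REJECT_80 = ["reject *:80", "accept *:443", "accept *:6667", "reject *:*"]
MINIMUM = ["accept *:53", "accept *:80", "accept *:443", "reject *:*"]
NARROW_80 = ["accept 192.0.2.0/24:80", "accept *:443", "reject *:*"]

if __name__ == "__main__":
    for name, pol in [("REJECT_80", REJECT_80), ("MINIMUM", MINIMUM), ("NARROW_80", NARROW_80)]:
        print(name, "old:", exit_flag_old(pol), "new:", exit_flag_new(pol))
```

A policy like REJECT_80 is the case that silently loses the flag once enough authorities apply the new rule, while port 53 in MINIMUM plays no part in either check.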
niftybunny:
The thing is, someone should scan all relays and inform them that their exit flag is gone. We need every exit we can get.
thank you for your input - I sent out that other email to address it (luckily we do not need to scan to gather that kind of data).
So back to my question:
Why did this change come into effect after only 3/9 [dirauths] having the change deployed? Are only a subset of dir auths responsible for voting about the exit flag?
On Sat, Feb 10, 2018 at 11:37:00PM +0000, nusenu wrote:
| 0.3.1.9           | Bifroest   |
| 0.3.2.9           | bastet     | bridge dirauth
Careful, it's Bifroest that's the bridge auth. bastet is just a normal v3 auth.
I'm curious: Why did this change come into effect after only 3/9 having the change deployed? Are only a subset of dir auths responsible for voting about the exit flag?
From https://collector.torproject.org/archive/relay-descriptors/votes/votes-2018-... it looks like on 2018-01-20-12-00-00, mandela had the following status flag votes:
dannenberg: s Fast Guard Stable V2Dir Valid
tor26: s Fast Guard HSDir Running Stable V2Dir Valid
longclaw: s Exit Fast HSDir Running Stable V2Dir Valid
bastet: s Fast HSDir Running Stable V2Dir Valid
maatuska: s Exit Fast HSDir Running Stable V2Dir Valid
moria1: s Fast Guard Running Stable V2Dir Valid
dizum: s Exit Fast Guard HSDir Running Stable V2Dir Valid
gabelmoo: s Fast Guard HSDir Running Stable V2Dir Valid
Faravahar: s Exit Fast HSDir Running Stable V2Dir Valid
So 4 of 9 votes for the Exit flag, and that's not enough.
In this case, 4 of the 9 were running a new enough version to withhold the Exit flag, and dannenberg was the surprise fifth that withheld it.
In fact, dannenberg withheld the Exit flag from *every* relay in its vote, that hour!
dannenberg gave out Exit flags from 00 to 10 on the 20th, but not at 11am, or anytime else that day, until noon on the 21st when it resumed.
And when it resumed at noon on the 21st, it was running 0.3.2.9 (and so even though it was voting Exit for many relays, it was no longer voting Exit for mandela).
My first guess for the culprit would be bug 24137, which went into 0.3.3.1-alpha so only moria1 will have the fix. That bug basically made dir auths not vote Exit when the relay's bandwidth is too low. But that bug doesn't fit this situation perfectly.
I wonder if dannenberg dabbled in using the output of a bandwidth authority (bwauth) during that time -- if so, then bug 24137 would be a good match.
It's a good mystery. :) Maybe we can find more recent situations where directory authorities completely left out the Exit flags from their votes?
--Roger
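Tallying the "s" lines per authority, as Roger does above, can be scripted; this added example is not from the thread or from a Tor tool. It reuses the nine flag sets quoted in his message, while the fingerprint, the other vote fields and the strict-majority threshold are assumptions.

```python
import base64

def relay_id_b64(fp_hex):
    """Votes name relays by the unpadded base64 of the 20-byte identity digest."""
    return base64.b64encode(bytes.fromhex(fp_hex)).decode().rstrip("=")

def flags_in_vote(vote_text, fp_hex):
    """Return (authority nickname, flag set) for one vote; None if relay absent."""
    want, authority, flags, in_entry = relay_id_b64(fp_hex), None, None, False
    for line in vote_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "dir-source" and len(parts) > 1:
            authority = parts[1]
        elif parts[0] == "r" and len(parts) > 2:
            in_entry = parts[2] == want   # each "r" line opens a relay entry
        elif parts[0] == "s" and in_entry:
            flags, in_entry = set(parts[1:]), False
    return authority, flags

def tally_flag(votes, fp_hex, flag="Exit"):
    """List authorities voting `flag`. Assumption: the consensus needs a strict
    majority of the supplied votes, matching the "4 of 9 is not enough" reading."""
    per_auth = dict(flags_in_vote(v, fp_hex) for v in votes)
    yes = sorted(a for a, f in per_auth.items() if f and flag in f)
    return yes, len(per_auth), len(yes) > len(per_auth) / 2

# Constructed input: the "s" lines are the ones quoted in the thread, but the
# fingerprint and every other field are placeholders, not collector data.
SAMPLE_FP = "00112233445566778899AABBCCDDEEFF00112233"
S_LINES = {
    "dannenberg": "Fast Guard Stable V2Dir Valid",
    "tor26": "Fast Guard HSDir Running Stable V2Dir Valid",
    "longclaw": "Exit Fast HSDir Running Stable V2Dir Valid",
    "bastet": "Fast HSDir Running Stable V2Dir Valid",
    "maatuska": "Exit Fast HSDir Running Stable V2Dir Valid",
    "moria1": "Fast Guard Running Stable V2Dir Valid",
    "dizum": "Exit Fast Guard HSDir Running Stable V2Dir Valid",
    "gabelmoo": "Fast Guard HSDir Running Stable V2Dir Valid",
    "Faravahar": "Exit Fast HSDir Running Stable V2Dir Valid",
}
def sample_vote(auth, s_line):
    return (f"vote-status vote\ndir-source {auth} {'0' * 40} host 192.0.2.1 80 443\n"
            "r other AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBB 2018-01-20 11:00:00 192.0.2.9 9001 0\n"
            "s Exit Fast Running Valid\n"
            f"r sample {relay_id_b64(SAMPLE_FP)} CCCC 2018-01-20 11:00:00 192.0.2.7 9001 0\n"
            f"s {s_line}\n")
SAMPLE_VOTES = [sample_vote(a, s) for a, s in S_LINES.items()]
```

Calling `tally_flag(SAMPLE_VOTES, SAMPLE_FP)` lists the authorities that voted Exit for the relay; pass `flag="Running"` or another flag name to tally that one instead.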
It's a good mystery. :) Maybe we can find more recent situations where directory authorities completely left out the Exit flags from their votes?
thanks for your analysis. maybe we can DocTor checks for this and graphs on consensus-health https://lists.torproject.org/pipermail/tor-dev/2018-February/012918.html