[tor-bugs] #3678 [Tor Client]: Disallow more than one relay per country in a circuit

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Wed Aug 3 01:17:38 UTC 2011

#3678: Disallow more than one relay per country in a circuit
 Reporter:  cypherpunks  |          Owner:     
     Type:  enhancement  |         Status:  new
 Priority:  major        |      Milestone:     
Component:  Tor Client   |        Version:     
 Keywords:               |         Parent:     
   Points:               |   Actualpoints:     
Changes (by nickm):

  * priority:  normal => major


 This one is a lot more complicated than it sounds.

 Please take the following concerns not as arguing that the idea of
 country-aware routing is broken or unworkable, but as an explanation for
 why the simple version of it is not necessarily a good idea, and why the
 complex version of it that _might_ be a good idea still has a bunch of
 unsolved problems.

 You not only need to think about the countries used by your Tor relays,
 but the country that you're in ''and'' the country that your destination
 is in.  For example, if you and your destination are in the same country,
 and some agency in that country is monitoring and correlating its internal
 communications, then current low-latency anonymity designs can't help
 against them.

 And it gets even more complicated: internet topology does not obey
 national borders (it's not uncommon for a connection between two places in
 one country to travel through a third country -- I hear it happens in
 Canada a lot), and nations are not connected in a clique (traffic from
 country A to country B often goes through some other country C).

 And to add a new fun complication, there are agencies out there who
 allegedly do most of their snooping at national borders and IX exchanges.
 Maximizing country-to-country transitions would seem to _increase_
 exposure to such attackers rather than limit it.

 And finally, nobody's done the math as far as I know to show whether and
 under what circumstances a routing algorithm of this style would give you
 observably different results from using the regular path generation
 algorithm in a way that would allow an attacker to separate your traffic
 from the rest of the network and thereby actually make your anonymity


 In spite of all of that, this is research that we '''do''' need to do.
 Murdoch and Zelinski have some important observations
 (http://freehaven.net/anonbib/#murdoch-pet2007).  I think that one of the
 most promising directions I know of right now for topology-aware routing
 is the kind of work done by Edman and Syverson
 (http://freehaven.net/anonbib/#DBLP:conf/ccs/EdmanS09); I think some other
 groups are poking on it too.  A forthcoming paper I did with Roger
 Dingledine, Paul Syverson, and Aaron Turner (assuming that it gets in
 where we submitted it) might also have some relevance, though it's more
 about mistrusting some countries more than others than it is about what to
 do if you mistrust all countries equally but think that they don't

 Anything that can be done to pick up the analysis work of any of these
 threads would be greatly helpful.


 Oh! And as a workaround, if none of the above issues concern you, then you
 '''can''' get something close to what you want here by splitting
 countries with lots of Tor nodes into two halves, and saying
 EntryNodes {aa},{bb},{cc},...
 ExitNodes {nn},{oo},{pp},...
 You'll need to use Tor 0.2.3.x for support for country codes in your
 EntryNodes list, and you might want to decide whether to use "StrictNodes
 1" to make sure that Tor forbids circuits you don't want even when they
 would be needed to connect to a directory or hidden service.

 Anybody else got observations here?  Was there anything I missed?

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3678#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
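
The workaround from the message, as an added example that is not part of the original post or of Tor's code: a Python sketch that splits a list of countries into two disjoint halves of similar relay weight and renders the matching torrc lines. The relay counts, the two-letter codes (placeholders in the style of the message's `{aa}`) and the function names are constructed for illustration.

```python
# Added example: build the EntryNodes/ExitNodes split described in the message.
# RELAYS_PER_COUNTRY is constructed sample data, not real consensus numbers,
# and the two-letter codes are placeholders like the message's {aa},{bb}.
RELAYS_PER_COUNTRY = {
    "aa": 620, "bb": 540, "cc": 310, "dd": 150,
    "ee": 90, "ff": 60, "gg": 25, "hh": 5,
}


def split_countries(counts, min_relays=1):
    """Partition country codes into two disjoint halves of similar relay weight.

    Greedy largest-first: each country goes to whichever half currently
    holds fewer relays, so neither list ends up starved of relays.
    """
    halves = ([], [])
    totals = [0, 0]
    # Sort by descending relay count; tie-break on the code for determinism.
    for code, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        if n < min_relays:
            continue  # skip countries with too few relays to be useful
        side = 0 if totals[0] <= totals[1] else 1
        halves[side].append(code)
        totals[side] += n
    return sorted(halves[0]), sorted(halves[1]), tuple(totals)


def torrc_lines(entry, exit_nodes, strict=False):
    """Render torrc options using the {cc} country-code syntax."""
    if set(entry) & set(exit_nodes):
        raise ValueError("entry and exit country sets must be disjoint")
    if not entry or not exit_nodes:
        raise ValueError("both halves need at least one country")
    lines = [
        "EntryNodes " + ",".join("{%s}" % c for c in entry),
        "ExitNodes " + ",".join("{%s}" % c for c in exit_nodes),
    ]
    if strict:
        lines.append("StrictNodes 1")  # optional, as discussed in the message
    return lines


if __name__ == "__main__":
    entry, exit_nodes, totals = split_countries(RELAYS_PER_COUNTRY, min_relays=10)
    print("# relay weight per half:", totals)
    print("\n".join(torrc_lines(entry, exit_nodes, strict=True)))
```

EntryNodes and ExitNodes constrain only the first and last hop, so the middle relay can still share a country with either end.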
