[tor-bugs] #3678 [Tor Client]: Disallow more than one relay per country in a circuit
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Wed Aug 3 01:17:38 UTC 2011
#3678: Disallow more than one relay per country in a circuit
-------------------------+--------------------------------------------------
Reporter: cypherpunks | Owner:
Type: enhancement | Status: new
Priority: major | Milestone:
Component: Tor Client | Version:
Keywords: | Parent:
Points: | Actualpoints:
-------------------------+--------------------------------------------------
Changes (by nickm):
* priority: normal => major
Comment:
This one is a lot more complicated than it sounds.
Please take the following concerns not as arguing that the idea of
country-aware routing is broken or unworkable, but as an explanation for
why the simple version of it is not necessarily a good idea, and why the
complex version of it that _might_ be a good idea still has a bunch of
unsolved problems.
You not only need to think about the countries used by your Tor relays,
but the country that you're in ''and'' the country that your destination
is in. For example, if you and your destination are in the same country,
and some agency in that country is monitoring and correlating its internal
communications, then current low-latency anonymity designs can't help
against them.
And it gets even more complicated: internet topology does not obey
national borders (it's not uncommon for a connection between two places in
one country to travel through a third country -- I hear it happens in
Canada a lot), and nations are not connected in a clique (traffic from
country A to county B often goes through some other country C).
And to add a new fun complication, there are agencies out there who
allegedly do most of their snooping at national borders and IX exchanges.
Maximizing country-to-country transitions would seem to _increase_
exposure to such attackers rather than limit it.
And finally, nobody's done the math as far as I know to show whether and
under what circumstances a routing algorithm of this style would give you
observably different results from using the regular path generation
algorithm in a way that would allow an attacker to separate your traffic
from the rest of the network and thereby actually make your anonymity
worse.
...
In spite of all of that, this is research that we '''do''' need to do.
Murdoch and Zelinski have some important observations
(http://freehaven.net/anonbib/#murdoch-pet2007). I think that one of the
most promising directions I know of right now for topology-aware routing
is the kind of work done by Edman and Syverson
(http://freehaven.net/anonbib/#DBLP:conf/ccs/EdmanS09); I think some other
groups are poking on it too. A forthcoming paper I did with Roger
Dingledine, Paul Syverson, and Aaron Turner (assuming that it gets in
where we submitted it) might also have some relevance, though it's more
about mistrusting some countries more than others than it is about what to
do if you mistrust all countries equally but think that they don't
cooperate.
Anything that can be done to pick up the analysis work of any of these
threads would be greatly helpful.
...
Oh! And as a workaround, if none of the above issues concern you, then you
'''can''' get something close to what you want here by splitting
countries with lots of Tor nodes into two halves, and saying
EntryNodes {aa},{bb},{cc},...
ExitNodes {nn},{oo},{pp},...
You'll need to use Tor 0.2.3.x for support for country codes in your
EntryNodes list, and you might want to decide whether to use "StrictNodes
1" to make sure that Tor forbids circuits you don't want even when they
would be needed to connect to a directory or hidden service.
Anybody else got observations here? Was there anything I missed?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3678#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list