[tor-bugs] #8240 [Tor]: Raise our guard rotation period

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Feb 15 21:42:36 UTC 2013 

#8240: Raise our guard rotation period
---------------------------------------+------------------------------------
 Reporter:  arma                       |          Owner:                    
     Type:  defect                     |         Status:  new               
 Priority:  normal                     |      Milestone:  Tor: 0.2.4.x-final
Component:  Tor                        |        Version:                    
 Keywords:  tor-client needs-proposal  |         Parent:                    
   Points:                             |   Actualpoints:                    
---------------------------------------+------------------------------------
 Tariq's COGS paper from WPES 2012 shows that a significant component of
 guard churn is due to voluntary rotation, rather than actual network
 changes:
 http://freehaven.net/anonbib/#wpes12-cogs

 In short, if the target client makes sensitive connections continuously
 every day for months, and you (the attacker) run some fast guards, the
 odds get pretty good that you'll become the client's guard at some point
 and get to do a correlation attack.

 We could argue that the "continuously every day for months" assumption is
 unrealistic, so in practice we don't know how bad this issue really is.
 But for hidden services, it could well be a realistic assumption.

 There are going to be (at least) two problems with raising the guard
 rotation period. The first is that we unbalance the network further wrt
 old guards vs new guards, and I'm not sure by how much, so I'm not sure
 how much our bwauth measurers will have to compensate. The second
 (related) problem is that we'll expand the period during which new guards
 don't get as much load as they will eventually get. This issue already
 results in confused relay operators trying to shed their Guard flag so
 they can resume having load.

 In sum, if we raise the rotation period enough that it really results in
 load changes, then we could have unexpected side effects like having the
 bwauths raise the weights of new (and thus totally unloaded) guards to
 huge numbers, thus ensuring that anybody who rotates a guard will
 basically for sure get one of these new ones.

 The real plan here needs a proposal, and should be for 0.2.5 or later. I
 wonder if we can raise it 'some but not too much' in the 0.2.4 timeframe
 though?

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8240>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list