[tor-bugs] #7798 [Core Tor/Tor]: Use directory guards even when consensus isn't live

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu May 19 18:45:54 UTC 2016


#7798: Use directory guards even when consensus isn't live
--------------------------+-----------------------------------
 Reporter:  nickm         |          Owner:
     Type:  defect        |         Status:  needs_information
 Priority:  Medium        |      Milestone:  Tor: unspecified
Component:  Core Tor/Tor  |        Version:
 Severity:  Normal        |     Resolution:
 Keywords:  tor-client    |  Actual Points:
Parent ID:                |         Points:
 Reviewer:                |        Sponsor:
--------------------------+-----------------------------------
Changes (by teor):

 * status:  new => needs_information


Comment:

 Replying to [comment:1 arma]:
 > Agreed!
 >
 > I wonder how this should relate to the fallbackdir design now that there
 > is one.
 >
 > Can we add the directory guards from our state file to the fallbackdir
 > list, with higher priority than the other ones on the list?

 There is no priority in the fallback directory design, there is only
 weight.
 But I think this is a nice way of resolving the privacy issues mentioned
 in #18084.

 What we could do is add to the state file one or more `FallbackDir` lines
 describing our directory guards. The format is `address:port orport=port
 id=fingerprint [ipv6=ipv6address:ipv6orport] [weight=num]`. The fallbacks
 will have to have a DirPort, even though clients never use it (see
 #19129). (We're only doing this for clients, right?)

 The current total fallback weight is 1009 (10*100 + 1*9), but it could go
 as high as ~3000 if we ever include 300 fallbacks, as in the original "20%
 of guards" design.

 We might have 3 directory guards, or in future, we might only have 1.
 So let's weight each directory guard at 10,000. Then we will only choose a
 fallback 10% of the time. (Or 3% of the time with 3 directory guards.)

 Then, when we load the state file, we use our standard fallback parsing
 function to add them to the list. And our standard bootstrapping sequence
 will use them like any other fallbacks.

 Should we do this automatically, or should there be an option to turn it
 off?
 The existing `UseDefaultFallbackDirs` doesn't really cover this, so we
 probably need `UseDirGuardsAsFallbackDirs`. (This should control both the
 writing to the state file, and the reading from it.) This way, someone can
 refuse the default fallbacks, but still use their directory guards as
 fallbacks.

 When should these fallback directory guards expire?
 (When do guards in our state file expire?)
 If they're too old, we should ignore them and just try the fallbacks.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7798#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
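
Added example, not part of the ticket and not Tor's own code: a sketch that parses `FallbackDir` values in the format quoted in the comment above and computes how often a weighted pick would land on the ordinary fallbacks when directory guards are added at weight 10,000. The function names, the default weight of 1.0 for a missing `weight=`, and the sample addresses and fingerprints are assumptions made for the illustration.

```python
import re

# Format quoted in the comment:
#   address:port orport=port id=fingerprint [ipv6=ipv6address:ipv6orport] [weight=num]
HEAD_RE = re.compile(r"^(?P<addr>\d{1,3}(?:\.\d{1,3}){3}):(?P<dirport>\d+)$")
DEFAULT_WEIGHT = 1.0  # assumption: weight applied when weight= is omitted


def _port(text, name):
    port = int(text)
    if not 0 < port < 65536:
        raise ValueError("%s out of range: %s" % (name, text))
    return port


def parse_fallback_line(line):
    """Parse one FallbackDir value into a dict; raise ValueError if malformed."""
    tokens = line.split()
    head = HEAD_RE.match(tokens[0]) if tokens else None
    if head is None:
        raise ValueError("line must start with address:port: %r" % line)
    # A DirPort of 0 is rejected: the comment says fallbacks must have one.
    entry = {"address": head["addr"], "dirport": _port(head["dirport"], "dirport"),
             "weight": DEFAULT_WEIGHT}
    for tok in tokens[1:]:
        key, sep, val = tok.partition("=")
        if not sep or key not in ("orport", "id", "ipv6", "weight"):
            raise ValueError("unexpected field: %r" % tok)
        entry[key] = val
    if "orport" not in entry or not re.fullmatch(r"[0-9A-Fa-f]{40}", entry.get("id", "")):
        raise ValueError("orport= and a 40-hex-digit id= are required")
    entry["orport"] = _port(entry["orport"], "orport")
    entry["weight"] = float(entry["weight"])
    if entry["weight"] < 0:
        raise ValueError("weight must not be negative")
    return entry


def fallback_share(fallback_weight, guard_lines):
    """Fraction of weighted picks that go to the ordinary fallbacks, not the guards."""
    guard_weight = sum(parse_fallback_line(l)["weight"] for l in guard_lines)
    return fallback_weight / (fallback_weight + guard_weight)


def guard_line(n, weight=10000):
    """Constructed sample line: documentation address, made-up fingerprint."""
    return "192.0.2.%d:80 orport=443 id=%040X weight=%d" % (n, n, weight)


if __name__ == "__main__":
    for total in (1009, 3000):          # fallback weights quoted in the comment
        for guards in (1, 3):
            share = fallback_share(total, [guard_line(i + 1) for i in range(guards)])
            print("fallback weight %d, %d guard(s): %.1f%%" % (total, guards, 100 * share))
```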

