[tor-bugs] #23863 [Core Tor/Tor]: When our directory guards don't have each others' microdescs, we should mark some dead
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Nov 17 13:19:28 UTC 2017
#23863: When our directory guards don't have each others' microdescs, we should
mark some dead
-----------------------------------------------+---------------------------
Reporter: teor | Owner: (none)
Type: defect | Status: new
Priority: Medium | Milestone: Tor:
| 0.3.2.x-final
Component: Core Tor/Tor | Version: Tor:
| 0.3.0.6
Severity: Normal | Resolution:
Keywords: tor-guard, tor-bridge, tor-client | Actual Points:
Parent ID: #21969 | Points: 1
Reviewer: | Sponsor:
-----------------------------------------------+---------------------------
Comment (by teor):
Replying to [comment:9 asn]:
> Replying to [comment:8 teor]:
> > I think we should implement an authority md fetch for clients that run
out of microdesc attempts. And I think they can easily handle the load of
a few mds, because they are handling a similar consensus load from clients
and relays already.
> >
> > I also don't think removing fallbacks from the list will help much,
because bootstrapping clients try authorities anyway.
> >
>
> I'm continuing the discussion here altho it's worth mentioning that teor
also added some more calculations in #24113.
>
> I think I can get behind doing an authority md fetch for clients that
have failed too many microdesc attempts. To further reduce the load on
dirauths, perhaps we should do this only if we are missing descriptors for
some of our primary guards (i.e. only if we are missing very crucial mds),
since clients can/should usually tolerate missing a few random mds.
I think asking an authority is a good idea.
Is it also worth asking a fallback first?
This might be another way to reduce load on the authorities.
And I think it would really help some clients if we do it, because some
networks block authority addresses.
If we only ask an authority or fallback when we are missing a guard
microdesc, this leaks our guards to the authority or fallback.
I think that is probably ok. Because these queries are mixed in with a
bunch of other client queries.
(Authorities see about as many client queries as they see relay queries.)
But here's what we can do to make the leak less obvious:
* ask for all the missing microdescs, not just the primary guard ones
* this has a very low impact, because we are already doing a request -
we should definitely do it.
* ask all the time, not just when we are missing primary guards
* this has a higher impact, but I think we can easily afford to do it if
we want to,
* but I agree with you - I don't think we need to do it, so let's not
bother right now.
Some detailed questions about the md request:
What if we are missing more microdescs than fit in a single request?
How do we make sure our primary guards are in that request?
What order do we usually use for md hashes in requests?
When we make multiple requests, do we usually split mds between them at
random?
Do we usually sort the hashes to destroy ordering information?
(I can imagine myself writing a request that starts with the guard md
hashes, and not realising I was leaking them.)
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/23863#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list