[or-cvs] r12599: more progress on the geoip proposal (tor/trunk/doc/spec/proposals)

Roger Dingledine arma at mit.edu
Fri Nov 30 08:13:18 UTC 2007

For those following along at home, we're discussing my in-progress
draft at

On Thu, Nov 29, 2007 at 08:58:16PM +0000, Robert Hogan wrote:
> >Is it sufficient just to add a new GETINFO command?
> >    GETINFO ip-to-country/
> >  250+ip-to-country/"US","USA","UNITED STATES"
> Other commands that would be useful:
> 1. 'getinfo servers/[COUNTRYCODE]' giving a list of servers with that 
> countrycode

True. I guess it depends how much work we want to do inside Tor vs how
much we want to expect the controller to do. If we offer this, don't we
also want to offer getinfo countrycode/names and other options like this?
We could instead just let the controller do a lookup on each server it
cares about, and keep its own lists.

> 2. setconf  ExcludeCountryCodes
> 3. setconf IncludeCountryCodes

Hm. Most people I've talked to care about the position in the path too --
they don't just want to skip a given country entirely, they want to only
skip it at the beginning, or the end, or something like that.

And what would IncludeCountryCodes do? Only use relays from those
countries in all positions in the circuit? 

> But why not absorb the countrycode into the server descriptor and have it 
> assigned by the authorities?
> This would:
> - prevent possible partitioning attacks arising from different versions of the 
> geoip db floating around (if bootstrap versions are supplied).
> - save bandwidth (the db would be shared by authorities only)
> - save client/relay processing power
> Something like:
> @downloaded-at 2007-11-29 19:45:13
> @source ""
> @geoip US Boston X-ordinate Y-ordinate

The "router annotations" you describe here are added locally by the Tor
that receives the router descriptor. They're not published in any signed
way. If we were to add the countrycode into the server descriptor, then
we would have to trust the server to write the correct countrycode into
his signed descriptor, and if we decided he was lying our only recourse
would be to not list that descriptor.

If we want to provide the countrycode info for each router, signed by
authorities, we could put it into that router's entry in the networkstatus
consensus -- that's my "Option B" in Section 4.2.

But I'm still not very happy about putting it in the networkstatus,
since the IP to GeoIP mapping will be relatively static, so we'll be
wasting a lot of bandwidth as caches mirror redundant information,
and as clients fetch information they already know.

Since most of the answers won't change from hour to hour, the obvious
solution is to only ask questions about the ones you don't already know
the answer to -- which is exactly what Vidalia already does.

But I haven't thought of a better way yet. Perhaps we'll have found one
by the time we get around to switching from "Option A" to "Option B". :)


More information about the tor-dev mailing list