[tor-dev] Proposal: All Relays are Directory Servers

Nick Mathewson nickm at freehaven.net
Mon Aug 18 18:17:28 UTC 2014

On Wed, Aug 13, 2014 at 11:53 AM, Matthew Finkel
<matthew.finkel at gmail.com> wrote:
> Hi All,
> Below is the proposal for #12538 [0], with some changes after George's
> review and some other revisions.
> Feedback welcome!
> Thanks,
> Matt
> [0] https://trac.torproject.org/projects/tor/ticket/12538

Thanks! This is now proposal 237. Any revisions should be sent in as
patches against the one in the torspec repository.

> Filename: xxx-directory-servers-for-all.txt
> Title: All relays are directory servers
> Author: Matthew Finkel
> Created: 29-Jul-2014
> Status:
> Target: 0.2.6.x
> Overview:
>     This proposal aims at removing part of the distinction between the
> relay and the directory server. Currently operators have the options
> of being one of: a relay, a directory server, or both.  With the
> acceptance of this proposal the options will be simplified to being
> either only a directory server or a combined relay and directory
> server. All relays will serve directory requests.

FWIW, we don't support being only a directory server right now, do we?

>     Clients choose a directory by using the current criteria with the
> additional criterion that a server only needs the V2Dir status flag
> instead of requiring an open DirPort. When the client chooses which
> directory server it will query, it checks if the server has an open
> directory port and uses begindir if it does not have one. Directory
> servers should not be able to determine which version of Tor the client
> is using (or a lower-bound on the version), if possible. Continuing to
> prefer direct directory connections over begin may help mitigate a
> potential partitioning attack.

Well, the partitioning attack is going to be rendered possible here by
the fact that an 0.2.5 client won't send a RELAY_BEGIN_DIR cell to a
node with DirPort=0, V2Dir=1, but an 0.2.6 client might.

I think this is not too bad, though: alpha users are typically visible
as alpha users for other reasons as well, and when everybody upgrades
to the next stable Tor version, they usually do so en masse.

> Impact on local resources:
>     Should relays attempt to download documents from another mirror
> before asking an authority? All relays will now prefer contacting the
> authorities first, but this will not scale well and will partition users
> from relays.

Partitioning users from relays is inevitable.  If you're not sure
whether somebody is a relay, just send them a CREATE_FAST cell and see
what they do.

>     If all relays become directory servers, they will choose to
> download all documents, regardless of whether they are useful, in case
> another client does want them. This will have very little impact on the
> "typical" relay, however on memory constrained relays (BeagleBone,
> Raspberry Pi, and similar), every megabyte allocated to directory
> documents is not available for new circuits. Should we add a config
> option that allows operators to disable being a directory server?  Is
> it more worthwhile for them to serve these documents or to relay cells?

Maybe only relays with a threshold of bandwidth or memory should be
guards?  Dunno.


More information about the tor-dev mailing list