[tor-dev] Proposal 236, Single-guard designs, and directory guards

Thu Jun 5 16:50:32 UTC 2014

Nick Mathewson <nickm at torproject.org> writes:

> Hi, all!
>
> I noticed that proposal 236 doesn't mention directory guards. (See
> proposal 207, implemented in Tor 0.2.4.)  I think that we should
> consider retaining multiple directory guards while going to a single
> guard for multi-hop circuits.
>
> My rationale here is that when we have only a single directory guard,
> it can more easily perform hard-to-detect route biasing attacks by
> pretending not to have descriptors for nodes it doesn't like.  Its
> ability to do this is limited by fact that we won't build circuits
> unless 95% of all paths are buildable (see
> get_frac_paths_needed_for_circuits() and its users). But still,
> trusting a single source for the completeness and freshness of your
> directory info is suboptimal.
>

> Hi, all!
> 
> I noticed that proposal 236 doesn't mention directory guards. (See
> proposal 207, implemented in Tor 0.2.4.)  I think that we should
> consider retaining multiple directory guards while going to a single
> guard for multi-hop circuits.
> 
> My rationale here is that when we have only a single directory
> guard,
> it can more easily perform hard-to-detect route biasing attacks by
> pretending not to have descriptors for nodes it doesn't like.  Its
> ability to do this is limited by fact that we won't build circuits
> unless 95% of all paths are buildable (see
> get_frac_paths_needed_for_circuits() and its users). But still,
> trusting a single source for the completeness and freshness of your
> directory info is suboptimal.
> 

I discussed this a bit with Roger yesterday, who helped me understand
the issue.

It seems to me that from a security prespective it makes sense to use
our circuit guard as our directory guard (assuming that it's a
DirCache). This is to minimize our network fingerprint, and we also
trust our guard to not selectively deny EXTEND requests anyway (which
is a form of a path bias attack).

So, IIUC, the path bias attack Nick is worrying about is:
a) Client fetches consensus from dirguard.

b) Client walks consensus and asks the dirguard for router
   microdescriptors in batches.

c) The attack is that a dirguard can now selectively claim that it
   doesn't have some microdescriptors, in an attempt to influence the
   path selection of the client.

The attack is not a big problem in the current architecture, since the
client will go ahead and ask another directory guard for the missing
descriptors. However, it becomes a problem when we have a single
directory guard since there is no one else to talk to.

IIUC, the problem stems from the fact that even honest directory
servers might not have the microdescriptors that a client asks for:

This might happen when a dirserv fetches a new consensus from the
auths, the new consensus contains some unknown routers, and the
dirserver hasn't fetched the descriptors for these unknown routers
yet. So there is a race condition between the dirserv fetching a
consensus, and the dirserv downloading all the missing descriptors,
during which it will serve a consensus containing routers that it
doesn't have the descriptors for.

Are there other legitimate cases where an honest directory server can
claim to not have a descriptor?

If the above is the only case, we can fix it by making sure that
directory servers start serving a consensus _only after_ they have
downloaded the descriptors of all the routers mentioned in that
consensus.

If the above behavior is applied, it means that honest directory
servers don't have any excuse for not having a descriptor mentioned in
a consensus they just served. Hence, a directory server that claims
that, is an evil directory server.

But that's too easy, isn't it? I wonder how the above idea interacts
when multiple consensuses are valid at the same time. And also if the
above idea gets implemented, non-upgraded directory servers will be
flagged as evil by upgraded clients.

.oO(I wonder how frequent it is for an honest dirguard to not have the
descriptors a client is asking for.)