[tor-dev] Proposal 236, Single-guard designs, and directory guards

Nick Mathewson nickm at torproject.org
Mon May 5 17:07:43 UTC 2014

Hi, all!

I noticed that proposal 236 doesn't mention directory guards. (See
proposal 207, implemented in Tor 0.2.4.)  I think that we should
consider retaining multiple directory guards while going to a single
guard for multi-hop circuits.

My rationale here is that when we have only a single directory guard,
it can more easily perform hard-to-detect route biasing attacks by
pretending not to have descriptors for nodes it doesn't like.  Its
ability to do this is limited by the fact that we won't build circuits
unless 95% of all paths are buildable (see
get_frac_paths_needed_for_circuits() and its users). But still,
trusting a single source for the completeness and freshness of your
directory info is suboptimal.

I also think that most of the arguments for single-guard apply to
circuit guards more than to directory guards.  But there could be some
left, and we should figure those out.
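
Added example, not part of the original message and not Tor's code: a simplified model of the 95% path check, showing that one directory source omitting a few descriptors can stay above the threshold while a second source exposes the gap. The product-of-shares formula, the relay names and the equal-bandwidth consensus are assumptions constructed for illustration.

```python
# Added example: a simplified model, not Tor's implementation.
from dataclasses import dataclass

PATHS_NEEDED = 0.95  # the 95% threshold quoted in the message


@dataclass(frozen=True)
class Relay:
    name: str
    bandwidth: int
    guard: bool = False
    exit: bool = False


def _frac(relays, have):
    """Bandwidth-weighted share of `relays` whose descriptor we hold."""
    total = sum(r.bandwidth for r in relays)
    held = sum(r.bandwidth for r in relays if r.name in have)
    return held / total if total else 0.0


def frac_paths_available(consensus, have):
    """Assumed model: product of the guard, middle and exit shares."""
    guards = [r for r in consensus if r.guard]
    exits = [r for r in consensus if r.exit]
    return _frac(guards, have) * _frac(consensus, have) * _frac(exits, have)


def can_build_circuits(consensus, have):
    return frac_paths_available(consensus, have) >= PATHS_NEEDED


def never_selectable(consensus, *sources):
    """Relays in the consensus that no queried directory source served."""
    have = set().union(*sources)
    return sorted(r.name for r in consensus if r.name not in have)


# Constructed consensus: 40 guards, 40 middle-only relays, 20 exits.
CONSENSUS = (
    [Relay(f"g{i}", 100, guard=True) for i in range(40)]
    + [Relay(f"m{i}", 100) for i in range(40)]
    + [Relay(f"e{i}", 100, exit=True) for i in range(20)]
)
ALL = {r.name for r in CONSENSUS}
HONEST = ALL                      # directory guard serving everything
BIASED = ALL - {"m0", "m1"}       # directory guard omitting two relays

if __name__ == "__main__":
    print(frac_paths_available(CONSENSUS, BIASED))        # single source
    print(never_selectable(CONSENSUS, BIASED))            # single source
    print(never_selectable(CONSENSUS, BIASED, HONEST))    # two sources
```

In this model the client that relies only on the biased source still passes the threshold, so nothing signals that two relays have dropped out of its path selection; asking a second source restores them.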


