[tor-dev] Desired exit node diversity

Roger Dingledine arma at mit.edu
Wed Sep 23 06:47:17 UTC 2015


On Wed, Sep 23, 2015 at 06:26:47AM +0000, Yawning Angel wrote:
> On Wed, 23 Sep 2015 06:18:58 +0000
> Virgil Griffith <i at virgil.gr> wrote:
> > * Would the number of exit nodes constitute exactly 1/3 of all Tor
> > nodes? Would the total exit node bandwidth constitute 1/3 of all Tor
> > bandwidth?
> 
> No. There needs to be more interior bandwidth than externally facing
> bandwidth since not all Tor traffic traverses through an Exit
> (Directory queries, anything to do with HSes).
> 
> The total Exit bandwidth required is always <= the total amount of Guard
> + Bridge bandwidth, but I do not have HS utilization or Directory query
> overhead figures to give an accurate representation of how much less.

On the flip side, in *my* idealized Tor network, all of the relays are
exit relays.

If only 1/3 of all Tor relays are exit relays, then the diversity of
possible exit points is much lower than if you could exit from all the
relays. That lack of diversity would mean that it's easier for a relay
adversary to operate or compromise relays to attack traffic, and it's
easier for a network adversary to see more of the network than we'd like.

(In an idealized Tor network, the claim about the network adversary
might not actually be true. If you have exit relays in just the right
locations, and capacity is infinite compared to demand, then the network
adversary will learn the same amount whether the other relays are exit
relays or not. But I think it is a stronger assumption to assume that we
have exactly the right distribution of exit relay locations -- especially
because "the right distribution" is a function of which adversary you're
considering, and once you consider k adversaries at once, no single
distribution will be optimal for all of them.)

--Roger
