[tor-dev] Update on 259

[George Kadianakis]

Ola Bini <obini at thoughtworks.com> writes:

> [ text/plain ]
> Hey,
>
>> <snip>
>>
>> That's not very nice because the USED_GUARDS set that was created when
>> ClientsUseIPv6 or FascistFirewall were on will have reduced diversity. Then
>> even if we switch off those options, we are still stuck with reduced diversity.
>>
>> I'm not sure what's the right way to do this here!
>>
>> We could imagine having multiple USED_GUARDS sets, where we make a new set for
>> each possible filter. This might be worth considering, but I imagine there will
>> be technical difficulties. e.g. when a guard goes down, you need to update its
>> state in all the USED_GUARDS sets that it's in. Also, a person who toggles the
>> FascistFirewall option frequently, will end up using two different sets of
>> guards all the time which is suboptimal.
> Well, one thing you could do is hash the settings (and maybe also
> reachable ports) and use that as a key to differentiate the different
> USED_GUARDS. That would solve the problem, but might lead to a single
> client using lots of different guards in different locations. Might
> that be OK?
>

Hmm, it could be that in some cases the USED_GUARDS list of settings A would
also work fine under settings B. For example, an 80/443 guard might be our top
guard under vanilla settings, which would also work fine under FascistFirewall
settings.

In those cases (which are not all that rare), it would be suboptimal to use a
different guardlist, since you are going to expose yourself to more guards than
required.

>> > - Can we make the lists smaller?
>> > Probably. Maybe a sampled set of 30 guards? Or 1.5%?
>> >
>>
>> Plausible. However, if we take the filtering approach but use a small sampled
>> guards list, it could happen that the list is not able to satisfy some of our
>> filtering restrictions.
>>
>> e.g. maybe in our 30 guards there are no IPv6 guards at all, and the user just
>>      turned on ClientUseIPv6. What to do now?
>>
>> This is important to understand, because currently there is no mechanism to add
>> stuff to the sampled guards list if a restriction cannot be satisfied. So what
>> will Tor do, if a user enables ClientsUseIPv6 _and_ FascistFirewall but there
>> are no IPv6+80/443 guards in our sampled guards list?
> Yeah, we talked about that yesterday. Our suggestion is to do
> something like this:
> - if the filtered/reduced sample-set contains less than X (5?) guards,
> expand SAMPLED guards using the regular process.
> - If SAMPLE guards reach SAMPLED_MAX (50?) size, we fail closed with
> an error saying something like "your current network settings make it
> impossible for us to safely choose an entry guard. If you really need
> to connect under these circumstances, consider explicitly setting the
> EntryGuards configuration option"
>

I share the same concerns as teor here.

As you said, I think it's important to keep the property of restricting the
total number of guards we connect to, as to avoid the attacks you mentioned.

Of course, the above property also carries the inherent risk of potentially
failing closed. For example, consider the unlikely scenario where _all_ the
relays in your sampled set suddenly go offline while your network is fine.

That said, we should be very careful of failing closed like that just because
the user changed some torrc options and moved around a bit.

I will try to think more about this problem and write something tomorrow or the
day after.

>> I think it asks "What happens when guards in our sampled set drop out of the
>> consensus and get marked as bad?" (see bad_since in entrynodes.c) .
>>
>> This is also a great question. Especially when combined with the planned
>> "ensure a min percentage of X in our sampled set" logic.
>>
>> Like, what happens if suddenly most of our sampled IPv6 guards drop out of the
>> consensus when we have ClientsUseIPv6 on? Should we replace them? And if yes,
>> don't we need to replace them with other IPv6 guards to maintain the minimum
>> percentage?
> Well, I think if we replace, we should just replace randomly just like
> we always expand the sampled set. If most ipv6 guards drop out, we
> will have fewer ipv6 guards in our sampled set, but that also reflects
> the Tor network.
>
> I suspect a plausible thing to do is to wait a few consensus rounds
> with expanding the sampled set to replace "bad" guards - they might
> come back, and under most circumstances we shouldn't need to use the
> sampled set anyway.
>

I think that's a good idea.  We shouldn't just drop guards from memory the
moment they leave the consensus.

For example, the current Tor codebase keeps them around for ever but marked as bad. 

>> The current proposal says the following about SAMPLED_UTOPIC_GUARDS:
>>
>>       It will be filled in by the algorithm if it's empty, or if it contains
>>       less than SAMPLE_SET_THRESHOLD guards after winnowing out older guards.
>>
>> which I think is a good suggestion. However, what should we do if we end up
>> going with the "ensure minimum percentage" logic?
> Yeah, my suggestion is not have minimum percentage of X type guards -
> instead just fill it randomly, and use the expanding process if we
> can't find enough guards for a specific purpose.
>
>> > - EntryNodes
>> > If this is set, never use the algorithm for regular circuits - we should still use it for directory server connections though.
>>
>> If this is set we should not use our algorithm, but we should instead pick one
>> of the guards in the EntryNodes list. This is for people who want to hardcode
>> their guard.  It's used a lot by people currently.
> Yeah. Is the guard picked randomly from this list, or using something
> more complicated?
>

The guard is picked randomly from the list.

>> > - UseEntryGuardsAsDirGuards
>> > I don't understand exactly what this settings does.
>>
>> I'm not sure either. I'd just let it keep the exact same semantics it currently has.
> Yeah, except we don't exactly understand what does semantics are, and
> if we need to change something in our code to match it. =)
>

OK, I looked a bit more at should_use_directory_guards().

I think that config option basically enables the directory guard feature. The
option name is a bit confusing, I agree.

If that config option is turned off, Tor will just choose a random directory
node from the network, instead of using the entry guard list.

> Thanks for all the feedback! Hopefully we're getting close to the
> final iteration of this spec. =)
>
> Cheers
> -- 
>  Ola Bini (https://olabini.se)
>
>  "Yields falsehood when quined" yields falsehood when quined.
> [ signature.asc: application/pgp-signature ]