[tor-dev] Latest state of the guard algorithm proposal (prop259) (April 2016)

George Kadianakis desnacked at riseup.net
Fri Apr 15 10:37:35 UTC 2016

Fan Jiang <fanjiang at thoughtworks.com> writes:

> [ text/plain ]
> Thanks for the insights.
>> >> It seems like the latest version of prop259 was posted a few weeks ago:
>> >>
>> https://lists.torproject.org/pipermail/tor-dev/2016-March/010625.html
>> >>
>> > <snip>
>> >
>> >> A few things:
>> >>
>> >> a) Are there still proposal design decisions that need to be taken and
>> we
>> >> are
>> >>    unclear on? I admit I'm a bit lost in the latest [tor-dev] thread, so
>> >> maybe
>> >>    I can be of help somehow here?
>> >>
>> >> There are still some issues, like for_directory may leads to maintain
>> two
>> > sets of
>> > sampled_set independently, which is not yet defined clearly in proposal.
>> >
>> Hm, how come this is happening?
>> I would think that for_directory would now be just another filter (like the
>> ipv6 one etc.) that can be applied on top of the sampled list.
> The problem here is for_directory is a parameter of function call, that
> means we can't do filter
> before the call happens. Now the filter action only happens at START stage.
> Maybe do a check before we return the selected guard (if not valid, then
> continue picking new one)
> can be a solution.


hm, that's an interesting problem...

So we learn whether a circuit is for_directory when
choose_random_entry_prop259() is called, but at that point the prop259
algorithm has already STARTed and its filtering parameters have been

So if some part of tor calls choose_random_entry_prop259() quickly twice, first
with for_directory set, and the second time with for_directory unset, the guard
algorithm will proceed in both cases with for_directory being set? Because the
context has been set in the first call to choose_random_entry_prop259()?

This seems like a problem to me, and I'm not sure how to solve it well...

One way could be to use the 'cpath_build_state_t *state' in
choose_random_entry_prop259() to be able to understand whether each call is
about a different circuit or not. Then you could start a separate algorithm
invocation (so new START) for each new circuit you see.

But then I'm not sure how to do this without each separate algorithm call
wrecking up the sampled_guards and used_guards lists... In the dev meeting in
Valencia, we discussed with Ola and Reinaldo about using locking and blocking
for this, but I'm not sure how much that would impact the performance...

Do you guys have any plans here?


BTW, I also noticed that you have various global structures in prop259.c, like
entry_guard_selection and used_guards and sampled_guards. I see you've been
working hard on un-globalizing the entry_guards list, but I'm not sure if there
is value to that if all those other structures are global. Do you have plans
for making those structures local to each specific algorithm instance?


More information about the tor-dev mailing list