[tor-dev] Entry guards, primary guards, dir guards

George Kadianakis desnacked at riseup.net
Tue Feb 9 16:16:03 UTC 2016

Ola Bini <obini at thoughtworks.com> writes:

> Hey,
> Maybe I misunderstood the hard part - I thought the problem was to
> choose the NUM longlived vanguards - since there are only ever NUM
> possible guards at each level, not to choose which one to use among
> the NUM guards. For the first, it felt like using 259 would work, and
> the for the second use case, just randomly choose one of the NUM
> guards.

Hmm, let's try to formalize this slightly. Maybe it's helpful. I'm doing this a
bit rushed, so maybe I'm wrong.

So far we've been designing an algorithm that:
     a) populates and manages our guardlist
     b) picks the right guard to use from our guardlist
We could in theory decouple these two steps, but so far we've been mixing them

Step (b) has been easy so far because Tor uses a single guard node for general
circuits, so we always pick the very first reachable guard from our guardlist
every time.

However, when we consider prop247 or directory guards we don't always want to
pick the very first available guard. For example, when considering the layer-3
guards of prop247, we want to pick amongst N guards everytime we build a
circuit so that we load balance our traffic amongst the guards. When
considering directory guards, we want to pick randomly amongst the first 3
directory guards every time, so that if the first guard lied to us, we will
also try the second one who might not lie.

So maybe the simple answer here is that if prop247 is enabled (this could be a
NumGuards=N argument to our algorithm), instead of always returning the first
reachable guard, we instead build a list of the first N reachable guards, and
randomly choose one of them. Could this work? (see #12466 for a weird behavior
that will make us skip bugs if NumEntryGuards != 1)

> The other alternative is to simply initialize USED_GUARDS to be
> layer-2 guardlist and run the algorithm, then init USED_GUARDS to be
> layer-3 guardlist and run the algorithm. Makes sense or am I missing
> something?

Hmm, in this case we would just use the first reachable guard from USED_GUARDS.
We would only reach other guards if the first guards are unreachable. That will
not work for load balancing prop247 for example.

(got to go. will be back later!)

More information about the tor-dev mailing list