[tor-dev] Notes from the prop259 proposal reading group

Fri Mar 25 11:51:53 UTC 2016

Hello,

we had a meeting about proposal 259 "New Guard Selection Behaviour". You can
see the logs here: http://meetbot.debian.net/tor-dev/2016/tor-dev.2016-03-23-15.01.log.txt

Some notes:

- The latest version of the proposal can be found here:
     https://lists.torproject.org/pipermail/tor-dev/2016-March/010625.html
  There is also some discussion with Tim that has been happening in that thread
  since yesterday.

  It's likely that the proposal will be slightly changed (read: improved) as
  implementation and testing proceeds.

  The implementation of the proposal is currently happening here:
    https://github.com/twstrike/tor_for_patching/tree/prop259

- We discussed whether the guard algorithm should care about circuit
  restrictions like requiring that the guard of a circuit needs to be Stable
  (needs_uptime) or Fast (needs_capacity).

  We decided that for now the algorithm should be able to handle these
  restrictions, by skipping to the next guard that satisfies the conditions in
  case the top guard does not. This is also how the current guard algorithm works.

  In the future we should make it so that all Guards are both Stable and Fast,
  so that this stupid check does not need to happen [TODO: I should open a
  ticket for this if it doesn't already exist].

- We discussed how ReachableAddresses should work with regards to guardlists.

  A suggestion by Tim came from here: https://lists.torproject.org/pipermail/tor-dev/2016-March/010630.html
  who says:
   "I suggest that we compose the set of UTOPIC guards based on addresses that
    are reachable and preferred (or, if there are no guards with preferred
    addresses, those guards that are reachable). I suggest that we use the same
    mechanism with DYSTOPIC guards, but add a port restriction to 80 & 443 to all
    the other restrictions. (This may result in the empty set.)"

  I think this suggstion makes sense for now.

- We also talked about directory guards and how they should work but we didn't
  come to a conclusion.

  My current intuition is that if a directory circuit appears that requires a
  directory guard, we treat it as a constraint the same way we treat
  needs_capacity and needs_uptime. So if our top guard cannot be a directory
  guard (is not a V2Dir), we skip it and go down our list till we find a guard
  that does.

  In the future (almost) all guards will be directory guards so this should
  become less of an issue (see #12538).

- Finally, a topic that came up after the meeting in: 
    https://lists.torproject.org/pipermail/tor-dev/2016-March/010635.html
  had to do with how we treat bad guards in SAMPLED_UTOPIC_GUARDS and
  SAMPLED_DYSTOPIC_GUARDS.

  So if suddenly 90% of the guards in SAMPLED_UTOPIC_GUARDS drop out of the
  consensus, what do we do? We mark them as bad, and then what? Do we remove
  them from the sampled list? Or do we keep them in there in case they come
  back? (This latter behavior is what tor currently does).

  But then if we keep them, don't we also need to add some more guards in there
  to make up for the bad ones? How exactly should this work? Some thinking
  needs to be done here.

- We also discussed the need for good debug logging in the prop259 tor branch,
  so that we can test it ourselves. Ideally, the logging should be nice and
  intuitive, so that we can monitor the logs every now and then and check if
  the guard picking works properly.

  For example, if the algorithm keeps on switching guards all the time, there
  is a problem. If the algo is using the 5th guard while the 1st guard is up,
  it's a problem. Good logging should be able to reveal all these problems
  without having to spend 20 minutes investigating every new log message.