[tor-dev] routing security handling in the tor network
nusenu-lists at riseup.net
Tue Aug 21 07:36:00 UTC 2018
I looked at the routing security state
of the >3k BGP prefixes that make up the tor network.
I believe it is important for tor to have a discussion on how
the network should deal with relays that will increasingly be only partially reachable
due to the increase of RPKI route origin validation (ROV) in big IXPs (AMS-IX to name one).
To quote the relevant part from :
> “Virtual” Route Origin Validation in the Tor Context
> There are two good reasons why Tor should care about relays located in
> RPKI ‘Invalid’ prefixes:
> It will eventually break the “the Tor network is a full mesh”
> assumption. Relays in such RPKI ‘invalid’ prefixes with no
> alternative valid route will not be reachable from ASes performing
> ROV, but the Tor network assumes that every relay can reach every
> other relay. When ROV breaks that assumption it is better to exclude
> these relays than to keep only partially reachable relays. An RPKI
> ‘Invalid’ route might as well be an actual BGP hijacking attempt and
> why not stop that?
> The obvious place to enforce ROV for the Tor network would be the Tor
> directory authorities that would run RPKI validators and vote for
> relays accordingly. At this point this is no more than an idea.
There are certainly some challenges and trade-offs when doing ROV from a
non-BGP-router perspective, but they are solvable.
There is no need to panic - this affects less than 5 relays currently but
we should have a discussion and reach some form of consensus on the topic
to move forward instead of waiting until it significantly affects reachability.
Would be nice to have an initial discussion even before writing a proposal to
gather opinions if that would be actually worth doing.
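The "run RPKI validators and vote for relays accordingly" idea quoted above, worked through as an added example that is not part of the original post or of Tor's code: an RFC 6811 Valid/Invalid/NotFound classifier over constructed VRPs and announced routes, applied to relay addresses so that relays sitting in 'Invalid' prefixes (the ones ROV-enforcing ASes cannot reach) can be flagged. All prefixes, ASNs and relay addresses are constructed sample data.

```python
"""RFC 6811 route origin validation (ROV) applied to relay reachability.
Added example, not code from the tor-dev post or from Tor; all prefixes,
ASNs and relay addresses below are constructed sample data."""
import ipaddress

def rov_state(route_prefix, origin_asn, vrps):
    """Classify a route per RFC 6811 as Valid, Invalid or NotFound.
    vrps: iterable of (prefix, max_length, origin_asn). A VRP covers the route
    if the route lies inside it; it matches if the ASN is also equal and the
    route length does not exceed max_length."""
    route = ipaddress.ip_network(route_prefix)
    covering = []
    for prefix, max_len, asn in vrps:
        vrp_net = ipaddress.ip_network(prefix)
        if vrp_net.version == route.version and route.subnet_of(vrp_net):
            covering.append((max_len, asn))
    if not covering:
        return "NotFound"
    if any(asn == origin_asn and route.prefixlen <= max_len
           for max_len, asn in covering):
        return "Valid"
    return "Invalid"

def covering_route(addr, routes):
    """Longest-prefix match over announced routes [(prefix, origin_asn)]."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, asn in routes:
        net = ipaddress.ip_network(prefix)
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, asn)
    return best

def classify_relays(relays, routes, vrps):
    """Map relay name -> ROV state of the route that carries its address.
    Relays in 'Invalid' prefixes are those ROV-enforcing ASes cannot reach."""
    out = {}
    for name, addr in relays.items():
        route = covering_route(addr, routes)
        out[name] = "NoRoute" if route is None else rov_state(str(route[0]), route[1], vrps)
    return out

# Constructed sample data: documentation prefixes and private-use ASNs.
SAMPLE_VRPS = [("192.0.2.0/24", 24, 64500), ("198.51.100.0/22", 24, 64501)]
SAMPLE_ROUTES = [("192.0.2.0/24", 64500),      # matches a VRP      -> Valid
                 ("198.51.100.0/24", 64502),   # covered, wrong ASN -> Invalid
                 ("203.0.113.0/24", 64503)]    # no covering VRP    -> NotFound
SAMPLE_RELAYS = {"relayA": "192.0.2.10", "relayB": "198.51.100.20",
                 "relayC": "203.0.113.30"}
```

A directory authority running this would need a current VRP set from an RPKI validator and a view of the actual announced routes, which is the non-BGP-router trade-off the post mentions.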