Proposal 334: A flag to mark Relays as middle-only

s7r s7r at sky-ip.org
Tue Sep 7 20:52:05 UTC 2021

Neel Chauhan wrote:
> I believe it shouldn't affect these scenarios, but have mentioned we 
> should look out for them.
>> P.S. Rendezvous point is NOT a less powerful position (at least from
>> an onion service server/operator point of view), unless you are using
>> vanguards plugin by Mike with rendguard component activated. Because
>> it's always chosen by the client connecting to the onion service, and
>> we should assume the client is always ~LE~ evil. Trust me on this :)
> I have also updated this to be a strictly Middle-only flag, and am not 
> giving rendezvous capabilities to MiddleOnly relays.
> Sorry about this, but I have taken more-or-less a so-called "break" from 
> Tor development for a while. I am technically a volunteer, and my 
> $DAYJOB is at "Big Tech" (don't judge, that's where I found work).
> I also got FreeBSD "commit bit" (not every Tor developer uses Debian) 
> which took time away from Tor volunteer efforts. I am only getting back 
> to Tor development as of the past week or two, so I need to refresh my 
> memory.
> Going back, this update also completes the missing paragraph reported by 
> Ian, that seemed to miss me in the original proposal.

Don't worry -- it's always good to have you back. Thanks. No judging 
anywhere around here by any means :)

The proposal looks much better with the motivation section, at least I 
know what it's all about.

So the DirAuths will just vote about MiddleOnly like they vote about 
BadExit, based on internal communication. Sounds plausible for the 
desired goal.

I saw you mentioned Rendezvous Points in the list of positions where we 
will NOT use MiddleOnly relays. Please add a note to it that in order to 
enforce this particular requirement, we need to teach the onion service 
server that receives the INTRODUCE2 cell pointing to a rend point with 
the MiddleOnly flag to not proceed with the rend protocol and to close 
that circuit. Otherwise the requirement enforcement won't work, because 
anybody doing any attack would probably use modified clients that don't 
follow the rule to not select a MiddleOnly relay as rend point.

I don't see any major blockers for this proposal, because if it's voted 
on at DirAuth level only, in case it causes trouble for us in a perfect 
future (walking onions / all exits) we can simply decide at DirAuth 
level to not vote on it any more and remove the code that parses it.

What will the consensus requirement be for this flag? 50%+1? IIRC the 
BadExit flag can be assigned with less than 50%+1 DirAuths.
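
The service-side check requested in the message above, as an added sketch that is not part of the original email and is not Tor's code. The consensus fragment, relay names and identities are constructed, the function names are hypothetical, and how to treat a rend point that is absent from the consensus is an assumption the thread does not address.

```python
# Constructed consensus fragment using the dir-spec "r"/"s" line layout.
# Nicknames, identities and addresses are made up for this example.
SAMPLE_CONSENSUS = """\
r relayA AAAAAAAAAAAAAAAAAAAAAAAAAAA 2021-09-07 12:00:00 192.0.2.10 9001 0
s Fast Running Stable Valid
r relayB BBBBBBBBBBBBBBBBBBBBBBBBBBB 2021-09-07 12:00:00 192.0.2.20 9001 0
s Fast MiddleOnly Running Valid
"""


def parse_flags(consensus_text):
    """Map each relay identity (third field of an "r" line) to its flags."""
    flags_by_id, current = {}, None
    for line in consensus_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "r" and len(parts) >= 3:
            current = parts[2]
            flags_by_id[current] = frozenset()
        elif parts[0] == "s" and current is not None:
            # Whole-token set, so a flag is matched exactly, never by substring.
            flags_by_id[current] = frozenset(parts[1:])
    return flags_by_id


def service_accepts_rend_point(rend_identity, flags_by_id):
    """Decide, on the service side, whether to continue after INTRODUCE2.

    The rend point is chosen by the client, so the service cannot rely on
    the client's path selection and has to check the flag itself.
    Returns (proceed, reason).
    """
    flags = flags_by_id.get(rend_identity)
    if flags is None:
        # Assumption: relays missing from the consensus are out of scope here.
        return True, "not in consensus; MiddleOnly check does not apply"
    if "MiddleOnly" in flags:
        return False, "rend point is MiddleOnly; close the circuit"
    return True, "ok"


if __name__ == "__main__":
    table = parse_flags(SAMPLE_CONSENSUS)
    for ident in ("AAAAAAAAAAAAAAAAAAAAAAAAAAA", "BBBBBBBBBBBBBBBBBBBBBBBBBBB"):
        print(ident, service_accepts_rend_point(ident, table))
```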

