[tor-dev] Proposal 334: A flag to mark Relays as middle-only

Neel Chauhan neel at neelc.org
Sun Sep 12 19:17:37 UTC 2021


Hi,

I have an updated proposal.

On 2021-09-07 13:52, s7r wrote:
> Don't worry -- it's glad to have you back always. Thanks. No judging
> anywhere around here by any means :)

No problem!

> The proposal looks much better with the motivation section, at least
> I know what it's all about.

Thanks!

> So the DirAuths will just vote about MiddleOnly like they vote about
> BadExit, based on internal communication. Sounds plausible for the
> desired goal.

Makes sense.

> I saw you mentioned on the list of position where we will NOT use
> MiddleOnly relays RendezVous Points. Please add a note to it that in
> order to enforce this particular requirement, we need to teach the
> onion service server that receives the INTRODUCE2 cell to a rend point
> with MiddleOnly flag to not proceed with the rend protocol and close
> that circuit. Otherwise the requirement enforcement won't work because
> anybody doing any attack would probably use modified clients that
> don't follow the rules to not select a MiddleOnly as rend point.

I've added that section.

> I don't see any major blockers for this proposal, because if it's
> voted at DirAuth level only, in case it makes troubles for us in a
> perfect future (walking onions / all exits) we can simply decide at
> DirAuth level to not vote on it any more and remove the code that
> parses it.

Makes sense.

Although being a realist here, all exits aren't likely, mainly for 
relays hosted on residential ISPs as well as hosts less supportive of 
exit relays. But hey, we never know, we should prepare for any scenario, 
good or bad.

Both are very common. The former IMHO is very good as it helps 
decentralize/diversify the network away from big datacenters, even if 
only for non-exits. It's harder to surveil every ISP in NA and EU than 
it is to surveil a few OVH, Scaleway, and Hetzner datacenters. However 
the latter still sucks period, all hosts should allow exits.

For me, I'd love to have an exit from home, but there are too many 
blockers in that. My home middle relay is off right now mainly because 
of severe ping spikes when it's on [1].

> What will the consensus requirement be for this flag? 50%+1? IIRC the
> BadExit flag can be assigned with less than 50%+1 DirAuths.

To stay safe from malicious relays, like BadExit, my updated proposal 
says that if one dirauth gives a relay the MiddleOnly flag, then it's 
set for that relay. This is to prevent harm while all (or the majority 
of) dirauths give the relay that flag.

-Neel

Tidbits if you're interested (feel free to ignore if you aren't):

[1] - The CenturyLink tech said they need to add capacity to the 
neighborhood's GPON splitter node. And no, I'm not signing up for 
Comcast since Tor+WFH would saturate the DOCSIS upstream assuming I 
won't go over the cap (which I will).
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 334-middle-only-flag.txt
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20210912/440f5b30/attachment.txt>
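
The two rules discussed in this message, as an added sketch that is not part of the original post, the proposal text, or Tor's code: MiddleOnly is set as soon as one dirauth votes for it, and the onion service itself refuses a rendezvous point that carries the flag. The authority names, relay fingerprints, function names and the majority threshold used for the other flags are assumptions made for illustration.

```python
from collections import Counter

# Flags set in the consensus as soon as ONE authority votes for them
# (the rule the message describes for MiddleOnly).
ANY_VOTE_FLAGS = {"MiddleOnly"}

def consensus_flags(votes):
    """votes: {authority: {relay: set(flags)}} -> {relay: set(flags)}.

    Assumption: every other flag needs a strict majority of the authorities
    that listed the relay; that threshold is here only for contrast."""
    tally, listed = {}, Counter()
    for per_relay in votes.values():
        for relay, flags in per_relay.items():
            listed[relay] += 1
            tally.setdefault(relay, Counter()).update(flags)
    return {
        relay: {f for f, n in counts.items()
                if f in ANY_VOTE_FLAGS or n * 2 > listed[relay]}
        for relay, counts in tally.items()
    }

def service_accepts_rend_point(consensus, rend_relay):
    """Service-side check on the rendezvous point named in INTRODUCE2.

    Enforced by the service because a modified client can ignore the
    path-selection rule. A relay missing from the consensus carries no
    flags here, so this check alone does not reject it."""
    return "MiddleOnly" not in consensus.get(rend_relay, set())

# Constructed sample votes from three hypothetical authorities.
VOTES = {
    "auth1": {"AAAA": {"Running", "Fast", "MiddleOnly"},
              "BBBB": {"Running", "Fast"}},
    "auth2": {"AAAA": {"Running", "Fast"},
              "BBBB": {"Running", "Fast"}},
    "auth3": {"AAAA": {"Running"},
              "BBBB": {"Running", "Guard"}},
}

if __name__ == "__main__":
    consensus = consensus_flags(VOTES)
    for relay in sorted(consensus):
        verdict = "accept" if service_accepts_rend_point(consensus, relay) else "close circuit"
        print(relay, sorted(consensus[relay]), "->", verdict)
```
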

