[tor-relays] Bridge clients don't *really* update dynamic bridge IPs from fingerprints?

Rick Huebner rhuebner at radiks.net
Tue Jun 24 05:40:35 UTC 2014


I run a bridge from a "semi-static" home internet account, where the 
address is dynamically assigned but only changes when either the ISP or 
my hardware router goes down and forces a reconnect, which only happens 
maybe once every several months. I've read in a few places that Tor 
bridges with dynamic IP addresses are just as useful as those with 
static addresses, even if their address changes pretty often, because 
the bridge user's client will use the bridge's fingerprint to look up 
its current address and port from the bridge authority if it fails to 
connect.

How certain are we that this is actually happening? It's not the 
behavior I'm seeing here. My IP address has changed maybe 3 times in the 
last year, once for an ISP outage after a storm, and for a couple of 
hardware router firmware updates on my end. In each case, my bridge's 
traffic plummeted back to essentially nil, with a long slow regrowth 
over several weeks (or months!) as the new address slowly propagated 
around to a new set of users. I like to monitor the "Who has used my 
bridge?" status from Vidalia, and I get a real heartwarming glow when I 
see places like Syria and Iran showing up regularly. I've had a nice 
steady clientele keeping my bridge pretty busy for the past few months, 
and then yesterday I needed to do a firmware update, and *pfft* all my 
clients are gone again and I'm back to square one. Sigh. What's worse, I 
then picture that hypothetical Syrian civil rights dissident who's come 
to rely on my bridge always being there, suddenly being stranded without 
a connection and needing to scramble to find another one. Unnecessarily, 
as I was back up in minutes, just with a new address.

It's pretty clear that the mechanism for clients to refresh their 
bridge's addresses is there, but I'm doubting that it's actually working 
right. I can think of two main failure modes: either the fingerprint 
isn't being distributed (or entered), leaving the user with just the 
current IP address and port with no way to query the bridge authority 
for an update. Or it's being entered, but not actually used by the client.

For the first, BridgeDB does distribute the fingerprints, but I note 
that the docs/bridges.html.en page mentions that it's optional, but then 
doesn't say anything about what it's good for or why you should include 
it, so I wonder if many users just don't bother, especially if they need 
to query BridgeDB from a different PC than they run their own copy of 
TBB on and can't easily copy & paste the whole thing. Also, it seems the 
email responder channel doesn't even give out the fingerprints at all, 
leaving all those users automatically without updates. I don't know the 
distribution split between BridgeDB site queries and email queries, so 
it's hard to guess the impact of that lack, but it seems like something 
that could be easily fixed regardless.

Probably more critical, though, is the second option. Why would the 
fingerprint not be used if it was entered? Maybe some key option got 
disabled somehow? If I'm reading the torrc manual right, there's an 
option called UpdateBridgesFromAuthority that controls exactly this 
behavior... and it defaults to off. And to see how it ends up being set 
in the actual TBB, I installed that and checked its torrc, and it's not 
in there either, so apparently it stays disabled. "Well, there's your 
problem..."

So am I missing something, or has this feature somehow fallen through 
the cracks and ended up accidentally disabled for the vast majority of 
all bridge users? It seems like this must be having a pretty serious 
impact on overall bridge usage, as I was under the impression that a big 
percentage of bridges are run off of dynamic address accounts, and many 
of those will be changing addresses more often than mine, maybe as 
frequently as daily in the worst cases. And every time they do, they 
lose their entire clientele and have to restart the long, slow ramp up 
to a new user base again from scratch. This kind of forced, pointless 
churn can't possibly be good for the network. How many bridge operators 
are we losing every year because they never see significant traffic due 
to changing IP addresses too often? And if they ask about it, they're 
just told, "Sure, dynamic IP is fine, just be patient and they will 
come." And what's the impact on the bridge users of having their bridge 
connections going bad so much more often than they should? I think 
simply getting a bridge address might be a risk exposure for many of 
these people, and making them do it more often could be dangerous for them.

Or maybe I'm just totally misreading this, and my own experiences of 
losing all my bridge clients on each change aren't typical, but are due 
to some other unknown singular issue. How about you other bridge 
providers, how many of you are on dynamic IP addresses, and have you 
noticed a similar huge drop in traffic after a change, or does your 
traffic seem to snap back pretty quickly as it should?
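The post names two ways a client can end up stranded when a bridge's IP changes: the Bridge line carries no fingerprint, or UpdateBridgesFromAuthority is left at its default of off. The following checker, an added example and not the poster's or the Tor Project's code, parses a torrc fragment and reports which configured bridges would fall into either case. It assumes the standard torrc line shape `Bridge [transport] IP:ORPort [fingerprint]` with a 40-hex-digit fingerprint; the addresses and fingerprints in the sample are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample torrc fragment (not from the original post). The
# addresses are documentation ranges and the fingerprints are made up.
SAMPLE_TORRC = """
UseBridges 1
# UpdateBridgesFromAuthority is commented out, so it keeps its default (off).
#UpdateBridgesFromAuthority 1
Bridge 198.51.100.7:443 0123456789ABCDEF0123456789ABCDEF01234567
Bridge 203.0.113.12:9001
Bridge obfs3 192.0.2.44:8080 89ABCDEF0123456789ABCDEF0123456789ABCDEF
"""

# A bridge identity fingerprint is the 40-hex-digit hash of its identity key.
FINGERPRINT_RE = re.compile(r"^[0-9A-Fa-f]{40}$")

@dataclass
class BridgeLine:
    transport: Optional[str]   # pluggable transport name, if any
    address: str               # IP:ORPort as written in the torrc
    fingerprint: Optional[str] # None when the optional fingerprint was omitted

def parse_torrc(text: str):
    """Return (update_from_authority, [BridgeLine, ...]) for a torrc text."""
    update = False
    bridges = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key == "UpdateBridgesFromAuthority":
            update = value.strip() == "1"
        elif key == "Bridge":
            fields = value.split()
            # The first field is a transport name unless it looks like IP:port.
            transport = fields.pop(0) if ":" not in fields[0] else None
            address = fields.pop(0)
            fp = fields[0].upper() if fields and FINGERPRINT_RE.match(fields[0]) else None
            bridges.append(BridgeLine(transport, address, fp))
    return update, bridges

def stranded_after_ip_change(text: str):
    """Bridges the client could not re-find by fingerprint after an IP change."""
    update, bridges = parse_torrc(text)
    if not update:
        return [b.address for b in bridges]   # fingerprints present but unused
    return [b.address for b in bridges if b.fingerprint is None]
```

With the sample as written every bridge is reported, because the option is off; uncommenting `UpdateBridgesFromAuthority 1` narrows the list to the one Bridge line that lacks a fingerprint.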