[tor-relays] pinning relay keys to IPs (or not)

Pascal Terjan pterjan at gmail.com
Sun Jul 26 21:32:18 UTC 2015


On 26 July 2015 at 17:48, Yawning Angel <yawning at schwanenlied.me> wrote:
> On Sun, 26 Jul 2015 16:11:56 +0200
> nusenu <nusenu at openmailbox.org> wrote:
>
>> [split from 'Giving away some "pre-warmed" relay keys for adoption']
>
> Ok.
>
>> > I'm of the opinion that it may be worth adding code to pin relay
>> > identities to IP addresses on the DirAuth side so that consensus
>> > weight and flag assignment gets totally reset if the ORPort IP
>> > changes, but if there's too much churn already it may cause more
>> > trouble than it's worth.
>>
>> I hope such code will not be added, because it renders relays on
>> dynamic IPs basically useless.
>> In the past ~week alone, there were >1000 fingerprints (<3% cw fraction)
>> using more than one IP address (in that timeframe).
>
> Hey neat, numbers, thanks. <3% cw doesn't seem that bad.
>
> I will reiterate that such a thing only will become viable once the
> bandwidth measurement stuff sees massive improvement (and it is being
> worked on), so this isn't a short term thing, and is just an idea.
>
> I question the usefulness of most of the relays running on residential
> lines in the first place for other reasons (e.g., most consumer routers
> are crap, and will probably not be able to simultaneously maintain a
> connection to every single other relay + bridge, which is rather
> unhealthy to the network overall.  Being able to measure this and
> delist/reduce consensus weight here would be good as well.).

It seems my relay at home is doing quite well (but my IP, even if not
static, has never changed so far, so it's not very relevant to the
discussion).
It currently has 5763 open TCP connections in the tor container; 3116
are to my port 9001 (a mix of guard and other relays, I believe) and I
guess the 2647 others are outgoing to other relays.

It seems the router is a
http://enterprise.zte.com.cn/en/products/network_lnfrastructure/cpe/broadband/201404/t20140418_422573.html
rebranded by my ISP and it has no problem with that amount of NAT.

Uptime: 34 days
Consensus Weight: 45000

> If the relay's IP is constantly changing significantly faster than the
> Guard rotation interval (needs more numbers here), I'm not sure if they
> make great Guards, but this is an arma/asn type question since they
> think more about Guards than I do.
>
> Under a Tor that has the sort of pinning behavior I envision, a relay
> that changes an IP once in a blue moon still remains useful, a relay
> that changes an IP frequently (for some definition of frequently) will
> be used as a middle only (which is still useful).

