[tor-relays] Unwarranted discrimination of relays with dynamic IP

Sebastian Hahn sebastian at torproject.org
Thu Dec 22 16:03:02 UTC 2016


Hi there,

I am one of the directory authority operators, so while I don't
claim to know what the collective community wants, I am one of
the people who are asked to make these decisions.

> On 22 Dec 2016, at 10:25, Rana <ranaventures at gmail.com> wrote:
> 
> So my question to the community is as follows: does the Tor community want these small, cheap relays scattered in large quantity around the world, or not?

Executive Summary:
On balance, the very small relays do not contribute enough resources
compared to the associated costs to be worthwhile. Details below.

> I realize there could be pros and contras. Among the contras there could be (for example) many small relays overloading the dirauths. I would like to hear more about the contras.

The dirauths are indeed a bottleneck in the Tor relay ecosystem, as they
have to regularly contact each relay, measure its bandwidth, check for
malicious behaviour etc. But the dirauths are doing fine. The load my
dirauth receives is negligible compared to what it could handle. There's
a much bigger contributing factor here, however: The information about
all relays must be made available to all clients, in a somewhat
synchronized fashion. Tor has recently improved its design in this
regard massively with the introduction of microdescriptors, and since
then it's become somewhat more tolerable to have many small relays. In
the past, we allowed relays in the network that were a net drain on
available bandwidth, because just distributing their key material used
up more bandwidth than they provided in total.

Residential lines in particular are typically very bad choices for
relays, because they are much more prone to fluctuations in available
bandwidth, the hardware caves when too many connections are open in
parallel, and if the connection (which most often is asymmetric, with
less upload capacity than down) were anywhere near saturated, using the
internet would become a horribly slow and unpleasant experience.

This last point is also the reason why any time you build any kind of
network, you overprovision like crazy. The de-cix (largest internet
exchange currently in existence) has a peak traffic that exceeds the
average by a factor of roughly 1.75. The connected capacity is larger by
a factor of 3.5. This is just so that you don't experience service
degradation, and it's very common in computer networking. In the past,
Tor was massively overloaded and very slow to use, which was a very real
obstacle to getting it used, even in places that heavily censor or
surveil internet usage.

I have a relay on a symmetric 1gbit/s connection, yet the average
traffic I push with that relay is just 16MB/s per direction. It is a
non-exit relay, if it were used to exit I suspect it would maybe double
or quadruple that utilization, but probably get nowhere near line
capacity. If more people wanted to make use of it they could, but
currently they don't - that's OK, there's no obligation for the Tor
network to fill my relay with traffic that it shouldn't get. It is not
just the small relays that don't get as much traffic as they could
handle.

> Among the pros there could be increased security and anonymity, as it would take adversaries a bigger effort to infiltrate the network by establishing rogue relays. Also could be invaluable as bridges to help people under repressive regimes overcome censorship. Tor is gradually getting killed there.

To me, the biggest pro is that the number of relay operators, of people
who care enough to support the Tor network, is great politically. It's
awesome that so many people want to help by providing some of the
bandwidth they pay for. It's amazing that Exit operators make their
connections endpoints of a public network.

Robustness of the network is a comparatively much smaller factor.
Needing to re-distribute information about changed IP addresses is a major
hurdle towards bridge adoption. We've actually found that large bridges
running one of the obfuscation protocols have massively higher chances
of being useful than small and unreliable bridges, which is why Isis, the
bridge db and bridge authority operator, has asked us not to recommend
people run bridges on their small residential connections.

I want to dispute the claim that unreliable relays (those either too
slow or changing their IP too often to be used as Guards) contribute
much anonymity-wise. The biggest protection you get is from your guard,
and if you need to roll the dice more often (to pick a new guard more
often), the chance that you pick one that is controlled by an adversary
of yours increases.

> My general impression is that the current DirAuth and bwauths policies are stuck at some old paradigm where small bandwidth relays are dismissed without good reason, and tons of bandwidth gains and especially diversity and anonymity benefits are foregone

The reasons I have presented above are good enough for me, personally.
It seems I am not alone in this assessment. Perhaps I have been able to
convince you, or at least explain my personal reasoning in a way that
allows you to find some reason in it.

Thanks for being a supporter of privacy, anonymity and human rights.

Cheers
Sebastian