[tor-relays] Running 5000 relays...

nusenu nusenu at openmailbox.org
Sun Mar 6 13:21:12 UTC 2016


Moritz wrote:
> Maybe this is better taken to tor-relays.

Ok.

url to the tor-dev thread:
https://lists.torproject.org/pipermail/tor-dev/2016-March/010473.html

Brian didn't say anything about planned deployment locations, but if
_all_ relays are within a single /16 network you might skip MyFamily
altogether, but I assume they are not.

> In my case machines have a lifecycle.  They come and they
> go

out of curiosity:
What percentage of them do you expect to be online concurrently?
(starting when)
Are you planning to rekey when "coming back" or resume with the former?


> On 03/05/2016 10:31 PM, Brian "redbeard" Harrington wrote:
>> "Let's say you are about to deploy 100 relays within the next week." -
>>  Take this an order of magnitude greater and we're on the right track
>> with the correct scale.  It is a regular occurrence for our users to
>> deploy 500 to 5000 nodes at a time.

This is why I said "and maybe set yourself an upper boundary as to how
big you want to grow"

A single entity deploying 5000 relays isn't very sane at the current
network size I guess,
but instead of speaking of relay counts using CW fraction/exit/guard
probability as upper boundaries makes more sense. <10% might be a worthy
upper boundary for exit/guard probability.

The biggest (known) exit operator is currently at 7-8% exit probability.

teor wrote:
> And there's likely some limit on MyFamily or on descriptor size that would stop
> you listing 1000 fingerprints.

That is actually another good use-case for replacing the current
MyFamily design with something that scales better with family size like
Mike's proposed design (#5565), but we did not see declared families
that big so far. It was no problem in practice.

https://gitweb.torproject.org/torspec.git/tree/dir-spec.txt#n364
> Server descriptors may not exceed 20,000 bytes in length; [...] If they do, the
> authorities SHOULD reject them.


So the max family size would be something around 400 relays?

(20000 - 1250) / 42 = 446

(1250 bytes was the size of a non-exit sample descriptor without family)


> generating 1000 relay keys and coordinating that key
> distribution dance across the same number of nodes (more than likely in
> highly distributed environments) seems to bring more questions than it
> answers (securing the keys for those nodes, securely distributing them,
> etc)

What problems do you expect when generating and transferring 1000 relay
keys? (besides the descriptor limit)
... but before trying to solve any problems it is probably best to
answer the question whether a single entity should run >5% CW fraction
at all.

> There are about 7000 relays in
> total, with over 1000 of them (almost 40% of the capacity) at only three
> ASes.

Top 3 ASes currently account for 32% cw fraction.
https://compass.torproject.org/#?exit_filter=all_relays&links&sort=cw&sort_reverse=true&country=&top=3&by_as


but the top 1000 relays account for >72% cw fraction

https://compass.torproject.org/#?exit_filter=all_relays&links&sort=cw&sort_reverse=true&country=&top=1000&by_as=false
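
Added example (not part of the original message and not Tor's own code): the family-size estimate from the message, checked by building a descriptor `family` line from constructed fingerprints and measuring it against the 20,000-byte limit. It assumes every member is listed as `$` plus a 40-hex-digit fingerprint separated by one space, which is where 42 bytes per member comes from; the function names are hypothetical.

```python
import hashlib

MAX_DESCRIPTOR_BYTES = 20000   # dir-spec.txt limit quoted in the message
BASE_DESCRIPTOR_BYTES = 1250   # sample non-exit descriptor without family (from the message)


def constructed_fingerprint(i):
    """Constructed sample value: 40 hex chars, same shape as a relay fingerprint."""
    return hashlib.sha1(b"constructed-relay-%d" % i).hexdigest().upper()


def family_line(fingerprints):
    """Assumed layout: 'family' keyword, then '$'-prefixed fingerprints, space separated."""
    return "family " + " ".join("$" + fp for fp in fingerprints) + "\n"


def descriptor_size(n_members, base=BASE_DESCRIPTOR_BYTES):
    """Estimated descriptor size in bytes for a relay listing n_members family members."""
    if n_members == 0:
        return base  # no family line at all
    fps = [constructed_fingerprint(i) for i in range(n_members)]
    return base + len(family_line(fps).encode("ascii"))


def max_family_members(base=BASE_DESCRIPTOR_BYTES, limit=MAX_DESCRIPTOR_BYTES):
    """Largest member count whose descriptor still fits the limit (binary search)."""
    lo, hi = 0, limit // 41  # each member needs at least 41 bytes, so this bounds the search
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if descriptor_size(mid, base) <= limit:
            lo = mid
        else:
            hi = mid - 1
    return lo


if __name__ == "__main__":
    per_member = descriptor_size(2) - descriptor_size(1)
    print("bytes per additional member:", per_member)
    print("max members with a 1250-byte base:", max_family_members())
    for n in (100, 446, 447, 1000):
        size = descriptor_size(n)
        verdict = "fits" if size <= MAX_DESCRIPTOR_BYTES else "authorities SHOULD reject"
        print(f"{n:5d} members -> {size:6d} bytes ({verdict})")
```

The result depends on the base descriptor size: an exit relay with a long exit policy leaves less room for the family line than the 1250-byte non-exit sample used here.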

