[tor-relays] About relay size

Scott Bennett bennett at sdf.org
Wed Oct 4 04:49:51 UTC 2017


teor <teor2345 at gmail.com> wrote:

>
> > On 3 Oct 2017, at 08:52, Scott Bennett <bennett at sdf.org> wrote:
> > 
> > teor <teor2345 at gmail.com> wrote:
> > 
> >> 
> >> On 3 Oct 2017, at 03:07, Scott Bennett <bennett at sdf.org> wrote:
> >> 
> >>>>> In the meantime, I think it would be great to have IPv6-only relays, to
> >>>>> avoid this kind of NAT-related issues.
> >>>> 
> >>>> We'd love to make this happen, but the anonymity implications
> >>>> of mixed IPv4-only and IPv6-only (non-clique) networks need
> >>>> further research. Search the list archives for details.
> >>>> 
> >>>    Couldn't that be taken care of in the tor client code?  For example, a
> >>> client, having chosen a path through which an IPv6-only relay, could extend
> >>> the path by one hop to tunnel through a node with both types of interface
> >>> published?
> >> 
> >> Yes, clients choose paths, and could choose them using these kinds of
> >> restrictions. But current tor relay versions won't extend to other relays
> >> over IPv6. Because we don't understand the anonymity implications of
> >> restricting the next relay in the path based on the previous relay. Which
> >> is why we need further research.
> > 
> >     Here's a procedure:  if the next hop/destination does not use a protocol
> > in common with the client/current hop, a dual-protocoled node must be
> > interposed; else use the originally selected hop/destination directly.
>
> But is this procedure safe?

     Why might it not be safe?

> And is it an efficient use of resources to add extra hops?

     Well, the additional hops ought to increase the safety.  Wouldn't that
have to be considered in an efficiency calculation?

> (That is, is there a more efficient 3-hop algorithm that's just as safe?)
> We need research to answer these questions.

     It seems to me that a) using a small number (i.e., 3) of hops reduces
safety and b) a constant number of hops also reduces safety.  Added hops to
make an unpredictable path length ought to counter the alleged safety issues
in choosing hops from a smaller pool.  Also, unless the pool of dual-protocol
hops is much smaller than the number of relays available, say, ten years ago,
I don't see a reason to worry.  (We were thrilled to have 900 - 1300 up at
any one time.)
>
> > The client-to-first-hop situation is analogous to using a set of entry guards
> > today, so that much should be okay.  What do IPv6-only clients currently do?
>
> Choose a relay with an IPv6 ORPort.
> (Or configure a bridge with an IPv6 ORPort or pluggable transport.)
>
> IPv6-only clients need to be manually configured using "ClientUseIPv4 0",
> because this feature is still experimental. We think it will be safer when all
> dual-stack clients use some IPv6 guards.
>
     Dual-protocol clients connecting to dual-protocol entry nodes ought to
choose randomly which protocol to use.  Similarly, a dual-protocol relay
extending to another dual-protocol relay ought to choose randomly which
protocol to use for the connection.  Both clients and relays would have the
option of retrying the attempt via the other protocol in the event a failed
attempt to connect.  This ought to have been implemented already, but can
still be done soon.

> >     Allowing IPv6 destinations today limits exit-hop selections to dual-
> > protocol-capable exit nodes
>
> No, IPv4-only exits are still useful and used, because tor clients typically
> send DNS names to exits. IPv6 DNS records typically have IPv4 as well,
> so any exit will work. (There's a ticket for better handling of DNS that
> only resolves to IPv6.)
>
> And in the rare case of address literals, the client can choose a capable
> exit. (I think there's a ticket for this, too.)

     Okay, but those circuits are incidental to the circuit that a user wants,
which is limited to dual-protocol-capable nodes.
>
> > which is like using an "ExitNodesIPv6" (if there
> > were such a thing) line in torrc with a long and growing list of nodes.
>
> There are flags on SOCKSPort for IP versions, including PreferIPv6, which
> is the default.
>
> > How
> > long would that list have to be for the warning on the man page under the
> > ExitNodes statement definition to become unimportant?  How many were there
> > when IPv6 destinations were first allowed?
>
> The situation isn't analogous.
>
> For safety, IPv6 exit destinations were turned off by default until we had enough
> IPv6 exits. Now they are on by default.

     I repeat:  how many were there when IPv6 destinations were first allowed?
How many when the default was changed?
>
> But we haven't done the same thing for relays, because we don't know how to
> design the feature so it's safe.

     As soon as there are as many IPv6-capable relays as there were IPv4
relays ten years ago, there will no longer be any reason not to enable their
use.  How close are we to reaching that number now?  Or have we already
passed it?
>
> >     For interposing dual-protocoled nodes along the way, how many do there
> > have to be for it to become "not too limiting"?
>
> This is one of the questions we need researchers to answer.
>
     Maybe.  That depends upon whether we already have at least as many as
were considered safe for IPv4.

> >>> A related question is can a relay with only an IPv4 address
> >>> published currently set an IPv6 OutboundBindAddress?
> >> 
> >> Yes. This is useful for IPv6 exits without a fixed IPv6 ORPort address.
> >> 
> >     That's okay, but what if the node is an entry-and-middle node only?
>
> Relays don't extend to IPv6, so you can set the option, but it won't do
> anything, because there are no outbound IPv6 connections.
>
    But they could, and ought to, be doing that, at least in some
circumstances, as noted above.


                                  Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet:   bennett at sdf.org   *xor*   bennett at freeshell.org  *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************


More information about the tor-relays mailing list