[tor-relays] Is the public information for relays trustable?

Roger Dingledine arma at mit.edu
Sat Nov 24 22:37:28 UTC 2018


On Fri, Nov 23, 2018 at 01:30:12PM -0600, Gunnar Wolf wrote:
> I am working together with some other people to increase the number of
> relays in Mexico. We have finally started to increase the number -
> from our usual two active relays to four, still WAY too low, but it's
> a beginning:
> 
>     https://metrics.torproject.org/rs.html#search/country:mx

Cool!

> But there are some issues / questions bugging me:
> 
> When we set out to pursue this, we faced the reality that most Mexican
> ISPs block Tor relays in some way or another: The main ISP in the
> country (Telmex / Infinitum / Uninet, depending on the business branch
> in question) blocks all communication to seven of the dirauths,
> thereby making it impossible to operate a relay

Ok. There are two pieces to how this could be a problem. The first piece
is that when the relay tries to publish its descriptor, it can't reach
the directory authorities, so they never learn that it exists. For this
side, even being able to reach one of them would technically be enough,
because that one will get the word to the rest of them.

The second piece is that the directory authorities need to be able to
reach the relay, to decide that it's Running. So if the blocking goes
both ways, and a majority of the dir auths can't reach the relay, it
won't get the Running flag in the consensus.

> (although bridges do
> work); many other ISPs employ a set of nested NAT systems, making it
> impossible for external computers to reach a server inside it...
> 
> However, we have at least one relay claiming to be from Uninet
> (5F6E720D7F0A95D6276B6F6DF8C210735A331B9D - Not currently online, but
> made it to the consensus at least at several points over the past
> months).

It's online as I write this. I can reach it from moria1.

https://metrics.torproject.org/rs.html#details/5F6E720D7F0A95D6276B6F6DF8C210735A331B9D

$ host 189.144.191.183
183.191.144.189.in-addr.arpa domain name pointer dsl-189-144-191-183-dyn.prod-infinitum.com.mx.

(I don't know enough about the Mexico ISP world to know if prod-infinitum
is the same as Uninet.)

> We also have some in an ISP that gives addresses behind multiple
> layers of NAT and are unworkable
> (FF3FF664B0811B2E3C237BECA4382966AD9E393C,
> 6E483A91105C647A65ED04E1CB637AAD84F5943F)

Those are indeed publishing to moria1, but they're not currently reachable
(probably because they're not currently up). They look like they're at
DSL providers. Have any of them actually been marked Running?

Btw, all of these UbuntuCore relays are from snap packages run by Tor
enthusiasts -- but in general the UbuntuCore Tor relays aren't stable
or around for a long time, since people who want to run a real Tor relay
tend to use the more traditional Tor packages.

> So... Is this information right? Can this be in some way spoofed? How
> should I interpret this?

I haven't seen anything weird yet. There's a relay, it's running; there
are some other relays that aren't currently online and may not ever have
been reachable or may have figured out some sort of port forwarding /
firewall piercing trick to be reachable.

(Relays try not to publish their descriptor until their self-reachability
test works, so it seems likely that at some point in the past they managed
to get a connection to their IP:ORPort to work. That or the UbuntuCore
snap package does something weird like setting AssumeReachable to 1.)

--Roger
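The two checks Roger describes (is the relay listed in the consensus at all, and did a majority of the authorities find it reachable and vote Running) can be exercised against a consensus document directly. The following is an added example, not code from the thread or from the Tor project: it converts a Relay Search hex fingerprint into the unpadded base64 identity used in consensus `r` lines, parses the `r`/`s` entries of a constructed consensus fragment, reports whether a given relay carries the Running flag, and models the majority rule as a simplified vote tally. The nicknames, digests, the 192.0.2.10 address and the authority labels are assumptions made up for the example; the fingerprints and the 189.144.191.183 address are the ones quoted above.

```python
import base64
from dataclasses import dataclass, field


def fingerprint_to_consensus_id(hex_fingerprint: str) -> str:
    """Convert a 40-hex-char relay fingerprint (as shown on Relay Search)
    to the unpadded base64 identity that consensus 'r' lines carry."""
    raw = bytes.fromhex(hex_fingerprint)
    if len(raw) != 20:
        raise ValueError("a relay identity fingerprint is 20 bytes")
    return base64.b64encode(raw).decode("ascii").rstrip("=")


@dataclass
class RouterStatus:
    nickname: str
    identity: str  # unpadded base64, exactly as in the consensus
    address: str
    or_port: int
    flags: set = field(default_factory=set)


def parse_consensus(text: str) -> dict:
    """Parse the 'r' and 's' lines of a consensus into RouterStatus objects
    keyed by identity. Other line types (w, v, pr, ...) are ignored."""
    entries = {}
    current = None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "r" and len(parts) >= 8:
            # r nickname identity digest date time IP ORPort DirPort
            current = RouterStatus(parts[1], parts[2], parts[6], int(parts[7]))
            entries[current.identity] = current
        elif parts[0] == "s" and current is not None:
            current.flags = set(parts[1:])
    return entries


def relay_is_running(consensus_text: str, hex_fingerprint: str) -> bool:
    """True only if the relay is listed AND carries the Running flag.
    A relay that never reached any authority is simply absent."""
    entry = parse_consensus(consensus_text).get(
        fingerprint_to_consensus_id(hex_fingerprint))
    return entry is not None and "Running" in entry.flags


def running_by_majority(reachability_votes: dict) -> bool:
    """Simplified model of the rule described above: each authority votes
    Running if it could reach the relay, and the flag lands in the consensus
    only when more than half of the voting authorities say so."""
    yes = sum(1 for reachable in reachability_votes.values() if reachable)
    return yes * 2 > len(reachability_votes)


# Fingerprints quoted in the thread.
FP_UNINET = "5F6E720D7F0A95D6276B6F6DF8C210735A331B9D"
FP_NAT_1 = "FF3FF664B0811B2E3C237BECA4382966AD9E393C"

# Constructed consensus fragment: nicknames, digests, the second address and
# the flags are invented; the identities are derived from the fingerprints.
SAMPLE_CONSENSUS = f"""\
r MxRelayOne {fingerprint_to_consensus_id(FP_UNINET)} AAAAAAAAAAAAAAAAAAAAAAAAAAA 2018-11-24 20:00:00 189.144.191.183 9001 0
s Fast Running V2Dir Valid
w Bandwidth=300
r MxRelayTwo {fingerprint_to_consensus_id(FP_NAT_1)} AAAAAAAAAAAAAAAAAAAAAAAAAAA 2018-11-24 20:00:00 192.0.2.10 9001 0
s Valid
w Bandwidth=0
"""

if __name__ == "__main__":
    for fp in (FP_UNINET, FP_NAT_1):
        state = "Running" if relay_is_running(SAMPLE_CONSENSUS, fp) else "not Running"
        print(fp, state)
    # Hypothetical per-authority reachability results for a relay whose ISP
    # blocks traffic from most authorities in both directions (labels invented).
    votes = {"moria1": True, "auth2": True, "auth3": False, "auth4": False, "auth5": False}
    print("majority says Running:", running_by_majority(votes))
```

Feeding a real consensus file (for example one saved by a running relay in its data directory as `cached-microdesc-consensus`, or a full consensus fetched from an authority's DirPort) into `relay_is_running` gives the same answer Relay Search shows, which is a handy way to confirm from your own copy that a relay was actually marked Running rather than merely present.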
