[tor-talk] Tor routing algorithm questions

Roger Dingledine arma at mit.edu
Thu Jul 7 23:51:26 UTC 2016

On Thu, Jul 07, 2016 at 10:57:00PM +0000, Patrick Schleizer wrote:
> scenario A)
> Let's assume someone's Tor client picked an entry guard on IP
> AAA.BBB.CCC.EEE. And then [without knowing and/or by chance] tried to
> make a torified connection to [1] IP AAA.BBB.CCC.EEE.
> - Would Tor use that entry guard to establish the connection?


In fact, generally Tor clients go to domain names, not to straight
IP addresses, so the client wouldn't even know whether it's in this
situation until it was most of the way through making the request.

(Also, DNS isn't signed or anything, so you should imagine all the
terrible things that could happen if we make clients change their guard
selection based on destination IP address, yet exit relays can lie however
they like about what IP address the destination supposedly maps to.)

> - If so, wouldn't that open up for an end-to-end correlation attack?


> - Does it make a difference if the torified connection is to


But speaking of all this, see also the research papers proposing to modify
route selection to reduce the chance of the same Autonomous System (AS)
appearing on two parts of the path. The most recent one is "DeNASA:
Destination-Naive AS-Awareness in Anonymous Communications" by Armon
Barton and Matthew Wright, and it should become available shortly as it
will be presented at PETS in just a few weeks. But the summary of that
paper is that clients should pick their guard based on their local IP
address and on the common destinations that clients might often go to,
to reduce the chance of picking a guard from a network location that
will see a lot of their exit traffic too.

> #####
> different scenario B)
> Let's assume someone using WiFi with IP WWW.XXX.YYY.ZZZ starts Tor for
> the first time. Its Tor client picked an entry guard on IP
> AAA.BBB.CCC.EEE. Now, the user leaves that WiFi and uses another WiFi
> - Would Tor be clever enough to move on to another entry guard?

No. How can we know whether the user has changed location a lot or a
little? IP addresses can be wildly different yet still located in the
same building, and we certainly wouldn't want to keep shifting guards
too much.

Also, if we *did* shift guards, should we shift back if we went back
to the old location? Does that mean Tor should keep track (on disk of
course) of its previous locations? Can a hostile DHCP server offer an
IP address from a suspected previous location and then see which guard
the client opts to use?

> - What if the user was using a bridge on IP AAA.BBB.CCC.EEE? Would Tor be
> refusing that bridge?


For a related (not the same) edge case, see also


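A simplified sketch of the guard-selection idea summarized in the message above, where the guard is chosen from the client's network location and aggregate data about common destinations rather than from the destination of any one connection. This is an added example, not code from Tor or from the DeNASA paper; the AS numbers, paths, traffic shares, threshold and scoring rule are all constructed assumptions.

```python
import random

# Constructed sample data; AS numbers come from the private-use range.
# ASes on the network path from the client's current network to each guard.
ENTRY_PATH_ASES = {
    "guardA": {64512, 64520, 64530},
    "guardB": {64512, 64521, 64540},
    "guardC": {64512, 64522, 64550},
}
GUARD_BANDWIDTH = {"guardA": 500, "guardB": 300, "guardC": 200}
# Assumed fraction of exit-to-destination traffic (for common destinations)
# that crosses each AS.
EXIT_SIDE_SHARE = {64530: 0.40, 64540: 0.05, 64560: 0.30}


def exposure(guard):
    """Score: exit-side traffic share of the ASes that also sit on the entry path."""
    return sum(EXIT_SIDE_SHARE.get(asn, 0.0) for asn in ENTRY_PATH_ASES[guard])


def candidate_guards(max_exposure):
    """Guards whose entry path overlaps little with the exit side."""
    ok = [g for g in ENTRY_PATH_ASES if exposure(g) <= max_exposure]
    # Fall back to every guard rather than end up with an empty set.
    return sorted(ok) if ok else sorted(ENTRY_PATH_ASES)


def pick_guard(max_exposure, rng):
    """Bandwidth-weighted choice among the low-exposure candidates.

    The destination of any particular stream is not an input: the choice is
    made once, from the client's location and aggregate destination data.
    """
    guards = candidate_guards(max_exposure)
    weights = [GUARD_BANDWIDTH[g] for g in guards]
    return rng.choices(guards, weights=weights, k=1)[0]


if __name__ == "__main__":
    rng = random.Random(2016)
    for g in sorted(ENTRY_PATH_ASES):
        print(g, exposure(g))
    print("picked:", pick_guard(0.10, rng))
```

Because no per-connection destination address feeds into `pick_guard`, a false DNS answer from an exit relay cannot steer which guard the client uses.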