[tor-commits] [torspec/main] Add Prop334: A Directory Authority Flag To Mark Relays As Middle-only
dgoulet at torproject.org
dgoulet at torproject.org
Thu Sep 30 12:34:40 UTC 2021
commit b0e26eac5f3224553b58efb1fde6c8d90dd8adbe
Author: Neel Chauhan <neel at neelc.org>
Date: Fri Sep 17 16:07:40 2021 -0700
Add Prop334: A Directory Authority Flag To Mark Relays As Middle-only
---
proposals/334-middle-only-flag.txt | 115 +++++++++++++++++++++++++++++++++++++
1 file changed, 115 insertions(+)
diff --git a/proposals/334-middle-only-flag.txt b/proposals/334-middle-only-flag.txt
new file mode 100644
index 0000000..ed5de42
--- /dev/null
+++ b/proposals/334-middle-only-flag.txt
@@ -0,0 +1,115 @@
+Filename: 334-middle-only-flag.txt
+Title: A Directory Authority Flag To Mark Relays As Middle-only
+Author: Neel Chauhan
+Created: 2021-09-07
+Status: Open
+
+1. Introduction
+
+ The Health Team often deals with a large number of relays with an incorrect
+ configuration (e.g. not all relays in MyFamily), or needs validation that
+ requires contacting the relay operator. It is desirable to put the said
+ relays in a less powerful position, such as a middle only flag that prevents
+ a relay from being used in more powerful positions like an entry guard or an
+ exit relay. [1]
+
+1.1. Motivation
+
+ The proposed middle-only flag is needed by the Health Team to prevent
+ misconfigured relays from being used in positions capable of deanonymizing
+ users while the team evaluates the relay's risk to the network. An example
+ of this scenario is when a guard and exit relay run by the same operator
+ has an incomplete MyFamily, and the same operator's guard and exit are used
+ in a circuit.
+
+ The reason why we won't play with the Guard and Exit flags or weights to
+ achieve the same goal is because even if we were to reduce the guard and
+ exit weights of a misconfigured relay, it could keep some users at risk of
+ deanonymization. Even a small fraction of users at risk of deanonymization
+ isn't something we should aim for.
+
+ One case we could look out for is if all relays are exit relays (unlikely),
+ or if walking onions are working on the current Tor network. This proposal
+ should not affect those scenarios, but we should watch out for these cases.
+
+2. The MiddleOnly Flag
+
+ We propose a consensus flag MiddleOnly. As mentioned earlier, relays will be
+ assigned this flag from the directory authorities.
+
+ What this flag does is that a relay must not be used as an entry guard or
+ exit relay. This is to prevent issues with a misconfigured relay as described
+ in Section 1 (Introduction) while the Health Team assesses the risk with the
+ relay.
+
+3. Implementation details
+
+ The MiddleOnly flag can be assigned to relays whose IP addresses and/or
+ fingerprints are configured at the directory authority level, similar to
+ how the BadExit flag currently works. In short, if a relay's IP is
+ designated as middle-only, it must assign the MiddleOnly flag, otherwise
+ we must not assign it.
+
+ Relays which haven't gotten the Guard or Exit flags yet but have IP addresses
+ that aren't designated as middle-only in the dirauths must not get the
+ MiddleOnly flag. This is to allow new entry guards and exit relays to enter
+ the Tor network, while giving relay administrators flexibility to increase
+ and reduce bandwidth, or change their exit policy.
+
+3.1. Client Implementation
+
+ Clients should interpret the MiddleOnly flag while parsing relay descriptors
+ to determine whether a relay is to be avoided for non-middle purposes. If
+ a client parses the MiddleOnly flag, it must not use MiddleOnly-designated
+ relays as entry guards or exit relays.
+
+3.2. MiddleOnly Relay Purposes
+
+ If a relay has the MiddleOnly flag, we do not allow it to be used for the
+ following purposes:
+
+ * Entry Guard
+
+ * Directory Guard
+
+ * Exit Relay
+
+ The reason for this is to prevent a misconfigured relay from being used
+ in places where they may know about clients or destination traffic. This
+ is in case certain misconfigured relays are used to deanonymize clients.
+
+ We could also bar a MiddleOnly relay from other purposes such as rendezvous
+ and fallback directory purposes. However, while more secure in theory, this
+ adds unnecessary complexity to the Tor design and has the possibility of
+ breaking clients that aren't MiddleOnly-aware [2].
+
+4. Consensus Considerations
+
+4.1. Consensus Methods
+
+ We propose a new consensus method 32, which is to only use this flag if and
+ when all authorities understand the flag and agree on it. This is because the
+ MiddleOnly flag impacts path selection for clients.
+
+4.2. Consensus Requirements
+
+ The MiddleOnly flag would work like most other consensus flags where a
+ majority of dirauths have to assign a relay the flag in order for a relay
+ to have the MiddleOnly flag.
+
+ Another approach is to make it that only one dirauth is needed to give
+ relays this flag, however it would put too much power in the hands of a
+ single directory authority servre [3].
+
+5. Acknowledgements
+
+ Thank you so much to nusenu, s7r, David Goulet, and Roger Dingledine for your
+ suggestions to Prop334. My proposal wouldn't be what it is without you.
+
+6. Citations
+
+ [1] - https://gitlab.torproject.org/tpo/core/tor/-/issues/40448
+
+ [2] - https://lists.torproject.org/pipermail/tor-dev/2021-September/014627.html
+
+ [3] - https://lists.torproject.org/pipermail/tor-dev/2021-September/014630.html
More information about the tor-commits
mailing list