[tor-dev] Desired exit node diversity

Virgil Griffith i at virgil.gr
Wed Sep 23 11:34:54 UTC 2015


> because "the right distribution" is a function of which adversary you're
> considering, and once you consider k adversaries at once, no single
> distribution will be optimal for all of them.)

Granted.  But since we're speaking idealizations, I say take the
expected value over the distributions weighted by the probability of each
adversary.  In application this would be a distribution that, although
unlikely to be optimal against any specific adversary, has robust
hardness across a wide variety of adversaries.

Or, if that distribution is unclear, pick the distribution of exit relays
with the highest minimum hardness.  This reminds me of the average-entropy
vs min-entropy question for quantifying anonymity.  I'd be content with
either solution, and in regards to Roster I'm not sure the difference will
matter much.  I am simply asking the more knowledgeable for their opinion
and recommendation.  Is there one?

-V



On Wed, Sep 23, 2015 at 2:47 PM Roger Dingledine <arma at mit.edu> wrote:

> On Wed, Sep 23, 2015 at 06:26:47AM +0000, Yawning Angel wrote:
> > On Wed, 23 Sep 2015 06:18:58 +0000
> > Virgil Griffith <i at virgil.gr> wrote:
> > > * Would the number of exit nodes constitute exactly 1/3 of all Tor
> > > nodes? Would the total exit node bandwidth constitute 1/3 of all Tor
> > > bandwidth?
> >
> > No. There needs to be more interior bandwidth than externally facing
> > bandwidth since not all Tor traffic traverses through an Exit
> > (Directory queries, anything to do with HSes).
> >
> > The total Exit bandwidth required is always <= the total amount of Guard
> > + Bridge bandwidth, but I do not have HS utilization or Directory query
> > overhead figures to give an accurate representation of how much less.
>
> On the flip side, in *my* idealized Tor network, all of the relays are
> exit relays.
>
> If only 1/3 of all Tor relays are exit relays, then the diversity of
> possible exit points is much lower than if you could exit from all the
> relays. That lack of diversity would mean that it's easier for a relay
> adversary to operate or compromise relays to attack traffic, and it's
> easier for a network adversary to see more of the network than we'd like.
>
> (In an idealized Tor network, the claim about the network adversary
> might not actually be true. If you have exit relays in just the right
> locations, and capacity is infinite compared to demand, then the network
> adversary will learn the same amount whether the other relays are exit
> relays or not. But I think it is a stronger assumption to assume that we
> have exactly the right distribution of exit relay locations -- especially
> because "the right distribution" is a function of which adversary you're
> considering, and once you consider k adversaries at once, no single
> distribution will be optimal for all of them.)
>
> --Roger
>