Opened 5 years ago

Closed 4 years ago

#16297 closed enhancement (not a bug)

Reduce Sybil harm while still getting use out of them

Reported by: phw
Owned by: phw
Priority: Medium
Milestone:
Component: Core Tor/Tor
Version:
Severity:
Keywords: sybil
Cc: arma, weasel, Sebastian, teor
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

With the exception of bad exit relays, we have a binary approach to dealing with bad relays; we either let them be, or remove them from the network. That's not always appropriate because Sybils can be useful, provided we strip them of power. In particular, we probably want to prevent them from becoming:

  • Anything hidden service-related (HSDirs, introduction points, rendezvous points)
  • Exit relays
  • Guard relays
  • Maybe even directory mirrors?

One possibility would be an option such as AuthDirRestrain, that specifies which relay should be stripped of powers. Another possibility would be a set of more fine-grained options but that sounds less useful because it assumes that we know what a bad relay is up to. Often, however, we are only aware of a subset of the actual attack.

If we indeed want something like AuthDirRestrain, we should also think about the voting process. The AuthDirBadExit process works well so far because we have three voters, whereof two are typically quick to act. It doesn't work that well for AuthDirReject where we need the majority of all nine authority operators.

Child Tickets

Change History (11)

comment:1 Changed 5 years ago by nickm

It's potentially worth pursuing this, but I'm not 100% sure that we can actually do it safely. In the past, there have been many times when we didn't realize in advance how problematic it might be to let a large number of untrustworthy hosts occupy some innocuous-seeming network position. So if we're going to pursue this line of thought, we've got to figure out what a "Restrained" relay is allowed to do, and have a very convincing rationale for thinking it's safe.

comment:2 Changed 5 years ago by arma

Does the Valid flag still do what it used to do?

That is, unless something changed, we have a substantial amount of this infrastructure in place, in that clients already know how to avoid nodes that lack the Valid flag for the entry or exit point.

The HSDir part is tricky, first because I don't think Valid has much to do with it in its current definition, and second for the reason Nick points out, that our past definition of 'not valid' didn't consider HSDir a threatening role, so odds are good we'll miss some future similar case. It's not that tricky though since auths could choose to stop voting HSDir for a relay if they don't vote Valid for it.

The DirPort one might be a bit trickier, since I don't think we have a "voting" procedure in the consensus about whether to list a dirport for a given relay or not. Rather, it's a deterministic process based on what the (signed) relay descriptor says. We could teach clients not to use inValid relays for directory questions, but that will splinter the anonymity sets. We could note that proper clients use directory guards, which have the Guard flag, and thus have the Valid flag, so we accidentally already solved it. Or we could make a new consensus method to put a '0' into the consensus instead of the dirport for inValid relays.

So, in summary, let's use AuthDirInvalid and !invalid more often?

comment:3 in reply to: 2; Changed 5 years ago by arma

Replying to arma:

So, in summary, let's use AuthDirInvalid and !invalid more often?

And also maybe file a ticket saying "Don't give HSDir if you don't give Valid".

And then we could go much crazier and design a new consensus method that takes away the Valid flag if three or more dir auths don't assign it (rather than waiting for a majority of dir auths).
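The voting idea in comment:3, and the "no HSDir without Valid" rule from the same comment, can be made concrete with a small model. The following is an added illustration written for this thread, not Tor's dirvote code: it compares the usual majority rule for assigning flags with a rule that strips Valid once three or more authorities withhold it, and then denies the Guard, Exit and HSDir roles to any relay that ends up without Valid. The nine authorities, the relay names and the threshold of three are constructed assumptions; the flag names are the real consensus flags discussed above.

```python
"""Toy model of directory-authority flag voting (constructed for this ticket).

This is NOT Tor's dirvote implementation. It models two things from the thread:
  * the usual rule: a flag is assigned when a majority of authorities vote it;
  * the proposed rule (comment:3, assumption: three withholding votes suffice):
    strip Valid as soon as three or more authorities withhold it, then derive
    HSDir (and, as arma notes for clients, Guard/Exit) only for Valid relays.
"""
from collections import Counter
from typing import Dict, List, Set

# One vote per authority: relay name -> set of flags that authority assigns.
Vote = Dict[str, Set[str]]

# Roles the ticket wants to keep away from relays that are not Valid.
RESTRICTED_ROLES = {"Guard", "Exit", "HSDir"}


def majority_flags(votes: List[Vote]) -> Dict[str, Set[str]]:
    """Simplified majority rule: a relay gets a flag if more than half of all
    authorities voted that flag for it (5 of 9 in the sample below)."""
    relays: Set[str] = set().union(*(vote.keys() for vote in votes))
    needed = len(votes) // 2 + 1
    result: Dict[str, Set[str]] = {}
    for relay in relays:
        tally: Counter = Counter()
        for vote in votes:
            for flag in vote.get(relay, set()):
                tally[flag] += 1
        result[relay] = {flag for flag, n in tally.items() if n >= needed}
    return result


def restrained_flags(votes: List[Vote], withhold_threshold: int = 3) -> Dict[str, Set[str]]:
    """Proposed rule: Valid is removed when at least `withhold_threshold`
    authorities that list the relay did not vote Valid for it, and a relay
    without Valid never receives the restricted roles."""
    result = majority_flags(votes)
    for relay, flags in result.items():
        # Assumption: only authorities that list the relay count as withholding.
        withheld = sum(1 for vote in votes
                       if relay in vote and "Valid" not in vote[relay])
        if withheld >= withhold_threshold:
            flags.discard("Valid")
        if "Valid" not in flags:
            flags -= RESTRICTED_ROLES
    return result


def build_sample_votes() -> List[Vote]:
    """Constructed votes from nine hypothetical authorities (not real data).

    GOODRELAY is voted Valid by all nine. SYBILRELAY is voted Valid by six,
    while three authorities have set AuthDirInvalid for it and withhold Valid.
    Every authority still votes Guard and HSDir for both relays.
    """
    base = {"Running", "Fast", "Valid", "Guard", "HSDir"}
    votes: List[Vote] = []
    for i in range(9):
        vote: Vote = {"GOODRELAY": set(base), "SYBILRELAY": set(base)}
        if i < 3:
            vote["SYBILRELAY"].discard("Valid")
        votes.append(vote)
    return votes


if __name__ == "__main__":
    votes = build_sample_votes()
    print("majority rule:  ", majority_flags(votes))
    print("restrained rule:", restrained_flags(votes))
```

Under the majority rule the Sybil relay keeps Valid (six of nine votes) and with it Guard and HSDir; under the three-withholders rule it is left with only Running and Fast, i.e. it can serve as a middle hop and nothing else, while the well-behaved relay is unaffected. The threshold is the knob the thread is arguing about: lowering it from a majority to three trades faster reaction for a smaller group of authorities being able to demote a relay.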

comment:4 Changed 5 years ago by yawning

One other thing that might be neat/useful along this line of thought is something like:

AuthDirForceFamily name node,node,...
   Declare that the listed Tor servers belong to a certain family,
   overriding the `MyFamily` as self reported by the servers in question.

Might be hard to implement. I'd feel a lot better about "sketch nodes of doom" getting to be relays if they could be forcefully tagged as sketch nodes of doom. With the proposed AuthDirRestrain option, all they'll get to be is the middle hop so this may be redundant and needlessly overcomplicated (I have no idea how voting would work here).

comment:5 in reply to: 3; Changed 4 years ago by arma

Replying to arma:

And also maybe file a ticket saying "Don't give HSDir if you don't give Valid".

Done: #16524

comment:6 Changed 4 years ago by teor

Cc: teor added

comment:7 in reply to: 4; Changed 4 years ago by arma

Replying to yawning:

With the proposed AuthDirRestrain option, all they'll get to be is the middle hop

To be clear, this proposed feature has been in Tor for 10+ years. It's what the Valid flag is all about.

comment:8 in reply to: 4; Changed 4 years ago by arma

Replying to yawning:

One other thing that might be neat/useful along this line of thought is something like:

AuthDirForceFamily name node,node,...
   Declare that the listed Tor servers belong to a certain family,
   overriding the `MyFamily` as self reported by the servers in question.

Might be hard to implement.

Indeed it would be a bit tricky -- we could try to stick the family lines into the microdescriptor, but right now the relay descriptor includes a hash of the microdescriptor, so the dir auths can't just fake it. And in any case the microdescriptor is meant to be a deterministic transform of the normal descriptor.

comment:9 in reply to: 3; Changed 4 years ago by arma

Replying to arma:

And then we could go much crazier and design a new consensus method that takes away the Valid flag if three or more dir auths don't assign it (rather than waiting for a majority of dir auths).

Opened as #16558.

comment:10 Changed 4 years ago by arma

Philipp, is there anything left here from the original ticket?

comment:11 in reply to: 10; Changed 4 years ago by phw

Resolution: not a bug
Status: new → closed

Replying to arma:

Philipp, is there anything left here from the original ticket?

I don't think so.
