Remove relays that fail to rotate onion keys from the consensus

On #7164 (moved), a cypherpunks notes that ~40 relays fail to rotate their onion keys. This should be addressed by identifying these relays, and adding them to the DirAuths' AuthDirInvalid or AuthDirReject lists.

First, we need to update torspec/dir-spec.txt to say that relays SHOULD rotate their onion keys every 7 days, and MUST rotate them every N days. (I suggest 14 or 28.)

Then we can modify DocTor to check for relays in the consensus that have had the same onion key for N days. (I think DocTor is the right place for this check.)

This won't catch cases where relays repeat onion keys, but it will suffice to catch the most obvious misconfiguration - a read-only onion key file.

changed milestone to %Tor: unspecified

added component::core tor/tor key-rotation milestone::Tor: unspecified network-health points::1 priority::medium security severity::normal status::new tor-dirauth tor-spec type::enhancement labels

Actually, I think the correct fix is to say that onion keys MUST be rotated every 7 days in the spec. And then ban keys that haven't been rotated for 7*N days, where N is in (2,3,4).

I don't think I would object to that.

Milestone renamed

Trac:
Milestone: Tor: 0.2.??? to Tor: 0.3.???

Opened #20969 (moved) for DocTor so this ticket becomes an important spec change.

Trac:
Milestone: Tor: 0.3.??? to Tor: 0.3.0.x-final
Keywords: 030-proposed, torspec deleted, tor-spec added
Points: 2 to 0.1

Trac:
Points: 0.1 to 1

Actually, I think the correct fix is to say that onion keys MUST be rotated every 7 days in the spec. And then ban keys that haven't been rotated for 7*N days, where N is in (2,3,4).

Fine with me. I'd take a patch for this.

Golly. Can you point to some relays that have this behavior? Then we can try to investigate why it's happening.

Replying to arma:

Golly. Can you point to some relays that have this behavior? Then we can try to investigate why it's happening.

This task needs someone who is good at writing stem scripts. We need to compare the onion keys (TAP & ntor) for each relay in full consensuses spaced 7 days + 1 hour apart, and make sure they are different.

batch modify: I think these are "enhancement", though I could be wrong about some.

Trac:
Type: defect to enhancement

Trac:
Keywords: N/A deleted, triaged-out-20160116 added
Milestone: Tor: 0.3.0.x-final to Tor: unspecified

Trac:
Keywords: triaged-out-20160116 deleted, triaged-out-20170116 added

We might want to raise the permissible interval for onion key rotation, actually. It appears to be the leading cause of microdescriptor replacement, and the security benefit for rotating onion keys frequently is not all that high.

But FWIW, here are the relays that appeared in at least 400 consensuses in January, but rotated their onion key either only once, or not at all:

0572dcfe4ba472e02389499d0c30e9be41e0170a => 2 2 / 716 oO
1f45542a24a61bf9408f1c05e0dce4e29f2cba11 => 1 1 / 744 
3b4e3571662ad6759d9b3df454d281e16672f49e => 2 2 / 744 oO
4b7f7d1c10e80f8bb947ba6cbeec6ab50dd2e1be => 2 2 / 518 oO
59f16177e3b3d1979da56642e6044e266473ef2a => 1 1 / 739 
697d7612a5eb6db98226e98d180a779cb341c655 => 2 2 / 744 oO
8bdb5ec87abe18cc11ea22ac8153fa9be8678091 => 1 1 / 505 
8f029d39141c7a7bce3c64e0865c28c752f53650 => 2 2 / 515 oO
9d446e2c88ba5ae596101fe43bd07ef07e9f87f2 => 1 1 / 407 
a271979245a0f27246a75e5b7003f1a9dbbaa6b5 => 2 2 / 742 oO
a43f89ca39a127f0ec7793936451ef862a856d79 => 2 2 / 528 oO
a74e40c37958d1bbab36c2e0d78216f823e24d0b => 1 1 / 744 
ad5730ca65160f63269833a14cfe12b3a578c667 => 2 2 / 744 oO
b5ec038b6f90be09e7f0bd62ad0e54a59c7d4243 => 1 1 / 741 
c147c73d388b6ea0cde0cd67b4a2149cd6ae0b66 => 2 2 / 744 oO
ea070bb67442bdae49bdd86ac4277ae1db8b912d => 2 2 / 714 oO
efdeb09ffd0c569afabfe00ed870d088ecca6f7f => 1 1 / 744 

(Every oO is a key rotation.)

Once we define an acceptable rotation range (for example, 7-30 days), we can develop exclusion criteria like:

• rotates more than twice in 7 days (places too much load on the network), or
• has not rotated in 60 days (no forward secrecy).

Key pinning will also exclude some of the frequent relays.

Trac:
Keywords: triaged-out-20170116 deleted, key-rotation, tor-dirauth, security added

Trac:
Keywords: N/A deleted, network-health added
Cc: N/A to gk

changed time estimate to 8h

mentioned in issue #20969 (moved)

moved to tpo/core/tor#20055 (moved)

mentioned in issue tpo/core/tor#20969 (closed)