nusenu
2018-08-21 07:36:00 UTC
Hi,

I looked at the routing security state
of the >3k BGP prefixes that make up the tor network [1].

I believe it is important for tor to have a discussion on how
the network should deal with relays that will increasingly be only partially reachable
due to the increase of RPKI route origin validation (ROV) in big IXPs (AMS-IX to name one).

"Virtual" Route Origin Validation in the Tor Context

There are two good reasons why Tor should care about relays located in

It will eventually break the "the Tor network is a full mesh"
assumption. Relays in such RPKI "invalid" prefixes with no
alternative valid route will not be reachable from ASes performing
ROV, but the Tor network assumes that every relay can reach every
other relay. When ROV breaks that assumption it is better to exclude
these relays than to keep only partially reachable relays. An RPKI
"Invalid" route might as well be an actual BGP hijacking attempt and
why not stop that?

The obvious place to enforce ROV for the Tor network would be the Tor
directory authorities that would run RPKI validators and vote for
relays accordingly. At this point this is no more than an idea.

There are certainly some challenges and trade-offs when doing ROV from a
non-BGP-router perspective, but they are solvable.

There is no need to panic - this affects less than 5 relays currently but
we should have a discussion and reach some form of consensus on the topic
to move forward instead of waiting until it significantly affects reachability.

Would be nice to have an initial discussion even before writing a proposal to
gather opinions if that would be actually worth doing.

kind regards,
nusenu

[1] https://medium.com/@nusenu/how-vulnerable-is-the-tor-network-to-bgp-hijacking-attacks-56d3b2ebfd92

--
https://twitter.com/nusenu_
https://mastodon.social/@nusenu
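As an added illustration of the "virtual ROV" idea above (example code, not nusenu's and not anything from Tor): an RFC 6811-style origin validation over constructed ROAs and route announcements, which then classifies relay addresses the way a directory authority could, reachable when any covering route is valid or has no ROA at all, partially reachable when only RPKI-invalid routes cover it. All prefixes, ASNs and ROAs are made up.

```python
# Added example (not from the original post or the Tor project).
# Minimal RFC 6811 origin validation over constructed data, then a
# reachability verdict per relay as a "virtual ROV" voter might compute.
import ipaddress

# Constructed ROAs: (prefix, max_length, authorised origin ASN)
ROAS = [
    ("192.0.2.0/24", 24, 64496),
    ("198.51.100.0/22", 24, 64497),
    ("203.0.113.0/24", 24, 64498),
]

# Constructed BGP announcements covering relay addresses: (prefix, origin ASN)
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),       # valid
    ("198.51.100.0/24", 64499),    # invalid: origin ASN does not match ROA
    ("198.51.100.0/22", 64497),    # valid less-specific alternative route
    ("203.0.113.0/24", 64500),     # invalid, and no alternative valid route
    ("2001:db8::/32", 64501),      # notfound: no ROA covers it
]


def rov_state(prefix, origin_asn, roas=ROAS):
    """Return 'valid', 'invalid' or 'notfound' for one route (RFC 6811 sec. 2)."""
    net = ipaddress.ip_network(prefix)
    covering = []
    for roa_prefix, max_len, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append((max_len, asn))
    if not covering:
        return "notfound"
    # Valid if any covering ROA authorises this origin at this prefix length.
    if any(asn == origin_asn and net.prefixlen <= max_len for max_len, asn in covering):
        return "valid"
    return "invalid"


def relay_reachability(relay_ip, announcements=ANNOUNCEMENTS, roas=ROAS):
    """'reachable' if some covering route is valid or notfound, 'partial' if
    only RPKI-invalid routes cover the relay (ROV-enforcing ASes drop them),
    'unrouted' if no announcement covers the address at all."""
    ip = ipaddress.ip_address(relay_ip)
    states = [rov_state(p, asn, roas) for p, asn in announcements
              if ip in ipaddress.ip_network(p)]
    if not states:
        return "unrouted"
    if any(s in ("valid", "notfound") for s in states):
        return "reachable"
    return "partial"
```

A relay classified as "partial" is the case the post argues directory authorities should vote out: it sits only behind RPKI-invalid routes, so ROV-enforcing networks cannot reach it at all.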