This has probably been addressed before but why isn't the MyFamily value just a single, unique ID?
If I have the relays with the fingerprints "John", "Jane", and "Alice" and I want to add "Bob", wouldn't it be simpler (and more logical) to add the unique MyFamily "Smith" to each torrc file than listing all fingerprints?
What do you do when you have 50 relays and want to add or remove a relay? You must modify 50 torrc files and restart all 50 relays? That seems tedious and unnecessary. I'm trying to find a way to automate this process and I can wrap my head around the complexity of the problem, especially with multiple servers.
I could just use the fingerprint of my first relay as MyFamily (to ensure uniqueness) and then add it to every other torrc file I create in the future. Even if I remove the first relay from the network, the MyFamily value is still valid as a unique "family" name.
I don't know the particular procedure, but even the process of blacklisting relays based on MyFamily, when selecting a relay, seems tedious. For example, the entry relay has 50 family members and the middle relay has 50 other family members, so I have to compare the potential exit relay "first" name to 100 "first" names instead of comparing its "family" name to two "family" names.
Is this too complicated to implement or am I missing something?
I believe the reason for the current setup is to prevent randos from adding
themselves to your family of relays, and then causing problems.
- Matt
···
On Sat, May 13, 2023 at 12:55:17PM -0400, denny.obreham@a-n-o-n-y-m-e.net wrote:
This has probably been addressed before but why isn't the MyFamily value
just a single, unique ID?
If I have the relays with the fingerprints "John", "Jane", and "Alice" and
I want to add "Bob", wouldn't it be simpler (and more logical) to add the
unique MyFamily "Smith" to each torrc file than listing all fingerprints?
This has probably been addressed before but why isn't the MyFamily value just a single, unique ID?
There is a proposal to have some way of doing that in the future, but
that proposal isn't implemented
. It's not as easy as having a unique ID, you need to make sure a
relay can't spoof being part of a family, that's why it requires a two
way relationship for now, and will probably use some form of signature
in the future.
What do you do when you have 50 relays and want to add or remove a relay? You must modify 50 torrc files and restart all 50 relays? That seems tedious and unnecessary.
Sadly, yes it is. You can reload the relays instead of restarting
them, which is somewhat better but still not great. On thing that can
help is using the %include feature of torrc to have your MyFamily line
in a distinct file you can easily copy around. That's not great, but
still easier/safer than editing a configuration file automatically.
regards,
trinity-1686a
···
On Mon, 15 May 2023 at 11:22, Matt Palmer <mpalmer@hezmatt.org> wrote:
On Sat, May 13, 2023 at 12:55:17PM -0400, denny.obreham@a-n-o-n-y-m-e.net wrote:
> This has probably been addressed before but why isn't the MyFamily value
> just a single, unique ID?
>
> If I have the relays with the fingerprints "John", "Jane", and "Alice" and
> I want to add "Bob", wouldn't it be simpler (and more logical) to add the
> unique MyFamily "Smith" to each torrc file than listing all fingerprints?
I believe the reason for the current setup is to prevent randos from adding
themselves to your family of relays, and then causing problems.
- Matt
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org tor-relays Info Page
That's correct: if an attacker can add their relay to a family without
the rest of the family's consent, they can use that to influence
routing and do some kinds of path-selection attacks.
For an easy example, let's imagine that we let any relay put itself
into any family. Now suppose the attacker starts three relays A1, A2,
and A3. Then, since nothing stops them, they put A1 into a family
with every relay on the network, except for A2 and A3. Now, any time
a user (randomly) selects A1, they will find that the only other
relays they can use on that circuit are A2 and A3; this will build a
completely attacker-controlled path, they will get no privacy.
That said, there's an open proposal to try to make it so relays can
use a cryptographic identifier instead of a unique ID or a list:
I'd be curious to know whether relay operators think this proposal
would be usable for them; when I first circulated it, I didn't get a
lot of feedback.
(Oh, I see that Trinity has mentioned this too. Hi, Trinity!)
cheers,
···
On Mon, May 15, 2023 at 5:21 AM Matt Palmer <mpalmer@hezmatt.org> wrote:
On Sat, May 13, 2023 at 12:55:17PM -0400, denny.obreham@a-n-o-n-y-m-e.net wrote:
> This has probably been addressed before but why isn't the MyFamily value
> just a single, unique ID?
>
> If I have the relays with the fingerprints "John", "Jane", and "Alice" and
> I want to add "Bob", wouldn't it be simpler (and more logical) to add the
> unique MyFamily "Smith" to each torrc file than listing all fingerprints?
I believe the reason for the current setup is to prevent randos from adding
themselves to your family of relays, and then causing problems.
What do you do when you have 50 relays and want to add or remove a relay? You must modify 50 torrc files and restart all 50 relays? That seems tedious and unnecessary. I'm trying to find a way to automate this process and I can wrap my head around the complexity of the problem, especially with multiple servers.
I maintain my MyFamily completely automated using puppet. So once I add new relays to my infrastructure, all the torrc files automatically get updated and the relays reload (or restart?).
If you really do run >5 relays, I'd highly suggest to use whatever automation (puppet, ansible, salt, chef,...) that suits you. But don't even try to manually maintain that amount of relays by hand.
As a bonus you can have a unified setup of unattended upgrades and such things too.
Best regards, Matthias
···
On 5/13/23 18:55, denny.obreham@a-n-o-n-y-m-e.net wrote: