GitLab is used only for code review, issue tracking and project management. Canonical locations for source code are still https://gitweb.torproject.org/ https://git.torproject.org/ and git-rw.torproject.org.

Closed (moved)
Opened Nov 07, 2014 by Roger Dingledine (@arma)

Allow relays to promise in their descriptor that their IP address won't change

Imagine the following scenario: Oscar runs a fast relay that gets the Guard flag and accumulates some users, including a user Alice. Then some attacker does a guard enumeration attack to identify that his victim is using Oscar's relay as her guard. He can get a warrant to collect Oscar's computer, but for whatever reason he's not allowed to tap the relay in-place. So he steals the computer, takes it to his location, turns it back on, and the relay starts up again. Alice then says "oh good, my guard is back online" and moves back to using it.

One straightforward option to reduce the risk of this scenario happening in practice is for relays that intend to have a static IP address to set a line in their descriptor that tells the directory authorities to refuse them if they show up from a different IP address. The implementation on the directory authority side would be to add the IP address to fingerprint mapping to the router-stability file or equivalent, and then check whether there's a mapping when considering newly published descriptors.

This idea wouldn't handle the attack when done on relays with dynamic or varying IP addresses.

Another avenue for addressing the attack is the encrypted identity key proposal and friends. I'm not sure if they handle this issue, or are orthogonal, or would supersede this idea.

Reference: legacy/trac#13705
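
The authority-side check sketched in the ticket, as an added example that is not part of the original ticket or of Tor's code. The `static-address` keyword, the `PinStore` class, and the sample descriptors are hypothetical; it also assumes the pin is taken from the descriptor's advertised address and that a pin, once recorded, cannot be released by a later descriptor.

```python
# Added illustration, not Tor code. Assumptions: the "static-address" keyword,
# pinning on the descriptor's advertised address, and no way to release a pin.
PIN_KEYWORD = "static-address"

def parse_descriptor(text):
    """Return (fingerprint, address, wants_pin) from a simplified descriptor."""
    fingerprint = address = None
    wants_pin = False
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "router" and len(parts) >= 3:
            address = parts[2]  # router <nickname> <address> <ORPort> ...
        elif parts[0] == "fingerprint":
            fingerprint = "".join(parts[1:]).upper()
        elif parts[0] == PIN_KEYWORD:
            wants_pin = True
    if fingerprint is None or address is None:
        raise ValueError("descriptor lacks a router or fingerprint line")
    return fingerprint, address, wants_pin

class PinStore:
    """Fingerprint -> pinned address, standing in for the router-stability file."""
    def __init__(self):
        self.pins = {}

    def consider(self, descriptor_text):
        """Return (accepted, reason) for a newly published descriptor."""
        fp, addr, wants_pin = parse_descriptor(descriptor_text)
        pinned = self.pins.get(fp)
        if pinned is not None and pinned != addr:
            # The pin outlives the descriptor that set it: a relay restarted
            # elsewhere with the same key is refused even if it drops the line.
            return False, f"refused: pinned to {pinned}, published from {addr}"
        if wants_pin and pinned is None:
            self.pins[fp] = addr
        return True, "accepted"

def sample_descriptor(fp, address, pin):
    """Build a constructed, heavily simplified descriptor for the demo."""
    lines = [f"router Oscar {address} 9001 0 0", f"fingerprint {fp}"]
    return "\n".join(lines + ([PIN_KEYWORD] if pin else []))

if __name__ == "__main__":
    fp = "AAAA BBBB CCCC DDDD EEEE FFFF 0000 1111 2222 3333"  # constructed
    store = PinStore()
    for addr, pin in [("192.0.2.10", True), ("198.51.100.7", False)]:
        print(addr, store.consider(sample_descriptor(fp, addr, pin)))
```

A relay that never publishes the keyword is never pinned, so relays with dynamic or varying addresses behave as before.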