GitLab

Imagine the following scenario: Oscar runs a fast relay that gets the Guard flag and accumulates some users, including a user Alice. Then some attacker does a guard enumeration attack to identify that his victim is using Oscar's relay as her guard. He can get a warrant to collect Oscar's computer, but for whatever reason he's not allowed to tap the relay in-place. So he steals the computer, takes it to his location, turns it back on, and the relay starts up again. Alice then says "oh good, my guard is back online" and moves back to using it.

One straightforward option to reduce the risk of this scenario happening in practice is for relays that intend to have a static IP address to set a line in their descriptor that tells the directory authorities to refuse them if they show up from a different IP address. The implementation on the directory authority side would be to add the IP address to fingerprint mapping to the router-stability file or equivalent, and then check whether there's a mapping when considering newly published descriptors.

This idea wouldn't handle the attack when done on relays with dynamic or varying IP addresses.

Another avenue for addressing the attack is the encrypted identity key proposal and friends. I'm not sure if they handle this issue, or are orthogonal, or would supersede this idea.