GitLab

There are a couple of cases where the path bias "use" accounting from #7440 (moved) can run into issues. In particular, circuits used in attempts to connect to unresponsive external hosts are indistinguishable from malicious failure. Also, cannibalized circuits have a similar problem, in that they are technically immediately "dirty" but they are actually unused.

So the plan is to issue a probe RELAY_BEGIN cell upon circuit close to an internal address such as 0.a.b.c:25. This will cause well-behaved exit nodes to kick us an EXITPOLICY RELAY_END cell back, which we can then use to declare the circuit as functional, avoiding the path bias false positive.

For some additional best-practice checks, we should perhaps locally track the a.b.c tuple for each probe to ensure it is the same in the response (yes, the IP is echoed, but not the port), and we should ensure no other unexpected/corrupted RELAY cells arrive on that same circuit, otherwise we should close it and mark it failed. Hopefully this latter property is already always enforced. If not, we should probably enforce it while we're at it.