Hi,
I looked at the routing security state of the >3k BGP prefixes that make up the Tor network [1].
I believe it is important for Tor to have a discussion on how the network should deal with relays that will increasingly be only partially reachable due to the increase of RPKI route origin validation (ROV) in big IXPs (AMS-IX to name one).
To quote the relevant part from [1]:
“Virtual” Route Origin Validation in the Tor Context
There are two good reasons why Tor should care about relays located in RPKI ‘Invalid’ prefixes:
1. It will eventually break the “the Tor network is a full mesh” assumption. Relays in such RPKI ‘invalid’ prefixes with no alternative valid route will not be reachable from ASes performing ROV, but the Tor network assumes that every relay can reach every other relay. When ROV breaks that assumption it is better to exclude these relays than to keep only partially reachable relays.
2. An RPKI ‘Invalid’ route might as well be an actual BGP hijacking attempt and why not stop that?
The obvious place to enforce ROV for the Tor network would be the Tor directory authorities that would run RPKI validators and vote for relays accordingly. At this point this is no more than an idea.
There are certainly some challenges and trade-offs when doing ROV from a non-BGP-router perspective, but they are solvable.
There is no need to panic - this affects less than 5 relays currently but we should have a discussion and reach some form of consensus on the topic to move forward instead of waiting until it significantly affects reachability.
Would be nice to have an initial discussion even before writing a proposal to gather opinions if that would be actually worth doing.
kind regards, nusenu
[1] https://medium.com/@nusenu/how-vulnerable-is-the-tor-network-to-bgp-hijackin...
To underline the relevance of this:
One of the most important IP blocks (185.222.100.0/22) on the internet with regards to Tor created route origin authorizations (ROAs) for their prefixes. These prefixes are used by 3 major exit operators (including the biggest exit operator).
They make up >15% of the Tor network's exit capacity, which means that we are around 50% RPKI ROA coverage for Tor exit capacity now.
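
The check proposed above for directory authorities, as an added sketch that is not from the post or from Tor: RFC 6811 origin validation of every route covering a relay's address, excluding the relay only when all covering routes are 'invalid'. The VRPs, routes, AS numbers and relay addresses are constructed from documentation ranges, the function names are hypothetical, and treating 'not-found' routes as usable is an assumption.

```python
import ipaddress
from typing import NamedTuple

class VRP(NamedTuple):       # validated ROA payload, as output by an RPKI validator
    prefix: str
    max_len: int
    asn: int

class Route(NamedTuple):     # BGP announcement observed for the relay's address
    prefix: str
    origin_asn: int

def rov_state(route, vrps):
    """RFC 6811 state of one route: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(route.prefix)
    covered = False
    for v in vrps:
        vnet = ipaddress.ip_network(v.prefix)
        if vnet.version != net.version or not net.subnet_of(vnet):
            continue                      # this VRP does not cover the route
        covered = True
        # AS0 VRPs never validate a route; otherwise origin and length must match
        if v.asn != 0 and v.asn == route.origin_asn and net.prefixlen <= v.max_len:
            return "valid"
    return "invalid" if covered else "not-found"

def relay_verdict(relay_ip, routes, vrps):
    """'exclude' only if every route covering the relay is RPKI-invalid."""
    ip = ipaddress.ip_address(relay_ip)
    states = [rov_state(r, vrps) for r in routes
              if ip in ipaddress.ip_network(r.prefix)]
    if not states:
        return "no-route"                 # left to ordinary reachability tests
    # Assumption: ROV networks drop only 'invalid', so valid/not-found still works
    return "exclude" if all(s == "invalid" for s in states) else "keep"

# Constructed sample data (documentation prefixes and AS numbers)
VRPS = [VRP("192.0.2.0/24", 24, 64496),
        VRP("198.51.100.0/24", 24, 64497),
        VRP("2001:db8::/32", 32, 64498)]
ROUTES = [Route("192.0.2.0/24", 64496),      # matches its ROA
          Route("198.51.100.0/24", 64511),   # wrong origin, no alternative
          Route("2001:db8:1::/48", 64498),   # too specific for max_len 32
          Route("2001:db8::/32", 64498),     # valid less-specific alternative
          Route("203.0.113.0/24", 64499)]    # no ROA at all

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "2001:db8:1::5", "203.0.113.9"):
        print(ip, relay_verdict(ip, ROUTES, VRPS))
```

The third relay shows the "no alternative valid route" condition: its /48 is invalid, but the covering /32 is valid, so it stays reachable from networks that enforce ROV.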