Ola Bini obini@thoughtworks.com writes:

Hey,

Maybe I misunderstood the hard part - I thought the problem was to choose the NUM longlived vanguards - since there are only ever NUM possible guards at each level, not to choose which one to use among the NUM guards. For the first, it felt like using 259 would work, and the for the second use case, just randomly choose one of the NUM guards.

Hmm, let's try to formalize this slightly. Maybe it's helpful. I'm doing this a bit rushed, so maybe I'm wrong.

So far we've been designing an algorithm that: a) populates and manages our guardlist b) picks the right guard to use from our guardlist We could in theory decouple these two steps, but so far we've been mixing them together.

Step (b) has been easy so far because Tor uses a single guard node for general circuits, so we always pick the very first reachable guard from our guardlist every time.

However, when we consider prop247 or directory guards we don't always want to pick the very first available guard. For example, when considering the layer-3 guards of prop247, we want to pick amongst N guards everytime we build a circuit so that we load balance our traffic amongst the guards. When considering directory guards, we want to pick randomly amongst the first 3 directory guards every time, so that if the first guard lied to us, we will also try the second one who might not lie.

So maybe the simple answer here is that if prop247 is enabled (this could be a NumGuards=N argument to our algorithm), instead of always returning the first reachable guard, we instead build a list of the first N reachable guards, and randomly choose one of them. Could this work? (see #12466 for a weird behavior that will make us skip bugs if NumEntryGuards != 1)

The other alternative is to simply initialize USED_GUARDS to be layer-2 guardlist and run the algorithm, then init USED_GUARDS to be layer-3 guardlist and run the algorithm. Makes sense or am I missing something?

Hmm, in this case we would just use the first reachable guard from USED_GUARDS. We would only reach other guards if the first guards are unreachable. That will not work for load balancing prop247 for example.

(got to go. will be back later!)