Home Explore Help
Sign In
piros
/
tor
3
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 5519e633ec
Branches Tags
tor
/
doc
/
spec
/
proposals
/
ideas
/
xxx-geoip-survey-plan.txt

xxx-geoip-survey-plan.txt 6.2 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137 
  1. 

  2. 

  3. Abstract
    4. 

  4. 

  5.    This document explains how to tell about how many Tor users there
    6. 

  6.    are, and how many there are in which country.  Statistics are
    7. 

  7.    involved.
    8. 

  8. 

  9. Motivation
    10. 

  10. 

  11.    There are a few reasons we need to keep track of which countries
    12. 

  12.    Tor users (in aggregate) are coming from:
    13. 

  13. 

  14.       - Resource allocation.  Knowing about underserved countries with
    15. 

  15.         lots of users can let us know about where we need to direct
    16. 

  16.         translation and outreach efforts.
    17. 

  17. 

  18.       - Anticensorship.  Sudden drops in usage on a national basis can
    19. 

  19.         indicate the arrival of a censorious firewall.
    20. 

  20. 

  21.       - Sponsor outreach and self-evalutation.  Many people and
    22. 

  22.         organizations who are interested in funding The Tor Project's
    23. 

  23.         work want to know that we're successfully serving parts of the
    24. 

  24.         world they're interested in, and that efforts to expand our
    25. 

  25.         userbase are actually succeeding.  So do we.
    26. 

  26. 

  27. Goals
    28. 

  28. 

  29.    We want to know approximately how many Tor users there are, and which
    30. 

  30.    countries they're in, even in the presence of a hypothetical
    31. 

  31.    "directory guard" feature.  Some uncertainty is okay, but we'd like
    32. 

  32.    to be able to put a bound on the uncertainty.
    33. 

  33. 

  34.    We need to make sure this information isn't exposed in a way that
    35. 

  35.    helps an adversary.
    36. 

  36. 

  37. Methods for current clients:
    38. 

  38. 

  39.    Every client downloads network status documents.  There are
    40. 

  40.    currently three methods (one hypothetical) for clients to get them.
    41. 

  41.       - 0.1.2.x clients (and earlier) fetch a v2 networkstatus
    42. 

  42.         document about every NETWORKSTATUS_CLIENT_DL_INTERVAL [30
    43. 

  43.         minutes].
    44. 

  44. 

  45.       - 0.2.0.x clients fetch a v3 networkstatus consensus document
    46. 

  46.         at a random interval between when their current document is no
    47. 

  47.         longer freshest, and when their current document is about to
    48. 

  48.         expire.
    49. 

  49. 

  50.         [In both of the above cases, clients choose a running
    51. 

  51.         directory cache at random with odds roughly proportional to
    52. 

  52.         its bandwidth.  If they're just starting, they know a XXXX FIXME -NM]
    53. 

  53. 

  54.       - In some future version, clients will choose directory caches
    55. 

  55.         to serve as their "directory guards" to avoid profiling
    56. 

  56.         attacks, similarly to how clients currently start all their
    57. 

  57.         circuits at guard nodes.
    58. 

  58. 

  59.     We assume that a directory cache can tell which of these three
    60. 

  60.     categories a client is in by the format of its status request.
    61. 

  61. 

  62.     A directory cache can be made to count distinct client IP
    63. 

  63.     addresses that make a certain request of it in a given timeframe,
    64. 

  64.     and total requests made to it over that timeframe.  For the first
    65. 

  65.     two cases, a cache can get a  picture of the overall
    66. 

  66.     number and countries of users in the network by dividing the IP
    67. 

  67.     count by the probability with which they (as a cache) would be
    68. 

  68.     chosen.  Assuming that our listed bandwidth is such that we expect
    69. 

  69.     to be chosen with probability P for any given request, and we've
    70. 

  70.     been counting IPs for long enough that we expect the average
    71. 

  71.     client to have made N requests, they will have visited us at least
    72. 

  72.     once with probability P' = 1-(1-P)^N, and so we divide the IP
    73. 

  73.     counts we've seen by P' for our estimate.  To estimate total
    74. 

  74.     number of clients of a given type, determine how many requests a
    75. 

  75.     client of that type will make over that time, and assume we'll
    76. 

  76.     have seen P of them.
    77. 

  77. 

  78.     Both of these numbers are useful: the IP counts will give the
    79. 

  79.     total number of IPs connecting to the network, and the request
    80. 

  80.     counts will give the total number of users on the network at any
    81. 

  81.     given time.
    82. 

  82. 

  83.     Notes:
    84. 

  84.        - [Over H hours, the N for V2 clients is 2*H, and the N for V3
    85. 

  85.          clients is currently around H/2 or H/3.]
    86. 

  86. 

  87.        - (We should only count requests that we actually intend to answer;
    88. 

  88.          503 requests shouldn't count.)
    89. 

  89. 

  90.        - These measurements should also be taken at a directory
    91. 

  91.          authority if possible: their picture of the network is skewed
    92. 

  92.          by clients that fetch from them directly.  These clients,
    93. 

  93.          however, are all the clients that are just bootstrapping
    94. 

  94.          (assuming that the fallback-consensus feature isn't yet used
    95. 

  95.          much).
    96. 

  96. 

  97.        - These measurements also overestimate the V2 download rate if
    98. 

  98.          some downloads fail and clients retry them later after backing
    99. 

  99.          off.
    100. 

  100. 

  101. Methods for directory guards:
    102. 

  102. 

  103.     If directory guards are in use, directory guards get a picture of
    104. 

  104.     all those users who chose them as a guard when they were listed
    105. 

  105.     as a good choice for a guard, and who are also on the network
    106. 

  106.     now.  The cleanest data here will come from nodes that were listed
    107. 

  107.     as good new-guards choices for a while, and have not been so for a
    108. 

  108.     while longer (to study decay rates); nodes that have been listed
    109. 

  109.     as good new-guard choices consistently for a long time (to get a
    110. 

  110.     sample of the network); and nodes that have been listed as good
    111. 

  111.     new-guard choices only recently (to get a sample of new users and
    112. 

  112.     users whose guards have died out.)
    113. 

  113. 

  114.     Since directory guards are currently unspecified, we'll need to
    115. 

  115.     make some guesses about how they'll turn out to work.  Here are
    116. 

  116.     a couple of approaches that could work.
    117. 

  117.        - We could have clients pick completely new directory guards on
    118. 

  118.          a rolling basis every two months or so.  This would ensure
    119. 

  119.          that staying as a guard for a while would be sufficient to
    120. 

  120.          see a sample of users.  This is potentially advantageous for
    121. 

  121.          load-balancing the network as well, though it might lose some
    122. 

  122.          of the benefits of directory guard.  We need to quantify the
    123. 

  123.          impact of this; it might not actually make stuff worse in
    124. 

  124.          practice, if most guards don't stay good guards for a month
    125. 

  125.          or two.
    126. 

  126. 

  127.        - We could try to collect statistics at several directory
    128. 

  128.          guards and combine their statisics, but we would need to make
    129. 

  129.          sure that for all time, at least one of the directory guards
    130. 

  130.          had been recommended as a good choice for new guards.  By
    131. 

  131.          looking at new-IP rates for guards, we could get an idea of
    132. 

  132.          user uptake; for looking at old-IP decay rates, we could get
    133. 

  133.          an idea of turnover.  This approach would entail significant
    134. 

  134.          complexity, and we'd probably need to record more information
    135. 

  135.          than we'd really like to.
    136. 

  136. 

  137.