Inicio Explorar Ayuda
Iniciar sesión
sengler
/
tor-parallel-relay-conn
1
0
Fork 0
Archivos Incidencias 0 Pull Requests 0 Wiki
Árbol: c05b7fbc7a
Ramas Etiquetas
tor-parallel...
/
doc
/
incentives.txt

incentives.txt 15 KB
Histórico Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301 
  1. 

  2.                  Tor Incentives Design Brainstorms
    3. 

  3. 

  4. 1. Goals: what do we want to achieve with an incentive scheme?
    5. 

  5. 

  6. 1.1. Encourage users to provide good relay service (throughput, latency).
    7. 

  7. 1.2. Encourage users to allow traffic to exit the Tor network from
    8. 

  8.      their node.
    9. 

  9. 

  10. 2. Approaches to learning who should get priority.
    11. 

  11. 

  12. 2.1. "Hard" or quantitative reputation tracking.
    13. 

  13. 

  14.    In this design, we track the number of bytes and throughput in and
    15. 

  15.    out of nodes we interact with. When a node asks to send or receive
    16. 

  16.    bytes, we provide service proportional to our current record of the
    17. 

  17.    node's value. One approach is to let each circuit be either a normal
    18. 

  18.    circuit or a premium circuit, and nodes can "spend" their value by
    19. 

  19.    sending and receiving bytes on premium circuits: see section 4.1 for
    20. 

  20.    details of this design. Another approach (section 4.2) would treat
    21. 

  21.    all traffic from the node with the same priority class, and so nodes
    22. 

  22.    that provide resources will get and provide better service on average.
    23. 

  23. 

  24.    This approach could be complemented with an anonymous e-cash
    25. 

  25.    implementation to let people spend reputations gained in one context
    26. 

  26.    in another context.
    27. 

  27. 

  28. 2.2. "Soft" or qualitative reputation tracking.
    29. 

  29. 

  30.    Rather than accounting for every byte (if I owe you a byte, I don't
    31. 

  31.    owe it anymore once you've spent it), instead I keep a general opinion
    32. 

  32.    about each server: my opinion increases when they do good work for me,
    33. 

  33.    and it decays with time, but it does not decrease as they send traffic.
    34. 

  34.    Therefore we reward servers who provide value to the system without
    35. 

  35.    nickle and diming them at each step. We also let them benefit from
    36. 

  36.    relaying traffic for others without having to "reserve" some of the
    37. 

  37.    payment for their own use. See section 4.3 for a possible design.
    38. 

  38. 

  39. 2.3. Centralized opinions from the reputation servers.
    40. 

  40. 

  41.    The above approaches are complex and we don't have all the answers
    42. 

  42.    for them yet. A simpler approach is just to let some central set
    43. 

  43.    of trusted servers (say, the Tor directory servers) measure whether
    44. 

  44.    people are contributing to the network, and provide a signal about
    45. 

  45.    which servers should be rewarded. They can even do the measurements
    46. 

  46.    via Tor so servers can't easily perform only when they're being
    47. 

  47.    tested. See section 4.4.
    48. 

  48. 

  49. 2.4. Reputation servers that aggregate opinions.
    50. 

  50. 

  51.    The option above has the directory servers doing all of the
    52. 

  52.    measurements. This doesn't scale. We can set it up so we have "deputy
    53. 

  53.    testers" -- trusted other nodes that do performance testing and report
    54. 

  54.    their results. If we want to be really adventurous, we could even
    55. 

  55.    accept claims from every Tor user and build a complex weighting /
    56. 

  56.    reputation system to decide which claims are "probably" right.
    57. 

  57. 

  58. 3. Related issues we need to keep in mind.
    59. 

  59. 

  60. 3.1. Relay and exit configuration needs to be easy and usable.
    61. 

  61. 

  62.    Implicit in all of the above designs is the need to make it easy to
    63. 

  63.    run a Tor server out of the box. We need to make it stable on all
    64. 

  64.    common platforms (including XP), it needs to detect its available
    65. 

  65.    bandwidth and not overreach that, and it needs to help the operator
    66. 

  66.    through opening up ports on his firewall. Then we need a slick GUI
    67. 

  67.    that lets people click a button or two rather than editing text files.
    68. 

  68. 

  69.    Once we've done all this, we'll hit our first big question: is
    70. 

  70.    most of the barrier to growth caused by the unusability of the current
    71. 

  71.    software? If so, are the rest of these incentive schemes superfluous?
    72. 

  72. 

  73. 3.2. The network effect: how many nodes will you interact with?
    74. 

  74. 

  75.    One of the concerns with pairwise reputation systems is that as the
    76. 

  76.    network gets thousands of servers, the chance that you're going to
    77. 

  77.    interact with a given server decreases. So if 90% of interactions
    78. 

  78.    don't have any prior information, the "local" incentive schemes above
    79. 

  79.    are going to degrade. This doesn't mean they're pointless -- it just
    80. 

  80.    means we need to be aware that this is a limitation, and plan in the
    81. 

  81.    background for what step to take next. (It seems that e-cash solutions
    82. 

  82.    would scale better, though they have issues of their own.)
    83. 

  83. 

  84. 3.3. Guard nodes
    85. 

  85. 

  86.    As of Tor 0.1.1.11, Tor users pick from a small set of semi-permanent
    87. 

  87.    "guard nodes" for their first hop of each circuit. This seems to have
    88. 

  88.    a big impact on pairwise reputation systems since you will only be
    89. 

  89.    cashing in on your reputation to a few people, and it is unlikely
    90. 

  90.    that a given pair of nodes will use each other as guard nodes.
    91. 

  91. 

  92.    What does this imply? For one, it means that we don't care at all
    93. 

  93.    about the opinions of most of the servers out there -- we should
    94. 

  94.    focus on keeping our guard nodes happy with us.
    95. 

  95. 

  96.    One conclusion from that is that our design needs to judge performance
    97. 

  97.    not just through direct interaction (beginning of the circuit) but
    98. 

  98.    also through indirect interaction (middle of the circuit). That way
    99. 

  99.    you can never be sure when your guards are measuring you.
    100. 

  100. 

  101. 3.4. Restricted topology: benefits and roadmap.
    102. 

  102. 

  103.    As the Tor network continues to grow, we will need to make design
    104. 

  104.    changes to the network topology so that each node does not need
    105. 

  105.    to maintain connections to an unbounded number of other nodes. For
    106. 

  106.    anonymity's sake, we may partition the network such that all
    107. 

  107.    the nodes have the same belief about the divisions and each node is
    108. 

  108.    in only one partition. (The alternative is that every user fetches
    109. 

  109.    his own random subset of the overall node list -- this is bad because
    110. 

  110.    of intersection attacks.)
    111. 

  111. 

  112.    Therefore the "network horizon" for each user will stay bounded,
    113. 

  113.    which helps against the above issues in 3.2 and 3.3.
    114. 

  114. 

  115.    It could be that the core of long-lived servers will all get to know
    116. 

  116.    each other, and so the critical point that decides whether you get
    117. 

  117.    good service is whether the core likes you. Or perhaps it will turn
    118. 

  118.    out to work some other way.
    119. 

  119. 

  120.    A special case here is the social network, where the network isn't
    121. 

  121.    partitioned randomly but instead based on some external properties.
    122. 

  122.    Social network topologies can provide incentives in other ways, because
    123. 

  123.    people may be more inclined to help out their friends, and more willing
    124. 

  124.    to relay traffic if only their friends are relaying through them. It
    125. 

  125.    also opens the door for out-of-band incentive schemes because of the
    126. 

  126.    out-of-band links in the graph.
    127. 

  127. 

  128. 3.5. Profit-maximizing vs. Altruism.
    129. 

  129. 

  130.    There are some interesting game theory questions here.
    131. 

  131. 

  132.    First, in a volunteer culture, success is measured in public utility
    133. 

  133.    or in public esteem. If we add a reward mechanism, there's a risk that
    134. 

  134.    reward-maximizing behavior will surpass utility- or esteem-maximizing
    135. 

  135.    behavior.
    136. 

  136. 

  137.    Specifically, if most of our servers right now are relaying traffic
    138. 

  138.    for the good of the community, we may actually *lose* those volunteers
    139. 

  139.    if we turn the act of relaying traffic into a selfish act.
    140. 

  140. 

  141.    I am not too worried about this issue for now, since we're aiming
    142. 

  142.    for an incentive scheme so effective that it produces thousands of
    143. 

  143.    new servers.
    144. 

  144. 

  145. 3.6. What part of the node's performance do you measure?
    146. 

  146. 

  147.    We keep referring to having a node measure how well the other nodes
    148. 

  148.    receive bytes. But don't leeching clients receive bytes just as well
    149. 

  149.    as servers?
    150. 

  150. 

  151.    Further, many transactions in Tor involve fetching lots of
    152. 

  152.    bytes and not sending very many. So it seems that we want to turn
    153. 

  153.    things around: we need to measure how quickly a node can _send_
    154. 

  154.    us bytes, and then only send it bytes in proportion to that.
    155. 

  155. 

  156.    However, a sneaky user could simply connect to a node and send some
    157. 

  157.    traffic through it, and voila, he has performed for the network. This
    158. 

  158.    is no good. The first fix is that we only count if you're receiving
    159. 

  159.    bytes "backwards" in the circuit. Now the sneaky user needs to
    160. 

  160.    construct a circuit such that his node appears later in the circuit,
    161. 

  161.    and then send some bytes back quickly.
    162. 

  162. 

  163.    Maybe that complexity is sufficient to deter most lazy users. Or
    164. 

  164.    maybe it's an argument in favor of a more penny-counting reputation
    165. 

  165.    approach.
    166. 

  166. 

  167. 3.7. What is the appropriate resource balance for servers vs. clients?
    168. 

  168. 

  169.    If we build a good incentive system, we'll still need to tune it
    170. 

  170.    to provide the right bandwidth allocation -- if we reserve too much
    171. 

  171.    bandwidth for fast servers, then we're wasting some potential, but we
    172. 

  172.    if we reserve too little, then fewer people will opt to become servers.
    173. 

  173.    In fact, finding an optimum balance is especially hard because it's
    174. 

  174.    a moving target: the better our incentive mechanism (and the lower
    175. 

  175.    the barrier to setup), the more servers there will be. How do we find
    176. 

  176.    the right balance?
    177. 

  177. 

  178.    One answer is that it doesn't have to be perfect: we can err on the
    179. 

  179.    side of providing extra resources to servers. Then we will achieve our
    180. 

  180.    desired goal -- when people complain about speed, we can tell them to
    181. 

  181.    run a server, and they will in fact get better performance.
    182. 

  182. 

  183. 3.8. Anonymity attack: fast connections probably come from good servers.
    184. 

  184. 

  185.    If only fast servers can consistently get good performance in the
    186. 

  186.    network, they will stand out. "Oh, that connection probably came from
    187. 

  187.    one of the top ten servers in the network." Intersection attacks over
    188. 

  188.    time can improve the certainty of the attack.
    189. 

  189. 

  190.    I'm not too worried about this. First, in periods of low activity,
    191. 

  191.    many different people might be getting good performance. This dirties
    192. 

  192.    the intersection attack. Second, with many of these schemes, we will
    193. 

  193.    still be uncertain whether the fast node originated the traffic, or
    194. 

  194.    was the entry node for some other lucky user -- and we already accept
    195. 

  195.    this level of attack in other cases such as the Murdoch-Danezis attack
    196. 

  196.    (http://freehaven.net/anonbib/#torta05).
    197. 

  197. 

  198. 3.9. How do we allocate bandwidth over the course of a second?
    199. 

  199. 

  200.    This may be a simple matter of engineering, but it still needs to be
    201. 

  201.    addressed. Our current token bucket design refills each bucket once a
    202. 

  202.    second. If we have N tokens in our bucket, and we don't know ahead of
    203. 

  203.    time how many connections are going to want to send how many bytes,
    204. 

  204.    how do we balance providing quick service to the traffic that is
    205. 

  205.    already here compared to providing service to potential high-importance
    206. 

  206.    future traffic?
    207. 

  207. 

  208.    If we have only two classes of service, here is a simple design:
    209. 

  209.    At each point, when we are 1/t through the second, the total number
    210. 

  210.    of non-priority bytes we are willing to accept is N/t. Thus if N
    211. 

  211.    priority bytes arrive at the beginning of the second, we drain our
    212. 

  212.    whole bucket then, and otherwise we provide some delayed service to
    213. 

  213.    the non-priority bytes.
    214. 

  214. 

  215.    Does this design expand to cover the case of three priority classes?
    216. 

  216.    Ideally we'd give each remote server its own priority number. Or
    217. 

  217.    hopefully there's an easy design in the literature to point to --
    218. 

  218.    this is clearly not my field.
    219. 

  219. 

  220. 4. Sample designs.
    221. 

  221. 

  222. 4.1. Two classes of service for circuits.
    223. 

  223. 

  224. 4.2. Treat all the traffic from the node with the same service;
    225. 

  225.      hard reputation system.
    226. 

  226. 

  227. 4.3. Treat all the traffic from the node with the same service;
    228. 

  228.      soft reputation system.
    229. 

  229. 

  230.    Rather than a guaranteed system with accounting (as 4.1 and 4.2),
    231. 

  231.    we instead try for a best-effort system. All bytes are in the same
    232. 

  232.    class of service. You keep track of other Tors by key, and give them
    233. 

  233.    service proportional to the service they have given you. That is, in
    234. 

  234.    the past when you have tried to push bytes through them, you track the
    235. 

  235.    number of bytes and the average bandwidth, and use that to weight the
    236. 

  236.    priority of their connections if they try to push bytes through you.
    237. 

  237. 

  238.    Now you're going to get minimum service if you don't ever push bytes
    239. 

  239.    for other people, and you get increasingly improved service the more
    240. 

  240.    active you are. We should have memories fade over time (we'll have
    241. 

  241.    to tune that, which could be quite hard).
    242. 

  242. 

  243.    Pro: Sybil attacks are pointless because new identities get lowest
    244. 

  244.    priority.
    245. 

  245. 

  246.    Pro: Smoothly handles periods of both low and high network load. Rather
    247. 

  247.    than keeping track of the ratio/difference between what he's done for
    248. 

  248.    you and what you've done for him, simply keep track of what he's done
    249. 

  249.    for you, and give him priority based on that.
    250. 

  250. 

  251.    Based on 3.3 above, it seems we should reward all the nodes in our
    252. 

  252.    path, not just the first one -- otherwise the node can provide good
    253. 

  253.    service only to its guards. On the other hand, there might be a
    254. 

  254.    second-order effect where you want nodes to like you so that *when*
    255. 

  255.    your guards choose you for a circuit, they'll be able to get good
    256. 

  256.    performance. This tradeoff needs more simulation/analysis.
    257. 

  257. 

  258.    This approach focuses on incenting people to relay traffic, but it
    259. 

  259.    doesn't do much for incenting them to allow exits. It may help in
    260. 

  260.    one way through: if there are few exits, then they will attract a
    261. 

  261.    lot of use, so lots of people will like them, so when they try to
    262. 

  262.    use the network they will find their first hop to be particularly
    263. 

  263.    pleasant. After that they're like the rest of the world though.
    264. 

  264. 

  265.    Pro: this is a pretty easy design to add; and it can be phased in
    266. 

  266.    incrementally simply by having new nodes behave differently.
    267. 

  267. 

  268. 4.4. Centralized opinions from the reputation servers.
    269. 

  269. 

  270.    Have a set of official measurers who spot-check servers from the
    271. 

  271.    directory to see if they really do offer roughly the bandwidth
    272. 

  272.    they advertise. Include these observations in the directory. (For
    273. 

  273.    simplicity, the directory servers could be the measurers.) Then Tor
    274. 

  274.    servers give priority to other servers. We'd like to weight the
    275. 

  275.    priority by advertised bandwidth to encourage people to donate more,
    276. 

  276.    but it seems hard to distinguish between a slow server and a busy
    277. 

  277.    server.
    278. 

  278. 

  279.    The spot-checking can be done anonymously to prevent selectively
    280. 

  280.    performing only for the measurers, because hey, we have an anonymity
    281. 

  281.    network.
    282. 

  282. 

  283.    We could also reward exit nodes by giving them better priority, but
    284. 

  284.    like above this only will affect their first hop. Another problem
    285. 

  285.    is that it's darn hard to spot-check whether a server allows exits
    286. 

  286.    to all the pieces of the Internet that it claims to. If necessary,
    287. 

  287.    perhaps this can be solved by a distributed reporting mechanism,
    288. 

  288.    where clients that can reach a site from one exit but not another
    289. 

  289.    anonymously submit that site to the measurers, who verify.
    290. 

  290. 

  291.    A last problem is that since directory servers will be doing their
    292. 

  292.    tests directly (easy to detect) or indirectly (through other Tor
    293. 

  293.    servers), then we know that we can get away with poor performance for
    294. 

  294.    people that aren't listed in the directory. Maybe we can turn this
    295. 

  295.    around and call it a feature though -- another reason to get listed
    296. 

  296.    in the directory.
    297. 

  297. 

  298. 5. Recommendations and next steps.
    299. 

  299. 

  300. 

  301.