[tor-relays] Next Tor Relay Operator Meetup - March 4, 2023 (19 UTC)

Hello,

Thanks all for joining the Tor Relay Operator Meetup!
You can find the meetup notes below.
The next meetup will be at the beginning of April (1st or 8th, date TBD).

cheers,
Gus

## Tor Relay Operator Meetup - 2023-03-04

### Before we start

Tor operators are recommended to read the Tor Code of Conduct and
Expectations of Tor Operators.

Tor Code of Conduct:

Expectations for Relay Operators:

### Announcements

1) The number of Tor relays per IP address has been increased from 2 to
4: "Increase the amount of allowed relays per IP address to 8" (#40744) ·
Issues · The Tor Project / Core / Tor · GitLab. We will discuss further
increasing this limitation during the Questions & Answers section.

2) Tor version 0.4.5 has reached end-of-life status. There is no plan to
create a new LTS (long term support) version. In 2-3 weeks the Tor Project
will start the usual process of gathering the EOL relays and contacting
their operators to ask if they would please upgrade. Do you run an EOL
version yourself? Please update as soon as possible.

3) The aim of the Run a Tor relay (EFF Challenge @ Universities) is to
give students and universities hands-on experience with Tor. For example
letting students and/or labs run relays, proxies or experiment with Tor
in other ways. The Tor Project made a letter to send to their closest
contacts, but the difficulty is: what do you ask for?

There is a large difference between educational institutions: some of
them, for example, work together with LEA (law enforcement agencies) to
deanonymize Tor users while others work on new privacy-by-design
technologies. If you're interested you can follow the mailing list[1] or
post on the forums. If you have pointers or specific input, you can also
contact gman999 on IRC directly.

[1]
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays-universities

4) The internet in Turkmenistan is mostly censored[1], to the point
where even Snowflake[2] and most Obfs4 bridges are blocked (because most
of the internet is actually blocked by their government). Obfs4 bridges
running from residential IP address space seem to still work. Help is
greatly needed and appreciated.

[1] Information about censorship in Turkmenistan:

[2] Snowflake is blocked:

### Collecting proposals for improving the health of Tor

The Tor Project wants to invite[1] the community (which of course
includes the Tor operators) to have a discussion and create proposals
to improve the health of the Tor network by creating a healthy and
trustworthy Tor operator community. Bad actors are frequently trying to
hurt Tor, Tor users and Tor's community and we should try to mitigate
these efforts more effectively.

This effort is part of the Community and Network Health teams' 2023
roadmap. Some of these activities are also part of sponsor work[2]. This
is only the start of this process and right now proposals are only
gathered (and not yet discussed/considered).

Some relevant documents and currently gathered proposals are the
Expectations for Relay Operators[3], proposal for Exit relay
lifecycle[4], proposal for using CISS[5], proposal for verified physical
address for large operators[6] and a proposal for limiting unverified
relay families[7]. Note that this call for proposals is certainly not
meant to yield only technical solutions, but also social, community and
other solutions to improve the Tor network health and Tor's community.

The Tor Project wants a lot of involvement from the community during
this process. Don't hesitate to submit your own proposals, ideas,
opinions, discussions via the usual channels. Concrete proposals can be
added to GitLab[8] or the tor-relays mailing list. The proposals will
also be discussed and evaluated during Tor relay operator meetups (both
online and offline).

Timeframe/planning (TBD):
    - March 2023 - June 2023: Call for proposals (collecting/gathering)

[1] Collect proposals towards a more trusted relay operator community (#55) · Issues · The Tor Project / Community / Relays · GitLab
[2] Full project: Sponsor 112 : Combating Malicious Relays · The Tor Project · GitLab
[3] https://gitlab.torproject.org/tpo/community/relays/-/issues/18
[4] Exit relay lifecycle (#220) · Issues · The Tor Project / Network Health / Team · GitLab
[5] [tor-relays] ContactInfo Spec Version 2 is released
[6] [tor-relays] >23% Tor exit relay capacity found to be malicious - call for support for proposal to limit large scale attacks
[7] [tor-relays] >23% Tor exit relay capacity found to be malicious - call for support for proposal to limit large scale attacks
[8] We want to have som automation to detect relay problems (both malicious and accidental) (#5) · Issues · The Tor Project / Community / Relays · GitLab

### Tor Weather release & beta testing

The Tor Weather notification service helped Tor operators to get
notifications about incidents, issues, removal of flags etc. regarding
their relays. This service has been offline and unmaintained for a while
now because of a time shortage. Such a monitoring service can be very
valuable for Tor operators though, and would lower the bar for new Tor
relay operators to start running Tor relays without having to worry
about implementing advanced monitoring to check on their Tor relays.

For the Google Summer of Code (GSoC) Project 2022 the Tor Project found a mentee to
revitalize Tor-weather. The current repository can be found on GitLab[1]
and after improvements Tor would like to test these with Tor operators.

The Tor operators got a short demonstration of Tor Weather and are
enthusiastic about it. :)

[1] The Tor Project / Network Health / Tor-Weather · GitLab

### DoS situation update

The Network Team isn't available today so instead the Tor Project asks
the Tor operator community how they are experiencing and dealing with
the DDoS situation. On Tor's side not much has changed but the
implementation of the proof of work is coming along nicely[1]. There is
no input from the Tor relay operators.

#### This might be a stupid question - but what is the TL;DR on the DDoS? To be honest, I didn't notice anything really even though I run quite a few exits. Is it higher network usage only or high CPU or...? Sorry for asking such a basic question (Kristian - lokodlare)

There are different DDoS attacks, some are focused on guard/middle
relays while others target exit relays. Some DDoS attacks are done via
the Tor network itself while other DDoS attacks are plain old UDP/TCP
flood attacks. Tor Project is working on more DDoS mitigation.

For a summary, read this blog post:

[1] prop327: Implement PoW over Introduction Circuits (#40634) · Issues · The Tor Project / Core / Tor · GitLab

### Questions and topics

#### When is the next relay operator meetup?

Gus will pick a date between April 1 19:00 UTC and April 8 19:00 UTC.

#### What about bridge enumeration attackers and how to prevent it?

Censors already have their own tools and devices to block and/or
enumerate Tor bridges and circumvention tech. That said, such projects
exposing bridges aren't helping Tor in any way.
If you know any potential issues with BridgeDB, or if you're one of the
people collecting this data, please contact the Tor Project. Don't be a
jerk, be awesome instead. :)

#### When will a new Sysadmin 101 workshop be organized?

We should find a new date and topics for the next Sysadmin workshop.
Suggestions are welcome:

For BSD enthusiasts, the BSD community has an IRC channel (#bsd-privacy)
and everyone is welcome to join and reach out.

#### Obfs4 is totally blocked in Iran and snowflake has very little speed if not blocked at some ISPs, are there any plans to upgrade the bridge software to circumvent the stricter kinds of censorships?

- Decline in Snowflake users from Iran during the second part of
  February, cause unknown:
  2023 February update - Open Collective
- Investigating a possible misconfiguration
  Make nf_conntrack changes persistent (#40259) · Issues · The Tor Project / Anti-censorship / Pluggable Transports / Snowflake · GitLab
- There is a second Snowflake bridge (snowflake-02), available in Tor
  Browser since 12.0:
  New Release: Tor Browser 12.0 | The Tor Project
  Add Secondary Snowflake Bridge (#40674) · Issues · The Tor Project / Applications / tor-browser-build · GitLab
  But most Snowflake users in Iran use Orbot, not Tor Browser, and the
  second Snowflake bridge is not in any released version of Orbot yet.
  #tor-meeting log
  You can activate the second bridge in Orbot by manually pasting in a
  bridge line.
  Second Snowflake bridge available for testing · Issue #152 · net4people/bbs · GitHub
- There have been intermittent blocks of the domain fronting
  rendezvous in some ISPs in Iran. A workaround is to use the AMP
  cache rendezvous.
  Blocking of cdn.sstatic.net by SNI in Iran, 2023-01-16 to 2023-01-24 and sporadically thereafter (#115) · Issues · The Tor Project / Anti-censorship / Team · GitLab

If you're from Iran, you might be able to help the Tor project. Please
reach out to us if you can provide more information about how Iran is
blocking Tor.

#### Can we move forward with increasing the relays per IP limit? 4 -> 8 -> 16? We are waiting for the final step because we don't want to do the IP renumbering dance multiple times. Also: If you stop at "8 relays per IP" please document why, so we at least know why we are spending money on IP addresses instead of faster hardware to deal with the DDoS pain.

The Tor project wants to check the impact of the change from 2 to 4
first before further increasing the limit. This will take at least a few
more weeks and then further steps can be taken (based on the data).

#### Please document MetricsPort

#### I wish to collaborate on the Snowflake landing page revamp. Please give me Gitlab account access. I would love to learn more about The Tor Project.

- If you're a GSoC applicant, please talk with your project mentor
  first.

#### DDoS mitigation: Would you implement this as a patch only so we do measurements and come up with some data for a proposal that aims to make DDoS against non-guards harder?

The Network Team isn't available, but Tor Project will discuss this in
the next week. The proposal looks fine at first sight. Thanks for
submitting a proposal to improve Tor.

#### dannenberg doesn't seem up to date wrt AuthDirMaxServersPerAddr=4, it says a lot of relays are sybil. Any idea when it will get updated?

Tor Project contacted all Authorities but for the time being you have to
live with it.

#### Please help us prevent downtimes with this easy addition to MetricsPort: "MetricsPort: new metric exposing time until online keys expire for relay operators using OfflineMasterKey" (#40546) · Issues · The Tor Project / Core / Tor · GitLab

The Network Team is aware of this proposal.

#### I have a question about my Snowflake node running on a DigitalOcean droplet. Its log says "NAT type: restricted" but I do see connections and traffic being relayed. Where is a good place to go for help/support? Or is this a known issue/not an issue?

- "NAT type: restricted" is not really a problem; it just means that
  there are some Snowflake clients your proxy will not be able to
  connect to. The Snowflake broker takes NAT compatibility into account,
  so it will not assign clients with an incompatible NAT to your proxy.

For full documentation about Snowflake NAT matching, please read this
wiki page:

#### Do you know about an approach or hacking guide to store your ed25519_master_id_secret_key on a smartcard or hardware token like Nitrokey or Yubikey and use this smartcard in the signing process? I think this would be a helpful approach to make offline key signing even more secure. (I know that there are different key formats, different firmware versions etc. - just wanted to know if someone has experiences with that).

This topic has come up a few times, but as far as is known no one really
implemented this in practice.

#### Will exit scanner support IPv6 anytime soon? (ExoneraTor) After the last relay meetup I realized it also affects us even without using the torrc setting to use a distinct exit IP

Not anytime soon probably.

#### I have some relays hosted on a residential connection that changes the IP 1-2 times per month. My ISP provides me DDNS. Can I use that to advertise my relays instead of the IP in order not to repeat the lifecycle of a new relay every time the IP is changed?

Yes! In theory, you can write your FQDN (dyndns address) in the
"Address" field in your torrc, and Tor will resolve it periodically to
see if it has changed. Also, in theory you should be able to just leave
it all blank, and Tor will discover that your IP address has changed.
You should maintain your relay reputation across IP address changes --
though we do count the change as a brief downtime, because client
connections get cut when you change addresses.
  
#### Does the Tor Weather support Bridges too?

It could look at the bridgestrap output, rather than needing to
scan the bridges itself.

On Wed, Mar 01, 2023 at 12:19:31PM -0300, gus wrote:

Hello,

Just a friendly reminder that the Tor Relay Operator meetup will happen
this Saturday, March 4, 2023 at 19 UTC (view in your timezone:
timee | World clock and scheduler ).

cheers,
Gus

On Tue, Feb 14, 2023 at 11:48:56AM -0300, gus wrote:
> Hi,
>
> The next Tor Relay Operator Meetup will happen on March 4, 2023, at 19
> UTC!
>
> We're still working on the agenda, feel free to add your topics
> and/or questions on the pad:
> Riseup Pad
> onionsite: http://kfahv6wfkbezjyg4r6mlhpmieydbebr5vkok5r34ya464gqz6c44bnyd.onion/p/tor-relay-op-meetup-m4-keep
>
> WHERE
> Room link: Tor Relay Operator Meetup
>
> Registration
>
> No need for a registration or anything else, just use the room-link
> above. We will open the room 10 minutes before so you can test your mic
> setup.
>
> Please share with your friends, social media and other mailing lists!
>
> Gus
> --
> The Tor Project
> Community Team Lead

--
The Tor Project
Community Team Lead