Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

RPKI-Based Location-Unaware Tor Guard Relay Selection Algorithms

Zhifan Lu, Siyang Sun, Yixin Sun

TL;DR

This work tackles Tor's vulnerability to network-level routing attacks by removing reliance on client location in guard selection and leveraging RPKI (ROA/ROV) information. It presents two guard-selection algorithms: Discount, which discounts non-ROA relays, and Matching, which seeks ROA-ROV-aligned client-guard pairs through a linear-optimization framework. Measurements show growing ROA coverage (e.g., guard ROA from ~47% to ~71% over 2021–2024; total relay ROA coverage ~83.5% by May 2024) and simulations indicate substantial improvements in protection with modest performance impact, achieving up to 48.47% ROA-ROV matched client-relay pairs. The approach offers stronger, deterministic defenses against BGP-origin hijacks without leaking client location, and the authors provide open-source code to enable deployment by Tor directory authorities.

Abstract

Tor is a well-known anonymous communication tool, used by people with various privacy and security needs. Prior works have exploited routing attacks to observe Tor traffic and deanonymize Tor users. Subsequently, location-aware relay selection algorithms have been proposed to defend against such attacks on Tor. However, location-aware relay selection algorithms are known to be vulnerable to information leakage on client locations and guard placement attacks. Can we design a new location-unaware approach to relay selection while achieving the similar goal of defending against routing attacks? Towards this end, we leverage the Resource Public Key Infrastructure (RPKI) in designing new guard relay selection algorithms. We develop a lightweight Discount Selection algorithm by only incorporating Route Origin Authorization (ROA) information, and a more secure Matching Selection algorithm by incorporating both ROA and Route Origin Validation (ROV) information. Our evaluation results show an increase in the number of ROA-ROV matched client-relay pairs using our Matching Selection algorithm, reaching 48.47% with minimal performance overhead through custom Shadow simulations and benchmarking.

RPKI-Based Location-Unaware Tor Guard Relay Selection Algorithms

TL;DR

This work tackles Tor's vulnerability to network-level routing attacks by removing reliance on client location in guard selection and leveraging RPKI (ROA/ROV) information. It presents two guard-selection algorithms: Discount, which discounts non-ROA relays, and Matching, which seeks ROA-ROV-aligned client-guard pairs through a linear-optimization framework. Measurements show growing ROA coverage (e.g., guard ROA from ~47% to ~71% over 2021–2024; total relay ROA coverage ~83.5% by May 2024) and simulations indicate substantial improvements in protection with modest performance impact, achieving up to 48.47% ROA-ROV matched client-relay pairs. The approach offers stronger, deterministic defenses against BGP-origin hijacks without leaking client location, and the authors provide open-source code to enable deployment by Tor directory authorities.

Abstract

Tor is a well-known anonymous communication tool, used by people with various privacy and security needs. Prior works have exploited routing attacks to observe Tor traffic and deanonymize Tor users. Subsequently, location-aware relay selection algorithms have been proposed to defend against such attacks on Tor. However, location-aware relay selection algorithms are known to be vulnerable to information leakage on client locations and guard placement attacks. Can we design a new location-unaware approach to relay selection while achieving the similar goal of defending against routing attacks? Towards this end, we leverage the Resource Public Key Infrastructure (RPKI) in designing new guard relay selection algorithms. We develop a lightweight Discount Selection algorithm by only incorporating Route Origin Authorization (ROA) information, and a more secure Matching Selection algorithm by incorporating both ROA and Route Origin Validation (ROV) information. Our evaluation results show an increase in the number of ROA-ROV matched client-relay pairs using our Matching Selection algorithm, reaching 48.47% with minimal performance overhead through custom Shadow simulations and benchmarking.
Paper Structure (48 sections, 2 equations, 14 figures, 1 table)

This paper contains 48 sections, 2 equations, 14 figures, 1 table.

Table of Contents

  1. Introduction
  2. Background and Motivation
  3. AS-level Adversaries and Location-aware Relay Selection
  4. Resource Public Key Infrastructure (RPKI)
  5. Motivation and Goal
  6. RPKI Coverage of Tor Relays
  7. Datasets
  8. ROA and ROV Coverage for Tor
  9. Coverage for All Tor Relays
  10. Coverage for All Relays
  11. ROV Coverage
  12. Discount Selection Algorithm
  13. Discount Factor
  14. Security Evaluation
  15. Relay Selection
  16. ...and 33 more sections

Figures (14)

  • Figure 1: ROA Coverage and Validity for All Guard Relays
  • Figure 2: Percentage of clients with ROA covered guard at different discount value over time
  • Figure 3: Discount factors with various load factors over time
  • Figure 4: Percent of relay-client pairs with matched ROA & ROV
  • Figure 5: Simulation running vanilla vs discount vs matching for selected byte size transfers
  • ...and 9 more figures