Re: [tor-relays] Exits lost their function

2018-02-11 Thread Roger Dingledine 
On Sun, Feb 11, 2018 at 11:55:44AM +0100, Paul wrote:
> > (A) Correct, we recently changed it so both 80 and 443 are required:
> > https://bugs.torproject.org/23637
> 
> Thank you for that explanation - how long should it take to get the
>exit flag back when opening port 80 ?

How long *should* it take? At most an hour -- your relay publishes a
new descriptor with the new exit policy, and on the next consensus vote
(which happens at the top of each hour), all the dir auths who have seen
the new descriptor vote the Exit flag for you.

If you meant "how long until Atlas shows that I have it", add a few
hours to that, since it pulls its data from onionoo, which pulls from
whatever on the metrics side is doing the data fetching and collection.

There have been some other issues here and there lately, where your relay
publishes a new descriptor, but some of the dir auths decide that it
isn't interesting compared to the one they've already got. Your relay
publishes a new descriptor every 18 hours in any case, so these rare
situations generally work themselves out within a day.

So: it should be within an hour, and it likely will be within a day. :)

If you want to debug it more, you can fetch the recent votes from
https://collector.torproject.org/recent/relay-descriptors/votes/
and see what each of the votes says about your "s" lines.

I try to put moria1's most recently seen votes at
https://www.freehaven.net/~arma/moria1-v3-status-votes
every hour if you want extra fresh data.

--Roger

___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] Exits lost their function

2018-02-11 Thread Paul 


Am 09.02.2018 um 19:41 schrieb Roger Dingledine:
> On Fri, Feb 09, 2018 at 07:37:09PM +0100, niftybunny wrote:
>> Minimum is:
>>
>> accept *:53
>> accept *:80
>> accept *:443
> 
> (A) Correct, we recently changed it so both 80 and 443 are required:
> https://bugs.torproject.org/23637

> 
> --Roger

Thank you for that explanation - how long should it take to get the exit flag 
back when opening port 80 ?

Paul

___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] Exits lost their function

2018-02-11 Thread nusenu 

> It's a good mystery. :) Maybe we can find more recent situations where
> directory authorities completely left out the Exit flags from their votes?

thanks for your analysis.
maybe we can DocTor checks for this and graphs on consensus-health
https://lists.torproject.org/pipermail/tor-dev/2018-February/012918.html

-- 
https://mastodon.social/@nusenu
twitter: @nusenu_



signature.asc
Description: OpenPGP digital signature
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] Exits lost their function

2018-02-10 Thread Roger Dingledine 
On Sat, Feb 10, 2018 at 11:37:00PM +, nusenu wrote:
> | 0.3.1.9   | Bifroest   |
> | 0.3.2.9   | bastet | bridge dirauth

Careful, it's Bifroest that's the bridge auth. bastet is just a normal
v3 auth.

> I'm curious:
> Why did this change come into effect after only 3/9 having the change
> deployed? Are only a subset of dir auths responsible for voting about the 
> exit flag?

From
https://collector.torproject.org/archive/relay-descriptors/votes/votes-2018-01.tar.xz
it looks like on 2018-01-20-12-00-00, mandela had the following status
flag votes:

dannenberg: s Fast Guard Stable V2Dir Valid
tor26: s Fast Guard HSDir Running Stable V2Dir Valid
longclaw: s Exit Fast HSDir Running Stable V2Dir Valid
bastet: s Fast HSDir Running Stable V2Dir Valid
maatuska: s Exit Fast HSDir Running Stable V2Dir Valid
moria1: s Fast Guard Running Stable V2Dir Valid
dizum: s Exit Fast Guard HSDir Running Stable V2Dir Valid
gabelmoo: s Fast Guard HSDir Running Stable V2Dir Valid
Faravahar: s Exit Fast HSDir Running Stable V2Dir Valid

So 4 of 9 votes for the Exit flag, and that's not enough.

In this case, 4 of the 9 were running a new enough version to withhold
the Exit flag, and dannenberg was the surprise fifth that withheld it.

In fact, dannenberg withheld the Exit flag from *every* relay in its vote,
that hour!

dannenberg gave out Exit flags from 00 to 10 on the 20th, but not at 11am,
or anytime else that day, until noon on the 21st when it resumed.

And when it resumed at noon on the 21st, it was running 0.3.2.9 (and so
even though it was voting Exit for many relays, it was no longer voting
Exit for mandela).

My first guess for the culprit would be bug 24137, which went into
0.3.3.1-alpha so only moria1 will have the fix. That bug basically
made dir auths not vote Exit when the relay's bandwidth is too low.
But that bug doesn't fit this situation perfectly.

I wonder if dannenberg dabbled in using the output of a bandwidth
authority (bwauth) during that time -- if so, then bug 24137 would be
a good match.

It's a good mystery. :) Maybe we can find more recent situations where
directory authorities completely left out the Exit flags from their votes?

--Roger

___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] Exits lost their function

2018-02-10 Thread nusenu 


niftybunny:
> The thing is, someone should scan all relays and inform them that their exit 
> flag is gone. We need every exit we can get.

thank you for your input - I sent out that other email to address it (luckily 
we do not need to scan
to gather that kind of data).

So back to my question: 

> Why did this change come into effect after only 3/9 [dirauths] having the 
> change
> deployed? Are only a subset of dir auths responsible for voting about the 
> exit flag?




-- 
https://mastodon.social/@nusenu
twitter: @nusenu_



signature.asc
Description: OpenPGP digital signature
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] Exits lost their function

2018-02-10 Thread niftybunny 
The thing is, someone should scan all relays and inform them that their exit 
flag is gone. We need every exit we can get.

> On 11. Feb 2018, at 00:37, nusenu  wrote:
> 
> 
>> so on that day I guess dir auths updated to the version enforcing
>> 80+443 for exit flag
> 
> 
> ___
> tor-relays mailing list
> tor-relays@lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] Exits lost their function

2018-02-10 Thread nusenu 

> so on that day I guess dir auths updated to the version enforcing
> 80+443 for exit flag

to confirm this:

Dir Auth Tor versions as of 2018-01-19 13:00
+---++
| tor_version   | nickname   |
+---++
| 0.3.1.9   | dannenberg |
| 0.3.1.9   | longclaw   |
| 0.3.1.9   | dizum  |
| 0.3.1.9   | gabelmoo   |
| 0.3.1.9   | Bifroest   |
| 0.3.1.9   | Faravahar  |
| 0.3.1.9   | maatuska   |

| 0.3.2.9   | tor26  |
| 0.3.3.0-alpha-dev | moria1 |

| 0.3.2.9   | bastet | bridge dirauth
+---++

Dir Auth Tor versions as of 2018-01-20 12:00 

An hour after you lost the exit flag:
+---++
| tor_version   | nickname   |
+---++
| 0.3.1.9   | dannenberg |
| 0.3.1.9   | longclaw   |
| 0.3.1.9   | dizum  |
| 0.3.1.9   | Bifroest   |
| 0.3.1.9   | Faravahar  |
| 0.3.1.9   | maatuska   |

| 0.3.2.9   | gabelmoo   |
| 0.3.2.9   | tor26  |
| 0.3.3.0-alpha-dev | moria1 |

| 0.3.2.9   | bastet | bridge dirauth
+---++

I'm curious:
Why did this change come into effect after only 3/9 having the change
deployed? Are only a subset of dir auths responsible for voting about the exit 
flag?

thanks!

the change was in 0.3.2.9:
> Minor features (directory authority):
> 
> Make the "Exit" flag assignment only depend on whether the exit
> policy allows connections to ports 80 and 443. Previously relays
> would get the Exit flag if they allowed connections to one of these
> ports and also port 6667. Resolves ticket 23637.


-- 
https://mastodon.social/@nusenu
twitter: @nusenu_




signature.asc
Description: OpenPGP digital signature
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] Exits lost their function

2018-02-09 Thread Roger Dingledine 
On Fri, Feb 09, 2018 at 07:37:09PM +0100, niftybunny wrote:
> Minimum is:
> 
> accept *:53
> accept *:80
> accept *:443

(A) Correct, we recently changed it so both 80 and 443 are required:
https://bugs.torproject.org/23637

(B) Port 53 has nothing to do with the exit flag, and it goes mostly
unused anyway -- you might think 53 is dns, but most dns is not done in
the form of tunneled tcp connections to tcp port 53.

--Roger

___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] Exits lost their function

2018-02-09 Thread nusenu 


niftybunny:
> reject 80
> 
> Thats why.

good catch :)

yes, I can confirm that, but it was already there on 
2018-01-19 13:00

so on that day I guess dir auths updated to the version enforcing 80+443
for exit flag

-- 
https://mastodon.social/@nusenu
twitter: @nusenu_



signature.asc
Description: OpenPGP digital signature
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] Exits lost their function

2018-02-09 Thread niftybunny 
Minimum is:

accept *:53
accept *:80
accept *:443


> On 9. Feb 2018, at 19:35, Paul  wrote:
> 
> 
> 
> Am 09.02.2018 um 19:28 schrieb niftybunny:
>> reject 80
>> 
>> Thats why.
> 
> 
> Was there a change of rules on that day?
> Reject 80 was always the case in those settings.
> 
> 
>> 
>>> On 9. Feb 2018, at 19:25, nusenu  wrote:
>>> 
>>> 
>>> 
>>> Paul:
 What could bring several exits at different providers and different 
 operating systems (Linux and FreeBSD) down on the same day, Jan 21st?
 
 Since, while they still run as relays, they don’t show as exits any more 
 without any change from my side.
 
 They do run on Tor 0.3.1.9 or 0.3.2.9 in the same Family.
>>> 
>>> I'm not sure if you are referring to your relays or someone else's relays?
>>> 
>>> I assume you talk about:
>>> https://atlas.torproject.org/#search/contact:1K38x9xqK3YDzjehYFAEPzsESEC4ScH5wJ
>>>  
>>> 
>>> it is indeed interesting why some of them have no exit flag, example: 
>>> https://atlas.torproject.org/#details/B27509F6D6233ACD2EAC8936D5FE7CBF009163BE
>>> 
>>> @David: they don't have badexit flags
>>> 
>>> 2018-01-21 appeas to have been an interesting day indeed
>>> https://twitter.com/nusenu_/status/960176185954242560
>>> 
>>> -- 
>>> https://mastodon.social/@nusenu
>>> twitter: @nusenu_
>>> 
>>> ___
>>> tor-relays mailing list
>>> tor-relays@lists.torproject.org
>>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>> 
>> ___
>> tor-relays mailing list
>> tor-relays@lists.torproject.org
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>> 
> ___
> tor-relays mailing list
> tor-relays@lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] Exits lost their function

2018-02-09 Thread Paul 


Am 09.02.2018 um 19:28 schrieb niftybunny:
> reject 80
> 
> Thats why.


Was there a change of rules on that day?
Reject 80 was always the case in those settings.


> 
>> On 9. Feb 2018, at 19:25, nusenu  wrote:
>>
>>
>>
>> Paul:
>>> What could bring several exits at different providers and different 
>>> operating systems (Linux and FreeBSD) down on the same day, Jan 21st?
>>>
>>> Since, while they still run as relays, they don’t show as exits any more 
>>> without any change from my side.
>>>
>>> They do run on Tor 0.3.1.9 or 0.3.2.9 in the same Family.
>>
>> I'm not sure if you are referring to your relays or someone else's relays?
>>
>> I assume you talk about:
>> https://atlas.torproject.org/#search/contact:1K38x9xqK3YDzjehYFAEPzsESEC4ScH5wJ
>>  
>>
>> it is indeed interesting why some of them have no exit flag, example: 
>> https://atlas.torproject.org/#details/B27509F6D6233ACD2EAC8936D5FE7CBF009163BE
>>
>> @David: they don't have badexit flags
>>
>> 2018-01-21 appeas to have been an interesting day indeed
>> https://twitter.com/nusenu_/status/960176185954242560
>>
>> -- 
>> https://mastodon.social/@nusenu
>> twitter: @nusenu_
>>
>> ___
>> tor-relays mailing list
>> tor-relays@lists.torproject.org
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
> 
> ___
> tor-relays mailing list
> tor-relays@lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
> 
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] Exits lost their function

2018-02-09 Thread niftybunny 
reject 80

Thats why.

> On 9. Feb 2018, at 19:25, nusenu  wrote:
> 
> 
> 
> Paul:
>> What could bring several exits at different providers and different 
>> operating systems (Linux and FreeBSD) down on the same day, Jan 21st?
>> 
>> Since, while they still run as relays, they don’t show as exits any more 
>> without any change from my side.
>> 
>> They do run on Tor 0.3.1.9 or 0.3.2.9 in the same Family.
> 
> I'm not sure if you are referring to your relays or someone else's relays?
> 
> I assume you talk about:
> https://atlas.torproject.org/#search/contact:1K38x9xqK3YDzjehYFAEPzsESEC4ScH5wJ
>  
> 
> it is indeed interesting why some of them have no exit flag, example: 
> https://atlas.torproject.org/#details/B27509F6D6233ACD2EAC8936D5FE7CBF009163BE
> 
> @David: they don't have badexit flags
> 
> 2018-01-21 appeas to have been an interesting day indeed
> https://twitter.com/nusenu_/status/960176185954242560
> 
> -- 
> https://mastodon.social/@nusenu
> twitter: @nusenu_
> 
> ___
> tor-relays mailing list
> tor-relays@lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] Exits lost their function

2018-02-09 Thread nusenu 


Paul:
> What could bring several exits at different providers and different operating 
> systems (Linux and FreeBSD) down on the same day, Jan 21st?
> 
> Since, while they still run as relays, they don’t show as exits any more 
> without any change from my side.
> 
> They do run on Tor 0.3.1.9 or 0.3.2.9 in the same Family.

I'm not sure if you are referring to your relays or someone else's relays?

I assume you talk about:
https://atlas.torproject.org/#search/contact:1K38x9xqK3YDzjehYFAEPzsESEC4ScH5wJ 

it is indeed interesting why some of them have no exit flag, example: 
https://atlas.torproject.org/#details/B27509F6D6233ACD2EAC8936D5FE7CBF009163BE

@David: they don't have badexit flags

2018-01-21 appeas to have been an interesting day indeed
https://twitter.com/nusenu_/status/960176185954242560

-- 
https://mastodon.social/@nusenu
twitter: @nusenu_



signature.asc
Description: OpenPGP digital signature
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] Exits lost their function

2018-02-09 Thread David Goulet 
On 09 Feb (19:06:23), Paul wrote:
> What could bring several exits at different providers and different operating 
> systems (Linux and FreeBSD) down on the same day, Jan 21st?
> 
> Since, while they still run as relays, they don’t show as exits any more 
> without any change from my side.
> 
> They do run on Tor 0.3.1.9 or 0.3.2.9 in the same Family.

They could have been flagged as BadExit.

Can you provide the list of fingerprints or/and IPs of your Exits?

Thanks!
David

> 
> Thanks 
> Paul
> ___
> tor-relays mailing list
> tor-relays@lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

-- 
And8vxUcJVOn9srRjJ3mpKMUC5pScfYMRq9Qv9yt54Y=


signature.asc
Description: PGP signature
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

[tor-relays] Exits lost their function

2018-02-09 Thread Paul 
What could bring several exits at different providers and different operating 
systems (Linux and FreeBSD) down on the same day, Jan 21st?

Since, while they still run as relays, they don’t show as exits any more 
without any change from my side.

They do run on Tor 0.3.1.9 or 0.3.2.9 in the same Family.

Thanks 
Paul
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays