diff options
| author | Nick Mathewson <nickm@torproject.org> | 2007-03-17 21:10:08 +0000 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2007-03-17 21:10:08 +0000 |
| commit | c50cf094b17cf3498916f08863b8902e92e41d1e (patch) | |
| tree | 769f14c470b106dc6d585d17782c47976c4f25c0 /doc | |
| parent | 5679edfd3a235e41c2cd5f3560361b666be48165 (diff) | |
| download | tor-c50cf094b17cf3498916f08863b8902e92e41d1e.tar.gz tor-c50cf094b17cf3498916f08863b8902e92e41d1e.zip | |
r12212@catbus: nickm | 2007-03-17 17:05:54 -0400
Merge or-dev discussion into 109; mark 109 accepted.
svn:r9864
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/spec/proposals/000-index.txt | 2 | ||||
| -rw-r--r-- | doc/spec/proposals/109-no-sharing-ips.txt | 37 |
2 files changed, 20 insertions, 19 deletions
diff --git a/doc/spec/proposals/000-index.txt b/doc/spec/proposals/000-index.txt index d0042d807c..71d8253bdd 100644 --- a/doc/spec/proposals/000-index.txt +++ b/doc/spec/proposals/000-index.txt @@ -27,6 +27,6 @@ Proposals by number: 106 Checking fewer things during TLS handshakes [CLOSED] 107 Uptime Sanity Checking [CLOSED] 108 Base "Stable" Flag on Mean Time Between Failures [OPEN] -109 No more than one server per IP address [OPEN] +109 No more than one server per IP address [ACCEPTED] 110 Avoiding infinite length circuits [OPEN] 111 Prioritizing local traffic over relayed traffic [OPEN] diff --git a/doc/spec/proposals/109-no-sharing-ips.txt b/doc/spec/proposals/109-no-sharing-ips.txt index f71a707135..bd0ce14888 100644 --- a/doc/spec/proposals/109-no-sharing-ips.txt +++ b/doc/spec/proposals/109-no-sharing-ips.txt @@ -4,7 +4,7 @@ Version: Last-Modified: Author: Kevin Bauer & Damon McCoy Created: 9-March-2007 -Status: Open +Status: Accepted Overview: This document describes a solution to a Sybil attack vulnerability in the @@ -30,9 +30,24 @@ Security implications: attacker must control in order to carry out traffic analysis. Specification: - We propose that the directory servers check if an incoming Tor router IP - address is already registered under another router. If this is the case, - then prevent the new router from joining the network. + + For each IP address, each directory authority tracks the number of routers + using that IP address, along with their total observed bandwidth. If there + are more than MAX_SERVERS_PER_IP servers at some IP, the authority should + "disable" all but MAX_SERVERS_PER_IP servers. If the total observed + bandwidth of the remaining non-"disabled" servers exceeds MAX_BW_PER_IP, + the authority should "disable" some of the remaining servers until only one + server remains, or until the remaining observed bandwidth of non-"disabled" + servers is under MAX_BW_PER_IP. When choosing which servers to disable, + the authority should first disable non-Running servers in increasing order + of observed bandwidth, and then should disable Running servers in + increasing order of bandwidth. + + Servers that are "disabled" MUST be marked as non-Valid and non-Running. + + MAX_SERVERS_PER_IP is 3. + + MAX_BW_PER_IP is 8 MB per s. Compatibility: @@ -66,17 +81,3 @@ Compatibility: would only make use of a bit of it. So Roger suggested that he run two Tor servers, to use more. -Alternatives: - - Roger suggested that instead of capping number of servers per IP to 1, we - should cap total declared bandwidth per IP to some N, and total declared - servers to some M. (He suggested N=5MB/s and M=5.) Directory authorities - would then always choose to keep the highest-bandwidth running servers - -- if they pick based on time joining the network we can get into bad - race conditions. - - Roger also suggested that rather than not listing servers, we mark them as - not Running. (He originally suggested marking them as Running but not - Valid, but that would still allow an attacker to control an arbitrary - number of middle hops, which is still likely to be worrisome.) - |