author | Nick Mathewson <nickm@torproject.org> | 2007-07-29 05:20:31 +0000 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2007-07-29 05:20:31 +0000 |
commit | 1b665b3c7e13b493e229bf308bf4de7a1d7413c3 (patch) | |
tree | e3f67d3419d4f49ee50f677528f9878c43bbedf5 /doc | |
parent | eca2a300609437ab390eac6fb5a81be006fa1af7 (diff) | |
r13979@catbus: nickm | 2007-07-29 01:20:20 -0400
Implement proposal 109: As an authority, never call more than 3 servers per IP Running and Valid. Prefer Running servers to non-running ones; then prefer high-bandwidth to low-bandwidth. Needs testing.
svn:r10968
Diffstat (limited to 'doc')
-rw-r--r-- | doc/TODO | 2 |
-rw-r--r-- | doc/spec/dir-spec-v2.txt | 6 |
-rw-r--r-- | doc/spec/dir-spec.txt | 8 |
-rw-r--r-- | doc/spec/proposals/109-no-sharing-ips.txt | 17 |
4 files changed, 25 insertions, 8 deletions
@@ -140,7 +140,7 @@ Things we'd like to do in 0.2.0.x: - Drop bandwidth history from router-descriptors - 105: Version negotiation for the Tor protocol - 108: Base "Stable" Flag on Mean Time Between Failures - - 109: No more than one server per IP address + o 109: No more than one server per IP address o 103: Splitting identity key from regularly used signing key o Merge with 101 into a new dir-spec.txt - 113: Simplifying directory authority administration diff --git a/doc/spec/dir-spec-v2.txt b/doc/spec/dir-spec-v2.txt index 712be9e7fc..553e565cc5 100644 --- a/doc/spec/dir-spec-v2.txt +++ b/doc/spec/dir-spec-v2.txt @@ -482,6 +482,12 @@ $Id$ Directory server administrators may label some servers or IPs as blacklisted, and elect not to include them in their network-status lists. + Authorities SHOULD 'disable' any servers in excess of 3 on any single + IP. When there are more than 3 to choose from, authorities should first + prefer Running to non-Running, and then prefer high-bandwidth to + low-bandwidth. To 'disable' a server, the authority *should* advertise + it without the Running or Valid flag. + Thus, the network-status list includes all non-blacklisted, non-expired, non-superseded descriptors. diff --git a/doc/spec/dir-spec.txt b/doc/spec/dir-spec.txt index 4da1e97712..1900fe3716 100644 --- a/doc/spec/dir-spec.txt +++ b/doc/spec/dir-spec.txt 
@@ -968,7 +968,13 @@ $Id$ Directory server administrators may label some servers or IPs as blacklisted, and elect not to include them in their network-status lists. - Thus, the network-status list includes all non-blacklisted, + Authorities SHOULD 'disable' any servers in excess of 3 on any single + IP. When there are more than 3 to choose from, authorities should first + prefer Running to non-Running, and then prefer high-bandwidth to + low-bandwidth. To 'disable' a server, the authority *should* advertise + it without the Running or Valid flag. + + Thus, the network-status vote includes all non-blacklisted, non-expired, non-superseded descriptors. 3.4. Computing a consensus from a set of votes diff --git a/doc/spec/proposals/109-no-sharing-ips.txt b/doc/spec/proposals/109-no-sharing-ips.txt index 4a5f1a80b7..483b8b53fc 100644 --- a/doc/spec/proposals/109-no-sharing-ips.txt +++ b/doc/spec/proposals/109-no-sharing-ips.txt @@ -4,7 +4,7 @@ Version: $Revision$ Last-Modified: $Date$ Author: Kevin Bauer & Damon McCoy Created: 9-March-2007 -Status: Accepted +Status: Closed Overview: This document describes a solution to a Sybil attack vulnerability in the 
@@ -34,14 +34,19 @@ Specification: For each IP address, each directory authority tracks the number of routers using that IP address, along with their total observed bandwidth. If there are more than MAX_SERVERS_PER_IP servers at some IP, the authority should - "disable" all but MAX_SERVERS_PER_IP servers. If the total observed + "disable" all but MAX_SERVERS_PER_IP servers. When choosing which servers + to disable, the authority should first disable non-Running servers in + increasing order of observed bandwidth, and then should disable Running + servers in increasing order of bandwidth. + + [[ We don't actually do this part here. -NM + + If the total observed bandwidth of the remaining non-"disabled" servers exceeds MAX_BW_PER_IP, the authority should "disable" some of the remaining servers until only one server remains, or until the remaining observed bandwidth of non-"disabled" - servers is under MAX_BW_PER_IP. When choosing which servers to disable, - the authority should first disable non-Running servers in increasing order - of observed bandwidth, and then should disable Running servers in - increasing order of bandwidth. + servers is under MAX_BW_PER_IP. + ]] Servers that are "disabled" MUST be marked as non-Valid and non-Running. |
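
Review bot: In the doc/TODO hunk, the entry that changes from "-" to "o" still reads "109: No more than one server per IP address", but the spec text added in this same patch sets the limit at 3 servers per IP, and the commit message says the change "Needs testing". Suggest rewording the entry to match the limit of 3, and adding a sub-item for the outstanding testing so the "o" marker does not hide it.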
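
Review bot: In the doc/spec/dir-spec-v2.txt hunk, "advertise it without the Running or Valid flag" can be read as dropping either one of the flags, while proposal 109 in this same patch says disabled servers "MUST be marked as non-Valid and non-Running". Suggest "without the Running and Valid flags". The new paragraph also mixes "SHOULD", "should" and "*should*" for what reads as one requirement level, and hard-codes 3 where the proposal uses MAX_SERVERS_PER_IP; pick one keyword form and say that 3 is the value of that constant.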
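
Review bot: In the doc/spec/dir-spec.txt hunk, the new paragraph says only "prefer high-bandwidth to low-bandwidth" without naming the measure, whereas the proposal text in this patch orders by observed bandwidth. Suggest writing "observed bandwidth" here too, so authorities rank the servers on one IP by the same value. The sentence that follows, "Thus, the network-status vote includes all non-blacklisted, non-expired, non-superseded descriptors", now comes directly after the 'disable' paragraph, so "Thus" appears to conclude from it; a short clause stating that disabled servers are still listed, only without the flags, would remove the ambiguity.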
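
Review bot: In the Specification hunk of doc/spec/proposals/109-no-sharing-ips.txt, the block opened by "[[ We don't actually do this part here. -NM" keeps the MAX_BW_PER_IP rule in the text without saying whether it is dropped or deferred, while the header hunk of the same file moves Status from Accepted to Closed. Suggest stating the outcome inside the bracketed note, so a reader of the closed proposal does not take the bandwidth cap as a requirement. The relocated ordering rule ("first disable non-Running servers in increasing order of observed bandwidth") also gives no tie-break for servers with equal observed bandwidth; naming one would keep the choice of which servers to disable deterministic.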