diff options
| author | Nick Mathewson <nickm@torproject.org> | 2021-10-08 10:22:53 -0400 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2021-10-08 10:22:53 -0400 |
| commit | ecd41d465a5239a82e06ff88e4c03c2cbc99f2ec (patch) | |
| tree | 59dfaa82498241f04e45e3dc06813088b405c24b /proposals/335-middle-only-redux.md | |
| parent | 311c90ab364ae8a10f7388ea6791e88701a40b7f (diff) | |
| download | torspec-ecd41d465a5239a82e06ff88e4c03c2cbc99f2ec.tar.gz torspec-ecd41d465a5239a82e06ff88e4c03c2cbc99f2ec.zip | |
Proposal 335: alternative implementation for MiddleOnly.
Diffstat (limited to 'proposals/335-middle-only-redux.md')
| -rw-r--r-- | proposals/335-middle-only-redux.md | 77 |
1 files changed, 77 insertions, 0 deletions
diff --git a/proposals/335-middle-only-redux.md b/proposals/335-middle-only-redux.md new file mode 100644 index 0000000..19e6c1b --- /dev/null +++ b/proposals/335-middle-only-redux.md @@ -0,0 +1,77 @@ +``` +Filename: 335-middle-only-redux.md +Title: An authority-only design for MiddleOnly +Author: Nick Mathewson +Created: 2021-10-08 +Status: Open +``` + +# Introduction + +This proposal describes an alternative design for a `MiddleOnly` +flag. Instead of making changes at the client level, it adds a +little increased complexity at the directory authority's voting +process. In return for that complexity, this design will work +without additional changes required from Tor clients. + +For additional motivation and discussion see proposal 334 by Neel +Chauhan, and the related discussions on tor-dev. + +# Protocol changes + +## Generating votes + +When voting for a relay with the `MiddleOnly` flag, an authority +should set all flags indicating that a relay is unusable for a +particular purpose, and against all flags indicating that the relay +is usable for a particular position. + +These flags SHOULD be set in a vote whenever `MiddleOnly` is +present, and only when the authority is configured to vote on the +`BadExit` flag. + + * `BadExit` + +These flags SHOULD be cleared in a vote whenever `MiddleOnly` is +present. + + * `Exit` + * `Guard` + * `HSDir` + * `V2Dir` + +## Computing a consensus + +This proposal will introduce a new consensus method (probably 32). +Whenever computing a consensus using that consensus method or later, +authorities post-process the set of flags that appear in the +consensus after flag voting takes place, by applying the same rule +as above. + +That is, with this consensus method, the authorities first compute +the presence or absence of each flag on each relay as usual. Then, +if the `MiddleOnly` flag is present, the authorities set `BadExit`, +and clear `Exit`, `Guard`, `HSDir`, and `V2Dir`. + +# Configuring authorities + +We'll need a means for configuring which relays will receive this +flag. For now, we'll just reuse the same mechanism as +`AuthDirReject` and `AuthDirBadExit`: a set of torrc configuration +lines listing relays by address. We'll call this +`AuthDirMiddleOnly`. + +We'll also add an `AuthDirListsMiddleOnly` option to turn on or off +voting on this option at all. + +# Notes on safety and migration + +Under this design, the MiddleOnly option becomes useful immediately, +since authorities that use it will stop voting for certain +additional options for MiddleOnly relays without waiting for the +other authorities. + +We don't need to worry about a single authority setting MiddleOnly +unilaterally for all relays, since the MiddleOnly flag will have no +special effect until most authorities have upgraded to the new +consensus method. |