From 429dd3ab775f2b493c8cf3c9eb4d1f3456520379 Mon Sep 17 00:00:00 2001 From: David Goulet Date: Wed, 29 Jan 2020 16:58:57 -0500 Subject: dir-spec: Vote should be refused after upload period Spec change for ticket #4631. Signed-off-by: David Goulet --- dir-spec.txt | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) (limited to 'dir-spec.txt') diff --git a/dir-spec.txt b/dir-spec.txt index 1a7a1cd..a5f7460 100644 --- a/dir-spec.txt +++ b/dir-spec.txt @@ -320,7 +320,21 @@ VA-DistSeconds-VoteSeconds: The authorities exchange votes. VA-DistSeconds-VoteSeconds/2: The authorities try to download any - votes they don't have. + votes they don't have. Furthermore, they stopped accepting vote posted to + them. + + Note: The reason why the vote should be refused is to minimize the + chance of a consensus split if the authorities are under bandwidth + pressure. If an authority is struggling to upload its vote and finally + does it on a fraction of authorities after this period, they will + compute a consensus different from the others. By refusing the vote + after this period, we increase our chances that everyone will use the + same vote set. + + It does not fix the problem entirely because the problem also exists if + N authorities are able to fetch a specific vote but M authorities fail + to do so. However, it is an improvement towards making sure each + authority has the same set of votes. VA-DistSeconds: The authorities calculate the consensus and exchange signatures. -- cgit v1.2.3-54-g00ecf From a3006814874f18efd9bcabd4733e0811eca445b5 Mon Sep 17 00:00:00 2001 From: teor Date: Tue, 18 Feb 2020 13:00:49 +1000 Subject: dir-spec: Edit uploaded vote rejection spec Be more specific: clearly distinguish between uploaded and downloaded votes. Add the Tor version that introduces this behaviour. Spec for ticket 4631. --- dir-spec.txt | 36 ++++++++++++++++++++---------------- 1 file changed, 20 insertions(+), 16 deletions(-) (limited to 'dir-spec.txt') 
diff --git a/dir-spec.txt b/dir-spec.txt index a5f7460..1e91070 100644 --- a/dir-spec.txt +++ b/dir-spec.txt 
@@ -317,24 +317,28 @@ The timeline for a given consensus is as follows: - VA-DistSeconds-VoteSeconds: The authorities exchange votes. + VA-DistSeconds-VoteSeconds: The authorities exchange votes. Each authority + uploads their vote to all other authorities. VA-DistSeconds-VoteSeconds/2: The authorities try to download any - votes they don't have. Furthermore, they stopped accepting vote posted to - them. - - Note: The reason why the vote should be refused is to minimize the - chance of a consensus split if the authorities are under bandwidth - pressure. If an authority is struggling to upload its vote and finally - does it on a fraction of authorities after this period, they will - compute a consensus different from the others. By refusing the vote - after this period, we increase our chances that everyone will use the - same vote set. - - It does not fix the problem entirely because the problem also exists if - N authorities are able to fetch a specific vote but M authorities fail - to do so. However, it is an improvement towards making sure each - authority has the same set of votes. + votes they don't have. + + Authorities SHOULD also reject any votes that other authorities try to + upload after this time. (0.4.4.1-alpha was the first version to reject votes + in this way.) + + Note: Refusing late uploaded votes minimises the chance of a consensus + split, particular when authorities are under bandwidth pressure. If an + authority is struggling to upload its vote, and finally uploads to a + fraction of authorities after this period, they will compute a consensus + different from the others. By refusing uploaded votes after this time, + we increase the likelihood that most authorities will use the same vote + set. + + Rejecting late uploaded votes does not fix the problem entirely. If + some authorities are able to download a specific vote, but others fail + to do so, then there may still be a consensus split. 
However, this + change does remove one common cause of consensus splits. VA-DistSeconds: The authorities calculate the consensus and exchange signatures. -- cgit v1.2.3-54-g00ecf
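Review bot: the sentence added under VA-DistSeconds-VoteSeconds/2 in the first commit ("Vote should be refused after upload period") is in the past tense and carries no requirement level. "they stopped accepting vote posted to them" reads as a description of past behaviour, while the subject line says the vote should be refused. Suggest "Authorities SHOULD stop accepting votes posted to them after this time", which also fixes the singular "vote". In the Note paragraph, "they will compute a consensus different from the others" has an unclear subject; say explicitly that the authorities which received the late vote are the ones that diverge. The last paragraph introduces N and M without defining them; plain wording such as "some authorities ... others" would be easier to read.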
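Review bot: "Authorities SHOULD also reject any votes that other authorities try to upload after this time" in the second commit ("Edit uploaded vote rejection spec") does not say how "after this time" is judged for an upload that is still in progress at VA-DistSeconds-VoteSeconds/2. The Note's own scenario is an authority "struggling to upload its vote" under bandwidth pressure, so an upload that starts before the cutoff and finishes after it is the case implementations most need pinned down. State whether the receiving authority compares the cutoff against the time the upload begins or the time the vote is fully received. Separately, "particular when authorities are under bandwidth pressure" should read "particularly when".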