From a0489cda3a8f58f1c18efa6f4fb0241cd3781b94 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Sat, 10 Mar 2007 07:39:17 +0000 Subject: r12520@Kushana: nickm | 2007-03-10 00:57:59 -0500 add initial uptime-sanity-checking proposal by Kevin Buaer and Damon McCoy. svn:r9791 --- proposals/107-uptime-sanity-checking.txt | 48 ++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 proposals/107-uptime-sanity-checking.txt (limited to 'proposals/107-uptime-sanity-checking.txt') diff --git a/proposals/107-uptime-sanity-checking.txt b/proposals/107-uptime-sanity-checking.txt new file mode 100644 index 0000000..57ec841 --- /dev/null +++ b/proposals/107-uptime-sanity-checking.txt 
@@ -0,0 +1,48 @@ +Filename: 107-uptime-sanity-checking.txt +Title: Uptime Sanity Checking +Version: +Last-Modified: +Author: Kevin Buaer and Damon McCoy +Created: 8-March-2007 +Status: Open + +Overview: + + This document describes how to cap the uptime that is used when computing + which routers are maked as stable such that highly stable routers cannot + be displaced by malicious routers that report extremely high uptime + values. + + This is similar to how bandwidth is capped at 1.5MB/s. + +Motivation: + + It has been pointed out that an attacker can displace all stable nodes and + entry guard nodes by reporting high uptimes. This is an easy fix that will + prevent highly stable nodes from being displaced. + +Security implications: + + It should decrease the effectiveness of routing attacks that report high + uptimes while not impacting the normal routing algorithms. + +Specification: + + We propose that uptime be capped at two months. Currently there are + approximetly 50 nodes with this amount of uptime, and the average uptime + is around 9 days. This cap would prevent these 50 nodes from being + displaced by an attacker. + +Compatibility: + + There should be no compatiblity issues due to uptime capping. + +Implementation: + + #define MAX_BELIEVABLE_UPTIME 60*24*60*60 + dirserv.c + 1448: *up = (uint32_t) real_uptime(ri, now); + if(*up > MAX_BELIEVABLE_UPTIME) { + *up = MAX_BELIEVABLE_UPTIME; + } + -- cgit v1.2.3-54-g00ecf
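Review bot: In the Implementation section, "*up = (uint32_t) real_uptime(ri, now);" casts before the cap is applied, so if real_uptime() can return a negative or wider-than-32-bit value, the result wraps first and the comparison sees the wrapped number (a negative input would end up clamped to the maximum); compare the uncast value against the limit and cast afterwards. The macro "#define MAX_BELIEVABLE_UPTIME 60*24*60*60" should have its expansion parenthesized, as in (60*24*60*60), so it stays correct if it is ever used next to "/", "%" or a cast. The Specification says "two months" while the constant is exactly 60 days; stating the cap in days or seconds in the text would remove the ambiguity. The Security implications section should also say that the capped value is still self-reported: a router claiming the cap ranks equal to the roughly 50 long-lived nodes rather than below them, so the text needs to state how ties at the cap are treated. The Version and Last-Modified header fields are empty, and "maked", "approximetly" and "compatiblity" are typos worth fixing before this lands.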