From 55c7fcbdca7d7d4b420bc5498ff27206283cf8fd Mon Sep 17 00:00:00 2001 From: Roger Dingledine Date: Tue, 13 Mar 2007 02:37:43 +0000 Subject: clarify roger's alternatives on proposal 109 svn:r9810 --- proposals/109-no-sharing-ips.txt | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) (limited to 'proposals/109-no-sharing-ips.txt') diff --git a/proposals/109-no-sharing-ips.txt b/proposals/109-no-sharing-ips.txt index d1177bf..f71a707 100644 --- a/proposals/109-no-sharing-ips.txt +++ b/proposals/109-no-sharing-ips.txt @@ -22,7 +22,7 @@ Overview: Motivation: Since it is possible for an attacker to register an arbitrarily large - number of Tor routers, it is possible for malicious parties to do this to + number of Tor routers, it is possible for malicious parties to do this as part of a traffic analysis attack. Security implications: @@ -32,7 +32,7 @@ Security implications: Specification: We propose that the directory servers check if an incoming Tor router IP address is already registered under another router. If this is the case, - then prevent this router from joining the network. + then prevent the new router from joining the network. Compatibility: @@ -70,8 +70,13 @@ Alternatives: Roger suggested that instead of capping number of servers per IP to 1, we should cap total declared bandwidth per IP to some N, and total declared - servers to some M. (He suggested N=5MB/s and M=5.) + servers to some M. (He suggested N=5MB/s and M=5.) Directory authorities + would then always choose to keep the highest-bandwidth running servers + -- if they pick based on time joining the network we can get into bad + race conditions. Roger also suggested that rather than not listing servers, we mark them as - not Valid. + not Running. (He originally suggested marking them as Running but not + Valid, but that would still allow an attacker to control an arbitrary + number of middle hops, which is still likely to be worrisome.) -- cgit v1.2.3-54-g00ecf
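Review bot: In the Specification hunk, "prevent the new router from joining the network" is clearer than "this router", but the visible text still does not define which of two routers sharing an IP counts as "new" (first descriptor seen by the authorities, most recent descriptor, or something else); add a sentence after "then prevent the new router from joining the network." stating the rule, since otherwise a later descriptor from the legitimate operator could be the one rejected.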
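Review bot: In the Alternatives hunk, "Directory authorities would then always choose to keep the highest-bandwidth running servers" ranks candidates by the same self-reported figure the cap is defined on ("total declared bandwidth per IP to some N"), so an operator who is over the M-server limit can win the slot simply by declaring more bandwidth; the added text should say whether the ranking uses declared or independently observed bandwidth, or at least note this as an open issue alongside the race-condition remark. The parenthetical on "not Running" is a good addition, since it records why "Running but not Valid" was rejected (it still lets the attacker supply middle hops); consider also stating what "not Running" means for clients, i.e. that they will not select the server for any position.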