[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Uptime Sanity Checking

To: or-dev@xxxxxxxxxxxxx, "Nick Mathewson" <nickm@xxxxxxxxxxxxx>
Subject: Re: Uptime Sanity Checking
From: coderman <coderman@xxxxxxxxx>
Date: Thu, 8 Mar 2007 22:01:16 -0800
Delivered-to: archiver@seul.org
Delivered-to: or-dev-outgoing@seul.org
Delivered-to: or-dev@seul.org
Delivery-date: Fri, 09 Mar 2007 01:01:25 -0500
Dkim-signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=EOpY+LXkvXknJKhnTwwd/dlcBZctrF4kpr3ElF9HrAIT8jXmBGEQZLV0Rfc7746gZZB9zpq78ztV43gGjly3QeSU7DyEO+W5iFPwUm1WHdLS8EiTf5yST/Rupm5PfJLNceIWdOQo40Vlbmqh8XizcRKrN82oFMgtbQlzsJNGJPY=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=axoTKUrIdjauF3vvKvWsgrW6ZeSGWMldOIAtFPGCUYwax+QapVeTz3j8aefvuFmvXgTFPccV0qKAdzJAyoqWac5XwdDzvFCy+avSKHGzDhixxXhBWRGiIPzx0cEScwc8CjhD/nMiluttiu+Nm5UBENuHlPDW+XakW8PrKJDz0cw=
In-reply-to: <20070309051200.GA31057@totoro.wangafu.net>
References: <20070308153959.ACA40984@robin.int.colorado.edu> <20070308225044.GB6926@asteria.noreply.org> <20070309044702.GW28282@moria.seul.org> <20070309051200.GA31057@totoro.wangafu.net>
Reply-to: or-dev@xxxxxxxxxxxxx
Sender: owner-or-dev@xxxxxxxxxxxxx

On 3/8/07, Nick Mathewson <nickm@xxxxxxxxxxxxx> wrote:

...
I think a fix_able_ cap probably gets us most of the benefit: if we
change the cap, only the directory servers need to change their code
or configuration.


seems reasonable; the nature of the network is going to vary (perhaps
significantly) with size and age...

as for a particular tunable cap:
2 nodes with uptime over 20 million
14 over 10 million
47 over 5 million
131 over 2 million
215 over 1 million
239 over 500k
456 over 200k
545 over 100k
647 over 50k
702 over 20k
753 over 10k
...

Really, though, this is a band-aid, and we don't want to make it too
sophisticated.  Remember that 'uptime' is a bad proxy for the property
we want the 'Stable' flag to measure.  Mean time between failures
would approximate stability better, I think.


agreed.  previously long lived instances are overly penalized for a restart.

are there scenarios where a restart indicates possible vulnerability
that make aversion useful?  for instance, a server seized/cracked,
keys copied, and a rogue node comes up in it's place?

(that is, could MTBF open up other attacks that are avoided by uptime
measurement - an email in the morning: "remove my node from the
directory, it's been compromised")

Follow-Ups:
- Re: Uptime Sanity Checking
  - From: Roger Dingledine

References:
- Uptime Sanity Checking
  - From: Damon Liwanu Mc Coy
- Re: Uptime Sanity Checking
  - From: Peter Palfrader
- Re: Uptime Sanity Checking
  - From: Roger Dingledine
- Re: Uptime Sanity Checking
  - From: Nick Mathewson

Prev by Author: Re: IOCP / C10K
Next by Author: Re: Uptime Sanity Checking
Previous by thread: Re: Uptime Sanity Checking
Next by thread: Re: Uptime Sanity Checking
Index(es):
- Author
- Thread