[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: Uptime Sanity Checking
On Thu, Mar 08, 2007 at 10:01:16PM -0800, coderman wrote:
> On 3/8/07, Nick Mathewson <nickm@xxxxxxxxxxxxx> wrote:
> >I think a fix_able_ cap probably gets us most of the benefit: if we
> >change the cap, only the directory servers need to change their code
> >or configuration.
> seems reasonable; the nature of the network is going to vary (perhaps
> significantly) with size and age...
Ok. I think we're all happy to accept this proposal -- Nick, can
you check it into the proposals section and integrate this thread
into a 'decisions' section or something?
Also, I would suggest that we make the cap 1 month, not two. The decision
shouldn't be so much about what fraction of the network it would cover,
but rather what uptime is "obviously" stable enough. And if there's a
Tor server that's been up for a whole month, I have no problem calling it
stable. And we can just remember that if much of the network has uptimes
less than a month, we become more vulnerable to the attack described.
So we could patch Section 3.1 of dir-spec.txt to say:
"Stable" -- A router is 'Stable' if it is running, valid, not
hibernating, and either its uptime is at least the median uptime for
known running, valid, non-hibernating routers, or its uptime is at
least one month. Routers are never called stable if they are running
a version of Tor known to drop circuits stupidly. (0.1.1.10-alpha
through 0.1.1.16-rc are stupid this way.)