[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Uptime Sanity Checking



On Thu, Mar 08, 2007 at 10:01:16PM -0800, coderman wrote:
> On 3/8/07, Nick Mathewson <nickm@xxxxxxxxxxxxx> wrote:
> >I think a fix_able_ cap probably gets us most of the benefit: if we
> >change the cap, only the directory servers need to change their code
> >or configuration.
> 
> seems reasonable; the nature of the network is going to vary (perhaps
> significantly) with size and age...

Ok. I think we're all happy to accept this proposal -- Nick, can
you check it into the proposals section and integrate this thread
into a 'decisions' section or something?

Also, I would suggest that we make the cap 1 month, not two. The decision
shouldn't be so much about what fraction of the network it would cover,
but rather what uptime is "obviously" stable enough.  And if there's a
Tor server that's been up for a whole month, I have no problem calling it
stable. And we can just remember that if much of the network has uptimes
less than a month, we become more vulnerable to the attack described.

So we could patch Section 3.1 of dir-spec.txt to say:

   "Stable" -- A router is 'Stable' if it is running, valid, not
   hibernating, and either its uptime is at least the median uptime for
   known running, valid, non-hibernating routers, or its uptime is at
   least one month. Routers are never called stable if they are running
   a version of Tor known to drop circuits stupidly.  (0.1.1.10-alpha
   through 0.1.1.16-rc are stupid this way.)

Thanks!
--Roger