Re: First go at directory server details
On Sun, Jan 12, 2003 at 01:16:45AM -0800, Len Sassaman wrote:
> Are you considering propagation delays? What if an attacker submits

Normal propagation delays over the Internet are trivial.

> altered serverdescs to various directory servers, in an attempt to keep
> them too busy with broadcasts to reach consensus?

If we get flooded with new unknown serverdescs, then we continue to ping
the old ones, and we ping the new ones as we feel like it. It will take
longer to learn which are the good ones, but it won't stop pinging the
ones we already know are probably good.

The nastier issue here is that with my original proposal, nodes are
either on the list or not on the list. And if they're not on the list,
they'll get far fewer messages -- and they know that the ones they do
get are probably pings. So they could perform just well enough to get on
the active list, then fall off it, get on, etc. Our reputation system
could take this into account and only list people who do 'well enough'
over time -- but that just changes the required attack. I suspect we're
going to need an ordered reputation list a la the casc-rep paper, where
users have an algorithm they all use which chooses nodes weighted by
reputation, rather than just having a cutoff point.

> Also, you must consider
> that some directories may not be reachable by others directly.

You mean when one of them is off the net? Yep...that's why they're
redundant. If you mean that people need to be able to run directory
servers on non-routable IPs...no. :)

> What is the lifespan you are assuming for any given directory server?

Well, I'd like it to be years, once things are more stable. Am I crazy?

> >  If any of the hashes are bad compared to the active node list
> > that dirserver got, the dirserver operators are notified and freak out
> > appropriately. Each dirserver now puts the signatures together with the
> > consensus directory, and offers it to the world.
> 
> You are assuming that the directory server admins will take an active role
> in this process?

The admins don't need to take an active role in day-to-day normal
activities of the directory server.

But they must be actively involved in issues about directory server
credibility. The reason we may be able to pull off this whole redundant
directory server notion is that there are relatively few of them,
and they're people that the community trusts. You cannot show up with
a reliable machine at observer.adversary.com, and volunteer to run a
directory server.

Rather than having solely automated dishonesty detection mechanisms, we
need actual human beings looking at the situation and getting suspicious.

> What happens when there are no active directory servers hardcoded in the
> client, because the client hasn't been updated in 2 years, and all the
> previously existing directory servers are dead?

Then that client won't be able to gain the benefits of the signed
directories. He should either upgrade his list of directory keys, or if
for some reason he doesn't want to, he should go to popular nodes for
directories. These popular nodes will presumably have people using them
who do know the current directory keys, and it would be a big scandal
if they were found to be cheating/broken.

So not all users need to have the right keys, verify things, etc. Just
enough that somebody notices. (And if you're worried that your anonymity
is at risk in the meantime before somebody notices, then you should do
the checking yourself too.)

> The clients aren't able to ping directly?

Why do you think this? The directory server software would be free
software; it's probably a very good idea for people who aren't official
directory servers to run them as well, a) so they can verify the official
ones, and b) so less reliable nodes can't assume their traffic is entirely
from the official directory servers.

--Roger
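The cutoff-versus-weighted argument in the message above, as an added illustration that is not part of the thread: the node names, reputation values and the `exponent` parameter are constructed for the example, and "reputation" is simply the fraction of recent pings a node answered.

```python
from typing import Dict, List

# Constructed sample data (not from the thread): reputation is the fraction of
# recent directory-server pings a node answered correctly.
SAMPLE_REPUTATIONS: Dict[str, float] = {
    "nodeA": 0.98,
    "nodeB": 0.95,
    "nodeC": 0.90,
    "flapper": 0.71,   # does just well enough to clear a 0.70 cutoff
}

def reputation_from_pings(results: List[bool]) -> float:
    """Reputation over time: share of pings answered. Requiring 'well enough
    over time' only moves the bar; a node can still sit exactly at it."""
    return sum(results) / len(results) if results else 0.0

def cutoff_selection(reps: Dict[str, float], threshold: float) -> Dict[str, float]:
    """Original proposal: a node is on the active list or not, and clients pick
    listed nodes uniformly. A node barely above the threshold therefore carries
    as much user traffic as the best node, while off-list nodes see mostly pings."""
    listed = [n for n, r in reps.items() if r >= threshold]
    share = 1.0 / len(listed) if listed else 0.0
    return {n: (share if n in listed else 0.0) for n in reps}

def weighted_selection(reps: Dict[str, float], exponent: float = 1.0) -> Dict[str, float]:
    """Ordered-list alternative (casc-rep style): every node stays selectable
    with probability proportional to reputation**exponent, so there is no edge
    to hover at; more traffic requires sustained better performance.
    exponent > 1 (an assumed tuning knob) rewards high reputation more steeply."""
    weights = {n: max(r, 0.0) ** exponent for n, r in reps.items()}
    total = sum(weights.values())
    return {n: (w / total if total else 0.0) for n, w in weights.items()}

def traffic_ratio(reps: Dict[str, float], node: str, threshold: float,
                  exponent: float = 1.0) -> float:
    """How much more traffic `node` gets under the cutoff scheme than under weighting."""
    weighted = weighted_selection(reps, exponent)[node]
    return cutoff_selection(reps, threshold)[node] / weighted if weighted else float("inf")

if __name__ == "__main__":
    for name, probs in (("cutoff", cutoff_selection(SAMPLE_REPUTATIONS, 0.70)),
                        ("weighted", weighted_selection(SAMPLE_REPUTATIONS, 2.0))):
        print(name, {n: round(p, 3) for n, p in probs.items()})
```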