Re: Proposal 147: Eliminate the need for v2 directories in generating v3 directories
On Wed, Jul 02, 2008 at 03:18:50PM -0400, Nick Mathewson wrote:
>   Authorities don't need to generate more than one opinion document
>   per voting interval, but may.  They should send it to the other
>   authorities they know about, at the regular vote upload URL, before
>   the authorities begin voting,

It seems that this 'push' architecture is fragile. Here are some reasons
to go with 'pull' instead:

A) If we change the publishing interval, then upgraded servers would
learn info at the time they want rather than the time not-yet-upgraded
servers choose.

B) Other people besides the currently known authorities can fetch
opinions too, e.g. for people wanting to run their own
not-yet-recognized authorities, for debugging, etc.

I guess it's a bit of a hassle in that it requires more code in
directory.c; but perhaps it's a good move long-term?

While we're at it, when we pull, does the authority just whip up an
opinion right then and sign it, maybe caching for a minute or so to avoid
signing too many per second? Or said another way, there's no reason why
everybody who asks around a given time needs to get the same opinion,
right?

> so that enough time remains for the
>   authorities to fetch new descriptors.

Let's look at this timing a little bit more. There are two cases for
a new descriptor: a) a new descriptor for a known server at the same
location as before, and b) a brand new one, or an old one but with a new
location. For the second case, we need to both fetch the descriptor and
do our first reachability test before the voting happens.

(For comparison, currently each v3 authority fetches a v2 networkstatus
from each other v2 authority every AUTHORITY_NS_CACHE_INTERVAL, i.e. every
10 minutes.)

Once we know a descriptor, it takes as many as 1280 seconds before the
reachability test happens, since we round-robin over identity digests.
(See comments for dirserv_test_reachability() in dirserv.c.)

So to be certain that we have enough time, we need to push the opinions
at least about 23ish minutes before the votes. That isn't much better
than 60 minutes before the votes, which is what we do already.

Here are options I can imagine to deal with the reachability-test lag:

A) Don't worry about it. If a relay doesn't publish to enough authorities
for them to do their reachability tests in time, that gets fixed within
the hour, and then everything's fine. Not very appealing though.

B) Have authorities trigger a reachability test immediately upon
learning about a new descriptor.

B') Pull opinion documents from each other authority several times an
hour, to reduce the pounding on authorities when they learn a bunch of
new descriptors and launch a new TLS connection for each. Perhaps pull
at :45, :05, and :25?

--Roger