Re: [tor-bugs] #16558 [Tor]: Dir auths should vote about Invalid like they do about BadExit
#16558: Dir auths should vote about Invalid like they do about BadExit
------------------------+--------------------------------
Reporter: arma | Owner:
Type: defect | Status: new
Priority: major | Milestone: Tor: 0.2.8.x-final
Component: Tor | Version:
Resolution: | Keywords: tor-hs
Actual Points: | Parent ID: #16538
Points: small | Sponsor: SponsorR
------------------------+--------------------------------
Comment (by dgoulet):
Replying to [comment:1 arma]:
> One option is to have some dir auths just decide they won't vote about
> Valid (we add another config option just like AuthDirListBadExits). Then
> the decision about which relays get the Valid flag falls to a subset of
> the dir auths. Shazam, I think we're there.
>
> I worry though that some of the steps we've taken to de-fang non-Valid
> relays won't just magically come along there. For example, we withhold the
> HSDir flag if we withhold the Valid flag (#16524), but if 3 authorities
> vote about Valid, and two of them deciding to withhold Valid is enough for
> the relay to not be Valid, yet 7 of them remain voting yes on HSDir, then
> the relay will end up with the HSDir flag even if it doesn't have the
> Valid flag.
Seems like we would have to relax the HSDir and Guard flag requirement to
NOT require Valid if your dirauth has `AuthDirListValid 0`. Aren't we
losing the "majority" concept from all dirauth? Here is an example:
Let's assume 3 out of 9 have `Valid` in their known-flags. This means that
6 dirauth will NOT vote for Valid thus will vote for HSDir and Guard
without caring if a relay is valid or not (because it's not their "job").
Now voting happens, we have 3 dirauth saying that X relays are *invalid*
(flag majority 3/3) so the other dirauth do not put them in the consensus
as they are invalid with enough vote. Thus the rest is Valid.
This basically means that 2/3 dirauth (majority) can choose which relays
are Guard/HSDir or not since they can simply boot out of the consensus any
relay they want. Isn't this making the 6 other dirauth quite useless? Two
colluding dirauth here can control the whole network (as for BadExit, but
that's less scary than removing nodes from the network).
As much as I want a way for us to remove invalid relays fast, this seems
like insane pressure on a few dirauth operators and a not very fun
addition to our network security?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16558#comment:12>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
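A small simulation of the flag counting both comments reason about, added here as an example and not code from Tor. It uses the dir-spec rule that a flag is granted when more than half of the authorities that vote on that flag at all grant it; the per-authority policy (authorities voting on Valid also withhold HSDir and Guard from relays they consider invalid, the others grant HSDir and Guard regardless) and the `AuthDirListValid` name are assumptions taken from the discussion above.

```python
from collections import Counter


def consensus_flags(votes):
    """Combine authority votes into consensus flags for one relay.

    votes: list of (known_flags, granted_flags), one tuple per authority.
    A flag is assigned when more than half of the authorities that vote on
    that flag at all (it is in their known-flags) grant it.
    """
    voters = Counter()  # authorities that vote on the flag at all
    grants = Counter()  # those among them that grant it to this relay
    for known, granted in votes:
        for flag in known:
            voters[flag] += 1
            if flag in granted:
                grants[flag] += 1
    return {flag for flag in voters if 2 * grants[flag] > voters[flag]}


def authority_vote(relay_is_valid, votes_on_valid):
    """One authority's vote on one relay (hypothetical simplified policy).

    An authority that votes on Valid (assumed `AuthDirListValid 1`) also
    withholds HSDir and Guard from a relay it considers invalid, as in
    #16524; one that does not vote on Valid grants them regardless.
    """
    known = {"Running", "HSDir", "Guard"}
    granted = {"Running"}
    if votes_on_valid:
        known.add("Valid")
    if relay_is_valid or not votes_on_valid:
        granted |= {"HSDir", "Guard"}
        if votes_on_valid:
            granted.add("Valid")
    return known, granted


def scenario(n_auths=9, n_valid_voters=3, n_withholding=2):
    """dgoulet's example: 3 of 9 authorities vote on Valid and
    n_withholding of those consider the relay invalid."""
    votes = []
    for i in range(n_auths):
        votes_on_valid = i < n_valid_voters
        considers_valid = not (votes_on_valid and i < n_withholding)
        votes.append(authority_vote(considers_valid, votes_on_valid))
    return consensus_flags(votes)


if __name__ == "__main__":
    print(sorted(scenario()))  # HSDir and Guard granted, Valid withheld
```

With the defaults, two of the three Valid voters outvote the third on Valid, yet the relay still collects HSDir and Guard from a 7 of 9 majority, which is exactly the mismatch arma describes; raising the number of Valid voters to all nine removes it.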