[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Proposal: Suicide descriptors when Tor servers stop



After discussion on #tor, here is the modified proposal:

On Wed, Aug 15, 2007 at 09:38:06AM -0400, Roger Dingledine wrote:
>   During the "slow shutdown" period if exiting, or shortly after the
>   user sets his ORPort back to 0 if not exiting, Tor should publish a
>   final descriptor with the following characteristics:
> 
>   1) Exit policy is listed as "reject *:*"
>   2) It includes a new entry called "opt shutdown 1"

The problem we were trying to solve here is that
doc/contrib/torel-design.txt says:

  After a Tor server op turns off their server, it stops publishing server
  descriptors. We should consider that server's IP address to still
  represent a Tor node until 48 hours after its last descriptor was
  published.

I had originally interpreted the goal of this as "we're not sure whether
it's actually down, so list it anyway", but it turns out the goal is
"maybe it will come back tomorrow, so list it anyway".

The real problem with proposal 120 is that when the user shuts down Tor,
we can't divine whether he meant to stop being a server too.

So here are the proposed changes to the proposal:

A) Rename 'suicide descriptor' to 'terminate descriptor', since the
name upset somebody.

B) On exit, don't do anything different than we do now.

C) But if we setconf orport from non-zero to zero, either via the
controlport or via a hup, then generate and send a terminate descriptor.

The reasoning is that if the user unclicks the 'be a relay' button, then
he really did mean to turn off relaying. And we support this operation
on 'hup' too so non-gui users have a way to trigger it, even if it's a
hard way.

I'll update the proposal in svn at some point to reflect this. Please do
feel free to critique the above changes in the meantime.

Thanks,
--Roger