107-uptime-sanity-checking.txt 1.7 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556
  1. Filename: 107-uptime-sanity-checking.txt
  2. Title: Uptime Sanity Checking
  3. Version: $Revision$
  4. Last-Modified: $Date$
  5. Author: Kevin Bauer & Damon McCoy
  6. Created: 8-March-2007
  7. Status: Closed
  8. Implemented-In: 0.2.0.x
  9. Overview:
  10. This document describes how to cap the uptime that is used when computing
  11. which routers are marked as stable such that highly stable routers cannot
  12. be displaced by malicious routers that report extremely high uptime
  13. values.
  14. This is similar to how bandwidth is capped at 1.5MB/s.
  15. Motivation:
  16. It has been pointed out that an attacker can displace all stable nodes and
  17. entry guard nodes by reporting high uptimes. This is an easy fix that will
  18. prevent highly stable nodes from being displaced.
  19. Security implications:
  20. It should decrease the effectiveness of routing attacks that report high
  21. uptimes while not impacting the normal routing algorithms.
  22. Specification:
  23. So we could patch Section 3.1 of dir-spec.txt to say:
  24. "Stable" -- A router is 'Stable' if it is running, valid, not
  25. hibernating, and either its uptime is at least the median uptime for
  26. known running, valid, non-hibernating routers, or its uptime is at
  27. least 30 days. Routers are never called stable if they are running
  28. a version of Tor known to drop circuits stupidly. (0.1.1.10-alpha
  29. through 0.1.1.16-rc are stupid this way.)
  30. Compatibility:
  31. There should be no compatibility issues due to uptime capping.
  32. Implementation:
  33. Implemented and merged into dir-spec in 0.2.0.0-alpha-dev (r9788).
  34. Discussion:
  35. Initially, this proposal set the maximum at 60 days, not 30; the 30 day
  36. limit and spec wording was suggested by Roger in an or-dev post on 9 March
  37. 2007.
  38. This proposal also led to 108-mtbf-based-stability.txt