|
@@ -2,7 +2,7 @@ Filename: 107-uptime-sanity-checking.txt
|
|
Title: Uptime Sanity Checking
|
|
Title: Uptime Sanity Checking
|
|
Version:
|
|
Version:
|
|
Last-Modified:
|
|
Last-Modified:
|
|
-Author: Kevin Buaer and Damon McCoy
|
|
+Author: Kevin Bauer & Damon McCoy
|
|
Created: 8-March-2007
|
|
Created: 8-March-2007
|
|
Status: Open
|
|
Status: Open
|
|
|
|
|
|
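Review bot: The `Status: Open` context line in this header hunk is left unchanged, although the same patch states under Implementation that the change was "Implemented and merged into dir-spec in 0.2.0.0-alpha-dev (r9788)". Check whether Open is still the right status for a proposal whose own text says it is merged. The Version and Last-Modified fields are also still empty and could be filled in while the header is being touched.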
@@ -28,10 +28,14 @@ Security implications:
|
|
|
|
|
|
Specification:
|
|
Specification:
|
|
|
|
|
|
- We propose that uptime be capped at two months. Currently there are
|
|
+ So we could patch Section 3.1 of dir-spec.txt to say:
|
|
- approximetly 50 nodes with this amount of uptime, and the average uptime
|
|
+
|
|
- is around 9 days. This cap would prevent these 50 nodes from being
|
|
+ "Stable" -- A router is 'Stable' if it is running, valid, not
|
|
- displaced by an attacker.
|
|
+ hibernating, and either its uptime is at least the median uptime for
|
|
|
|
+ known running, valid, non-hibernating routers, or its uptime is at
|
|
|
|
+ least one month. Routers are never called stable if they are running
|
|
|
|
+ a version of Tor known to drop circuits stupidly. (0.1.1.10-alpha
|
|
|
|
+ through 0.1.1.16-rc are stupid this way.)
|
|
|
|
|
|
Compatibility:
|
|
Compatibility:
|
|
|
|
|
|
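Review bot: The new "Stable" wording in the Specification hunk gives the fixed threshold as "at least one month", while the Discussion added later in this patch calls it "the 30 day limit". Use "30 days" in the quoted dir-spec text so that implementations cannot disagree on the length of a month. The lead-in "So we could patch Section 3.1 of dir-spec.txt to say:" still reads as a suggestion rather than a specification. The removed rationale (approximately 50 nodes at the cap, average uptime around 9 days) is dropped without a replacement explaining why the one-month bound is enough to keep long-running nodes from being displaced by an attacker.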
@@ -39,10 +43,12 @@ Compatibility:
|
|
|
|
|
|
Implementation:
|
|
Implementation:
|
|
|
|
|
|
- #define MAX_BELIEVABLE_UPTIME 60*24*60*60
|
|
+ Implemented and merged into dir-spec in 0.2.0.0-alpha-dev (r9788).
|
|
- dirserv.c
|
|
+
|
|
- 1448: *up = (uint32_t) real_uptime(ri, now);
|
|
+Discussion:
|
|
- if(*up > MAX_BELIEVABLE_UPTIME) {
|
|
+
|
|
- *up = MAX_BELIEVABLE_UPTIME;
|
|
+ Initially, this proposal set the maximum at 50 days, not 30; the 30 day
|
|
- }
|
|
+ limit and spec wording was suggested by Roger in an or-dev post on 9 March
|
|
|
|
+ 2007.
|
|
|
|
|
|
|
|
+ This proposal also led to 108-mtbf-based-uptime.txt
|
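Review bot: The added Discussion paragraph says the proposal initially set the maximum at 50 days, but the lines removed in this same hunk define `MAX_BELIEVABLE_UPTIME` as `60*24*60*60`, and the removed Specification text says "capped at two months". The 50 looks like the node count from that removed text, so the sentence should be checked against the original value. In the same paragraph, "the 30 day limit and spec wording was suggested" should read "were suggested", and the final sentence about 108-mtbf-based-uptime.txt is missing its period.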