commit d30d3fe8ed4b88c070736b22e2de16dcfe9a1b80 Author: teor teor2345@gmail.com Date: Fri Jan 5 00:08:11 2018 +1100
Adjust fallback selection parameters
Avoid selecting fallbacks that change their IP addresses too often.
Select more fallbacks by ignoring the Guard flag, and allowing lower cutoffs for the Running and V2Dir flags. Also allow a lower bandwidth, and a higher number of fallbacks per operator (5% of the list).
Implements ticket 24785. --- changes/ticket24785 | 6 +++++ scripts/maint/updateFallbackDirs.py | 49 +++++++++++++++++++++++-------------- 2 files changed, 36 insertions(+), 19 deletions(-)
diff --git a/changes/ticket24785 b/changes/ticket24785 new file mode 100644 index 000000000..39667cb8d --- /dev/null +++ b/changes/ticket24785 @@ -0,0 +1,6 @@ + o Minor features (fallbacks): + - Avoid selecting fallbacks that change their IP addresses too often. + Select more fallbacks by ignoring the Guard flag, and allowing lower + cutoffs for the Running and V2Dir flags. Also allow a lower bandwidth, + and a higher number of fallbacks per operator (5% of the list). + Implements ticket 24785. diff --git a/scripts/maint/updateFallbackDirs.py b/scripts/maint/updateFallbackDirs.py index fafc4f129..9f44bc097 100755 --- a/scripts/maint/updateFallbackDirs.py +++ b/scripts/maint/updateFallbackDirs.py @@ -170,25 +170,30 @@ MAX_LIST_FILE_SIZE = 1024 * 1024
# Require fallbacks to have the same address and port for a set amount of time # We used to have this at 1 week, but that caused many fallback failures, which -# meant that we had to rebuild the list more often. +# meant that we had to rebuild the list more often. We want fallbacks to be +# stable for 2 years, so we set it to a few months. # # There was a bug in Tor 0.2.8.1-alpha and earlier where a relay temporarily # submits a 0 DirPort when restarted. # This causes OnionOO to (correctly) reset its stability timer. -# Affected relays should upgrade to Tor 0.2.8.7 or later, which has a fix +# Affected relays should upgrade to Tor 0.2.9 or later, which has a fix # for this issue. -ADDRESS_AND_PORT_STABLE_DAYS = 30 +# +# If a relay changes address or port, that's it, it's not useful any more, +# because clients can't find it +ADDRESS_AND_PORT_STABLE_DAYS = 90 # We ignore relays that have been down for more than this period MAX_DOWNTIME_DAYS = 0 if MUST_BE_RUNNING_NOW else 7 -# What time-weighted-fraction of these flags must FallbackDirs -# Equal or Exceed? -CUTOFF_RUNNING = .90 -CUTOFF_V2DIR = .90 -# Tolerate lower guard flag averages, as guard flags are removed for some time -# after a relay restarts -CUTOFF_GUARD = .80 -# What time-weighted-fraction of these flags must FallbackDirs -# Equal or Fall Under? +# FallbackDirs must have a time-weighted-fraction that is greater than or +# equal to: +# Mirrors that are down half the time are still useful half the time +CUTOFF_RUNNING = .50 +CUTOFF_V2DIR = .50 +# Guard flags are removed for some time after a relay restarts, so we ignore +# the guard flag. +CUTOFF_GUARD = .00 +# FallbackDirs must have a time-weighted-fraction that is less than or equal +# to: # .00 means no bad exits PERMITTED_BADEXIT = .00
@@ -211,13 +216,19 @@ MAX_FALLBACK_COUNT = None if OUTPUT_CANDIDATES else 200 MIN_FALLBACK_COUNT = 0 if OUTPUT_CANDIDATES else MAX_FALLBACK_COUNT*0.5
# The maximum number of fallbacks on the same address, contact, or family -# With 200 fallbacks, this means each operator can see 1% of client bootstraps -# (The directory authorities used to see ~12% of client bootstraps each.) +# +# With 150 fallbacks, this means each operator sees 5% of client bootstraps. +# For comparison: +# - We try to limit guard and exit operators to 5% of the network +# - The directory authorities used to see 11% of client bootstraps each +# +# We also don't want too much of the list to go down if a single operator +# has to move all their relays. MAX_FALLBACKS_PER_IP = 1 MAX_FALLBACKS_PER_IPV4 = MAX_FALLBACKS_PER_IP MAX_FALLBACKS_PER_IPV6 = MAX_FALLBACKS_PER_IP -MAX_FALLBACKS_PER_CONTACT = 3 -MAX_FALLBACKS_PER_FAMILY = 3 +MAX_FALLBACKS_PER_CONTACT = 7 +MAX_FALLBACKS_PER_FAMILY = 7
## Fallback Bandwidth Requirements
@@ -229,11 +240,11 @@ EXIT_BANDWIDTH_FRACTION = 1.0
# If a single fallback's bandwidth is too low, it's pointless adding it # We expect fallbacks to handle an extra 10 kilobytes per second of traffic -# Make sure they can support a hundred times the expected extra load -# (Use 102.4 to make it come out nicely in MByte/s) +# Make sure they can support fifty times the expected extra load +# # We convert this to a consensus weight before applying the filter, # because all the bandwidth amounts are specified by the relay -MIN_BANDWIDTH = 102.4 * 10.0 * 1024.0 +MIN_BANDWIDTH = 50.0 * 10.0 * 1024.0
# Clients will time out after 30 seconds trying to download a consensus # So allow fallback directories half that to deliver a consensus