[tor-bugs] #16558 [Tor]: Dir auths should vote about Invalid like they do about BadExit

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Oct 6 20:45:21 UTC 2015


#16558: Dir auths should vote about Invalid like they do about BadExit
------------------------+--------------------------------
     Reporter:  arma    |      Owner:
         Type:  defect  |     Status:  new
     Priority:  major   |  Milestone:  Tor: 0.2.8.x-final
    Component:  Tor     |    Version:
   Resolution:          |   Keywords:  tor-hs
Actual Points:          |  Parent ID:  #16538
       Points:  small   |    Sponsor:  SponsorR
------------------------+--------------------------------

Comment (by dgoulet):

 Replying to [comment:1 arma]:
 > One option is to have some dir auths just decide they won't vote about
 > Valid (we add another config option just like AuthDirListBadExits). Then
 > the decision about which relays get the Valid flag falls to a subset of
 > the dir auths. Shazam, I think we're there.
 >
 > I worry though that some of the steps we've taken to de-fang non-Valid
 > relays won't just magically come along there. For example, we withhold the
 > HSDir flag if we withhold the Valid flag (#16524), but if 3 authorities
 > vote about Valid, and two of them deciding to withhold Valid is enough for
 > the relay to not be Valid, yet 7 of them remain voting yes on HSDir, then
 > the relay will end up with the HSDir flag even if it doesn't have the
 > Valid flag.

 Seems like we would have to relax the HSDir and Guard flag requirement to
 NOT require Valid if your dirauth has `AuthDirListValid 0`. Aren't we
 losing the "majority" concept from all dirauth? Here is an example:

 Let's assume 3 out of 9 have `Valid` in their known-flags. This means that
 6 dirauth will NOT vote for Valid thus will vote for HSDir and Guard
 without caring if a relay is valid or not (because it's not their "job").

 Now voting happens, we have 3 dirauth saying that X relays are *invalid*
 (flag majority 3/3) so the other dirauth do not put them in the consensus
 as they are invalid with enough votes. Thus the rest is Valid.

 This basically means that 2/3 dirauth (majority) can choose which relays
 are Guard/HSDir or not since they can simply boot out of the consensus any
 relay they want. Isn't this making the 6 other dirauth quite useless? Two
 colluding dirauth here can control the whole network (as for BadExit but
 that's less scary than removing nodes from the network).

 As much as I want a way for us to remove invalid relays fast, this seems
 like insane pressure on a few dirauth operators and a not very fun
 addition to our network security?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16558#comment:12>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
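
Added example (not part of the ticket and not Tor's own code): a simplified Python model of the per-flag vote counting discussed in the comment above. It assumes a flag is granted by a strict majority of the authorities that list it in known-flags; the function names and the vote data are constructed for illustration.

```python
# Simplified model of per-flag voting among directory authorities.
# Assumption: a flag lands in the consensus when a strict majority of the
# authorities that list it in known-flags vote for it on that relay.

def tally(votes, flag):
    """Return (yes_votes, authorities_voting_on_flag) for one relay."""
    voters = [given for known, given in votes if flag in known]
    return sum(1 for given in voters if flag in given), len(voters)

def consensus_flags(votes):
    """votes: one (known_flags, flags_given_to_relay) pair per authority."""
    flags = set()
    for flag in set().union(*(known for known, _ in votes)):
        yes, voters = tally(votes, flag)
        if yes * 2 > voters:
            flags.add(flag)
    return flags

def min_withholders_to_deny(voters):
    """Fewest authorities that must withhold a flag to keep it out."""
    return voters - voters // 2

def quoted_scenario():
    """Constructed votes for one relay, 9 authorities."""
    full = frozenset({"Valid", "HSDir"})
    no_valid = frozenset({"HSDir"})   # authority running with AuthDirListValid 0
    return (
        [(full, set())] * 2                  # withhold Valid, hence HSDir (#16524)
        + [(full, {"Valid", "HSDir"})]       # third Valid-voter approves
        + [(no_valid, {"HSDir"})] * 6        # no opinion on Valid, yes on HSDir
    )

if __name__ == "__main__":
    votes = quoted_scenario()
    for flag in ("Valid", "HSDir"):
        print(flag, "%d/%d" % tally(votes, flag))
    print("consensus flags:", sorted(consensus_flags(votes)))
    print("withholders needed, 3 voters:", min_withholders_to_deny(3))
    print("withholders needed, 9 voters:", min_withholders_to_deny(9))
```

With three authorities voting on Valid, two withholders decide the outcome, while the same relay still collects HSDir from the seven authorities that vote yes on it.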

