[tor-commits] [torspec/master] Update RSOS proposal: RendPostPeriod and other option recommendations

nickm at torproject.org nickm at torproject.org
Fri Nov 20 15:31:54 UTC 2015


commit 07de4f0ef9ba0d623de31816b55bfe76606d1a9f
Author: teor (Tim Wilson-Brown) <teor2345 at gmail.com>
Date:   Fri Nov 20 11:25:41 2015 +1100

    Update RSOS proposal: RendPostPeriod and other option recommendations
---
 proposals/ideas/xxx-rend-single-onion.txt |   23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/proposals/ideas/xxx-rend-single-onion.txt b/proposals/ideas/xxx-rend-single-onion.txt
index 5cfbe1a..d402618 100644
--- a/proposals/ideas/xxx-rend-single-onion.txt
+++ b/proposals/ideas/xxx-rend-single-onion.txt
@@ -174,13 +174,21 @@ Status: Draft
         The default PredictedPortsRelevanceTime setting creates additional,
         unnecessary connections.
 
-      RendPostPeriod 0 seconds
-        This option typically hides the startup time of a hidden service by
-        randomly posting over a 2 hour period. Since single onion services
-        value speed over anonymity, they can post descriptors straight away.
-        (Actually, 30 seconds after they bootstrap, for descriptor stability.)
+   High-churn / quick-failover RSOS using descriptor competition strategies
+   should consider setting the following option:
 
-   However, we do not recommend setting the following option to 1, unless bug
+      RendPostPeriod 600 seconds
+        Refresh onion service descriptors, choosing an interval between
+        0 and 2*RendPostPeriod. Tor also posts descriptors on bootstrap, and
+        when they change.
+        (Strictly, 30 seconds after they first change, for descriptor
+        stability.)
+
+        XX - Reduce the minimum RendPostPeriod for RSOS to 1 minute?
+        XX - Make the initial post 30 + rand(1*rendpostperiod) ?
+             (Avoid thundering herd, but don't hide startup time)
+
+   However, we do NOT recommend setting the following option to 1, unless bug
    #17359 is resolved so tor onion services can bootstrap without predicted
    circuits.
 
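Review bot: The new `RendPostPeriod 600 seconds` entry says the refresh interval is chosen "between 0 and 2*RendPostPeriod" but does not state the resulting range (0 to 1200 seconds at this setting) or why 600 replaces the removed value of 0, so an operator cannot tell how stale a descriptor may be during failover. The removed text also said what the default randomisation hides (the service's startup time); keeping one sentence on that trade-off would make clear what a shorter period gives up. The parenthetical "30 seconds after they first change" now covers only changes, leaving it unclear whether the bootstrap post is delayed as well. "Descriptor competition strategies" is not defined in the visible context and needs a definition or a cross-reference. The two XX items should be resolved or moved to an open-questions section; the second should give units for `30 + rand(1*rendpostperiod)` and say it applies to the initial post only.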
@@ -198,6 +206,9 @@ Status: Draft
    service tor instance. Since tor runs as a client (and not a relay) by
    default, rendezvous single onion service operators should set:
 
+      XX - George says we don't allow operators to run HS/Relay any more,
+           or that we warn them.
+
       SocksPort 0
         Disallow connections from client applications to the tor network
         via this tor instance.
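Review bot: The XX note is inserted between "operators should set:" and the `SocksPort 0` entry, so it interrupts the option list that sentence introduces; move it above the paragraph or after the list. It also leaves the actual behaviour undecided ("don't allow ... or that we warn them") and attributes it to "George" without a ticket or spec reference. Since the surrounding text bases its advice on tor running as a client and not a relay, the proposal should state which behaviour applies and cite the source before this recommendation is relied on.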




