syverson at itd.nrl.navy.mil
Fri Dec 5 20:35:45 UTC 2003
On Fri, Dec 05, 2003 at 02:29:54PM -0500, Adam Shostack wrote:
> On Fri, Dec 05, 2003 at 02:08:40PM -0500, Paul Syverson wrote:
> | Right, this was exactly my thought. The way we build a route via
> | extensions means that we are dependent on who the current end of the
> | route node says is up when we attempt to extend. And, what we care
> | about are reasonably stable nodes. Even if I have a < 5 minute old
> | threshold signed net state, there's not much I can or probably even
> | want to do if I try to make a circuit and get told by one of the "up"
> | nodes that another "up" node is unreachable.
> I think you want to report it somewhere, because this (plus some code)
> makes it harder to lie about the state of a node. That is, if Alice
> can tell you that Bob is down, while others are using it, we want to
> be able to detect that.
I'm not sure about this. The problem is that if Alice says Bob is
down, you don't know who is at fault. Could be neither of them, just
the network between them. Could be one is lying, could be the
other. Alice could be trying to frame Bob, or Bob could be trying to
frame Alice as someone making bogus reports. Plus clients could
selectively decide which errors to report. We looked at some of this
in our cascades-reputation paper at FC02 and in the earlier one by
Roger et al in IH01. I'm guessing that for short-lived free routes,
you just want to have some trusted testers answering these questions
(with threshold voting). That's already complicated enough, and
anything else will untenable.
More information about the tor-dev