mirror of
https://github.com/torproject/torspec.git
synced 2024-12-13 21:48:45 +00:00
Filename: 178-param-voting.txt
Title: Require majority of authorities to vote for consensus parameters
Author: Sebastian Hahn
Created: 16-Feb-2011
Status: Closed
Implemented-In: 0.2.3.9-alpha

Overview:

  The consensus that the directory authorities create may contain one or
  more parameters (32-bit signed integers) that influence the behavior
  of Tor nodes (see proposal 167, "Vote on network parameters in
  consensus" for more details).

  Currently (as of consensus method 11), a consensus will end up
  containing a parameter if at least one directory authority votes for
  that parameter. The value of the parameter will be the low-median of
  all the votes for this parameter.

  This proposal aims at changing this voting process to be more secure
  against tampering by a small fraction of directory authorities.

Motivation:

  To prevent a small fraction of the directory authorities from
  influencing the value of a parameter unduly, a big enough fraction
  of all directory authorities has to vote for that parameter. This is
  not currently happening, and it is in fact not uncommon for a single
  authority to govern the value of a consensus parameter.

Design:

  When the consensus is generated, the directory authorities ensure that
  a param is only included in the list of params if at least three of the
  authorities (or a simple majority of all authorities, whichever is the
  smaller number) vote for that param. The value chosen is the low-median
  of all the votes. We don't mandate that the authorities have to vote on
  exactly the same value for it to be included because some consensus
  parameters could be the result of active measurements that individual
  authorities make.

Security implications:

  This change is aimed at improving the security of Tor nodes against
  attacks carried out by a small fraction of directory authorities. It
  is possible that a consensus parameter that would be helpful to the
  network is not included because not enough directory authorities
  voted for it, but since clients are required to have sane defaults
  in case the parameter is absent this does not carry a security risk.

  This proposal makes a tradeoff between security and coordination
  effort. When considering only the security of the design, it would be
  better to require a simple majority of directory authorities to agree
  on voting on a parameter, but it would involve requiring more
  directory authority operators to coordinate their actions to set the
  parameter successfully.

Specification:

  dir-spec section 3.4 currently says:

    Entries are given on the "params" line for every keyword on which any
    authority voted. The values given are the low-median of all votes on
    that keyword.

  It is proposed that the above is changed to:

    Entries are given on the "params" line for every keyword on which a
    majority of authorities (total authorities, not just those
    participating in this vote) voted on, or if at least three
    authorities voted for that parameter. The values given are the
    low-median of all votes on that keyword.

    With consensus methods 11 and before, entries are given on the
    "params" line for every keyword on which any authority voted, the
    value given being the low-median of all votes on that keyword.

  The following should be added to the bottom of section 3.4.:

    * If consensus method 12 or later is used, only consensus
      parameters that more than half of the total number of
      authorities (or at least three authorities, whichever is the
      smaller number) voted for are included in the consensus.

  The following line should be added to the bottom of section 3.4.1.:

    "12" -- Params are only included if enough auths voted for them

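  The following is an added worked example of the rule given in the
  Design and Specification sections above; it is illustrative code
  written for this page, not the proposal author's branch and not Tor's
  own dirvote code. It models each authority's vote as a dict of
  keyword -> 32-bit value, computes the params line under consensus
  method 11 (any single vote suffices) and under method 12 (at least
  three votes, or a majority of all known authorities, whichever is
  smaller), and shows why the low-median makes a lone outlier vote
  harmless once the inclusion threshold is enforced. The keywords,
  values and authority count in SAMPLE_VOTES are constructed for the
  example; the function names are this example's own.

```python
"""Worked example of the proposal 178 "params" voting rule.

Votes are modelled as one dict per authority, mapping a parameter
keyword to a 32-bit signed integer.  Everything below is example code
written for this page; it is not Tor's implementation.
"""

MIN_VOTES_FOR_PARAM = 3          # "at least three authorities" (Design section)
INT32_MIN, INT32_MAX = -2**31, 2**31 - 1


def low_median(values):
    """Low-median of a non-empty sequence: the middle value for an odd
    count, the LOWER of the two middle values for an even count."""
    if not values:
        raise ValueError("low_median of empty sequence")
    ordered = sorted(values)
    return ordered[(len(ordered) - 1) // 2]


def param_vote_threshold(total_authorities):
    """Votes needed for a param under method 12 or later: a simple
    majority of ALL authorities (not just those voting), or three,
    whichever is smaller."""
    majority = total_authorities // 2 + 1
    return min(MIN_VOTES_FOR_PARAM, majority)


def compute_params(votes, total_authorities, consensus_method):
    """Return {keyword: value} for the consensus "params" line.

    votes              - list of per-authority {keyword: int} dicts
    total_authorities  - number of authorities known for this consensus
    consensus_method   - <= 11: old rule (any vote); >= 12: threshold rule
    """
    if total_authorities < len(votes):
        raise ValueError("more votes than known authorities")
    by_keyword = {}
    for vote in votes:
        for keyword, value in vote.items():
            if not INT32_MIN <= value <= INT32_MAX:
                raise ValueError(f"{keyword}={value} is not a 32-bit signed int")
            by_keyword.setdefault(keyword, []).append(value)

    needed = 1 if consensus_method <= 11 else param_vote_threshold(total_authorities)
    return {
        keyword: low_median(vals)
        for keyword, vals in by_keyword.items()
        if len(vals) >= needed
    }


def params_line(params):
    """Render the dir-spec style line: 'params k1=v1 k2=v2' in keyword
    order; an empty dict yields no line at all."""
    if not params:
        return ""
    return "params " + " ".join(f"{k}={v}" for k, v in sorted(params.items()))


# Constructed sample: nine authorities are known, seven voted.  Six honest
# authorities agree on circwindow; the fifth authority is hostile and
# pushes an outlier for circwindow plus a keyword nobody else voted on.
SAMPLE_VOTES = [
    {"circwindow": 1000, "bwweightscale": 10000},
    {"circwindow": 1000, "bwweightscale": 10000},
    {"circwindow": 1000},
    {"circwindow": 1000, "bwweightscale": 10000},
    {"circwindow": 5000, "bwweightscale": 10000, "lone": 1},   # hostile authority
    {"circwindow": 1000},
    {"circwindow": 1000},
]
TOTAL_AUTHORITIES = 9


if __name__ == "__main__":
    # Method 11: the hostile authority's private keyword lands in the consensus.
    print("method 11:", params_line(compute_params(SAMPLE_VOTES, TOTAL_AUTHORITIES, 11)))
    # Method 12: "lone" has one vote, threshold is min(3, 5) = 3, so it is dropped;
    # circwindow's low-median over six 1000s and one 5000 is still 1000.
    print("method 12:", params_line(compute_params(SAMPLE_VOTES, TOTAL_AUTHORITIES, 12)))
```

  Running the block prints the params line with "lone=1" present under
  method 11 and absent under method 12, while circwindow stays at 1000
  in both cases: the threshold removes the lone-voter problem from the
  Motivation section, and the low-median keeps a single outlier from
  moving a value the other authorities agree on.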
Compatibility:

  A sufficient number of directory authorities must upgrade to the new
  consensus method used to calculate the params in the way this proposal
  calls for, otherwise the old mechanism is used. Nodes that do not act
  as directory authorities do not need to be upgraded and should
  experience no change in behaviour.

Implementation:

  An example implementation of this feature can be found in
  https://gitweb.torproject.org/sebastian/tor.git, branch safer_params.