Home Explore Help
Sign In
JeremyRand
/
torspec
Watch 1
Star 0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: stream-event-isolation
Branches Tags
torspec
/
proposals
/
206-directory-sources.txt

206-directory-sources.txt 3.3 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990 
  1. Filename: 206-directory-sources.txt
    2. 

  2. Title: Preconfigured directory sources for bootstrapping
    3. 

  3. Author: Nick Mathewson
    4. 

  4. Created: 10-Oct-2012
    5. 

  5. Status: Closed
    6. 

  6. Implemented-In: 0.2.4.7-alpha
    7. 

  7. 

  8. 

  9. Motivation and History:
    10. 

  10. 

  11.    We've long wanted a way for clients to do their initial
    12. 

  12.    bootstrapping not from the directory authorities, but from some
    13. 

  13.    other set of nodes expected to probably be up when future clients are
    14. 

  14.    starting.
    15. 

  15. 

  16.    We tried to solve this a while ago by adding a feature where we could
    17. 

  17.    ship a 'fallback' networkstatus file -- one that would get parsed
    18. 

  18.    when we had no current networkstatus file, and which we would use to
    19. 

  19.    learn about possible directory sources.  But we couldn't actually use
    20. 

  20.    it, since it turns out that a randomly chosen list of directory
    21. 

  21.    caches from 4-5 months ago is a terrible place to go when
    22. 

  22.    bootstrapping.
    23. 

  23. 

  24.    Then for a while we considered an "Extra-Stable" flag so that clients
    25. 

  25.    could use only nodes with a long history of existence from these
    26. 

  26.    fallback networkstatus files.  We never built it, though.
    27. 

  27. 

  28.    Instead, we can do this so much more simply.  If we want to ship Tor
    29. 

  29.    with a list of initial locations to go for directory information, why
    30. 

  30.    not just do so?
    31. 

  31. 

  32. Proposal:
    33. 

  33. 

  34.    In the same way that Tor currently ships with a list of directory
    35. 

  35.    authorities, Tor should also ship with a list of directory sources --
    36. 

  36.    places to go for an initial consensus if you don't have a somewhat
    37. 

  37.    recent one.
    38. 

  38. 

  39.    These need to include an address for the cache's ORPort, and its
    40. 

  40.    identity key.  Additionally, they should include a selection weight.
    41. 

  41. 

  42.    They can be configured with a torrc option, just like directory
    43. 

  43.    authorities are now.
    44. 

  44. 

  45.    Whenever Tor is starting without a consensus, if it would currently
    46. 

  46.    ask a directory authority for a consensus, it should instead ask one
    47. 

  47.    of these preconfigured directory sources.
    48. 

  48. 

  49.    I have code for this (see git branch fallback_dirsource_v2) in my
    50. 

  50.    public repository.
    51. 

  51. 

  52.    When we deploy this, we can (and should) rip out the Fallback
    53. 

  53.    Networkstatus File logic.
    54. 

  54. 

  55. 

  56. How to find nodes to make into directory sources:
    57. 

  57. 

  58.    We could take any of three approaches for selecting these initial
    59. 

  59.    directory sources.
    60. 

  60. 

  61.    First, we could try to vet them a little, with a light variant of the
    62. 

  62.    process we use for authorities.  We'd want to look for nodes where we knew
    63. 

  63.    the operators, verify that they were okay with keeping the same IP for a
    64. 

  64.    very long time, and so forth.
    65. 

  65. 

  66.    Second, we could try to pick nodes for listing with each Tor release
    67. 

  67.    based entirely on how long those nodes have been up.  Anything that's
    68. 

  68.    been a high-reliability directory for a long time on the same IP
    69. 

  69.    (like, say, a year) could be a good choice.
    70. 

  70. 

  71.    Third, we could blend the approach and start by looking for
    72. 

  72.    up-for-a-long-time nodes, and then also ask the operators whether
    73. 

  73.    their nodes are likely to stay running for a long time.
    74. 

  74. 

  75.    I think the third model is best.
    76. 

  76. 

  77. 

  78. Some notes on security:
    79. 

  79. 

  80.    Directory source nodes have an opportunity to learn about new users
    81. 

  81.    connecting to the network for the first time.  Once we have directory
    82. 

  82.    guards, that's going to be a fairly uncommon ability.  We should be
    83. 

  83.    careful in any directory guard design to make sure that we don't fall
    84. 

  84.    back to the directory sources any more than we need to.  See proposal 207.
    85. 

  85. 

  86. 

  87. 

  88. 

  89. 

  90.