tor/doc/spec/proposals/107-uptime-sanity-checking.txt

Filename: 107-uptime-sanity-checking.txt
Title: Uptime Sanity Checking
Version: $Revision$
Last-Modified: $Date$
Author: Kevin Bauer & Damon McCoy
Created: 8-March-2007
Status: Closed

Overview:

   This document describes how to cap the uptime that is used when computing
   which routers are marked as stable such that highly stable routers cannot
   be displaced by malicious routers that report extremely high uptime
   values.

   This is similar to how bandwidth is capped at 1.5MB/s.

Motivation:

   It has been pointed out that an attacker can displace all stable nodes and
   entry guard nodes by reporting high uptimes. This is an easy fix that will
   prevent highly stable nodes from being displaced.

Security implications:

   It should decrease the effectiveness of routing attacks that report high
   uptimes while not impacting the normal routing algorithms.

Specification:

  So we could patch Section 3.1 of dir-spec.txt to say:

   "Stable" -- A router is 'Stable' if it is running, valid, not
   hibernating, and either its uptime is at least the median uptime for
   known running, valid, non-hibernating routers, or its uptime is at
   least 30 days. Routers are never called stable if they are running
   a version of Tor known to drop circuits stupidly.  (0.1.1.10-alpha
   through 0.1.1.16-rc are stupid this way.)

Compatibility:

   There should be no compatibility issues due to uptime capping.

Implementation:

   Implemented and merged into dir-spec in 0.2.0.0-alpha-dev (r9788).

Discussion:

   Initially, this proposal set the maximum at 60 days, not 30; the 30 day
   limit and spec wording was suggested by Roger in an or-dev post on 9 March
   2007.

   This proposal also led to 108-mtbf-based-stability.txt
r12520@Kushana: nickm \| 2007-03-10 00:57:59 -0500 add initial uptime-sanity-checking proposal by Kevin Buaer and Damon McCoy. svn:r9791 2007-03-10 08:39:17 +01:00			`Filename: 107-uptime-sanity-checking.txt`
			`Title: Uptime Sanity Checking`
unified svn properties and keywords for proposals and address spec svn:r10625 2007-06-17 01:23:19 +02:00			`Version: $Revision$`
			`Last-Modified: $Date$`
r12521@Kushana: nickm \| 2007-03-10 01:15:58 -0500 Update and close proposal 107. svn:r9792 2007-03-10 08:39:20 +01:00			`Author: Kevin Bauer & Damon McCoy`
r12520@Kushana: nickm \| 2007-03-10 00:57:59 -0500 add initial uptime-sanity-checking proposal by Kevin Buaer and Damon McCoy. svn:r9791 2007-03-10 08:39:17 +01:00			`Created: 8-March-2007`
a few tweaks, plus actually close 107 svn:r9794 2007-03-10 09:13:34 +01:00			`Status: Closed`
r12520@Kushana: nickm \| 2007-03-10 00:57:59 -0500 add initial uptime-sanity-checking proposal by Kevin Buaer and Damon McCoy. svn:r9791 2007-03-10 08:39:17 +01:00
			`Overview:`

			`This document describes how to cap the uptime that is used when computing`
a few tweaks, plus actually close 107 svn:r9794 2007-03-10 09:13:34 +01:00			`which routers are marked as stable such that highly stable routers cannot`
r12520@Kushana: nickm \| 2007-03-10 00:57:59 -0500 add initial uptime-sanity-checking proposal by Kevin Buaer and Damon McCoy. svn:r9791 2007-03-10 08:39:17 +01:00			`be displaced by malicious routers that report extremely high uptime`
			`values.`

			`This is similar to how bandwidth is capped at 1.5MB/s.`

			`Motivation:`

			`It has been pointed out that an attacker can displace all stable nodes and`
			`entry guard nodes by reporting high uptimes. This is an easy fix that will`
			`prevent highly stable nodes from being displaced.`

			`Security implications:`

			`It should decrease the effectiveness of routing attacks that report high`
			`uptimes while not impacting the normal routing algorithms.`

			`Specification:`

r12521@Kushana: nickm \| 2007-03-10 01:15:58 -0500 Update and close proposal 107. svn:r9792 2007-03-10 08:39:20 +01:00			`So we could patch Section 3.1 of dir-spec.txt to say:`

			`"Stable" -- A router is 'Stable' if it is running, valid, not`
			`hibernating, and either its uptime is at least the median uptime for`
			`known running, valid, non-hibernating routers, or its uptime is at`
a few tweaks, plus actually close 107 svn:r9794 2007-03-10 09:13:34 +01:00			`least 30 days. Routers are never called stable if they are running`
r12521@Kushana: nickm \| 2007-03-10 01:15:58 -0500 Update and close proposal 107. svn:r9792 2007-03-10 08:39:20 +01:00			`a version of Tor known to drop circuits stupidly. (0.1.1.10-alpha`
			`through 0.1.1.16-rc are stupid this way.)`
r12520@Kushana: nickm \| 2007-03-10 00:57:59 -0500 add initial uptime-sanity-checking proposal by Kevin Buaer and Damon McCoy. svn:r9791 2007-03-10 08:39:17 +01:00
			`Compatibility:`

cleanups, and note a bug svn:r10022 2007-04-25 08:05:46 +02:00			`There should be no compatibility issues due to uptime capping.`
r12520@Kushana: nickm \| 2007-03-10 00:57:59 -0500 add initial uptime-sanity-checking proposal by Kevin Buaer and Damon McCoy. svn:r9791 2007-03-10 08:39:17 +01:00
			`Implementation:`

r12521@Kushana: nickm \| 2007-03-10 01:15:58 -0500 Update and close proposal 107. svn:r9792 2007-03-10 08:39:20 +01:00			`Implemented and merged into dir-spec in 0.2.0.0-alpha-dev (r9788).`

			`Discussion:`

a few tweaks, plus actually close 107 svn:r9794 2007-03-10 09:13:34 +01:00			`Initially, this proposal set the maximum at 60 days, not 30; the 30 day`
r12521@Kushana: nickm \| 2007-03-10 01:15:58 -0500 Update and close proposal 107. svn:r9792 2007-03-10 08:39:20 +01:00			`limit and spec wording was suggested by Roger in an or-dev post on 9 March`
			`2007.`
r12520@Kushana: nickm \| 2007-03-10 00:57:59 -0500 add initial uptime-sanity-checking proposal by Kevin Buaer and Damon McCoy. svn:r9791 2007-03-10 08:39:17 +01:00
r12522@Kushana: nickm \| 2007-03-10 02:38:33 -0500 Mark 107 closed (since it was implemented and merged into the spec). Put MTBF proposal in 108. svn:r9793 2007-03-10 08:39:23 +01:00			`This proposal also led to 108-mtbf-based-stability.txt`
a few tweaks, plus actually close 107 svn:r9794 2007-03-10 09:13:34 +01:00