mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-27 13:53:31 +01:00
dirauth: Make voting flag threshold tunable via torrc
Remove UPTIME_TO_GUARANTEE_STABLE, MTBF_TO_GUARANTEE_STABLE, TIME_KNOWN_TO_GUARANTEE_FAMILIAR WFU_TO_GUARANTEE_GUARD and replace each of them with a tunnable torrc option. Related to #40652 Signed-off-by: David Goulet <dgoulet@torproject.org>
This commit is contained in:
parent
681c15a32d
commit
8bf1a86ae1
@ -1,5 +1,10 @@
|
||||
o Minor features (dirauth):
|
||||
- Add an AuthDirVoteGuard torrc option that can allow authorities to assign
|
||||
the Guard flag to the given fingerprints/country code/IPs. This is a
|
||||
needed feature mostly for defense purposes in case a DoS hits the network
|
||||
and relay start losing the Guard flags too fast. Closes ticket 40652.
|
||||
- Add an AuthDirVoteGuard torrc option that can allow authorities to
|
||||
assign the Guard flag to the given fingerprints/country code/IPs. This
|
||||
is a needed feature mostly for defense purposes in case a DoS hits the
|
||||
network and relay start losing the Guard flags too fast.
|
||||
- Make UPTIME_TO_GUARANTEE_STABLE, MTBF_TO_GUARANTEE_STABLE,
|
||||
TIME_KNOWN_TO_GUARANTEE_FAMILIAR WFU_TO_GUARANTEE_GUARD tunable from
|
||||
torrc.
|
||||
- Add a torrc option to control the Guard flag bandwidth threshold
|
||||
percentile. Closes ticket 40652.
|
||||
|
@ -3234,6 +3234,27 @@ on the public Tor network.
|
||||
nodes to vote Guard for regardless of their uptime and bandwidth. See
|
||||
<<ExcludeNodes,ExcludeNodes>> for more information on how to specify nodes.
|
||||
|
||||
[[AuthDirVoteGuardBwThresholdFraction]] **AuthDirVoteGuardBwThresholdFraction** __FRACTION__::
|
||||
The Guard flag bandwidth performance threshold fraction that is the
|
||||
fraction representing who gets the Guard flag out of all measured
|
||||
bandwidth. (Default: 0.75)
|
||||
|
||||
[[AuthDirVoteGuardGuaranteeTimeKnown]] **AuthDirVoteGuardGuaranteeTimeKnown** __N__ **seconds**|**minutes**|**hours**|**days**|**weeks**::
|
||||
A relay with at least this much weighted time known can be considered
|
||||
familiar enough to be a guard. (Default: 8 days)
|
||||
|
||||
[[AuthDirVoteGuardGuaranteeWFU]] **AuthDirVoteGuardGuaranteeWFU** __FRACTION__::
|
||||
A level of weighted fractional uptime (WFU) is that is sufficient to be a
|
||||
Guard. (Default: 0.98)
|
||||
|
||||
[[AuthDirVoteStableGuaranteeMinUptime]] **AuthDirVoteStableGuaranteeMinUptime** __N__ **seconds**|**minutes**|**hours**|**days**|**weeks**::
|
||||
If a relay's uptime is at least this value, then it is always considered
|
||||
stable, regardless of the rest of the network. (Default: 30 days)
|
||||
|
||||
[[AuthDirVoteStableGuaranteeMTBF]] **AuthDirVoteStableGuaranteeMTBF** __N__ **seconds**|**minutes**|**hours**|**days**|**weeks**::
|
||||
If a relay's mean time between failures (MTBF) is least this value, then
|
||||
it will always be considered stable. (Default: 5 days)
|
||||
|
||||
[[BridgePassword]] **BridgePassword** __Password__::
|
||||
If set, contains an HTTP authenticator that tells a bridge authority to
|
||||
serve all requested bridge information. Used by the (only partially
|
||||
|
@ -434,6 +434,11 @@ dirauth_options_validate(const void *arg, char **msg)
|
||||
"Recommended*Versions.");
|
||||
}
|
||||
|
||||
if (options->AuthDirVoteGuardBwThresholdFraction > 1.0 ||
|
||||
options->AuthDirVoteGuardBwThresholdFraction < 0.0) {
|
||||
REJECT("Guard bandwdith threshold fraction is invalid.");
|
||||
}
|
||||
|
||||
char *t;
|
||||
/* Call these functions to produce warnings only. */
|
||||
t = format_recommended_version_list(options->RecommendedClientVersions, 1);
|
||||
|
@ -79,6 +79,28 @@ CONF_VAR(RecommendedServerVersions, LINELIST, 0, NULL)
|
||||
/** Relays which should be voted Guard regardless of uptime and bandwidth. */
|
||||
CONF_VAR(AuthDirVoteGuard, ROUTERSET, 0, NULL)
|
||||
|
||||
/** If a relay's uptime is at least this value, then it is always considered
|
||||
* stable, regardless of the rest of the network. This way we resist attacks
|
||||
* where an attacker doubles the size of the network using allegedly
|
||||
* high-uptime nodes, displacing all the current guards. */
|
||||
CONF_VAR(AuthDirVoteStableGuaranteeMinUptime, INTERVAL, 0, "30 days")
|
||||
|
||||
/** If a relay's MTBF is at least this value, then it is always stable. See
|
||||
* above. */
|
||||
CONF_VAR(AuthDirVoteStableGuaranteeMTBF, INTERVAL, 0, "5 days")
|
||||
|
||||
/** A relay with at least this much weighted time known can be considered
|
||||
* familiar enough to be a guard. */
|
||||
CONF_VAR(AuthDirVoteGuardGuaranteeTimeKnown, INTERVAL, 0, "8 days")
|
||||
|
||||
/** A relay with sufficient WFU is around enough to be a guard. */
|
||||
CONF_VAR(AuthDirVoteGuardGuaranteeWFU, DOUBLE, 0, "0.98")
|
||||
|
||||
/** The Guard flag bandwidth performance threshold fraction that is the
|
||||
* fraction representing who gets the Guard flag out of all measured
|
||||
* bandwidth. */
|
||||
CONF_VAR(AuthDirVoteGuardBwThresholdFraction, DOUBLE, 0, "0.75")
|
||||
|
||||
/** If an authority has been around for less than this amount of time, it
|
||||
* does not believe its reachability information is accurate. Only
|
||||
* altered on testing networks. */
|
||||
|
@ -36,24 +36,6 @@
|
||||
|
||||
#include "lib/container/order.h"
|
||||
|
||||
/** If a router's uptime is at least this value, then it is always
|
||||
* considered stable, regardless of the rest of the network. This
|
||||
* way we resist attacks where an attacker doubles the size of the
|
||||
* network using allegedly high-uptime nodes, displacing all the
|
||||
* current guards. */
|
||||
#define UPTIME_TO_GUARANTEE_STABLE (3600*24*30)
|
||||
/** If a router's MTBF is at least this value, then it is always stable.
|
||||
* See above. (Corresponds to about 7 days for current decay rates.) */
|
||||
#define MTBF_TO_GUARANTEE_STABLE (60*60*24*5)
|
||||
/** Similarly, every node with at least this much weighted time known can be
|
||||
* considered familiar enough to be a guard. Corresponds to about 20 days for
|
||||
* current decay rates.
|
||||
*/
|
||||
#define TIME_KNOWN_TO_GUARANTEE_FAMILIAR (8*24*60*60)
|
||||
/** Similarly, every node with sufficient WFU is around enough to be a guard.
|
||||
*/
|
||||
#define WFU_TO_GUARANTEE_GUARD (0.98)
|
||||
|
||||
/* Thresholds for server performance: set by
|
||||
* dirserv_compute_performance_thresholds, and used by
|
||||
* generate_v2_networkstatus */
|
||||
@ -111,13 +93,13 @@ dirserv_thinks_router_is_unreliable(time_t now,
|
||||
*/
|
||||
long uptime = real_uptime(router, now);
|
||||
if ((unsigned)uptime < stable_uptime &&
|
||||
(unsigned)uptime < UPTIME_TO_GUARANTEE_STABLE)
|
||||
uptime < dirauth_get_options()->AuthDirVoteStableGuaranteeMinUptime)
|
||||
return 1;
|
||||
} else {
|
||||
double mtbf =
|
||||
rep_hist_get_stability(router->cache_info.identity_digest, now);
|
||||
if (mtbf < stable_mtbf &&
|
||||
mtbf < MTBF_TO_GUARANTEE_STABLE)
|
||||
mtbf < dirauth_get_options()->AuthDirVoteStableGuaranteeMTBF)
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
@ -325,13 +307,15 @@ dirserv_compute_performance_thresholds(digestmap_t *omit_as_sybil)
|
||||
/* (Now bandwidths is sorted.) */
|
||||
if (fast_bandwidth_kb < RELAY_REQUIRED_MIN_BANDWIDTH/(2 * 1000))
|
||||
fast_bandwidth_kb = bandwidths_kb[n_active/4];
|
||||
int nth = (int)(n_active *
|
||||
dirauth_options->AuthDirVoteGuardBwThresholdFraction);
|
||||
guard_bandwidth_including_exits_kb =
|
||||
third_quartile_uint32(bandwidths_kb, n_active);
|
||||
find_nth_uint32(bandwidths_kb, n_active, nth);
|
||||
guard_tk = find_nth_long(tks, n_active, n_active/8);
|
||||
}
|
||||
|
||||
if (guard_tk > TIME_KNOWN_TO_GUARANTEE_FAMILIAR)
|
||||
guard_tk = TIME_KNOWN_TO_GUARANTEE_FAMILIAR;
|
||||
if (guard_tk > dirauth_options->AuthDirVoteGuardGuaranteeTimeKnown)
|
||||
guard_tk = dirauth_options->AuthDirVoteGuardGuaranteeTimeKnown;
|
||||
|
||||
{
|
||||
/* We can vote on a parameter for the minimum and maximum. */
|
||||
@ -379,15 +363,16 @@ dirserv_compute_performance_thresholds(digestmap_t *omit_as_sybil)
|
||||
} SMARTLIST_FOREACH_END(node);
|
||||
if (n_familiar)
|
||||
guard_wfu = median_double(wfus, n_familiar);
|
||||
if (guard_wfu > WFU_TO_GUARANTEE_GUARD)
|
||||
guard_wfu = WFU_TO_GUARANTEE_GUARD;
|
||||
if (guard_wfu > dirauth_options->AuthDirVoteGuardGuaranteeWFU)
|
||||
guard_wfu = dirauth_options->AuthDirVoteGuardGuaranteeWFU;
|
||||
|
||||
enough_mtbf_info = rep_hist_have_measured_enough_stability();
|
||||
|
||||
if (n_active_nonexit) {
|
||||
int nth = (int)(n_active_nonexit *
|
||||
dirauth_options->AuthDirVoteGuardBwThresholdFraction);
|
||||
guard_bandwidth_excluding_exits_kb =
|
||||
find_nth_uint32(bandwidths_excluding_exits_kb,
|
||||
n_active_nonexit, n_active_nonexit*3/4);
|
||||
find_nth_uint32(bandwidths_excluding_exits_kb, n_active_nonexit, nth);
|
||||
}
|
||||
|
||||
log_info(LD_DIRSERV,
|
||||
|
Loading…
Reference in New Issue
Block a user