commit proposal 120: Suicide descriptors when Tor servers stop

svn:r11115

doc/spec/proposals/000-index.txt

@@ -27,7 +27,7 @@ Proposals by number:
 106  Checking fewer things during TLS handshakes [CLOSED]
 107  Uptime Sanity Checking [CLOSED]
 108  Base "Stable" Flag on Mean Time Between Failures [OPEN]
-109  No more than one server per IP address [ACCEPTED]
+109  No more than one server per IP address [CLOSED]
 110  Avoiding infinite length circuits [OPEN]
 111  Prioritizing local traffic over relayed traffic [OPEN]
 112  Bring Back Pathlen Coin Weight [OPEN]
@@ -37,4 +37,5 @@ Proposals by number:
 116  Two hop paths from entry guards [OPEN]
 117  IPv6 exits [OPEN]
 118  Advertising multiple ORPorts at once [RESEARCH]
-
+119  New PROTOCOLINFO command for controllers [OPEN]
+120  Suicide descriptors when Tor servers stop [OPEN]

doc/spec/proposals/120-suicide-descriptors.txt

@@ -0,0 +1,76 @@
+Filename: 120-suicide-descriptors.txt
+Title: Suicide descriptors when Tor servers stop
+Version: $Revision$
+Last-Modified: $Date$
+Author: Roger Dingledine
+Created: 15-Aug-2007
+Status: Open
+
+Overview:
+
+  Tor servers should publish a last descriptor whenever they shut down,
+  to let others know that they are no longer offering service.
+
+The Problem:
+
+  The main reason for this is in reaction to Internet services that want
+  to treat connections from the Tor network differently. Right now,
+  if a user experiments with turning on the "relay" functionality, he
+  is punished by being locked out of some websites, some IRC networks,
+  etc --- and this lockout persists for several days even after he turns
+  the server off.
+
+Design:
+
+  During the "slow shutdown" period if exiting, or shortly after the
+  user sets his ORPort back to 0 if not exiting, Tor should publish a
+  final descriptor with the following characteristics:
+
+  1) Exit policy is listed as "reject *:*"
+  2) It includes a new entry called "opt shutdown 1"
+
+  The first step is so current blacklists will no longer list this node
+  as exiting to whatever the service is.
+
+  The second step is so directory authorities can avoid wasting time
+  doing reachability testing. Authorities should automatically not list
+  as Running any router whose latest descriptor says it shut down.
+
+  [I originally had in mind a third step --- Advertised bandwidth capacity
+  is listed as "0" --- so current Tor clients will skip over this node
+  when building most circuits. But since clients won't fetch descriptors
+  from nodes not listed as Running, this step seems pointless. -RD]
+
+Spec:
+
+  TBD but should be pretty straightforward.
+
+Security issues:
+
+  Now external people can learn exactly when a node stopped offering
+  relay service. How bad is this? I can see a few minor attacks based
+  on this knowledge, but on the other hand as it is we don't really take
+  any steps to keep this information secret.
+
+Overhead issues:
+
+  We are creating more descriptors that want to be remembered. However,
+  since the router won't be marked as Running, ordinary clients won't
+  fetch the suicide descriptors. Caches will, though. I hope this is ok.
+
+Implementation:
+
+  To make things easy, we should publish the suicide descriptor only
+  on controlled shutdown (SIGINT as opposed to SIGTERM). That would
+  leave enough time for publishing that we probably wouldn't need any
+  extra synchronization code.
+
+  If that turns out to be too unintuitive for users, I could imagine doing
+  it on SIGTERMs too, and just delaying exit until we had successfully
+  published to at least one authority, at which point we'd hope that it
+  propagated from there.
+
+Acknowledgements:
+
+  tup suggested this idea.
+