diff --git a/doc/spec/proposals/000-index.txt b/doc/spec/proposals/000-index.txt index a90d3997a2..8d83ae70da 100644 --- a/doc/spec/proposals/000-index.txt +++ b/doc/spec/proposals/000-index.txt @@ -27,7 +27,7 @@ Proposals by number: 106 Checking fewer things during TLS handshakes [CLOSED] 107 Uptime Sanity Checking [CLOSED] 108 Base "Stable" Flag on Mean Time Between Failures [OPEN] -109 No more than one server per IP address [ACCEPTED] +109 No more than one server per IP address [CLOSED] 110 Avoiding infinite length circuits [OPEN] 111 Prioritizing local traffic over relayed traffic [OPEN] 112 Bring Back Pathlen Coin Weight [OPEN] @@ -37,4 +37,5 @@ Proposals by number: 116 Two hop paths from entry guards [OPEN] 117 IPv6 exits [OPEN] 118 Advertising multiple ORPorts at once [RESEARCH] - +119 New PROTOCOLINFO command for controllers [OPEN] +120 Suicide descriptors when Tor servers stop [OPEN] diff --git a/doc/spec/proposals/120-suicide-descriptors.txt b/doc/spec/proposals/120-suicide-descriptors.txt new file mode 100644 index 0000000000..f0bc6921a4 --- /dev/null +++ b/doc/spec/proposals/120-suicide-descriptors.txt @@ -0,0 +1,76 @@ +Filename: 120-suicide-descriptors.txt +Title: Suicide descriptors when Tor servers stop +Version: $Revision$ +Last-Modified: $Date$ +Author: Roger Dingledine +Created: 15-Aug-2007 +Status: Open + +Overview: + + Tor servers should publish a last descriptor whenever they shut down, + to let others know that they are no longer offering service. + +The Problem: + + The main reason for this is in reaction to Internet services that want + to treat connections from the Tor network differently. Right now, + if a user experiments with turning on the "relay" functionality, he + is punished by being locked out of some websites, some IRC networks, + etc --- and this lockout persists for several days even after he turns + the server off. + +Design: + + During the "slow shutdown" period if exiting, or shortly after the + user sets his ORPort back to 0 if not exiting, Tor should publish a + final descriptor with the following characteristics: + + 1) Exit policy is listed as "reject *:*" + 2) It includes a new entry called "opt shutdown 1" + + The first step is so current blacklists will no longer list this node + as exiting to whatever the service is. + + The second step is so directory authorities can avoid wasting time + doing reachability testing. Authorities should automatically not list + as Running any router whose latest descriptor says it shut down. + + [I originally had in mind a third step --- Advertised bandwidth capacity + is listed as "0" --- so current Tor clients will skip over this node + when building most circuits. But since clients won't fetch descriptors + from nodes not listed as Running, this step seems pointless. -RD] + +Spec: + + TBD but should be pretty straightforward. + +Security issues: + + Now external people can learn exactly when a node stopped offering + relay service. How bad is this? I can see a few minor attacks based + on this knowledge, but on the other hand as it is we don't really take + any steps to keep this information secret. + +Overhead issues: + + We are creating more descriptors that want to be remembered. However, + since the router won't be marked as Running, ordinary clients won't + fetch the suicide descriptors. Caches will, though. I hope this is ok. + +Implementation: + + To make things easy, we should publish the suicide descriptor only + on controlled shutdown (SIGINT as opposed to SIGTERM). That would + leave enough time for publishing that we probably wouldn't need any + extra synchronization code. + + If that turns out to be too unintuitive for users, I could imagine doing + it on SIGTERMs too, and just delaying exit until we had successfully + published to at least one authority, at which point we'd hope that it + propagated from there. + +Acknowledgements: + + tup suggested this idea. +