Add a "rendezvous approver" control API
From the discussion on mitigating HS denial of service in #16052 (moved):
Add a "rendezvous approver" control API, which gives an opted-in controller the chance to approve or deny all rendezvous circuit and stream requests before they're acted upon. This would allow us to make more complex and useful mitigations as third-party software.
This might be useful for:
- Rate limiting: at most N unauthenticated clients per time interval Y
- Extra-conservative logic like "stop accepting connections during potential guard discovery"
- Limiting capacity to control server load: only allow N simultaneous clients
- Protocol-tuned rules for things like Ricochet
- More advanced pre-rendezvous authorization
arma also noted:
Speaking of the mitigator, the original HS design had the services giving out tokens to preferred users, who then use the token to get access during times of high load.
This could be built by using a new auth type for access tokens, and checking them in the approver.
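To make the shape of such a controller-side policy concrete, here is an added example (not Tor code, and not an API Tor exposes today) that models only the decision a third-party approver would make per rendezvous request: a sliding-window rate limit on unauthenticated clients, a hard cap on simultaneous clients with a slice reserved for token holders, a "lockdown" switch for the guard-discovery case, and HMAC-based access tokens in the spirit of arma's note. The circuit identifier, the optional token argument, the token format and all numbers are assumptions made for the illustration; how Tor would deliver the request and receive the verdict is left open, as in the ticket.

```python
"""Added example: hypothetical controller-side rendezvous approver policy.

Not Tor code. Tor has no such API; this models only the approve/deny
decision a controller would make if asked before each rendezvous is acted
upon. Circuit ids, the optional client token and its format are assumptions.
"""
import hashlib
import hmac
from collections import deque
from typing import Optional


class RendezvousApprover:
    def __init__(self, token_key: bytes, max_new_per_window: int,
                 window_seconds: float, max_concurrent: int,
                 reserved_for_tokens: int = 0):
        self.token_key = token_key                  # secret shared only with the service
        self.max_new_per_window = max_new_per_window  # N unauthenticated admissions per window
        self.window_seconds = window_seconds        # the window Y
        self.max_concurrent = max_concurrent        # hard cap on simultaneous clients
        self.reserved_for_tokens = reserved_for_tokens  # slots unauthenticated clients may not use
        self._recent_unauth = deque()               # admission times of unauthenticated clients
        self._active = {}                           # circ_id -> True if admitted via token
        self.lockdown = False                       # set during suspected guard discovery

    # --- access tokens: "preferred users" get in during high load ---
    def issue_token(self, client_id: str, expires_at: float) -> str:
        """Token = client_id:expiry:HMAC(key, client_id:expiry). Bearer token, no replay state."""
        msg = f"{client_id}:{expires_at:.0f}".encode()
        tag = hmac.new(self.token_key, msg, hashlib.sha256).hexdigest()
        return f"{msg.decode()}:{tag}"

    def token_valid(self, token: str, now: float) -> bool:
        try:
            client_id, expiry, tag = token.rsplit(":", 2)
        except ValueError:
            return False
        msg = f"{client_id}:{expiry}".encode()
        expected = hmac.new(self.token_key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):   # constant-time tag check
            return False
        try:
            return float(expiry) > now                # authentic but possibly expired
        except ValueError:
            return False

    # --- the per-request verdict ---
    def approve(self, circ_id: str, now: float, token: Optional[str] = None) -> bool:
        if circ_id in self._active:                  # duplicate id is a protocol error: deny
            return False
        if token is not None and self.token_valid(token, now):
            if len(self._active) >= self.max_concurrent:
                return False                         # hard cap applies even to preferred users
            self._active[circ_id] = True
            return True
        if self.lockdown:
            return False                             # unauthenticated clients are refused outright
        if len(self._active) >= self.max_concurrent - self.reserved_for_tokens:
            return False                             # capacity, minus the reserved slice
        self._prune(now)
        if len(self._recent_unauth) >= self.max_new_per_window:
            return False                             # rate limit: N per Y
        self._recent_unauth.append(now)
        self._active[circ_id] = False
        return True

    def circuit_closed(self, circ_id: str) -> None:
        self._active.pop(circ_id, None)

    def _prune(self, now: float) -> None:
        while self._recent_unauth and now - self._recent_unauth[0] >= self.window_seconds:
            self._recent_unauth.popleft()


def demo():
    """Constructed request sequence (assumed values); returns the verdicts in order."""
    ap = RendezvousApprover(b"example-key", max_new_per_window=2, window_seconds=10,
                            max_concurrent=4, reserved_for_tokens=1)
    out = []
    out.append(ap.approve("c1", now=0.0))                 # True: 1st unauthenticated in window
    out.append(ap.approve("c2", now=1.0))                 # True: 2nd
    out.append(ap.approve("c3", now=2.0))                 # False: rate limit hit
    tok = ap.issue_token("alice", expires_at=100.0)
    out.append(ap.approve("c4", now=3.0, token=tok))      # True: token bypasses rate limit
    out.append(ap.approve("c5", now=4.0, token=tok))      # True: 4th slot, still under hard cap
    out.append(ap.approve("c6", now=12.0))                # False: window cleared, but only 3 slots for unauth
    ap.circuit_closed("c4"); ap.circuit_closed("c5")
    out.append(ap.approve("c6", now=13.0))                # True: capacity freed
    ap.lockdown = True
    out.append(ap.approve("c7", now=14.0))                # False: lockdown refuses unauthenticated
    out.append(ap.approve("c7", now=14.0, token=tok))     # True: preferred user still admitted
    out.append(ap.approve("c8", now=15.0, token="alice:100:deadbeef"))  # False: forged tag
    old = ap.issue_token("bob", expires_at=5.0)
    out.append(ap.approve("c9", now=15.0, token=old))     # False: expired token, treated as unauth
    return out
```

The token here is a plain bearer credential with an expiry, so the same token admits any number of circuits until it expires (c4 and c5 above); a deployment that wants single-use or per-token concurrency limits would need to track issued tokens, and the new auth type on the Tor side would have to carry the token to the approver without exposing it to the rendezvous point.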