Reduce Sybil harm while still getting use out of them
With the exception of bad exit relays, we have a binary approach to dealing with bad relays; we either let them be, or remove them from the network. That's not always appropriate because Sybils can be useful, provided we strip them of power. In particular, we probably want to prevent them from becoming:
- Anything hidden service-related (HSDirs, introduction points, rendezvous points)
- Exit relays
- Guard relays
- Maybe even directory mirrors?
One possibility would be an option such as
AuthDirRestrain, that specifies which relay should be stripped of powers. Another possibility would be a set of more fine-grained options but that sounds less useful because it assumes that we know what a bad relays is up to. Often, however, we are only aware of a subset of the actual attack.
If we indeed want something like
AuthDirRestrain, we should also think about the voting process. The
AuthDirBadExit process works well so far because we have three voters, whereof two are typically quick to act. It doesn't work that well for
AuthDirReject where we need the majority of all nine authority operators.