Reduce Sybil harm while still getting use out of them
With the exception of bad exit relays, we have a binary approach to dealing with bad relays; we either let them be, or remove them from the network. That's not always appropriate because Sybils can be useful, provided we strip them of power. In particular, we probably want to prevent them from becoming:
- Anything hidden service-related (HSDirs, introduction points, rendezvous points)
- Exit relays
- Guard relays
- Maybe even directory mirrors?
One possibility would be an option such as AuthDirRestrain
, that specifies which relay should be stripped of powers. Another possibility would be a set of more fine-grained options but that sounds less useful because it assumes that we know what a bad relays is up to. Often, however, we are only aware of a subset of the actual attack.
If we indeed want something like AuthDirRestrain
, we should also think about the voting process. The AuthDirBadExit
process works well so far because we have three voters, whereof two are typically quick to act. It doesn't work that well for AuthDirReject
where we need the majority of all nine authority operators.