Bw Auths should penalize nodes for circ extend failures
Right now we have about 50 extremely overloaded guard nodes (the Pandora* set) that are failing TLS connections, dir connections, and just about everything else, due to maxing out their CPU load on crypto.
However, when they do manage to actually rarely complete a circuit, they have huge bandwidth capacity available.
What we should do is assign a measurement of 0 every time we try to use a node as a first hop, but it fails to accept our extend.
We can try to do this to the 2nd hop too, but that is less reliable, since it won't be clear if that extend failed because the 1st hop sucks or if 2nd hop is actually broken... We could ensure that each exit is measured at least twice as an entry, or something, to improve this property (maybe).
We may want to ensure that each exit is measured at least N times as an entry anyways (for N=1 or 2).