Commit 1b665b3c authored by Nick Mathewson

r13979@catbus: nickm | 2007-07-29 01:20:20 -0400

 Implement proposal 109:  As an authority, never call more than 3 servers per IP Running and Valid.  Prefer Running servers to non-running ones; then prefer high-bandwidth to low-bandwidth.  Needs testing.


svn:r10968
parent eca2a300
+3 −0
@@ -13,6 +13,9 @@ Changes in version 0.2.0.3-alpha - 2007-07-29
      at least 100KB/s, and consider their bandwidth adequate to be a
      Guard if it is at least 250KB/s, no matter the medians. This fix
      complements proposal 107. [Bugfix on 0.1.2.x]
    - Directory authorities now never mark more than 3 servers per IP as
      Valid and Running.  (Implements proposal 109, by Kevin Bauer and
      Damon McCoy.)

  o Major bugfixes (directory):
    - Rewrite directory tokenization code to never run off the end of
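Review bot: the entry says this "Implements proposal 109", but the MAX_BW_PER_IP half of that proposal is explicitly left unimplemented in this same commit (the "[[ We don't actually do this part here. -NM ]]" block in the proposal hunk), and the commit message itself says "Needs testing". Consider wording it as "Implements the per-IP server limit from proposal 109" so an operator reading the ChangeLog does not assume a per-IP bandwidth cap is also being enforced.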
+1 −1
@@ -140,7 +140,7 @@ Things we'd like to do in 0.2.0.x:
      - Drop bandwidth history from router-descriptors
    - 105: Version negotiation for the Tor protocol
    - 108: Base "Stable" Flag on Mean Time Between Failures
    - 109: No more than one server per IP address
    o 109: No more than one server per IP address
    o 103: Splitting identity key from regularly used signing key
      o Merge with 101 into a new dir-spec.txt
    - 113: Simplifying directory authority administration
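Review bot: the item being marked done still reads "109: No more than one server per IP address", while what this commit implements (per the ChangeLog hunk) is a limit of 3 servers per IP. Update the item text, e.g. "109: No more than 3 servers per IP address", so the closed TODO entry does not misstate the rule that shipped.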
+6 −0
@@ -482,6 +482,12 @@ $Id$
   Directory server administrators may label some servers or IPs as
   blacklisted, and elect not to include them in their network-status lists.

   Authorities SHOULD 'disable' any servers in excess of 3 on any single
   IP.  When there are more than 3 to choose from, authorities should first
   prefer Running to non-Running, and then prefer high-bandwidth to
   low-bandwidth.  To 'disable' a server, the authority *should* advertise
   it without the Running or Valid flag.

   Thus, the network-status list includes all non-blacklisted,
   non-expired, non-superseded descriptors.
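Review bot: the requirement uses an RFC-2119 "SHOULD" in the first sentence but a lowercase emphasized "*should*" in the last, and the limit is a bare literal 3 here while proposal 109 names it MAX_SERVERS_PER_IP. Use "SHOULD" consistently and reference the constant, e.g. "in excess of MAX_SERVERS_PER_IP (currently 3)", so the spec and the proposal stay in step if the value is ever changed. The following "Thus, the network-status list includes all non-blacklisted, ..." sentence now reads as a conclusion drawn from the new paragraph; it would help to state plainly that disabled servers are still listed, only without the Running and Valid flags, since that is what the last sentence of the new text describes.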

+7 −1
@@ -968,7 +968,13 @@ $Id$
   Directory server administrators may label some servers or IPs as
   blacklisted, and elect not to include them in their network-status lists.

   Thus, the network-status list includes all non-blacklisted,
   Authorities SHOULD 'disable' any servers in excess of 3 on any single
   IP.  When there are more than 3 to choose from, authorities should first
   prefer Running to non-Running, and then prefer high-bandwidth to
   low-bandwidth.  To 'disable' a server, the authority *should* advertise
   it without the Running or Valid flag.

   Thus, the network-status vote includes all non-blacklisted,
   non-expired, non-superseded descriptors.

3.4. Computing a consensus from a set of votes
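Review bot: this repeats the dir-spec.txt hunk verbatim, including the same mixed "SHOULD" / "*should*" wording and the bare literal 3 in place of MAX_SERVERS_PER_IP; apply the same consistency fix in both files. For the v3 document in particular, the new paragraph says nothing about how a per-authority "disable" decision interacts with the consensus rules in section 3.4 (whether a server that only some authorities disabled still receives Running or Valid in the consensus), which is the question a reader of this section will have next; a one-line cross-reference to 3.4 would close that gap.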
+11 −6
@@ -4,7 +4,7 @@ Version: $Revision$
Last-Modified: $Date$
Author: Kevin Bauer & Damon McCoy
Created: 9-March-2007
Status: Accepted
Status: Closed

Overview:
  This document describes a solution to a Sybil attack vulnerability in the
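Review bot: changing Status from "Accepted" to "Closed" looks premature, since the MAX_BW_PER_IP part of the Specification section is marked as not implemented further down in this same diff and the commit message says "Needs testing". Either leave the status at "Accepted" until the remaining part is implemented or formally dropped, or add a note next to Status recording that only the MAX_SERVERS_PER_IP limit has been implemented.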
@@ -34,14 +34,19 @@ Specification:
  For each IP address, each directory authority tracks the number of routers
  using that IP address, along with their total observed bandwidth.  If there
  are more than MAX_SERVERS_PER_IP servers at some IP, the authority should
  "disable" all but MAX_SERVERS_PER_IP servers.  If the total observed
  "disable" all but MAX_SERVERS_PER_IP servers.  When choosing which servers
  to disable, the authority should first disable non-Running servers in
  increasing order of observed bandwidth, and then should disable Running
  servers in increasing order of bandwidth.

  [[  We don't actually do this part here. -NM

  If the total observed
  bandwidth of the remaining non-"disabled" servers exceeds MAX_BW_PER_IP,
  the authority should "disable" some of the remaining servers until only one
  server remains, or until the remaining observed bandwidth of non-"disabled"
  servers is under MAX_BW_PER_IP.  When choosing which servers to disable,
  the authority should first disable non-Running servers in increasing order
  of observed bandwidth, and then should disable Running servers in
  increasing order of bandwidth.
  servers is under MAX_BW_PER_IP.
  ]]

  Servers that are "disabled" MUST be marked as non-Valid and non-Running.
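Review bot: the "[[ We don't actually do this part here. -NM ]]" comment leaves the MAX_BW_PER_IP text inside the normative Specification section while signalling that it is not implemented, so a reader cannot tell whether the bandwidth cap is still a requirement. Either remove the bandwidth-cap paragraph and record the decision in an implementation-notes paragraph, or keep it and label it explicitly as not yet implemented. Separately, the proposal never gives a concrete value for MAX_SERVERS_PER_IP, while both dir-spec hunks hardcode 3; stating the value here (and whether it is a consensus parameter or a compiled-in constant) would keep the proposal and the specs in agreement.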
