Increase rotation period of guard nodes
We are supposed to increase the rotation period of guard nodes from 2-3 months to 9-10 months, as per proposal 236. This is the ticket about this task.
This also should be deployed hand in hand with legacy/trac#9321 (moved), otherwise young guards will experience a big drop of clients.
Activity
changed milestone to %Tor: 0.2.7.x-final in legacy/trac
added 027-backport in Legacy / Trac component::core tor/tor in Legacy / Trac milestone::Tor: 0.2.7.x-final in Legacy / Trac owner::asn in Legacy / Trac parent::11480 in Legacy / Trac priority::high in Legacy / Trac resolution::duplicate in Legacy / Trac status::closed in Legacy / Trac tor-guard in Legacy / Trac type::task in Legacy / Trac labels
Also, even though we already have a
GuardLifetimeconsensus parameter, maybe it would be smarter to introduce a new consensus parameter for this switch, so that only upgraded clients actually switch to the new rotation period.Trac:
Parent: N/A to legacy/trac#11480 (moved)-
Indeed I'm on it. IMO, this blocks on legacy/trac#9321 (moved) which is moving.
So, all we need to do here beyond legacy/trac#9321 (moved) is to add an alternative name for GuardLifetime once 9321 is merged.
Trac:
Keywords: 026-triaged-1 deleted, 026-triaged-1 unfrozen added-
OK, here is a rough deployment plan:
-
We merge legacy/trac#9321 (moved) to little-t-tor. This allows dirauths to publish consensuses with guardfraction info, and it also allows clients to understand them and tweak their path selection appropriately.
-
We deploy guardfraction script to all the authorities we can find. We give them some time to populate their consensus database, etc.
-
We get authorities to run a version of Tor with the legacy/trac#9321 (moved) code. They enable the feature so that consensuses get produced with GuardFraction items. Old clients ignore those items, upgraded clients ignore them too because the
UseGuardFractionis still turned off. -
Now we Tor developers can test the guardfraction code on the real network. We can manually turn on
UseGuardFractionin our torrc, and check the logs to see if the new probabilities make sense. After this phase we should have a reasonable assurance that the code works. -
Now it's time to turn the feature on for all upgraded clients. We can do this with 3 months of guard lifetime, or we can first up the guard lifetime to 9 months. It's useful in both cases.
We should decide whether we should do this final step when the legacy/trac#9321 (moved) code is in stable or in alpha. I think that alpha is fine, but this means that not all clients will switch to the new path selection logic immediately. This is not optimal because proposal 238 also updates the total bandwidth weights (
G, M, E, D) according to guardfraction information, which basically assumes that all clients upgrade at the same time. In our case, this is probably not going to be true, which means that theMiddleweight and theExitweight will get overestimated, since they are going to drain some of theGuard+Middleweight and theGuard+Exitweight. From my discussion with Nick Hopper during the past dev meeting, we decided that the network should be able to handle this, and the situation will improve as more clients update. We maybe should think more about this.Finally, I'm not sure if we need an alternative name for
GuardLifetimeso that only upgraded clients switch to the new rotation period. I don't think this is necessary since it's OK also for old clients to switch to the new rotation period, as long as there are enough upgraded clients out there doing the guardfraction path selection so that they fill the guard traffic gap. -
-
Gonna close this as a duplicate of legacy/trac#8240 (moved).
Trac:
Resolution: N/A to duplicate
Status: assigned to closed moved from legacy/trac#12598 (moved)
added Task label and removed 1 deleted label
added Guards label and removed 1 deleted label