[tor-dev] Proposal 178: Require majority of authorities to vote for consensus parameters
Sebastian Hahn
hahn.seb at web.de
Mon May 2 18:43:42 UTC 2011
On May 2, 2011, at 11:23 AM, Sebastian Hahn wrote:
> On Mar 2, 2011, at 8:06 AM, Nick Mathewson wrote:
>> This is possibly bikeshed, but I would suggest that instead of
>> requiring half of existing authorities to vote on a particular
>> parameter, we require 3 or more to vote on it. (As a degenerate case,
>> fall back to "at least half" if there are fewer than 6 authorities in
>> the clique.)
>
> Hrm. I'm not too happy with this, unless we also include a way for a
> majority of authorities to prevent voting on that parameter altogether.
> Doing the design as presented above would then be simpler.
I updated the proposal without taking into account the
suggested change. If people feel strongly I'm happy to revise
it as I indicated above. I've pushed an updated version to
my torspec repository, where the old version [0], the new
version [1] and a diff [2] between the two is available.
I updated the example implementation to be compatible with
the current code, and changed it to refer to this proposal
correctly instead of 178. I hope that with this clarification on
the intentions this proposal can go into the accepted category,
unless concerns remain.
Below I am replicating the new version of the proposal
fully.
Thanks
Sebastian
[0]: https://gitweb.torproject.org/sebastian/torspec.git/blob/e52b2be829a9a8027c173568b6d841feb3c1096a:/proposals/178-param-voting.txt
[1]: https://gitweb.torproject.org/sebastian/torspec.git/blob/0fe8b85897a8919b2911bedcf475b578b0b67ec6:/proposals/178-param-voting.txt
[2]: https://gitweb.torproject.org/sebastian/torspec.git/commitdiff/0fe8b85897a8919b2911bedcf475b578b0b67ec6
Filename: 178-param-voting.txt
Title: Require majority of authorities to vote for consensus parameters
Author: Sebastian Hahn
Created: 16-Feb-2011
Status: Open
Overview:
The consensus that the directory authorities create may contain one or
more parameters (32-bit signed integers) that influence the behavior
of Tor nodes (see proposal 167, "Vote on network parameters in
consensus" for more details).
Currently (as of consensus method 11), a consensus will end up
containing a parameter if at least one directory authority votes for
that paramater. The value of the parameter will be the low-median of
all the votes for this parameter.
This proposal aims at changing this voting process to be more secure
against tampering by a non-majority of directory authorities.
Motivation:
To prevent a minority of the directory authorities from influencing
the value of a parameter unduly, the majority of directory authorities
has to vote for that parameter. This is not currently happening, and
it was in fact not uncommon for a single authority to govern the value
of a consensus parameter.
Design:
When the consensus is generated, the directory authorities ensure that
a param is only included in the list of params if at least half of the
total number of authorities votes for that param. The value chosen is
the low-median of all the votes. We don't mandate that the authorities
have to vote on exactly the same value for it to be included because
some consensus parameters could be the result of active measurements
that individual authorities make.
Security implications:
This change is aimed at improving the security of Tor nodes against
attacks carried out by a minority of directory authorities. It is
possible that a consensus parameter that would be helpful to the
network is not included because not enough directory authorities
voted for it, but since clients are required to have sane defaults
in case the parameter is absent this does not carry a security risk.
Specification:
dir-spec section 3.4 currently says:
Entries are given on the "params" line for every keyword on which any
authority voted. The values given are the low-median of all votes on
that keyword.
It is proposed that the above is changed to:
Entries are given on the "params" line for every keyword on which a
majority of authorities (total authorities, not just those
participating this vote) voted on. The values given are the
low-median of all votes on that keyword.
Consensus methods 11 and before, entries are given on the "params"
line for every keyword on which any authority voted, the value given
being the low-median of all votes on that keyword.
The following should be added to the bottom of section 3.4.:
* If consensus method 12 or later is used, only consensus
parameters that more than half of the total number of
authorities voted for are included in the consensus.
The following line should be added to the bottom of section 3.4.1.:
"12" -- Params are only included if a majority voted for them
Compatibility:
A sufficient number of directory authorities must upgrade to the new
consensus method used to calculate the params in the way this proposal
calls for, otherwise the old mechanism is used. Nodes that do not act
as directory authorities do not need to be upgraded and should
experience no change in behaviour.
Implementation:
An example implementation of this feature can be found in
https://gitweb.torproject.org/sebastian/tor.git, branch safer_params.
More information about the tor-dev
mailing list