author: Nick Mathewson <nickm@torproject.org> 2007-07-29 05:20:31 +0000
committer: Nick Mathewson <nickm@torproject.org> 2007-07-29 05:20:31 +0000
commit: 1b665b3c7e13b493e229bf308bf4de7a1d7413c3
tree: e3f67d3419d4f49ee50f677528f9878c43bbedf5 /doc
parent: eca2a300609437ab390eac6fb5a81be006fa1af7
r13979@catbus: nickm | 2007-07-29 01:20:20 -0400
Implement proposal 109: As an authority, never call more than 3 servers per IP Running and Valid. Prefer Running servers to non-running ones; then prefer high-bandwidth to low-bandwidth. Needs testing. svn:r10968
Diffstat (limited to 'doc')
-rw-r--r-- doc/TODO | 2
-rw-r--r-- doc/spec/dir-spec-v2.txt | 6
-rw-r--r-- doc/spec/dir-spec.txt | 8
-rw-r--r-- doc/spec/proposals/109-no-sharing-ips.txt | 17
4 files changed, 25 insertions, 8 deletions
diff --git a/doc/TODO b/doc/TODO
index 9d98ad9d4..ceff559f1 100644
--- a/doc/TODO
+++ b/doc/TODO
@@ -140,7 +140,7 @@ Things we'd like to do in 0.2.0.x:
- Drop bandwidth history from router-descriptors
- 105: Version negotiation for the Tor protocol
- 108: Base "Stable" Flag on Mean Time Between Failures
- - 109: No more than one server per IP address
+ o 109: No more than one server per IP address
o 103: Splitting identity key from regularly used signing key
o Merge with 101 into a new dir-spec.txt
- 113: Simplifying directory authority administration
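Review bot: the TODO entry text "No more than one server per IP address" no longer matches what this commit implements, which is a cap of 3 servers per IP (see the dir-spec hunks in this patch and proposal 109's MAX_SERVERS_PER_IP); consider rewording the item, e.g. `o 109: No more than MAX_SERVERS_PER_IP (3) servers per IP address`. Marking it done ("o") also overstates completion: the commit message says "Needs testing" and the proposal hunk below records that the MAX_BW_PER_IP half is not implemented, so a follow-up item for the bandwidth cap would be more accurate.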
diff --git a/doc/spec/dir-spec-v2.txt b/doc/spec/dir-spec-v2.txt
index 712be9e7f..553e565cc 100644
--- a/doc/spec/dir-spec-v2.txt
+++ b/doc/spec/dir-spec-v2.txt
@@ -482,6 +482,12 @@ $Id$
Directory server administrators may label some servers or IPs as
blacklisted, and elect not to include them in their network-status lists.
+ Authorities SHOULD 'disable' any servers in excess of 3 on any single
+ IP. When there are more than 3 to choose from, authorities should first
+ prefer Running to non-Running, and then prefer high-bandwidth to
+ low-bandwidth. To 'disable' a server, the authority *should* advertise
+ it without the Running or Valid flag.
+
Thus, the network-status list includes all non-blacklisted,
non-expired, non-superseded descriptors.
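Review bot: the normative strength is inconsistent within the added paragraph: "Authorities SHOULD" uses the RFC 2119 keyword, while "authorities should first prefer" and "the authority *should* advertise" do not, so a reader cannot tell whether the selection order and the disable mechanism are requirements or advice. Suggest uppercase `SHOULD` in all three places, or `MUST` for the disable mechanism, since a "disabled" server that still carries Running or Valid defeats the per-IP limit. The hardcoded "3" also diverges from proposal 109, which names the constant MAX_SERVERS_PER_IP; referencing the constant keeps the two documents in sync if the limit is tuned. Tie-breaking when bandwidths are equal is unspecified, which matters because authorities that break ties differently will disable different servers at the same IP.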
diff --git a/doc/spec/dir-spec.txt b/doc/spec/dir-spec.txt
index 4da1e9771..1900fe371 100644
--- a/doc/spec/dir-spec.txt
+++ b/doc/spec/dir-spec.txt
@@ -968,7 +968,13 @@ $Id$
Directory server administrators may label some servers or IPs as
blacklisted, and elect not to include them in their network-status lists.
- Thus, the network-status list includes all non-blacklisted,
+ Authorities SHOULD 'disable' any servers in excess of 3 on any single
+ IP. When there are more than 3 to choose from, authorities should first
+ prefer Running to non-Running, and then prefer high-bandwidth to
+ low-bandwidth. To 'disable' a server, the authority *should* advertise
+ it without the Running or Valid flag.
+
+ Thus, the network-status vote includes all non-blacklisted,
non-expired, non-superseded descriptors.
3.4. Computing a consensus from a set of votes
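Review bot: the unchanged context line above still says "their network-status lists" while the changed line now says "the network-status vote", so the paragraph mixes the two terms; if the v3 wording is "vote", the preceding sentence should change as well, and that rename is a separate editorial change from the proposal-109 text. The same keyword inconsistency as in dir-spec-v2.txt applies here (`SHOULD` vs `should` vs `*should*`); because section 3.4 computes the consensus from these votes, the selection order and tie-break should be stated as a requirement, otherwise authorities will vote inconsistently about which servers at a shared IP are Valid and Running.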
diff --git a/doc/spec/proposals/109-no-sharing-ips.txt b/doc/spec/proposals/109-no-sharing-ips.txt
index 4a5f1a80b..483b8b53f 100644
--- a/doc/spec/proposals/109-no-sharing-ips.txt
+++ b/doc/spec/proposals/109-no-sharing-ips.txt
@@ -4,7 +4,7 @@ Version: $Revision$
Last-Modified: $Date$
Author: Kevin Bauer & Damon McCoy
Created: 9-March-2007
-Status: Accepted
+Status: Closed
Overview:
This document describes a solution to a Sybil attack vulnerability in the
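Review bot: changing Status from Accepted to Closed is premature given the commit message's "Needs testing" and the "[[ We don't actually do this part here. -NM" note in the next hunk, which states that the MAX_BW_PER_IP limit is not implemented; suggest keeping `Status: Accepted` until the bandwidth half is implemented or tested, or adding a line next to Status recording that only the MAX_SERVERS_PER_IP portion is in place.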
@@ -34,14 +34,19 @@ Specification:
For each IP address, each directory authority tracks the number of routers
using that IP address, along with their total observed bandwidth. If there
are more than MAX_SERVERS_PER_IP servers at some IP, the authority should
- "disable" all but MAX_SERVERS_PER_IP servers. If the total observed
+ "disable" all but MAX_SERVERS_PER_IP servers. When choosing which servers
+ to disable, the authority should first disable non-Running servers in
+ increasing order of observed bandwidth, and then should disable Running
+ servers in increasing order of bandwidth.
+
+ [[ We don't actually do this part here. -NM
+
+ If the total observed
bandwidth of the remaining non-"disabled" servers exceeds MAX_BW_PER_IP,
the authority should "disable" some of the remaining servers until only one
server remains, or until the remaining observed bandwidth of non-"disabled"
- servers is under MAX_BW_PER_IP. When choosing which servers to disable,
- the authority should first disable non-Running servers in increasing order
- of observed bandwidth, and then should disable Running servers in
- increasing order of bandwidth.
+ servers is under MAX_BW_PER_IP.
+ ]]
Servers that are "disabled" MUST be marked as non-Valid and non-Running.
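Review bot: the "[[ ... -NM ]]" bracket leaves the MAX_BW_PER_IP paragraph in an undefined state: it is still worded with "should", so a reader of the proposal cannot tell whether that rule is withdrawn, deferred, or optional, and the closing line "Servers that are "disabled" MUST be marked as non-Valid and non-Running" now refers to a disabling procedure of which only half applies. Suggest replacing the bracket with a plain sentence such as "The bandwidth limit (MAX_BW_PER_IP) is not currently implemented; authorities only apply MAX_SERVERS_PER_IP." The moved sentence on disable order ("first disable non-Running servers in increasing order of observed bandwidth, and then ... Running servers") agrees with the dir-spec wording, which is good, but it is worth stating explicitly that the cap bounds only the number of servers per IP and ranks survivors by observed bandwidth, which is the scope of the Sybil mitigation this proposal claims.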