Delay descriptor bandwidth reporting on established relays
In #23856 (moved), we:
- reduced the bandwidth stats interval from 4 hours to 24 hours, and
- reduced urgent (2x change) descriptor bandwidth reports from every 20 minutes to every 3 hours.
But we think we can make descriptor bandwidth reports even slower on large relays, because they have less need to ramp up their bandwidth.
Here are our options:
- don't report until the change is larger, for example, 4x
- don't report for longer, for example, every 6 hours or 24 hours
- delay the reporting of the first large change, as well as subsequent large changes
Here are the open questions:
- tor traffic has a daily cycle, so do we need to report large bandwidth changes multiple times a day to cope with this? (I think the answer is "no", because small changes are already reported every 18 hours on the standard descriptor schedule, and that seems to work fine. And large changes are already reported once, then the delay is imposed.)
Activity
changed milestone to %Tor: 0.2.9.x-final
added 029-backport-maybe 031-unreached-backport-maybe 032-unreached-backport-maybe 033-backport-maybe 034-backport-maybe 034-removed-20180328 034-triage-20180328 035-triaged-in-20180711 bwauth-wants chutney-wants component::core tor/tor guard-discovery-stats milestone::Tor: 0.2.9.x-final owner::juga parent::25925 points::1 priority::medium resolution::fixed reviewer::ahf security-low severity::normal status::closed tor-bwauth type::defect labels
Replying to arma:
I am a fan of "publish a new descriptor for sufficiently-changed bandwidth estimates if your uptime is less than 24 hours, else assume that things are sufficiently established and the next regularly scheduled descriptor update will be enough".
I can imagine two pathological cases here:
- relays that reboot (or hibernate) every 24 hours, and
- relays that hibernate or go offline, rather than just having started.
We'll need to account for both these cases, but they'll make the relay lose the guard flag, so we don't need to be so concerned about them.
If we code this feature so we can make bandwidth reporting faster on non-default networks, that would make it easier to test bandwidth authorities in chutney (see also #16386 (moved)).
Trac:
Keywords: N/A deleted, chutney-wants, bwauth-wants addedReplying to arma:
I am a fan of "publish a new descriptor for sufficiently-changed bandwidth estimates if your uptime is less than 24 hours, else assume that things are sufficiently established and the next regularly scheduled descriptor update will be enough".
This seems like a nice simple solution to the issue. Let's make it happen.
Trac:
Parent: 25925 to #25925 (moved)-
Is the place to do this change
check_descriptor_bandwidth_changed(https://gitweb.torproject.org/tor.git/tree/src/or/router.c#n2629)?If i've the line https://gitweb.torproject.org/tor.git/tree/src/or/router.c#n2643 as:
if (get_uptime() < 60*60*24 && last_changed+MAX_BANDWIDTH_CHANGE_FREQ < now || !prev), then the descriptor would still be uploaded when there is notprev.Should instead i do
get_uptime() > 60*60*24 return;at the beginning of the function so that there are not any further checks when the relay is up for more than 1 day?Trac:
Owner: N/A to juga
Status: new to assigned
Cc: juga to N/A Replying to juga:
Is the place to do this change
check_descriptor_bandwidth_changed(https://gitweb.torproject.org/tor.git/tree/src/or/router.c#n2629)?If i've the line https://gitweb.torproject.org/tor.git/tree/src/or/router.c#n2643 as:
if (get_uptime() < 60*60*24 && last_changed+MAX_BANDWIDTH_CHANGE_FREQ < now || !prev), then the descriptor would still be uploaded when there is notprev.Should instead i do
get_uptime() > 60*60*24 return;at the beginning of the function so that there are not any further checks when the relay is up for more than 1 day?Yes, but please make
60*60*24a named #define with a comment. It should be like MAX_BANDWIDTH_CHANGE_FREQ.Replying to juga:
Should i also make the
2incur > prev*2andcur > prev/2a named #define in case we want to change it to other number in the future?.Yes, that would be helpful.
And in the end there is no need to check whether the relay is large here?
No, we are just checking whether it has been up for a day. See comment 2.
-
See my branch
ticket20104.test_router.conly contains 1 test and adding a test for this does not seem possible without adding more mocking functions, asget_uptimeandbandwidthcapacityShould we also change the dir-spec line https://gitweb.torproject.org/torspec.git/tree/dir-spec.txt#n354 to say something like:
- Its uptime is less than 24h and bandwidth has changed...Trac:
Status: assigned to needs_review
Keywords: N/A deleted, tor-bwauth added This is a low-severity security issue because bandwidth spike reporting enables guard discovery attacks.
We might want to backport it to 0.2.9, so please base the branch on 0.2.9.
Trac:
Version: N/A to Tor: unspecified
Milestone: Tor: unspecified to Tor: 0.3.5.x-final
Type: enhancement to defect
Keywords: N/A deleted, security-low, 034-backport-maybe, 029-backport-maybe, 033-backport-maybe, 031-backport-maybe, 032-backport-maybe added
