Filename: 243-hsdir-flag-need-stable.txt
Title: Give out HSDir flag only to relays with Stable flag
Author: George Kadianakis
Created: 2015-03-23
Status: Closed
Implemented-in: 0.2.7

1. Introduction

   The descriptors of hidden services are stored by hidden service
   directories. Those are chosen by directory authorities who assign
   the "HSDir" flag to those relays according to their uptime.

   It's important for new relays to not be able to get the HSDir flag
   too easily, because a few correctly placed HSDirs can launch a
   denial of service attack on a hidden service. We should make sure
   that a naive Sybil attacker that injects thousands of new Tor
   relays to the network cannot position herself like this.

2. Motivation

   Currently, directory authorities give out the HSDir flag to relays
   that volunteer to be hidden service directories by sending a
   "hidden-service-dir" line in their relay descriptor, which is the
   default relay behavior. Furthermore, the HSDir flag is only given
   to relays that have been up for more than MinUptimeHidServDirectoryV2 hours.
   MinUptimeHidServDirectoryV2 is a parameter locally set at the
   directory authorities and it's somewhere between 25 to 96 hours.

   We propose changing that last requirement, and instead giving the
   HSDir flag only to relays that have the Stable flag. We believe
   that this will result in a few benefits:

   - We stop using the ad-hoc uptime calculation that we are currently
     doing (see dirserv_thinks_router_is_hs_dir()). Instead, we use
     the MTBF uptime calculation that is performed for the Stable flag
     which is more robust.

   - We increase the time required to get the HSDir flag, making it
     harder for naive adversaries that flood the network with relays
     to actually get the HSDir flag.

   - After implementing non-deterministic HSDir picks (#8244) we also
     make it harder for sophisticated adversaries to DoS a hidden
     service, since at that point their main attack strategy is to
     flood the network with relays.

   - By increasing the stability of HSDirs, we reduce the misses
     during descriptor fetching that get caused by natural churn of
     relays on the list of HSDirs.

3. Specification

   We are suggesting changing the criteria that directory authorities
   use to vote for HSDirs to the following:

   - The relay has included the "hidden-service-dir\n" line in its
     descriptor.

   - The relay is eligible for having the "Stable" flag.

4. Security considerations

   As it currently is, a router is 'Stable' if it is active, and
   either its Weighted MTBF is at least the median for known active
   routers or its Weighted MTBF corresponds to at least 7 days. This
   is stricter criteria than what's required for HSDir, which means
   that the number of HSDirs will decrease after the suggested changes.

   Currently there are about 2400 HSDirs in the consensus, and about
   2300 of them are Stable, which means that we will lose about 100 HSDirs.
   We believe that this is an acceptable temporary loss. In the
   short-term future, the number of HSDirs will greatly improve as
   more directory authorities upgrade to #14202 and more relays
   upgrade to #12538.

5. Future

   Should we give out the HSDir flag only to relays that are Fast? Is
   being an HSDir a demanding job bandwidth-wise?

   With the upcoming keyblinding scheme (#8106) and non-deterministic
   HSDir selection (#8244), are there any other criteria that we
   should use when assigning HSDir flags?