[tahoe-dev] switching from introducers to gossip?
Brian
warner at lothar.com
Tue Jul 3 16:36:28 UTC 2012
On 7/3/12 3:51 AM, darrob wrote:
> We've been using the multi-introducer patch on I2P since Tahoe-LAFS
> 1.8.3 and it has indeed proven to be more robust. The
> single-introducer grid we started out with simply fell apart when the
> introducer disappeared. It then took a long time before everybody
> learned the new introducer's address and adjusted their
> configurations. Time and files were lost. This hasn't happened again
> since we've started using the patched version.
>
> The administrative burden is definitely there. However, I'd argue
> against it being worse. At least nodes that only know about a subset
> of introducers (e.g. only I2 in your example below) are in no rush of
> adding the rest (I3) because the grid is still functional.
Ah, that's an excellent data point. Thanks! Yeah, multi-introducers are
a bit like RAID: you have more time to respond to a failure before the
whole system starts having problems.
>> If you generalize this, then all nodes can function as introducers,
>> and there's no need for dedicated Introducer nodes. As long as at
>> least one node with a public IP is up at any given time, everybody
>> else can learn the current state of the world.
>
> This sounds perfect. I wonder if this system is susceptible to
> introducer spam attacks of some sort, though. I image those would be
> an annoyance at best.
Yeah, I think the worst-case attack is a DoS, where somebody floods
useless information into the system. The key is the signed
announcements: you may hear about all sorts of garbage, but you'll only
pay attention to announcements that are signed by someone you've
Invited, or who Invited you, or to whom you're transitively connected by
Invitations.
Ideally we can use that same criteria to limit how Announcements are
flooded, so unrecognized garbage (i.e. "a stranger") doesn't travel
further than a single node.
cheers,
-Brian
More information about the tahoe-dev
mailing list