[tahoe-dev] Building a more resistant introducer

Francois Deppierraz francois at ctrlaltdel.ch
Fri Dec 11 18:28:51 UTC 2009


Sam Mason wrote:

> Just out of interest, why isn't this done at the DNS level?  It
> seems appropriate to have multiple IP addresses associated with
> "volunteergrid-introducer.allmydata.org" and you'd gain the advantage
> that the list of introducers can be varied more easily.  This doesn't
> seem to introduce any additional attacks as the multiple-hosts-per-url
> version you have also trusts the DNS system.

Using multiple DNS domains prevents the 'allmydata.org' domain itself
from becoming a single point of failure.  In every case, we explicitly
require the introducer to have only a single IP address at any given
moment to avoid the "netsplit situation" that Brian was writing about.

It also doesn't seem really practical to know in advance -- because the
furl is going to be deployed on every node -- all the possible IP
addresses on which the introducer might run in the future.

The goal of this new introducer furl is primarily to prevent the need to
reconfigure every node in the volunteer grid if the introducer disappears
(server crash, expired domain name, unresponsive administrator, etc.).

Unfortunately, it doesn't protect from someone with access to one of the
zones used in the furl to actively disrupt the grid by creating a bogus
introducer.

François
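
An added example, not part of the original message or of Tahoe-LAFS: a check an operator could run over a multi-hostname introducer furl to confirm the two properties discussed above, namely that the hostnames span more than one DNS zone and that they all resolve to one IP address at a given moment. It assumes the Foolscap layout pb://TUBID@host:port,host:port/NAME; the furl, hostnames and addresses are constructed, and the resolver is passed in as a function so the check runs offline.

```python
# Constructed sample furl (placeholder tub ID, documentation hostnames).
SAMPLE_FURL = ("pb://aaaabbbbccccddddeeeeffffgggghhhh@"
               "introducer.example.org:50213,introducer.example.net:50213/introducer")

def parse_furl(furl):
    """Split pb://TUBID@host:port,host:port/NAME into (tubid, hints, name)."""
    if not furl.startswith("pb://"):
        raise ValueError("not a pb:// furl")
    tubid, at, rest = furl[len("pb://"):].partition("@")
    hints, slash, name = rest.partition("/")
    if not (tubid and at and slash and name):
        raise ValueError("malformed furl")
    parsed = []
    for hint in hints.split(","):
        host, _, port = hint.rpartition(":")
        if not host or not port.isdigit():
            raise ValueError("bad connection hint: %r" % hint)
        parsed.append((host.lower(), int(port)))
    return tubid, parsed, name

def zone_of(host):
    # Simplification (assumption): the last two labels stand in for the zone.
    # A production check would consult the public suffix list instead.
    return ".".join(host.split(".")[-2:])

def audit_furl(furl, resolve):
    """resolve(host) returns a set of IP strings (empty if the name is dead)."""
    _, hints, _ = parse_furl(furl)
    zones = {zone_of(host) for host, _ in hints}
    addrs = {host: set(resolve(host)) for host, _ in hints}
    live = set().union(*addrs.values())
    return {
        "zones": sorted(zones),
        # All hostnames under one zone: that zone is a single point of failure.
        "single_zone_spof": len(zones) < 2,
        # Names that no longer resolve (expired domain, removed record).
        "unresolved": sorted(h for h, a in addrs.items() if not a),
        # More than one live address: nodes may reach different introducers.
        "netsplit_risk": len(live) > 1,
    }

if __name__ == "__main__":
    # Constructed resolver data: both names point at the same address.
    table = {"introducer.example.org": {"192.0.2.10"},
             "introducer.example.net": {"192.0.2.10"}}
    print(audit_furl(SAMPLE_FURL, lambda h: table.get(h, set())))
```

A netsplit_risk result of True also covers the case raised in the last paragraph, where one zone has been pointed at a different host than the others.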



