On 09/05/14 10:14, Michael Rogers wrote:
On 08/05/14 14:40, Christopher Baines wrote:
Perhaps it would make sense to pick one or more IPs per guard, and change those IPs when the guard is changed? Then waldo's attack by a malicious IP would only ever discover one guard.
If you change the IP's when the guard is changed, this could break the consistency between different instances of the same service (assuming that the different instances are using different guards).
It should be possible to avoid breaking consistency by having an overlap period: when a guard is scheduled to be replaced, each instance connects to a new guard and IPs, the new descriptor is published, then each instance disconnects from the old guard and IPs.
This should work whether or not the instances use the same guards. If the instances use the same guards, waldo's attack can discover one guard shared by all instances; otherwise it can discover one guard per instance. I'm not sure which is worse for anonymity - any thoughts?
How do you see the guards being "scheduled" for replacement?
Another issue is how do you get each instance to connect through the same guard node?
I think that it would be fine having per instance guard nodes (1 or more). I don't see much significance in it being shared, it also seems quite problematic to accomplish.