On Thu, May 20, 2010 at 07:44:51AM -0400, [email protected] wrote: > On Thu, May 20, 2010 at 01:31:47PM +0200, [email protected] wrote 0.9K > bytes in 19 lines about: > : >From what I understand, yes, at the moment both "partners" have to list > : each other. That's what the fuss is all about, because this becomes hard > : to manage when you run a lot of nodes. > > Yes, this is how MyFamily works. Each node in the family must be > configured to list all other nodes in the family. If I start up node > Alice, and list Bob and Mallory in MyFamily, Bob must list Alice and > Mallory, and Mallory must list Alice and Bob. If Mallory lists Alice > and Bob, but neither Alice nor Bob list Mallory, it's not a valid > Family. Otherwise, Mallory could list every node in the network and > screw everyone. Or list all nodes in the network but 3 and shunt all > traffic through those 3, etc.
Glad I read this thread through to the end. This was what I was going to say, only not as well as Andrew. It is possible however, to have some value to allowing some asymmetry, viz: if Alice lists Bob_1, ..., Bob_1000 in her family, but no Bob lists Alice, then a path selection that chooses both Alice and Bob_i will be rejected, but one that lists Bob_i and Bob_j will be just fine. This is not how MyFamily works now (or am I wrong ?). But that could change. The only paths Alice could then affect would be ones that choose her. The point is not just that the attacks Andrew mentioned are no longer possible. It is also true that someone who mananged to set MyFamily on only some of his nodes would still cause those paths to be avoided. S/he may or may not have covered the entire family by this process, but s/he can cover the entire family by setting MyFamily in half of them, perhaps a little less overhead. Perhaps this is what various people were alluding to when they said that there is no attack in letting one node set MyFamily and having it only affect itself thereby? The above is not an unqualified recommendation, however. Besides the fifty percent configuration overhead savings for people with large families. I like that a partially set family provides some of the intended function rather than just failing completely, but (a) It's off the top of my head, (b) There may be other more subtle attacks than the obvious ones Andrew was mentioning, (c) The added complexity of it being OK to do something less complete than setting this at all nodes may lead to more people getting it wrong more often so that the graceful failure is more than offset. (d) I haven't thought about implications for complexity of path selection, distribution of directory info, etc. They may render any benefit too expensive. All that said, it is perhaps worth at least considering. aloha, Paul *********************************************************************** To unsubscribe, send an e-mail to [email protected] with unsubscribe or-talk in the body. http://archives.seul.org/or/talk/
