On 7/11/06, Matthew Toseland <toad at amphibian.dyndns.org> wrote:
> That's called "update over mandatory". There are two complications:
> 1. We must be able to verify the signature on the update. We don't trust
> our peers *THAT* much that we'd deploy unsigned code from them!
> 2. We must determine whether the revocation key has been blown. This
> means we must get a majority or universal verdict from a number of our
> peers on this fact.
>
Pardon my question if it's not realistic, but instead of having incompatible nodes completely disconnect from each other, could we maybe have it go into a "limp mode" where only a white-listed set of SSK keys could be requested, and no data-inserts at all? This would allow for old nodes to still pull down the update and verify it, but keep them from affecting routing?

I suppose you would have to allow all CHKs to be requested though, since the update's CHK would be unknown to us, unless the newer node puts the list of CHKs in its white-list when it receives an update, then the old node requests the SSK, gets the list of CHKs and requests those, which would be allowed by the newer node.

This would stop malicious nodes from affecting bandwidth of the network, and if we took it a bit further a well behaved node would stop requesting or sending anything except the update once a certain percentage of its routes report it to be out of date.

-- 
I may disagree with what you have to say, but I shall defend, to the death, your right to say it. - Voltaire
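The "limp mode" policy sketched in the mail, written out as an added example (not Freenet code, and not from either poster): a node drops into limp mode on the first peer that reports it out of date, then allows only the white-listed update SSK, the CHKs that SSK resolves to, and no inserts; once a configurable fraction of its peers report it out of date it stops serving peers as well. Mode names, method names, the 0.5 threshold and the key strings in the comments are all assumptions made for the example.

```python
from dataclasses import dataclass, field

# Hypothetical mode names for the example; the mail only describes the behaviour.
NORMAL, LIMP, UPDATE_ONLY = "normal", "limp", "update-only"


@dataclass
class LimpModePolicy:
    """Request policy for a node that peers have told is out of date (example sketch)."""
    whitelisted_ssks: set                 # SSKs the signed update is announced under
    peer_count: int                       # number of routes/peers we have
    out_of_date_fraction: float = 0.5     # share of peers that pushes us to update-only
    allowed_chks: set = field(default_factory=set)      # CHKs named by the update manifest
    out_of_date_peers: set = field(default_factory=set) # peers that reported us out of date
    mode: str = NORMAL

    def on_peer_report(self, peer_id, reports_us_out_of_date):
        """Record a peer's version verdict. One report -> limp; enough reports -> update-only."""
        if not reports_us_out_of_date:
            return self.mode
        self.out_of_date_peers.add(peer_id)
        if self.mode == NORMAL:
            self.mode = LIMP
        if len(self.out_of_date_peers) / self.peer_count >= self.out_of_date_fraction:
            self.mode = UPDATE_ONLY
        return self.mode

    def on_update_manifest(self, chks):
        """The white-listed SSK resolved to the CHKs holding the update; permit only those."""
        self.allowed_chks.update(chks)

    def allow_local_request(self, key_type, key):
        """Outgoing requests: everything in normal mode, only update keys otherwise."""
        if self.mode == NORMAL:
            return True
        if key_type == "SSK":
            return key in self.whitelisted_ssks
        if key_type == "CHK":
            return key in self.allowed_chks
        return False

    def allow_local_insert(self):
        """No data inserts at all once we are known to be out of date."""
        return self.mode == NORMAL

    def allow_peer_traffic(self):
        """In limp mode we still forward and serve peers; in update-only we stop."""
        return self.mode != UPDATE_ONLY
```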
