[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Filtering out attacks?

To: or-talk@xxxxxxxxxxxxx
Subject: Re: Filtering out attacks?
From: Adam Langley <alangley@xxxxxxxxx>
Date: Tue, 17 May 2005 16:59:25 +0100
Delivered-to: archiver@seul.org
Delivered-to: or-talk-outgoing@seul.org
Delivered-to: or-talk@seul.org
Delivery-date: Tue, 17 May 2005 11:59:52 -0400
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=C/6WJWCEjiw7XK64CWu89bUsN6l6rlxbZ0BnKaANnWQFzYot/Z0d6TkrntYUHW0SALegBcp7C+I6jU4XBNymsAGGxvCvj+37yjhCWvOKY4Ob78pO3rdeuU2vxjT14UBLtw0doxnShxCRCqUeopOqk3zQLjrxbIzGVhUPXLk/Nyc=
In-reply-to: <4289BE84.27732.2F72733@localhost>
References: <20050516153349.GF25798@csail.mit.edu> <20050516152054.S12832@moria.mit.edu> <4289BE84.27732.2F72733@localhost>
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx

On 5/17/05, alexyz@xxxxxxxxxx <alexyz@xxxxxxxxxx> wrote:
> If I can make an additional suggestion, why not have Tor implement some kind packet
> inspection?

It's important to remember that the circuit route is decided at
connection time - before any higher level information is available.
Since this is the case, one cannot use information like "I won't
connect to google.com" from the directory.

Thus any application level filtering has to be network wide. The
alternative is a non-deterministic "sometimes Google works, sometimes
it doesn't" and that's a very bad user experience.

(yes, a node could wait until after getting the first header before
making the connection. That might work for some protocols. For HTTP it
would have to be site level filtering only because many requests can
be sent down the same connection. But we can do site level filtering
already with exit rules. Don't underestimate how nice it is that Tor
has so far avoided touching the traffic at all.)

Do you have specific examples of where this would be a good idea?

AGL

-- 
Adam Langley                                      agl@xxxxxxxxxxxxxxxxxx
http://www.imperialviolet.org                       (+44) (0)7906 332512
PGP: 9113   256A   CC0F   71A6   4C84   5087   CDA5   52DF   2CB6   3D60

Follow-Ups:
- Re: Filtering out attacks?
  - From: alexyz
- Re: Filtering out attacks?
  - From: Geoffrey Goodell

References:
- Filtering out attacks?
  - From: Jonathan D. Proulx
- Re: Filtering out attacks?
  - From: Roger Dingledine
- Re: Filtering out attacks?
  - From: alexyz

Prev by Author: Re: Tor-1.0.4 core dump on FreeBSD 5.3
Next by Author: Re: Filtering out attacks?
Previous by thread: Re: Filtering out attacks?
Next by thread: Re: Filtering out attacks?
Index(es):
- Author
- Thread