
Re: TOR on Academic networks (problem)

Roger has addressed the general flavor of this before. The direction
that we've taken here at berkeley is to push for the network to be
changed (which really needs to happen in the long term).
Specifically, we're arguing to various administrative and technical
committees that the whole damn network shouldn't be trusted by
services that we subscribe to... and instead, the proxy service that
berkeleyites use to connect to library services off campus should be
used on campus too (so that a much smaller segment of our network is

I would be interested in hearing others' responses to your two
technical options below... which we didn't even consider. -Joe

On 5/16/06, Michael Holstein <michael.holstein@xxxxxxxxxxx> wrote:
I'm sure this has happened to others, but here goes on my problem.

Many academic networks have a variety of online journals they subscribe
to (like thousands of them) .. most allow campus-wide use restricted
only by IP address, usually the whole /16 or greater.

This of course presents a problem when you have a TOR router in that
/16. Sometimes the admin at the journals will understand that TOR is
just one of those 65k+ IP addresses and block that, and sometimes they
get into a snit and say they'll block the whole /16.

Since we can't put thousands of lines in the exit policy without causing
a cascading problem, what about null-routing them .. either by putting
entries in /etc/hosts that will be denied by the exit policy (thus
causing the client to pick another exit -- but not preventing access
directly by IP address), or the more secure, but more problematic,
blocking by changing the kernel routing tables to send those networks
into a blackhole on the TOR router.

The first approach causes a minimal problem performance-wise since the
client will choose a new path. The second will cause timeouts and
significantly impact performance.

Problem is, if these sort of issues persist, most of our institutional
support will evaporate -- so I'm going to have to do something.

I really don't want to hear about censorship, et al., because I already
know that's what it is, and don't have a problem admitting it. What I
want is viable solutions to the problem.

Any suggestions?


Michael Holstein CISSP GCIA
Cleveland State University

Joseph Lorenzo Hall
PhD Student, UC Berkeley, School of Information
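The two mechanisms Michael sketches (hosts-file entries that resolve to an address the exit policy rejects, and kernel blackhole routes) are easy to generate badly by hand from a list of thousands of publishers. The script below is an added example, not code from anyone on this thread; it turns a constructed list of journal hostnames into /etc/hosts sink entries and a constructed list of publisher networks into `ip route add blackhole` commands (Linux iproute2), validating and de-duplicating both. It assumes the sink address (127.0.0.1 by default) is something the router's exit policy already rejects, which holds for the default `ExitPolicyRejectPrivate` setting, and it assumes the exit's resolver honours /etc/hosts; the host lists and networks are made up (RFC 5737 documentation ranges) and are not a real blocklist. As Michael notes, the hosts-file trick still lets a client connect to the publisher by raw IP, while the blackhole routes close that gap at the cost of connection timeouts.

```shell
#!/bin/sh
# Added example, not from the or-talk thread. Generates the two kinds of
# blocking artefacts discussed above from a constructed list of hosts/nets.

# Assumption: the default exit policy rejects this address
# (ExitPolicyRejectPrivate is on by default), so the exit refuses the
# stream and the client retries via another exit instead of hanging.
SINK_ADDR="${SINK_ADDR:-127.0.0.1}"

# Read hostnames from stdin; drop comments, blanks, duplicates and
# malformed names; print "<sink> <hostname>" lines for /etc/hosts.
hosts_sink_entries() {
    tr 'A-Z' 'a-z' \
    | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//' \
    | grep -v '^$' \
    | grep -E '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$' \
    | sort -u \
    | while read -r h; do printf '%s %s\n' "$SINK_ADDR" "$h"; done
}

# Read IPv4 CIDRs from stdin; keep only well-formed ones (octets <= 255,
# prefix <= 32); print the iproute2 command that blackholes each network.
# Nothing is applied here: pipe the output to sh as root on the router.
blackhole_cmds() {
    sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//' \
    | grep -v '^$' \
    | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' \
    | awk -F'[./]' '$1<256 && $2<256 && $3<256 && $4<256 && $5<=32' \
    | sort -u \
    | while read -r n; do printf 'ip route add blackhole %s\n' "$n"; done
}

# Constructed sample input (not a real list of journal publishers).
JOURNALS='
# publisher hostnames, one per line
journals.example.org
Publisher.EXAMPLE.net
journals.example.org
bad host.example
not_valid
'

# Constructed sample networks (RFC 5737 documentation ranges).
NETS='
192.0.2.0/24
198.51.100.0/24
192.0.2.0/24
999.1.1.1/24
203.0.113.0/33
'

# Stand-alone demo: show what would be appended to /etc/hosts and what
# would be run on the router.
printf '%s\n' "$JOURNALS" | hosts_sink_entries
printf '%s\n' "$NETS" | blackhole_cmds
```

Run it as `sh blocklist.sh` to review the output first; only then append the hosts lines to /etc/hosts on the exit and feed the route commands to a root shell. Keep the generated lists in revision control so a publisher's complaint can be answered with the exact date a host or network was added.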