Re: Protecting exit-nodes by GeoIP based policy

arrakistor@xxxxxxxxx (Arrakistor) writes:

> What kind of policy did you have in mind in which the exit nodes would
> detect and base a decision on?

GeoIP (http://www.maxmind.com/app/c) is a candidate but I am not sure
about licensing.

Blocking/allowing a connection would be signaled in a way similar to
the current 'ExitPolicy'.

> From what I see, the only policy would be "determine if destination
> address is in same jurisdiction as tor server, if so, deny, else ok."

Yes; basically that's my idea. But I would increase configurability;
e.g. allow defining the jurisdiction (e.g. when having my tor server
somewhere in the Caribbean, I would count the Caribbean and Germany as my
jurisdiction; ditto for things like Germany alone or the whole of Europe).

You will have to add rules for hosts not covered by the GeoIP database
too (either allow them, or forbid them).

> This doesn't sound like a bad idea, and I guess it could be client or
> server implemented.

Doing it voluntarily on the client would be step 1 and can be done
immediately after implementing the feature.

Enforcing it on the server would be step 2 and needs some time, because
every client would have to know how to interpret the new exit policy.


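
Added example, not part of the original message and not Tor code: a sketch of the policy discussed above, rejecting destinations whose GeoIP country lies in an operator-defined jurisdiction set, with an explicit rule for addresses the database does not cover. The table contents, function names and country codes are constructed for illustration.

```python
import ipaddress

# Constructed sample GeoIP table (documentation address ranges, not real data).
GEOIP_TABLE = [
    ("192.0.2.0/24", "DE"),
    ("198.51.100.0/24", "FR"),
    ("198.51.100.128/25", "BS"),  # more specific entry inside the FR range
    ("2001:db8:1::/48", "DE"),
]


def build_table(rows):
    """Parse CIDR strings once and order them most specific prefix first."""
    nets = [(ipaddress.ip_network(cidr), cc) for cidr, cc in rows]
    return sorted(nets, key=lambda item: item[0].prefixlen, reverse=True)


def lookup_country(table, addr):
    """Return the country code for addr, or None if the table has no entry."""
    ip = ipaddress.ip_address(addr)
    for net, cc in table:
        if ip.version == net.version and ip in net:
            return cc
    return None


def exit_decision(table, addr, jurisdiction, unknown="reject"):
    """Reject destinations inside the operator's jurisdiction, accept the rest.

    jurisdiction: set of country codes the operator counts as its own.
    unknown: explicit rule for hosts the GeoIP database does not cover.
    """
    if unknown not in ("accept", "reject"):
        raise ValueError("unknown must be 'accept' or 'reject'")
    cc = lookup_country(table, addr)
    if cc is None:
        return unknown  # database gap: fall back to the configured rule
    return "reject" if cc in jurisdiction else "accept"
```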