
Re: [tor-relays] Exit node rejection of special IPv4 blocks



On Wed, Apr 23, 2014 at 03:12:36PM -0400, Zack Weinberg wrote:
> I'd like a sanity check on this list of special-purpose IPv4 blocks
> which I'm currently forbidding in the CMU exit node's policy.  I'm
> most uncertain about denying access to multicast (224.0.0.0/4) and
> 6to4 router anycast (192.88.99.0/24) -- I *think* there are no
> scenarios where someone would actually need to get at either of those
> via Tor, but I could be wrong.


Hi Zack,

Best practice is to only block addresses and destinations that you know
you don't want to reach. When you block addresses where somebody tells
you there should be nothing there, you're narrowing out the future. If
the RFC changes tomorrow and you don't notice, suddenly you're blocking
connections to a piece of Africa or whoever gets that IP space. And if
indeed nobody is using it, why block it?

Thanks!
--Roger

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
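
Added example, not part of the original thread and not Tor's own code: a small audit that compares `ExitPolicy reject` entries with the list of special-purpose blocks an operator last reviewed, so that rejections resting only on "this space is reserved" can be re-checked when the registry changes. The torrc fragment, the reviewed-block snapshot and the function names are constructed for illustration.

```python
import ipaddress

# Constructed snapshot of the special-purpose blocks the operator last
# reviewed (stand-in for a dated copy of the registry they worked from).
REVIEWED_SPECIAL = {
    "224.0.0.0/4": "multicast",
    "192.88.99.0/24": "6to4 router anycast",
}

# Constructed torrc fragment for the audit below.
SAMPLE_TORRC = """\
ExitPolicy reject 224.0.0.0/4:*, reject 192.88.99.0/24:*
ExitPolicy reject 192.88.0.0/16:*
ExitPolicy reject 198.51.100.0/24:25
ExitPolicy accept *:80, accept *:443, reject *:*
"""

def parse_rejects(torrc):
    """Return the IPv4 networks named in 'ExitPolicy reject' entries."""
    nets = []
    for line in torrc.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0].lower() != "exitpolicy":
            continue
        for item in parts[1].split(","):
            fields = item.split()
            if len(fields) != 2 or fields[0] != "reject":
                continue
            addr = fields[1].rsplit(":", 1)[0]  # drop the port part
            try:
                nets.append(ipaddress.ip_network(addr, strict=False))
            except ValueError:
                continue  # "*", "private" and similar aliases carry no CIDR
    return nets

def audit(rejects, reviewed):
    """Classify each rejected network against the reviewed snapshot."""
    blocks = {ipaddress.ip_network(c): why for c, why in reviewed.items()}
    report = {}
    for net in rejects:
        status = ("unlisted", "no reviewed block matches; needs its own reason")
        for block, why in blocks.items():
            if net.subnet_of(block):
                status = ("special-only", f"{why}; re-check when the registry changes")
                break
            if net.overlaps(block):
                status = ("wider", f"covers space outside {block} ({why})")
        report[str(net)] = status
    return report

if __name__ == "__main__":
    for net, (status, why) in audit(parse_rejects(SAMPLE_TORRC), REVIEWED_SPECIAL).items():
        print(f"{net:18} {status:13} {why}")
```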