
first thoughts on exit policies



An exit policy allows a node operator to limit the types of traffic that
leave his node. A node's configuration file has lines of the form:

scope protocol rule ipblock

where:

 scope is either public or private
 protocol specifies which protocol to limit (http, smtp, etc).
   More generally, we can think of this as 'application'.
 rule is either 'accept' or 'reject'. We can add 'authenticate'
   down the road.
 ipblock can be several forms: 18.244.*.*, 18.244.0.0/16, or
   *.mit.edu

Rules are processed in order, so we can get arbitrary granularity e.g. by
accepting a large IP space and then rejecting certain smaller sets.

To be more general, we could instead structure rule and ipblock like in
'man hosts.deny'.

The 'public' and 'private' specifiers distinguish between advertised
exit rules and actual exit rules: a certain node may be willing to let
certain traffic exit, but may not wish to publish this fact.

However, this scope specifier introduces problems. The author of the exit
policy must be careful not to leak information about private rules when
crafting the public rules. More disturbingly, users might get unexpected
behavior from the node if private rules are interspersed with public
rules. At the least this can disorient and upset users; but it can also
allow them to guess more information about the private exit rules.

Hm.

--Roger
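
An added example, not part of the original message: a small evaluator for the "scope protocol rule ipblock" lines described above, which reports destinations where the advertised (public-only) verdict differs from what the node actually does. Assumptions not stated in the post: the last matching rule wins (so that accept-then-reject narrows a range), traffic matching no rule is rejected, the advertised view consists of the public rules alone, and all function names and the sample policy are made up for illustration.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed sample policy (not from the post): scope protocol rule ipblock
POLICY = """\
public  http accept 18.244.0.0/16
private http reject 18.244.7.*
public  smtp reject *.*.*.*
private smtp accept *.mit.edu
"""

def parse(text):
    """Return (scope, protocol, rule, ipblock) tuples in file order."""
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) != 4 or fields[0] not in ("public", "private") \
                or fields[2] not in ("accept", "reject"):
            raise ValueError(f"line {n}: bad rule {line!r}")
        rules.append(tuple(fields))
    return rules

def block_matches(block, ip, host=None):
    """Match the three ipblock forms: CIDR, dotted-quad wildcard, hostname glob."""
    if "/" in block:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(block)
    octets = block.split(".")
    if len(octets) == 4 and all(o == "*" or o.isdigit() for o in octets):
        return all(o in ("*", a) for o, a in zip(octets, ip.split(".")))
    return host is not None and fnmatchcase(host.lower(), block.lower())

def decide(rules, proto, ip, host=None, scopes=("public", "private")):
    """Assumption: last matching rule wins; reject when nothing matches."""
    verdict = "reject"
    for scope, p, rule, block in rules:
        if scope in scopes and p == proto and block_matches(block, ip, host):
            verdict = rule
    return verdict

def surprises(rules, probes):
    """Probes whose advertised (public-only) verdict differs from the actual one."""
    out = []
    for proto, ip, host in probes:
        advertised = decide(rules, proto, ip, host, scopes=("public",))
        actual = decide(rules, proto, ip, host)
        if advertised != actual:
            out.append((proto, ip, advertised, actual))
    return out

print(surprises(parse(POLICY), [("http", "18.244.7.9", None)]))
```

Each mismatch is an observation a user can make from outside, which is how interspersed private rules end up disclosed through behaviour.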