[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Proposal: Exit Scanning

To: or-dev@xxxxxxxxxxxxx
Subject: Re: Proposal: Exit Scanning
From: Roger Dingledine <arma@xxxxxxx>
Date: Tue, 17 Feb 2009 17:53:25 -0500
Delivered-to: archiver@xxxxxxxx
Delivered-to: or-dev-outgoing@xxxxxxxx
Delivered-to: or-dev@xxxxxxxx
Delivery-date: Tue, 17 Feb 2009 17:53:31 -0500
In-reply-to: <20090217102349.GB14897@xxxxxxxxxx>
References: <20090217102349.GB14897@xxxxxxxxxx>
Reply-to: or-dev@xxxxxxxxxxxxx
Sender: owner-or-dev@xxxxxxxxxxxxx
User-agent: Mutt/1.5.13 (2006-08-11)

On Tue, Feb 17, 2009 at 02:23:49AM -0800, Mike Perry wrote:
> Title: Exit Scanning
> Version: $Revision$
> Last-Modified: $Date$
> Author: Mike Perry
> Created: 13-Feb-2009

I have just added this to the proposal directory as 'proposal 159'.

> Specification of Exit Marking:
> 
> Technically, BadExit could be marked via SETCONF AuthDirBadExit over
> the control port, but this would allow full access to the directory
> authority configuration and operation.

Right. That seems like a very bad move.

> The approved-routers file could also be used, but currently it only
> supports fingerprints, and it also contains other data unrelated to
> exit scanning that would be difficult to coordinate.
> 
> Instead, we propose that a new badexit-routers file that has three
> keywords:
> 
>   BadExitNet 1*[exitpattern from 2.3 in dir-spec.txt]
>   BadExitFP 1*[hexdigest from 2.3 in dir-spec.txt]
> 
> BadExitNet lines would follow the codepaths used by AuthDirBadExit to
> set authdir_badexit_policy, and BadExitFP would follow the codepaths
> from approved-router's !badexit lines.
> 
> The scanner would have exclusive ability to write, append, rewrite,
> and modify this file. Prior to building a new consensus vote, a
> participating Tor authority would read in a fresh copy.

This would involve quite a bit of new code -- reading, parsing, checking,
etc. I suggest we use the approved-routers file, with !badexit that's
already supported and teach it how to handle a new !badexitnet line.

It shouldn't be any more hassle on the SoaT side. For the two
Naming authorities (moria1 and tor26), we already manage multiple
approved-routers files, which are combined automatically.
https://svn.torproject.org/svn/tor/trunk/contrib/auto-naming/

The rule in my Makefile is:

approved-routers: approved-routers-auto approved-routers-manual tor-bad-fingerpr
ints/bad-routers
        cat $^ > "$@"

This 'approved-routers-auto' file is created by
https://svn.torproject.org/svn/tor/trunk/contrib/auto-naming/build-approved-routers

So SoaT could just generate and maintain an 'approved-routers-badexit'
file and we could add it to the Makefile line.

(One last note would be that we should run the file through another tiny
script to strip lines that don't start with !badexit or !badexitnet,
so we don't have to worry about somebody breaking into the soat and
generating !reject lines or Naming lines.)

--Roger

References:
- Proposal: Exit Scanning
  - From: Mike Perry

Prev by Author: Re: Effect of Tor window size on performance
Next by Author: Re: Effect of Tor window size on performance
Previous by thread: Re: Proposal: Exit Scanning
Next by thread: Moving from test win32 MSI packages to production ready
Index(es):
- Author
- Thread