Re: getting more exit nodes



     On Sun, 27 Apr 2008 13:57:34 -0700 "F. Fox" <kitsune.or@xxxxxxxxx>
wrote:
>Alexander Bernauer wrote:
>> On Wed, Apr 23, 2008 at 07:51:51AM -0700, Martin Fick wrote:
>>> I really don't understand why pseudo-exit node
>>> anonymity is so important?  
>> 
>> The short answer: 
>> Admins who run a Tor node which is for good reasons not an exit node
>> should be able to run at least a pseudo-exit node without additional
>> personal risk.
>(snip)
>
>This is why I've got reject *.* - I feel that the level of risk is just
>too much for me, given the current state of things.

     I reject port 80, but let exits to hundreds of other ports through.
>
>That being said... I just don't understand this pseudo-exit thing, and
>could really use a clear set of documents (or better yet, something with
>diagrams), so I can get my brain around it.
>
>Basically:
>
>1.) How can someone be an exit, without letting arbitrary users "take
>on" the identity of their IP?
>
>As soon as someone does that (as is with normal exits), they're open to
>crapstorms from anything bad anyone does... and I just don't understand
>how that can be avoided.
>
>2.) If a pseudo-exit doesn't "loan out" its IP, it must be hiding it
>somehow - most likely through another proxy. How on Earth can that be an
>exit?
>
>Sorry, but I've just been confused from the beginning.
>
     I think the original proposal was, at least in part, an attempt to
provide a way to effectively get more exit servers by allowing people to
run exits who are unable to make an ORPort reachable due to firewall
restrictions over which they have no authority.  Their systems connect
to registered servers and would then be able to offer exit service.  (They
could also offer relay service by the same token, but that's irrelevant here.)
However, when connections to other servers are closed/broken, their services
are no longer available via the same routes.  The original proposal also
included an involuntary draft of any non-server (in the registered sense) that
connected to a registered server.  It also failed to provide encryption for
the final hop to the real exit, a serious failing that bothered many readers,
and removed some control over route selection from the client and placed it
instead with the "pseudo-exit".
     My counterproposal is essentially to expand/enhance the existing
communication between servers to allow would-be servers with insurmountable
firewall restrictions to offer their exit capabilities to the various servers
to which they connect.  The listing of such services would be kept locally in
those servers and deleted upon termination of the relevant connections.
Clients' route selection and construction routines could request from an exit
server (but in principle, could be any server) via fully encrypted paths the
queried server's local directory of extra hops to such local exit servers.
(N.B. that "local" simply means "directly connected"; i.e., "local" is used
here in a topological sense, not a geographical one.)


                                  Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet:       bennett at cs.niu.edu                              *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************