F. Fox wrote:
I think that adding a "firewall-piercing" rendezvous-type system (like STUN, or I2P's SSU) to allow heavily-firewalled nodes to act as exits - ON A STRICTLY VOLUNTARY BASIS (i.e., off by default) - might be a nice feature.
Maybe Tor could copy Gnutella's connection reversal trick: if a node X is firewalled, it connects to any unfirewalled node Y and publishes Y's address in its descriptor. When an unfirewalled node Z wants to open a connection to X, it sends a message to X through Y, and X opens a connection back to Z. The X->Z connection is used exactly as if it were a Z->X connection established in the normal way. The circuit doesn't pass through Y, so all the crypto from TLS upwards remains the same.
Your comments about modifying the descriptors would still apply, though, and clients would have to be aware of it because connection reversal can't establish a connection between two firewalled nodes, so no circuit could contain two consecutive firewalled nodes (I guess that might have implications for anonymity as well). But if it allows more people to run nodes then maybe it's a worthwhile tradeoff?
Cheers, Michael