[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: ExcludeNodes setting bypassed

To: or-talk@xxxxxxxxxxxxx
Subject: Re: ExcludeNodes setting bypassed
From: Scott Bennett <bennett@xxxxxxxxxx>
Date: Sat, 13 Feb 2010 04:47:14 -0600 (CST)
Delivered-to: archiver@xxxxxxxx
Delivered-to: or-talk-outgoing@xxxxxxxx
Delivered-to: or-talk@xxxxxxxx
Delivery-date: Sat, 13 Feb 2010 05:47:36 -0500
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx

     On Fri, 12 Feb 2010 22:24:35 -0500 Nick Mathewson <nickm@xxxxxxxxxxxxx>
wrote:
>On Fri, Feb 12, 2010 at 6:10 AM,  <twinkletoedturtle@xxxxxxxxxxxxx> wrote:
>> This thread is being forked from the original as it doesn't entirely
>> depend on the user(s) using bridges and this problem. I understand
>> the purpose of Tor and know individuals, organizations, as well as
>> governments use Tor, so why be surprised when governments use Tor?
>> But if these individuals are correct, why are dc nodes making the
>> exception with ExcludeNodes and passing through? Is there an attack
>> on Tor certain nodes use to bypass this feature?
>>
>> From: Andrew Lewman
>>
>> "Yes, https://bugs.torproject.org/flyspray/index.php?do=3Ddetails&id=3D10=
>90.
>> =A0We're still working on it. =A0In fact, we're working on rewriting the
>> entire codebase around {Exclude}{Entry|Exit}Nodes options."
>
>I'll try to expand on the understand the bug report you are citing,
>since the stuff there really _does_ explain what the problem is,
>albeit in programmer-speak.
>
>The root problem here is in the way that node selection was originally
>written.  We needed to solve the question of, "what should we do when
>the user requests that only certain nodes be used, and then makes a
>request that those nodes cannot satisfy?"  Some examples where
>excluding nodes can make it impossible to fulfill a request include:
>   - Excluding a node, then choosing that node as the exit for a
>particular circuit.
>   - Excluding every introduction point for a hidden service, then
>trying to connect to that hidden service.
>   - Excluding every distributed directory point for a hidden service,
>then trying to look up its descriptor.
>   - Operating a hidden service, when the client picks a rendezvous
>point you've excluded.
>   - Trying to connect to an IP:Port when you have excluded every exit
>node that would support it.
>   - Trying to bootstrap when you have excluded every directory authority.
>
>In *most* of these cases, we figured that recent requests should
>override old requests, so if the user says "don't do X" and then says
>"do X", they probably meant the latter rather than the former.
>Similarly, we figured that people mostly wanted their requests not to
>break, and would get irritated if excluding nodes meant that their
>hidden service requests could break at random.  So (IIUC) we set up
>the code so that some service requests that could only be granted with
>excluded nodes would produce a warning rather than a complete failure.
>
>It turns out this wasn't the choice a lot of people want: they want to
>be able to say "Never ever ever use these nodes. If I ever make a
>request that can only be satisfied with nodes I've excluded, reject
>that request, even if it means I don't get the hidden services I want,
>or I can't bootstrap, or whatever."  This isn't a crazy thing to ask
>for at all.  As Andrew said, Roger's working on rewriting big chunks
>of the node selection code to support this feature.  As Andrew said,
>check out Bug 1090 for the details and progress.
>
>(Another confusing aspect here is that "exclude X as an exit node" has
>been taken by some people to mean that all circuits ending at X should
>be verboten.  But circuits can end at a node for reasons other than
>sending traffic out of the network, including accessing a hidden
>service via a rendezvous point, performing a self-test, or accessing a
>directory server.  Perhaps what people really want is an
>ExcludeAsLastHop option, and we should build that instead.)
>
     I'm afraid I don't see why this should be confusing at all.  Circuits
can end also at a directory server for internal (i.e., fully hidden and
encrypted) access to directory information.  Those circuits and circuits
created for access to hidden services are *not* exit circuits, but rather
are circuits that are built to some point in the tor network for non-exit
purposes.  ExcludeExitNodes specifications are inapplicable.  ExcludeNodes
specifications, OTOH, are absolutely applicable.  "ExcludeAsLastHop" has
yet to receive a justification at this point.


                                  Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet:       bennett at cs.niu.edu                              *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************
***********************************************************************
To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxxx with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/

Prev by Author: Re: Path-spec - fast circuits
Next by Author: Re: Path-spec - fast circuits
Previous by thread: Re: ExcludeNodes setting bypassed
Next by thread: Fixed Size Cell
Index(es):
- Author
- Thread