
Re: facility for specifying that a Tor node should not be preferred?

On 1/31/06, Roger Dingledine <arma@xxxxxxx> wrote:
> On Tue, Jan 31, 2006 at 04:22:42PM -0800, Joseph Lorenzo Hall wrote:
> > Hi, I was wondering if there was much interest in what would
> > effectively be the opposite of Tor's ExitNodes argument.  That is, it
> > would be nice to be able to specify that a node should never be a
> > "preferred" exit node.
> There is an opposite to ExitNodes -- it's called ExcludeNodes. See
> http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#ChooseEntryExit
> But it doesn't do what you seem to want -- you cannot control how other
> Tor users choose their paths, because the exit node does not (should not)
> know this information.

(I think) What I'm referring to is simpler than that.  It would be
something, a flag, included in the directory information published
that said "this node can't be used in an ExitNodes argument".  Of
course, we'd have to rely on clients obeying that preference... and I
suppose sending a "your node is on the ExitNodes list for this client"
signal to a server would compromise anonymity.

> > PS: Barring that, what's the longest set of exit policies that a node
> > has ever run on? Did it cause problems?  Would it make more sense (in
> > terms of network efficiency, etc.) to block exits on port 80 or to
> > have a long (thousands of entries) set of exit policies?  What would
> > happen if all nodes ran with exit policies that were thousands of
> > lines long?
> Good question. I think our current directory distribution protocol would
> hurt if all of the servers have megabyte-long exit policies.
> So I guess the answer for that is that rejecting *:80 is the better
> plan if those are the choices.
> The real answer for universities is to route their subscriptions to things
> like Webster and Springer through a proxy server that uses their already
> established local auth mechanism (MIT's cert system, Harvard's PIN system,
> UCLA's Bruin OnLine system, etc etc). In many cases they *already* have
> the proxy system in place for off-campus users, so it's just a matter of
> using them in other cases too.

This is a very damn good point... and seems easy enough.  (Here at
Berkeley our single sign-on is called CalNet... just in case you
wanted to add to your list :)

> This would free them up from all the fears that their IP space has to be
> locked down thoroughly or they'll be breaking some contract somewhere.
> Then they could get back to being centers of research and innovation.
> But, while some universities are becoming enlightened and heading in
> this direction, there are still a lot of scared people out there.
> --Roger

Joseph Lorenzo Hall
PhD Student
UC Berkeley, School of Information (SIMS)
blog: <http://josephhall.org/nqb2/>

This email is written in [markdown] - an easily-readable and parseable
text format.
[markdown]: http://daringfireball.net/projects/markdown/
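The exchange above compares two ways an exit operator could keep Tor traffic away from a publisher's subscription servers: a single "reject *:80" line, or an exit policy thousands of lines long that names each subscription subnet. The following is an added example, not code from this thread and not Tor's own policy code. It implements a simplified evaluator for the documented torrc ExitPolicy syntax (first matching line wins; "accept"/"reject"; an address or "*", optional /mask; a port, a "lo-hi" range or "*"; an implicit trailing "reject *:*"), restricted to IPv4. It then builds both kinds of policy from constructed data (10.0.0.0/8 stands in for a publisher's address space; 192.0.2.10 is an unrelated host) and measures what each decides and how many bytes each would add to the directory:

```python
"""Simplified Tor-style exit policy evaluator (added example, not Tor code).

Assumptions: IPv4 only; the subset of torrc ExitPolicy syntax described in
the lead-in; all subnets and hosts below are constructed for illustration.
"""
import ipaddress
from itertools import islice
from typing import Dict, List, Tuple

# (accept?, network, lowest port, highest port)
Rule = Tuple[bool, ipaddress.IPv4Network, int, int]


def parse_policy(text: str) -> List[Rule]:
    """Parse 'accept|reject ADDR[/MASK]:PORT|LO-HI|*' lines, one per line.
    Comments after '#' and blank lines are ignored; malformed lines raise."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        verb, target = line.split(None, 1)
        if verb not in ("accept", "reject"):
            raise ValueError(f"bad verb in policy line: {raw!r}")
        addr, _, port = target.rpartition(":")
        if not addr:
            raise ValueError(f"missing port in policy line: {raw!r}")
        net = ipaddress.ip_network("0.0.0.0/0" if addr == "*" else addr,
                                   strict=False)
        if port == "*":
            lo, hi = 1, 65535
        elif "-" in port:
            lo, hi = (int(p) for p in port.split("-", 1))
        else:
            lo = hi = int(port)
        rules.append((verb == "accept", net, lo, hi))
    return rules


def exit_allowed(rules: List[Rule], dest_ip: str, dest_port: int) -> bool:
    """First matching rule decides; Tor appends an implicit 'reject *:*'."""
    ip = ipaddress.ip_address(dest_ip)
    for accept, net, lo, hi in rules:
        if ip in net and lo <= dest_port <= hi:
            return accept
    return False


def compare_policies(n_subnets: int = 2000) -> Dict[str, object]:
    """Build the one-line 'reject *:80' policy and an n_subnets-line policy
    that rejects port 80 only for constructed 'subscription' /24s, then
    evaluate both against a subscription host and an unrelated host and
    report the size of each policy text (what the directory would carry)."""
    # Constructed data: the first n_subnets /24s of 10.0.0.0/8.
    subnets = list(islice(
        ipaddress.ip_network("10.0.0.0/8").subnets(new_prefix=24), n_subnets))
    short_text = "reject *:80\naccept *:*"
    long_text = "\n".join(f"reject {net}:80" for net in subnets) + "\naccept *:*"
    short_rules = parse_policy(short_text)
    long_rules = parse_policy(long_text)

    subscription_host = "10.0.3.7"   # inside 10.0.3.0/24, a constructed subnet
    other_host = "192.0.2.10"        # documentation range, not in the list
    return {
        "short": {
            "subscription": exit_allowed(short_rules, subscription_host, 80),
            "other": exit_allowed(short_rules, other_host, 80),
        },
        "long": {
            "subscription": exit_allowed(long_rules, subscription_host, 80),
            "other": exit_allowed(long_rules, other_host, 80),
        },
        "short_bytes": len(short_text.encode()),
        "long_bytes": len(long_text.encode()),
    }


if __name__ == "__main__":
    result = compare_policies()
    for name in ("short", "long"):
        print(f"{name:5} policy: subscription host on :80 allowed="
              f"{result[name]['subscription']}, unrelated host on :80 allowed="
              f"{result[name]['other']}")
    print(f"policy text: {result['short_bytes']} bytes vs "
          f"{result['long_bytes']} bytes")
```

Both policies deny the subscription host, which is the operator's goal; only the long one still lets unrelated port-80 traffic exit, and the price for that precision is a policy text thousands of times larger, carried in every directory download by every client. That is the trade-off Roger's reply describes, and why a proxy with local authentication on the university side is the better fix than either.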