
Re: Filtering out attacks?

On 5/17/05, alexyz@xxxxxxxxxx <alexyz@xxxxxxxxxx> wrote:
> If I can make an additional suggestion, why not have Tor implement some kind of packet
> inspection?

It's important to remember that the circuit route is decided at
connection time - before any higher level information is available.
Since this is the case, one cannot use information like "I won't
connect to google.com" from the directory.

Thus any application level filtering has to be network wide. The
alternative is a non-deterministic "sometimes Google works, sometimes
it doesn't" and that's a very bad user experience.

(yes, a node could wait until after getting the first header before
making the connection. That might work for some protocols. For HTTP it
would have to be site level filtering only because many requests can
be sent down the same connection. But we can do site level filtering
already with exit rules. Don't underestimate how nice it is that Tor
has so far avoided touching the traffic at all.)

Do you have specific examples of where this would be a good idea?


Adam Langley                                      agl@xxxxxxxxxxxxxxxxxx
http://www.imperialviolet.org                       (+44) (0)7906 332512
PGP: 9113   256A   CC0F   71A6   4C84   5087   CDA5   52DF   2CB6   3D60
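The point made above (the exit is chosen at circuit-build time from exit policies, so a per-node application-level filter gives a hit-or-miss result) as an added simulation; this is not code from the thread or from Tor itself, and the exit policies, hostnames, addresses and blocklists are constructed.

```python
import ipaddress
import random

# Constructed exit policies in Tor's ExitPolicy syntax: first matching line wins.
EXIT_POLICIES = {
    "exitA": ["reject *:25", "accept *:80", "accept *:443", "reject *:*"],
    "exitB": ["accept *:*"],
    "exitC": ["reject 0.0.0.0/8:*", "accept *:80", "reject *:*"],
}

# Constructed per-node application-level blocklists (the proposal under discussion).
APP_BLOCKLIST = {"exitA": set(), "exitB": {"google.com"}, "exitC": set()}


def parse_rule(rule):
    """Split 'accept|reject ADDR[/MASK]:PORT' into (action, network, port)."""
    action, target = rule.split()
    addr, port = target.rsplit(":", 1)
    net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
    return action, net, (None if port == "*" else int(port))


def policy_allows(policy, ip, port):
    """Evaluate a policy the way an exit relay does: first match decides."""
    ip = ipaddress.ip_address(ip)
    for action, net, prt in map(parse_rule, policy):
        if (net is None or ip in net) and (prt is None or prt == port):
            return action == "accept"
    return True  # fallback mirrors the trailing "accept *:*" of Tor's default policy


def pick_exit(dest_ip, dest_port, rng):
    """Circuit-build time: only the IP:port is known, so pick by exit policy."""
    ok = [n for n, p in EXIT_POLICIES.items() if policy_allows(p, dest_ip, dest_port)]
    return rng.choice(ok) if ok else None


def stream_outcome(hostname, dest_ip, dest_port, rng):
    """Stream time: the hostname is only seen by the exit already chosen."""
    exit_node = pick_exit(dest_ip, dest_port, rng)
    if exit_node is None:
        return "no-exit"
    return "blocked" if hostname in APP_BLOCKLIST[exit_node] else "ok"


def outcomes(hostname, dest_ip, dest_port, trials=200, seed=1):
    """Set of results a user would see across repeated circuits."""
    rng = random.Random(seed)
    return {stream_outcome(hostname, dest_ip, dest_port, rng) for _ in range(trials)}
```

Port 80 to the blocked name yields both "ok" and "blocked" depending on which exit the client happened to build through, which is the non-deterministic experience described above; the same site on a port only one exit serves fails every time.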