
Re: any of Tor operators receiving mail from MediaSentry Copyright Infringement?



On Mon, Oct 10, 2005 at 03:59:15PM +0200, Eugen Leitl wrote:
> On Mon, Oct 10, 2005 at 09:13:48AM -0400, Geoffrey Goodell wrote:
> > reject 0.0.0.0/255.0.0.0:*
> > reject 169.254.0.0/255.255.0.0:*
> > reject 127.0.0.0/255.0.0.0:*
> > reject 192.168.0.0/255.255.0.0:*
> > reject 10.0.0.0/255.0.0.0:*
> 
> Question: if I have a local network in 10.3.0.0
> (virtual TUN/TAP interface), can I change this
> policy without causing problems. (10.0.0.0/255.0.0.0
> isn't routable, anyway, right? This is to prevent
> spillover of unroutable traffic into Tor network, and not
> something against spoofing, correct?)

10.0.0.0/255.0.0.0 is certainly routable.  It just so happens that ISPs
in the core of the Internet have decided, by convention (RFC 1918), to
not announce BGP prefixes in these ranges.  If you remove the reject
line for 10.0.0.0/255.0.0.0, potentially any Tor client can speak
directly to your local network by explicitly specifying your node as the
exit node for such communication.  Whether this behavior "causes
problems" or not is a question I cannot answer.  If you want to provide
access to your local network to the world, then this is great.  If there
are services on your local network that assume (perhaps for security
reasons) that all of the clients are local, then those assumptions would
suddenly be wrong.  So, it is up to you.

> It has to be a pretty smart firewall to track an entire BitTorrent
> session sufficiently to be able to recognize it and to drop it.
> Also, if I had such a firewall which would block outgoing Tor
> traffic it recognizes it would not be reflected in the Tor exit 
> policy, and the local Tor node would cheerfully send it out
> where it will be chomped up by the firewall. This would violate
> the expectations of any user.

Agreed!  But we see this behavior even today, specifically from Tor
nodes with bad resolvers (or bad nameservers, etc.).  Have you ever seen
privoxy tell you that it could not look up the name of a particular
host when you're using Tor?  Bingo.  And we have no reason to believe
that these node operators are deliberately attacking the network -- this
is probably just accidental misconfiguration.  Nonetheless, this is a
difficult problem to solve, and one that has (mostly) been punted so
far.

Geoff
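The point Geoff makes above (first matching line wins, and dropping the
10.0.0.0/255.0.0.0 reject turns the exit into a door onto the operator's own
10.x network) is easy to check mechanically.  The following is an added
example, written for this archive page; it is not code from the thread, from
Tor, or from either poster.  It parses the dotted-netmask exit-policy syntax
quoted in the thread and evaluates destinations against it.  Assumptions, not
stated in the thread: that unmatched traffic falls through to an implicit
"accept *:*", and that the five reject lines quoted are the whole of the
policy (they may be an excerpt).  Under that second assumption the evaluator
also reports that 172.16.0.0/12, the third RFC 1918 block, is absent from the
quoted lines; the destinations and address ranges used below are constructed
for the example.

```python
"""Evaluate a Tor-style exit policy (first match wins) against destinations.

Added example for this thread; not Tor's own policy code.  Assumption: a
destination matching no line falls through to an implicit 'accept *:*'.
"""
import ipaddress


def parse_rule(line):
    """Parse 'accept|reject ADDR/MASK:PORT' into (action, network, (lo, hi)).

    ADDR/MASK is the dotted-netmask form quoted in the thread
    (e.g. 10.0.0.0/255.0.0.0).  '*' as the address matches every IPv4
    address, '*' as the port matches every port, 'lo-hi' is a port range.
    """
    action, _, target = line.strip().partition(" ")
    if action not in ("accept", "reject"):
        raise ValueError(f"bad action in exit policy line: {line!r}")
    addr, _, port = target.rpartition(":")
    if addr == "*":
        net = ipaddress.ip_network("0.0.0.0/0")
    else:
        net = ipaddress.ip_network(addr, strict=False)
    if port == "*":
        ports = (1, 65535)
    elif "-" in port:
        lo, hi = port.split("-")
        ports = (int(lo), int(hi))
    else:
        ports = (int(port), int(port))
    return action, net, ports


def evaluate(policy, dest_ip, dest_port):
    """Return 'accept' or 'reject' from the first line matching ip:port."""
    ip = ipaddress.ip_address(dest_ip)
    for line in policy:
        action, net, (lo, hi) = parse_rule(line)
        if ip in net and lo <= dest_port <= hi:
            return action
    return "accept"  # assumed implicit default: not rejected means exited


# The reject lines quoted from Geoffrey Goodell's message, verbatim.
GOODELL_REJECTS = [
    "reject 0.0.0.0/255.0.0.0:*",
    "reject 169.254.0.0/255.255.0.0:*",
    "reject 127.0.0.0/255.0.0.0:*",
    "reject 192.168.0.0/255.255.0.0:*",
    "reject 10.0.0.0/255.0.0.0:*",
]


def without_rule(policy, prefix):
    """Copy of policy with every line starting with `prefix` removed."""
    return [line for line in policy if not line.startswith(prefix)]


# Constructed destinations: a host on a 10.3.0.0 TUN/TAP network like
# Eugen's, a printer on 192.168.x, the exit's own loopback, a public host.
SAMPLE_DESTINATIONS = [
    ("10.3.0.7", 22),
    ("192.168.1.20", 9100),
    ("127.0.0.1", 9051),
    ("198.51.100.9", 80),
]


def exposure_report(policy, destinations):
    """Map 'ip:port' to the exit's decision, for comparing two policies."""
    return {f"{ip}:{port}": evaluate(policy, ip, port) for ip, port in destinations}


def private_ranges_exposed(policy):
    """List non-public ranges the policy would exit to.

    One representative address per range is probed (assumption: the policy
    treats each whole range uniformly, as the quoted whole-range lines do).
    """
    probes = {
        "10.0.0.0/8": "10.3.0.7",
        "172.16.0.0/12": "172.16.5.5",
        "192.168.0.0/16": "192.168.1.20",
        "127.0.0.0/8": "127.0.0.1",
        "169.254.0.0/16": "169.254.10.10",
    }
    return sorted(rng for rng, ip in probes.items() if evaluate(policy, ip, 80) == "accept")


if __name__ == "__main__":
    opened = without_rule(GOODELL_REJECTS, "reject 10.0.0.0/")
    print("as quoted:   ", exposure_report(GOODELL_REJECTS, SAMPLE_DESTINATIONS))
    print("10/8 removed:", exposure_report(opened, SAMPLE_DESTINATIONS))
    print("ranges exposed, as quoted:   ", private_ranges_exposed(GOODELL_REJECTS))
    print("ranges exposed, 10/8 removed:", private_ranges_exposed(opened))
```

Running it shows 10.3.0.7:22 flipping from reject to accept the moment the
10.0.0.0/255.0.0.0 line is gone, which is exactly the "any Tor client can
speak directly to your local network" outcome described above; the
172.16.0.0/12 entry in the exposed-ranges list only means that block is not
among the lines quoted, not that Geoff's actual policy lacked it.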
