[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-talk] The reasoning behind the 'exit' flag definition



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi,

I'd like to understand why the exit flag is defined as it is.

The current definition can be found in the directory spec [1]:

"
"Exit" -- A router is called an 'Exit' iff it allows exits to at
   least two of the ports 80, 443, and 6667 and allows exits to at
   least one /8 address space.
"

I assume the exit flag was meant to be used by tor clients only [2]
because destination port 80/443 are probably amongst the most
frequently accessed services, but was than (mis)used to generate
(inaccurate) 'Tor exit IP address lists' (?).

This means that there is no way to tell if a relay actually allows
exiting (any) traffic simply by looking at relay flags. To actually
tell you would have to parse exit policies.

I think this is the main reason why people trying to handle the 'is a
tor user' - case are having a hard time.

Here are two examples why this negatively affects tor and non-tor users:

1) Non-Tor users are banned to access certain services when they share
their IP address with a non-exit relay. Admins start to block *all*
tor relay IP addresses (even non-exits) ones they realize that also
relays without 'exit' flag might allow exiting to their services.

2) I'm regularly banned from accessing my gmail account when using tor
because google blocks my access to its services if I'm appearing to
have a *non*-tor IP address [3] (this is the direct inversion of 1).


Which one of the following proposals would be more likely too be
accepted by the Tor Project (if any at all):

- - change the definition of the 'exit' flag to include all nodes that
allow *any* exiting traffic.

- - introduce a new flag that is set on all relays allowing *any* exit
traffic (leaving the current definition of the 'exit' flag unchanged)

As an alternative, better tools to create 'tor exit lists' as
suggested in [4] and [5], might also do the job. Is someone aware of a
tool that implements something like that already?

Something along the lines of:

./get-tor-exits [relay-IP] target-service-IP[/mask][:port],...

output: boolean if relay-IP is given,
if no relay IP was given: print a list of all relay IP addresses that
would allow accessing (any) service in the target IP (range).

(similar to what exonerator does already)

thanks!


[1]
https://gitweb.torproject.org/torspec.git?a=blob_plain;hb=HEAD;f=dir-spec.txt

[2]
https://gitweb.torproject.org/torspec.git?a=blob_plain;hb=HEAD;f=path-spec.txt


[3]
https://lists.torproject.org/pipermail/tor-talk/2013-September/029975.html
https://lists.torproject.org/pipermail/tor-talk/2013-September/029981.html

[4]
https://lists.torproject.org/pipermail/tor-talk/2013-September/029988.html
[5]
https://lists.torproject.org/pipermail/tor-talk/2013-September/029986.html



-----BEGIN PGP SIGNATURE-----

iF4EAREKAAYFAlIuIJIACgkQyM26BSNOM7aVXQEAkxKjDlkpFO44DA9Gbe5tscvL
b2kX/27XSRHIpXczcW8A/1olo4LrMWgZyY+X8OccGbtJ2iUUwxWnynnqy8CcgUtE
=atrW
-----END PGP SIGNATURE-----
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsusbscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk