[tor-bugs] Re: #1774 [Tor - Tor client]: how much of exit policies can we squeeze into microdescriptors?
#1774: how much of exit policies can we squeeze into microdescriptors?
------------------------------+---------------------------------------------
 Reporter:  arma               |        Owner:
     Type:  task               |       Status:  new
 Priority:  normal             |    Milestone:  Deliverable-Sep2010
Component:  Tor - Tor client   |      Version:
 Keywords:                     |       Parent:  #1748
------------------------------+---------------------------------------------
Comment(by nickm):
'''What we lose''':
We lose exit enclaving, but almost nobody uses it. Looking at the
descriptors in my cache, we have ONE that does accept "$my_ip/32:anything,"
and many that do "reject $my_ip/32:*". Further, thanks to having to
resolve addresses before you use them, most users wouldn't have wound up
with an exit enclave anyway. If we want exit enclaving to work in the
future, that's a good goal, but it doesn't work so well and isn't much
used now.
[Here and in the rest of this message, I'm using a definition of "exit" ==
"Has at least one accept *:port entry." You can reproduce my findings
with the script I'll attach with this.]
We won't miss private network support, since connecting to private
networks never made sense unless you specified an address explicitly.
We lose the ability to say "I reject nearly everything on port X, except
for these addresses" in such a way that clients will use it without being
told to do so explicitly. Right now 6 exits in my cache seem to do that: che
(2 addresses), NSAFortMeade (27), lapiste (19), PotatoPalace (34),
blahblahblah (2), and brazoslink (1).
We lose the ability to say "Don't even bother trying to connect to this
single address X from me" in a way that clients won't try. (Arguably,
since clients need to DNS lookup, we never had this ability in a reliable
way.) 22 exits in my cache do this.
Finally, we lose the ability for exits to tell clients in advance that
they do (or don't) support big carve-outs of IP space with a portmask
other than /32 and /0. The clients need to connect, fail, and find out if
we reject lots of weird carve-outs... and if we accept lots of weird
carve-outs, clients might never try at all. There are right now only 27 exits
that reject portions of netspace, and only 5 that accept portions of
netspace.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/1774#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
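As an added example (not part of the ticket, nor Tor's own code or nickm's attached script), a small Python classifier that applies the comment's definition of "exit" to a constructed exit policy, computes the port-only view a microdescriptor could carry, and lists the address-specific rules that such a view would lose. The policy lines, the relay address and the group names are all constructed for illustration.

```python
import ipaddress
import re

# Constructed sample exit policy (not from the ticket). Descriptor lines have
# the form "accept|reject ADDR[/MASK]:PORT|LOW-HIGH|*"; the first match wins.
SAMPLE_POLICY = [
    "reject 203.0.113.7/32:*",   # relay rejecting its own address
    "reject 10.0.0.0/8:*",       # private-network carve-out (mask not /32 or /0)
    "reject 198.51.100.9/32:*",  # "don't bother trying this single address"
    "accept 192.0.2.0/24:6667",  # "reject nearly everything on 6667, except these"
    "reject *:6667",
    "reject *:25",
    "accept *:80",
    "accept *:443",
    "reject *:*",
]
RULE_RE = re.compile(r"^(accept|reject)\s+(\S+):(\S+)$")

def parse_rule(line):
    """Return (action, network or None for '*', (low_port, high_port))."""
    action, addr, ports = RULE_RE.match(line.strip()).groups()
    net = None if addr == "*" else ipaddress.ip_network(
        addr if "/" in addr else addr + "/32", strict=False)
    lo, _, hi = ("1", "-", "65535") if ports == "*" else ports.partition("-")
    return action, net, (int(lo), int(hi or lo))

def is_exit(policy):
    """The comment's definition: at least one 'accept *:port' entry."""
    return any(a == "accept" and net is None for a, net, _ in map(parse_rule, policy))

def port_summary(policy, ports):
    """Port-only view a microdescriptor could carry: wildcard-address rules only."""
    rules = [(a, pr) for a, net, pr in map(parse_rule, policy) if net is None]
    return {p: next((a == "accept" for a, (lo, hi) in rules if lo <= p <= hi), False)
            for p in ports}

def lost_information(policy, relay_ip):
    """Address-specific rules a port-only summary cannot express (a rule may land in several groups)."""
    me = ipaddress.ip_address(relay_ip)
    parsed = [parse_rule(l) for l in policy]
    lost = {"self_reject": [], "single_address_rejects": [], "carve_outs": [], "port_exceptions": []}
    for i, (action, net, (lo, hi)) in enumerate(parsed):
        if net is None:
            continue  # expressible as a port-only rule; nothing lost
        if action == "reject" and net.prefixlen == 32:
            lost["self_reject" if me in net else "single_address_rejects"].append(policy[i])
        if net.prefixlen not in (0, 32):  # netspace carve-out with an unusual mask
            lost["carve_outs"].append(policy[i])
        # address-specific accept shadowed by a later wildcard reject on the same ports
        if action == "accept" and any(a == "reject" and n is None and l2 <= hi and h2 >= lo
                                      for a, n, (l2, h2) in parsed[i + 1:]):
            lost["port_exceptions"].append(policy[i])
    return lost
```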