Re: [tor-dev] Should cloud-hosted relays be rejected?

Subject: Re: [tor-dev] Should cloud-hosted relays be rejected?

From: Tim Wilson-Brown - teor <teor2345@xxxxxxxxx>

Date: Tue, 1 Sep 2015 10:01:11 +1000

Delivery-date: Mon, 31 Aug 2015 20:01:31 -0400

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:content-type:message-id:mime-version:subject:date:references :to:in-reply-to; bh=DVoi8k8q4r/p5o39CZJh3mNObT7OCnU6favhydHCTO4=; b=mQ36bJLRz5xuSHeSt/t2jm7vVF77S+Sj6ezbNrduN6wkpg+Gzmwdq8DkBZ8asM0T00 PDMrMjs5LxeP41SprTTrN4vSlSlstFPUIeniSAsZ4IB11iuzlnCJpZmDN0gAIq6GrLW4 OFQejaDqYj8RZ/bUUq1RRTICzg94SfoQMffGthPc2f8RKHzB49XeAb1383cTuuB6S4Nz JEapEze0f6WO2XEuGlagfk0sBdZYF3zFqJJuzQjrmsi5NUPQLeJfg3cwasXEMN89HnsP 2Y8+HzVYCBnUhOsTOyVnuunPwriZQVjZFuvuAbk11jXvYcIszazbTFmmegAxqGs2I0sl aG4g==

In-reply-to: <55E4DBFD.4010405@xxxxxxxxxxxxxxx>

List-archive: <http://lists.torproject.org/pipermail/tor-dev/>

List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>

List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>

List-post: <mailto:tor-dev@lists.torproject.org>

List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>

List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>

References: <20150831214510.GA5303@xxxxxxxxx> <55E4DBFD.4010405@xxxxxxxxxxxxxxx>

Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx

Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>

On 1 Sep 2015, at 07:45, Philipp Winter <phw@xxxxxxxxx> wrote:

The harm caused by cloud-hosted relays is more difficult to quantify.
Getting rid of them also wouldn't mean getting rid of any attacks. At
best, attackers would have to jump through more hoops.

If we were to decide to permanently reject cloud-hosted relays, we would
have to obtain the netblocks that are periodically published by all
three (and perhaps more) cloud providers:
<https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html>
<https://msdn.microsoft.com/en-us/library/azure/Dn175718.aspx>
<https://cloud.google.com/appengine/kb/general?hl=en#static-ip>

Note that this should be done periodically because the netblocks are
subject to change.

On 1 Sep 2015, at 08:58, nusenu <nusenu@xxxxxxxxxxxxxxx> wrote:

Should you decide to continue generally blacklisting entire ISPs/ASes/IP
ranges:

Please add that info (including the banned ISPs/ASes/IP ranges) to the
documentation (i.e. relay setup guides [4]) so volunteers don't waste
their time and money to setup blacklisted relays [5].

[4] https://www.torproject.org/getinvolved/relays.html.en
[5]
https://lists.torproject.org/pipermail/tor-relays/2015-August/007655.html

If the blocked IP ranges are going to become numerous, and change frequently, why not create a tool that volunteer relay operators can use to check an IP address?

Tim (teor)

_______________________________________________ tor-dev mailing list tor-dev@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev