Re: [tor-relays] Mexico ISP blocking authority nodes and preventing exit relays.



On 02/18/2016 04:24 AM, Tim Wilson-Brown - teor wrote:
> 
>> On 18 Feb 2016, at 22:16, Mirimir <mirimir@xxxxxxxxxx> wrote:
>>
>> On 02/18/2016 03:47 AM, Tim Wilson-Brown - teor wrote:
>>>
>>>> On 18 Feb 2016, at 14:40, Ricardo Malagon Jerez <rjmalagon@xxxxxxxxx> wrote:
>>>>
>>>> I don't know how and why, but since January it is impossible to have an exit relay in Telmex ISP.
>>>> And it is harder to reach authority nodes.
>>>> Someone wrote about this, but it is mid-February and it is the same.
>>>> Tor 2.8 alpha works pretty well with the authority fallback measures, but I can't implement the exit relay or publish the relay.
>>>
>>> Thanks for the feedback about the fallback directory mirrors feature - I am glad to hear that it's working as planned.
>>> But it only works for clients.
>>>
>>> Relays need to be able to post their descriptors to the authorities. So they have to be able to reach at least one authority - they can't use only fallback directory mirrors.
>>
>> Could relays somehow use bridges for that?
> 
> 
> Relays could upload their descriptors to the authorities over 3-hop tor circuits, like hidden services do to hidden service directories.
> 
> But that doesn't solve the core issue: Tor assumes all relays can connect to every other relay. If a relay can't reach the authorities, then that's 9 relays it can't reach, and it's likely that other relays are also blocked.

Doh. And any network that blocked access to authorities could block
access to all Tor relays.

> We would need to answer the following questions before we allowed relays that can't reach the authorities to bootstrap:
> * how many other relays can each Tor relay reach at the moment?
> * what's the minimum number of relays each relay should be able to reach to be useful?
> * how can we check if a relay can reach that many relays?
> * should the relay do the check itself before it submits its descriptor, or should the authorities or bandwidth authorities do the check?
> 
> This requires some research and security analysis.

Right. A relay that needs a bridge to reach other relays is relatively
useless. And can perhaps hide malicious activity more easily too.

> Tim
> 
> Tim Wilson-Brown (teor)
> 
> teor2345 at gmail dot com
> PGP 968F094B
> 
> teor at blah dot im
> OTR CAD08081 9755866D 89E2A06F E3558B7F B5A9D14F
> 
> 
> 
> 
> _______________________________________________
> tor-relays mailing list
> tor-relays@xxxxxxxxxxxxxxxxxxxx
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
> 