Re: [tor-relays] Comcast blocks ALL traffic with tor relays

To: xmrk2 <xmrk2@xxxxxxxxxxxxxx>, "tor-relays@xxxxxxxxxxxxxxxxxxxx" <tor-relays@xxxxxxxxxxxxxxxxxxxx>

Subject: Re: [tor-relays] Comcast blocks ALL traffic with tor relays

From: "Livingood, Jason via tor-relays" <tor-relays@xxxxxxxxxxxxxxxxxxxx>

Date: Wed, 14 Jun 2023 21:14:01 +0000

Accept-language: en-US

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cable.comcast.com; dmarc=pass action=none header.from=cable.comcast.com; dkim=pass header.d=cable.comcast.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=9VVBVrKCO1YFgWr0THIQ3RJUDYdOO7CYh1luKPL+Y6w=; b=QyQpMMw2vVJJiLN2ka7kCTa+hr9IP90+g25c2+zQngiu/7r9WIiRanm/nZzQJkcFVfYpM4mrwhRUj0dQ8m+46fr1bybJb7MZMUAUUXu7GP0dfS/O1HCXlSfJFrokJ9snmJ21hRs3dZ7m0l+hoqCQA9HYxGF64O8hNh6z1NNMIE9OBbBI6XpP7GKvUvyFN2GE9BuIpDJmcRtjiA50ZGeNF+6htEbAKZ42nBLrUmOSjRsamPD/MTYk8DiAuTuL6qZDFQJY2uSEZ1UjjOwXUrQVVlgVc//nIuPYSmpyLeWtnzydd3aNinK6GSneHHAZVH0gzTnUoQ3EhEXbvAdhS+PzPw==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=ihzLqf3C+XmJ3564jAiFJUqvi+5O3gx5437QWpMlT2aFK8cjYLiGdj2Qgs0GEUC+MQlAyAg8dKCCSmZL4XjibbQAakpOsqb3kpzfk7KGNugcwGgS2cx9d+F1QItBHyZLOQPd2riC3TGx0ajbVzA+ZvCHE9vvY8WQOQvX9eAh2r2ceViFdXeBMoDOT7SDj7RVQMh6JRs/0NC7pcsn+mUfop2OzJLe/cf3yWquxH6oLpjXhX9Q5xjjmxnWuWvvom4UxxMxS8BdpfZO2upEufrnwmsf2d1PPVauneIZXvAEeGcmvGa7RuA9rneNLPJYqtraeK78mlc7t0WGn+NxFsLhUQ==

Cc: "Livingood, Jason" <Jason_Livingood@xxxxxxxxxxx>

Delivered-to: archiver@xxxxxxxx

Delivery-date: Thu, 15 Jun 2023 02:44:14 -0400

Dkim-signature: v=1; a=rsa-sha256; c=simple/simple; d=lists.torproject.org; s=2022-eugeni; t=1686811380; bh=ZCvy8lYArJWM87BxKQ3RR8TT3m/CThtLWUiSxxlN+n8=; h=To:Date:Subject:List-Id:List-Unsubscribe:List-Archive:List-Post: List-Help:List-Subscribe:From:Reply-To:Cc:From; b=lPBSHW8j/dMJJboAIwsGfTlNU9xGykk9t5qPpX5JdbwitkEpZSsERA94Kt/WAxa6S spbhboK4o2PakcVGq9at/feL+/n2AFGuN0vwtSnbsQnKmWCwHlPG7dfOD8iLqOvSca jem4/c29fEZ5tWAdDcRdCm7ymeHW73EiwETzBeXGSSCctKDgxd/9HAXB3w7FmEnPBZ fMSIxRDnpEBpPTN658KxQXIcGFAiRmFRlp2HhhLCmBhKPHmx12GvUiVpS95ZRt13x1 yB04kRxWIRTXXWoMNNJKxbd9sQW6tI67iSanMMIZ07wTPHr+ycZ2ACRcKG7xd1FJWb jKvnIwkFwiIVg==

List-archive: <http://lists.torproject.org/pipermail/tor-relays/>

List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>

List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>

List-post: <mailto:tor-relays@lists.torproject.org>

List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>

List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>

Msip_labels: MSIP_Label_15652fe2-2b59-4d95-925c-ee86d789ff67_Enabled=true; MSIP_Label_15652fe2-2b59-4d95-925c-ee86d789ff67_ActionId=2e0b4602-67a9-4cd1-84d6-20926c33fbf7; MSIP_Label_15652fe2-2b59-4d95-925c-ee86d789ff67_SetDate=2023-06-14T21:02:22Z; MSIP_Label_15652fe2-2b59-4d95-925c-ee86d789ff67_SiteId=906aefe9-76a7-4f65-b82d-5ec20775d5aa; MSIP_Label_15652fe2-2b59-4d95-925c-ee86d789ff67_Name=Confidential (C); MSIP_Label_15652fe2-2b59-4d95-925c-ee86d789ff67_ContentBits=0; MSIP_Label_15652fe2-2b59-4d95-925c-ee86d789ff67_Enabled=true; MSIP_Label_15652fe2-2b59-4d95-925c-ee86d789ff67_Method=Standard;

Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx

Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>

Thread-index: AQHZnwUkYCXy+1oX5kWzsLBiJMlTzA==

Thread-topic: [tor-relays] Comcast blocks ALL traffic with tor relays

User-agent: Microsoft-MacOutlook/16.74.23061100

>As to the blog post you mention… Your statements are very generic: now you talk about "not blocking tor", but tor is not just one webpage, one server, a monolithic entity. I would appreciate details: If your customer has "advanced security" activated, can he connect to any ORPort of any tor middle relay?

Fair enough. That post was in any case from 2014 and the questions are different today (I just used it as an example that we’re not against Tor). Honestly, I’m a little surprised that someone running a Tor exit node would not be using their own cable modem and running their own router (whether open source a la Openwrt or commercial). If someone wants to do stuff like run a Tor exit node or run a MASQUE relay or whatever, I’d recommend they turn off Advanced Security and manage their routing & firewall rules themselves.

>Sorry if I am a bit repetitive, but https://www.xfinity.com/support/articles/using-xfinity-xfi-advanced-security mentions "Blocks remote access to smart devices from known dangerous sources.". What do you mean by dangerous sources, and does it include tor relays or exits?

It may be down to the fact that “unknown” users connect to the relay/exit and that the average consumer user of the Advanced Security service does not want that. I suspect if someone wants this, it’s best to toggle Advanced Security off.

> I don't know whether this customer has "Advanced security" turned on, I just assume he has. Do you want me to send you privately more details (my IP and this peer's IP)?

Sure – I am happy to look at that confidentially. But it could be a wide range of other things – even basic things like someone’s router timing out external connections after X minutes, etc.

> So you remind me of an old joke: who should I believe, you, or my eyes? Sorry, I choose my eyes. I am talking here about direction from my node to Comcast. It is still possible that you don't block connections from Comcast to relays, I have contradictory evidence about this point. So if your "not blocking tor" means "not preventing our customer from connecting to some tor relays", this could be true.

Alternatively, given the large size of our network, if we were in fact blocking this, then I’d expect to see this list filled with complaints and social media sites (Twitter, Reddit, etc.) filled with complaints. But what I see now is a single report. That said, I routinely look at such reports when they seem at odds with our network policies so as to be certain there’s not some misconfiguration or bug someplace.

Jason

_______________________________________________ tor-relays mailing list tor-relays@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays