> > On 17 Sep 2017, at 17:11, Iain R. Learmonth <irl@xxxxxxxxxxxxxx> wrote: > > The most interesting thing I've discovered so far is that it's common > for the connections to fail in one direction but then succeed when the > two relays are reversed. I can't be sure if this is because I can't > reach one of the relays. Yes, this would be common, because firewalls are often asymmetric (many firewalls let relays connect out, but not receive connections in). For example: > On 17 Sep 2017, at 23:13, Scott Bennett <bennett@xxxxxxx> wrote: > > Roger Dingledine <arma@xxxxxxx> wrote: > >> On Sat, Sep 16, 2017 at 11:44:41PM +0000, dawuud wrote: >>>> Your only option would be to ask your ISP to uncensor the internet, >>>> unfortunately. Tor requires that all relays are able to contact all >>>> other relays, and those which cannot participate in the network. >>> >>> I think you meant to say: >>> "Tor requires that all relays are able to contact all directory authorities" >> >> Actually, no, we want it to be the case that all relays can reach all > > That does not contradict what dawuud wrote, as can be clearly seen. > What you want and what tor currently requires are not the same thing at all. > >> relays. The less true that becomes -- that is, the less clique-like >> the network topology becomes -- the more complicated the anonymity >> measurements become, and that is potentially quite bad. > > That is why OutboundBindAddress values need to be published somewhere. Some relay operators don't want to publish all their IP addresses. Other relay operators don't know or don't control their outbound addresses, or have multiple outbound addresses. Tor 0.2.7 used to publish OutboundBindAddresses in the exit policy by default. But as of 0.2.9 this was considered a bug and split into ExitPolicyRejectPrivate (which rejects published addresses) and ExitPolicyRejectLocalInterfaces (which rejects other addresses). So you could advocate for the adoption of ExitPolicyRejectLocalInterfaces 1, and then scrape exit policies for these addresses. Even then, you won't catch NATs and other weird arrangements that aren't on the local machine. > Those of us who use packet filters in defense of our systems and/or our LANs > can allow connections to our relays' ORPorts from otherwise blocked addresses > if we know which of those blocked addresses have tor relays that may be trying > to connect. Without that information, the only way you will ever get what you > want is by turning away volunteers. ... or by asking volunteers not to hurt client anonymity by blocking inbound connections. And telling them we might remove their relay in future if they block too many other relays. If you want to run a tor relay, it needs to be able to accept inbound connections from any address. That's the best way to make sure tor users are safe. We need to keep doing this, until we get some good research on anonymity in partially-connected networks. T -- Tim Wilson-Brown (teor) teor2345 at gmail dot com PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B ricochet:ekmygaiu4rzgsk6n ------------------------------------------------------------------------
Attachment:
signature.asc
Description: Message signed with OpenPGP
_______________________________________________ tor-relays mailing list tor-relays@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays