On Sat, 7 Jun 2014 14:02:43 -0400 grarpamp <grarpamp@xxxxxxxxx> wrote:

> > So my idea is, maybe consider making directory authorities blacklist some
> > ports as being unacceptable as ORPorts, 22 and 53 come to mind for a start,
> > along with maybe 25 to avoid false alarms from anti-spam countermeasures.
>
> ORport config exists to give better anti blocking/censorship
> performance. So Tor should not exclude any OR port/protocol.
> The problem is with you and your ISP, not other relays who
> have fine working relationships with their ISP regarding binding
> to those ports.

First of all, if an end-user is affected by censorship, they are likely to use Tor Bridges anyway, so the need for plain relays on standard ports does not seem to be of much significance.

Second, contrary to what you describe regarding ISP relationships, it could very well be that running a relay on a port like 22 or 53 is caused by the opposite, i.e. by the ISP not being fully informed of what the relay operator is doing on their machine, and as a result the said operator only being able to request opening/forwarding of a few innocent-looking ports from their network administrator (e.g. at a university or school). Sure, they are doing this with the best intentions to contribute bandwidth to Tor, but if such a 'contribution' ends up knocking five other much faster relays out of being able to act as relays any more, how positive is it really?

> A relay operator who feels they are at risk of making such
> contact should probably work with their host or find another
> one instead of narrowing their possible outbound paths. (The
> impact to tor network of RelayNoORPorts would depend on
> percent nodes having your noisy ORport and traffic weights.
> May also affect clients reaching specific exit relay using said
> ports. And add more overhead signaling. Better to find new host.)
One issue is that the very fact that having a lot of such connections can be problematic is often only discovered post-factum*, i.e. after the user has already been forcefully "parted" from their VPS or dedi (prepaid for some significant period, too). Trying to explain about Tor in this case can easily result in some less-than-qualified or overly cautious ISPs banning all Tor on their network altogether ("oh, so it was Tor that caused these SSH or DNS attacks? OK, from now on we're adding a 'no Tor' rule to the ToS").

* Sure, you might argue that any relay operator needs to be upfront with their ISP about running a relay, but really, the easiest and most workable solution when running a non-exit relay is (or at least was, before these port 22 and port 53 relays) to stay "below the radar".

Another issue is that the pool of hosts providing cheap or reasonably priced unmetered VPSes or dedicated servers is far from infinite, such that you could so easily just abandon one and move over to the next.

-- 
With respect,
Roman
Attachment:
signature.asc
Description: PGP signature
-- tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
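As an added example (not code from this thread, nor from the Tor project): a small Python script that reads the `r` and `w` lines of a Tor network-status consensus and reports how many relays, and what share of the total consensus bandwidth weight, have their ORPort on 22, 53 or 25, the ports the thread proposes blacklisting. The "percent nodes having your noisy ORport and traffic weights" that grarpamp says any such exclusion's impact would depend on is exactly this weight share. The consensus excerpt embedded below is constructed for the example; the nicknames, identities, digests and addresses are made up.

```python
"""Count, and bandwidth-weight, Tor relays whose ORPort is on a 'noisy' port.

Added example, not code from the tor-talk thread or from Tor itself. It uses
only the `r` and `w` lines of a consensus. Per Tor's dir-spec an `r` line is
  r nickname identity digest date time IP ORPort DirPort        (full consensus)
  r nickname identity date time IP ORPort DirPort               (microdesc consensus)
and the `w Bandwidth=N ...` line that follows it carries the relay's weight.
Both layouts end in IP ORPort DirPort, so the parser reads from the end.
"""
from collections import defaultdict

# Ports proposed in the thread as unacceptable ORPorts, with the service
# that traffic to them gets mistaken for.
NOISY_PORTS = {22: "ssh", 53: "dns", 25: "smtp"}

# Constructed consensus excerpt (not real relays; identities/digests are dummies).
SAMPLE_CONSENSUS = """\
r fastrelay1 AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2014-06-07 10:00:00 198.51.100.10 443 80
s Fast Guard Running Stable Valid
w Bandwidth=50000
r sshlooking CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2014-06-07 10:05:00 198.51.100.20 22 0
s Fast Running Valid
w Bandwidth=500
r dnslooking EEEEEEEEEEEEEEEEEEEEEEEEEEE FFFFFFFFFFFFFFFFFFFFFFFFFFF 2014-06-07 10:10:00 203.0.113.5 53 0
s Running Valid
w Bandwidth=200 Unmeasured=1
r fastrelay2 GGGGGGGGGGGGGGGGGGGGGGGGGGG HHHHHHHHHHHHHHHHHHHHHHHHHHH 2014-06-07 10:15:00 203.0.113.9 9001 9030
s Fast Guard Running Stable Valid
w Bandwidth=30000
"""

# Constructed microdesc-consensus style entry (no digest field) for the same parser.
SAMPLE_MICRODESC_ENTRY = """\
r smtplooking IIIIIIIIIIIIIIIIIIIIIIIIIII 2014-06-07 10:20:00 192.0.2.7 25 0
w Bandwidth=100
"""


def parse_consensus(text):
    """Return a list of {nickname, ip, orport, bandwidth} dicts, one per `r` line.

    A `w` line applies to the most recent `r` line; relays that have no `w`
    line keep bandwidth 0. Lines of other types (`s`, `v`, `p`, ...) are ignored.
    """
    relays = []
    current = None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "r" and len(fields) in (8, 9):
            current = {"nickname": fields[1], "ip": fields[-3],
                       "orport": int(fields[-2]), "bandwidth": 0}
            relays.append(current)
        elif fields[0] == "w" and current is not None:
            for kv in fields[1:]:
                key, _, value = kv.partition("=")
                if key == "Bandwidth" and value.isdigit():
                    current["bandwidth"] = int(value)
    return relays


def noisy_port_report(relays, noisy_ports=NOISY_PORTS):
    """Per-port counts plus the share of total consensus weight on noisy ports."""
    total_weight = sum(r["bandwidth"] for r in relays) or 1  # avoid /0 on empty input
    by_port = defaultdict(lambda: {"count": 0, "weight": 0, "relays": []})
    for r in relays:
        if r["orport"] in noisy_ports:
            entry = by_port[r["orport"]]
            entry["count"] += 1
            entry["weight"] += r["bandwidth"]
            entry["relays"].append(f"{r['nickname']}@{r['ip']}:{r['orport']}")
    noisy_weight = sum(e["weight"] for e in by_port.values())
    return {
        "relays_total": len(relays),
        "noisy_count": sum(e["count"] for e in by_port.values()),
        "noisy_weight_share": noisy_weight / total_weight,
        "by_port": {port: dict(entry) for port, entry in by_port.items()},
    }


if __name__ == "__main__":
    report = noisy_port_report(parse_consensus(SAMPLE_CONSENSUS))
    print(f"{report['noisy_count']} of {report['relays_total']} relays on noisy ports, "
          f"{report['noisy_weight_share']:.2%} of consensus weight")
    for port, entry in sorted(report["by_port"].items()):
        print(f"  port {port} ({NOISY_PORTS[port]}): {entry['count']} relay(s), "
              f"weight {entry['weight']}: {', '.join(entry['relays'])}")
```

To run it against real data, feed `parse_consensus()` the contents of `cached-consensus` or `cached-microdesc-consensus` from a relay's DataDirectory instead of the constructed excerpt. In the excerpt two of four relays sit on ports 22 and 53 but carry under one percent of the weight, which is the kind of figure that would decide whether excluding them costs the network anything.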