On 4/4/19, Conrad Rockenhaus <conrad@rockenhaus.com> wrote:
> when ISPs are ordered to BGP blackhole some exit IP addresses
> I've been assigning a second set of IP addresses to my servers in case I want to run another instance of Tor. Would it be more prudent to use that second set of IP addresses as an OutboundBindAddressExit instead and use different ports as a better practice?
ISP traffic filtering sinks, from the tor browser perspective, affecting traffic exiting a relay out through its exitpolicy to clearnet, can be...
- dst based "sink traffic to there", appears as "cnn.com down", a minor issue, depending on scope of the sink.
- src based "sink traffic from there", appears as "Internet down", a major issue, depending on scope of the sink.
Unlike websites, and unless they're tied playing [geo]politics, ISPs really don't like to keep these sinks in place for a long time.
Relay management such as OS updates, ssh, wget could get blocked if those addresses are in consensus.
Then there are relay-to-relay traffic types that don't "exit", but can still get found and blocked.
And the OR IP must obviously not be blocked, else depending on scope, the relay won't receive traffic to move out any horizon.
Tor should still allow config of 2 tor instances on one IP.
If IPs are "free", and if operator survey says the exit functions are getting knocked off the tor network more often than entire ORs, try putting out the OutboundBindAddressExit on an IP for sacrifice, instead of burning entire ORs which could otherwise be used more quietly as middle relays etc.
An operator's own cost, management, and ISP relationships may show running more relays is better IP, or net traffic pushed, wise than enduring a few sinks now and then.
Probably every situation is different. Or try both and see.
Common options from the manpage...
    Address address
    ORPort [address:]PORT|auto [flags]
    OutboundBindAddress IP
    OutboundBindAddressOR IP
    OutboundBindAddressExit IP
First one implemented was OutboundBindAddress, then came OutboundBindAddressOR and OutboundBindAddressExit. All for a different matrix of reasons.
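
As an added example (not part of the original message or of Tor itself): a small torrc check that works out which source address exit and OR connections use, and whether a src-based sink on the exit address would also hit the advertised OR address. It covers IPv4 only; the sample torrc, the 192.0.2.x addresses and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample torrc; 192.0.2.x are documentation addresses.
SAMPLE_TORRC = """\
Address 192.0.2.10
ORPort 192.0.2.10:9001
OutboundBindAddressOR 192.0.2.10
# second address, used only as the source of exit connections
OutboundBindAddressExit 192.0.2.20
"""

def parse_torrc(text):
    """Map lower-cased option name -> list of values (comments stripped)."""
    opts = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            opts.setdefault(parts[0].lower(), []).append(parts[1].strip())
    return opts

def source_for(opts, kind, version=4):
    """Source IP for 'exit' or 'or' connections. The specific option overrides
    OutboundBindAddress for the same IP version; None = the OS chooses."""
    for name in ("outboundbindaddress" + kind, "outboundbindaddress"):
        for value in opts.get(name, []):
            ip = ipaddress.ip_address(value.strip("[]"))
            if ip.version == version:
                return ip
    return None

def advertised_or_ips(opts):
    """Literal IPs from Address and from the address part of ORPort."""
    hosts = list(opts.get("address", []))
    for value in opts.get("orport", []):
        host, sep, _port = value.split()[0].rpartition(":")
        if sep:
            hosts.append(host)
    ips = set()
    for host in hosts:
        try:
            ips.add(ipaddress.ip_address(host.strip("[]")))
        except ValueError:
            pass  # Address given as a hostname; not resolved here
    return ips

def audit(text):
    """Report whether a source-based sink on the exit IP would also hit the OR IP."""
    opts = parse_torrc(text)
    exit_src = source_for(opts, "exit")
    separated = exit_src is not None and exit_src not in advertised_or_ips(opts)
    return {"exit_src": exit_src, "or_src": source_for(opts, "or"), "separated": separated}
```

A result with "separated" set to False means exit connections leave from the same address the relay advertises as its OR address, or from whatever address the OS picks.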