Hi Pascal,
On 04 Dec 2014, at 19:16, Pascal Pascal666@Users.SourceForge.Net wrote:
Microdescriptors (Tor >0.2.3.x) broke the inclusion of specific IPs in exit policies (exit enclaving). Did they break the exclusion of specific IPs in exit policies as well?
No, that's a local choice by the relay and it will prevent exiting to IPs that it disallows in its config.
Russia is not the only country to implement this type of ban. Is there a safe way to generalize and centralize this? E.g. if a directory authority detects an exit relay is in a location known to block access to/MITM specific IPs/ports it automatically updates the exit policy for that node in the directory to exclude them.
This is neither possible nor a good idea. The relay has to enforce its own exit policy, and the directory authority cannot do anything to change that. Giving them this kind of power would be very detrimental to the security of the network. The exit policy in a relay's descriptor is signed with that relay's key, and the dirauth has no access to it.
Cheers Sebastian