On Tue, Jul 7, 2015 at 12:21 PM, Karsten Loesing <karsten@torproject.org> wrote:
On 07/07/15 17:40, Zack Weinberg wrote:
where: "Never" means the relay has never allowed exiting to any port or IP;
Well, the table already contains a timestamp, so this is probably not necessary. Also, keeping a history of whether a relay permitted exiting up to a given time is quite expensive, because we'd have to re-import the whole descriptor archives for this.
The thing is, putting myself in the shoes of someone trying to investigate an incident, I think the distinction among "this relay has _never_ allowed any sort of exiting", "this relay _does_ allow exiting right now", and "this relay _did_ allow exiting at some point in the past but doesn't right now" is critical. More important than whatever its current policy is wrt any given port or IP address. Re-importing the entire descriptor archive therefore strikes me as "yeah, if that's what it takes, you should do that."
Moreover, when digging deeper, I would want to be able to know the exact exit policy at a specific time in the past, which I believe would entail having the entire descriptor history available anyway?
"Unrestricted" means the relay currently allows exiting to all ports and IPs;
Plausible, though there are hardly any relays permitting all ports.
Maybe the right distinction is between relays that allow more than the common "reduced exit policy", and those that allow no more than that?
I'd simply call this "Yes". All relays with the Exit flag would have this state.
I do not think using "Yes" as a member of an N-way distinction (N>2) is good design.
"Unlikely" means the relay currently allows exiting to some ports and IPs, *not* enough to get the exit flag;
This is probably what I'd call "Restricted" or "Limited". That's for all relays which don't have reject 1-65535 and which also don't have the Exit flag.
I hesitate to use "Restricted" or "Limited" because people might think it referred to the reduced exit policy.
I wanted a single word which expressed "technically an exit, but a client would have had to override the default circuit generation policy to have used it as an exit". I'm not happy with "Unlikely" but I can't think of anything better.
If five states is too many, I'd drop the unrestricted/restricted distinction first (i.e. now/former/never/now but only with special circuit generation).
zw