hi.
Recently, GitHub was blocked in Russia (see discussion here: https://news.ycombinator.com/item?id=8692584). The ban is enforced by all major ISPs (complying with this regulation is necessary to keep a telecom license, so no ISP risks disobeying). This means that if your exit node happens to be in Russia, you're out of luck when you try to connect to GitHub.
Some suggest marking exit nodes in Russia as bad exits because connecting via them leads to various problems (like the node's provider doing MitM on all GitHub HTTPS connections). Here is an example: https://twitter.com/wiretapped/status/539934125293961216
I think that if Russian exit operators implemented a reduced policy rejecting GitHub, that would be a better solution: they're still useful for all other sites, and a client would access GitHub using a Tor exit elsewhere.
Am I missing something here? Are there any disadvantages to this?
More generally, if the network a particular exit node is connected to blocks some IP addresses, is it wise to reflect those blocks in the node's ExitPolicy?
BR, Vladimir
Microdescriptors (Tor >0.2.3.x) broke the inclusion of specific IPs in exit policies (exit enclaving). Did they break the exclusion of specific IPs in exit policies as well?
Russia is not the only country to implement this type of ban. Is there a safe way to generalize and centralize this? E.g. if a directory authority detects an exit relay is in a location known to block access to/MITM specific IPs/ports it automatically updates the exit policy for that node in the directory to exclude them.
-Pascal
On 12/4/2014 8:55 AM, Vladimir Ivanov wrote:
Hi Pascal,
On 04 Dec 2014, at 19:16, Pascal Pascal666@Users.SourceForge.Net wrote:
> Microdescriptors (Tor >0.2.3.x) broke the inclusion of specific IPs in exit policies (exit enclaving). Did they break the exclusion of specific IPs in exit policies as well?
No, that's a local choice by the relay and it will prevent exiting to IPs that it disallows in its config.
> Russia is not the only country to implement this type of ban. Is there a safe way to generalize and centralize this? E.g. if a directory authority detects an exit relay is in a location known to block access to/MITM specific IPs/ports it automatically updates the exit policy for that node in the directory to exclude them.
This is neither possible nor a good idea. The relay has to enforce its own exit policy, and the directory authority cannot do anything to change that. Giving them this kind of power would be very detrimental to the security of the network. The exit policy in a relay's descriptor is signed with that relay's key, and the dirauth has no access to it.
Cheers Sebastian
On 12/4/2014 3:50 PM, Sebastian Hahn wrote:
> No, that's a local choice by the relay and it will prevent exiting to IPs that it disallows in its config.
Yes, but does it have a way of telling clients that so they will use a different exit for those IPs? Vladimir's original question was about not marking Russian nodes as bad exits just because they can't get to certain IPs.
I found the bug I was thinking of: https://trac.torproject.org/projects/tor/ticket/1774
It's old, but still open. I don't know if the microdescriptor format has been extended since then, but nickm states rather plainly that microdescriptors do not support excluding specific IPs.
-Pascal
Hi Pascal,
On 05 Dec 2014, at 04:26, Pascal Pascal666@Users.SourceForge.Net wrote:
> On 12/4/2014 3:50 PM, Sebastian Hahn wrote:
>> No, that's a local choice by the relay and it will prevent exiting to IPs that it disallows in its config.
> Yes, but does it have a way of telling clients that so they will use a different exit for those IPs? Vladimir's original question was about not marking Russian nodes as bad exits just because they can't get to certain IPs.
This influences path selection on the client without too good a reason, it also increases complexity on the dirauths even more. It would also mean yet larger consensuses to make these results public. Not a good plan.
> I found the bug I was thinking of: https://trac.torproject.org/projects/tor/ticket/1774
> It's old, but still open. I don't know if the microdescriptor format has been extended since then, but nickm states rather plainly that microdescriptors do not support excluding specific IPs.
This is a misunderstanding. It just means that clients don't know that a relay doesn't allow exiting to an individual IP address. The relay in question will still disallow the request to exit there.
Cheers Sebastian
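The point Sebastian makes above, shown as an added example that is not code from the thread or from Tor: the relay evaluates its full ExitPolicy, including per-IP rejects, while the port-only summary a client gets from a microdescriptor drops those rejects, so a client can pick this exit for a destination the relay will then refuse. The policy string, the documentation-range addresses and the summary logic are constructed and simplified assumptions, not Tor's actual parser.

```python
import ipaddress

def parse_exit_policy(policy):
    """Parse a torrc-style ExitPolicy string into (action, network, ports) rules.
    Example input: 'reject 192.0.2.0/24:*, accept *:80, reject *:*'."""
    rules = []
    for item in policy.split(","):
        action, target = item.strip().split()
        addr, port = target.rsplit(":", 1)
        net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
        if port == "*":
            ports = None                      # any port
        elif "-" in port:
            lo, hi = port.split("-")
            ports = range(int(lo), int(hi) + 1)
        else:
            ports = range(int(port), int(port) + 1)
        rules.append((action, net, ports))
    return rules

def relay_allows(rules, ip, port):
    """Relay-side decision: first matching rule wins, exactly as the relay enforces it."""
    addr = ipaddress.ip_address(ip)
    for action, net, ports in rules:
        if (net is None or addr in net) and (ports is None or port in ports):
            return action == "accept"
    return False  # Tor's implicit trailing 'reject *:*'

def client_sees_allowed(rules, port):
    """Client-side view (simplified assumption): a microdescriptor summarises the policy
    by port only, so rules that name a specific network are invisible to the client."""
    for action, net, ports in rules:
        if net is None and (ports is None or port in ports):
            return action == "accept"
    return False

# Constructed policy: reject one documentation-range network, allow web ports elsewhere.
POLICY = "reject 192.0.2.0/24:*, accept *:80, accept *:443, reject *:*"
RULES = parse_exit_policy(POLICY)

def demo():
    """Relay refuses 192.0.2.10:443, yet the client-side summary still lists 443 as open."""
    return (relay_allows(RULES, "192.0.2.10", 443),
            client_sees_allowed(RULES, 443),
            relay_allows(RULES, "198.51.100.5", 443))
```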
On Thu, Dec 04, 2014 at 05:55:10PM +0300, Vladimir Ivanov wrote:
> Recently, GitHub was blocked in Russia (see discussion here: https://news.ycombinator.com/item?id=8692584). The ban is enforced by all major ISPs (complying with this regulation is necessary to keep a telecom license, so no ISP risks disobeying). This means that if your exit node happens to be in Russia, you're out of luck when you try to connect to GitHub.
GitHub now seems to cooperate with the Russian government and has started GeoIP-based blocking. Russian exit relays should no longer be affected by HTTPS MitM.
Cheers, Philipp