Hi,
I am trying to run a few Exit relays on my 1 gbps connection. To keep donating the exit capacity to the Tor project I have to keep abuse reports to a minimum.
In order to have the Exit flag I have read that I have to keep two of ports 80, 443 and 6667 open, plus allow exiting to at least one /8 network - is that still the Dir spec? Is it correct that without the Exit flag, no clients will choose the relay for their circuits - even if its Exit policy allows the port they need? For example, take a look at the "cry" relay (one of top 10) - it is not marked as "Exit" as it only allows ports 6660-6667 - does that mean it is only ever used as a middle relay?
I have read that port 80 generates quite a bit of abuse complaints as it is used to tunnel non-HTTP traffic, by malware, etc. So, choosing ports 443 and 6667 to get the 'Exit' flag looks like the safest choice. I have also read that ports above 1024 are more likely to be used by BitTorrent clients, so they are to be rejected in order to minimize abuse.
My current, rather paranoid, list of accepted ports looks like this: 20-21, 53, 443, 993, 995, 6667. I am not sure how useful this is to Tor, and whether I will actually avoid complaints, but I guess I can only wait and see.
My question is about 6667 - should Tor's 'Exit flag policy' allow 6697 (IRC encrypted over SSL) as an alternative to 6667? I would rather support people using 6697, if I had the choice.
Thanks, Igor
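Added example (not code from anyone in this thread, and not Tor's own implementation): a small Python checker that parses torrc-style ExitPolicy lines and tests them against the Exit-flag rule as it is stated above (exits allowed to at least one /8 on at least two of ports 80, 443 and 6667). The two policies embedded below are constructed for illustration: one mirrors the port list in the message above, prefixed with private-range rejects of the kind ExitPolicyRejectPrivate adds; the other mirrors a 6660-6667-only policy like the "cry" relay described above. The trailing implicit `reject *:*`, IPv4-only handling and the conservative treatment of partially overlapping rejects are this example's assumptions.

```python
"""Check a torrc ExitPolicy against the Exit-flag criterion quoted in the thread."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Rule as stated in the thread (July 2017): two of these ports, each reachable on some /8.
EXIT_FLAG_PORTS = (80, 443, 6667)
EXIT_FLAG_MINIMUM = 2


@dataclass
class Rule:
    accept: bool
    network: Optional[ipaddress.IPv4Network]  # None means the wildcard '*'
    port_lo: int
    port_hi: int


def parse_policy(lines: List[str]) -> List[Rule]:
    """Parse 'ExitPolicy accept *:443' style lines (IPv4 only; accept6/reject6 are skipped)."""
    rules: List[Rule] = []
    for raw in lines:
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0].lower() == 'exitpolicy':
            parts = parts[1:]
        # one torrc line may carry several comma-separated rules
        for item in ' '.join(parts).split(','):
            action, _, target = item.strip().partition(' ')
            action = action.lower()
            if action in ('accept6', 'reject6'):
                continue  # IPv6 rules are out of scope for this checker
            if action not in ('accept', 'reject'):
                raise ValueError(f'bad action in rule: {item!r}')
            addr, _, ports = target.strip().rpartition(':')
            network = None if addr == '*' else ipaddress.ip_network(addr, strict=False)
            if ports == '*':
                lo, hi = 1, 65535
            elif '-' in ports:
                lo, hi = (int(x) for x in ports.split('-'))
            else:
                lo = hi = int(ports)
            rules.append(Rule(action == 'accept', network, lo, hi))
    return rules


def slash8_allowed(rules: List[Rule], port: int, first_octet: int) -> bool:
    """First matching rule wins. True only if ALL of first_octet.0.0.0/8 is accepted on `port`.
    Conservative: a reject that only partly overlaps the /8 disqualifies the whole block."""
    block = ipaddress.ip_network(f'{first_octet}.0.0.0/8')
    for r in rules:
        if not (r.port_lo <= port <= r.port_hi):
            continue
        if r.network is None or block.subnet_of(r.network):
            return r.accept  # this rule decides the entire /8
        if r.network.overlaps(block) and not r.accept:
            return False  # partial reject punches a hole in the /8
        # a partial accept settles only part of the block: keep scanning
    return False  # assumption: tor's implicit trailing "reject *:*"


def port_reachable(rules: List[Rule], port: int) -> bool:
    return any(slash8_allowed(rules, port, octet) for octet in range(256))


def qualifies_for_exit_flag(rules: List[Rule]) -> Tuple[bool, List[int]]:
    hits = [p for p in EXIT_FLAG_PORTS if port_reachable(rules, p)]
    return len(hits) >= EXIT_FLAG_MINIMUM, hits


# Constructed policy mirroring the port list in the message above.
IGOR_POLICY = [
    'ExitPolicy reject 0.0.0.0/8:*',      # private-range rejects, as ExitPolicyRejectPrivate adds
    'ExitPolicy reject 10.0.0.0/8:*',
    'ExitPolicy reject 192.168.0.0/16:*',
    'ExitPolicy accept *:20-21',
    'ExitPolicy accept *:53',
    'ExitPolicy accept *:443, accept *:993, accept *:995',
    'ExitPolicy accept *:6667',
    'ExitPolicy reject *:*',
]

# Constructed policy mirroring a 6660-6667-only exit like the "cry" relay described above.
CRY_LIKE_POLICY = ['ExitPolicy accept *:6660-6667', 'ExitPolicy reject *:*']

if __name__ == '__main__':
    for name, text in (('igor', IGOR_POLICY), ('cry-like', CRY_LIKE_POLICY)):
        ok, hits = qualifies_for_exit_flag(parse_policy(text))
        print(f'{name}: exit flag {"yes" if ok else "no"}, qualifying ports {hits}')
```

Running it reports that the first policy qualifies via 443 and 6667 (port 80 is rejected), while the 6660-6667-only policy reaches just one of the three ports and would not get the flag, matching the thread's description of that relay.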
On 5 Jul 2017, at 00:18, Igor Mitrofanov igor.n.mitrofanov@gmail.com wrote:
> Hi,
> I am trying to run a few Exit relays on my 1 gbps connection. To keep donating the exit capacity to the Tor project I have to keep abuse reports to a minimum.
> In order to have the Exit flag I have read that I have to keep two of ports 80, 443 and 6667 open, plus allow exiting to at least one /8 network - is that still the Dir spec?
Yes.
> Is it correct that without the Exit flag, no clients will choose the relay for their circuits - even if its Exit policy allows the port they need? For example, take a look at the "cry" relay (one of top 10) - it is not marked as "Exit" as it only allows ports 6660-6667 - does that mean it is only ever used as a middle relay?
It means that clients won't choose the relay for preemptive exit circuits. I think it might get some other Exit usage, but I'm not sure.
> I have read that port 80 generates quite a bit of abuse complaints as it is used to tunnel non-HTTP traffic, by malware, etc. So, choosing ports 443 and 6667 to get the 'Exit' flag looks like the safest choice. I have also read that ports above 1024 are more likely to be used by BitTorrent clients, so they are to be rejected in order to minimize abuse.
> My current, rather paranoid, list of accepted ports looks like this: 20-21, 53, 443, 993, 995, 6667. I am not sure how useful this is to Tor, and whether I will actually avoid complaints, but I guess I can only wait and see.
Most Tor traffic is HTTP or HTTPS, and the HTTPS proportion is growing. So this is useful.
> My question is about 6667 - should Tor's 'Exit flag policy' allow 6697 (IRC encrypted over SSL) as an alternative to 6667? I would rather support people using 6697, if I had the choice.
Some IRC services allow or require SSL on 6667, others require it on 6697. Why not enable both?
So I can't see a strong case for switching to 6697, given that the Exit flag is only a hint to relay operators about the minimum useful ports. (And a hint to clients about good relays for preemptive Exit circuits.)
T
-- Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B ricochet:ekmygaiu4rzgsk6n xmpp: teor at torproject dot org
>> at the "cry" relay (one of top 10) - it is not marked as "Exit" as it
> It means that clients won't choose the relay for preemptive exit circuits. I think it might get some other Exit usage, but I'm not sure.
Users (various technical folks) sometimes configure traffic through exits lacking the exit flag, to avoid censorship based on exit flags, to utilize otherwise flag-unavailable geolocations, for network test / measurement, to add some risk due to lower traffic levels, etc.
>> I have read that port 80 generates quite a bit of abuse complaints as it is used to tunnel non-HTTP traffic, by malware, etc. So, choosing ports 443 and 6667 to get the 'Exit' flag looks like the safest choice. I have also read that ports above 1024 are more likely to be used by BitTorrent clients, so they are to be rejected in order to minimize abuse.
>> My current, rather paranoid, list of accepted ports looks like this: 20-21, 53, 443, 993, 995, 6667. I am not sure how useful this is to Tor, and whether I will actually avoid complaints, but I guess I can only wait and see.
> Most Tor traffic is HTTP or HTTPS, and the HTTPS proportion is growing. So this is useful.
>> My question is about 6667 - should Tor's 'Exit flag policy' allow 6697 (IRC encrypted over SSL) as an alternative to 6667? I would rather support people using 6697, if I had the choice.
> Some IRC services allow or require SSL on 6667, others require it on 6697. Why not enable both?
> So I can't see a strong case for switching to 6697, given that the Exit flag is only a hint to relay operators about the minimum useful ports.
6667 cleartext is there because tor is old... it was widely prevailing then. 6697 TLS became widespread much later, especially post Snowden.
What does a survey of IRC nets regarding TLS capabilities look like today? Do users have some need to connect, out via exit, to [any particular] cleartext IRC services, for something that TLS IRC services do not provide? Do we continue endorsing cleartext upon operators who seek minimums and/or proffer to carry non-monitorable e2e traffic to avoid legal issues? Does cleartext insistence therein funnel users into choosing possibly harmful cleartext transports due to better speed / latency / probability of successful exit paths? What are consensus bandwidth capacity and exit node counts for 6667:6697? What is the traffic ratio of 6667:6697 actually exiting the network?
I suspect switching minimum to 6697 is fine, or at least making it logical OR.
On 5 Jul 2017, at 05:29, grarpamp grarpamp@gmail.com wrote:
...
>>> My current, rather paranoid, list of accepted ports looks like this: 20-21, 53, 443, 993, 995, 6667. I am not sure how useful this is to Tor, and whether I will actually avoid complaints, but I guess I can only wait and see.
>> Most Tor traffic is HTTP or HTTPS, and the HTTPS proportion is growing. So this is useful.
>>> My question is about 6667 - should Tor's 'Exit flag policy' allow 6697 (IRC encrypted over SSL) as an alternative to 6667? I would rather support people using 6697, if I had the choice.
>> Some IRC services allow or require SSL on 6667, others require it on 6697. Why not enable both?
I really do think this is a good way to tackle this issue: we should encourage relay operators to enable *both* 6667 and 6697.
The flag minimum requirement really is a minimum.
>> So I can't see a strong case for switching to 6697, given that the Exit flag is only a hint to relay operators about the minimum useful ports.
> 6667 cleartext is there because tor is old... it was widely prevailing then. 6697 TLS became widespread much later, especially post Snowden.
> What does a survey of IRC nets regarding TLS capabilities look like today? Do users have some need to connect, out via exit, to [any particular] cleartext IRC services, for something that TLS IRC services do not provide? Do we continue endorsing cleartext upon operators who seek minimums and/or proffer to carry non-monitorable e2e traffic to avoid legal issues?
Port numbers and TLS are orthogonal: port 443 can be used for cleartext, and port 80 for encrypted traffic. In the case of IRC, it's quite common for 6667 to be used with TLS.
And the Exit operator would need to set up DNSCrypt or similar. Otherwise Exit DNS requests are trivially monitorable.
> Does cleartext insistence therein funnel users into choosing possibly harmful cleartext transports due to better speed / latency / probability of successful exit paths? What are consensus bandwidth capacity and exit node counts for 6667:6697? What is the traffic ratio of 6667:6697 actually exiting the network?
Good question. We don't collect stats on individual ports, because it's hard to do safely.
> I suspect switching minimum to 6697 is fine, or at least making it logical OR.
The current Exit flag requires 2 ports out of [80, 443, 6667]. Can you clarify what the two options are that you are suggesting here?
T
-- Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B ricochet:ekmygaiu4rzgsk6n xmpp: teor at torproject dot org
tor-relays@lists.torproject.org