Proposal: Exit Scanning

Roger Dingledine arma at
Tue Feb 17 22:53:25 UTC 2009

On Tue, Feb 17, 2009 at 02:23:49AM -0800, Mike Perry wrote:
> Title: Exit Scanning
> Version: $Revision$
> Last-Modified: $Date$
> Author: Mike Perry
> Created: 13-Feb-2009

I have just added this to the proposal directory as 'proposal 159'.

> Specification of Exit Marking:
> Technically, BadExit could be marked via SETCONF AuthDirBadExit over
> the control port, but this would allow full access to the directory
> authority configuration and operation.

Right. That seems like a very bad move.

> The approved-routers file could also be used, but currently it only
> supports fingerprints, and it also contains other data unrelated to
> exit scanning that would be difficult to coordinate.
> Instead, we propose a new badexit-routers file that has three
> keywords:
>   BadExitNet 1*[exitpattern from 2.3 in dir-spec.txt]
>   BadExitFP 1*[hexdigest from 2.3 in dir-spec.txt]
> BadExitNet lines would follow the codepaths used by AuthDirBadExit to
> set authdir_badexit_policy, and BadExitFP would follow the codepaths
> from approved-router's !badexit lines.
> The scanner would have exclusive ability to write, append, rewrite,
> and modify this file. Prior to building a new consensus vote, a
> participating Tor authority would read in a fresh copy.

This would involve quite a bit of new code -- reading, parsing, checking,
etc. I suggest we use the approved-routers file, with !badexit that's
already supported and teach it how to handle a new !badexitnet line.

It shouldn't be any more hassle on the SoaT side. For the two
Naming authorities (moria1 and tor26), we already manage multiple
approved-routers files, which are combined automatically.

The rule in my Makefile is:

approved-routers: approved-routers-auto approved-routers-manual tor-bad-fingerpr
        cat $^ > "$@"

This 'approved-routers-auto' file is created by

So SoaT could just generate and maintain an 'approved-routers-badexit'
file and we could add it to the Makefile line.

(One last note would be that we should run the file through another tiny
script to strip lines that don't start with !badexit or !badexitnet,
so we don't have to worry about somebody breaking into the soat and
generating !reject lines or Naming lines.)
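
The line-stripping step suggested at the end of the message above, as an added example (not code from this thread or from Tor). The function name filter_badexit, the 40-hex-digit check on !badexit arguments and the choice to treat the proposed !badexitnet argument as opaque are assumptions.

```shell
#!/bin/sh
# Added example: allowlist filter for a scanner-written approved-routers fragment.
# Assumptions (not from the thread): the function name, one directive per line,
# and that a !badexit argument is a 40-hex-digit fingerprint, optionally spaced.
# The !badexitnet argument is passed through unparsed; its syntax is only proposed.

filter_badexit() {
    # stdin: untrusted file from the scanner; stdout: lines safe to merge.
    # Dropped lines are reported on stderr by line number.
    LC_ALL=C awk '
    function drop() { printf "dropped line %d\n", NR > "/dev/stderr" }
    {
        sub(/\r$/, "")                               # tolerate CRLF endings
        # Keyword must start in column one and be a whole token, so
        # "!badexitfoo", "!reject" and plain Naming lines all fail here.
        if ($0 !~ /^!badexit(net)?[ \t]+[^ \t]/) { drop(); next }
        if ($0 ~ /[^\t -~]/) { drop(); next }        # control or non-ASCII bytes
        if ($1 == "!badexit") {
            fp = $0
            sub(/^!badexit[ \t]+/, "", fp)
            gsub(/[ \t]/, "", fp)
            if (fp !~ /^[0-9A-Fa-f]+$/ || length(fp) != 40) { drop(); next }
        }
        # awk terminates every record with a newline, so a file that lacks a
        # final newline cannot splice into the next file when the Makefile
        # concatenates the pieces with cat.
        print
    }'
}

# Constructed sample input (not real relay data): two lines pass, two are dropped.
printf '%s\n' \
    '!badexit 0123456789ABCDEF0123456789ABCDEF01234567' \
    '!reject 0123456789ABCDEF0123456789ABCDEF01234567' \
    '!badexitnet 10.0.0.0/8' \
    'somenick 0123456789ABCDEF0123456789ABCDEF01234567' | filter_badexit
```

Run on the scanner's output before the Makefile rule concatenates it, so only the filtered copy is ever a prerequisite of approved-routers.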

