[tor-dev] Do Tor relays rely on ICMP type 11 (time exceeded / timeout in transit)?

Sun Oct 22 18:14:08 UTC 2017

Hi,

On my relays I am dropping any traffic that Tor itself does not rely on.
I wonder if I should allow or block incoming and/outgoing ICMP type 11
(time exceeded / timeout in transit)?

My host does receive some ICMP type 11 packets, and does seem to send
some out, but I am not sure if Tor is the source or destination.
Do Tor relays use some 'traceroute'-like mechanism to detect unreachable relays?

"netstat -s:
    ...
    ICMP input histogram:
        ...
        timeout in transit: 1923
    ...
    ICMP output histogram:
        ...
        timeout in transit: 1277
"
I remember seeing outgoing TCP packets with TTL set to 1 - those were
the ones triggering incoming ICMP type 11 packets.

Thanks,
- Igor