[tor-relays] Exit node rejection of special IPv4 blocks

Roger Dingledine arma at mit.edu
Wed Apr 23 22:26:42 UTC 2014


On Wed, Apr 23, 2014 at 03:12:36PM -0400, Zack Weinberg wrote:
> I'd like a sanity check on this list of special-purpose IPv4 blocks
> which I'm currently forbidding in the CMU exit node's policy.  I'm
> most uncertain about denying access to multicast (224.0.0.0/4) and
> 6to4 router anycast (192.88.99.0/24) -- I *think* there are no
> scenarios where someone would actually need to get at either of those
> via Tor, but I could be wrong.


Hi Zack,

Best practice is to only block addresses and destinations that you know
you don't want to reach. When you block addresses where somebody tells
you there should be nothing there, you're narrowing out the future. If
the RFC changes tomorrow and you don't notice, suddenly you're blocking
connections to a piece of Africa or whoever gets that IP space. And if
indeed nobody is using it, why block it?

Thanks!
--Roger


