[tor-relays] Exit node rejection of special IPv4 blocks

grarpamp grarpamp at gmail.com
Thu Apr 24 04:58:07 UTC 2014


On Wed, Apr 23, 2014 at 6:26 PM, Roger Dingledine <arma at mit.edu> wrote:
> On Wed, Apr 23, 2014 at 03:12:36PM -0400, Zack Weinberg wrote:
>> I'd like a sanity check on this list of special-purpose IPv4 blocks
>> which I'm currently forbidding in the CMU exit node's policy.  I'm

> Best practice is to only block addresses and destinations that you know
> you don't want to reach. When you block addresses where somebody tells
> you there should be nothing there, you're narrowing out the future.
> If the RFC changes tomorrow and you don't notice, suddenly you're blocking
> connections to a piece of Africa or whoever gets that IP space.

Yes, a lot of BGP people did/do that, blocking not just the
thou shalt not route stuff, but also just plain unallocated stuff,
leading to partial blackouts and weird routing for ages after
allocation till everyone updated their silly filters. Search "bogons".

> And if indeed nobody is using it, why block it?

Everything is pretty well collated and described here...
https://www.iana.org/numbers

6to4 appears global. Multicast won't work over Tor. Yet that huge swath
of space would seem ripe for better management/assignment someday.
Nanog would have that thread.

For shalt not... it probably doesn't matter if you block the whole
non-global special purpose lot. A couple reasons should be obvious:
- To protect yourself and nearby lan/wan systems from
remote access via selective use of you as the exit
towards those addresses. Obvious example is rfc1918
to gratuitously reconfigure your modem/router for you.
- To stop building and wasting circuits for users who
dump/leak packets with those destinations into
Tor, such packet dests would not be forwarded/accepted
by your ISP's routers anyways.

It would not be difficult for some relays to run
a report on what is seen trying to exit them.
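The two points raised in this thread, rejecting only the non-global special-purpose blocks rather than everything that looks unused, and running a report on what tries to exit, can be put together in a short script. The following is an added example and not code from this thread or from the Tor project; the block table is my own transcription of a subset of the IANA IPv4 Special-Purpose Address Registry (RFC 6890) plus the multicast range, with the "Global" column as it stood in 2014, and should be checked against https://www.iana.org/numbers before use. `ExitPolicy reject <cidr>:*` is real torrc syntax; note that Tor's `ExitPolicyRejectPrivate` option (on by default) already rejects the RFC 1918 and other private ranges, so the generated lines mainly add the remaining non-global blocks.

```python
import ipaddress

# Constructed table (assumption, verify against the IANA registry): a subset of
# the IPv4 Special-Purpose Address Registry plus 224.0.0.0/4 (multicast is not
# in that registry but is never unicast-reachable through a Tor exit).
# Columns: (cidr, name, reference, global). "global" follows the IANA column:
# only the 6to4 relay anycast block was marked routable at the time.
SPECIAL_PURPOSE = [
    ("0.0.0.0/8",          "This host on this network", "RFC 1122", False),
    ("10.0.0.0/8",         "Private-Use",               "RFC 1918", False),
    ("100.64.0.0/10",      "Shared Address Space",      "RFC 6598", False),
    ("127.0.0.0/8",        "Loopback",                  "RFC 1122", False),
    ("169.254.0.0/16",     "Link Local",                "RFC 3927", False),
    ("172.16.0.0/12",      "Private-Use",               "RFC 1918", False),
    ("192.0.0.0/24",       "IETF Protocol Assignments", "RFC 6890", False),
    ("192.0.2.0/24",       "TEST-NET-1",                "RFC 5737", False),
    ("192.88.99.0/24",     "6to4 Relay Anycast",        "RFC 3068", True),
    ("192.168.0.0/16",     "Private-Use",               "RFC 1918", False),
    ("198.18.0.0/15",      "Benchmarking",              "RFC 2544", False),
    ("198.51.100.0/24",    "TEST-NET-2",                "RFC 5737", False),
    ("203.0.113.0/24",     "TEST-NET-3",                "RFC 5737", False),
    ("224.0.0.0/4",        "Multicast",                 "RFC 5771", False),
    ("240.0.0.0/4",        "Reserved",                  "RFC 1112", False),
    ("255.255.255.255/32", "Limited Broadcast",         "RFC 919",  False),
]

_TABLE = [(ipaddress.ip_network(cidr), name, rfc, is_global)
          for cidr, name, rfc, is_global in SPECIAL_PURPOSE]


def lookup(dest):
    """Most specific special-purpose block containing dest, or None if unlisted.

    Returns (cidr, name, reference, global)."""
    addr = ipaddress.ip_address(dest)
    best = None
    for net, name, rfc, is_global in _TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, name, rfc, is_global)
    if best is None:
        return None
    net, name, rfc, is_global = best
    return (str(net), name, rfc, is_global)


def exit_decision(dest):
    """'reject' only for non-global special-purpose space.

    Blocks the registry marks as global (6to4 here) and unlisted space are
    accepted, so unallocated-but-routable prefixes are not shut out."""
    hit = lookup(dest)
    if hit is None or hit[3]:
        return "accept"
    return "reject"


def exit_policy_lines():
    """torrc ExitPolicy lines for the non-global blocks only."""
    return ["ExitPolicy reject %s:*" % cidr
            for cidr, _name, _rfc, is_global in SPECIAL_PURPOSE
            if not is_global]


def audit(dests):
    """Count attempted exit destinations by the block they fall in.

    Input is a list of destination IPs (for example pulled from a relay's
    own connection log); output is {block name: count}."""
    counts = {}
    for d in dests:
        hit = lookup(d)
        key = hit[1] if hit else "global unicast"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample of destinations a relay might see.
    sample = ["10.0.0.1", "192.168.1.254", "192.88.99.1", "224.0.0.251", "1.2.3.4"]
    for d in sample:
        print(d, exit_decision(d), lookup(d))
    print(audit(sample))
    print("\n".join(exit_policy_lines()))
```

The `audit` function is the "report on what is seen trying to exit" idea: feed it destination addresses from the relay's own logs and it shows how much circuit-building is being wasted on unroutable destinations, without touching user traffic content.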