[tor-relays] exit policy to reflect country-wide ban

Sebastian Hahn sebastian at torproject.org
Thu Dec 4 21:50:11 UTC 2014


Hi Pascal,

On 04 Dec 2014, at 19:16, Pascal <Pascal666 at Users.SourceForge.Net> wrote:
> Microdescriptors (Tor >0.2.3.x) broke the inclusion of specific IPs in exit policies (exit enclaving).  Did they break the exclusion of specific IPs in exit policies as well?

No, that's a local choice by the relay and it will prevent exiting to
IPs that it disallows in its config.

> Russia is not the only country to implement this type of ban.  Is there a safe way to generalize and centralize this?  E.g. if a directory authority detects an exit relay is in a location known to block access to/MITM specific IPs/ports it automatically updates the exit policy for that node in the directory to exclude them.

This is neither possible nor a good idea. The relay has to enforce its
own exit policy, and the directory authority cannot do anything to change
that. Giving them this kind of power would be very detrimental to the
security of the network. The exit policy in a relay's descriptor is
signed with that relay's key, and the dirauth has no access to it.

Cheers
Sebastian
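
Added example, not part of the original message and not Tor's own code: a small Python evaluator showing how a relay-local exit policy that excludes specific IPs is applied, with rules checked in order and the first match deciding. The addresses are constructed documentation-range values, the rule strings are the part of a torrc `ExitPolicy` line after the keyword, and denying when nothing matches is a simplifying assumption of this sketch.

```python
import ipaddress

def parse_rule(rule):
    """Parse 'accept|reject ADDR[/MASK]:PORT' (IPv4; '*' wildcards; port ranges)."""
    action, pattern = rule.split()
    if action not in ("accept", "reject"):
        raise ValueError(f"unknown action: {action}")
    addr, _, port = pattern.rpartition(":")
    # None means "any address"; a bare IP becomes a /32 network.
    net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
    if port == "*":
        lo, hi = 1, 65535
    elif "-" in port:
        lo, hi = (int(p) for p in port.split("-"))
    else:
        lo = hi = int(port)
    return action, net, lo, hi

def exit_allowed(policy_lines, dest_ip, dest_port):
    """Return True if the first matching rule is 'accept'.

    Rules are evaluated top to bottom; the first match wins.
    Assumption of this sketch: no match at all means deny.
    """
    ip = ipaddress.ip_address(dest_ip)
    for line in policy_lines:
        action, net, lo, hi = parse_rule(line)
        if (net is None or ip in net) and lo <= dest_port <= hi:
            return action == "accept"
    return False

# Constructed sample policy: specific exclusions first, then general rules.
POLICY = [
    "reject 203.0.113.7:*",        # one excluded IP, all ports
    "reject 198.51.100.0/24:443",  # one excluded range, HTTPS only
    "accept *:80",
    "accept *:443",
    "reject *:*",
]

if __name__ == "__main__":
    for ip, port in [("203.0.113.7", 443), ("203.0.113.8", 443),
                     ("198.51.100.20", 443), ("198.51.100.20", 80)]:
        print(ip, port, "allowed" if exit_allowed(POLICY, ip, port) else "refused")
```

Because the first match wins, an exclusion placed after a broader `accept` rule never takes effect, so the specific `reject` lines belong at the top of the policy.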