[tor-relays] Simplifying ExoneraTor

[teor]

> On 7 Jul 2015, at 17:01 , josh at tucker.wales wrote:
> 
> 
>> On 7 Jul 2015, at 07:48, Karsten Loesing <karsten at torproject.org> wrote:
>> 
>>> On 07/07/15 03:45, teor wrote:
>>> 
>>>>> On 7 Jul 2015, at 09:46 , josh at tucker.wales wrote:
>>>>> 
>>>>> From the perspective of someone investigating abuse, I think
>>>>> it's important that 'not an exit relay' means 'not capable of
>>>>> exiting on any port at all'. Ergo I think your option c) is the
>>>>> way to go.
>>>> 
>>>> I also think this (c) is the best option. I agree that it's
>>>> important to be able to determine, from an investigatory
>>>> perspective, whether or not a relay was capable of exiting on any
>>>> port.
>> 
>> Okay, let's do c).
>> 
>>> And, if we are going to implement "Exit" as any port, it should
>>> also be *any* IP, not just an IPv4 /8 as in the Ext flag
>>> definition.
>> 
>> For c), we'd just check if there's a "p reject 1-65535" line or not.
>> 
> 
> I think this is a perfectly OK way of doing this considering the use case.

I agree, as long as we document what "Exit" means, and that there are edge cases where a relay could be used to exit to a small number of IPs, yet not have "yes" in the "Exit" column. (A false negative.)

It may be worth documenting the false positives as well, that is, that there are many ways a packet could appear to be from an IP, yet not have come via Tor.

Are we going to provide a list of exit ports, or does Exonerator not go into that level of detail?

Tim

Tim Wilson-Brown (teor)

teor2345 at gmail dot com
pgp ABFED1AC
https://gist.github.com/teor2345/d033b8ce0a99adbc89c5

teor at blah dot im
OTR D5BE4EC2 255D7585 F3874930 DB130265 7C9EBBC7

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 832 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20150707/d78c91e8/attachment.sig>