[tor-relays] Simplifying ExoneraTor

Zack Weinberg zackw at cmu.edu
Tue Jul 7 18:47:23 UTC 2015


On Tue, Jul 7, 2015 at 12:21 PM, Karsten Loesing <karsten at torproject.org> wrote:
> On 07/07/15 17:40, Zack Weinberg wrote:
>
>> where: "Never" means the relay has never allowed exiting to any
>> port or IP;
>
> Well, the table already contains a timestamp, so this is probably not
> necessary.  Also, keeping a history of whether a relay permitted exiting
> up to a given time is quite expensive, because we'd have to re-import
> the whole descriptor archives for this.

The thing is, putting myself in the shoes of someone trying to
investigate an incident, I think the distinction among "this relay has
_never_ allowed any sort of exiting", "this relay _does_ allow exiting
right now", and "this relay _did_ allow exiting at some point in the
past but doesn't right now" is critical. More important than whatever
its current policy is wrt any given port or IP address.  Re-importing
the entire descriptor archive therefore strikes me as "yeah, if that's
what it takes, you should do that."

Moreover, when digging deeper, I would want to be able to know the
exact exit policy at a specific time in the past, which I believe
would entail having the entire descriptor history available anyway?

>> "Unrestricted" means the relay currently allows exiting to all
>> ports and IPs;
>
> Plausible, though there are hardly any relays permitting all ports.

Maybe the right distinction is between relays that allow more than the
common "reduced exit policy", and those that allow no more than that?

> I'd simply call this "Yes".  All relays with the Exit flag would have
> this state.

I do not think using "Yes" as a member of an N-way distinction (N>2)
is good design.

>> "Unlikely" means the relay currently allows exiting to some ports
>> and IPs, *not* enough to get the exit flag;
>
> This is probably what I'd call "Restricted" or "Limited".  That's for
> all relays which don't have reject 1-65535 and which also don't have
> the Exit flag.

I hesitate to use "Restricted" or "Limited" because people might think
it referred to the reduced exit policy.

I wanted a single word which expressed "technically an exit, but a
client would have had to override the default circuit generation
policy to have used it as an exit".  I'm not happy with "Unlikely" but
I can't think of anything better.

If five states is too many, I'd drop the unrestricted/restricted
distinction first (i.e. now/former/never/now but only with special
circuit generation).

zw
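As an added illustration of the four-state scheme Zack settles on at the end (now / former / never / "now but only with special circuit generation", called "unlikely" below), and of looking up the exact exit policy in force at a given time, here is a small Python classifier over a relay's descriptor history. It is example code written for this page, not ExoneraTor's or Tor's own code. It assumes the history is a list of server descriptors, each with its `published` timestamp and exit-policy lines, plus an Exit-flag boolean taken from the consensus of that time rather than computed here. The "permits any exit" check is an approximation: first match wins with an implicit trailing `reject *:*`, and an accept rule counts unless earlier wildcard-address rejects cover its whole port range. The relay histories are constructed, not real.

```python
"""Classify a relay's exit status at a point in time from its descriptor
history: never / former / now / unlikely.  Added example, not ExoneraTor code."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    accept: bool
    addr: str        # "*" or an address/CIDR; only "*" counts for shadowing here
    lo: int
    hi: int


@dataclass
class Descriptor:
    published: str       # "YYYY-MM-DD HH:MM:SS" as in a server descriptor; sorts as text
    policy: List[Rule]
    exit_flag: bool      # assumed input: the consensus Exit flag at that time


def parse_policy(lines: List[str]) -> List[Rule]:
    """Parse lines such as 'accept *:80' or 'reject 1.2.3.0/24:1-1024' into Rules."""
    rules = []
    for line in lines:
        action, target = line.split()
        addr, ports = target.rsplit(":", 1)
        if ports == "*":
            lo, hi = 1, 65535
        elif "-" in ports:
            lo, hi = (int(p) for p in ports.split("-"))
        else:
            lo = hi = int(ports)
        rules.append(Rule(action == "accept", addr, lo, hi))
    return rules


def _fully_covered(lo: int, hi: int, ranges: List[Tuple[int, int]]) -> bool:
    """True if every port in [lo, hi] falls inside some range in `ranges`."""
    pos = lo
    while pos <= hi:
        nxt = None
        for a, b in ranges:
            if a <= pos <= b:
                nxt = b + 1 if nxt is None else max(nxt, b + 1)
        if nxt is None:
            return False
        pos = nxt
    return True


def permits_any_exit(rules: List[Rule]) -> bool:
    """Does the policy accept at least one address:port?  First match wins and the
    implicit tail is 'reject *:*'.  An accept rule counts unless earlier
    wildcard-address rejects already cover its entire port range."""
    rejected_everywhere: List[Tuple[int, int]] = []
    for r in rules:
        if r.accept:
            if not _fully_covered(r.lo, r.hi, rejected_everywhere):
                return True
        elif r.addr == "*":
            rejected_everywhere.append((r.lo, r.hi))
    return False


def descriptor_at(history: List[Descriptor], when: str) -> Optional[Descriptor]:
    """The descriptor in force at `when`: the latest one published at or before it."""
    earlier = [d for d in history if d.published <= when]
    return max(earlier, key=lambda d: d.published) if earlier else None


def classify(history: List[Descriptor], when: str) -> str:
    current = descriptor_at(history, when)
    if current is None:
        return "unknown"          # relay not yet seen at that time
    if permits_any_exit(current.policy):
        return "now" if current.exit_flag else "unlikely"
    ever = any(permits_any_exit(d.policy) for d in history if d.published <= when)
    return "former" if ever else "never"


# Constructed sample histories (not real relays).
REDUCED = ["accept *:80", "accept *:443", "reject *:*"]
SAMPLE = {
    "middle-only": [Descriptor("2015-01-01 00:00:00", parse_policy(["reject *:*"]), False)],
    "retired-exit": [
        Descriptor("2015-01-01 00:00:00", parse_policy(["reject *:*"]), False),
        Descriptor("2015-03-01 00:00:00", parse_policy(REDUCED), True),
        Descriptor("2015-06-01 00:00:00", parse_policy(["reject *:*"]), False),
    ],
    # accept *:80 is shadowed by the earlier reject, but 6667 still gets through
    "odd-ports": [Descriptor("2015-02-01 00:00:00",
                             parse_policy(["reject *:80", "accept *:80",
                                           "accept *:6667", "reject *:*"]),
                             False)],
}


def classify_samples(when: str) -> dict:
    return {name: classify(hist, when) for name, hist in SAMPLE.items()}


if __name__ == "__main__":
    for when in ("2015-04-01 00:00:00", "2015-07-07 18:47:23"):
        print(when, classify_samples(when))
```

Because the classification walks every descriptor published up to the query time, it only works if the whole descriptor history is available, which is the re-import cost discussed above; `descriptor_at` is what an investigator would call to see the exact policy at a given moment.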

