[tor-relays] Mexico ISP blocking authority nodes and preventing exit relays.
mirimir at riseup.net
Thu Feb 18 12:00:08 UTC 2016
On 02/18/2016 04:24 AM, Tim Wilson-Brown - teor wrote:
>> On 18 Feb 2016, at 22:16, Mirimir <mirimir at riseup.net> wrote:
>> On 02/18/2016 03:47 AM, Tim Wilson-Brown - teor wrote:
>>>> On 18 Feb 2016, at 14:40, Ricardo Malagon Jerez <rjmalagon at gmail.com> wrote:
>>>> I don't know how and why, but since January it is impossible to have an exit relay on the Telmex ISP.
>>>> And it is harder to reach authority nodes.
>>>> Someone wrote about this, but it is mid-February and it is the same.
>>>> Tor 2.8 alpha works pretty well with the authority fallback measures, but I can't implement the exit relay or publish the relay.
>>> Thanks for the feedback about the fallback directory mirrors feature - I am glad to hear that it's working as planned.
>>> But it only works for clients.
>>> Relays need to be able to post their descriptors to the authorities. So they have to be able to reach at least one authority - they can't use only fallback directory mirrors.
>> Could relays somehow use bridges for that?
> Relays could upload their descriptors to the authorities over 3-hop tor circuits, like hidden services do to hidden service directories.
> But that doesn't solve the core issue: Tor assumes all relays can connect to every other relay. If a relay can't reach the authorities, then that's 9 relays it can't reach, and it's likely that other relays are also blocked.
Doh. And any network that blocked access to authorities could block
access to all Tor relays.
> We would need to answer the following questions before we allowed relays that can't reach the authorities to bootstrap:
> * how many other relays can each Tor relay reach at the moment?
> * what's the minimum number of relays each relay should be able to reach to be useful?
> * how can we check if a relay can reach that many relays?
> * should the relay do the check itself before it submits its descriptor, or should the authorities or bandwidth authorities do the check?
> This requires some research and security analysis.
Right. A relay that needs a bridge to reach other relays is relatively
useless. And can perhaps hide malicious activity more easily too.
> Tim Wilson-Brown (teor)
> teor2345 at gmail dot com
> PGP 968F094B
> teor at blah dot im
> OTR CAD08081 9755866D 89E2A06F E3558B7F B5A9D14F