[tor-relays] Emerald Onion's new relays

grarpamp grarpamp at gmail.com
Thu Apr 4 07:45:17 UTC 2019


On 4/4/19, Conrad Rockenhaus <conrad at rockenhaus.com> wrote:
>> when ISPs are ordered to BGP blackhole some exit IP addresses

> I've been assigning a second set of IP addresses to my servers in case
> I want to run another instance of Tor. Would it be more prudent to use
> that second set of IP addresses as an OutboundBindAddressExit instead
> and use different ports as a better practice?

ISP traffic filtering sinks, from the tor browser perspective,
affecting traffic exiting a relay out through its exitpolicy
to clearnet, can be...

- dst based "sink traffic to there", appears as "cnn.com down",
a minor issue, depending on scope of the sink.

- src based "sink traffic from there", appears as "Internet down",
a major issue, depending on scope of the sink.

Unlike websites, and unless they're tied playing [geo]politics,
ISPs really don't like to keep these sinks in place for a long time.


Relay management such as OS updates, ssh, wget
could get blocked if those addresses are in consensus.

Then there are relay-to-relay traffic types that don't "exit",
but can still get found and blocked.

And the OR IP must obviously not be blocked, else depending
on scope, the relay won't receive traffic to move out any horizon.

Tor should still allow config of 2 tor instances on one IP.

If IPs are "free", and if operator survey says the exit functions are
getting knocked off the tor network more often than entire ORs,
try putting out the OutboundBindAddressExit on IP for sacrifice,
instead of burning entire ORs which could otherwise be used
more quietly as middle relays etc.

An operator's own cost, management, and ISP relationships
may show running more relays is better IP, or net traffic pushed,
wise than enduring a few sinks now and then.

Probably every situation is different. Or try both and see.


Common options from the manpage...

       Address address
       ORPort [address:]PORT|auto [flags]
       OutboundBindAddress IP
       OutboundBindAddressOR IP
       OutboundBindAddressExit IP

First one implemented was OutboundBindAddress,
then came OutboundBindAddressOR and
OutboundBindAddressExit. All for different matrix of reasons.
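
An added example, not part of the original post: a small torrc check an operator could run to see which relay functions would share the fate of the exit source address under a src-based sink. The function names and both sample configs are constructed for illustration; it assumes the manpage semantics that OutboundBindAddressOR and OutboundBindAddressExit override OutboundBindAddress for the same IP version, reads only the Address option as the advertised address, and uses a simplified line parser.

```python
import ipaddress

# Constructed sample configs; addresses are from the RFC 5737 documentation range.
SHARED = """
Address 192.0.2.10
ORPort 9001
OutboundBindAddress 192.0.2.10
"""
SPLIT = """
Address 192.0.2.10
ORPort 9001
OutboundBindAddressOR 192.0.2.10
# exit traffic leaves from a second, expendable address
OutboundBindAddressExit 192.0.2.20
"""

def parse_torrc(text):
    """Map lower-cased option name -> list of values (simplified parser)."""
    opts = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)  # drop comments, split key/value
        if len(parts) == 2:
            opts.setdefault(parts[0].lower(), []).append(parts[1].strip())
    return opts

def _first_ip(values, version):
    """First literal IP of the given version among the option values, else None."""
    for value in values:
        try:
            ip = ipaddress.ip_address(value.split()[0])
        except ValueError:
            continue  # hostname or other non-IP value
        if ip.version == version:
            return ip
    return None

def roles_sharing_exit_ip(text, version=4):
    """Roles a src-based sink on the exit address would also affect.
    Returns None when no exit source is pinned (the OS then picks it)."""
    opts = parse_torrc(text)
    default = _first_ip(opts.get("outboundbindaddress", []), version)
    exit_ip = _first_ip(opts.get("outboundbindaddressexit", []), version) or default
    if exit_ip is None:
        return None
    or_ip = _first_ip(opts.get("outboundbindaddressor", []), version) or default
    advertised = _first_ip(opts.get("address", []), version)
    roles = []
    if or_ip == exit_ip:
        roles.append("relay-to-relay")
    if advertised == exit_ip:
        roles.append("advertised OR address")
    return roles
```

An empty list means the exit source address is separate from the other functions; `None` means torrc does not pin it, so the host's routing table decides.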

