TOR on Academic networks (problem)

Michael Holstein michael.holstein at
Tue May 16 12:48:02 UTC 2006

I'm sure this has happened to others, but here goes on my problem.

Many academic networks have a variety of online journals they subscribe 
to (like thousands of them) .. most allow campus-wide use restricted 
only by IP address, usually the whole /16 or greater.

This of course presents a problem when you have a TOR router in that 
/16. Sometimes the admin at the journals will understand that TOR is 
just one of those 65k+ IP addresses and block that, and sometimes they 
get into a snit and say they'll block the whole /16.

Since we can't put thousands of lines in the exit policy without causing 
a cascading problem, what about null-routing them .. either by putting 
entries in /etc/hosts that will be denied by the exit policy (thus 
causing the client to pick another exit -- but not preventing access 
directly by IP address), or the more secure, but more problematic, 
blocking by changing the kernel routing tables to send those networks 
into a blackhole on the TOR router.

The first approach causes a minimal problem performance-wise since the 
client will choose a new path. The second will cause timeouts and 
significantly impact performance.

Problem is, if these sorts of issues persist, most of our institutional 
support will evaporate -- so I'm going to have to do something.

I really don't want to hear about censorship, because I already 
know that's what it is, and don't have a problem admitting it. What I 
want is viable solutions to the problem.

Any suggestions?


Michael Holstein CISSP GCIA
Cleveland State University
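
Added example, not part of the original message: a sketch of how the three blocking options discussed above could be generated from one list of journal addresses, collapsing adjacent addresses into CIDR blocks so the exit policy needs fewer lines. The hostnames, addresses and the SINK address are constructed placeholders from documentation ranges, and the helper names are hypothetical.

```python
import ipaddress

# Constructed sample data: documentation-range placeholders, not real journal sites.
JOURNAL_HOSTS = {
    "journals.example.org": ["198.51.100.10", "198.51.100.11"],
    "library.example.net": ["203.0.113.0/25", "203.0.113.128/25"],
    "archive.example.com": ["192.0.2.44"],
}
SINK = "192.0.2.254"  # assumed sink address, rejected explicitly in the exit policy


def collapse(entries):
    """Merge addresses and prefixes into the fewest CIDR blocks covering them."""
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def journal_entries(hosts=JOURNAL_HOSTS):
    """Flatten the per-host address lists into one list."""
    return [e for addrs in hosts.values() for e in addrs]


def exit_policy_lines(entries):
    """torrc lines; they must precede any accept rule, since the first match wins."""
    return [f"ExitPolicy reject {cidr}:*" for cidr in collapse(entries)]


def blackhole_commands(entries):
    """Kernel null routes (iproute2): connections time out rather than being refused."""
    return [f"ip route add blackhole {cidr}" for cidr in collapse(entries)]


def hosts_lines(hostnames, sink=SINK):
    """/etc/hosts entries sending journal names to the sink; direct-IP requests are not covered."""
    return [f"{sink} {name}" for name in sorted(hostnames)]


if __name__ == "__main__":
    entries = journal_entries()
    print(f"# {len(entries)} entries collapse to {len(collapse(entries))} blocks")
    print("\n".join(exit_policy_lines(entries)))
    print(f"ExitPolicy reject {SINK}:*")
    print("\n".join(hosts_lines(JOURNAL_HOSTS)))
    print("\n".join(blackhole_commands(entries)))
```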
