TOR on Academic networks (problem)
Joseph Lorenzo Hall
joehall at gmail.com
Tue May 16 20:01:28 UTC 2006
Roger has addressed the general flavor of this before. The direction
that we've taken here at berkeley is to push for the network to be
changed (which really needs to happen in the long term).
Specifically, we're arguing to various administrative and technical
committees that the whole damn network shouldn't be trusted by
services that we subscribe to... and instead, the proxy service that
berkeleyites use to connect to library services off campus should be
used on campus too (so that a much smaller segment of our network is
I would be interested in hearing others' responses to your two
technical options below... which we didn't even consider. -Joe
On 5/16/06, Michael Holstein <michael.holstein at csuohio.edu> wrote:
> I'm sure this has happened to others, but here goes on my problem.
> Many academic networks have a variety of online journals they subscribe
> to (like thousands of them) .. most allow campus-wide use restricted
> only by IP address, usually the whole /16 or greater.
> This of course presents a problem when you have a TOR router in that
> /16. Sometimes the admin at the journals will understand that TOR is
> just one of those 65k+ IP addresses and block that, and sometimes they
> get into a snit and say they'll block the whole /16.
> Since we can't put thousands of lines in the exit policy without causing
> a cascading problem, what about null-routing them .. either by putting
> entries in /etc/hosts that will be denied by the exit policy (thus
> causing the client to pick another exit -- but not preventing access
> directly by IP address), or the more secure, but more problematic,
> blocking by changing the kernel routing tables to send those networks
> into a blackhole on the TOR router.
> The first approach causes a minimal problem performance-wise since the
> client will choose a new path. The second will cause timeouts and
> significantly impact performance.
> Problem is, if these sort of issues persist, most of our institutional
> support will evaporate -- so I'm going to have to do something.
> I really don't want to hear about censorship, et.al. because I already
> know that's what it is, and don't have a problem admitting it. What I
> want is viable solutions to the problem.
> Any suggestions?
> Michael Holstein CISSP GCIA
> Cleveland State University
Joseph Lorenzo Hall
PhD Student, UC Berkeley, School of Information
More information about the tor-talk