A way to allow firewalled exit nodes [Was: Re: getting more exit nodes]
kitsune.or at gmail.com
Tue Apr 29 00:17:48 UTC 2008
I think that adding a "firewall-piercing" rendezvous-type system (like
STUN, or I2P's SSU) to allow heavily-firewalled nodes to act as exits -
ON A STRICTLY VOLUNTARY BASIS (i.e., off by default) - might be a nice
I can think of one potential problem, though - I don't know if such a
firewalled exit could be reliable, from the client POV. The problem
isn't so much from the general way connections are made on the Net, as
it is in the trust-no-one model of how onions are formed.
It's possible, but to preserve both the encryption from the injection
into the Tor cloud to the exit node, and the TNO model, here's what
we're looking at:
1.) A firewalled node - we'll call it Router X - opens a number of
connections (the more the merrier, since it will complicate traffic
analysis) - to non-Guard and non-Exit nodes; we'll call these Routers A-M.
2.) Router X would publish an extended server descriptor, which would
include the list of nodes it's meshed with - in this case, Routers A-M.
3.) If a client, choosing nodes randomly, includes a firewalled node, it
would take that published list into account, so that it wouldn't put
adjacent layers on the onion that couldn't be handled by its neighbors.
(So, the client couldn't put a layer for Router Z right over Router X,
because Router Z wouldn't be able to contact Router X.)
4.) So, let's say the client layered an onion to pass from some random
Router Y --> Router A --> Router X. When the transfer starts, Router X
can act as an exit, even though it's firewalled.
It's an interesting solution from a pure hackery point-of-view; however,
the Occam's Razor part of me seriously questions whether it'd be worth it.
For one, we'd be talking about a serious overhaul of some code; in
1.) The directory protocols would have to allow for these extended
2.) The client code would have to take the meshes of firewalled exits
3.) Of course, the server code would have to allow for a firewalled exit
I thought I'd throw it out there, just for the hell of it - but my
personal opinion is, Tor is actually working far better than I had
expected. It's improved over the past year or so, and I don't think a
solution like this would be worth either the work, or the potential risk
of new bugs or attacks it could open up.
AAS, CompTIA A+/Network+/Security+
Owner of Tor node "kitsune"
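The path-selection constraint from steps 1-4 above, as an added example that is not part of the original post: a constructed toy relay model (the hypothetical `meshed_with` field stands in for the proposed extended descriptor) with a check that no hop is placed directly before a firewalled exit unless it is on that exit's mesh list, and a path builder that applies it.

```python
import random
from dataclasses import dataclass

# Constructed toy relay model, not Tor's real descriptor format.
@dataclass(frozen=True)
class Relay:
    name: str
    guard: bool = False
    exit: bool = False
    firewalled: bool = False
    # Hypothetical extended-descriptor field: relays this firewalled
    # node keeps outbound connections open to (the post's Routers A-M).
    meshed_with: frozenset = frozenset()

def can_extend(prev, nxt):
    """Can hop `prev` reach hop `nxt`? An ordinary relay accepts inbound
    connections from anyone; a firewalled one is reachable only over the
    connections it opened itself, so `prev` must be on its mesh list."""
    return (not nxt.firewalled) or prev.name in nxt.meshed_with

def path_is_valid(path):
    """Every adjacent pair in the circuit must be able to extend."""
    return all(can_extend(a, b) for a, b in zip(path, path[1:]))

def build_path(relays, rng=None, length=3):
    """Pick a guard -> middle -> exit path backwards from the exit, so a
    firewalled exit only gets predecessors that can actually reach it.
    Returns None if the mesh list leaves no usable predecessor."""
    rng = rng or random.Random()
    path = [rng.choice([r for r in relays if r.exit])]
    while len(path) < length:
        want_guard = len(path) == length - 1   # first hop must be a Guard
        cands = [r for r in relays if r not in path and not r.exit
                 and r.guard == want_guard and can_extend(r, path[0])]
        if not cands:
            return None
        path.insert(0, rng.choice(cands))
    return path

# Constructed sample network: X is the post's firewalled exit, meshed
# only with the non-Guard, non-Exit relays A and B.
RELAYS = [
    Relay("G1", guard=True), Relay("G2", guard=True),
    Relay("A"), Relay("B"), Relay("C"),
    Relay("X", exit=True, firewalled=True, meshed_with=frozenset({"A", "B"})),
    Relay("Z", exit=True),
]
BY_NAME = {r.name: r for r in RELAYS}

def sample_paths(n):
    return [build_path(RELAYS, random.Random(seed)) for seed in range(n)]
```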