A way to allow firewalled exit nodes [Was: Re: getting more exit nodes]

Michael Rogers m.rogers at cs.ucl.ac.uk
Tue Apr 29 13:50:15 UTC 2008

F. Fox wrote:
> I think that adding a "firewall-piercing" rendezvous-type system (like
> STUN, or I2P's SSU) to allow heavily-firewalled nodes to act as exits -
> ON A STRICTLY VOLUNTARY BASIS (i.e., off by default) - might be a nice
> feature.

Maybe Tor could copy Gnutella's connection reversal trick: if a node X 
is firewalled, it connects to any unfirewalled node Y and publishes Y's 
address in its descriptor. When an unfirewalled node Z wants to open a 
connection to X, it sends a message to X through Y, and X opens a 
connection back to Z. The X->Z connection is used exactly as if it were 
a Z->X connection established in the normal way. The circuit doesn't 
pass through Y, so all the crypto from TLS upwards remains the same.

Your comments about modifying the descriptors would still apply, though, 
and clients would have to be aware of it because connection reversal 
can't establish a connection between two firewalled nodes, so no circuit 
could contain two consecutive firewalled nodes (I guess that might have 
implications for anonymity as well). But if it allows more people to run 
nodes then maybe it's a worthwhile tradeoff?


More information about the tor-talk mailing list