A way to allow firewalled exit nodes [Was: Re: getting more exit nodes]
Michael Rogers
m.rogers at cs.ucl.ac.uk
Tue Apr 29 13:50:15 UTC 2008
F. Fox wrote:
> I think that adding a "firewall-piercing" rendezvous-type system (like
> STUN, or I2P's SSU) to allow heavily-firewalled nodes to act as exits -
> ON A STRICTLY VOLUNTARY BASIS (i.e., off by default) - might be a nice
> feature.
Maybe Tor could copy Gnutella's connection reversal trick: if a node X
is firewalled, it connects to any unfirewalled node Y and publishes Y's
address in its descriptor. When an unfirewalled node Z wants to open a
connection to X, it sends a message to X through Y, and X opens a
connection back to Z. The X->Z connection is used exactly as if it were
a Z->X connection established in the normal way. The circuit doesn't
pass through Y, so all the crypto from TLS upwards remains the same.
Your comments about modifying the descriptors would still apply, though,
and clients would have to be aware of it because connection reversal
can't establish a connection between two firewalled nodes, so no circuit
could contain two consecutive firewalled nodes (I guess that might have
implications for anonymity as well). But if it allows more people to run
nodes then maybe it's a worthwhile tradeoff?
Cheers,
Michael
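As an added illustration that is not part of this thread and not Tor's own code, here is a small Python model of the connection reversal Michael describes; the node names, the descriptor fields and the relayed connect-back request are constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Node:
    name: str
    firewalled: bool
    relay: Optional["Node"] = None               # Y for a firewalled X, else None
    mailbox: list = field(default_factory=list)  # requests forwarded by the relay

    def descriptor(self) -> dict:
        # A firewalled node publishes its relay's address instead of its own
        # (constructed descriptor layout, not Tor's real format).
        contact = self.relay if self.firewalled else self
        return {"node": self.name, "contact": contact.name,
                "reversal": self.firewalled}

@dataclass
class Link:
    initiator: str     # side that actually opened the TCP connection
    responder: str
    logical_from: str  # direction the circuit treats the link as having
    logical_to: str

def relay_forward(relay: Node, dst: Node, msg: dict) -> None:
    # Y only forwards the connect-back request; it never joins the circuit.
    if dst.relay is not relay:
        raise ValueError(f"{relay.name} is not the published relay of {dst.name}")
    dst.mailbox.append(msg)

def dial(src: Node, dst: Node) -> Optional[Link]:
    """Establish the logical link src->dst, reversing when dst is firewalled."""
    desc = dst.descriptor()
    if not desc["reversal"]:
        return Link(src.name, dst.name, src.name, dst.name)  # ordinary dial
    if src.firewalled:
        return None  # reversal cannot join two firewalled nodes
    relay_forward(dst.relay, dst, {"connect_back_to": src.name})
    req = dst.mailbox.pop()  # X reads Z's request via Y, then dials Z itself
    return Link(dst.name, req["connect_back_to"], src.name, dst.name)

def circuit_ok(path: list) -> bool:
    """A circuit may not contain two consecutive firewalled nodes."""
    return not any(a.firewalled and b.firewalled for a, b in zip(path, path[1:]))

# Constructed topology: Y and Z are reachable, X and W sit behind firewalls.
Y = Node("Y", firewalled=False)
Z = Node("Z", firewalled=False)
X = Node("X", firewalled=True, relay=Y)
W = Node("W", firewalled=True, relay=Y)
```

`dial(Z, X)` yields a connection opened by X but carrying the logical Z->X link, and `circuit_ok` encodes the path constraint the post points out.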