eliminating bogus port 43 exits

Roger Dingledine arma at mit.edu
Mon Jun 15 08:40:42 UTC 2009

On Mon, Jun 15, 2009 at 02:43:49AM -0500, Scott Bennett wrote:
> >The main discord here seems to arise from totally different approaches 
> >to the question. You are building a whitelist while default tor exit 
> >policy is a blacklist. IMHO it's hard to constructively discuss amending 
> >blacklist from whitelist POV.
>      Actually, the default policy does neither.  It simply allows exits to
> most ports and blocks exits to a few.  IIRC, vidalia takes a different
> approach, defaulting to a relay only configuration.

No, Vidalia uses the default exit policy too when you opt to become a
relay. This probably surprises some Vidalia users, but it's still better
than having zero exit relays.

>      Then a couple of days ago after I posted information about new results,
> it was pointed out that I had missed a large number of official whois servers.
> So I went back and added their addresses.  Unfortunately, was not
> able to publish its descriptor bearing the additional exit policy information,
> so for the time being, I've simply closed port 43 to exits through my relay.
> Whenever I'm informed that the bug has been fixed, I'll try again.

We won't be fixing it. We don't want relay descriptors to be huge, because
every client has to fetch them. I would say that your heuristic of "if
you have too many exit policy lines about a given port, then simplify
by rejecting it" is not a bad one.

In the future, when clients aren't fetching relay descriptors at all,
and exit policies are instead summarized in the consensus or the
microdescriptors, clients won't even be learning the IP-address parts
of exit policies. See Section 3.4 of proposal 141 for details.


More information about the tor-talk mailing list