[tor-talk] The reasoning behind the 'exit' flag definition

Nathan Suchy theusernameiwantistaken at gmail.com
Mon Sep 9 19:54:09 UTC 2013


Interesting how the flag works. I think it should be just at least one port
with access to one IP address. Also can you really get banned from Gmail? I
access my accounts from normal inet, VPN, and Tor depending on what I'm
doing... For example I have some emails I only access via Tor...

Sent from my Android so do not expect a fast, long, or perfect response...
On Sep 9, 2013 3:46 PM, "Roger Dingledine" <arma at mit.edu> wrote:

> On Mon, Sep 09, 2013 at 07:25:06PM +0000, tagnaq wrote:
> > I'd like to understand why the exit flag is defined as it is.
> >
> > The current definition can be found in the directory spec [1]:
> >
> > "
> > "Exit" -- A router is called an 'Exit' iff it allows exits to at
> >    least two of the ports 80, 443, and 6667 and allows exits to at
> >    least one /8 address space.
> > "
>
> The Exit flag used to not matter at all.
>
> Now it matters because clients use it for load balancing. (If you have
> the Exit flag then it's likely that other clients are using you as their
> exit, so we should avoid using you for non-exit positions in our path.)
>
> > I assume the exit flag was meant to be used by tor clients only [2]
> > because destination port 80/443 are probably amongst the most
> > frequently accessed services, but was then (mis)used to generate
> > (inaccurate) 'Tor exit IP address lists' (?).
>
> Does anybody actually do that?
>
> My experience is that people make a list of all Tor relays at all, and
> think of all of them as exiting anywhere, because they've never heard
> of exit policies at all.
>
> > This means that there is no way to tell if a relay actually allows
> > exiting (any) traffic simply by looking at relay flags. To actually
> > tell you would have to parse exit policies.
>
> Correct. Consensus flags aren't meant for that.
>
> > Which one of the following proposals would be more likely to be
> > accepted by the Tor Project (if any at all):
> >
> > - change the definition of the 'exit' flag to include all nodes that
> > allow *any* exiting traffic.
>
> This one is a poor idea, since it will ruin the load balancing which
> is the only thing it's used for.
>
> > - introduce a new flag that is set on all relays allowing *any* exit
> > traffic (leaving the current definition of the 'exit' flag unchanged)
>
> I guess we could do that. But I think it would be a burden on the network,
> to say something that doesn't matter in any way and have every client
> download it every few hours.
>
> > As an alternative, better tools to create 'tor exit lists' as
> > suggested in [4] and [5], might also do the job. Is someone aware of a
> > tool that implements something like that already?
>
> You don't like https://check.torproject.org/cgi-bin/TorBulkExitList.py ?
>
> --Roger
>
> > Something along the lines of:
> >
> > ./get-tor-exits [relay-IP] target-service-IP[/mask][:port],...
> >
> > output: boolean if relay-IP is given,
> > if no relay IP was given: print a list of all relay IP addresses that
> > would allow accessing (any) service in the target IP (range).
>
> https://www.torproject.org/tordnsel/exitlist-spec.txt
>
> This is up and running now (exitlist.torproject.org answers these dns
> queries), but unmaintained.
>
> See also
> https://trac.torproject.org/projects/tor/ticket/9204
> and
> https://trac.torproject.org/projects/tor/ticket/9529
>
> --Roger
>
> --
> tor-talk mailing list - tor-talk at lists.torproject.org
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>
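Added example (not tor's code, nor anything posted in the thread): a small Python evaluator for IPv4 exit policies that puts the two points above side by side. It implements the Exit-flag test as the quoted dir-spec wording reads (at least two of ports 80, 443, 6667, each reachable across at least one whole /8; the per-port reading of the "/8" clause is my interpretation, not a claim about tor's policy_is_general_exit), an exact "does this relay allow *any* exit at all" check, and the per-target lookup tagnaq sketches with get-tor-exits. Assumptions: accept/reject lines only (accept6/reject6 are skipped), a policy that falls through rejects (the trailing "reject *:*" relays append), and the five sample policies are constructed for the demonstration, not taken from real relays.

```python
"""Evaluate Tor IPv4 exit policies: the Exit-flag test as worded in the
dir-spec, an exact "allows any exit" test, and a per-target exit lookup.
Added example, not tor's own code."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class PolicyEntry:
    accept: bool
    network: IPv4Net          # '*' is parsed as 0.0.0.0/0
    port_min: int
    port_max: int

    def matches(self, addr: ipaddress.IPv4Address, port: int) -> bool:
        return addr in self.network and self.port_min <= port <= self.port_max


def parse_policy(lines: List[str]) -> List[PolicyEntry]:
    """Parse 'accept|reject ADDR[/MASK]:PORT|LO-HI|*' lines in descriptor order.
    Assumption: IPv4 only; accept6/reject6 and unknown lines are skipped."""
    entries = []
    for raw in lines:
        kind, _, spec = raw.strip().partition(" ")
        if kind not in ("accept", "reject"):
            continue
        addr_part, _, port_part = spec.strip().rpartition(":")
        net = IPv4Net("0.0.0.0/0") if addr_part == "*" else IPv4Net(addr_part, strict=False)
        if port_part == "*":
            lo, hi = 1, 65535
        else:
            lo_s, _, hi_s = port_part.partition("-")
            lo, hi = int(lo_s), int(hi_s or lo_s)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range in {raw!r}")
        entries.append(PolicyEntry(kind == "accept", net, lo, hi))
    return entries


def would_exit(policy: List[PolicyEntry], target: str, port: int) -> bool:
    """First matching entry wins.  Assumption: falling through rejects,
    matching the trailing 'reject *:*' that relays append."""
    addr = ipaddress.IPv4Address(target)
    for e in policy:
        if e.matches(addr, port):
            return e.accept
    return False


def _remove(pieces: List[IPv4Net], reject: IPv4Net) -> List[IPv4Net]:
    """Subtract `reject` from every network in `pieces`."""
    out = []
    for n in pieces:
        if n.subnet_of(reject):
            continue                               # swallowed whole
        if reject.subnet_of(n):
            out.extend(n.address_exclude(reject))  # punch a hole
        else:
            out.append(n)                          # disjoint
    return out


def allows_any_exit(policy: List[PolicyEntry]) -> bool:
    """True iff some addr:port is accepted, i.e. some accept entry is not fully
    shadowed by the rejects before it.  The set of active rejects only changes
    at their port boundaries, so testing those ports is exact."""
    rejects: List[PolicyEntry] = []
    for e in policy:
        if not e.accept:
            rejects.append(e)
            continue
        ports = {e.port_min}
        for r in rejects:
            ports.update(b for b in (r.port_min, r.port_max + 1) if e.port_min <= b <= e.port_max)
        for p in ports:
            pieces = [e.network]
            for r in rejects:
                if r.port_min <= p <= r.port_max:
                    pieces = _remove(pieces, r.network)
            if pieces:
                return True
    return False


EXIT_FLAG_PORTS = (80, 443, 6667)


def _exits_to_a_slash8(policy: List[PolicyEntry], port: int) -> bool:
    """Is some whole /8 reachable on `port`?  Entries narrower than /8 cannot
    decide a whole /8 and are ignored; the first remaining entry matching the
    port and containing a /8 decides it.  (My reading of the spec wording.)"""
    wide = [e for e in policy if e.network.prefixlen <= 8 and e.port_min <= port <= e.port_max]
    for octet in range(256):
        block = IPv4Net((octet << 24, 8))
        for e in wide:
            if block.subnet_of(e.network):
                if e.accept:
                    return True
                break                              # this /8 is rejected first
    return False


def qualifies_for_exit_flag(policy: List[PolicyEntry]) -> bool:
    """dir-spec: exits to at least two of 80/443/6667, each to at least one /8."""
    return sum(_exits_to_a_slash8(policy, p) for p in EXIT_FLAG_PORTS) >= 2


def relays_exiting_to(descs: Dict[str, List[str]], target: str, port: int) -> List[str]:
    """tagnaq's list: relays whose policy would carry traffic to target:port."""
    return sorted(n for n, lines in descs.items() if would_exit(parse_policy(lines), target, port))


# Constructed sample policies (not real relays), in descriptor order.
SAMPLES: Dict[str, List[str]] = {
    "web-exit":    ["reject *:25", "accept *:80", "accept *:443", "accept *:6667", "reject *:*"],
    "narrow-exit": ["accept 10.20.30.0/24:8080", "reject *:*"],          # exits, to one /24 only
    "partial":     ["reject 10.0.0.0/8:*", "accept 10.0.0.0/16:80",       # this accept is dead
                    "accept 10.0.0.0/7:443", "reject *:*"],              # 11.0.0.0/8 survives
    "shadowed":    ["reject *:80-8000", "accept *:443", "reject *:*"],   # accept is dead
    "non-exit":    ["reject *:*"],
}

if __name__ == "__main__":
    for name, lines in SAMPLES.items():
        pol = parse_policy(lines)
        print(f"{name:12s} any_exit={allows_any_exit(pol)!s:5s} Exit_flag={qualifies_for_exit_flag(pol)}")
    print("would exit to 11.2.3.4:443:", relays_exiting_to(SAMPLES, "11.2.3.4", 443))
```

The "narrow-exit" and "partial" rows are the point of the thread: both relays exit real traffic, yet neither meets the Exit-flag definition, so a list built from consensus flags would miss them, while "shadowed" shows why even "has an accept line" is not enough and the policy has to be evaluated in order.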

