From gwolf at gwolf.org Tue Apr 17 17:56:41 2018
From: gwolf at gwolf.org (Gunnar Wolf)
Date: Tue, 17 Apr 2018 12:56:41 -0500
Subject: [tor-teachers] Running relays in universities? Exit nodes, perhaps? Please share your experience!
Message-ID: <20180417175641.44ovvbvi7msc6ud3@gwolf.org>

TL;DR - Have you got official permission to operate Tor exit nodes
        within a university campus/network? Relay nodes, even? Please
        share with me how this permission was achieved! (or even if it
        was denied, please tell me!)

Hi,

I know this list is mostly about *teaching about* how to run Tor
(clients, relays, etc.), so sorry for presenting a very different kind
of topic here; I have sent a very similar message to the tor-relays
list, but I believe the population of this list to be interesting...

I am trying to get my university's (Universidad Nacional Autónoma de
México) OK to run an exit node from our campus' network. I currently
operate one relay, am willing to set up some extra relays, and have at
least one colleague in a different research institute with a relay of
his own, but I believe we should aim for exit nodes.

Now, I don't want to set it up in a rogue fashion, as I'm sure that
the university's NOC or CERT would not take long to get complaints and
require me to shut it down. I have already made an official request
for the permission to run an exit node and (as expected) it was turned
down. Quoting (translation mine) the reasons for rejection,

  1. This assignation is not factible because the Tor network is not
     compatible with the Acceptable Usage Policies of RedUNAM, being
     this infrastructure oriented to the service of institutional
     goals.

  2. While the Tor network can have research purposes, due to its
     nature and the hiding of IPv4 addresses and anonymous
     connectivity, it is susceptible to be used by third parties from
     outside the University with purposes conflicting with those
     specified in item 1, without any possibility of control or
     regulation from the University's part or from your project.

  3. Even more so: The Tor network, due to its definition and
     structure, can potentially incorporate third people with
     malicious or even delictive intentions, which would affect not
     only the computers or networks in your Institute or all of the
     University, but also networks outside the institution's control

So, I want to gather experiences from operators in different
universities or research institutions. Which way did you have to
argue? How hard was it to get this OK? Did you ask a permission for a
specific project, or as part of your networking infrastructure in
general? Did you ask this before setting up the exit node, or as a
"fait accompli" gathering not-too-ill results for a given time period?

Any help and pointers are welcome!

From kat at sigstop.org Tue Apr 17 18:34:06 2018
From: kat at sigstop.org (Kat)
Date: Tue, 17 Apr 2018 14:34:06 -0400 (EDT)
Subject: [tor-teachers] Running relays in universities? Exit nodes, perhaps? Please share your experience!
In-Reply-To: <20180417175641.44ovvbvi7msc6ud3@gwolf.org>
References: <20180417175641.44ovvbvi7msc6ud3@gwolf.org>
Message-ID:

Adding Ian, who is not on this list, but has relevant experience.

[Admin, can you whitelist him so he can participate without subscribing?]

-Kat

On Tue, 17 Apr 2018, Gunnar Wolf wrote:

> TL;DR - Have you got official permission to operate Tor exit nodes
>         within a university campus/network? Relay nodes, even? Please
>         share with me how this permission was achieved! (or even if it
>         was denied, please tell me!)
>
> Hi,
>
> I know this list is mostly about *teaching about* how to run Tor
> (clients, relays, etc.), so sorry for presenting a very different kind
> of topic here; I have sent a very similar message to the tor-relays
> list, but I believe the population of this list to be interesting...
>
> I am trying to get my university's (Universidad Nacional Autónoma de
> México) OK to run an exit node from our campus' network. I currently
> operate one relay, am willing to set up some extra relays, and have at
> least one colleague in a different research institute with a relay of
> his own, but I believe we should aim for exit nodes.
>
> Now, I don't want to set it up in a rogue fashion, as I'm sure that
> the university's NOC or CERT would not take long to get complaints and
> require me to shut it down. I have already made an official request
> for the permission to run an exit node and (as expected) it was turned
> down. Quoting (translation mine) the reasons for rejection,
>
>   1. This assignation is not factible because the Tor network is not
>      compatible with the Acceptable Usage Policies of RedUNAM, being
>      this infrastructure oriented to the service of institutional
>      goals.
>
>   2. While the Tor network can have research purposes, due to its
>      nature and the hiding of IPv4 addresses and anonymous
>      connectivity, it is susceptible to be used by third parties from
>      outside the University with purposes conflicting with those
>      specified in item 1, without any possibility of control or
>      regulation from the University's part or from your project.
>
>   3. Even more so: The Tor network, due to its definition and
>      structure, can potentially incorporate third people with
>      malicious or even delictive intentions, which would affect not
>      only the computers or networks in your Institute or all of the
>      University, but also networks outside the institution's control
>
> So, I want to gather experiences from operators in different
> universities or research institutions. Which way did you have to
> argue? How hard was it to get this OK? Did you ask a permission for a
> specific project, or as part of your networking infrastructure in
> general? Did you ask this before setting up the exit node, or as a
> "fait accompli" gathering not-too-ill results for a given time period?
>
> Any help and pointers are welcome!
>

From tor at cypherpunks.ca Tue Apr 17 21:58:11 2018
From: tor at cypherpunks.ca (Ian Goldberg)
Date: Tue, 17 Apr 2018 17:58:11 -0400
Subject: [tor-teachers] Running relays in universities? Exit nodes, perhaps? Please share your experience!
In-Reply-To:
Message-ID: <20180417215811.GA4493@yoink.cs.uwaterloo.ca>

The single most important thing I had to work out was that we couldn't
use a University of Waterloo IP address; if we had, then anyone exiting
through our exit node would get access to site-licensed journals and
other library materials, which use IP-based controls. The library also
could not provide us with a comprehensive list of such sites (otherwise
we could simply block them with an exit policy).

So most of the problem was acquiring IPv4 space not in the university's
allocation. This took some months.

Another advantage of having your own IP space is that you can list
yourself in SWIP as the abuse contact, so that you get the abuse
notifications, and not your network admins. I used to get about one
abuse complaint every ~3 weeks on average. But then this bot called
"Fail2Ban" appeared, and it auto-emails much more often. But almost
nobody configures it correctly, and the reply address rarely is
deliverable. So there's nothing to be done with those emails, anyway.
I still have a policy of sending a reply (starting with a form email,
slightly tweaked if they indicate they've already blocked the node from
their network) to each message, unless I already know that that sender
address cannot receive email.

We're still technically on the university's network, in that we share
the university's network uplinks. They currently cap our bandwidth at
100 Mbps, but I'm right now negotiating to up that to 1 Gbps, based on
writing a grant proposal to provide funding for them to provision an
extra 1 Gbps over what they currently have.

Another argument is that any researcher using the Tor network for
research is at least kind of ethically obligated to contribute capacity
to the network, much in the style of PlanetLab.

We originally put up a middle node, not an exit node (as the research
we were doing at the time did not require us to be an exit), but I
warned them early on that one day I would come asking to turn on the
exit flag. The day after I got tenure, I knocked on their door and
asked for that, because I thought that would be the funniest time to do
it. :-) As above, it then took some months to actually make it happen.

The University of Waterloo is very supportive of its faculty. The IT
staff really see it as their job to help us do what we need to do for
our research, which is great.

--
Ian Goldberg
Professor and University Research Chair
Cheriton School of Computer Science
University of Waterloo