path selection despite exit policies
Roger Dingledine
arma at mit.edu
Mon Apr 7 17:18:17 UTC 2003
I've hit a roadblock in thinking about exit policies. The basic problem
is that users need to be able to compare their upcoming request with the
exit policies of the servers, so they can know which server will allow
their request to exit. But servers should accept/reject requests based
on IP, and the users phrase their requests as hostnames.
It seems the "if users resolve hostnames directly, they'll leak their
destination" problem from socks4 has come back to bite us again.
Here are some solutions that I'm not happy with:
A) Force users to tunnel a dns resolve through the tor network to find
out the IP of something. Firstly this slows things down some; secondly it
may produce reliability issues if an IP resolves differently in different
places; thirdly it may allow an attacker to mis-resolve an IP to send
the user in a desired direction. But maybe this approach is ok -- it would
also let normal socks4 applications work without leaking your destination.
B) Express exit policies in terms of hostnames. This is kind of a
bugger for places with lots of virthosts. It's also dangerous: I can
make foo.seul.org point to any IP in the world.
C) Guess and check. Open a circuit to a node, then try opening an outbound
connection and see if the node lets you. Also quite slow, and might leak
your interests to all sorts of nodes who otherwise wouldn't know.
Another requirement here is that I want clients to be able to recognize
when a hostname they're going to is on the same machine as an onion
router, so they can choose that node as its exit hop.
D) Let routers specify a list of "hostnames that are me" that gets
distributed in the directory. It can't be entirely automated, though,
or adversaries will sign up to "be" hosts they want to monitor. And this
doesn't entirely solve the problem.
E) Let exit policies be only based on port, and not address. The user
can look at the port directly and decide which exit nodes will allow it.
This removes the flexibility of restricting by address, but hey, do
people really need that?
Options D and E combined don't seem horrible. But it's certainly not
what I'd hoped exit policies to be. Thoughts?
--Roger
More information about the tor-dev
mailing list