[tor-dev] Proposal 188: Bridge Guards and other anti-enumeration defenses

Roger Dingledine arma at mit.edu
Tue Jun 12 11:06:21 UTC 2012


On Tue, Jun 12, 2012 at 12:55:24PM +0200, Fabio Pietrosanti (naif) wrote:
> And it would be very useful if we would allow an easy way to setup
> hundreds of "dumb bridges", simple TCP forwarding proxy that goes in a
> random order across all public relays.

No need to go in a random order across all public relays. Just point
all the addresses at a single bridge, and that should work fine.

(I say bridge, rather than relay, because bug 1776 remains open. If you
configure a public relay as a bridge, you will eventually crash. But
that's easily resolved by asking, say, Noisebridge or Torservers.net to
tell us about one of the big bridges they run.)

Another reason to avoid the 'striping across all relays' design, at least
at first, is that you'd better add code to pull down the consensus, check
the signatures on it, know what keys to expect, etc. If you're going to go
that route, check out https://trac.torproject.org/projects/tor/ticket/3466

> Easier to setup, available in big quantities.
> 
> I would be pleased to use my *dsl/cable home-router with fixed-IP
> address to do a port-mapping to a known and stable tor-relay.
> 
> Being able to "setup a bridge" by simply:
> - opening a port-forward on my router
> - submitting it to a web-interface
> 
> would be a very cool way to open-up opportunities of hundreds or
> thousands of different IP:PORT pair (basically a bridge) without having
> to run dedicated software on an always on-server (replaced by a simple
> home-router, that's "the always-on server").

Sounds great. Can somebody boil down the required iptables rules to
something really simple and foolproof?

And then there's the web interface component of bridgedb. Doesn't sound
*too* hard though, eh? :)

--Roger
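As an added example (not part of the thread), one way to boil the port-forward down to a checked rule set: a small shell script that validates the bridge address and ports and prints the iptables rules for a Linux home router acting as a "dumb bridge", i.e. a plain TCP forwarder to one real bridge. The bridge address and ports below are constructed placeholders, and the rules are printed for review rather than applied.

```shell
#!/bin/sh
# Constructed example: emit the iptables rules that make a Linux router forward
# one public TCP port to a single Tor bridge. The router only relays bytes; the
# Tor TLS session is still end to end between the client and the real bridge.
BRIDGE_IP="203.0.113.10"   # placeholder (TEST-NET-3), not a real bridge
BRIDGE_PORT="443"          # placeholder ORPort of that bridge
LISTEN_PORT="9001"         # port exposed on the router's public address

# Accept only a dotted-quad IPv4 address with octets <= 255, so a typo cannot
# silently produce a rule that forwards traffic somewhere else.
valid_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for o in $(echo "$1" | tr '.' ' '); do [ "$o" -le 255 ] || return 1; done
}

# Accept only a numeric port in 1-65535.
valid_port() {
  echo "$1" | grep -Eq '^[0-9]{1,5}$' && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print (do not apply) the rule set for bridge IP, bridge port, listen port.
# Returns 1 without printing anything if any argument fails validation.
dumb_bridge_rules() {
  ip="$1"; port="$2"; listen="$3"
  valid_ipv4 "$ip" && valid_port "$port" && valid_port "$listen" || return 1
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -p tcp --dport $listen -j DNAT --to-destination $ip:$port
iptables -t nat -A POSTROUTING -p tcp -d $ip --dport $port -j MASQUERADE
iptables -A FORWARD -p tcp -d $ip --dport $port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -s $ip --sport $port -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Review the printed rules, then pipe them to sh as root to apply them.
dumb_bridge_rules "$BRIDGE_IP" "$BRIDGE_PORT" "$LISTEN_PORT"
```

The MASQUERADE rule is what makes the bridge's replies come back through the router instead of going straight to the client's address, and the two FORWARD rules keep the forwarding limited to that one bridge and port.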
