Tor bug?: AllowInvalidNodes

Roger Dingledine arma at mit.edu
Wed Aug 16 17:42:17 UTC 2006


On Wed, Aug 16, 2006 at 07:28:25PM +0200, Gompie wrote:
> Sorry, but I think that patch is not the correct way to go. With 
> "AllowInvalidNodes middle,rendezvous" (Tor v. 0.1.1.22) in my 
> torrc-file, I expect my Tor client not to build a circuit that uses an 
> invalid exit node. So apparently, something concerning this option is 
> broken and this should be fixed.

The fundamental confusion here is that the word 'invalid' means many
things to many people, but it means pretty much nothing to Tor. The
exit.pl script that Geoff wrote and runs on Serifos uses the phrase "not
a valid Tor server" to mean "not a Tor server as far as I know". The
word "valid" with respect to the AllowInvalidNodes config option is
simply defined as "not manually designated by the directory authorities
as invalid".

The reason why serifos's exit.pl script is confused as to whether these
particular IP addresses are Tor servers is because they publish one
IP but their traffic comes out another one. This is common practice for
multi-homed servers, and there are other networking features that make
it plausible too.

We have no master way of deciding whether a server is safe or not. Once
upon a time, we demanded that I had met each server operator personally.
That turned out to scale even less well than I had expected it to. So
the answer now is to aim to grow the Tor network large enough that few
adversaries are big enough to be able to attack it "well". There are also
some research avenues that seem promising but have a lot of hurdles yet
to overcome (e.g. http://freehaven.net/anonbib/#feamster:wpes2004).

That said, I suggest you forget all about the AllowInvalidNodes config
option. It's not in the sample torrc that we ship. It barely exists
anymore.

Hope that helps,
--Roger


