diff options
Diffstat (limited to 'doc')
-rw-r--r-- | doc/tor-design.tex | 46 |
1 files changed, 3 insertions, 43 deletions
diff --git a/doc/tor-design.tex b/doc/tor-design.tex index b277c45cc..88e2eb6f1 100644 --- a/doc/tor-design.tex +++ b/doc/tor-design.tex @@ -83,8 +83,9 @@ Onion Routing project published several design and analysis papers Routing network was deployed for some weeks, the only long-running and publicly accessible implementation of the original design was a fragile proof-of-concept that ran on a single machine. Even this simple deployment -processed tens of thousands of connections daily from thousands of users -worldwide. But many critical design and deployment issues were never +processed connections from over sixty thousand distinct IP addresses from +all over the world at an average rate of about fifty thousand per day. +But many critical design and deployment issues were never resolved, and the design has not been updated in several years. Here we describe Tor, a protocol for asynchronous, loosely federated onion routers that provides the following improvements over the old Onion @@ -979,46 +980,6 @@ require investigation. \SubSection{Exit policies and abuse} \label{subsec:exitpolicies} - -Tor offers more reliability than the high-latency fire-and-forget -anonymous email networks, because the sender opens a TCP stream -with the remote mail server and receives an explicit confirmation of -acceptance. But ironically, the private exit node model works poorly for -email, when Tor nodes are run on volunteer machines that also do other -things, because it's quite hard to configure mail transport agents so -normal users can send mail normally, but the Tor process can only deliver -mail locally. Further, most organizations have specific hosts that will -deliver mail on behalf of certain IP ranges; Tor operators must be aware -of these hosts and consider putting them in the Tor exit policy. - -The abuse issues on closed (e.g. military) networks are different -from the abuse on open networks like the Internet. While these IP-based -access controls are still commonplace on the Internet, on closed networks, -nearly all participants will be honest, and end-to-end authentication -can be assumed for anything important. - -Tor is harder than minion because TCP doesn't include an abuse -address. you could reach inside the http stream and change the agent -or something, but that's a specific case and probably won't help -much anyway. -And volunteer nodes don't resolve to anonymizer.mit.edu so it never -even occurs to people that it wasn't you. - -Preventing abuse of open exit nodes is an unsolved problem. Princeton's -CoDeeN project \cite{darkside} gives us a glimpse of what we're in for. -% This is more speculative than a description of our design. - -but their solutions, which mainly involve rate limiting and blacklisting -nodes which do bad things, don't translate directly to Tor. Rate limiting -still works great, but Tor intentionally separates sender from recipient, -so it's hard to know which sender was the one who did the bad thing, -without just making the whole network wide open. - -even limiting most nodes to allow http, ssh, and aim to exit and reject -all other stuff is sketchy, because plenty of abuse can happen over -port 80. but it's a surprisingly good start, because it blocks most things, -and because people are more used to the concept of port 80 abuse not -======= %XXX originally, we planned to put the "users only know the hostname, % not the IP, but exit policies are by IP" problem here too. Worth % while still? -RD @@ -1069,7 +1030,6 @@ limited set of well-known services, such as HTTP, SSH, or AIM. This is not a complete solution, since abuse opportunities for these protocols are still well known. Nonetheless, the benefits are real, since administrators seem used to the concept of port 80 abuse not ->>>>>>> 1.79 coming from the machine's owner. A further solution may be to use proxies to clean traffic for certain |