aboutsummaryrefslogtreecommitdiff
path: root/doc
diff options
context:
space:
mode:
Diffstat (limited to 'doc')
-rw-r--r--doc/tor-design.tex46
1 files changed, 3 insertions, 43 deletions
diff --git a/doc/tor-design.tex b/doc/tor-design.tex
index b277c45cc..88e2eb6f1 100644
--- a/doc/tor-design.tex
+++ b/doc/tor-design.tex
@@ -83,8 +83,9 @@ Onion Routing project published several design and analysis papers
Routing network was deployed for some weeks, the only long-running and
publicly accessible implementation of the original design was a fragile
proof-of-concept that ran on a single machine. Even this simple deployment
-processed tens of thousands of connections daily from thousands of users
-worldwide. But many critical design and deployment issues were never
+processed connections from over sixty thousand distinct IP addresses from
+all over the world at an average rate of about fifty thousand per day.
+But many critical design and deployment issues were never
resolved, and the design has not been updated in several years. Here
we describe Tor, a protocol for asynchronous, loosely federated onion
routers that provides the following improvements over the old Onion
@@ -979,46 +980,6 @@ require investigation.
\SubSection{Exit policies and abuse}
\label{subsec:exitpolicies}
-
-Tor offers more reliability than the high-latency fire-and-forget
-anonymous email networks, because the sender opens a TCP stream
-with the remote mail server and receives an explicit confirmation of
-acceptance. But ironically, the private exit node model works poorly for
-email, when Tor nodes are run on volunteer machines that also do other
-things, because it's quite hard to configure mail transport agents so
-normal users can send mail normally, but the Tor process can only deliver
-mail locally. Further, most organizations have specific hosts that will
-deliver mail on behalf of certain IP ranges; Tor operators must be aware
-of these hosts and consider putting them in the Tor exit policy.
-
-The abuse issues on closed (e.g. military) networks are different
-from the abuse on open networks like the Internet. While these IP-based
-access controls are still commonplace on the Internet, on closed networks,
-nearly all participants will be honest, and end-to-end authentication
-can be assumed for anything important.
-
-Tor is harder than minion because TCP doesn't include an abuse
-address. you could reach inside the http stream and change the agent
-or something, but that's a specific case and probably won't help
-much anyway.
-And volunteer nodes don't resolve to anonymizer.mit.edu so it never
-even occurs to people that it wasn't you.
-
-Preventing abuse of open exit nodes is an unsolved problem. Princeton's
-CoDeeN project \cite{darkside} gives us a glimpse of what we're in for.
-% This is more speculative than a description of our design.
-
-but their solutions, which mainly involve rate limiting and blacklisting
-nodes which do bad things, don't translate directly to Tor. Rate limiting
-still works great, but Tor intentionally separates sender from recipient,
-so it's hard to know which sender was the one who did the bad thing,
-without just making the whole network wide open.
-
-even limiting most nodes to allow http, ssh, and aim to exit and reject
-all other stuff is sketchy, because plenty of abuse can happen over
-port 80. but it's a surprisingly good start, because it blocks most things,
-and because people are more used to the concept of port 80 abuse not
-=======
%XXX originally, we planned to put the "users only know the hostname,
% not the IP, but exit policies are by IP" problem here too. Worth
% while still? -RD
@@ -1069,7 +1030,6 @@ limited set of well-known services, such as HTTP, SSH, or AIM.
This is not a complete solution, since abuse opportunities for these
protocols are still well known. Nonetheless, the benefits are real,
since administrators seem used to the concept of port 80 abuse not
->>>>>>> 1.79
coming from the machine's owner.
A further solution may be to use proxies to clean traffic for certain