Opened 7 years ago

Closed 3 years ago

#6327 closed enhancement (duplicate)

Exit policy for ASN-based allow

Reported by: ioerror Owned by: ln5
Priority: Medium Milestone: Tor: unspecified
Component: Core Tor/Tor Version:
Severity: Keywords: bgp asn needs-proposal tor-relay
Cc: nickm, arma, ln5, ioerror, karsten, lunar@… Actual Points:
Parent ID: #22339 Points:
Reviewer: Sponsor:

Description

We need to integrate ASNs into configurations for exit nodes. This should allow ln5 to set an exit policy that allows for policies based on a single ASN or a list of ASNs.

A very easy way to accomplish this is to modify the exit policy checking code on the exit node and before the last policy is applied.

As an example, we'd add the right headers for IP to ASN and then after a DNS resolve, we check the IP:port against the IP to ASN database and if it matches the allowed ASNs, we pass the policy test.

This does not actually enable the client or any client to use these exits but it does mean that the exit can signal, locally, a policy related to ASN.

We should also write a proposal to decide how clients use ASN exit policies safely.

Child Tickets

Change History (12)

comment:1 Changed 7 years ago by nickm

Component: - Select a componentTor Relay
Summary: BGP as exitExit policy for ASN-based allow

This needs a small proposal, at least for the part where we add non-advertised exit policy components.

comment:2 Changed 7 years ago by nickm

Milestone: Tor: unspecified

comment:3 Changed 7 years ago by nickm

Keywords: needs-proposal added

comment:4 Changed 7 years ago by arma

Do we add an 'acceptAS' line, sort of like the 'accept6' line currently? And then clients that don't understand it will ignore it?

If we're talking about a few ASes, that sounds plausible. If we're talking about 300, less so.

comment:5 Changed 7 years ago by arma

Also, what's the right IP-to-AS db to use, and what format is in it? Can we convert it so our geoip parsing code can (mostly) handle it?

comment:6 Changed 7 years ago by ioerror

Cc: ioerror added

comment:7 Changed 7 years ago by karsten

Cc: karsten added

comment:8 Changed 7 years ago by nickm

Keywords: tor-relay added

comment:9 Changed 7 years ago by nickm

Component: Tor RelayTor

comment:10 Changed 6 years ago by lunar

Cc: lunar@… added

comment:11 Changed 6 years ago by naif

Would it possible, with this method, to enable an exit policy to express stuff like:

  • "Allow only Facebook"
  • "Allow only Youtube"
  • "Allow only youporn"

It would be interesting to try to implement one of such policy, as it would enable a lot of people to run "high bandwidth exit node" going on the top-traffic websites (that are also the non-abuse generating, so safe to be run at home).

comment:12 Changed 3 years ago by nickm

Parent ID: #22339
Resolution: duplicate
Status: newclosed

Closing as duplicate under #22339. If we figure out how to do that, some of these tickets can become live again.

Note: See TracTickets for help on using tickets.