|  | @@ -7,27 +7,28 @@ Status:
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  |  Why?
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  | -  It's useful for third parties to be able to tell when they've got a
 | 
	
		
			
				|  |  | -  connection from a Tor exit node.  Potential aplications range from
 | 
	
		
			
				|  |  | +  It's useful for third parties to be able to tell when a given connection
 | 
	
		
			
				|  |  | +  is coming from a Tor exit node.  Potential applications range from
 | 
	
		
			
				|  |  |    "anonymous user" cloaks on IRC networks like oftc, to networks like
 | 
	
		
			
				|  |  |    Freenode that apply special authentication rules to users from these
 | 
	
		
			
				|  |  | -  IPs, to systems like Wikipedia that want to make a priority of
 | 
	
		
			
				|  |  | +  IPs, to systems like Wikipedia that may want to make a priority of
 | 
	
		
			
				|  |  |    _unblocking_ shared IPs more liberally than non-shared IPs, since shared
 | 
	
		
			
				|  |  |    IPs presumably have non-abusive users as well as abusive ones.
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  |    Since Tor provides exit policies, not every Tor server will connect to
 | 
	
		
			
				|  |  |    every address:port combination on the Internet.  Unless you're trying to
 | 
	
		
			
				|  |  |    penalize hosts for supporting anonymity, it makes more sense to answer
 | 
	
		
			
				|  |  | -  the fine-grained question "which Tor servers will connect to _me_" than
 | 
	
		
			
				|  |  | +  the fine-grained question "which Tor servers will connect to _me_?" than
 | 
	
		
			
				|  |  |    the coarse-grained question "which Tor servers exist?"  The fine-grained
 | 
	
		
			
				|  |  |    approach also helps Tor server ops who share an IP with their Tor
 | 
	
		
			
				|  |  | -  server: if they want to access a site that blocks Tor users, they can
 | 
	
		
			
				|  |  | -  add that site to their exit policy, and the site can learn that they
 | 
	
		
			
				|  |  | -  won't send it anonymous connections.
 | 
	
		
			
				|  |  | -
 | 
	
		
			
				|  |  | -  Tor already ships with a tool (the "exitlist" script) to identify which
 | 
	
		
			
				|  |  | -  Tor nodes might open anonymous connections to any given exit address.
 | 
	
		
			
				|  |  | -  But this is a bit tricky to set up, and isn't seeing much use.
 | 
	
		
			
				|  |  | +  server: if they want to access a site that blocks Tor users, they
 | 
	
		
			
				|  |  | +  can exclude that site from their exit policy, and the site can learn
 | 
	
		
			
				|  |  | +  that they won't send it anonymous connections.
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +  Tor already ships with a tool (the "contrib/exitlist" script) to
 | 
	
		
			
				|  |  | +  identify which Tor nodes might open anonymous connections to any given
 | 
	
		
			
				|  |  | +  exit address.  But this is a bit tricky to set up, so only sites like
 | 
	
		
			
				|  |  | +  Freenode and OFTC that are dedicated to privacy use it.
 | 
	
		
			
				|  |  |    Conversely, providers of some DNSBL implementations are providing
 | 
	
		
			
				|  |  |    coarse-grained lists of Tor hosts -- sometimes even listing servers that
 | 
	
		
			
				|  |  |    permit no exit connections at all.  This is rather a problem, since
 | 
	
	
		
			
				|  | @@ -40,9 +41,12 @@ How?
 | 
	
		
			
				|  |  |    cached-routers.new files as new routers arrive.  To tell whether a given
 | 
	
		
			
				|  |  |    server allows connections to a certain address:port combo, look at the
 | 
	
		
			
				|  |  |    definitions in dir-spec.txt or follow the logic of the current exitlist
 | 
	
		
			
				|  |  | -  script.
 | 
	
		
			
				|  |  | +  script. If bug 405 is still open when you work on this
 | 
	
		
			
				|  |  | +  (http://bugs.noreply.org/flyspray/index.php?do=details&id=405), you'll
 | 
	
		
			
				|  |  | +  probably want to extend it to look at only the newest descriptor for
 | 
	
		
			
				|  |  | +  each server, so you don't use obsolete exit policy data.
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  | -  FetchUselessDescriptors would probably be a good option to enable.
 | 
	
		
			
				|  |  | +  FetchUselessDescriptors would probably be a good torrc option to enable.
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  |    If you're also running a directory cache, you get extra-fresh
 | 
	
		
			
				|  |  |    information.
 | 
	
	
		
			
				|  | @@ -61,7 +65,7 @@ The DNS interface
 | 
	
		
			
				|  |  |    possibly a bad idea.
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  | -  "General IP:Port"
 | 
	
		
			
				|  |  | +  Query type 1: "General IP:Port"
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  |      Format:
 | 
	
		
			
				|  |  |          {IP1}.{port}.{IP2}.ip-port.torhosts.example.com
 | 
	
	
		
			
				|  | @@ -77,7 +81,7 @@ The DNS interface
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  |      Example use:
 | 
	
		
			
				|  |  |          I'm running an IRC server at w.x.y.z:9999, and I want to tell
 | 
	
		
			
				|  |  | -        whether an incoming connections are from Tor servers.  I set
 | 
	
		
			
				|  |  | +        whether an incoming connection is from a Tor server.  I set
 | 
	
		
			
				|  |  |          up my IRC server to give a special mask to any user coming from
 | 
	
		
			
				|  |  |          an IP listed in 9999.z.y.x.w.ip-port.torhosts.example.com.
 | 
	
		
			
				|  |  |  
 | 
	
	
		
			
				|  | @@ -86,7 +90,7 @@ The DNS interface
 | 
	
		
			
				|  |  |          if it's a Tor server that allows connections to my ircd.
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  | -  "IP-port group."
 | 
	
		
			
				|  |  | +  Query type 2: "IP-port group"
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  |      Format:
 | 
	
		
			
				|  |  |          {IP}.{listname}.list.torhosts.example.com
 | 
	
	
		
			
				|  | @@ -100,7 +104,7 @@ The DNS interface
 | 
	
		
			
				|  |  |          Suppose torhosts.example.com has a list of IP:Port called "foo".
 | 
	
		
			
				|  |  |          There is an A record for 4.3.2.1.foo.list.torhosts.example.com
 | 
	
		
			
				|  |  |          if and only if 1.2.3.4 is a Tor server that permits connections
 | 
	
		
			
				|  |  | -        to one of the addresses in list "foo|.
 | 
	
		
			
				|  |  | +        to one of the addresses in list "foo".
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  |      Example use:
 | 
	
		
			
				|  |  |          Suppose torhosts.example.com has a list of hosts in "examplenet",
 | 
	
	
		
			
				|  | @@ -116,7 +120,7 @@ The DNS interface
 | 
	
		
			
				|  |  |          just a few foonet addresses to my exit policy.
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  | -  "My IP, with port."
 | 
	
		
			
				|  |  | +  Query type 3: "My IP, with port"
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  |      Format:
 | 
	
		
			
				|  |  |          {IP}.{port}.me.torhosts.example.com
 | 
	
	
		
			
				|  | @@ -138,8 +142,7 @@ The DNS interface
 | 
	
		
			
				|  |  |          This would be easiest to use, but DNS gets in the way. If you
 | 
	
		
			
				|  |  |          create DNS records that give different results depending on who is
 | 
	
		
			
				|  |  |          asking, you mess up caching.  There could be a fix here, but might
 | 
	
		
			
				|  |  | -        now.
 | 
	
		
			
				|  |  | -        here.
 | 
	
		
			
				|  |  | +        not.
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  |    RECOMMENDATION: Just build ip-port for now, and see what demand is
 | 
	
	
		
			
				|  | @@ -157,4 +160,7 @@ Other issues:
 | 
	
		
			
				|  |  |    masks wider than /8 make me nervous here, as do port ranges.
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  |    We need an answer for what to do about hosts which exit from different
 | 
	
		
			
				|  |  | -  IPs than their advertised IP.
 | 
	
		
			
				|  |  | +  IPs than their advertised IP. One approach would be for the DNSBL
 | 
	
		
			
				|  |  | +  to launch periodic requests to itself through all exit servers whose
 | 
	
		
			
				|  |  | +  policies allow it -- and then see where the requests actually come from.
 | 
	
		
			
				|  |  | +
 |