can_exit_to a port returns True when using ServerDescriptor and False when using RouterStatusEntry #69
Comments
Hi juga. Tor has two types of exit policy: full and micro. Tor's full policy is a complete record of what a relay will and won't accept. These only reside within server descriptors and are effectively unused aside from directory authorities to inform what the micro policy should be. The micro policy is an abbreviated list of ports with an accept *:[port] policy. These are contained within the consensus and microdescriptors, and are used for most path selection in practice. Tor uses micro policies to dramatically lessen the amount of descriptor information tor must download to work. Stem's can_exit_to() method can answer two different questions based on its strict argument...
Here's a demonstration of what the policies actually look like and how the calls differ... Demo script
Demo output
We should describe this in our exit policy docs. Keeping this open to track that.
Thanks @atagar for the detailed explanation. Now I know how we should query the exit policy in sbws.
Hi @atagar, I thought I'd understood how it works, but I didn't, and got into another issue I can't explain. So, let's see...
According to this, is it generally recommended to use the micro policy? When would the full policy be recommended instead?
Just a terminology thing: intuitively I'd think that ANY means what seems to be ALL here, and instead I'd think of ANY as SOME [snip]
Still not quite clear to me why the difference here. Because the micro policy is missing info about what is rejected by IP?
[snip] And in this case, it's the same with strict, but I ran into this other issue, in which the micro policy seems to be the way to go in sbws's case, i.e. "give me all the exits that can exit to 443 from all IPs":
So I had assumed that with the full policy and asking for ALL, I'd get all the relays that can exit to a port for all IPs, but it does seem to be the case for the micro policy instead? And with descriptors there's also
Hi juga. Tor's grown organically over this last decade and microdescriptors are an artifact of that. Server descriptors date back to the dawn of tor, whereas microdescriptors were added much later and brought with it tradeoffs. Most relevant for our discussion here...
Users that desire to download server descriptors (and by extension use full, authoritative exit policies) can put UseMicrodescriptors 0 in their torrc. So to answer your question the two policies answer subtly different questions...
Yes. The full policy has accept 133.0.0.0/8:443 whereas the microdescriptor policy does not.
Microdescriptors outnumber the number of server descriptor policies that can exit to ALL port 443s because server descriptors can reject individual IPs. For example, a server descriptor policy of "reject 1.2.3.4:443, accept *:443" would translate into a microdescriptor policy of "accept 443". The former doesn't exit to all port 443s, whereas the latter does.
IPv6 has separate exit policies which were appended to consensus documents relatively recently.
Thanks @atagar for all the explanation. One more thing, hopefully the last in this ticket. It seems then that for sbws i need a descriptor method that tells me whether an exit can exit to a port from all the public IP addresses. I was surprised that the line in my example will return 0 exits:
I found that, for example, this exit rejects all the private IP addresses but not the public ones. I think it's probably better to implement this in stem since it'd have to go over the full policy. Would you have time to implement it? If not I can try. All of this comes about because, in order not to have to resolve a web server domain via Tor, sbws chooses whether to measure a relay in the exit position or not using the descriptor. An alternative would be to always try a second exit if the measurement fails. Well, this would need more explanation but I think you can get an idea.
Hi juga. Stem already has a method to drop private entries...
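The ANY/ALL distinction atagar describes above, the "reject one IP, accept the rest" translation in the later reply, the private-range case behind the strip-private method, and the subnet-only policy from the issue description, as an added example for this thread. It is not stem's code or API; it is a short re-implementation modelled on stem's documented can_exit_to() behaviour (a rule whose address or port the query leaves unspecified is a "fuzzy" match, and a fuzzy rule decides the answer only when strict-and-reject or non-strict-and-accept). The policy strings are constructed samples, the class and function names are my own, only IPv4 is handled, and strip_private() here drops only fixed private ranges (stem's also drops the relay's own address):

```python
"""Simplified model of full (server-descriptor) vs micro (consensus) exit
policies and the ANY (strict=False) / ALL (strict=True) questions.

Added example, not stem's code.  Follows stem's documented rule: a rule
whose address or port the query left unspecified is a "fuzzy" match, and a
fuzzy rule is decisive only when (strict and reject) or (not strict and
accept).  IPv4 only; all policies below are constructed samples.
"""
import ipaddress

# Fixed private ranges dropped by strip_private() in this model.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    '0.0.0.0/8', '10.0.0.0/8', '127.0.0.0/8', '169.254.0.0/16',
    '172.16.0.0/12', '192.168.0.0/16')]


class Rule:
    """One 'accept ADDR:PORTS' / 'reject ADDR:PORTS' line of a full policy."""

    def __init__(self, line):
        self.line = line
        action, target = line.split()
        self.is_accept = action == 'accept'
        addr, ports = target.rsplit(':', 1)
        self.network = None if addr == '*' else ipaddress.ip_network(addr, strict=False)
        if ports == '*':
            self.min_port, self.max_port = 1, 65535
        elif '-' in ports:
            self.min_port, self.max_port = (int(p) for p in ports.split('-'))
        else:
            self.min_port = self.max_port = int(ports)

    def is_private(self):
        return self.network is not None and any(
            n.version == self.network.version and self.network.subnet_of(n)
            for n in PRIVATE_NETS)

    def is_match(self, address=None, port=None, strict=False):
        fuzzy = False
        if address is None:
            fuzzy = self.network is not None  # rule is narrower than the query
        elif self.network is not None and ipaddress.ip_address(address) not in self.network:
            return False
        if port is None:
            fuzzy = fuzzy or (self.min_port, self.max_port) != (1, 65535)
        elif not self.min_port <= port <= self.max_port:
            return False
        if fuzzy:
            # ALL: a reject covering some of the destinations is decisive.
            # ANY: an accept covering some of the destinations is decisive.
            return strict != self.is_accept
        return True


class ExitPolicy:
    """Full policy: ordered rules, first match wins, accept if nothing matches."""

    def __init__(self, *lines):
        self.rules = [Rule(line) for line in lines]

    def can_exit_to(self, address=None, port=None, strict=False):
        for rule in self.rules:
            if rule.is_match(address, port, strict):
                return rule.is_accept
        return True

    def strip_private(self):
        return ExitPolicy(*[r.line for r in self.rules if not r.is_private()])


def micro_policy(line):
    """Micro policy ('accept 80,443' or 'reject 1-1024'): wildcard addresses
    only, followed by the opposite catch-all."""
    action, ports = line.split()
    rules = ['%s *:%s' % (action, p) for p in ports.split(',')]
    rules.append('%s *:*' % ('reject' if action == 'accept' else 'accept'))
    return ExitPolicy(*rules)


def compare(full, micro, port):
    """ANY and ALL answers for one port under both policy types."""
    return {
        'full_any': full.can_exit_to(port=port),
        'full_all': full.can_exit_to(port=port, strict=True),
        'micro_any': micro.can_exit_to(port=port),
        'micro_all': micro.can_exit_to(port=port, strict=True),
    }


# Issue-title case: 443 accepted only toward one /8, so 443 is left out of
# the micro policy.  Constructed sample.
SUBNET_ONLY = ExitPolicy('accept 133.0.0.0/8:443', 'reject *:443',
                         'accept *:80', 'reject *:*')
SUBNET_ONLY_MICRO = micro_policy('accept 80')

# One IP rejected, everything else on 443 accepted.  Constructed sample.
ONE_IP_REJECTED = ExitPolicy('reject 1.2.3.4:443', 'accept *:443', 'reject *:*')
ONE_IP_REJECTED_MICRO = micro_policy('accept 443')

# Private ranges rejected, public 443 accepted.  Constructed sample.
PRIVATE_REJECTED = ExitPolicy('reject 10.0.0.0/8:*', 'reject 192.168.0.0/16:*',
                              'accept *:443', 'reject *:*')

if __name__ == '__main__':
    print('subnet only   ', compare(SUBNET_ONLY, SUBNET_ONLY_MICRO, 443))
    print('one IP reject ', compare(ONE_IP_REJECTED, ONE_IP_REJECTED_MICRO, 443))
    print('private reject', PRIVATE_REJECTED.can_exit_to(port=443, strict=True),
          PRIVATE_REJECTED.strip_private().can_exit_to(port=443, strict=True))
```

For the subnet-only sample the full policy answers True to the ANY question (some 443 destination is reachable) while the micro policy answers False, which is exactly the ServerDescriptor/RouterStatusEntry disagreement in the title; the "reject one IP" sample shows the reverse gap, where only the micro policy claims ALL; and the private-range sample shows why an "all public IPs" query needs the private rejects stripped before asking with strict=True.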
Awesome! Thanks, and sorry I didn't see that.
No worries in the least juga. Exit policies are deceptively confusing, and that method is easy to miss. :P
Oops, stupid me. I wanted to keep this ticket open to expand the exit policy docs - reopening.
When the exit policy accepts traffic to that port only to a subnet.
For instance, a relay with exit policy:
Why is can_exit_to returning different things? Should it be queried in a different way? Is it possible that this happens because sbws is not fetching microdescriptors?