summaryrefslogtreecommitdiff
path: root/doc
diff options
context:
space:
mode:
authorPaul Syverson <syverson@itd.nrl.navy.mil>2003-11-03 18:28:31 +0000
committerPaul Syverson <syverson@itd.nrl.navy.mil>2003-11-03 18:28:31 +0000
commit3a0d3b7c893712a1361fcb94e1dec7c061848793 (patch)
tree6ab0f32fb8e46fea9b4ec554524844764c994c04 /doc
parenta0ad394c8c7facbe2d859bb72930d2dfeb05e37f (diff)
downloadtor-3a0d3b7c893712a1361fcb94e1dec7c061848793.tar.gz
tor-3a0d3b7c893712a1361fcb94e1dec7c061848793.zip
Fix small version error I introduced (I hope).
svn:r738
Diffstat (limited to 'doc')
-rw-r--r--doc/tor-design.tex46
1 files changed, 3 insertions, 43 deletions
diff --git a/doc/tor-design.tex b/doc/tor-design.tex
index b277c45cc7..88e2eb6f1d 100644
--- a/doc/tor-design.tex
+++ b/doc/tor-design.tex
@@ -83,8 +83,9 @@ Onion Routing project published several design and analysis papers
Routing network was deployed for some weeks, the only long-running and
publicly accessible implementation of the original design was a fragile
proof-of-concept that ran on a single machine. Even this simple deployment
-processed tens of thousands of connections daily from thousands of users
-worldwide. But many critical design and deployment issues were never
+processed connections from over sixty thousand distinct IP addresses from
+all over the world at an average rate of about fifty thousand per day.
+But many critical design and deployment issues were never
resolved, and the design has not been updated in several years. Here
we describe Tor, a protocol for asynchronous, loosely federated onion
routers that provides the following improvements over the old Onion
@@ -979,46 +980,6 @@ require investigation.
\SubSection{Exit policies and abuse}
\label{subsec:exitpolicies}
-
-Tor offers more reliability than the high-latency fire-and-forget
-anonymous email networks, because the sender opens a TCP stream
-with the remote mail server and receives an explicit confirmation of
-acceptance. But ironically, the private exit node model works poorly for
-email, when Tor nodes are run on volunteer machines that also do other
-things, because it's quite hard to configure mail transport agents so
-normal users can send mail normally, but the Tor process can only deliver
-mail locally. Further, most organizations have specific hosts that will
-deliver mail on behalf of certain IP ranges; Tor operators must be aware
-of these hosts and consider putting them in the Tor exit policy.
-
-The abuse issues on closed (e.g. military) networks are different
-from the abuse on open networks like the Internet. While these IP-based
-access controls are still commonplace on the Internet, on closed networks,
-nearly all participants will be honest, and end-to-end authentication
-can be assumed for anything important.
-
-Tor is harder than minion because TCP doesn't include an abuse
-address. you could reach inside the http stream and change the agent
-or something, but that's a specific case and probably won't help
-much anyway.
-And volunteer nodes don't resolve to anonymizer.mit.edu so it never
-even occurs to people that it wasn't you.
-
-Preventing abuse of open exit nodes is an unsolved problem. Princeton's
-CoDeeN project \cite{darkside} gives us a glimpse of what we're in for.
-% This is more speculative than a description of our design.
-
-but their solutions, which mainly involve rate limiting and blacklisting
-nodes which do bad things, don't translate directly to Tor. Rate limiting
-still works great, but Tor intentionally separates sender from recipient,
-so it's hard to know which sender was the one who did the bad thing,
-without just making the whole network wide open.
-
-even limiting most nodes to allow http, ssh, and aim to exit and reject
-all other stuff is sketchy, because plenty of abuse can happen over
-port 80. but it's a surprisingly good start, because it blocks most things,
-and because people are more used to the concept of port 80 abuse not
-=======
%XXX originally, we planned to put the "users only know the hostname,
% not the IP, but exit policies are by IP" problem here too. Worth
% while still? -RD
@@ -1069,7 +1030,6 @@ limited set of well-known services, such as HTTP, SSH, or AIM.
This is not a complete solution, since abuse opportunities for these
protocols are still well known. Nonetheless, the benefits are real,
since administrators seem used to the concept of port 80 abuse not
->>>>>>> 1.79
coming from the machine's owner.
A further solution may be to use proxies to clean traffic for certain