North American Network Operators Group


Re: Tor and network security/administration

  • From: Lionel Elie Mamane
  • Date: Thu Jun 22 05:20:31 2006

On Thu, Jun 22, 2006 at 05:37:25PM +1000, Matthew Sullivan wrote:
> Lionel Elie Mamane wrote:

>> How an open proxy that will not connect to port 25 is relevant for
>> an *email* blacklist is beyond me.

> Perhaps because SORBS is not just an email blacklist?

My bad. I must have misunderstood its tagline.

> Perhaps because it is also used for webmail and other things...

Someone running a webmail that doesn't ask for authentication before
accepting mail is asking for trouble. You know it, and I'm fairly sure
you would list him.

If the user has authenticated himself on the webmail, why care whether
the TCP connection came from an open TCP or HTTP proxy? The user has
identified himself, so you know who it is.

>>> All of my discussions with Tor people have indicated [they] do not
>>> think I should have the right to deny traffic based on IP address,
>>> and that I should find other methods of authenticating traffic
>>> into my networks.

>> Isn't it rather that they think that filtering on the basis of IP
>> address is broken in today's Internet, even if tor didn't exist?
>> Open proxies, trojans, multi-user computers, dynamic IPs, ... all
>> this makes substituting IP addresses for people very, very
>> imprecise.

> ....and that is your opinion,

Actually, no. It is what I understand the tor people's opinion to be
from their public statements. As for my opinion, I think IP-based is
the best you've got when you are dealing with the world at large and
not just with a finite, known group of users. As with an MX. As with a
webshop. But IP-based authentication should be avoided if you can, and
it does get over-used in contexts where it is worse than other
solutions. A prime example is scientific journal publishers
blindly trusting the whole IP space of universities. We do give shell
accounts on some of our machines to externals: other scientists from
abroad, high school students who can make good use of surplus
computing resources for a project, ...