An Exit Enclave is the term for a Tor relay that allows exit to another, non-Tor service on the same IP address. For example, https://archive.torproject.org/ has the IP address 38.229.70.19 and is reachable on TCP port 443. The Tor exit enclave named '''archivetpo''' is configured with ''ExitPolicy accept 38.229.70.19:443'', so the relay '''archivetpo''' becomes the preferred path to https://archive.torproject.org/ through the Tor network.

This feature is useful for people who run services and wish to ensure Tor users have access through their own nodes.

The current stable version of Tor (0.2.2.x) still supports Exit Enclaves. Newer versions of Tor (> 0.2.3.x) use a new descriptor format (microdescriptors): relays can still specify an Exit Enclave policy, but clients will not use it, which voids the purpose of exit enclaving.

Since microdescriptors do not include the addresses listed in the exit policy, there is no way for the client to understand that a certain Tor exit is an enclave for a certain destination address.

Even with Tor 0.2.2.x, Exit Enclaves are not used for the first connection, since the first connection is usually made by hostname and not by IP address. This means that if the client does not have the hostname lookup result in its cache, it will not use the enclave on the first connection, only on subsequent ones.

Another reason why enclaves will not work properly with 0.2.3.x is that it is not possible to prevent a relay from being overloaded by setting a low "MaxAdvertisedBandwidth". This means that if the enclave is receiving a lot of Tor relay traffic, connections to the enclaved service end up being very slow.

The general feeling is that something like exit enclaves is needed, but the current design of enclaves does not fit even the most lax threat models.

The only case in which Exit Enclaves make sense is censorship circumvention on an IP basis, though even in this case, if the client exits through a censoring exit on the first connection, it will not be able to access the content. All subsequent connections would be enclaved, but this requires the user to make another connection attempt.

Overall the use of enclaves is not advised for these two main reasons:

- They will not be supported in future versions of Tor (> 0.2.3.x)
- They do not fit any particular threat model

If you would still like to run an Exit Enclave, this is an example torrc of an Exit Enclave that only allows connections out of the Tor network to services offered on the same system. The following configuration is used for the Tor exit enclave '''archivetpo''':

{{{
SocksPort 9050 # what port to open for local application connections
SocksListenAddress 127.0.0.1 # accept connections only from localhost
ORPort 9001 # port on which to accept connections from Tor clients and other relays
Nickname archivetpo
ExitPolicyRejectPrivate 0 # do not implicitly reject the relay's own public IP; the enclave must accept it
ExitPolicy accept 38.229.70.19:443 # the enclaved service: https://archive.torproject.org/
ExitPolicy reject *:* # no other exit traffic leaves this relay
}}}
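
As an added example (not code from this wiki page or from Tor itself), the following Python reproduces the 0.2.2-era client-side enclave test: a relay is an exit enclave for a destination only when the destination is the relay's own address and the relay's full ExitPolicy accepts that address and port. It also models ExitPolicyRejectPrivate, whose default of 1 rejects the relay's own public IP, which is why the archivetpo torrc above sets it to 0; the torrc lines from the page are embedded as constructed input, and the private-network list and parsing helpers are this example's own simplifications.

```python
import ipaddress
# Networks that ExitPolicyRejectPrivate 1 (Tor's default) rejects, together with the relay's own IP.
PRIVATE_NETS = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16"]

def parse_target(target):
    """'38.229.70.19:443' -> (network, low_port, high_port); '*' means any address or port."""
    addr, port = target.rsplit(":", 1)
    net = ipaddress.ip_network("0.0.0.0/0" if addr == "*" else addr, strict=False)
    if port == "*":
        return net, 1, 65535
    lo, _, hi = port.partition("-")
    return net, int(lo), int(hi or lo)

def parse_exit_policy(torrc_text, relay_ip):
    """Return the effective exit policy as ordered (action, network, lo, hi) tuples."""
    rules, reject_private = [], True          # ExitPolicyRejectPrivate defaults to 1
    for raw in torrc_text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and surrounding whitespace
        if line.startswith("ExitPolicyRejectPrivate "):
            reject_private = line.split()[1] == "1"
        elif line.startswith("ExitPolicy "):
            for entry in line.split(None, 1)[1].split(","):
                action, target = entry.split()
                rules.append((action, *parse_target(target)))
    if reject_private:                         # implicit rejects come first, own IP included
        implicit = [relay_ip + "/32"] + PRIVATE_NETS
        rules = [("reject", ipaddress.ip_network(n), 1, 65535) for n in implicit] + rules
    return rules

def policy_allows(rules, dest_ip, dest_port):
    """First matching rule wins; if nothing matches, the connection is rejected."""
    ip = ipaddress.ip_address(dest_ip)
    for action, net, lo, hi in rules:
        if ip in net and lo <= dest_port <= hi:
            return action == "accept"
    return False

def is_exit_enclave(relay_ip, rules, dest_ip, dest_port):
    """0.2.2-era client rule: the destination is the relay itself and its policy accepts it."""
    return relay_ip == dest_ip and policy_allows(rules, dest_ip, dest_port)

# Constructed sample input: the relevant archivetpo torrc lines quoted on the page.
ARCHIVETPO_IP = "38.229.70.19"
ARCHIVETPO_TORRC = """Nickname archivetpo
ExitPolicyRejectPrivate 0
ExitPolicy accept 38.229.70.19:443
ExitPolicy reject *:*
"""
# The same policy with ExitPolicyRejectPrivate left at its default of 1.
DEFAULT_PRIVATE_TORRC = ARCHIVETPO_TORRC.replace("ExitPolicyRejectPrivate 0\n", "")
```

With the page's torrc the relay is an enclave for 38.229.70.19:443 only; leaving ExitPolicyRejectPrivate at its default makes the implicit reject of the relay's own IP match first, and the enclave disappears.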