
Why is it still required to have two open ports, DirPort and ORPort, for a relay?

Imagine such a situation: a Tor user with unlimited network traffic and, with that, great bandwidth stays behind a NAT router without the ability to forward two ports, or e.g. has no external IP address in the provider's VPN configuration, or is on public Wi-Fi in a cafe, etc.

It is obvious that the anonymity of a relay operator, while browsing, is much better than a client's.

This should be enabled by default for high-bandwidth connections.

Why do I point out the possibility of incoming traffic to such a middle relay? I just fortuitously found for myself that an onion hidden service doesn't require any open ports.

In the same way, with only one hop, not three hops, any relay behind a NAT router could share its bandwidth with the network. That means the bandwidth of the whole network would grow 100 times, and the anonymity of such client-middle-relays would grow!

The code complexity for this is +100 lines at maximum.

The current state is: 5,000 relays vs 500,000 clients, 1 x 100.

By "middle relay" I mean ExitPolicy reject *:*

perpetuity

3 Answers

Right now, Tor depends on the fact that all clients and all servers can contact all servers.

Once you add relays that are not reachable from the Internet, because they are behind NAT for instance, this will no longer be true. This would make arguing about Tor's security properties way harder.

Somebody would have to come up with a design and its implications would have to be studied in detail before such a change could be made.

weasel - Peter Palfrader

See also this report:

Jacob Appelbaum. Tor and NAT devices: increasing bridge & relay reachability or, enabling the use of NAT-PMP and UPnP by default (Technical Report 2012-08-001, The Tor Project, August 2012).

adrelanos

I'm not sure if I understand your question correctly, but if you can't have any incoming connection then you can't run a relay. A non-exit relay has to be able to send/receive data within the Tor network.

And that ExitPolicy reject *:*, which is the correct setting for a non-exit relay, means it will accept any connection in and out.

If you're running a non-exit relay, it eventually becomes a middle node.

And if you're talking about every-user-a-relay, you should read this.

mrphs
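A minimal torrc for the non-exit relay this answer describes, added here as an illustration and not taken from the answer's author; the nickname and contact address are placeholders, and the port numbers are the conventional defaults.

```text
# torrc for a non-exit ("middle") relay

# Placeholder identity and contact details for the relay operator.
Nickname ExampleMiddleRelay
ContactInfo operator@example.org

# ORPort is mandatory: other relays and clients must be able to reach it
# from the Internet, so a host behind NAT needs this one port forwarded.
ORPort 9001

# DirPort is optional: it only serves directory information to others.
# Leaving it out leaves the relay with a single inbound port to forward.
DirPort 9030

# Refuse all exit traffic; this line is what makes the relay non-exit.
ExitPolicy reject *:*
```

After the relay starts, the Tor log reports whether the ORPort was confirmed reachable from outside; until that self-test passes the relay is not usable by the network.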