On Wed, Apr 23, 2014 at 03:12:36PM -0400, Zack Weinberg wrote:
> I'd like a sanity check on this list of special-purpose IPv4 blocks which I'm currently forbidding in the CMU exit node's policy. I'm most uncertain about denying access to multicast (224.0.0.0/4) and 6to4 router anycast (192.88.99.0/24) -- I *think* there are no scenarios where someone would actually need to get at either of those via Tor, but I could be wrong.
Hi Zack,
Best practice is to only block addresses and destinations that you know you don't want to reach. When you block addresses where somebody tells you there should be nothing there, you're narrowing out the future. If the RFC changes tomorrow and you don't notice, suddenly you're blocking connections to a piece of Africa or whoever gets that IP space. And if indeed nobody is using it, why block it?
Thanks! --Roger
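As an added illustration (not code from this thread or from Tor itself) of how the reject lines under discussion would be evaluated, here is a small first-match evaluator for torrc-style ExitPolicy lines, plus a helper that shows how much address space each reject rule covers. The policy text and destination addresses are constructed for the example, and port ranges are left out.

```python
import ipaddress

# Constructed torrc-style policy: the two blocks Zack is unsure about,
# followed by a catch-all accept. Assumed line format is
# "<accept|reject> <addr>[/<prefix>]:<port|*>" (port ranges not handled here).
EXIT_POLICY = """
reject 224.0.0.0/4:*
reject 192.88.99.0/24:*
accept *:*
"""


def parse_policy(text):
    """Turn policy lines into (action, network-or-None, port-or-None) tuples."""
    rules = []
    for line in text.strip().splitlines():
        action, target = line.split(None, 1)
        addr, port = target.rsplit(":", 1)
        net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
        port = None if port == "*" else int(port)
        rules.append((action, net, port))
    return rules


def decide(rules, dest_ip, dest_port):
    """First matching rule wins; an unmatched destination is rejected."""
    ip = ipaddress.ip_address(dest_ip)
    for action, net, port in rules:
        if net is not None and ip not in net:
            continue
        if port is not None and port != dest_port:
            continue
        return action
    return "reject"


def reject_coverage(rules):
    """Map each reject rule's network to the number of addresses it blocks,
    which makes the breadth of a /4 versus a /24 visible at a glance."""
    return {
        str(net): net.num_addresses
        for action, net, _ in rules
        if action == "reject" and net is not None
    }


if __name__ == "__main__":
    rules = parse_policy(EXIT_POLICY)
    for ip in ("224.0.0.1", "192.88.99.1", "192.88.100.1"):
        print(ip, decide(rules, ip, 80))
    print(reject_coverage(rules))
```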