
Re: ietf.org unaccessible for Tor users

2016-03-15 08:05:38
Perhaps what we really need is a configuration that recognizes the two
security requirements:

1) Defend ietf.org from DDoS attack
2) Provide access to Tor users.

The first requirement is at least as important as the first.

Sln1: If it is possible, perhaps the Cloudflare config could be set up
so that connections over Tor go to one particular server that is run
by IETF direct and not in the critical path.

Broken: You would have to have the site in the IETF server room and
where there is a site, there is a pipe and it is really the pipe that
is DDoSed.


Sln2: Can Cloudflare adjust their CAPTCHA scheme so that it only
queries users if an attack is actually in progress?

Question: Is this what they do already? Was the CAPTCHA showing up
because of a dumb blacklist or was it showing up because the IP was on
a blacklist AND that IP was currently performing a DDoS AND that DDoS
was aimed at ietf.org?


I suspect IETF use is atypical where Tor is concerned. Most sites
probably just want to shut Tor exit nodes out.