[tor-bugs] #18348 [Tor]: Tor conflates IPv4 Dir port with IPv6 OR Port

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Feb 20 08:09:49 UTC 2016


#18348: Tor conflates IPv4 Dir port with IPv6 OR Port
-----------------------+------------------------------------
 Reporter:  sysrqb     |          Owner:
     Type:  defect     |         Status:  needs_review
 Priority:  Very High  |      Milestone:  Tor: 0.2.8.x-final
Component:  Tor        |        Version:  Tor: unspecified
 Severity:  Major      |     Resolution:
 Keywords:             |  Actual Points:
Parent ID:             |         Points:
  Sponsor:             |
-----------------------+------------------------------------

Comment (by teor):

 Replying to [ticket:18348 sysrqb]:
 > Since #17840 tor prefers IPv6 addresses for client connections when
 they're available. This is a significant improvement but is not always
 correct in the network as it is now. Unfortunately, this affects a relays
 dirconns, too. The primary problem arises when a relay attempt a
 descriptor upload/fetch with a directory authority with an IPv6 OR port.

 Relays should never use IPv6. If they are, it's a bug.

 > Currently all configuration options allow configuring IPv6 OR ports, but
 none specify dir ports. When a client attempts a dir port connection, it
 implicitly assumes the dir port is listening on the same ip address as the
 OR port.

 This is a deliberate implementation choice - we don't have IPv6 dirport
 entries or data structures.

 > Currently most of the dir auths Dir ports are only listening on their
 ipv4 address, including the dir auths with ipv6 OR addresses. An easy (but
 not necessary correct) solution is Dir Auth Op configure their dirauths so
 they accept ipv6 connections on the dir port.

 Opened #18350 to encourage Directory Authorities to bind their existing
 DirPort to IPv6.

 > A better solution is tor knows when a dir port is ipv4 or ipv6 and
 chooses the correct corresponding ip address.

 I think this is #6772, but for DirPorts. Let's handle it there, as the
 code is very similar.

 > Now, as a relay, in fascist_firewall_allows_dir_server() we choose the
 destination's ipv4 address. However, when we subsequently call
 directory_choose_address_routerstatus() we don't remember which address we
 prefer:
 > {{{
 >   } else {
 >     /* We use an IPv6 address if we have one and we prefer it.
 >      * Use the preferred address and port if they are reachable,
 otherwise,
 >      * use the alternate address and port (if any).
 >      */
 >     have_or = fascist_firewall_choose_address_rs(status,
 >                                                  FIREWALL_OR_CONNECTION,
 0,
 >                                                  use_or_ap);
 >   }
 >
 >   have_dir = fascist_firewall_choose_address_rs(status,
 >                                                 FIREWALL_DIR_CONNECTION,
 0,
 >                                                 use_dir_ap);
 > }}}
 >
 > Therefore directory_initiate_command_rend() uses the ipv6 address by
 default.

 Oh dear, there's no way that should be happening. Relays should always
 allow and choose IPv4 addresses.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18348#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list