[tor-bugs] #18348 [Tor]: Tor conflates IPv4 Dir port with IPv6 OR Port
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sat Feb 20 08:09:49 UTC 2016
#18348: Tor conflates IPv4 Dir port with IPv6 OR Port
-----------------------+------------------------------------
 Reporter:  sysrqb     |      Owner:
     Type:  defect     |     Status:  needs_review
 Priority:  Very High  |  Milestone:  Tor: 0.2.8.x-final
Component:  Tor        |    Version:  Tor: unspecified
 Severity:  Major      | Resolution:
 Keywords:             | Actual Points:
Parent ID:             |     Points:
  Sponsor:             |
-----------------------+------------------------------------
Comment (by teor):
Replying to [ticket:18348 sysrqb]:
> Since #17840 tor prefers IPv6 addresses for client connections when
> they're available. This is a significant improvement but is not always
> correct in the network as it is now. Unfortunately, this affects a relay's
> dirconns, too. The primary problem arises when a relay attempts a
> descriptor upload/fetch with a directory authority with an IPv6 OR port.
Relays should never use IPv6. If they are, it's a bug.
> Currently all configuration options allow configuring IPv6 OR ports, but
> none specify dir ports. When a client attempts a dir port connection, it
> implicitly assumes the dir port is listening on the same ip address as the
> OR port.
This is a deliberate implementation choice - we don't have IPv6 dirport
entries or data structures.
> Currently most of the dir auths' Dir ports are only listening on their
> ipv4 address, including the dir auths with ipv6 OR addresses. An easy (but
> not necessarily correct) solution is for Dir Auth Ops to configure their
> dirauths so they accept ipv6 connections on the dir port.
Opened #18350 to encourage Directory Authorities to bind their existing
DirPort to IPv6.
> A better solution is that tor knows when a dir port is ipv4 or ipv6 and
> chooses the correct corresponding ip address.
I think this is #6772, but for DirPorts. Let's handle it there, as the
code is very similar.
> Now, as a relay, in fascist_firewall_allows_dir_server() we choose the
> destination's ipv4 address. However, when we subsequently call
> directory_choose_address_routerstatus() we don't remember which address we
> prefer:
> {{{
>   } else {
>     /* We use an IPv6 address if we have one and we prefer it.
>      * Use the preferred address and port if they are reachable, otherwise,
>      * use the alternate address and port (if any).
>      */
>     have_or = fascist_firewall_choose_address_rs(status,
>                                                  FIREWALL_OR_CONNECTION, 0,
>                                                  use_or_ap);
>   }
>
>   have_dir = fascist_firewall_choose_address_rs(status,
>                                                 FIREWALL_DIR_CONNECTION, 0,
>                                                 use_dir_ap);
> }}}
>
> Therefore directory_initiate_command_rend() uses the ipv6 address by
> default.
Oh dear, there's no way that should be happening. Relays should always
allow and choose IPv4 addresses.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18348#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
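The conflation discussed in this ticket, modelled as an added example (not Tor's code and not written by either poster): an entry has an IPv6 OR port but no IPv6 DirPort, so an address choice made by family preference alone pairs the IPv6 address with the IPv4 DirPort. The struct, the function names, and the sample addresses (documentation ranges) are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified relay entry: there is no IPv6 DirPort field. */
typedef struct {
  const char *ipv4_addr; unsigned ipv4_orport; unsigned ipv4_dirport;
  const char *ipv6_addr; unsigned ipv6_orport;   /* ipv6_addr NULL if absent */
} relay_entry_t;

typedef enum { CONN_OR, CONN_DIR } conn_type_t;
typedef struct { const char *addr; unsigned port; } addr_port_t;

/* Constructed sample: IPv4 OR+Dir ports, IPv6 OR port only. */
static const relay_entry_t SAMPLE = {
  "192.0.2.1", 9001, 9030, "2001:db8::1", 9001
};

static addr_port_t build(const relay_entry_t *r, conn_type_t t, bool use6)
{
  addr_port_t ap;
  ap.addr = use6 ? r->ipv6_addr : r->ipv4_addr;
  /* The only DirPort known is the IPv4 one, whatever address was picked. */
  ap.port = (t == CONN_DIR) ? r->ipv4_dirport
                            : (use6 ? r->ipv6_orport : r->ipv4_orport);
  return ap;
}

/* Conflated: family chosen by preference alone, ignoring connection type. */
addr_port_t choose_conflated(const relay_entry_t *r, conn_type_t t, bool prefer6)
{
  return build(r, t, prefer6 && r->ipv6_addr != NULL);
}

/* Family-aware: IPv6 is eligible only where an IPv6 port of that type exists. */
addr_port_t choose_family_aware(const relay_entry_t *r, conn_type_t t, bool prefer6)
{
  bool has6 = r->ipv6_addr != NULL && t == CONN_OR && r->ipv6_orport != 0;
  return build(r, t, prefer6 && has6);
}

int main(void)
{
  addr_port_t bad = choose_conflated(&SAMPLE, CONN_DIR, true);
  addr_port_t ok = choose_family_aware(&SAMPLE, CONN_DIR, true);
  printf("conflated dir target:    [%s]:%u\n", bad.addr, bad.port);
  printf("family-aware dir target: %s:%u\n", ok.addr, ok.port);
  return 0;
}
```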