[tor-bugs] #33898 [Core Tor/Tor]: Stop modifying addr on connections, and delete real_addr
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Apr 30 02:06:26 UTC 2020
#33898: Stop modifying addr on connections, and delete real_addr
-------------------------------------------+-------------------------------
Reporter: teor                             | Owner: nickm
Type: defect                               | Status: assigned
Priority: High                             | Milestone: Tor: 0.4.4.x-final
Component: Core Tor/Tor                    | Version:
Severity: Normal                           | Resolution:
Keywords: ipv6, technical-debt, prop311    | Actual Points:
Parent ID: #33048                          | Points: 1
Reviewer:                                  | Sponsor: Sponsor55-can
-------------------------------------------+-------------------------------
Comment (by arma):

Yeah, I can try to explain how we got here, and then folks can decide if
they have a better place we can get to.

When you receive a connection from a relay, it never comes from the
relay's IP address and ORPort. At best, it comes from the relay's IP
address and some high-numbered port. So if you rely on the address and
port of the incoming connection to be able to learn which relay it is,
there will at best be ambiguity in the cases where an IP address runs more
than one relay ("which one is the one that connected to you?"), and at
worst the connection came from a different IP address than is listed in
the relay's descriptor, for example because the other side sets
OutboundBindAddress, or because they *don't* set it but their default
route goes out through a different IP address, or because you do some port
forwarding thing on your side so it looks to you like connections come
from your forwarder.

Also there's the (hopefully less common) case where somebody is trying to
do a person-in-the-middle attack where they ask the other side to extend
to your identity but their address, and then they forward the connection
to you. Or they ask you to connect to some remote relay but at a
nonstandard address and port, and then they redirect that connection to
the relay.

Ok. Given that context, here are the rules we followed back when I wrote
this part:

* If the connection is to (or from) a known relay, then addr and port will
  tell you which relay it is.

* Else (not to/from a known relay), addr and port will be whatever you
  tried to connect to, or whatever TCP told you for the incoming connection.

* real_addr will always be whatever-you-tried-to-connect-to or
  whatever-TCP-told-you. In the case where we overwrote addr and port
  because it's a known relay, there is no concept of real_port, i.e. that
  information is discarded.

* address will always be a string version of addr. We keep it entirely so
  we don't have to keep recreating it every time we want to write addr
  somewhere.

For extra context, the above conventions predate the "canonical" flag, and
also predate the DoS subsystem (which rightly looks at real_addr rather
than addr).

I agree that these rules start to get ugly once relays have multiple
canonical addresses.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33898#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
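The addr / port / real_addr / address rules arma lists above, as an added, constructed model (this is not Tor's own connection_t code; the relay list, fingerprints and addresses are made up). It shows the known-relay case where addr is rewritten from the descriptor while real_addr keeps what TCP reported, which is why a rate limiter should key on real_addr:

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the addr/port/real_addr/address conventions from the
 * comment above. Illustrative only: not Tor's connection_t handling. */

typedef struct {
    const char *identity;  /* fingerprint learned in the handshake (constructed) */
    const char *addr;      /* address listed in the relay's descriptor */
    int orport;            /* ORPort listed in the descriptor */
} known_relay_t;

typedef struct {
    char addr[64];         /* descriptor addr if known relay, else observed addr */
    int port;              /* descriptor ORPort if known relay, else observed port */
    char real_addr[64];    /* always what TCP told us; there is no real_port */
    char address[64];      /* cached string form of addr */
} conn_t;

/* Constructed relay list standing in for the consensus. */
static const known_relay_t RELAYS[] = {
    { "AAAA", "10.0.0.1", 9001 },
    { "BBBB", "10.0.0.2", 9001 },
};

/* Fill in the record for an inbound connection that TCP reports as coming
 * from observed_addr:observed_port. identity is the peer's fingerprint once
 * the handshake finished, or NULL if none was learned. Returns 1 when addr
 * and port were rewritten to a known relay's descriptor values, else 0. */
int classify_inbound(conn_t *c, const char *observed_addr, int observed_port,
                     const char *identity)
{
    int known = 0;
    snprintf(c->real_addr, sizeof c->real_addr, "%s", observed_addr);
    snprintf(c->addr, sizeof c->addr, "%s", observed_addr);
    c->port = observed_port;
    for (size_t i = 0; identity && i < sizeof RELAYS / sizeof RELAYS[0]; i++) {
        if (strcmp(RELAYS[i].identity, identity) == 0) {
            snprintf(c->addr, sizeof c->addr, "%s", RELAYS[i].addr);
            c->port = RELAYS[i].orport;  /* the observed high port is discarded */
            known = 1;
        }
    }
    snprintf(c->address, sizeof c->address, "%s", c->addr);
    return known;
}

/* A DoS counter keys on the address TCP actually reported. Keying on addr
 * instead would credit the descriptor address with connections that really
 * arrived from elsewhere (OutboundBindAddress, a forwarder, a relay). */
const char *dos_key(const conn_t *c) { return c->real_addr; }
```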