[tor-bugs] #33375 [Core Tor/Tor]: Stop advertising an IPv6 exit policy when DNS is broken for IPv6
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Mar 20 11:36:34 UTC 2020
#33375: Stop advertising an IPv6 exit policy when DNS is broken for IPv6
-------------------------------------------------+-------------------------
Reporter: teor                                   | Owner: neel
Type: defect                                     | Status: needs_review
Priority: Medium                                 | Milestone: Tor: 0.4.4.x-final
Component: Core Tor/Tor                          | Version: Tor: 0.2.9.14
Severity: Normal                                 | Resolution:
Keywords: security-review-dos-risk, extra-review,| Actual Points:
no-backport, ipv6, tor-exit, tor-dns             |
Parent ID: #24833                                | Points:
Reviewer:                                        | Sponsor:
-------------------------------------------------+-------------------------
Changes (by teor):
* reviewer: teor =>
Comment:
I don't have time to keep on reviewing this patch right now. I'm really
busy with Google Summer of Code and Outreachy. So I'm going to pass it to
another reviewer.
Here are some things for the reviewer to check:
Replying to [comment:5 teor]:
> This IPv6 DNS code is currently unused, so it has never been tested. So
> I want to make sure we have the design right.
>
> Here are some issues I noticed when reading the code:
> * the code only counts DNS errors on timeout, but there are actually 11
> different DNS errors. We should consider which errors we want to track,
> and which ones we want to ignore. See
> http://www.wangafu.net/~nickm/libevent-2.1/doxygen/html/dns_8h.html
Which errors should we turn off IPv6 DNS for? All of them? Only the ones
that clients can't trigger?
> * the minimum number of queries before failure is 10. But that could
> happen by chance, on server startup. Let's make the minimum something more
> reasonable. We can make it at least 1000. But maybe we should set it to 1
> when TestingTorNetwork is set. That way, broken IPv6 exits will fail
> quickly in chutney.
The last version of the PR I reviewed changed the wrong "10". Please check
that the new PR changes this code:
https://github.com/torproject/tor/pull/1771/files#diff-ed2a85a7ec36e73dc681fe94a7dcf524L1556
> We should find out which DNS errors can be triggered by tor clients, and
> ignore them. Otherwise, a client that floods an exit with bad DNS queries
> could disable IPv6 exiting on that relay. I think Nick might be able to
> help here.
We also need to think about the risk of DNS-based attacks.
> I think it's ok to fail thousands of client circuits, before an IPv6
> exit disables IPv6. Because getting the new descriptor to clients can take
> an hour or two. There's also a tradeoff here: we want quiet exits to
> disable IPv6 eventually. But we want busy exits to survive a momentary
> glitch.
Overall, I wonder if this patch is the best way to solve this issue.
Perhaps we should manually apply the BadExit flag through the network
health team. Perhaps we should set the limits much, much higher.
Do we know how many queries a busy exit processes? And how many timeouts
they have?
It's really hard to make a good design without good data.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33375#comment:16>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
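The following is an added sketch, written for this page and not code from the ticket, the PR or Tor itself, of the failure-tracking design the thread argues about: classify each evdns result code instead of counting only timeouts, require a minimum number of queries before any decision (1000 normally, 1 under TestingTorNetwork, the values teor proposes), and disable IPv6 DNS on a failure ratio rather than an absolute count so that a busy exit survives a short glitch. The error-code values are libevent's real ones from event2/dns.h; the split into "infrastructure" errors (counted) and "client-triggerable" errors (ignored, so a flood of lookups for nonexistent names cannot flip the flag) is an assumption, since the ticket leaves that question open, as are the 50% threshold, the tracker type name and the simulate_outcomes helper.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* evdns result codes as defined in libevent's event2/dns.h. */
#define DNS_ERR_NONE          0
#define DNS_ERR_FORMAT        1
#define DNS_ERR_SERVERFAILED  2
#define DNS_ERR_NOTEXIST      3
#define DNS_ERR_NOTIMPL       4
#define DNS_ERR_REFUSED       5
#define DNS_ERR_TRUNCATED    65
#define DNS_ERR_UNKNOWN      66
#define DNS_ERR_TIMEOUT      67
#define DNS_ERR_SHUTDOWN     68
#define DNS_ERR_CANCEL       69
#define DNS_ERR_NODATA       70

/* Hypothetical per-relay state for AAAA lookups (not a Tor structure). */
typedef struct {
  uint64_t queries;        /* AAAA lookups completed, any outcome */
  uint64_t failures;       /* lookups that failed for infrastructure reasons */
  uint64_t min_queries;    /* no decision before this many lookups */
  unsigned fail_permille;  /* failure ratio (per 1000) that disables IPv6 DNS */
  bool ipv6_dns_ok;        /* false once IPv6 DNS has been declared broken */
} ipv6_dns_tracker_t;

void tracker_init(ipv6_dns_tracker_t *t, bool testing_network)
{
  t->queries = 0;
  t->failures = 0;
  /* 1000 in production, 1 under TestingTorNetwork so chutney fails fast. */
  t->min_queries = testing_network ? 1 : 1000;
  t->fail_permille = 500;  /* assumed: half of all lookups failing */
  t->ipv6_dns_ok = true;
}

/* Assumed classification: true for errors that point at the resolver or
 * network, false for outcomes a client can produce by choosing the name
 * it asks for (NXDOMAIN, no AAAA record, malformed or cancelled query). */
bool is_infrastructure_error(int err)
{
  switch (err) {
    case DNS_ERR_SERVERFAILED:
    case DNS_ERR_REFUSED:
    case DNS_ERR_TIMEOUT:
    case DNS_ERR_SHUTDOWN:
      return true;
    default:
      return false;
  }
}

/* Record one completed AAAA lookup; returns whether IPv6 DNS is still
 * considered working. The decision is sticky once made. */
bool tracker_record(ipv6_dns_tracker_t *t, int err)
{
  t->queries++;
  if (is_infrastructure_error(err))
    t->failures++;
  if (t->queries >= t->min_queries &&
      t->failures * 1000 >= t->queries * t->fail_permille)
    t->ipv6_dns_ok = false;
  return t->ipv6_dns_ok;
}

/* Feed `count` identical outcomes into a fresh tracker and report the
 * resulting state; used to compare the scenarios from the ticket. */
bool simulate_outcomes(bool testing_network, int err, unsigned count)
{
  ipv6_dns_tracker_t t;
  tracker_init(&t, testing_network);
  bool ok = true;
  for (unsigned i = 0; i < count; i++)
    ok = tracker_record(&t, err);
  return ok;
}

int main(void)
{
  /* A client flooding lookups for names that do not exist: never counted. */
  printf("NXDOMAIN flood x100000, IPv6 DNS ok: %d\n",
         simulate_outcomes(false, DNS_ERR_NOTEXIST, 100000));
  /* Timeouts below the minimum query count: no decision yet. */
  printf("999 timeouts, IPv6 DNS ok: %d\n",
         simulate_outcomes(false, DNS_ERR_TIMEOUT, 999));
  /* Timeouts at the minimum: disabled. */
  printf("1000 timeouts, IPv6 DNS ok: %d\n",
         simulate_outcomes(false, DNS_ERR_TIMEOUT, 1000));
  /* Under TestingTorNetwork a single timeout is enough. */
  printf("testing network, 1 timeout, IPv6 DNS ok: %d\n",
         simulate_outcomes(true, DNS_ERR_TIMEOUT, 1));
  return 0;
}
```

The ratio is what keeps a busy exit alive through a brief resolver outage: a relay answering 100,000 lookups with 1% timeouts stays enabled, while a quiet relay whose resolver is genuinely dead reaches the threshold as soon as it has seen 1000 lookups. Whether the counters should also decay over time, so that an exit recovers without a restart, is a separate design choice this sketch does not make.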