[tor-dev] Proposal 186: Multiple addresses for one OR or bridge

Karsten Loesing karsten.loesing at gmx.net
Thu Sep 22 07:43:39 UTC 2011


Hi Nick,

a few comments on proposal 186 below:

On 9/21/11 8:13 PM, Nick Mathewson wrote:
>   In consonance with our changes to the (Socks|Trans|NATD|DNS)Port
>   options made in 0.2.3.x for proposal 171, I make a corresponding
>   change to allow multiple SocksPort options and deprecate
>   SocksListenAddress.

When you say "Socks" in this document in most cases you mean "OR".

>   The new syntax will be:
> 
>       "SocksPort" PortDescription Options?

The syntax allows multiple options per SocksPort line, right?  Would
that be "Options*" then?

>   The 'NoListen' option tells Tor to advertise an address, but not
>   bind to it.  The operator needs to use some other mechanism to
>   ensure that ports are redirected to ports that _are_ listened on.

Do we need to check that we have at least one SocksPort line without the
NoListen option?

>   In current operating systems (unless we get into crazy nonportable
>   tricks) we need to use one socket for every address:port that Tor
>   binds on.  As a sanity check, we can limit the number of such
>   sockets we use to, say, 64.  If you want to bind lots more
>   address:port combinations, you'll want to do it at the
>   firewall/routing level.

64 seems very high for the number of sockets to open.  If someone wants to
open more than 8 sockets and doesn't know how to edit firewall rules,
that person probably shouldn't be opening this number of sockets.

>   Example: Our firewall is redirecting ports 80, 443, and 7000-8000
>   on all hosts in x.244.2.0/24 onto our port 2929.
> 
>      SocksPort 2929 no-advertise
>      SocksPort x.244.2.0/24:80,443,7000-8000 no-listen

"no-advertise" -> "noadvertise"

"no-listen" -> "nolisten"

The "/24" should probably also go away.

>   Example: We have a dynamic DNS provider that maps
>   tornode.example.com to our current external IPv4 and IPv6
>   addresses.  Our firewall forwards port 443 on those addresses to our
>   port 1337.
> 
>      SocksPort 1337 no-advertise alladdrs
>      SocksPort tornode.example.com:443 no-bind alladdrs

"no-advertise" -> "noadvertise"

"no-bind" -> "nolisten"

I wonder what the effect of putting in a dynamic hostname is.  Tor uses
an IP address in the server descriptor anyway, and wouldn't it find out
the IP address(es) by itself?

>   It will now be possible for a Tor node to find that some addresses
>   work and others do not.  In this case, the node should only
>   advertise socksport lines that have been checked.

What if a partial SocksPort line was found to work, that is, if only a
few ports work?

>   A node must not list more than 8 or-address lines.

Should there also be a restriction of PORTSPECs per line?  I can imagine
how these lines can get quite long: 1.2.3.4:1-2,4-5,7-8,...

Rest looks good!

Best,
Karsten

