[tor-relays] ipv6 behaviour consensus

teor teor at riseup.net
Fri Apr 19 01:02:17 UTC 2019


Hi,

> On 19 Apr 2019, at 07:41, Charly Ghislain <charlyghislain at gmail.com> wrote:
> 
> I feel there is an issue in case the operator advertises an unreachable ip6 address in the config. This seems like a configuration error that should be spotted by a self-reachability mechanism that is yet to come, like for ipv4. I can imagine however that directories could be able to flag the relay as reachable over ipv4 and not over ipv6, and that the relay would still be usable over ip4. I thought it was the case actually.

We asked the directory authority operators what they wanted Tor to do when
relays are reachable over IPv4 but not IPv6. They told us that the relays
should not be in the consensus, because then operators would notice, and
fix them. (As Jake Visser did.)

We also talked with relay operators, and there were a range of different
opinions.

If we want to have enough IPv6 relays to support lots of IPv6 clients, we
need every relay that can do IPv6, to have working IPv6.

> On 19 Apr 2019, at 08:46, s7r <s7r at sky-ip.org> wrote:
> 
> One use I can think for this is in a world where an IPv6 only client
> gets to use such a relay as Guard, by connecting it to its advertised
> IPv6 address (regardless that will be actually converted to IPv4 before
> it hits the relay, this will be transparent to the client and will
> actually work).

I think having more ways to do IPv6 is useful as we transition to IPv6.

When most relays support IPv6, we can start deprecating some of the less
useful ways of doing IPv6. But we're not there yet.

> On 19 Apr 2019, at 08:54, Jake Visser <jake at emeraldonion.org> wrote:
> 
> Thanks Charly – yes.. in this case a flag or error in logging that IPv6 was not reachable would have saved me many hours of debugging (for us, this was an obscure IPv6 issue, where all other IPs on the same range work; it was broken as a function of a very restrictive ND policy on the firewall).
> 
> So regardless of Full v6 support, or v6 only support [both are needed], at the very least some good logging to say if it's failing would be great 😉

After a few hours, your relays should have warned you that they were not
in the consensus. Maybe you missed the warning, because you were looking
at debug logs?

A relay can't tell you that its own IPv6 address is unreachable, because
it never checks its IPv6 address for reachability.

We have a ticket to implement IPv6 reachability checks, but it's more
complex than you might expect, because relays don't extend to other
relays over IPv6 yet.

https://trac.torproject.org/projects/tor/ticket/24403

We're working on getting funding for IPv6 improvements in 2020, and this
feature will be first. (There's no point in making clients do IPv6 better,
if we don't have enough IPv6 relays.)

T
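
An operator-side check for the situation discussed in this thread, as an added example that is not part of the original message or of Tor's own code: it looks up a relay in a consensus document and reports whether a missing entry coincides with an IPv6 ORPort in the torrc. The function names, the sample torrc and the consensus excerpt (placeholder fingerprints, documentation addresses) are constructed assumptions.

```python
import base64
import re

# Constructed consensus excerpt in the dir-spec "r"/"a"/"s" line format.
# Fingerprints are placeholders and addresses are documentation ranges.
SAMPLE_CONSENSUS = "\n".join([
    "r dualstack " + "A" * 27 + " " + "B" * 27 + " 2019-04-18 23:00:00 192.0.2.10 9001 0",
    "a [2001:db8::10]:9001",
    "s Fast Running Stable Valid",
    "r v4only " + "/" * 26 + "8 " + "C" * 27 + " 2019-04-18 23:00:00 192.0.2.20 9001 0",
    "s Fast Running Valid",
])
SAMPLE_TORRC = "Nickname dualstack\nORPort 9001\nORPort [2001:db8::10]:9001\n"

def identity_b64(fingerprint_hex):
    """'r' lines carry the identity as unpadded base64 of the 20-byte fingerprint."""
    return base64.b64encode(bytes.fromhex(fingerprint_hex)).decode().rstrip("=")

def torrc_advertises_ipv6(torrc_text):
    """True if an ORPort line names a bracketed IPv6 address."""
    pattern = re.compile(r"\s*ORPort\s+\[[0-9a-f:]+\]:\d+", re.IGNORECASE)
    return any(pattern.match(line) for line in torrc_text.splitlines())

def relay_entry(consensus_text, fingerprint_hex):
    """Return {'ipv6': [...], 'flags': [...]} for the relay, or None if unlisted."""
    wanted, entry = identity_b64(fingerprint_hex), None
    for line in consensus_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "r":
            if entry is not None:
                break  # reached the next relay's entry
            if len(parts) >= 3 and parts[2] == wanted:
                entry = {"ipv6": [], "flags": []}
        elif entry is not None and line.startswith("a ["):
            entry["ipv6"].append(parts[1])
        elif entry is not None and parts[0] == "s":
            entry["flags"] = parts[1:]
    return entry

def diagnose(torrc_text, consensus_text, fingerprint_hex):
    entry = relay_entry(consensus_text, fingerprint_hex)
    if entry is None:
        # Per the thread: a relay advertising unreachable IPv6 is left out entirely.
        return "missing-check-ipv6" if torrc_advertises_ipv6(torrc_text) else "missing"
    return "listed-ipv6" if entry["ipv6"] else "listed-ipv4-only"

if __name__ == "__main__":
    print(diagnose(SAMPLE_TORRC, SAMPLE_CONSENSUS, "00" * 20))
```

A "missing-check-ipv6" result only narrows the search; the IPv6 ORPort still has to be tested from a host outside the relay's own network.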

