[tor-relays] Debugging ipv6 conenctivity

s7r s7r at sky-ip.org
Sat Feb 23 16:58:14 UTC 2019 

s7r wrote:
> Hi there,
> 
> Thanks for running a relay.
> 
> IPv6 is not intended to be used that way. IPv6 was designed to ensure
> end to end connectivity, given it's not a scarce resource each device
> should have its own public IPv6 address and you can implement whatever
> filters or restrictions the haproxy provides at an upstream firewall or
> router or something.
> 
> Back to the subject, your setup will not work because your Tor daemon is
> not listening on any IPv6 address.
> 
> 
> You have this line in your torrc:
> 
> ORPort [2001:41d0:1:84bc::1]:9001 NoListen
> 
> and this means to advertise this address and port in the descriptor but
> NOT BIND TO IT.
> 
> So, you must add a secondary NoAdvertise address, where the Tor daemon
> can actually bind and listen to. That is why the cleanest way was to
> have the public IPv6 address assigned directly to the box. The same as
> you did for IPv4 actually.
> 
> You can do some forwarding between haproxy and the Tor server to still
> advertise the haproxy public IPv6 address and somehow forward using link
> local addresses (fe80::/16) or 6-to-4 (::ffff:192:168:1:2 or whatever
> NAT IPv4 class you use) between haproxy and Tor, but this seams
> overkill. You need to make sure nothing blocks or drops ICMPv6 (IPv6
> needs it) and also you are not filtering fe80::/16 and fc00:/16 classes
> as well as UDP port 546. Remember that link local IPv6 addresses change
> if you change the interface (ethernet port) or even its name, so you
> must always update the rules and torrc config. This is why I am telling
> you it's overkill, and I am only explaining how to theoretically do it
> in order for your to understand how things work, not to actually do it
> because it's pointless and overkill.
> 
> Then you would have (if the Tor server would actually have this link
> local address - this is just a dumb example):
> ORPort [fe80:cafe:cafe::2]:9001 NoAdvertise
> 
> So it would bind to it.
> 
> Hope this clarifies. Please assign the IPv6 directly, there are exactly
> 0 reasons not to do it.
> 
> -s7r
> 
> Charly Ghislain wrote:
>> ok, maybe i haven't waited that long. I will put it back and come back
>> to you in a couple of days.
>> I must say I would be surprised it would take so long to check connectivity.
>>
>>
>> On Sat, Feb 23, 2019 at 4:02 PM Blicky <tor at blicky.net
>> <mailto:tor at blicky.net>> wrote:
>>
>>     Hi,
>>
>>     For how long have you advertised the v6 address? My relays also received
>>     the UnreachableIpv6 flag shortly after I setup IPv6, but after 24 hours
>>     that automatically turned into ReachableIPv6. I'm guessing it takes some
>>     time for the measurements to take place and propagate.
>>
>>     I can reach your IPv6 address on that port, so the network configuration
>>     is fine, at least.
>>
>>     Regards,
>>
>>     Blicky.
>>
>>     On 2019-02-23, Charly Ghislain wrote:
>>     > Hi all,
>>     >
>>     > My tor relay has got the UnreachableIpv6 flag set once i mentionned an
>>     > OrPort with my ipv6 address.
>>     >
>>     > From what i can tell, my server is reachable over ipv6, and can
>>     contact the
>>     > directory authorities through ipv6 (following the instructions
>>     found there:
>>     >
>>     https://trac.torproject.org/projects/tor/wiki/TorRelayGuide#Makesurerelayportscanbereached
>>     > ).
>>     >
>>     > The node is behind an haproxy that relays ipv6 traffic to natted
>>     ipv4 (with
>>     > no logging for those concerned). It seems to work fine for web
>>     content over
>>     > ipv6, and traffic on both ips (v4 and v6) goes through this channel.
>>     >
>>     > I can successfully telnet my node ORPort using my v6 address. The
>>     ports
>>     > have been defined this way in torrc:
>>     > ORPort 0.0.0.0:9001 NoAdvertise
>>     > ORPort 91.121.79.188:9001 NoListen
>>     > ORPort [2001:41d0:1:84bc::1]:9001 NoListen
>>     >
>>     > Is there a way to make a tor client connect to a specific relay to
>>     debug
>>     > this kind of connectivity issues? Or any other mean?
>>     >
>>     > In the meantime ive removed the advertized ip6.
>>     >
>>     > Regards,
>>     >
>>     > Charly
>>

And thanks for actually discovering a potential bug with this weird
setup -- I have just logged #29570 :

https://trac.torproject.org/projects/tor/ticket/29570

So we may avoid this happening even in rare use cases.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20190223/9d2f702f/attachment.sig>

More information about the tor-relays mailing list