[tor-talk] IPv6 /48 for OnionCat

Mirimir mirimir at riseup.net
Mon Aug 29 05:34:48 UTC 2016


On 08/28/2016 11:09 PM, Bernhard R. Fischer wrote:
> On 2016-08-28 23:35, grarpamp wrote:
>> On 8/28/16, Mirimir <mirimir at riseup.net> wrote:
>>> On 08/28/2016 02:00 AM, grarpamp wrote:
>>
>>> OK. As I understand it, all that matters is using a /48 that won't be
>>> provisioned by ISPs. In case it hits the public Internet. Right?
>>
>> If your users are the masses, yes. In a private install / userbase
>> you could pick anything that doesn't collide in your stacks,
>> and then anything that hasn't been allocated via rfc / registry,
>> which is almost the entire /128. Use filters, don't rely on whatever ISPs
>> do or IANA docs say.
>>
>>> And I could configure onion services to route among multiple /48
>>> networks, yes?
>>
>> Well you would bind apps to the ipv6/128 on the tun interface,
>> onioncat takes care of routing that /48 among tor's onions
>> after the hosts routing table sends its packets to the tun.
>> Basically yes.
> 
> 
> Exactly. To be more precise, OnionCat does not "route packets" in terms
> of the IP protocol. In respect to IP, OC is like an Ethernet switch,
> i.e. it works on layer 2.
> Thus, routing has to be set up on the host computer (your Linux box, or
> whatever) as usual. Think of Onioncat (and its tun device) as being just
> another Ethernet port on your computer.

Yes, I get that.

> This basically implies all kinds of security risks (firewalling,...) you
> could have on a network port with an IP address assigned to it.
> 
> You may also have a look at
> https://www.cypherpunk.at/onioncat_trac/wiki/Security

As I wrote in another subthread, I restrict traffic by local and remote
OnionCat IPv6 addresses, both in ip6tables and for ip4ip6 tunnels. And
I'll also be using HiddenServiceAuthorizeClient.

>>> OK, so I get that -t is the SocksPort used for outbound connections. And
>>> for inbound connections, I get that -l is the listening address and
>>> port, and that -s is the virtual hidden service port.
>>>
>>> So for now, each instance would have its own pair of -t and -l/-s. But
>>> I'm having a hard time imagining what multiplexing would look like. And
>>> anyway, isn't it better to split stuff across multiple SocksPorts?
>>
>> Socks5 port is a bit different from onion p2p.
>> I meant having single onioncat handling multiple /48's would give another
>> abstract management option, in addition to multiple onioncats with
>> one /48 each.
> 
> 
> For me, it sounds very complicated what you are trying to do. So even
> one /48 prefix contains more addresses than the whole IPv4 address space.

I mainly just wanted a different /48, as another kind of isolation. And
perhaps that's unnecessary.

> And OC is not a multi-cast network, thus you cannot simply "arp" for
> other OCs.

Thanks, I glossed over that. You can only route to OnionCat IPv6 that
you know already. Because they're basically just transformed hostnames.

> So why would you try to use several different /48 prefixes?

Upon reflection, I wouldn't ;)

> Bernhard
> 
> 

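Two points in the thread above lend themselves to a concrete illustration: OnionCat addresses are "just transformed hostnames" (the 80 bits of a v2 onion label appended to OnionCat's fd87:d87e:eb43::/48 prefix), and the only traffic that should cross the tun interface is between your own OnionCat address and peers you already know. The following is an added example written for this archive page; it is not code from OnionCat or from any poster. It assumes the published OnionCat /48 prefix, v2 (16-character base32) onion labels, and a tun interface named tun0 for the generated rule strings. The sample hostnames and addresses are constructed for the example.

```python
import base64
import ipaddress
import re

# OnionCat's documented ULA prefix; every OnionCat peer address lives in this /48.
ONIONCAT_PREFIX = ipaddress.IPv6Network("fd87:d87e:eb43::/48")
# A v2 onion label is 16 base32 characters (RFC 4648 alphabet, lowercase) = 80 bits.
_ONION_LABEL = re.compile(r"[a-z2-7]{16}")


def onion_to_ipv6(hostname):
    """Map a v2 onion hostname to its OnionCat IPv6 address (48-bit prefix + 80-bit label)."""
    label = hostname.lower()
    if label.endswith(".onion"):
        label = label[:-len(".onion")]
    if not _ONION_LABEL.fullmatch(label):
        raise ValueError("not a 16-character v2 onion label: %r" % hostname)
    host_bits = base64.b32decode(label.upper())          # exactly 10 bytes
    prefix_bytes = ONIONCAT_PREFIX.network_address.packed[:6]
    return ipaddress.IPv6Address(prefix_bytes + host_bits)


def is_onioncat_address(addr):
    """True if addr falls inside the OnionCat /48."""
    return ipaddress.IPv6Address(addr) in ONIONCAT_PREFIX


def ipv6_to_onion(addr):
    """Inverse mapping: recover the onion hostname from an OnionCat IPv6 address."""
    a = ipaddress.IPv6Address(addr)
    if a not in ONIONCAT_PREFIX:
        raise ValueError("%s is not an OnionCat address" % a)
    return base64.b32encode(a.packed[6:]).decode("ascii").lower() + ".onion"


def build_peer_allowlist(hostnames):
    """Set of peer addresses you are willing to talk to. There is no ARP/multicast
    discovery on OnionCat, so this set is the whole reachable world by design."""
    return {onion_to_ipv6(h) for h in hostnames}


def is_permitted(src, dst, local_addr, allowlist):
    """Policy check mirroring a local+remote address restriction on the tun interface:
    accept only traffic between this host's own OnionCat address and a known peer."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    local = ipaddress.IPv6Address(local_addr)
    return (s == local and d in allowlist) or (d == local and s in allowlist)


def ip6tables_rules(local_addr, allowlist, iface="tun0"):
    """Render an allowlist for the tun interface as ip6tables commands (iface name is
    an assumption). Returns the rule strings; nothing is executed here."""
    local = ipaddress.IPv6Address(local_addr)
    rules = []
    for peer in sorted(allowlist):
        rules.append("ip6tables -A INPUT -i %s -s %s -d %s -j ACCEPT" % (iface, peer, local))
        rules.append("ip6tables -A OUTPUT -o %s -s %s -d %s -j ACCEPT" % (iface, local, peer))
    # Default-deny everything else that appears on the OnionCat interface.
    rules.append("ip6tables -A INPUT -i %s -j DROP" % iface)
    rules.append("ip6tables -A OUTPUT -o %s -j DROP" % iface)
    return rules


if __name__ == "__main__":
    # Constructed sample: a local onion and two known peers (not real services).
    local = onion_to_ipv6("aaaaaaaaaaaaaaaa.onion")
    peers = build_peer_allowlist(["abcdefghijklmnop.onion", "bbbbbbbbbbbbbbbb.onion"])
    print("local OnionCat address:", local)
    for p in sorted(peers):
        print("peer", p, "->", ipv6_to_onion(p))
    print(is_permitted(local, onion_to_ipv6("abcdefghijklmnop"), local, peers))
    print("\n".join(ip6tables_rules(local, peers)))
```

The round trip makes the thread's point tangible: the IPv6 address carries no information beyond the onion hostname, so there is nothing to "discover" on the network, and an allowlist of known hostnames is the natural input to the local/remote address filter.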
