[tor-talk] IPv6 /48 for OnionCat
Mirimir
mirimir at riseup.net
Mon Aug 29 05:34:48 UTC 2016
On 08/28/2016 11:09 PM, Bernhard R. Fischer wrote:
> On 2016-08-28 23:35, grarpamp wrote:
>> On 8/28/16, Mirimir <mirimir at riseup.net> wrote:
>>> On 08/28/2016 02:00 AM, grarpamp wrote:
>>
>>> OK. As I understand it, all that matters is using a /48 that won't be
>>> provisioned by ISPs. In case it hits the public Internet. Right?
>>
>> If your users are the masses, yes. In a private install / userbase
>> you could pick anything that doesn't collide in your stacks,
>> and then anything that hasn't been allocated via rfc / registry,
>> which is almost the entire /128. Use filters, don't rely on whatever ISPs
>> do or IANA docs say.
>>
>>> And I could configure onion services to route among multiple /48
>>> networks, yes?
>>
>> Well you would bind apps to the ipv6/128 on the tun interface,
>> onioncat takes care of routing that /48 among tor's onions
>> after the hosts routing table sends its packets to the tun.
>> Basically yes.
>
>
> Exactly. To be more precise, OnionCat does not "route packets" in terms
> of the IP protocol. In respect to IP, OC is like an Ethernet switch,
> i.e. it works on layer 2.
> Thus, routing has to be set up on the host computer (your Linux box, or
> whatever) as usual. Think of Onioncat (and its tun device) as being just
> another Ethernet port on your computer.
Yes, I get that.
> This basically implies all kinds of security risks (firewalling,...) you
> could have on a network port with an IP address assigned to it.
>
> You may also have a look at
> https://www.cypherpunk.at/onioncat_trac/wiki/Security
As I wrote in another subthread, I restrict traffic by local and remote
OnionCat IPv6 addresses, both in ip6tables and for ip4ip6 tunnels. And
I'll also be using HiddenServiceAuthorizeClient.
>>> OK, so I get that -t is the SocksPort used for outbound connections. And
>>> for inbound connections, I get that -l is the listening address and
>>> port, and that -s is the virtual hidden service port.
>>>
>>> So for now, each instance would have its own pair of -t and -l/-s. But
>>> I'm having a hard time imagining what multiplexing would look like. And
>>> anyway, isn't it better to split stuff across multiple SocksPorts?
>>
>> Socks5 port is a bit different from onion p2p.
>> I meant having single onioncat handling multiple /48's would give another
>> abstract management option, in addition to multiple onioncats with
>> one /48 each.
>
>
> For me, it sounds very complicated what you are trying to do. So even
> one /48 prefix contains more addresses than the whole IPv4 address space.
I mainly just wanted a different /48, as another kind of isolation. And
perhaps that's unnecessary.
> And OC is not a multi-cast network, thus you cannot simply "arp" for
> other OCs.
Thanks, I glossed over that. You can only route to OnionCat IPv6 that
you know already. Because they're basically just transformed hostnames.
> So why would you try to use several different /48 prefixes?
Upon reflection, I wouldn't ;)
> Bernhard
>
>
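Added illustration of the two points above (this is not code from the thread or from the OnionCat project): an OnionCat address is just a v2 .onion hostname, whose 16 base32 characters decode to exactly the 80-bit host part of the chosen /48, so there is nothing to "arp" for, and known peers can be allow-listed in ip6tables by address. fd87:d87e:eb43::/48 is OnionCat's documented default prefix; the hostnames and the tun0 interface name are constructed for the example.

```python
import base64
import ipaddress

# OnionCat's documented default /48; any /48 that no ISP will provision works too.
ONIONCAT_PREFIX = ipaddress.IPv6Network("fd87:d87e:eb43::/48")
HOST_MASK = (1 << 80) - 1  # a /48 leaves 80 host bits, exactly one v2 onion id


def onion_to_ipv6(hostname: str, prefix=ONIONCAT_PREFIX) -> ipaddress.IPv6Address:
    """Transform a 16-character (v2) .onion hostname into its OnionCat address."""
    if prefix.prefixlen != 48:
        raise ValueError("OnionCat requires a /48 prefix")
    label = hostname.lower().removesuffix(".onion")
    if len(label) != 16:
        raise ValueError("expected a 16-character v2 onion id")
    host_bits = base64.b32decode(label.upper())  # 16 base32 chars -> 10 bytes = 80 bits
    return ipaddress.IPv6Address(int(prefix.network_address) | int.from_bytes(host_bits, "big"))


def ipv6_to_onion(addr, prefix=ONIONCAT_PREFIX) -> str:
    """Inverse mapping: the address alone identifies the onion service, no lookup needed."""
    a = ipaddress.IPv6Address(addr)
    if a not in prefix:
        raise ValueError(f"{a} is not inside {prefix}")
    host_bits = (int(a) & HOST_MASK).to_bytes(10, "big")
    return base64.b32encode(host_bits).decode().lower() + ".onion"


def ip6tables_allowlist(local_onion, peer_onions, iface="tun0", prefix=ONIONCAT_PREFIX):
    """Rules restricting the OnionCat tun interface to traffic between this host's
    own OnionCat address and the peers whose hostnames are already known (the
    'restrict by local and remote OnionCat IPv6 address' approach from the thread).
    Everything else arriving on or leaving via the tun device is dropped."""
    local = onion_to_ipv6(local_onion, prefix)
    rules = []
    for peer in sorted(onion_to_ipv6(p, prefix) for p in peer_onions):
        rules.append(f"ip6tables -A INPUT -i {iface} -s {peer} -d {local} -j ACCEPT")
        rules.append(f"ip6tables -A OUTPUT -o {iface} -s {local} -d {peer} -j ACCEPT")
    rules.append(f"ip6tables -A INPUT -i {iface} -j DROP")
    rules.append(f"ip6tables -A OUTPUT -o {iface} -j DROP")
    return rules


if __name__ == "__main__":
    # Constructed hostnames, not real onion services.
    me, peer = "abcdefghijklmnop.onion", "aaaaaaaaaaaaaaaa.onion"
    print(me, "->", onion_to_ipv6(me))
    print("\n".join(ip6tables_allowlist(me, [peer])))
```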