[tor-talk] New release candidate: Tor 0.4.5.4-rc

Roman Mamedov rm at romanrm.net
Fri Feb 5 14:23:52 UTC 2021


On Fri, 5 Feb 2021 08:51:56 -0500
David Goulet <dgoulet at torproject.org> wrote:

> Can you expand here on why you think an operator using a /64 is worse than an
> operator using an IPv4 /24 to run their relays?

In IPv4, a single person will rarely have an entire /24 to themselves; as
such, connections coming from different IPs in a /24 are more often assumed to
have no relation to each other.

...but in IPv6 a single person *most often* will have a /64, or more. Given
the current kinds of deployments maybe not always in datacenters, but always -
on broadband customer connections.

...so anyone and their dog can now be "using a /64" in IPv6, and if any
filtering, rate-limiting or banning solution happens to believe a /64 to be on
equal grounds with a /24 of IPv4, they can now gain the benefit of the doubt
of being considered as separate distinct entities, and reap whatever profit is
to be had from that, if any.

> We have large Exit operators on the network that have racks of servers but
> only have a /48 available to them and thus they run a "fleet" of Exits on that
> very close by address range.

A /48 is 65.5 thousand /64s, so they could use a separate /64 for each
relay and that'd still fit more relays than in the entire Tor network.

> As for sybil, we are looking for more than 2 relays per address which is the
> limit that has been for a long time now. That is true on IPv4 and IPv6 as
> well, the checked masks are /32 and /128 respectively.

The argument is that since a /64 in IPv6 is often controlled by a single
person, for the purposes of spam filtering, rate-limiting, or in this case
sybil detection, a /64 by itself should be equated to "an address" (or "one
user"), i.e. treated the same as 1 IP (/32) in the IPv4 world.

-- 
With respect,
Roman
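
The two groupings discussed in this thread, as an added example that is not part of the original message and is not Tor's code: relays are bucketed per address (/32 and /128, the masks quoted above) and then per /32 and /64 (the key proposed in the reply), and any bucket with more than 2 relays is reported. The function names and the relay list are assumptions; the addresses are constructed from the documentation ranges 192.0.2.0/24 and 2001:db8::/32.

```python
import ipaddress
from collections import defaultdict

# Limit quoted in the thread: more than 2 relays per address is flagged.
MAX_RELAYS_PER_KEY = 2

# Constructed sample data (documentation prefixes, not real relays).
CONSTRUCTED_RELAYS = [
    "2001:db8:1:1::10",  # three distinct /128s inside one /64
    "2001:db8:1:1::11",
    "2001:db8:1:1::12",
    "2001:db8:1:2::10",  # a different /64 inside the same /48
    "192.0.2.5",         # three distinct /32s inside one /24
    "192.0.2.6",
    "192.0.2.7",
    "192.0.2.9",         # three relays on the very same IPv4 address
    "192.0.2.9",
    "192.0.2.9",
]


def entity_key(addr, v6_prefix=64):
    """Return the network that counts as 'one address' for addr.

    IPv4 is always keyed on the full /32. IPv6 is keyed on v6_prefix:
    128 reproduces the per-address check, 64 is the proposed grouping.
    """
    ip = ipaddress.ip_address(addr)
    prefix = 32 if ip.version == 4 else v6_prefix
    # strict=False masks the host bits instead of raising ValueError.
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def over_limit(relay_addrs, v6_prefix=64, limit=MAX_RELAYS_PER_KEY):
    """Map each key holding more than `limit` relays to its addresses."""
    buckets = defaultdict(list)
    for addr in relay_addrs:
        buckets[entity_key(addr, v6_prefix)].append(addr)
    return {str(net): addrs for net, addrs in buckets.items()
            if len(addrs) > limit}


if __name__ == "__main__":
    for v6_prefix in (128, 64):
        print(f"IPv6 keyed on /{v6_prefix}:")
        for net, addrs in over_limit(CONSTRUCTED_RELAYS, v6_prefix).items():
            print(f"  {net}: {len(addrs)} relays")
```

With the /128 key the three IPv6 relays in 2001:db8:1:1::/64 count as three unrelated addresses; with the /64 key they fall into one bucket and exceed the limit, while the relay in the neighbouring /64 stays separate.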

