February 2020 - tor-commits - lists.torproject.org

[torspec/master] Prop 312: Add Ignore Addresses on Inbound Conns
by teor＠torproject.org 05 Feb '20

05 Feb '20

commit 1f9f3986d188c9d530fd1edc7294978273796385 Author: teor <teor(a)torproject.org> Date: Wed Feb 5 10:44:43 2020 +1000 Prop 312: Add Ignore Addresses on Inbound Conns Add an optional change. Part of 33073. --- proposals/312-relay-auto-ipv6-addr.txt | 86 +++++++++++++++++++++++----------- 1 file changed, 59 insertions(+), 27 deletions(-) diff --git a/proposals/312-relay-auto-ipv6-addr.txt b/proposals/312-relay-auto-ipv6-addr.txt index 7724afd..31a5dd7 100644 --- a/proposals/312-relay-auto-ipv6-addr.txt +++ b/proposals/312-relay-auto-ipv6-addr.txt @@ -399,7 +399,7 @@ Ticket: #33073 prefer designs where all relays behave in a similar way, regardless of their internal state.) - For some more complex directory load-balancing schemes, see section 3.5.3. + For some more complex directory load-balancing schemes, see section 3.5.4. Tor already ignores private IPv4 addresses in directory headers. We propose to also ignore private IPv6 addresses in directory headers. If all IPv4 and @@ -602,8 +602,7 @@ Ticket: #33073 * authenticated NETINFO cells. See the following sections for more details. - See also sections 3.5.2 (for preferring addresses from directory - authorities) and 3.5.3 (for load-balancing). + See also sections 3.5.2 to 3.5.4. 3.5.1.1. Authenticated Directory Connections @@ -760,10 +759,33 @@ Ticket: #33073 IPv6, until clients start to do so. (See [Proposal 306: Client Auto IPv6 Connections].) - See also sections 3.5.1 (for only using addresses from authenticated - connections) and 3.5.3 (for load-balancing). + See also sections 3.5.1 to 3.5.4. -3.5.3. Load Balancing +3.5.3. Ignoring Addresses on Inbound Connections + + We propose this optional change, to improve relay (and bridge) address + accuracy and reliability. + + Relays ignore IPv4 and IPv6 address suggestions received on inbound + connections. + + We make this change, because we want to detect the IP addresses of the + relay's outbound routes, rather than the addresses that that other relays + believe they are connecting to for inbound connections. + + If we make this change, relays may need to close some inbound connections, + before doing address detection. If we also make the changes in sections + 3.5.1 and 3.5.2, busy relays could have persistent, inbound OR connections + from all directory authorities. (Currently, there are 9 directory + authorities with IPv4 addresses, and 6 directory authorities with IPv6 + addresses.) + + Directory authorities do not use these address detection methods to + discover their own addresses, for security reasons. + + See also sections 3.5.1 to 3.5.4. + +3.5.4. Load Balancing We propose some optional changes to improve relay (and bridge) load-balancing across directory authorities. @@ -771,15 +793,20 @@ Ticket: #33073 Directory authorities do not use these address detection methods to discover their own addresses, for security reasons. -3.5.3.1. Directory Authority Load Balancing + See also sections 3.5.1 to 3.5.3. + +3.5.4.1. Directory Authority Load Balancing Relays may prefer: * authenticated connections (section 3.5.1). Relays and bridges may prefer: - * connecting to Directory Authorities (section 3.5.2). + * connecting to Directory Authorities (section 3.5.2), or + * ignoring addresses on inbound connections (section 3.5.3) + (and therefore, they may close some inbound connections, + leading to extra connection re-establishment load). - Both these changes are optional, so they might not be implemented. + All these changes are optional, so they might not be implemented. Directory authorities do not use these address detection methods to discover their own addresses, for security reasons. @@ -839,7 +866,7 @@ Ticket: #33073 (Relays may use NETINFO cells for address detection, see section 3.5.1.2.) - See also section 3.5.3.3, for some general load balancing criteria, that + See also section 3.5.4.3, for some general load balancing criteria, that may help when tuning the address detection interval. We propose a related change, which is also optional: @@ -850,11 +877,9 @@ Ticket: #33073 ORPort directory requests. (And the most expensive cryptography happens when the ORPort connection is opened.) - See also sections 3.5.1 (for only using addresses from authenticated - connections) and 3.5.2 (for preferring addresses from directory - authorities). + See also sections 3.5.1 to 3.5.3. -3.5.3.2. Load Balancing Between IPv4 and IPv6 Directories +3.5.4.2. Load Balancing Between IPv4 and IPv6 Directories We propose this optional change, to improve the load-balancing between IPv4 and IPv6 directories, when used by relays to find their IPv4 and IPv6 @@ -869,9 +894,11 @@ Ticket: #33073 This change may only be necessary if the following changes result in poor load-balancing, or other relay issues: - * randomly selecting IPv4 or IPv6 directories (see section 3.2.5), or + * randomly selecting IPv4 or IPv6 directories (see section 3.2.5), * preferring addresses from directory authorities, via an authenticated - connection (see sections 3.5.1 and 3.5.2). + connection (see sections 3.5.1 and 3.5.2), or + * ignoring addresses on inbound connections, and therefore closing and + re-opening some connections (see section 3.5.3). We propose that the RelayMaxIntervalWithoutAddressDetection option is counted separately for IPv4 and IPv6 (see the previous section for details). @@ -887,14 +914,16 @@ Ticket: #33073 If both intervals have elapsed at the same time, the relay should choose between IPv4 and IPv6 at random. - See also section 3.5.3.3, for some general load balancing criteria, that + See also section 3.5.4.3, for some general load balancing criteria, that may help when tuning the address detection interval. Alternately, we could wait until [Proposal 306: Client Auto IPv6 Connections] is implemented, and use the directory fetch design from that proposal. -3.5.3.3. General Load Balancing Criteria + See also sections 3.5.1 to 3.5.3. + +3.5.4.3. General Load Balancing Criteria We propose the following criteria for choosing load-balancing intervals: @@ -909,6 +938,7 @@ Ticket: #33073 tor cryptography, so it is more expensive for authorities than a DirPort fetch (and it can not be cached by a HTTP cache) (see section 3.5.1), + * closing and re-opening some OR connections (see section 3.5.3), * minimising wasted CPU (and bandwidth) for IPv6 connection attempts on IPv4-only relays, and * other potential changes to relay directory fetches (see @@ -932,7 +962,9 @@ Ticket: #33073 at random (see section 3.2.5 for more detail). But if this change causes issues on IPv4-only relays, we may have to try IPv6 less often. -3.5.4. Detailed Address Resolution Logs + See also sections 3.5.1 to 3.5.3. + +3.5.5. Detailed Address Resolution Logs We propose this optional change, to help diagnose relay address resolution issues. @@ -948,7 +980,7 @@ Ticket: #33073 The logs should tell operators to set the Address torrc option for IPv4 and IPv6 (if available). -3.5.5. Add IPv6 Support to is_local_addr() +3.5.6. Add IPv6 Support to is_local_addr() We propose this optional change, to improve the accuracy of IPv6 address detection from directory documents. @@ -974,7 +1006,7 @@ Ticket: #33073 network block). See also the next section, which uses IPv6 /64 for sybils. -3.5.6. Add IPv6 Support to AuthDirMaxServersPerAddr +3.5.7. Add IPv6 Support to AuthDirMaxServersPerAddr We propose this optional change, to improve the health of the network, by rejecting too many relays on the same IPv6 address. @@ -1017,7 +1049,7 @@ Ticket: #33073 Since these relay exclusions happen at voting time, they do not require a new consensus method. -3.5.7. Use a Local Interface Address on the Default Route +3.5.8. Use a Local Interface Address on the Default Route We propose this optional change, to improve the accuracy of local interface IPv4 and IPv6 address detection (see section 3.2.3), on relays @@ -1038,7 +1070,7 @@ Ticket: #33073 method will find the IP address of the default route, in most cases (see section 3.2.5). -3.5.8. Add IPv6 Support Using gethostbyname2() +3.5.9. Add IPv6 Support Using gethostbyname2() We propose these optional changes, to add IPv6 support to hostname resolution on older OSes. These changes affect: @@ -1081,7 +1113,7 @@ Ticket: #33073 if all other methods fail. Or operators can set the Address torrc option to an IPv4 or IPv6 literal. -3.5.9. Change Relay OutboundBindAddress Defaults +3.5.10. Change Relay OutboundBindAddress Defaults We propose this optional change, to improve the reliability of IP address-based filters in tor. These filters typically affect relays and @@ -1107,7 +1139,7 @@ Ticket: #33073 the outbound address comes from the chosen route for each TCP connection or UDP packet (usually the default route). -3.5.10. IPv6 Address Privacy Extensions +3.5.11. IPv6 Address Privacy Extensions We propose this optional change, to improve the reliability of relays (and bridges) that use IPv6 address privacy extensions (see section 3.5 of @@ -1161,7 +1193,7 @@ Ticket: #33073 IPv6 addresses change. (See [Ticket 28725: Reset relay bandwidths when their IPv6 address changes].) -3.5.11. Quick Extends After Relay Restarts +3.5.12. Quick Extends After Relay Restarts We propose this optional change, to reduce client circuit failures, after a relay restarts. @@ -1215,7 +1247,7 @@ Ticket: #33073 should be able to perform extends (and serve cached directory documents) shortly after startup. -3.5.12. Using Authority Addresses for Socket-Based Address Detection +3.5.13. Using Authority Addresses for Socket-Based Address Detection We propose this optional change, to avoid issues with firewalls during relay (and bridge) address detection. (And to reduce user confusion about

1 0

[torspec/master] Prop 312: Add s7r as an author
by teor＠torproject.org 05 Feb '20

05 Feb '20

commit 34fb76cd5f0d7ec7f4772438997dd7c5489f57f1 Author: teor <teor(a)torproject.org> Date: Wed Feb 5 13:05:07 2020 +1000 Prop 312: Add s7r as an author Part of 33073. --- proposals/312-relay-auto-ipv6-addr.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/312-relay-auto-ipv6-addr.txt b/proposals/312-relay-auto-ipv6-addr.txt index c407dc1..cff3c77 100644 --- a/proposals/312-relay-auto-ipv6-addr.txt +++ b/proposals/312-relay-auto-ipv6-addr.txt @@ -1,6 +1,6 @@ Filename: 312-relay-auto-ipv6-addr.txt Title: Tor Relays Automatically Find Their IPv6 Address -Author: teor, Nick Mathewson +Author: teor, Nick Mathewson, s7r Created: 28-January-2020 Status: Draft Ticket: #33073

1 0

[torspec/master] Prop 312: Use Authority IPs for the Socket Method
by teor＠torproject.org 05 Feb '20

05 Feb '20

commit 6e7d4abd1f18292c501e8a4e173b83d2fa9313b1 Author: teor <teor(a)torproject.org> Date: Tue Feb 4 14:39:47 2020 +1000 Prop 312: Use Authority IPs for the Socket Method Add an optional section, where we propose using a directory authority IPv4 and IPv6 address for socket-based local interface address detection. As suggested by Nick Mathewson. Part of 33073. --- proposals/312-relay-auto-ipv6-addr.txt | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/proposals/312-relay-auto-ipv6-addr.txt b/proposals/312-relay-auto-ipv6-addr.txt index 3209e0b..1a672fb 100644 --- a/proposals/312-relay-auto-ipv6-addr.txt +++ b/proposals/312-relay-auto-ipv6-addr.txt @@ -935,6 +935,35 @@ Ticket: #33073 support IPv6 may be quite small. But we should still test this use case for clients connecting over IPv4 and IPv6, and extending over IPv4 and IPv6. +3.5.12. Using Authority Addresses for Socket-Based Address Detection + + We propose this optional change, to avoid issues with firewalls during + address detection. (And to reduce user confusion about firewall + notifications which show a strange IP address.) + + We propose that tor should use a directory authority IPv4 and IPv6 address, + for any sockets that it opens to detect local interface addresses (see + section 3.2.3). We propose that this change is applied regardless of the + role of the current tor instance (relay, bridge, directory authority, or + client). + + Tor currently uses the arbitrary IP addresses 18.0.0.1 and [2002::], which + may be blocked by firewalls. These addresses may also cause user confusion, + when they appear in logs or notifications. + + The relevant function is get_interface_address6_via_udp_socket_hack() in + lib/net. The hard-coded addresses are in app/config. Directly using these + addresses would break tor's module layering rules, so we propose: + * copying one directory authority's hard-coded IPv4 and IPv6 addresses to + an ADDRESS_PRIVATE macro or variable in lib/net/address.h + * writing a unit test that makes sure that the address used by + get_interface_address6_via_udp_socket_hack() is still in the list of + hard-coded directory authority addresses. + + When we choose the directory authority, we should avoid using a directory + authority that has different hard-coded and advertised IP addresses. (To + avoid user confusion.) + 4. Directory Protocol Specification Changes We propose explicitly supporting IPv6 X-Your-Address-Is HTTP headers in the

1 0

[torspec/master] Prop 312: Rewrite authenticated address detection
by teor＠torproject.org 05 Feb '20

05 Feb '20

commit 043ac7d7aa9e0b48ef7f80e8cfb1b6b2f5ce2f39 Author: teor <teor(a)torproject.org> Date: Tue Feb 4 19:19:12 2020 +1000 Prop 312: Rewrite authenticated address detection All these changes are optional in the proposal: * Add the NETINFO cell address detection method (as suggested by Nick Mathewson) * Defer decisions about ignoring some addresses, or using those addresses as the lowest priority method * Simplify the load-balancing design Part of 33073. --- proposals/312-relay-auto-ipv6-addr.txt | 359 ++++++++++++++++++++++++--------- 1 file changed, 263 insertions(+), 96 deletions(-) diff --git a/proposals/312-relay-auto-ipv6-addr.txt b/proposals/312-relay-auto-ipv6-addr.txt index c167329..a6d89e4 100644 --- a/proposals/312-relay-auto-ipv6-addr.txt +++ b/proposals/312-relay-auto-ipv6-addr.txt @@ -519,6 +519,7 @@ Ticket: #33073 (also minimise consensus size) * store a list of previous addresses in the state file, and use the most recently used address that's currently available. + Operators who want to avoid address flipping should set the Address option in the torrc. Operators who want to minimise the size of the consensus should use all-zero IPv6 host identifiers. @@ -531,13 +532,46 @@ Ticket: #33073 Some of these changes may be more appropriate in future releases, or along with other proposed features. -3.5.1. Only Use Authenticated Directory Header IPv4 and IPv6 Addresses + Some of these changes make tor ignore some potential IP addresses. + + Ignoring addresses risks relays having no available ORPort addresses, and + refusing to publish their descriptor. So before we ignore any addresses, we + should make sure that: + * tor's other address detection methods are robust and reliable, and + * we would prefer relays to shut down, rather than use the ignored + address. + + As a less severe alternative, low-quality methods can be put last in the + address resolution order. (See section 3.2.) + + If relays prefer addresses from particular sources (for example: ORPorts), + they should try these sources regularly, so that their addresses do not + become too old. + + If relays ignore addresses from some sources (for example: DirPorts), they + must regularly try other sources (for example: ORPorts). + +3.5.1. Using Authenticated IPv4 and IPv6 Addresses We propose this optional change, to improve relay (and bridge) address accuracy and reliability. - Relays should only use authenticated directory fetches to discover their - own IPv4 and IPv6 addresses. + Relays should try to use authenticated connections to discover their own + IPv4 and IPv6 addresses. + + Tor supports two kinds of authenticated address information: + * authenticated directory connections, and + * authenticated NETINFO cells. + See the following sections for more details. + + See also sections 3.5.2 (for preferring addresses from directory + authorities) and 3.5.3 (for load-balancing). + +3.5.1.1. Authenticated Directory Connections + + We propose this optional change, to improve relay address accuracy and + reliability. (Bridges are not affected, because they already use + authenticated directory connections, just like clients.) Tor supports authenticated, encrypted directory fetches using BEGINDIR over ORPorts (see the [Tor Specification] for details). @@ -548,82 +582,216 @@ Ticket: #33073 authenticated directory fetches.) Using authenticated directory headers for relay addresses: - * avoids caches (or other machines) mangling X-Your-Address-Is headers in - transit, and - * avoids attacks where directories are deliberately given an incorrect IP - address. + * provides authenticated address information, + * reduces the number of attackers that can deliberately give a relay an + incorrect IP address, and + * avoids caches (or other machines) accidentally mangling, deleting, or + repeating X-Your-Address-Is headers. - To make this change, we need to modify two different parts of tor: + To make this change, we need to modify tor's directory connection code: * when making directory requests, relays should fetch some directory - documents using BEGINDIR over ORPorts, and - * when using the X-Your-Address-Is HTTP header to guess their own IPv4 or - IPv6 addresses, relays ignore directory documents that were not fetched - using BEGINDIR over ORPorts. + documents using BEGINDIR over ORPorts. - See also sections 3.5.2 (for preferring addresses from directory - authorities) and 3.5.3 (for load-balancing). + Once tor regularly gets authenticated X-Your-Address-Is headers, relays can + change how they handle unauthenticated addresses. When they receive an + unauthenticated address suggestion, relays can: + * ignore the address, or + * use the address as the lowest priority address method. + See section 3.5 for some factors to consider when making this design + decision. -3.5.2. Preferring IPv4 and IPv6 Addresses from Directory Authorities + For anonymity reasons, bridges are unable to fetch directory documents over + IPv6, until clients start to do so. (See + [Proposal 306: Client Auto IPv6 Connections].) + + Bridges currently use authenticated IPv4 connections for all their + directory fetches, to imitate default client behaviour. + + We describe a related change, which is also optional: + + We can increase the number of ORPort directory fetches: + * if tor has an existing ORPort connection to a relay that it has selected + for a directory fetch, it should use an ORPort fetch, rather than + opening an additional DirPort connection. + + Using an existing ORPort connection: + * saves one DirPort connection and file descriptor, + * but slightly increases the cryptographic processing done by the relay, + and by the directory server it is connecting to. + However, the most expensive cryptographic operations have already happened, + when the ORPort connection was opened. + + This change does not increase the number of NETINFO cells, because it + re-uses existing OR connections. See the next section for more details. + +3.5.1.2. Authenticated NETINFO Cells We propose this optional change, to improve relay (and bridge) address + accuracy and reliability. (Bridge IPv6 addresses are not affected, because + bridges only make OR connections over IPv4, to imitate default client + behaviour.) + + Tor supports authenticated IPv4 and IPv6 address information, using the + NETINFO cells exchanged at the beginning of each ORPort connection (see the + [Tor Specification] for details). + + Relays do not currently use any address information from NETINFO cells. + + Using authenticated NETINFO cells for relay addresses: + * provides authenticated address information, + * reduces the number of attackers that can deliberately give a relay an + incorrect IP address, and + * does not require a directory fetch (NETINFO cells are sent during + connection setup). + + To make this change, we need to modify tor's cell processing: + * when processing NETINFO cells, tor should store the OTHERADDR field, + like it currently does for X-Your-Address-Is HTTP headers, and + * IPv4 and IPv6 addresses should be stored separately. + See the previous section, and section 3.2.5 for more details about the + X-Your-Address-Is HTTP header. + + Once tor uses NETINFO cell addresses, relays can change how they handle + unauthenticated X-Your-Address-Is headers. When they receive an + unauthenticated address suggestion, relays can: + * ignore the address, or + * use the address as the lowest priority address method. + See section 3.5 for some factors to consider when making this design + decision. + + We propose that tor continues to use the X-Your-Address-Is header, and adds + support for addresses in NETINFO cells. X-Your-Address-Is headers are sent + once per directory document fetch, but NETINFO cells are only sent once per + OR connection. + + If a relay: + * only gets addresses from NETINFO cells from authorities, and + * has an existing, long-term connection to every authority, + then it may struggle to detect address changes. + + Once all supported tor versions use NETINFO cells for address detection, we + should review this design decision. If we are confident that almost all + relays will be forced to make new connections when their address changes, + then tor may be able to stop using X-Your-Address-Is HTTP headers. + + Bridges only make OR connections, and those OR connections are only over + IPv4, to imitate default client behaviour. + + For anonymity reasons, bridges are unable to make regular connections over + IPv4 and IPv6, until clients start to do so. (See + [Proposal 306: Client Auto IPv6 Connections].) + + As an alternative design, if tor's addresses are stale, it could close some + of its open directory authority connections. (Similar to section 4.4.2 + in [Proposal 311: Relay IPv6 Reachability], where relays close existing OR + connections, before testing their own reachability.) However, this design is + more complicated, because it involves tracking address age, as well as the + address itself. + +3.5.2. Preferring IPv4 and IPv6 Addresses from Directory Authorities + + We propose this optional change, to improve relay (but not bridge) address accuracy and reliability. - Relays store the latest IPv4 and IPv6 addresses received from: - * a directory authority, and - * a directory mirror, - and prefer the address from a directory authority, as long as it is not - too old. - - Relays should also store a timestamp for each address, and ignore addresses - where: - * the timestamp is too old, or - * the timestamp for the preferred address (from a directory authority) - is much older than the timestamp for the other address (from a directory - mirror). - - Relays should try directory authorities often enough, that their addresses - usually do not become too old. (And if the addresses do become too old, - relays should try directory authorities more often.) - - As an alternative, relays could ignore addresses from other relays: - * when using the X-Your-Address-Is HTTP header to guess their own IPv4 or - IPv6 addresses, relays ignore directory documents that were not fetched - from directory authorities. - However, this implementation is not ideal, because it is better for a relay - to use an address from a directory mirror, than have no address at all. + Relays prefer IPv4 and IPv6 address suggestions received from Directory + Authorities. + + When they receive an address suggestion from a directory mirror, relays can: + * ignore the address, or + * use the address as the lowest priority address method. + See section 3.5 for some factors to consider when making this design + decision. + + Bridges only make OR connections, and those OR connections are only over + IPv4, to imitate default client behaviour. + + For anonymity reasons, bridges are unable to make regular connections over + IPv6, until clients start to do so. (See + [Proposal 306: Client Auto IPv6 Connections].) See also sections 3.5.1 (for only using addresses from authenticated connections) and 3.5.3 (for load-balancing). 3.5.3. Load Balancing - We propose some optional changes to improve load-balancing. + We propose some optional changes to improve relay (and bridge) + load-balancing across directory authorities. 3.5.3.1. Directory Authority Load Balancing - Ideally, we would like all relays (and bridges) to do frequent directory - fetches: + Relays may prefer: + * authenticated connections (section 3.5.1). + + Relays and bridges may prefer: + * connecting to Directory Authorities (section 3.5.2). + + Both these changes are optional, so they might not be implemented. + + If both changes are implemented, we would like all relays (and bridges) to + do frequent directory fetches: * using BEGINDIR over ORPorts, * to directory authorities. - However, this change may be unsustainable during high network load - (see [Ticket 33018: Dir auths using an unsustainable 400+ mbit/s]). + However, this extra load from relays may be unsustainable during high + network load (see + [Ticket 33018: Dir auths using an unsustainable 400+ mbit/s]). + + For anonymity reasons, bridges should avoid connecting to directory + authorities too frequently, to imitate default client behaviour. Therefore, we propose a simple load-balancing scheme between address resolution and non-address resolution requests: - * when relays do not know their own IP addresses, they should make as many - directory authority ORPort directory fetches as is sustainable, and - * when relays know their own IP addresses, they should make an occasional - directory authority ORPort directory fetch, to learn if their address - has changed. + * when relays first start up, they should make two directory authority + ORPort fetch attempts, one on IPv4, and one on IPv6, + * relays should also make occasional directory authority ORPort directory + fetch attempts, on IPv4 and IPv6, to learn if their addresses have + changed. - We use the load-balancing criteria in section 3.5.3.3, to select the ratio - between: - * ORPort connections to directory authorities, and - * ORPort or DirPort connections to directory mirrors. + We propose a new torrc option and consensus parameter: - It should be possible for relays to choose between ORPort and DirPort - connections to directory mirrors at random: they typically have enough spare - CPU and bandwidth. + RelayMaxIntervalWithoutAddressDetectionRequest N seconds|minutes|hours + + Relays make most of their directory requests via directory mirror DirPorts, + to reduce the load on directory authorities. + + When this amount of time has passed since a relay last connected to a + directory authority ORPort, the relay makes its next directory request via + a directory authority ORPort. (Default: 15 minutes) + + The final name and description for this option will depend on which optional + changes are actually implemented in tor. In particular, this option should + only consider requests that tor may use to discover its IP addresses. + For example: + * if tor uses NETINFO cells for addresses (section 3.5.1.2), then all + OR connections to an authority should be considered, + * if tor does not use NETINFO cells for addresses, and only uses + X-Your-Address-Is headers, then only directory fetches from authorities + should be considered. + + We set the default value of this option to 15 minutes, because: + * tor's reachability tests fail if the ORPort is unreachable after 20 + minutes. So we want to do at least two address detection requests in + the first 20 minutes; + * the minimum consensus period is 30 minutes, and we want to do at least + one address detection per consensus period. (Consensuses are usually + created every hour. But if there is no fresh consensus, directory + authorities will try to create a consensus every 30 minutes); and + * the default value for TestingAuthDirTimeToLearnReachability is 30 + minutes. So directory authorities will make reachability test OR + connections to each relay, at least every 30 minutes. Therefore, relays + will see NETINFO cells from directory authorities about this often. + (Relays may use NETINFO cells for address detection, see section + 3.5.1.2.) + + See also section 3.5.3.3, for some general load balancing criteria, that + may help when tuning the address detection interval. + + We propose a related change, which is also optional: + + If relays use address suggestions from directory mirrors, they may choose + between ORPort and DirPort connections to directory mirrors at random. + Directory mirrors typically have enough spare CPU and bandwidth to handle + ORPort directory requests. (And the most expensive cryptography happens + when the ORPort connection is opened.) See also sections 3.5.1 (for only using addresses from authenticated connections) and 3.5.2 (for preferring addresses from directory @@ -633,36 +801,34 @@ Ticket: #33073 We propose this optional change, to improve the load-balancing between IPv4 and IPv6 directories, when used by relays to find their IPv4 and IPv6 - addresses (see section 3.2.6). + addresses (see section 3.2.5). + + For anonymity reasons, bridges are unable to make regular connections over + IPv6, until clients start to do so. (See + [Proposal 306: Client Auto IPv6 Connections].) This change may only be necessary if the following changes result in poor load-balancing, or other relay issues: - * randomly selecting IPv4 or IPv6 directories (see section 3.2.6), or - * preferring directory header addresses, from directory authorities, - via an authenticated connection (see sections 3.5.1 and 3.5.2). + * randomly selecting IPv4 or IPv6 directories (see section 3.2.5), or + * preferring addresses from directory authorities, via an authenticated + connection (see sections 3.5.1 and 3.5.2). - We propose a new torrc option and consensus parameter: - MaxNumIPv4DirectoryAttempts. This option limits the number of IPv4 directory - requests, before the relay makes an IPv6 directory request. It should only - apply to attempts that are expected to provide a usable IPv4 or IPv6 - address in their directory header. (Based on sections 3.2.6, 3.5.1, and - 3.5.2.) - - The design is similar to MaxNumIPv4BootstrapAttempts in - [Proposal 306: Client Auto IPv6 Connections]. - - Here is a quick sketch of the design: - * when MaxNumIPv4DirectoryAttempts is reached, select an IPv6-capable - directory, and make an IPv6 connection attempt, - * use a directory authority, or an ORPort, if required (see sections - 3.5.1 and 3.5.2), - * use a default value between 2 and 4: - * the ideal value for load-balancing is >= 2 - (because 6/9 directory authorities are already on IPv6) - * the ideal value for minimising failures is ~4 - (because relays won't waste too much CPU or bandwidth) - * choose the default value based on the load-balancing criteria in section - 3.5.3.3. + We propose that the RelayMaxIntervalWithoutAddressDetection option is + counted separately for IPv4 and IPv6 (see the previous section for details). + + For example: + * if 30 minutes has elapsed since the last IPv4 address detection request, + then the next directory request should be an IPv4 address detection + request, and + * if 30 minutes has elapsed since the last IPv6 address detection request, + then the next directory request should be an IPv6 address detection + request. + + If both intervals have elapsed at the same time, the relay should choose + between IPv4 and IPv6 at random. + + See also section 3.5.3.3, for some general load balancing criteria, that + may help when tuning the address detection interval. Alternately, we could wait until [Proposal 306: Client Auto IPv6 Connections] is implemented, and use the @@ -670,20 +836,15 @@ Ticket: #33073 3.5.3.3. General Load Balancing Criteria - We propose the following criteria for choosing load-balancing ratios: + We propose the following criteria for choosing load-balancing intervals: - The selected ratios should be chosen based on the following factors: - * the current number of directory fetches that a relay makes: - * when bootstrapping with an empty cache directory, and - * in a steady state (per hour, or per new consensus), - (these numbers aren't currently collected by tor, so we may need to - write some extra code to include them in the heartbeat logs), + The selected interval should be chosen based on the following factors: * relays need to discover their IPv4 and IPv6 addresses to publish their descriptors, * it only takes one successful directory fetch from one authority for a relay to discover its IP address (see section 3.5.2), - * relays will fall back to addresses from directory mirrors, if directory - authorities are unavailable (see section 3.5.2), + * if relays fall back to addresses discovered from directory mirrors, + when directory authorities are unavailable (see section 3.5.2), * BEGINDIR over ORPort requires and TLS connection, and some additional tor cryptography, so it is more expensive for authorities than a DirPort fetch (and it can not be cached by a HTTP cache) @@ -693,14 +854,20 @@ Ticket: #33073 * other potential changes to relay directory fetches (see [Ticket 33018: Dir auths using an unsustainable 400+ mbit/s]) - The selected ratios should allow almost all relays to update both their IPv4 - and IPv6 addresses: - * at least twice when they bootstrap (to allow for fetch failures), - * at least once per directory fetch (or per hour), and - * from a directory authority (if available). + The selected interval should allow almost all relays to update both their + IPv4 and IPv6 addresses: + * at least twice when they bootstrap and test reachability (to allow for + fetch failures), + * at least once per consensus interval (that is, every 30 minutes), and + * from a directory authority (if required). + + For anonymity reasons, bridges are unable to make regular connections over + IPv6, until clients start to do so. (See + [Proposal 306: Client Auto IPv6 Connections].) In this proposal, relays choose between IPv4 and IPv6 directory fetches - at random (see section 3.2.6 for more detail). + at random (see section 3.2.5 for more detail). But if this change causes + issues on IPv4-only relays, we may have to try IPv6 less often. 3.5.4. Detailed Address Resolution Logs

1 0

[torspec/master] Prop 312: Require explicit authority addresses
by teor＠torproject.org 05 Feb '20

05 Feb '20

commit 89e7222f65a06bead82e9ae63d5b87a518c5d38c Author: teor <teor(a)torproject.org> Date: Tue Feb 4 14:50:04 2020 +1000 Prop 312: Require explicit authority addresses Only use explicit IPv4 and IPv6 address literals, configured in Address or ORPort lines, for directory authority addresses. As suggested by Nick Mathewson. Part of 33073. --- proposals/312-relay-auto-ipv6-addr.txt | 104 ++++++++++++++++++++++++++++----- 1 file changed, 89 insertions(+), 15 deletions(-) diff --git a/proposals/312-relay-auto-ipv6-addr.txt b/proposals/312-relay-auto-ipv6-addr.txt index 2fdb79a..e434267 100644 --- a/proposals/312-relay-auto-ipv6-addr.txt +++ b/proposals/312-relay-auto-ipv6-addr.txt @@ -50,12 +50,16 @@ Ticket: #33073 * start using IPv4 ORPort for IPv4 address detection, and * re-order IPv4 address detection methods. - Relays and directory authorities (but not bridges): + Relays (but not bridges, or directory authorities): * fetch some directory documents over IPv6. + For anonymity reasons, bridges are unable to fetch directory documents over IPv6, until clients start to do so. (See [Proposal 306: Client Auto IPv6 Connections].) + For security reasons, directory authorities must only use addresses that + are explicitly configured in their torrc. + This proposal makes a small, optional change to existing client behaviour: * clients also check IPv6 addresses when rotating TLS keys for new networks. @@ -90,7 +94,9 @@ Ticket: #33073 To discover their IPv6 address, some relays may fetch directory documents over IPv6. (For anonymity reasons, bridges are unable to fetch directory - documents over IPv6, until clients start to do so.) + documents over IPv6, until clients start to do so. For security reasons, + directory authorities only use addresses that are explicitly configured in + their torrc.) 3.1. Current Relay IPv4 Address Implementation @@ -137,10 +143,13 @@ Ticket: #33073 the traffic without the relay's private keys, but they can monitor traffic patterns. - Therefore, we only use untrusted address discovery methods, if every other - method has failed. Any method that uses DNS is potentially untrusted, - because DNS is often a remote, unauthenticated service. And addresses - provided by other directory servers are also untrusted. + Therefore, relays should only use untrusted address discovery methods, if + every other method has failed. Any method that uses DNS is potentially + untrusted, because DNS is often a remote, unauthenticated service. And + addresses provided by other directory servers are also untrusted. + + For security reasons, directory authorities only use addresses that are + explicitly configured in their torrc. Based on these principles, we propose that tor tries to find relay IPv4 and IPv6 addresses in this order: @@ -224,6 +233,12 @@ Ticket: #33073 tor is configured with a custom set of directory authorities, private addresses should be allowed, with a notice-level log.) + For security reasons, directory authorities only use addresses that are + explicitly configured in their torrc. Therefore, we propose that directory + authorities only accept IPv4 or IPv6 address literals in their Address + option. They must not attempt to resolve their Address using DNS. It is a + config error to provide a hostname as a directory authority's Address. + If the Address option is not configured for IPv4 or IPv6, or the hostname lookups do not provide both IPv4 and IPv6 addresses, address resolution should go to the next step. @@ -250,6 +265,19 @@ Ticket: #33073 In rare cases, relays may have been using non-advertised ORPorts for their addresses. This change may also change their addresses. + For security reasons, directory authorities only use addresses that are + explicitly configured in their torrc. Therefore, we propose that directory + authorities only accept IPv4 or IPv6 address literals in the address part + of the ORPort and DirPort options. They must not attempt to resolve these + addresses using DNS. It is a config error to provide a hostname as a + directory authority's ORPort or DirPort. + + If directory authorities don't have an IPv4 address literal in their + Address or ORPort, they should issue a configuration error, and refuse to + launch. If directory authorities don't have an IPv6 address literal in their + Address or ORPort, they should issue a notice-level log, and fall back to + only using IPv4. + For the purposes of address resolution, tor should ignore private configured ORPort addresses on public tor networks. (Binding to private ORPort addresses is supported, even on public tor networks, for relays that @@ -285,6 +313,12 @@ Ticket: #33073 socket. (UDP is used because it is stateless, so the OS will not send any packets to open a connection.) + For security reasons, directory authorities only use addresses that are + explicitly configured in their torrc. Since local interface addresses are + implicit, and may depend on DHCP, directory authorities do not use this + address resolution method (or any of the other, lower-priority address + resolution methods). + Relays that use NAT to reach the Internet may have no publicly routable local interface addresses, even on the public tor network. The NAT box has the publicly routable addresses, and it may be a separate machine. @@ -310,10 +344,9 @@ Ticket: #33073 * the local hostname. However, OS APIs typically only return a single hostname. - Even though the hostname lookup may use remote DNS, we propose to use it on - directory authorities, to maintain compatibility with current - configurations. Even if it is remote, we expect the configured DNS to be - somewhat trusted by the operator. + For security reasons, directory authorities only use addresses that are + explicitly configured in their torrc. Since hostname lookups may use DNS, + directory authorities do not use this address resolution method. The hostname lookup should ignore private addresses on public relays. If multiple IPv4 or IPv6 addresses are returned, the first public address from @@ -334,11 +367,10 @@ Ticket: #33073 directory fetches, bridge behaviour can also change to match. (See section 3.4.1 and [Proposal 306: Client Auto IPv6 Connections].) - We propose that directory authorities should ignore addresses in directory - headers. Allowing other authorities (or relays) to change a directory - authority's published IP address may lead to security issues. Instead, - if interface and hostname lookups fail, tor should stop address resolution, - and return a permanent error. (And issue a log to the operator, see below.) + For security reasons, directory authorities only use addresses that are + explicitly configured in their torrc. Since directory headers are provided + by other directory servers, directory authorities do not use this address + resolution method. We propose to use a simple load balancing scheme for IPv4 and IPv6 directory requests: @@ -606,6 +638,11 @@ Ticket: #33073 See section 3.5 for some factors to consider when making this design decision. + For security reasons, directory authorities only use addresses that are + explicitly configured in their torrc. Since directory headers are provided + by other directory servers, directory authorities do not use this address + resolution method. + For anonymity reasons, bridges are unable to fetch directory documents over IPv6, until clients start to do so. (See [Proposal 306: Client Auto IPv6 Connections].) @@ -680,6 +717,11 @@ Ticket: #33073 relays will be forced to make new connections when their address changes, then tor may be able to stop using X-Your-Address-Is HTTP headers. + For security reasons, directory authorities only use addresses that are + explicitly configured in their torrc. Since NETINFO cells are provided + by other directory servers, directory authorities do not use this address + resolution method. + Bridges only make OR connections, and those OR connections are only over IPv4, to imitate default client behaviour. @@ -702,6 +744,9 @@ Ticket: #33073 Relays prefer IPv4 and IPv6 address suggestions received from Directory Authorities. + Directory authorities do not use these address detection methods to + discover their own addresses, for security reasons. + When they receive an address suggestion from a directory mirror, relays can: * ignore the address, or * use the address as the lowest priority address method. @@ -723,6 +768,9 @@ Ticket: #33073 We propose some optional changes to improve relay (and bridge) load-balancing across directory authorities. + Directory authorities do not use these address detection methods to + discover their own addresses, for security reasons. + 3.5.3.1. Directory Authority Load Balancing Relays may prefer: @@ -733,6 +781,9 @@ Ticket: #33073 Both these changes are optional, so they might not be implemented. + Directory authorities do not use these address detection methods to + discover their own addresses, for security reasons. + If both changes are implemented, we would like all relays (and bridges) to do frequent directory fetches: * using BEGINDIR over ORPorts, @@ -813,6 +864,9 @@ Ticket: #33073 IPv6, until clients start to do so. (See [Proposal 306: Client Auto IPv6 Connections].) + Directory authorities do not use these address detection methods to + discover their own addresses, for security reasons. + This change may only be necessary if the following changes result in poor load-balancing, or other relay issues: * randomly selecting IPv4 or IPv6 directories (see section 3.2.5), or @@ -871,6 +925,9 @@ Ticket: #33073 IPv6, until clients start to do so. (See [Proposal 306: Client Auto IPv6 Connections].) + Directory authorities do not use these address detection methods to + discover their own addresses, for security reasons. + In this proposal, relays choose between IPv4 and IPv6 directory fetches at random (see section 3.2.5 for more detail). But if this change causes issues on IPv4-only relays, we may have to try IPv6 less often. @@ -937,6 +994,9 @@ Ticket: #33073 IPv4 and IPv6 address detection (see section 3.2.3), on relays (and bridges). + Directory authorities do not use this address detection method to + discover their own addresses, for security reasons. + Rewrite the get_interface_address*() functions to choose an interface address on the default route, or to sort default route addresses first in the list of addresses. (If the platform API allows us to find the default @@ -958,6 +1018,9 @@ Ticket: #33073 * automatic hostname resolution (see section 3.2.4), on relays and bridges. + Directory authorities do not use this address detection method to + discover their own addresses, for security reasons. + Use gethostbyname2() to add IPv6 support to hostname resolution on older OSes, which don't support getaddrinfo(). @@ -1021,6 +1084,12 @@ Ticket: #33073 bridges) that use IPv6 address privacy extensions (see section 3.5 of [RFC 4941: Privacy Extensions for IPv6]). + Directory authorities: + * should not use IPv6 address privacy extensions, because their addresses + need to stay the same over time, and + * do not use address detection methods that would automatically select + an IPv6 address with privacy extensions, for security reasons. + We propose that tor should avoid using IPv6 addresses generated using privacy extensions, unless no other publicly routable addresses are available. @@ -1124,6 +1193,11 @@ Ticket: #33073 firewall notifications which show a strange IP address, particularly on clients.) + Directory authorities do not use a UDP socket to discover their own + addresses, for security reasons. Therefore, we are free to use any + directory address for this check, without the risk of a directory authority + making a UDP socket to itself, and discovering its own private address. + We propose that tor should use a directory authority IPv4 and IPv6 address, for any sockets that it opens to detect local interface addresses (see section 3.2.3). We propose that this change is applied regardless of the

1 0

[torspec/master] Prop 312: Make bridge changes clearer
by teor＠torproject.org 05 Feb '20

05 Feb '20

commit 55d3beb6c22be53aa3e97ea7f0f4c2657cdabc51 Author: teor <teor(a)torproject.org> Date: Tue Feb 4 22:17:14 2020 +1000 Prop 312: Make bridge changes clearer Part of 33073. --- proposals/312-relay-auto-ipv6-addr.txt | 27 ++++++++++++++++++++------- 1 file changed, 20 insertions(+), 7 deletions(-) diff --git a/proposals/312-relay-auto-ipv6-addr.txt b/proposals/312-relay-auto-ipv6-addr.txt index 9fbd64d..2fdb79a 100644 --- a/proposals/312-relay-auto-ipv6-addr.txt +++ b/proposals/312-relay-auto-ipv6-addr.txt @@ -154,6 +154,10 @@ Ticket: #33073 Each of these address resolution steps is described in more detail, in its own subsection. + For anonymity reasons, bridges are unable to fetch directory documents over + IPv6, until clients start to do so. (See + [Proposal 306: Client Auto IPv6 Connections].) + We avoid using advertised DirPorts for address resolution, because: * they are not supported on bridges, * they are not supported on IPv6, @@ -930,7 +934,8 @@ Ticket: #33073 3.5.7. Use a Local Interface Address on the Default Route We propose this optional change, to improve the accuracy of local interface - IPv4 and IPv6 address detection (see section 3.2.3). + IPv4 and IPv6 address detection (see section 3.2.3), on relays + (and bridges). Rewrite the get_interface_address*() functions to choose an interface address on the default route, or to sort default route addresses first in @@ -950,7 +955,8 @@ Ticket: #33073 resolution on older OSes. These changes affect: * the Address torrc option, when it is a hostname (see section 3.2.1), and - * automatic hostname resolution (see section 3.2.4). + * automatic hostname resolution (see section 3.2.4), + on relays and bridges. Use gethostbyname2() to add IPv6 support to hostname resolution on older OSes, which don't support getaddrinfo(). @@ -986,7 +992,9 @@ Ticket: #33073 3.5.9. Change Relay OutboundBindAddress Defaults We propose this optional change, to improve the reliability of - IP address-based filters in tor. + IP address-based filters in tor. These filters typically affect relays and + directory authorities. But we propose that bridges and clients also make + this change, for consistency. For example, the tor network treats relay IP addresses differently when: * resisting denial of service, and @@ -1009,8 +1017,8 @@ Ticket: #33073 3.5.10. IPv6 Address Privacy Extensions - We propose this optional change, to improve the reliability of relays that - use IPv6 address privacy extensions (see section 3.5 of + We propose this optional change, to improve the reliability of relays (and + bridges) that use IPv6 address privacy extensions (see section 3.5 of [RFC 4941: Privacy Extensions for IPv6]). We propose that tor should avoid using IPv6 addresses generated using @@ -1105,11 +1113,16 @@ Ticket: #33073 support IPv6 may be quite small. But we should still test this use case for clients connecting over IPv4 and IPv6, and extending over IPv4 and IPv6. + Directory authorities do not rely on their own reachability checks, so they + should be able to perform extends (and serve cached directory documents) + shortly after startup. + 3.5.12. Using Authority Addresses for Socket-Based Address Detection We propose this optional change, to avoid issues with firewalls during - address detection. (And to reduce user confusion about firewall - notifications which show a strange IP address.) + relay (and bridge) address detection. (And to reduce user confusion about + firewall notifications which show a strange IP address, particularly on + clients.) We propose that tor should use a directory authority IPv4 and IPv6 address, for any sockets that it opens to detect local interface addresses (see

1 0

[torspec/master] Merge branch 'prop312-squashed'
by teor＠torproject.org 05 Feb '20

05 Feb '20

commit ad1b25cb54d800c77cefcdb39e398f46da80fba3 Merge: 5e79a7d c09bbe9 Author: teor <teor(a)torproject.org> Date: Wed Feb 5 22:07:06 2020 +1000 Merge branch 'prop312-squashed' proposals/312-relay-auto-ipv6-addr.txt | 1542 ++++++++++++++++++++++++++++++++ 1 file changed, 1542 insertions(+)

1 0

[torspec/master] Prop 312: Improve AddressDisableIPv6
by teor＠torproject.org 05 Feb '20

05 Feb '20

commit 7269d17c6faab742a8fbbdbfffba917d783b9cfb Author: teor <teor(a)torproject.org> Date: Tue Feb 4 17:06:33 2020 +1000 Prop 312: Improve AddressDisableIPv6 Explain why we might need to turn IPv6 address detection off. Part of 33073. --- proposals/312-relay-auto-ipv6-addr.txt | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/proposals/312-relay-auto-ipv6-addr.txt b/proposals/312-relay-auto-ipv6-addr.txt index 1a672fb..c167329 100644 --- a/proposals/312-relay-auto-ipv6-addr.txt +++ b/proposals/312-relay-auto-ipv6-addr.txt @@ -391,7 +391,8 @@ Ticket: #33073 * publish a descriptor containing that IPv6 ORPort, * have the directory authorities find it reachable, * have it published in the consensus, and - * have it used by clients. + * have it used by clients, + regardless of how the operator configures their tor instance. Currently, relays are required to have an IPv4 address. So if the guessed IPv4 address is unsuitable, operators can set the Address option to a

1 0

[torspec/master] Prop 312: Update IPv6 Privacy Extensions
by teor＠torproject.org 05 Feb '20

05 Feb '20

commit c09bbe991728cfc012f2f6d689eb9348e91b6cd6 Author: teor <teor(a)torproject.org> Date: Wed Feb 5 13:10:26 2020 +1000 Prop 312: Update IPv6 Privacy Extensions As suggested by s7r. Part of 33073. --- proposals/312-relay-auto-ipv6-addr.txt | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/proposals/312-relay-auto-ipv6-addr.txt b/proposals/312-relay-auto-ipv6-addr.txt index cff3c77..ad7e7f4 100644 --- a/proposals/312-relay-auto-ipv6-addr.txt +++ b/proposals/312-relay-auto-ipv6-addr.txt @@ -1286,6 +1286,13 @@ Ticket: #33073 applications if a particular address is using privacy extensions. So implementing this change may be difficult. + On operating systems that provide IPv6 address privacy extension state, + IPv6 addresses may be: + * "public" - these addresses do not change + * "temporary" - these addresses change due to IPv6 privacy extensions. + Therefore, tor should prefer "public" IPv6 addresses, when they are + available. + However, even if we do not make this change, tor should be compatible with the RFC 4941 defaults: * a new IPv6 address is generated each day

1 0

[torspec/master] Prop 312: Add State Management
by teor＠torproject.org 05 Feb '20

05 Feb '20

commit da1b248e2ef9f6b07b089ad95d05adf2f91ce3d9 Author: teor <teor(a)torproject.org> Date: Wed Feb 5 12:51:46 2020 +1000 Prop 312: Add State Management Document tor's current address detection state management, and our new state management for IPv4 and IPv6 address detection. As suggested by Nick Mathewson. Part of 33073. --- proposals/312-relay-auto-ipv6-addr.txt | 114 +++++++++++++++++++++++++++++++-- 1 file changed, 108 insertions(+), 6 deletions(-) diff --git a/proposals/312-relay-auto-ipv6-addr.txt b/proposals/312-relay-auto-ipv6-addr.txt index ed5ebac..c407dc1 100644 --- a/proposals/312-relay-auto-ipv6-addr.txt +++ b/proposals/312-relay-auto-ipv6-addr.txt @@ -98,7 +98,7 @@ Ticket: #33073 directory authorities only use addresses that are explicitly configured in their torrc.) -3.1. Current Relay IPv4 Address Implementation +3.1. Current Relay IPv4 Address Discovery Currently, all relays (and bridges) must have an IPv4 address. IPv6 addresses are optional for relays. @@ -124,6 +124,66 @@ Ticket: #33073 * the latest address(es) returned by a directory server, DNS, or the local interface API. +3.1.1. Current Relay IPv4 and IPv6 Address State Management + + Currently, relays (and bridges) manage their IPv4 address discovery state, + as described in the following table: + + a b c d e f + 1. Address literal . . . . . . + 1. Address hostname S N . . . T + 2. auto hostname S N . . F T + 3. auto interface ? ? . . F ? + 3. auto socket ? ? . . F ? + 4. auto dir header D N D D F A + + IPv6 address discovery only uses the first IPv6 ORPort address: + + a b c d e f + 1. ORPort listener . . C . F . + 1. ORPort literal . . C C F . + 1. ORPort hostname S N C C F T + + The tables are structured as follows: + * rows are address resolution stage variants + * each address resolution stage has a number, and a description + * the description includes any variants + (for example: IP address literal, or hostname) + * columns describe each variant's state management. + + The state management key is: + a. What kind of API is used to perform the address resolution? + * . a CPU-bound API + * S a synchronous query API + * ? an API that is probably CPU-bound, but may be synchronous on some + platforms + * D tor automatically updates the stored directory address, whenever a + directory document is received + b. What does the API depend on? + * . a CPU-bound API + * N a network-bound API + * ? an API that is probably CPU-bound, but may be network-bound on some + platforms + c. How are any discovered addresses stored? + * . addresses are not stored + (but they may be cached by some higher-level tor modules) + * D addresses are stored in the directory address suggestion variable + * C addresses are stored in the port config listener list + d. What event makes the address resolution happen? + * . when tor wants to know its own address + * D when a directory document is received + * C when tor parses its config at startup, and during reconfiguration + e. What conditions make tor attempt this address resolution method? + * . this method is always attempted + * F this method is only attempted when all other higher-priority + methods fail to return an address + f. Can this method timeout? + * . can't time out + * T might time out + * ? probably doesn't time out, but might time out on some platforms + * A can't time out, because it is asynchronous. If a stored address + is available, it is returned immediately. + 3.2. Finding Relay IPv6 Addresses We propose that relays (and bridges) try to find their IPv6 address. For @@ -251,8 +311,8 @@ Ticket: #33073 The ORPort address may be a hostname. If it is, tor should try to use it to resolve an IPv4 and IPv6 address, and open ORPorts on the first available IPv4 and IPv6 address. Tor should respect the IPv4Only and IPv6Only port - flags, if specified. (Tor currently resolves IPv4 addresses in ORPort - lines. It might not look for an IPv6 address.) + flags, if specified. (Tor currently resolves IPv4 and IPv6 addresses from + hostnames in ORPort lines.) Relays (and bridges) currently use the first advertised ORPort IPv6 address as their IPv6 address. We propose to use the first advertised IPv4 ORPort @@ -265,6 +325,18 @@ Ticket: #33073 In rare cases, relays may have been using non-advertised ORPorts for their addresses. This change may also change their addresses. + Tor currently uses its listener port list to look up its IPv6 ORPort for + its descriptor. We propose that tor's address discovery uses the listener + port list for both IPv4 and IPv6. (And does not attempt to independently + parse or resolve ORPort configs.) + + This design decouples ORPort option parsing, ORPort listener opening, and + address discovery. It also implements a form of caching: IPv4 and IPv6 + addresses resolved from hostnames are stored in the listener port list, + then used to open listeners. Therefore, tor should continue to use the same + address, while the listener remains open. (See also sections 3.2.7 and + 3.2.8.) + For security reasons, directory authorities only use addresses that are explicitly configured in their torrc. Therefore, we propose that directory authorities only accept IPv4 or IPv6 address literals in the address part @@ -460,15 +532,18 @@ Ticket: #33073 3.2.7. Automatically Enabling an IPv6 ORPort We propose that relays (and bridges) that discover their IPv6 address, - should open an ORPort on that address, and test its reachability (see + should open an IPv6 ORPort, and test its reachability (see [Proposal 311: Relay IPv6 Reachability], particularly section 4.3.1). The ORPort should be opened on the port configured in the relay's ORPort torrc option. Relay operators can use the IPv4Only and IPv6Only options to configure different ports for IPv4 and IPv6. - If an ORPort is configured, but there is no specific bind address, relays - may attempt to bind to all IPv4 and IPv6 addresses (or all interfaces). + If the ORPort is auto-detected, there will not be any specific bind + address. (And the detected address may actually be on a NAT box, rather + than the local machine.) Therefore, relays should attempt to bind to all + IPv4 and IPv6 addresses (or all interfaces). + Some operating systems expect applications to bind to IPv4 and IPv6 addresses using separate API calls. Others don't support binding only to IPv4 or IPv6, and will bind to all addresses whenever there is no specified @@ -484,6 +559,33 @@ Ticket: #33073 * stop publishing their IPv6 ORPort in their descriptor, and * log a notice about the failed IPv6 ORPort reachability check. +3.2.8. Proposed Relay IPv4 and IPv6 Address State Management + + We propose that relays (and bridges) manage their IPv4 and IPv6 address + discovery state, as described in the following table: + + a b c d e f + 1. Address literal . . . . . . + 1. Address hostname S N . . . T + 2. ORPort listener . . C . F . + 2. ORPort literal . . C C F . + 2. ORPort hostname S N C C F T + 3. auto interface ? ? . . F ? + 3. auto socket ? ? . . F ? + 4. auto hostname S N . . F T + 5. auto dir header D N D D F A + + See section 3.1.1 for a description and key for this table. See the rest of + section 3.2 for a detailed description of each method and variant. + + For security reasons, directory authorities only use addresses that are + explicitly configured in their torrc. Therefore, they stop after step 2. + (And don't use the "hostname" variants in steps 1 and 2.) + + For anonymity reasons, bridges are unable to fetch directory documents over + IPv6, until clients start to do so. (See + [Proposal 306: Client Auto IPv6 Connections].) + 3.3. Consequential Tor Client Changes We do not propose any required client address resolution changes at this

1 0