commit 7a55bf166248a5ff210691cb219df1ec8e40ea29 Author: teor teor@torproject.org Date: Tue Feb 4 12:10:18 2020 +1000

Prop 312: Explain why untrusted addresses are bad

And describe a potential attack that gives a relay the wrong address, then monitors its traffic.

As suggested by Nick Mathewson.

Part of 33073. --- proposals/312-relay-auto-ipv6-addr.txt | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/proposals/312-relay-auto-ipv6-addr.txt b/proposals/312-relay-auto-ipv6-addr.txt index 05ff9de..ecea79b 100644 --- a/proposals/312-relay-auto-ipv6-addr.txt +++ b/proposals/312-relay-auto-ipv6-addr.txt @@ -1,6 +1,6 @@ Filename: 312-relay-auto-ipv6-addr.txt Title: Tor Relays Automatically Find Their IPv6 Address -Author: teor +Author: teor, Nick Mathewson Created: 28-January-2020 Status: Draft Ticket: #33073 @@ -131,8 +131,18 @@ Ticket: #33073 * Reliable is better than Unreliable. Within these constraints, we try to find the simplest working design.

- Therefore, we propose that tor tries to find relay IPv4 and IPv6 addresses - in this order: + If a relay is given the wrong address by an attacker, the attacker can + direct all inbound relay traffic to their own address. They can't decrypt + the traffic without the relay's private keys, but they can monitor traffic + patterns. + + Therefore, we only use untrusted address discovery methods, if every other + method has failed. Any method that uses DNS is potentially untrusted, + because DNS is often a remote, unauthenticated service. And addresses + provided by other directory servers are also untrusted. + + Based on these principles, we propose that tor tries to find relay IPv4 and + IPv6 addresses in this order: 1. the Address torrc option 2. the advertised ORPort address 3. the advertised DirPort address (IPv4 only; relays, not bridges)