On 31 Jan 2017, at 05:13, nusenu <nusenu@openmailbox.org> wrote:
tldr: would you send me your torrc if you aim to route IPv6 exit traffic and are in the list at the bottom with the third column set to NULL?
teor:
Either that, or there is a bug in Tor relating to IPv6 Exit policies. But I can't see anywhere in the code that makes the IPv6 exit policy dependent on anything except ExitPolicy and IPv6Exit.
Are there any log entries relating to IPv6 or exit policies?
Here are the log entries I'd like to see:
- Any bug warnings
- warnings:
  - Exit policy '%s' and all following policies are redundant
  - Weird family when summarizing address policy
  - policy_dump_to_string ran out of room
- info:
  - Unrecognized policy summary keyword
  - Impossibly long policy summary
  - Found bad entry in policy summary
  - Found no port-range entries in summary
- debug:
  - Adding new entry
  - Ignored policy
  - Adding a reject ExitPolicy
  - Removing exit policy
moritz@torservers.net did send me (unfortunately off-list) the torrc file for https://atlas.torproject.org/#details/FDAED15C98CFE7A416E5676F614254F7840610...
According to his torrc it is allowing IPv6 exit traffic, but not according to its descriptor.
Do exits do any outbound IPv6 reachability test before they create their descriptor? (with the ipv6-policy entry)
No, there is no IPv6 reachability testing in Tor for anything, except for authorities checking IPv6 ORPorts.
But tor does automatically reject configured ports and addresses. (In 0.2.7 and 0.2.8, it does this with local interface addresses, in 0.2.9, it only does this with local interfaces if ExitPolicyRejectLocalInterfaces is set. In all versions, it does this with private addresses and configured ports by default.)
So one thing that operators could do is try to disable the IPv6 ORPort and the OutboundBindAddress, and see if that helps.
Operators could also tweak ExitPolicyRejectLocalInterfaces and ExitPolicyRejectPrivate. Turning off ExitPolicyRejectPrivate can make an exit insecure, so it should be done after blocking all traffic from the exit on private addresses using a firewall.
In total there are currently 57 exits with an IPv6 ORPort but no IPv6 exit policy. That on its own doesn't mean anything because they might not set IPv6Exit to 1 but the big picture looks a bit odd.
Here is a (truncated) list of exits which have IPv6 connectivity (ORPort) and their respective v6 exit policy (the last column). Since the v6 policy changes between none (NULL) and non-NULL even within the same operator, this seems strange. Usually an operator uses highly identical torrc files across all their relays.
If you are on this list with a NULL value in the v6_policy column and your torrc contains IPv6Exit 1, we'd be interested to see your complete torrc files (do not forget to _remove_ any sensitive lines like HashedControlPassword).
I also had a look at the tor_version column but there was no correlation there. That said, there _is_ a correlation with as_name, so maybe this is not a bug but operators only enabling IPv6 exiting on specific hosters (which seems strange because I only list IPv6 enabled relays).
Some providers may require certain port configurations, which could cause the issue.
...
T
-- Tim Wilson-Brown (teor)
teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org
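
An added example, not part of the original thread: a local check an operator could run to compare a torrc against the relay's published descriptor, flagging the case discussed above (IPv6Exit 1 in the torrc, IPv6 ORPort in the descriptor, but no usable `ipv6-policy` line). The sample torrc and descriptor are constructed, the function names are hypothetical, and it assumes the last IPv6Exit line in a torrc is the one that applies.

```python
import re

# torrc options the thread names as candidates for changing the published policy.
RELEVANT = {"ipv6exit", "exitpolicy", "orport", "outboundbindaddress",
            "exitpolicyrejectprivate", "exitpolicyrejectlocalinterfaces"}

def parse_torrc(text):
    """Return [(option_lowercased, value)] for uncommented torrc lines."""
    opts = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            opts.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return opts

def parse_descriptor(text):
    """Return (IPv6 or-address entries, ipv6-policy value or None if absent)."""
    v6_orports = re.findall(r"^or-address (\[[0-9A-Fa-f:.]+\]:\d+)$", text, re.M)
    m = re.search(r"^ipv6-policy ((?:accept|reject) \S+)$", text, re.M)
    return v6_orports, (m.group(1) if m else None)

def triage(torrc, descriptor):
    """Compare what the torrc asks for with what the descriptor publishes."""
    opts = parse_torrc(torrc)
    # Assumption: if IPv6Exit appears more than once, the last value applies.
    wants = [v for k, v in opts if k == "ipv6exit"][-1:] == ["1"]
    v6_orports, policy = parse_descriptor(descriptor)
    publishes = policy is not None and policy != "reject 1-65535"
    return {
        "torrc_ipv6exit": wants,
        "v6_orports": v6_orports,
        "ipv6_policy": policy,  # None corresponds to NULL in the list
        "mismatch": wants and not publishes,
        "review": [(k, v) for k, v in opts if k in RELEVANT],  # no secrets copied
    }

# Constructed sample inputs (documentation addresses, not a real relay).
SAMPLE_TORRC = """\
ORPort [2001:db8::1]:9001
IPv6Exit 1
ExitPolicy accept *:80
HashedControlPassword 16:PLACEHOLDER
"""
SAMPLE_DESCRIPTOR = """\
router ConstructedExit 192.0.2.10 9001 0 0
or-address [2001:db8::1]:9001
accept *:80
reject *:*
"""
if __name__ == "__main__": print(triage(SAMPLE_TORRC, SAMPLE_DESCRIPTOR))
```

The `review` list carries only the options named in the thread, so it can be shared for debugging without lines such as HashedControlPassword.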