On 3 Aug 2016, at 10:13, Green Dream greendream848@gmail.com wrote:
The release notes for Tor 0.2.8.6 have this tidbit about the DirPort:
"Previously only relays that explicitly opened a directory port (DirPort) accepted directory requests from clients. Now all relays, with and without a DirPort, accept and serve tunneled directory requests that they receive through their ORPort. You can disable this behavior using the new DirCache option. Closes ticket 12538."
With this new behavior, is there any reason to keep an open DirPort on our relays? If I just use an ORPort on 443 (or another reachable TCP port) is this sufficient? Might it make sense to leave the DirPort up for a while for legacy clients? Will (up-to-date) authorities have any concerns with an ORPort-only relay?
Yes, it is needed.
In brief: please keep an IPv4 DirPort on your relay, so that:
* older clients and authorities can use the IPv4 DirPort - they may take a year or two to upgrade,
* other relays can fetch directory documents from your relay, and
* your relay can be selected as a fallback directory mirror.
Here are the details:
Clients on 0.2.7.6 and earlier still use the IPv4 DirPort. (Tor Browser is still 0.2.7.6, and apps in general may take some time to upgrade.)
Authorities on 0.2.7.6 and earlier will only assign the HSDir flag to relays with an IPv4 DirPort. (Authorities may take some time to upgrade, because running different versions increases authority diversity.)
Fallback directory mirrors must have a DirPort, and we'd only think about changing that when:
* all recommended relay versions are 0.2.8 and later, and
* relays no longer fetch documents using the DirPort (so maybe never).
All relays running any Tor version will continue to use the IPv4 DirPort to fetch consensuses from other relays.
So we haven't obsoleted the IPv4 DirPort yet. We've just made sure that clients fetch directory documents over an encrypted channel. (The IPv6 DirPort was briefly introduced in the 0.2.8 alpha series, and then obsoleted in a subsequent alpha, because only clients use IPv6 for directory fetches, and clients only use the IPv6 ORPort. There's no way to advertise an IPv6 DirPort, and no reason for a relay to have one.)
Tim
Tim Wilson-Brown (teor)
teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org
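
An added example, not part of the original message and not code from the Tor project: a Python check that reads a relay's torrc and reports whether it still advertises an IPv4 DirPort, as the reply above asks operators to do, and whether DirCache has been switched off. The sample torrc contents, addresses and finding names are constructed for illustration.

```python
def _parse_port(value):
    """Split a '[addr:]port [flags]' value into (is_ipv6, port, flags)."""
    spec, *flags = value.split()
    return spec.startswith("["), spec.rsplit(":", 1)[-1], {f.lower() for f in flags}

def audit_torrc(text):
    """Return a list of findings for a relay torrc (finding names are hypothetical)."""
    opts = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split(None, 1)  # drop comments, split name/value
        if len(fields) == 2:
            opts.setdefault(fields[0].lower(), []).append(fields[1].strip())

    def advertised_ipv4(name):
        # A port counts if it is non-zero, not IPv6, and not marked NoAdvertise.
        for value in opts.get(name, []):
            is_ipv6, port, flags = _parse_port(value)
            if not is_ipv6 and port != "0" and "noadvertise" not in flags:
                return True
        return False

    findings = []
    if not advertised_ipv4("orport"):
        findings.append("no-ipv4-orport")
    if not advertised_ipv4("dirport"):
        findings.append("no-ipv4-dirport")   # the case the reply advises against
    if any(v.split()[0] == "0" for v in opts.get("dircache", [])):
        findings.append("dircache-disabled")  # no tunneled directory requests served
    return findings

# Constructed sample configurations (documentation address ranges).
ORPORT_ONLY = """
ORPort 443
DirPort 0   # the ORPort-only setup from the question
"""
BEHIND_NAT = """
ORPort 443
ORPort [2001:db8::1]:443
DirPort 198.51.100.7:80 NoListen
DirPort 127.0.0.1:9030 NoAdvertise
"""
NO_CACHE = "ORPort 9001\nDirPort 9030\nDirCache 0\n"

if __name__ == "__main__":
    for label, cfg in [("orport-only", ORPORT_ONLY), ("nat", BEHIND_NAT), ("no-cache", NO_CACHE)]:
        print(label, audit_torrc(cfg) or "ok")
```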