On 8 Feb 2017, at 04:51, Dr Gerard Bulger gerard@bulger.co.uk wrote:
I wonder if TOR design should now be more supportive of variable IPs and a spread of IPs for TOR exits. I am not an IT guru.
Tor relays detect their own IP address, and can use DNS to do so. ("Address" accepts a hostname.)
The directory authorities do not, because their addresses need to be fixed for bootstrapping.
I gather it was thought to be good manners that the IPs of Tor exits were known to the public. It would at least let recipients know that the originating IP could not be traced when they see that it came from a TOR exit.
Alas many services simply trawl the TOR exit node list and block the IPs accordingly for no other reason than TOR must equal bad. BBC does this. This means the IP gets blocked for TOR and any other service using that IP.
Yes, this is a blocking model that has a number of issues, particularly on networks that are IPv4-address poor. Blocking should really be done based on behaviour, not by assuming the same user uses the same address for a single purpose.
Now that IPv6 is coming along, a TOR exit node could have a veritable range of IPs and even distribute its outputs across them. Indeed, is it not possible for a Tor exit node (whose IP is published) to exit connections via another variable IP or range of IPs?
Yes, there is an OutboundBindAddress option for this purpose.
From: tor-relays [mailto:tor-relays-bounces@lists.torproject.org] On Behalf Of Andrew Smith
Sent: 07 February 2017 15:53
To: tor-relays@lists.torproject.org
Subject: Re: [tor-relays] Hostname in DirAuthority config
OK, thanks for the clarification and raising the ticket.
To answer the why - for starters I'm trying to run a local tor network for fun and to learn more about tor.
Why am I trying to put a hostname in there? Because the system I'm setting up the network in may not have static IPs. As I understand it I need to maintain a DirAuthority line with a hard coded IP for each and every directory authority I run myself. If I can use a DNS name, this will mean I end up updating the torrc with DirAuthority lines a lot less. With IPs I am forced to change every torrc in my network every time an IP changes.
There are certainly ways around this (I could have a script populate torrc based upon DNS, for example) but it would make my life easier if I didn't have to.
Thanks
On 6 February 2017 at 23:10, teor teor2345@gmail.com wrote:
On 7 Feb 2017, at 03:31, Andrew Smith me@andrewmichaelsmith.com wrote:
Hi
I'm experimenting running my own tor network. To achieve this I'm setting DirAuthority in torrc.
But it seems that I cannot use a hostname for my DirAuthority.
Why are you trying to do this? If you share your goal, we might be able to help you with a workaround or alternate strategy.
For example, if you use a hostname in the "Address" field, your authority will look it up, add the IPv4 to its descriptor, and then other authorities, relays, and clients will use that address. (After the network has bootstrapped using the original address.)
For example:
DirAuthority da1 orport=7000 no-v2 v3ident=xxx da1:7000 xxx
Results in the error:
Unrecognized flag 'da1:7000' on DirAuthority line
If I replace "da1" with an IP address there is no error. Is this expected behaviour?
It is the implemented behaviour, and has been since at least 2006 (tor-0.1.2.2-alpha). The code responsible is:
    while (smartlist_len(items)) {
      char *flag = smartlist_get(items, 0);
      if (TOR_ISDIGIT(flag[0]))
        break;
Which means that only IPv4 addresses are guaranteed to work here.
I'm running tor v0.2.8.12. The documentation calls this an "address" (as opposed to other parts which refer to an "IP") which made me think a hostname would work.
The "Address" torrc option takes a hostname, as do some other options (I think the HiddenServicePort target is another.)
Thanks for the bug report, we'll fix the man page: https://trac.torproject.org/projects/tor/ticket/21405
T
-- Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B ricochet:ekmygaiu4rzgsk6n xmpp: teor at torproject dot org
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
-- Andy Smith http://andrewmichaelsmith.com | @bingleybeep
T
-- Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B ricochet:ekmygaiu4rzgsk6n xmpp: teor at torproject dot org
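
As an added example (not from any message in the thread and not tor project code), one way to do the DNS-to-torrc workaround mentioned above: resolve each hostname:port on a DirAuthority line to an IPv4 address before writing torrc, and fail closed on a missing or non-IPv4 answer. The address 10.0.0.11, the FAKE_DNS table and all function names are assumptions; has_digit_led_address is a simplified model of the quoted check, not tor's parser.

```python
import ipaddress
import re
import socket

# hostname:port token such as "da1:7000"; tokens that start with a digit are left alone
HOST_PORT = re.compile(r"^([A-Za-z][A-Za-z0-9.-]*):(\d{1,5})$")


def resolve_ipv4(host):
    """Default resolver: first IPv4 address returned by the system resolver."""
    infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    return infos[0][4][0]


def pin_dirauthority(line, resolver=resolve_ipv4):
    """Rewrite hostname:port on one DirAuthority line to a.b.c.d:port."""
    tokens = line.split()
    if not tokens or tokens[0].lower() != "dirauthority":
        return line  # other torrc options pass through unchanged
    out = []
    for tok in tokens:
        m = HOST_PORT.match(tok)
        if m:
            # Fail closed: a missing or non-IPv4 answer raises here
            addr = ipaddress.IPv4Address(resolver(m.group(1)))
            tok = f"{addr}:{m.group(2)}"
        out.append(tok)
    return " ".join(out)


def has_digit_led_address(line):
    """Simplified model of the quoted check: some token after the option
    name and nickname must start with a digit for flag parsing to stop."""
    return any(t[0] in "0123456789" for t in line.split()[2:])


def render_torrc(template, resolver=resolve_ipv4):
    """Pin every DirAuthority line; refuse to emit one without an address."""
    lines = [pin_dirauthority(l, resolver) for l in template.splitlines()]
    for l in lines:
        if l.lower().split()[:1] == ["dirauthority"] and not has_digit_led_address(l):
            raise ValueError(f"no IPv4 address on line: {l}")
    return "\n".join(lines) + "\n"


# Constructed sample: the line from the thread plus a made-up address for "da1"
TEMPLATE = "DirAuthority da1 orport=7000 no-v2 v3ident=xxx da1:7000 xxx\nSocksPort 9050"
FAKE_DNS = {"da1": "10.0.0.11"}

if __name__ == "__main__":
    print(render_torrc(TEMPLATE, FAKE_DNS.__getitem__), end="")
```

A torrc generated this way is only as trustworthy as the DNS answers used to build it, so the resolver should be one the operator controls.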