The release notes for Tor 0.2.8.6 have this tidbit about the DirPort:
"Previously only relays that explicitly opened a directory port (DirPort) accepted directory requests from clients. Now all relays, with and without a DirPort, accept and serve tunneled directory requests that they receive through their ORPort. You can disable this behavior using the new DirCache option. Closes ticket 12538."
With this new behavior, is there any reason to keep an open DirPort on our relays? If I just use an ORPort on 443 (or another reachable TCP port) is this sufficient? Might it make sense to leave the DirPort up for a while for legacy clients? Will (up-to-date) authorities have any concerns with an ORPort-only relay?
Thanks.
On 3 Aug 2016, at 10:13, Green Dream greendream848@gmail.com wrote:
The release notes for Tor 0.2.8.6 have this tidbit about the DirPort:
"Previously only relays that explicitly opened a directory port (DirPort) accepted directory requests from clients. Now all relays, with and without a DirPort, accept and serve tunneled directory requests that they receive through their ORPort. You can disable this behavior using the new DirCache option. Closes ticket 12538."
With this new behavior, is there any reason to keep an open DirPort on our relays? If I just use an ORPort on 443 (or another reachable TCP port) is this sufficient? Might it make sense to leave the DirPort up for a while for legacy clients? Will (up-to-date) authorities have any concerns with an ORPort-only relay?
Yes, it is needed.
In brief: please keep an IPv4 DirPort on your relay, so that:
* older clients and authorities can use the IPv4 DirPort - they may take a year or two to upgrade,
* other relays can fetch directory documents from your relay, and
* your relay can be selected as a fallback directory mirror.
Here are the details:
Clients on 0.2.7.6 and earlier still use the IPv4 DirPort. (Tor Browser is still 0.2.7.6, and apps in general may take some time to upgrade.)
Authorities on 0.2.7.6 and earlier will only assign the HSDir flag to relays with an IPv4 DirPort. (Authorities may take some time to upgrade, because running different versions increases authority diversity.)
Fallback directory mirrors must have a DirPort, and we'd only think about changing that when:
* all recommended relay versions are 0.2.8 and later, and
* relays no longer fetch documents using the DirPort (so maybe never).
All relays running any Tor version will continue to use the IPv4 DirPort to fetch consensuses from other relays.
So we haven't obsoleted the IPv4 DirPort yet. We've just made sure that clients fetch directory documents over an encrypted channel. (The IPv6 DirPort was briefly introduced in the 0.2.8 alpha series, and then obsoleted in a subsequent alpha, because only clients use IPv6 for directory fetches, and clients only use the IPv6 ORPort. There's no way to advertise an IPv6 DirPort, and no reason for a relay to have one.)
Tim
Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B ricochet:ekmygaiu4rzgsk6n xmpp: teor at torproject dot org
Hi Green. Besides the things teor mentioned the DirPort also provides easier access to directory information which Stem's remote module...
https://stem.torproject.org/api/descriptor/remote.html
... and curl can take advantage of...
% curl 128.31.0.34:9131/tor/server/all
- relays no longer fetch documents using the DirPort (so maybe never).
Hope we can amend this to be 'relays *and* stem', otherwise DocTor and quite a few things will be very sad. :P
Cheers! -Damian
On 3 Aug 2016, at 10:35, I beatthebastards@inbox.com wrote:
Does that mean it is pointless to set-up IPV6 on all relays?
IPv6 relays are still very useful for Tor clients. I was only talking about IPv6 DirPorts being obsolete.
An IPv6 ORPort allows clients that use IPv6 to connect to the Tor network. An IPv6 Exit allows clients to access sites on IPv6.
Some clients are IPv6-only, others can circumvent network blocks using IPv6 (both blocked guards and blocked websites) and others simply prefer IPv6 because it's faster or more reliable on their networks.
Please enable IPv6 on your relay, if you can.
Tim
Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B ricochet:ekmygaiu4rzgsk6n xmpp: teor at torproject dot org
On 3 Aug 2016, at 10:29, teor teor2345@gmail.com wrote:
Clients on 0.2.7.6 and earlier still use the IPv4 DirPort. (Tor Browser is still 0.2.7.6, and apps in general may take some time to upgrade.)
Authorities on 0.2.7.6 and earlier will only assign the HSDir flag to relays with an IPv4 DirPort. (Authorities may take some time to upgrade, because running different versions increases authority diversity.)
For the record, even though the man page entry for HidServDirectoryV2 says the DirPort is not required to be a HSDir, authorities on 0.2.7 and earlier still check for it before assigning the HSDir flag.
Authorities on 0.2.8 and later behave in a way that's consistent with HidServDirectoryV2, assigning the HSDir flag to any relay that wants to be a HSDir, and either supports being a directory cache, or has a DirPort.
HidServDirectoryV2 0|1
    When this option is set, Tor accepts and serves v2 hidden service descriptors. Setting DirPort is not required for this, because clients connect via the ORPort by default. (Default: 1)
Fallback directory mirrors must have a DirPort, and we'd only think about changing that when:
- all recommended relay versions are 0.2.8 and later, and
- relays no longer fetch documents using the DirPort (so maybe never).
All relays running any Tor version will continue to use the IPv4 DirPort to fetch consensuses from other relays.
So we haven't obsoleted the IPv4 DirPort yet. We've just made sure that clients fetch directory documents over an encrypted channel.
Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B ricochet:ekmygaiu4rzgsk6n xmpp: teor at torproject dot org
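An added example, not part of the thread or of Tor's own code: a small torrc check that maps the DirPort/ORPort/DirCache rules described in the messages above onto a relay configuration. The sample torrc, the function names and the result keys are constructed for illustration, and only the DirPort-related conditions from the thread are modelled (authorities apply other criteria as well).

```python
# Constructed sample torrc (not from the thread): ORPort-only relay with IPv6.
SAMPLE_TORRC = """\
ORPort 443
ORPort [2001:db8::1]:443   # documentation-range address, constructed
DirPort 0                  # DirPort explicitly disabled
"""

def parse_torrc(text):
    """Map lower-cased option name -> list of values, skipping comments."""
    opts = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if parts:
            value = parts[1].strip() if len(parts) > 1 else ""
            opts.setdefault(parts[0].lower(), []).append(value)
    return opts

def open_ports(values):
    """Return (ipv4_open, ipv6_open) for ORPort/DirPort lines; 0 disables."""
    v4 = v6 = False
    for value in values:
        spec = value.split()[:1]          # ignore trailing flags
        if not spec or spec[0] == "0":
            continue
        if spec[0].startswith("["):       # [addr]:port is an IPv6 listener
            v6 = True
        else:
            v4 = True
    return v4, v6

def last_bool(opts, name):
    """Assumed: last occurrence wins; both options used here default to 1."""
    return opts.get(name, ["1"])[-1] != "0"

def audit(text):
    """Which roles from the thread this torrc can fill (DirPort-related only)."""
    opts = parse_torrc(text)
    dir4, _ = open_ports(opts.get("dirport", []))
    or4, or6 = open_ports(opts.get("orport", []))
    dircache = last_bool(opts, "dircache")
    hsdir = last_bool(opts, "hidservdirectoryv2")
    return {
        "legacy_clients_and_relay_fetches": dir4,
        "fallback_mirror_candidate": dir4,
        "hsdir_flag_from_0_2_7_authorities": hsdir and dir4,
        "hsdir_flag_from_0_2_8_authorities": hsdir and (dircache or dir4),
        "tunneled_dir_requests_on_orport": (or4 or or6) and dircache,
        "ipv6_clients_can_connect": or6,
    }
```

Calling `audit(SAMPLE_TORRC)` shows that an ORPort-only relay still serves tunneled directory requests and IPv6 clients, but drops out of every role that depends on the IPv4 DirPort.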
On 08/03/2016 02:13 AM, Green Dream wrote:
With this new behavior, is there any reason to keep an open DirPort on our relays?
Yes, it is a convenient way to tell others to fetch an HTML document from the Tor exit IP address (e.g. in our RIPE or WHOIS entry) like http://5.9.158.75/
Toralf
PGP: C4EACDDE 0076E94E, OTR: 420E74C8 30246EE7
tor-relays@lists.torproject.org