[tor-bugs] #17605 [Core Tor/Tor]: Tell caches to remove X-Your-IP-Address-Is from Tor Directory documents

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Nov 29 11:18:24 UTC 2016


#17605: Tell caches to remove X-Your-IP-Address-Is from Tor Directory documents
----------------------------------+------------------------------
 Reporter:  teor                  |          Owner:
     Type:  defect                |         Status:  new
 Priority:  High                  |      Milestone:  Tor: 0.3.???
Component:  Core Tor/Tor          |        Version:
 Severity:  Normal                |     Resolution:
 Keywords:  tor-auth, isaremoved  |  Actual Points:
Parent ID:                        |         Points:  2
 Reviewer:                        |        Sponsor:
----------------------------------+------------------------------

Comment (by teor):

 Replying to [comment:5 teor]:
 > Replying to [comment:4 arma]:
 > > What if we went a step further and didn't include the header at all in
 > > unencrypted connections? That is, we include it in the begin_dir response
 > > but not in the naked dirport responses.
 >
 > I think this is an excellent idea. As the HTTP headers of a naked
 > dirport response are unauthenticated, they can be modified in transit, and
 > we can't know either way.
 >
 > > The main effect would be that relays, who use the naked dirport, would
 > > no longer be able to learn their IP address from their directory authority
 > > interactions.
 >
 > A relay believes any directory mirror, not just the authorities. But if
 > it doesn't know its IP address, it will only connect to authorities.
 >
 > > We could work around that by finally moving all dir traffic to
 > > begin_dir (which still makes me uncomfortable because of the extra scaling
 > > and load, but maybe this is a good additional kick for why we should do it
 > > anyway), or by having relays who don't know their address launch a
 > > begin_dir connection just for finding it out.
 >
 > With the introduction of fallback directory mirrors in 0.2.8 (#15775),
 > the extra load for bootstrap begindirs will be shared among 100-250
 > high-uptime directory mirrors, rather than just the ~9 authorities.
 >
 > After bootstrap, with the introduction of "dir servers for all" (#12538)
 > in 0.2.8, it will be shared among almost all relays.
 >
 > So I think we can do begindirs for all directory fetches.

 We made clients always use begindir in 0.2.8 in #18483.

 > We might want to fix #17848 at the same time, otherwise clients and
 > relays won't know if they have an existing connection to a directory
 > server, and load balancing will suffer.
 >
 > > Actually, wait a minute, don't netinfo cells have your address in them
 > > now too? Does that mean x-your-address-is on naked dirport answers is
 > > redundant? And thus we should try to phase it out in favor of the
 > > encrypted, authenticated mechanism that we built?
 >
 > It has the relay's IPv4 address.
 >
 > (Although it's somewhat orthogonal, we'd like to have some way for
 > relays to learn their IPv6 addresses, too. This would be somewhat easier
 > to do by adding a HTTP header, rather than changing the format of a
 > NETINFO cell. See #5940.)

 Actually, the NETINFO format supports IPv6. If it doesn't work when you
 connect to a relay's IPv6 ORPort, that's a bug.

 >
 > > The reason I want to get rid of the caching situation is because this
 > > is an information leak, from one user to another. Now, it's mostly just
 > > relays who suffer, since they're the ones who use naked dirport requests.
 > > But this is still an uncomfortable state of affairs to leave in place.
 >
 > Let's fix it then!

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17605#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
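
The cross-user leak discussed in this ticket, modelled as an added example (not Tor's code and not part of the original message): a URL-keyed shared cache in front of a plain dirport replays the first requester's X-Your-Address-Is value to the next one unless it drops that field before storing. Assumptions: the toy cache model, the constructed path and documentation-range IPs, and the use of the RFC 7234 `private="field-name"` directive as one possible way to tell caches to remove the header.

```python
import re

HEADER = "X-Your-Address-Is"  # per-client header discussed in the ticket

def origin_response(client_ip, cache_control=None):
    """Simulated dirport reply: the body is shared, the header is per-client."""
    headers = {"Content-Type": "text/plain", HEADER: client_ip}
    if cache_control:
        headers["Cache-Control"] = cache_control
    return headers, b"(constructed directory document)"

def private_fields(headers):
    """Field names listed in Cache-Control: private="a, b" (RFC 7234, 5.2.2.6)."""
    m = re.search(r'\bprivate="([^"]*)"', headers.get("Cache-Control", ""), re.I)
    return {f.strip().lower() for f in m.group(1).split(",")} if m else set()

class SharedCache:
    """URL-keyed shared cache; honor_private toggles the field-name handling."""
    def __init__(self, honor_private):
        self.honor_private = honor_private
        self.store = {}

    def fetch(self, url, client_ip, cache_control=None):
        if url not in self.store:
            headers, body = origin_response(client_ip, cache_control)
            if self.honor_private:
                drop = private_fields(headers)
                stored = {k: v for k, v in headers.items() if k.lower() not in drop}
            else:
                stored = dict(headers)
            self.store[url] = (stored, body)
            return headers, body      # the first requester sees the full reply
        return self.store[url]        # later requesters get the stored copy

def second_client_sees(honor_private, cache_control):
    """Header value handed to a second client behind the same cache."""
    cache = SharedCache(honor_private)
    url = "/constructed/directory/document"            # constructed path
    cache.fetch(url, "192.0.2.10", cache_control)      # first client (constructed IP)
    headers, _ = cache.fetch(url, "198.51.100.20", cache_control)
    return headers.get(HEADER)

if __name__ == "__main__":
    directive = 'private="X-Your-Address-Is"'
    print("naive cache:           ", second_client_sees(False, None))
    print("directive, honored:    ", second_client_sees(True, directive))
    print("directive, not honored:", second_client_sees(False, directive))
```

The last case shows why a directive alone is not enough: it only helps if every cache on the path honors it, whereas omitting the header from unencrypted responses leaves nothing to cache.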

