[tor-bugs] #23819 [Core Tor/Tor]: Tor doesn't bind to link-local (ipv6) addresses

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Oct 10 20:05:53 UTC 2017


#23819: Tor doesn't bind to link-local (ipv6) addresses
------------------------------+-----------------------------
     Reporter:  Zakhar        |      Owner:  (none)
         Type:  defect        |     Status:  new
     Priority:  Medium        |  Milestone:
    Component:  Core Tor/Tor  |    Version:  Tor: 0.2.9.11
     Severity:  Normal        |   Keywords:  ipv6 link-local
Actual Points:                |  Parent ID:
       Points:                |   Reviewer:
      Sponsor:                |
------------------------------+-----------------------------
 This is either a '''bug''' or a '''documentation defect''' (didn't dive
 into the code yet).

 Standard routing with ipv6 happens with link-local as next hop.

 Hence, for the sake of making a transparent proxy for VMs, I am trying to
 specify a '''TransPort''' with the link-local of my bridge.

 The standard way of specifying that is: [fe80::xxxx:xxxx:xxxx:xxxx%iface]

 Tor correctly parses this ipv6 address (removing iface) but fails to bind.

 To reproduce:

 `$ cat /etc/tor/torrc`
 (...)
 `TransPort fe80::1c9a:c3ff:fec8:7768%vnet0:9040`
 (...)

 `$ ifconfig vnet0`
 `vnet0     Link encap:Ethernet  HWaddr 1e:9a:c3:c8:77:68`

 `  inet6: fe80::1c9a:c3ff:fec8:7768/64 Scope:Link`

 As you can see, I have a vnet0. It has the link-local address that is
 specified as TransPort.
 Now let's start tor:

 `$ sudo tor`
 `Oct 10 21:34:28.384 [notice] Tor 0.2.9.11 (git-aa8950022562be76) running
 on Linux with Libevent 2.0.21-stable, OpenSSL 1.0.2g and Zlib 1.2.8.`
 (...)
 `Oct 10 21:34:28.385 [notice] You configured a non-loopback address
 '[fe80::1c9a:c3ff:fec8:7768]:9040' for TransPort. This allows everybody on
 your local network to use your machine as a proxy. Make sure this is what
 you wanted.`
 (...)
 `Oct 10 21:34:28.386 [notice] Opening Transparent pf/netfilter listener on
 [fe80::1c9a:c3ff:fec8:7768]:9040`
 `Oct 10 21:34:28.386 [warn] Could not bind to
 fe80::1c9a:c3ff:fec8:7768:9040: Invalid argument`

 As you can see, it is correctly stripping the '''%vnet0''' and reading my
 link-local address from the /etc/tor/torrc

 It then tries to open the "pf/netfilter" and fails to bind, and says
 "invalid argument"!

 Indeed, binding a link-local ipv6 address needs one more argument in the
 syscall to bind: the interface!

 '''Other tests:'''

 Trying with fancy notations like

 TransPort [fe80::1c9a:c3ff:fec8:7768]%vnet0:9040

 fails at parsing.

 Trying with a global address (with IPv6 you can just add addresses to the
 interface) works but opens other headaches such as having to advertise a
 different router address to the clients.

 '''Conclusion''', this is either:

  * '''(bug)''' the implementation of the "interface" parameter when
 binding link-local addresses is missing or failing.
 or
  * '''(documentation)''' it works and it is a documentation defect since
 nowhere can we find how to bind a link-local ipv6 address or even a
 working example.


 '''Additional:''' there could be the exact same bug/missing documentation
 in other places where you can specify an ipv6 address.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/23819>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
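
The scope requirement described in the report, as an added C example (not Tor's code and not part of the original message): the `%iface` zone has to end up in `sin6_scope_id` of the `sockaddr_in6` passed to bind(), otherwise Linux returns EINVAL for a link-local address. The helper name `parse_scoped_v6` and its return codes are hypothetical.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <net/if.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: fill a sockaddr_in6 from "addr[%zone]".
 * Returns 0 on success, -1 on a malformed address or unknown zone, and
 * -2 for a link-local address given without a zone, which bind() on
 * Linux rejects with EINVAL ("Invalid argument", as in the log above). */
int parse_scoped_v6(const char *text, uint16_t port, struct sockaddr_in6 *out)
{
    char buf[128];
    if (strlen(text) >= sizeof buf)
        return -1;
    strcpy(buf, text);

    char *zone = strchr(buf, '%');
    if (zone)
        *zone++ = '\0';              /* split "fe80::..." from "vnet0" */

    memset(out, 0, sizeof *out);
    out->sin6_family = AF_INET6;
    out->sin6_port = htons(port);
    if (inet_pton(AF_INET6, buf, &out->sin6_addr) != 1)
        return -1;

    if (zone) {
        unsigned idx = if_nametoindex(zone);   /* interface name -> index */
        if (idx == 0) {                        /* also accept a numeric zone */
            char *end;
            unsigned long n = strtoul(zone, &end, 10);
            if (!isdigit((unsigned char)*zone) || *end != '\0' ||
                n == 0 || n > 0xffffffffUL)
                return -1;
            idx = (unsigned)n;
        }
        out->sin6_scope_id = idx;    /* the extra argument bind() needs */
    } else if (IN6_IS_ADDR_LINKLOCAL(&out->sin6_addr)) {
        return -2;                   /* scope dropped: refuse before bind() */
    }
    return 0;
}
```

The resulting structure is what a listener would pass to bind(); a parser that strips the zone and leaves `sin6_scope_id` at 0 produces the failure shown in the log.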