[tor-bugs] #32604 [Core Tor/Tor]: Add HiddenServiceExportRendPoint and HiddenServiceExportInstanceID directive
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Dec 4 02:21:43 UTC 2019
#32604: Add HiddenServiceExportRendPoint and HiddenServiceExportInstanceID directive
-----------------------------------------+---------------------------------
 Reporter:  moonsikpark                  |          Owner:  (none)
     Type:  enhancement                  |         Status:  needs_information
 Priority:  Medium                       |      Milestone:  Tor: 0.4.3.x-final
Component:  Core Tor/Tor                 |        Version:
 Severity:  Normal                       |     Resolution:
 Keywords:  tor-hs tor-dos extra-review  |  Actual Points:
Parent ID:  #32511                       |         Points:
 Reviewer:  dgoulet, ahf                 |        Sponsor:  Sponsor27-can
-----------------------------------------+---------------------------------
Comment (by teor):

Replying to [comment:9 ahf]:
> I left some comments there. I think my biggest question is what is the
> IPv6 story in this? Encoding a 32-bit IPv4 address in an IPv6 address is
> smart, but encoding an IPv6 address in an IPv6 address whilst still
> leaving space for other data is going to be difficult.

The PROXY protocol has 2 address fields and 2 port fields:
`PROXY TCP6 (SOURCE_IPV6) (DEST_IPV6) (SOURCE_PORT) (DEST_PORT)`

In the current Tor network, Tor relays must have one IPv4 address and
port, and can optionally have an IPv6 address and port.

So here's the information we might want to capture:
* REND_IPV4 (4 bytes)
* REND_IPV4_PORT (2 bytes)
* REND_IPV6 (16 bytes)
* REND_IPV6_PORT (2 bytes)
* INSTANCE_ID (2 bytes)
* CIRCUIT_ID (4 bytes)

And here's how this patch does that:
`PROXY TCP6 (RESERVED_4_BYTES|REND_IPV4|REND_IPV4_PORT|INSTANCE_ID|CIRCUIT_ID) (DEST_IPV6?) (UNKNOWN?) (DEST_PORT?)`

If we ever need to capture the IPv6 address and port:

If we can use DEST_IPV6 and DEST_PORT:
* Use DEST_IPV6 for REND_IPV6
* Use DEST_PORT for REND_IPV6_PORT

If we can't, we only have 4 bytes left to store 18 bytes, so we hash the
IPv6 and port, and use the first 4 bytes:
* RESERVED_4_BYTES = H(REND_IPV6|REND_IPV6_PORT)[:4]

I think we can make this decision later?

But we should definitely document that IPv6 is not supported, and that the
address is the canonical IPv4 address of the rend point. (And not
guaranteed to be the actual address that the circuit is connecting
through.)

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/32604#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
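
The 16-byte source-address layout described in the comment above, as an added example that is not part of the ticket or the patch: it packs the fields into the SOURCE_IPV6 field and decodes them again on the backend that receives the PROXY line. Assumptions: network byte order for every field, SHA-256 standing in for the unnamed `H`, constructed values for the destination address and both ports, and all function names are hypothetical.

```python
import hashlib
import ipaddress
import struct

# Field order from the ticket comment, 16 bytes in total:
# RESERVED(4) | REND_IPV4(4) | REND_IPV4_PORT(2) | INSTANCE_ID(2) | CIRCUIT_ID(4)
# Byte order is not stated in the ticket; big-endian is assumed here.
LAYOUT = struct.Struct("!4s4sHHI")

def reserved_from_ipv6(rend_ipv6, rend_ipv6_port):
    """Fallback from the comment: H(REND_IPV6|REND_IPV6_PORT)[:4]. H = SHA-256 is assumed."""
    raw = ipaddress.IPv6Address(rend_ipv6).packed + struct.pack("!H", rend_ipv6_port)
    return hashlib.sha256(raw).digest()[:4]

def encode_source(rend_ipv4, rend_port, instance_id, circuit_id, reserved=b"\x00" * 4):
    """Pack the fields into the address carried in SOURCE_IPV6."""
    packed = LAYOUT.pack(reserved, ipaddress.IPv4Address(rend_ipv4).packed,
                         rend_port, instance_id, circuit_id)
    return ipaddress.IPv6Address(packed)

def decode_source(source_ipv6):
    """Backend side: recover the fields from the SOURCE_IPV6 text form."""
    reserved, v4, port, instance_id, circuit_id = LAYOUT.unpack(
        ipaddress.IPv6Address(source_ipv6).packed)
    return {"reserved": reserved,
            "rend_ipv4": str(ipaddress.IPv4Address(v4)),
            "rend_ipv4_port": port,
            "instance_id": instance_id,
            "circuit_id": circuit_id,
    }

def parse_proxy_line(line):
    """Parse one 'PROXY TCP6 src dst sport dport' line and decode src."""
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) != 6 or parts[:2] != ["PROXY", "TCP6"]:
        raise ValueError("not a PROXY TCP6 header")
    fields = decode_source(parts[2])
    fields["dest"] = (parts[3], int(parts[5]))
    return fields

if __name__ == "__main__":
    # Constructed sample values (192.0.2.0/24 is a documentation range).
    src = encode_source("192.0.2.10", 9001, 3, 0x80000001)
    print(parse_proxy_line(f"PROXY TCP6 {src} ::1 0 8080\r\n"))
```

Because the truncated hash is only 4 bytes, a backend can use it to group circuits by IPv6 rend point but cannot recover the address from it, and distinct rend points can collide.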