[tor-bugs] #31011 [Core Tor/Tor]: Make the bridge authority reject private PT addresses when DirAllowPrivateAddresses is 0

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Dec 17 23:38:15 UTC 2019


#31011: Make the bridge authority reject private PT addresses when
DirAllowPrivateAddresses is 0
-----------------------------------------------+---------------------------
 Reporter:  teor                               |          Owner:  (none)
     Type:  defect                             |         Status:  new
 Priority:  Medium                             |      Milestone:  Tor:
                                               |  unspecified
Component:  Core Tor/Tor                       |        Version:
 Severity:  Normal                             |     Resolution:
 Keywords:  anti-censorship-roadmap-september  |  Actual Points:
Parent ID:  #31009                             |         Points:  1
 Reviewer:                                     |        Sponsor:
                                               |  Sponsor28-can
-----------------------------------------------+---------------------------
Changes (by phw):

 * cc: cohosh (added)


Comment:

 Replying to [comment:8 teor]:
 > I think we need to know how many bridges are affected by this issue,
 > before we can make this decision.

 As of Dec 17, 2019, 1,382 bridges support a pluggable transport. Among
 these, 10 bridges use an address in 10.0.0.0/8, 10 bridges use
 192.168.0.0/16, and 2 bridges use 172.16.0.0/12, so a total of 24 bridges
 use private addresses.

 > Replying to [comment:7 cjb]:
 > > Replying to [comment:1 arma]:
 > > > Another option here is to leave the bridge authority alone, and
 > > > teach bridgedb that if there's an internal address in the extrainfo
 > > > descriptor, it should swap it out in favor of the public address in the
 > > > descriptor.
 > > >
 > > > Then once the #31009 fix is sufficiently deployed, it shouldn't
 > > > matter anymore.
 > > >
 > > > (That way we could make use of the current obfs4 bridges even if
 > > > they haven't upgraded yet.)
 > >
 > > I think I could volunteer to work on this ticket, but it looks like we
 > > still need to decide what to do.  Options:
 >
 > There's a tradeoff here, so maybe we should ask the anti-censorship team
 > what they'd like.

 I prefer having the bridge authority reject descriptors with private
 addresses. In my opinion, a private address has no business being in the
 descriptor and we should reject such descriptors rather than guessing what
 the bridge operators meant to do.

 In parallel, we could teach BridgeDB to rewrite private to public IP
 addresses but given that only 24 bridges are affected by this issue, I
 don't consider this a priority.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31011#comment:9>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
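An added example, not code from the ticket or from Tor itself, of the check argued for above: classify each pluggable-transport address against the three private ranges counted in the comment and reject the descriptor when DirAllowPrivateAddresses is 0, with a tally per range as in the Dec 17 count. The "transport <name> <addr>:<port> [args]" line layout and the sample descriptors are assumptions constructed for the example.

```python
import ipaddress
import re

DIR_ALLOW_PRIVATE_ADDRESSES = 0  # stand-in for the torrc option: 0 = reject, 1 = allow

# The three RFC 1918 ranges tallied in the comment.
PRIVATE_RANGES = {
    "10.0.0.0/8": ipaddress.ip_network("10.0.0.0/8"),
    "172.16.0.0/12": ipaddress.ip_network("172.16.0.0/12"),
    "192.168.0.0/16": ipaddress.ip_network("192.168.0.0/16"),
}

# Assumed layout of extrainfo lines: "transport <name> <addr>:<port> [args]".
TRANSPORT_RE = re.compile(r"^transport\s+(\S+)\s+(\S+?):(\d+)(?:\s+(.*))?$")

# Constructed sample descriptors: transport lines only, placeholder arguments.
SAMPLE_EXTRAINFO = [
    "transport obfs4 203.0.113.7:443 cert=PLACEHOLDER,iat-mode=0\n",
    "transport obfs4 10.4.4.4:9001 cert=PLACEHOLDER,iat-mode=0\n",
    "transport obfs4 192.168.1.20:443\ntransport meek 192.168.1.20:8443\n",
    "transport obfs4 172.20.0.9:443\n",
]

def private_range_of(addr):
    """Name of the RFC 1918 range containing addr, or None (bracketed IPv6 never matches)."""
    ip = ipaddress.ip_address(addr.strip("[]"))
    return next((name for name, net in PRIVATE_RANGES.items() if ip in net), None)

def transport_addresses(extrainfo):
    # Yield (transport name, address) for every transport line in a descriptor.
    for line in extrainfo.splitlines():
        m = TRANSPORT_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def should_reject(extrainfo, allow_private=DIR_ALLOW_PRIVATE_ADDRESSES):
    # Rejection reason under the proposed rule, or None if the descriptor passes.
    if allow_private:
        return None
    for name, addr in transport_addresses(extrainfo):
        rng = private_range_of(addr)
        if rng is not None:
            return f"transport {name} advertises private address {addr} ({rng})"
    return None

def tally_private(descriptors):
    # Count descriptors per private range; each descriptor counts at most once.
    counts = {name: 0 for name in PRIVATE_RANGES}
    for desc in descriptors:
        hits = [private_range_of(a) for _, a in transport_addresses(desc)]
        rng = next((r for r in hits if r), None)
        if rng:
            counts[rng] += 1
    return counts
```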
