[tor-bugs] #31009 [Core Tor/Tor]: Tor lets transports advertise private IP addresses in descriptor

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Dec 20 01:29:53 UTC 2019


#31009: Tor lets transports advertise private IP addresses in descriptor
-------------------------------------------------+-------------------------
 Reporter:  phw                                  |          Owner:  (none)
     Type:  defect                               |         Status:
                                                 |  needs_revision
 Priority:  Medium                               |      Milestone:  Tor:
                                                 |  0.4.3.x-final
Component:  Core Tor/Tor                         |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tor-pt, tor-bridge, 035-backport,    |  Actual Points:
  040-backport, 041-backport, anti-censorship-   |
  roadmap-july, 042-deferred-20190918            |
Parent ID:                                       |         Points:  0.5
 Reviewer:  ahf                                  |        Sponsor:
                                                 |  Sponsor28-can
-------------------------------------------------+-------------------------
Changes (by teor):

 * keywords:
     tor-pt, tor-bridge, 029-backport, 035-backport, 040-backport,
     041-backport, anti-censorship-roadmap-july, 042-deferred-20190918
     =>
     tor-pt, tor-bridge, 035-backport, 040-backport, 041-backport, anti-
     censorship-roadmap-july, 042-deferred-20190918
 * status:  needs_review => needs_revision
 * milestone:  Tor: unspecified => Tor: 0.4.3.x-final


Comment:

 Thanks for this patch!

 This patch has two issues:
 * if the address is an IPv6 address, it is replaced with an IPv4 address
   * we should use the advertised IPv6 ORPort address to replace internal
     IPv6 addresses
 * the replacement happens in test and internal networks, as well as the
   public Tor network
   * there's no way that the bridge can know if internal addresses are
     acceptable to the bridge authority or BridgeDB. But I think it's still ok
     to replace the address, because the published address should be the right
     kind of address for these networks, anyway. But we should add comments
     explaining why it's ok.

 I think we should also base this patch on maint-0.3.5, so we can backport
 it if needed.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31009#comment:14>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
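
Added example (not part of the ticket and not Tor's code): the family-aware replacement the first review point asks for, where an internal IPv6 transport address is replaced by the advertised IPv6 ORPort address rather than by an IPv4 one. The names addr_family, is_internal and choose_published_addr are hypothetical, the internal-range list is a simplified assumption, and the addresses in main() are constructed from documentation ranges.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Parse an IP literal into buf; return AF_INET, AF_INET6, or 0 if invalid. */
static int addr_family(const char *s, unsigned char buf[16]) {
  if (inet_pton(AF_INET, s, buf) == 1) return AF_INET;
  if (inet_pton(AF_INET6, s, buf) == 1) return AF_INET6;
  return 0;
}

/* 1 if the address is in a non-routable range (simplified list, assumption). */
static int is_internal(int family, const unsigned char *a) {
  static const unsigned char zero[15] = {0};
  if (family == AF_INET)
    return a[0] == 0 || a[0] == 10 || a[0] == 127 ||   /* 0/8, 10/8, 127/8 */
           (a[0] == 169 && a[1] == 254) ||             /* 169.254/16 */
           (a[0] == 172 && (a[1] & 0xf0) == 16) ||     /* 172.16/12 */
           (a[0] == 192 && a[1] == 168);               /* 192.168/16 */
  if (memcmp(a, zero, 10) == 0 && a[10] == 0xff && a[11] == 0xff)
    return is_internal(AF_INET, a + 12);               /* ::ffff:a.b.c.d */
  if (memcmp(a, zero, 15) == 0 && a[15] <= 1) return 1; /* :: and ::1 */
  if ((a[0] & 0xfe) == 0xfc) return 1;                 /* fc00::/7 */
  if (a[0] == 0xfe && (a[1] & 0xc0) == 0x80) return 1; /* fe80::/10 */
  return 0;
}

/* Address to publish for a transport listener. A routable address is kept.
 * An internal one is replaced by the ORPort address of the SAME family;
 * NULL means there is nothing suitable to publish (invalid input, or no
 * ORPort address of that family was supplied). */
const char *choose_published_addr(const char *transport_addr,
                                  const char *orport_v4,
                                  const char *orport_v6) {
  unsigned char buf[16];
  int family = addr_family(transport_addr, buf);
  if (family == 0) return NULL;
  if (!is_internal(family, buf)) return transport_addr;
  return family == AF_INET6 ? orport_v6 : orport_v4;
}

int main(void) {
  /* Constructed inputs: internal transport addresses, documentation-range ORPorts. */
  const char *v4 = "203.0.113.7", *v6 = "2001:db8::7";
  printf("10.0.0.5 -> %s\n", choose_published_addr("10.0.0.5", v4, v6));
  printf("fd00::5  -> %s\n", choose_published_addr("fd00::5", v4, v6));
  return 0;
}
```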

