[tor-bugs] #33234 [Core Tor/Tor]: Prop 312: 3.2.1. Make the Address torrc Option Resolve IPv6 Hostnames

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Apr 28 11:28:42 UTC 2020


#33234: Prop 312: 3.2.1. Make the Address torrc Option Resolve IPv6 Hostnames
---------------------------+------------------------------------
 Reporter:  teor           |          Owner:  teor
     Type:  enhancement    |         Status:  assigned
 Priority:  Medium         |      Milestone:  Tor: 0.4.4.x-final
Component:  Core Tor/Tor   |        Version:
 Severity:  Normal         |     Resolution:
 Keywords:  prop312, ipv6  |  Actual Points:
Parent ID:  #33049         |         Points:  2
 Reviewer:                 |        Sponsor:  Sponsor55-must
---------------------------+------------------------------------
Description changed by teor:

Old description:

> Make relays and bridges use the Address torrc option to find their IPv6
> addresses.
>
> This ticket covers the IPv6 hostname / DNS case:
>
>   2. Hostnames / DNS names:
>      * allow the option to be specified up to two times,
>      * look up the configured name,
>      * use the first IPv4 and IPv6 address returned by the resolver, and
>      Resolving multiple addresses in the same address family is not a
>      runtime error, but only the first address from each family will be
>      used.
>
> These lookups should ignore private addresses on public tor networks. If
> multiple IPv4 or IPv6 addresses are returned, the first public address
> from each family should be used.
>
> Tor should warn if a configured Address hostname does not resolve
> to any publicly routable IPv4 or IPv6 addresses. (If
> tor is configured with a custom set of directory authorities, private
> addresses should be allowed, with a notice-level log.)
> For security reasons, directory authorities only use addresses that are
> explicitly configured in their torrc. Therefore, we propose that
> directory authorities only accept IPv4 or IPv6 address literals in their
> Address option. They must not attempt to resolve their Address using DNS.
> It is a config error to provide a hostname as a directory authority's
> Address.
>
> See proposal 312, section 3.2.1, case 2:
> https://gitweb.torproject.org/torspec.git/tree/proposals/312-relay-auto-ipv6-addr.txt#n258

New description:

 This ticket depends on `Address IPv6` support in #33233.

 Make relays and bridges use the Address torrc option to find their IPv6
 addresses.

 This ticket covers the IPv6 hostname / DNS case:

   2. Hostnames / DNS names:
      * allow the option to be specified up to two times,
      * look up the configured name,
      * use the first IPv4 and IPv6 address returned by the resolver, and
      Resolving multiple addresses in the same address family is not a
      runtime error, but only the first address from each family will be
      used.

 These lookups should ignore private addresses on public tor networks. If
 multiple IPv4 or IPv6 addresses are returned, the first public address
 from each family should be used.

 Tor should warn if a configured Address hostname does not resolve
 to any publicly routable IPv4 or IPv6 addresses. (If
 tor is configured with a custom set of directory authorities, private
 addresses should be allowed, with a notice-level log.)
 For security reasons, directory authorities only use addresses that are
 explicitly configured in their torrc. Therefore, we propose that directory
 authorities only accept IPv4 or IPv6 address literals in their Address
 option. They must not attempt to resolve their Address using DNS. It is a
 config error to provide a hostname as a directory authority's Address.

 See proposal 312, section 3.2.1, case 2:
 https://gitweb.torproject.org/torspec.git/tree/proposals/312-relay-auto-ipv6-addr.txt#n258

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33234#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
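
The selection rule described in the ticket, as an added example that is not part of the ticket or of tor's code: keep the first acceptable IPv4 and IPv6 answer, skip private addresses unless a custom set of directory authorities is in use, and accept only literals for a directory authority. The names `pick_addresses` and `authority_address_ok`, the simplified internal-range checks and the sample answers are assumptions; resolver answers are passed in as text so the code runs without DNS.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified "not publicly routable" checks (assumption, not tor's own list). */
static bool internal4(const uint8_t a[4]) {
  return a[0] == 0 || a[0] == 10 || a[0] == 127 || (a[0] == 169 && a[1] == 254) ||
         (a[0] == 172 && (a[1] & 0xf0) == 16) || (a[0] == 192 && a[1] == 168);
}
static bool internal6(const uint8_t a[16]) {
  static const uint8_t zero[15] = {0};
  return (memcmp(a, zero, 15) == 0 && a[15] <= 1) ||   /* :: and ::1 */
         (a[0] & 0xfe) == 0xfc ||                      /* fc00::/7 */
         (a[0] == 0xfe && (a[1] & 0xc0) == 0x80);      /* fe80::/10 */
}

struct picked { const char *v4, *v6; };  /* NULL means no usable address */
/* Keep the first acceptable address of each family, in resolver order.
 * allow_private models a network with custom directory authorities. */
struct picked pick_addresses(const char *const *res, size_t n, bool allow_private) {
  struct picked p = {NULL, NULL};
  for (size_t i = 0; i < n; i++) {
    uint8_t b[16];
    if (inet_pton(AF_INET, res[i], b) == 1) {
      if (!p.v4 && (allow_private || !internal4(b))) p.v4 = res[i];
    } else if (inet_pton(AF_INET6, res[i], b) == 1) {
      if (!p.v6 && (allow_private || !internal6(b))) p.v6 = res[i];
    }
  }
  return p;
}

/* Directory authorities: Address must be a literal and is never resolved. */
bool authority_address_ok(const char *value) {
  uint8_t b[16];
  return inet_pton(AF_INET, value, b) == 1 || inet_pton(AF_INET6, value, b) == 1;
}

/* Constructed resolver answers; documentation ranges stand in for public ones. */
const char *const SAMPLE[] = {"192.168.1.10", "fe80::1", "203.0.113.7",
                              "198.51.100.9", "2001:db8::5"};
const char *const ONLY_PRIVATE[] = {"10.0.0.1", "fd00::1"};

int main(void) {
  struct picked p = pick_addresses(SAMPLE, 5, false);
  printf("IPv4 %s, IPv6 %s\n", p.v4 ? p.v4 : "(none)", p.v6 ? p.v6 : "(none)");
  return 0;
}
```

When both fields come back NULL, as with `ONLY_PRIVATE` on a public network, the caller is at the point where the ticket asks tor to warn.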