[tor-bugs] #33898 [Core Tor/Tor]: Stop modifying addr on connections, and delete real_addr

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Apr 30 02:06:26 UTC 2020


#33898: Stop modifying addr on connections, and delete real_addr
-------------------------------------------+-------------------------------
 Reporter:  teor                           |          Owner:  nickm
     Type:  defect                         |         Status:  assigned
 Priority:  High                           |      Milestone:  Tor:
                                           |  0.4.4.x-final
Component:  Core Tor/Tor                   |        Version:
 Severity:  Normal                         |     Resolution:
 Keywords:  ipv6, technical-debt, prop311  |  Actual Points:
Parent ID:  #33048                         |         Points:  1
 Reviewer:                                 |        Sponsor:  Sponsor55-can
-------------------------------------------+-------------------------------

Comment (by arma):

 Yeah, I can try to explain how we got here, and then folks can decide if
 they have a better place we can get to.

 When you receive a connection from a relay, it never comes from the
 relay's IP address and ORPort. At best, it comes from the relay's IP
 address and some high-numbered port. So if you rely on the address and
 port of the incoming connection to be able to learn which relay it is,
 there will at best be ambiguity in the cases where an IP address runs more
 than one relay ("which one is the one that connected to you?"), and at
 worst the connection came from a different IP address than is listed in
 the relay's descriptor, for example because the other side sets
 OutboundBindAddress, or because they *don't* set it but their default
 route goes out through a different IP address, or because you do some port
 forwarding thing on your side so it looks to you like connections come
 from your forwarder.

 Also there's the (hopefully less common) case where somebody is trying to
 do a person-in-the-middle attack where they ask the other side to extend
 to your identity but their address, and then they forward the connection
 to you. Or they ask you to connect to some remote relay but at a
 nonstandard address and port, and then they redirect that connection to
 the relay.

 Ok. Given that context, here are the rules we followed back when I wrote
 this part:

 * If the connection is to (or from) a known relay, then addr and port will
 tell you which relay it is.
 * Else (not to/from a known relay), addr and port will be whatever you
 tried to connect to, or whatever TCP told you for the incoming connection.

 * real_addr will always be whatever-you-tried-to-connect-to or
 whatever-TCP-told-you. In the case where we overwrote addr and port because
 it's a known relay, there is no concept of real_port, i.e. that information
 is discarded.
 * address will always be a string version of addr. We keep it entirely so
 we don't have to keep recreating it every time we want to write addr
 somewhere.

 For extra context, the above conventions predate the "canonical" flag, and
 also predate the DoS subsystem (which rightly looks at real_addr rather
 than addr).

 I agree that these rules start to get ugly once relays have multiple
 canonical addresses.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33898#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
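The addr / real_addr / address rules set out in the comment above, as an added example written for this page; it is not Tor's own connection code, and the relay_t and or_conn_t structs, the function names and the relay/connection data (TEST-NET addresses) are all constructed for illustration. It models an inbound connection from an IP that hosts two relays (addr alone is ambiguous until the handshake proves an identity), a relay whose connection arrives from an address other than its descriptor address (addr is rewritten, real_addr is not, and the DoS key follows real_addr), and an unknown peer (nothing is rewritten). There is deliberately no real_port field, matching the comment's observation that the TCP port is discarded once addr/port are overwritten for a known relay.

```c
/* Added example: a toy model of the addr / real_addr / address rules.
 * Illustrative code written for this page, not Tor's own connection code;
 * the struct and function names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A relay as listed in its descriptor (hypothetical, trimmed-down model). */
typedef struct {
  const char *nickname;
  const char *identity; /* identity digest, shortened to a label here */
  const char *addr;     /* IP address from the descriptor (IPv4 only) */
  uint16_t or_port;     /* ORPort from the descriptor */
} relay_t;

/* A toy OR connection following the conventions in the comment:
 *  - addr/port identify the relay once we know it, else the TCP endpoint;
 *  - real_addr is always what TCP told us (or what we tried to connect to);
 *  - address is a cached string copy of addr;
 *  - there is no real_port: once addr/port are rewritten for a known relay,
 *    the TCP-level port is gone. */
typedef struct {
  char addr[64];
  uint16_t port;
  char real_addr[64];
  char address[64];
  bool known_relay; /* set once addr/port were rewritten from a descriptor */
} or_conn_t;

/* "address will always be a string version of addr" */
static void conn_refresh_address(or_conn_t *c) {
  snprintf(c->address, sizeof(c->address), "%s", c->addr);
}

/* A connection just accepted (or just opened): addr and real_addr both hold
 * the TCP endpoint, because we do not yet know which relay it is. */
void conn_init_from_tcp(or_conn_t *c, const char *tcp_addr, uint16_t tcp_port) {
  memset(c, 0, sizeof(*c));
  snprintf(c->addr, sizeof(c->addr), "%s", tcp_addr);
  snprintf(c->real_addr, sizeof(c->real_addr), "%s", tcp_addr);
  c->port = tcp_port;
  c->known_relay = false;
  conn_refresh_address(c);
}

/* How many relays in the directory list this IP?  More than one means the
 * TCP source address alone cannot tell you which relay connected. */
size_t relays_at_addr(const relay_t *relays, size_t n, const char *addr) {
  size_t count = 0;
  for (size_t i = 0; i < n; i++)
    if (strcmp(relays[i].addr, addr) == 0)
      count++;
  return count;
}

/* After the link handshake proves the peer's identity: if it is a known
 * relay, overwrite addr/port with the descriptor address and ORPort and
 * refresh the cached string.  real_addr is left untouched.  Returns false
 * (and changes nothing) for an identity we do not know. */
bool conn_set_identity(or_conn_t *c, const char *identity,
                       const relay_t *relays, size_t n) {
  for (size_t i = 0; i < n; i++) {
    if (strcmp(relays[i].identity, identity) == 0) {
      snprintf(c->addr, sizeof(c->addr), "%s", relays[i].addr);
      c->port = relays[i].or_port;
      c->known_relay = true;
      conn_refresh_address(c);
      return true;
    }
  }
  return false;
}

/* The DoS subsystem keys on real_addr: the address traffic actually came
 * from, not the descriptor address a known relay is listed under. */
const char *conn_dos_key(const or_conn_t *c) { return c->real_addr; }

int main(void) {
  /* Constructed directory: two relays on one IP, plus a third elsewhere. */
  static const relay_t relays[] = {
    { "relayA", "idA", "203.0.113.5", 9001 },
    { "relayB", "idB", "203.0.113.5", 9002 },
    { "relayC", "idC", "198.51.100.7", 9001 },
  };
  const size_t n = sizeof(relays) / sizeof(relays[0]);
  or_conn_t c;

  /* Case 1: inbound from a high port on an IP that hosts two relays. */
  conn_init_from_tcp(&c, "203.0.113.5", 51234);
  printf("%zu relays at %s: addr alone is ambiguous\n",
         relays_at_addr(relays, n, c.addr), c.addr);
  conn_set_identity(&c, "idB", relays, n);
  printf("after handshake: addr=%s port=%u real_addr=%s\n",
         c.addr, c.port, c.real_addr);

  /* Case 2: relayC reaches us from an IP that is not its descriptor IP
   * (e.g. OutboundBindAddress or a different default route). */
  conn_init_from_tcp(&c, "192.0.2.9", 40001);
  conn_set_identity(&c, "idC", relays, n);
  printf("relayC: addr=%s real_addr=%s dos_key=%s\n",
         c.addr, c.real_addr, conn_dos_key(&c));
  return 0;
}
```

Note that after conn_set_identity() in case 1 the original source port 51234 is unrecoverable from the connection, which is exactly the real_port gap the comment describes; a DoS or logging path that wants the observed endpoint has only real_addr to go on.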