[tor-bugs] #33375 [Core Tor/Tor]: Stop advertising an IPv6 exit policy when DNS is broken for IPv6

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Mar 20 11:36:34 UTC 2020


#33375: Stop advertising an IPv6 exit policy when DNS is broken for IPv6
-------------------------------------------------+-------------------------
 Reporter:  teor                                 |          Owner:  neel
     Type:  defect                               |         Status:
                                                 |  needs_review
 Priority:  Medium                               |      Milestone:  Tor:
                                                 |  0.4.4.x-final
Component:  Core Tor/Tor                         |        Version:  Tor:
                                                 |  0.2.9.14
 Severity:  Normal                               |     Resolution:
 Keywords:  security-review-dos-risk, extra-     |  Actual Points:
  review, no-backport, ipv6, tor-exit, tor-dns   |
Parent ID:  #24833                               |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------
Changes (by teor):

 * reviewer:  teor =>


Comment:

 I don't have time to keep on reviewing this patch right now. I'm really
 busy with Google Summer of Code and Outreachy. So I'm going to pass it to
 another reviewer.

 Here are some things for the reviewer to check:

 Replying to [comment:5 teor]:
 > This IPv6 DNS code is currently unused, so it has never been tested. So
 > I want to make sure we have the design right.
 >
 > Here are some issues I noticed when reading the code:
 > * the code only counts DNS errors on timeout, but there are actually 11
 > different DNS errors. We should consider which errors we want to track,
 > and which ones we want to ignore. See
 > http://www.wangafu.net/~nickm/libevent-2.1/doxygen/html/dns_8h.html

 Which errors should we turn off IPv6 DNS for? All of them? Only the ones
 that clients can't trigger?

 > * the minimum number of queries before failure is 10. But that could
 > happen by chance, on server startup. Let's make the minimum something more
 > reasonable. We can make it at least 1000. But maybe we should set it to 1
 > when TestingTorNetwork is set. That way, broken IPv6 exits will fail
 > quickly in chutney.

 The last version of the PR I reviewed changed the wrong "10". Please check
 that the new PR changes this code:
 https://github.com/torproject/tor/pull/1771/files#diff-ed2a85a7ec36e73dc681fe94a7dcf524L1556

 > We should find out which DNS errors can be triggered by tor clients, and
 > ignore them. Otherwise, a client that floods an exit with bad DNS queries
 > could disable IPv6 exiting on that relay. I think Nick might be able to
 > help here.

 We also need to think about the risk of DNS-based attacks.

 > I think it's ok to fail thousands of client circuits, before an IPv6
 > exit disables IPv6. Because getting the new descriptor to clients can take
 > an hour or two. There's also a tradeoff here: we want quiet exits to
 > disable IPv6 eventually. But we want busy exits to survive a momentary
 > glitch.

 Overall, I wonder if this patch is the best way to solve this issue.
 Perhaps we should manually apply the BadExit flag through the network
 health team. Perhaps we should set the limits much, much higher.

 Do we know how many queries a busy exit processes? And how many timeouts
 they have?
 It's really hard to make a good design without good data.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33375#comment:16>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
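The threshold design the comment argues about (count only some DNS errors, require a minimum number of lookups before deciding, drop that minimum to 1 under TestingTorNetwork) can be seen end to end in a small model. The following is an added example written for this page; it is not Tor's code and not the code in pull request 1771. The error names mirror libevent's DNS_ERR_* list but the numeric values are constructed, the split between "resolver-side" and "client-triggerable" errors is an assumption (it is exactly the open question in the ticket), and the 50% failure ratio is an assumed value the ticket never fixes. The scenario functions show a NXDOMAIN flood and a startup blip leaving IPv6 enabled, while a sustained resolver outage disables it.

```c
#include <stdbool.h>
#include <stdio.h>

/* Names mirror libevent's DNS_ERR_* list (the 11 errors besides
 * DNS_ERR_NONE the ticket refers to). Numeric values are constructed
 * for this example and are not libevent's. */
enum dns_err {
  DNSX_NONE, DNSX_FORMAT, DNSX_SERVERFAILED, DNSX_NOTEXIST, DNSX_NOTIMPL,
  DNSX_REFUSED, DNSX_TRUNCATED, DNSX_UNKNOWN, DNSX_TIMEOUT, DNSX_SHUTDOWN,
  DNSX_CANCEL, DNSX_NODATA
};

/* Assumed classification: only errors that originate at the resolver
 * count toward disabling IPv6 exiting. NOTEXIST/NODATA are what a remote
 * client obtains simply by asking for a name with no AAAA record, so a
 * flood of those must not be able to switch IPv6 off. Which list each
 * error belongs on is the design decision the ticket leaves open. */
static bool dns_err_is_resolver_failure(enum dns_err e) {
  switch (e) {
    case DNSX_TIMEOUT:
    case DNSX_SERVERFAILED:
    case DNSX_SHUTDOWN:
      return true;
    default:
      return false;
  }
}

typedef struct {
  unsigned long queries;      /* AAAA lookups completed */
  unsigned long failures;     /* lookups that failed on the resolver side */
  unsigned long min_queries;  /* no decision before this many lookups */
  unsigned long failure_pct;  /* disable once failures reach this share */
} ipv6_dns_stats_t;

/* min_queries: 1000 in production (the ticket asks for "at least 1000"),
 * 1 under TestingTorNetwork so a broken chutney exit fails fast.
 * failure_pct (50) is an assumed value; the ticket fixes no ratio. */
void ipv6_dns_stats_init(ipv6_dns_stats_t *s, bool testing_tor_network) {
  s->queries = 0;
  s->failures = 0;
  s->min_queries = testing_tor_network ? 1 : 1000;
  s->failure_pct = 50;
}

bool ipv6_dns_should_disable(const ipv6_dns_stats_t *s) {
  if (s->queries < s->min_queries)
    return false;
  return s->failures * 100 >= s->queries * s->failure_pct;
}

/* Record one completed AAAA lookup; true means the relay should stop
 * advertising an IPv6 exit policy. */
bool ipv6_dns_record(ipv6_dns_stats_t *s, enum dns_err e) {
  s->queries++;
  if (dns_err_is_resolver_failure(e))
    s->failures++;
  return ipv6_dns_should_disable(s);
}

/* Constructed scenario: `ok` successes, then `n` results of kind `e`. */
static bool run_scenario(bool testing, unsigned long ok, unsigned long n,
                         enum dns_err e) {
  ipv6_dns_stats_t s;
  ipv6_dns_stats_init(&s, testing);
  bool disable = false;
  for (unsigned long i = 0; i < ok; i++)
    disable = ipv6_dns_record(&s, DNSX_NONE);
  for (unsigned long i = 0; i < n; i++)
    disable = ipv6_dns_record(&s, e);
  return disable;
}

/* A client floods the exit with names that do not resolve. */
bool scenario_client_flood(void) { return run_scenario(false, 0, 5000, DNSX_NOTEXIST); }
/* Ten timeouts right after startup, before any real traffic. */
bool scenario_startup_glitch(void) { return run_scenario(false, 0, 10, DNSX_TIMEOUT); }
/* The same ten timeouts inside a chutney test network. */
bool scenario_startup_glitch_testing(void) { return run_scenario(true, 0, 10, DNSX_TIMEOUT); }
/* Busy exit: 10000 good lookups, then a 100-timeout blip. */
bool scenario_busy_exit_blip(void) { return run_scenario(false, 10000, 100, DNSX_TIMEOUT); }
/* Resolver genuinely broken for IPv6: 1000 timeouts in a row. */
bool scenario_resolver_outage(void) { return run_scenario(false, 0, 1000, DNSX_TIMEOUT); }

int main(void) {
  printf("client NXDOMAIN flood disables IPv6: %d\n", scenario_client_flood());
  printf("startup glitch (production):         %d\n", scenario_startup_glitch());
  printf("startup glitch (TestingTorNetwork):  %d\n", scenario_startup_glitch_testing());
  printf("busy exit, momentary blip:           %d\n", scenario_busy_exit_blip());
  printf("sustained resolver outage:           %d\n", scenario_resolver_outage());
  return 0;
}
```

The point of keeping the classification in one switch is that the reviewer's question ("which errors can clients trigger?") becomes a one-line table to audit, and the scenario functions double as the regression check that a flood of client-triggerable errors can never flip the policy.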