IPv6 exit proposal

Nick Mathewson nickm at freehaven.net
Tue Jul 10 17:39:26 UTC 2007

On Sat, Jul 07, 2007 at 10:54:50AM -0700, coderman wrote:
> apologies for formatting; available at
> http://peertech.org/pub/tor-ipv6-exit-proposal.txt if this is
> unreadable.
> ---
> Proposal : IPv6 exit

Added as proposal 117, and re-wrapped to fit in 80 columns; thanks!


>   It should be noted that IPv4 mapped IPv6 addresses are not valid
>   exit destinations.  This mechanism is mainly used to interoperate
>   with both IPv4 and IPv6 clients on the same socket.  Any attempts
>   to use an IPv4 mapped IPv6 address, perhaps to circumvent exit
>   policy for IPv4, must be refused.

Alternatively, we could just apply IPv4 exit policies to IPv4-mapped
IPv6 addresses.  Would that be cleaner?

> 1.3. DNS name resolution of IPv6 addresses (AAAA records)
>   All routers which perform DNS resolution on behalf of clients
>   (RELAY_RESOLVE) should perform and respond with both A and AAAA
>   resources.

Hm.  We need some way to do this inside the current relay_resolve
format without confusing existing clients.

> 3. Questions and concerns
> 3.1. DNS A6 records
>   A6 is explicitly avoided in this document.  There are potential
>   reasons for implementing this, however, the inherent complexity of
>   the protocol and resolvers make this unappealing.  Is there a
>   compelling reason to consider A6 as part of IPv6 exit support?

I'm okay doing nothing with A6 for now.

> 3.3. Support for IPv6 only clients
>   It may be useful to support IPv6 only clients using IPv4 mapped IPv6
>   addresses.  This would require transparent DNS proxy using IPv6
>   transport and the ability to map A record responses into IPv4 mapped
>   IPv6 addresses.  The transparent TCP proxy would thus need to detect these
>   mapped addresses and connect to the desired IPv4 host.
>   The relative lack of any IPv6 only hosts or applications makes
>   this a lot of work for very little gain.  Is there a compelling
>   reason to support this capability?

I'd like to add support for IPv6-only clients, but I think that's a
separate proposal.

Nick Mathewson
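
Added example (not part of the original message, and not Tor code): the two
ways of handling IPv4-mapped IPv6 exit destinations discussed above, refusing
them as the proposal says or applying the IPv4 exit policy as the reply
suggests. The function names, the MAPPED_UNCHECKED mode and both sample
policies are constructed for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>

enum verdict { EXIT_ACCEPT, EXIT_REJECT };
/* MAPPED_UNCHECKED models an exit with no special handling (the gap). */
enum mapped_mode { MAPPED_UNCHECKED, MAPPED_REFUSE, MAPPED_USE_V4_POLICY };

/* ::ffff:0:0/96, the IPv4-mapped prefix. */
static const uint8_t V4MAPPED_PREFIX[12] = {0,0,0,0,0,0,0,0,0,0,0xff,0xff};

/* Constructed IPv4 exit policy: reject 10.0.0.0/8, accept the rest. */
static enum verdict v4_policy(uint32_t host_order)
{
    return (host_order & 0xff000000u) == 0x0a000000u ? EXIT_REJECT
                                                     : EXIT_ACCEPT;
}

/* Constructed IPv6 exit policy: reject fc00::/7, accept the rest. */
static enum verdict v6_policy(const struct in6_addr *a)
{
    return (a->s6_addr[0] & 0xfe) == 0xfc ? EXIT_REJECT : EXIT_ACCEPT;
}

/* Decide whether the exit may connect to the textual address dest. */
enum verdict exit_check(const char *dest, enum mapped_mode mode)
{
    struct in_addr a4;
    struct in6_addr a6;
    uint32_t v4;

    if (inet_pton(AF_INET, dest, &a4) == 1)
        return v4_policy(ntohl(a4.s_addr));
    if (inet_pton(AF_INET6, dest, &a6) != 1)
        return EXIT_REJECT;            /* unparseable: fail closed */

    /* Compare parsed bytes, not text: "::ffff:a00:1" is 10.0.0.1 too. */
    if (mode != MAPPED_UNCHECKED &&
        memcmp(a6.s6_addr, V4MAPPED_PREFIX, sizeof V4MAPPED_PREFIX) == 0) {
        if (mode == MAPPED_REFUSE)
            return EXIT_REJECT;        /* rule in the quoted proposal */
        memcpy(&v4, &a6.s6_addr[12], sizeof v4);
        return v4_policy(ntohl(v4));   /* alternative from the reply */
    }
    return v6_policy(&a6);
}
```

With MAPPED_UNCHECKED the mapped form of a rejected IPv4 address falls through
to the IPv6 policy and is accepted; both other modes close that gap, and only
MAPPED_USE_V4_POLICY still permits mapped addresses the IPv4 policy allows.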