Proposal: MapAddress wildcards [*]

grarpamp grarpamp at gmail.com
Fri Oct 30 06:40:40 UTC 2009


This proposal regarding domain name mapping is still alive and
maybe made it into a developer queue somewhere :)

However I forgot to add the IP address version of it. This is very
rough... wanted to get it out there for comment as time is short
to do much with it atm.

It is known that both FQDNs and IPs are commonly published,
embedded and otherwise used for various purposes on the internet
at large. Therefore:

Mapaddress should also be able to map any destination IPv4 or IPv6
address in CIDR notation through any particular exit. The CIDR
notation is what's new and provides the wildcard function. Example:

# catch just one address, route it through this exit
MAPADDRESS 1.2.3.4/32 1.2.3.4/32.<fingerprint>.exit
# map a range of addresses
MAPADDRESS 10.0.0.0/22 10.0.0.0/22.<fingerprint>.exit
# map all traffic
MAPADDRESS 0.0.0.0/0 0.0.0.0/0.<fingerprint>.exit

Other interesting variations may be possible or useful:

# one to one by name, name could be wildcarded
MAPADDRESS foo.com 1.2.3.4/32.<fingerprint>.exit

# many to one name/ip
MAPADDRESS 10.0.0.0/22 foo.com.<fingerprint>.exit
MAPADDRESS 10.0.0.0/22 1.2.3.4/32.<fingerprint>.exit

# address translation
MAPADDRESS 2.3.4.5/20 7.8.9.0/20.<fingerprint>.exit


There should be a control flag somewhere that says socks requests
for FQDNs that are resolved to IP addresses should then be finally
checked against the CIDR maps. Default = 1.

# MapFqdnCidr = 0
foo.com -> socks -> tor_resolve [ip1] -> exit -> internet [ip1]
# MapFqdnCidr = 1
foo.com -> socks -> tor_resolve [ip1] -> tor_map [ip2] -> exit -> internet [ip2]


There could also be something where tor will auto-create a matching
one to one host map like 1.2.3.4/32 1.2.3.4/32.<fingerprint>.exit.
foo.com maps to an ip, so might as well also map whatever that
resolves to, to the same exit. I think it already does this to some
extent but would catch the cases where, say, a webserver admin coded
both the FQDN and IP in an HTML page. Could get funky if multiple A
records come back. And could be covered by 0/0 ip and *. fqdn maps,
so a non priority.

Just thinking... thanks!
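A worked model of the CIDR matching and of the MapFqdnCidr check described in the post, added here as an illustration; it is not Tor code and is not from the original message. It assumes the proposed `MAPADDRESS <src> <cidr>.<fingerprint>.exit` syntax, longest-prefix matching with earlier rules winning ties, that "address translation" carries the host offset within the source block into the target block (so a /32 target collapses every source address onto that one host, the "many to one" case), and that an exact hostname rule wins over CIDR rules. The rule set, the fingerprints and the DNS answers are constructed placeholders.

```python
import ipaddress


class MapRule:
    """One MAPADDRESS line in the proposed syntax (assumed, not Tor's parser).

    src is an ipaddress network (CIDR rule) or a lowercase hostname
    (exact-name rule); dst is the target block taken from
    "<cidr>.<fingerprint>.exit"; fingerprint identifies the exit.
    """

    def __init__(self, src, dst, fingerprint):
        self.src = src
        self.dst = dst
        self.fingerprint = fingerprint


def parse_rule(line):
    """Parse 'MAPADDRESS <src> <cidr>.<fingerprint>.exit'."""
    parts = line.split()
    if len(parts) != 3 or parts[0].upper() != "MAPADDRESS":
        raise ValueError(f"malformed rule: {line!r}")
    src_text, target = parts[1], parts[2]
    if not target.endswith(".exit"):
        raise ValueError(f"target must end in .exit: {target!r}")
    # rsplit keeps the CIDR intact whether it uses dots (IPv4) or colons (IPv6)
    cidr, fingerprint = target[: -len(".exit")].rsplit(".", 1)
    # strict=False normalises 2.3.4.5/20 to its network 2.3.0.0/20
    dst = ipaddress.ip_network(cidr, strict=False)
    try:
        src = ipaddress.ip_network(src_text, strict=False)
    except ValueError:
        src = src_text.lower()  # not a CIDR block: treat as an exact hostname
    else:
        if src.version != dst.version:
            raise ValueError(f"address family mismatch: {line!r}")
    return MapRule(src, dst, fingerprint)


def _translate(offset, rule):
    """Carry the offset inside the source block into the target block.

    Equal prefix lengths give a pure prefix rewrite; a /32 target has one
    address, so the modulo collapses every source onto that host.
    """
    mapped = rule.dst.network_address + (offset % rule.dst.num_addresses)
    return f"{mapped}.{rule.fingerprint}.exit"


def map_address(addr, rules):
    """Longest-prefix match of an IP against the CIDR rules; None if unmapped.
    Earlier rules win ties. A v4 address never matches a v6 block or vice versa."""
    addr = ipaddress.ip_address(addr)
    best = None
    for rule in rules:
        if isinstance(rule.src, str) or addr not in rule.src:
            continue
        if best is None or rule.src.prefixlen > best.src.prefixlen:
            best = rule
    if best is None:
        return None
    return _translate(int(addr) - int(best.src.network_address), best)


def map_hostname(name, rules, resolve, map_fqdn_cidr=True):
    """Model of the proposed MapFqdnCidr flag.

    An exact-name rule wins outright. Otherwise the name is resolved and,
    only when the flag is on, the resulting IP is run through the CIDR maps
    (the post's "final check"). An unmapped destination comes back as the
    plain IP, i.e. it is left to normal exit selection.
    """
    name = name.lower()
    for rule in rules:
        if rule.src == name:
            return _translate(0, rule)
    ip = resolve(name)
    if map_fqdn_cidr:
        mapped = map_address(ip, rules)
        if mapped is not None:
            return mapped
    return str(ip)


# Constructed rule set; AAAA..GGGG stand in for real relay fingerprints.
RULES = [parse_rule(line) for line in [
    "MAPADDRESS 1.2.3.4/32 1.2.3.4/32.AAAA.exit",           # one host, same address
    "MAPADDRESS 10.0.0.0/22 10.0.0.0/22.BBBB.exit",         # a range, same addresses
    "MAPADDRESS 2.3.4.5/20 7.8.9.0/20.CCCC.exit",           # address translation
    "MAPADDRESS 192.0.2.0/24 198.51.100.1/32.DDDD.exit",    # many to one
    "MAPADDRESS foo.com 1.2.3.4/32.EEEE.exit",              # name to address
    "MAPADDRESS 2001:db8::/32 2001:db8::/32.FFFF.exit",     # IPv6 range
    "MAPADDRESS 0.0.0.0/0 0.0.0.0/0.GGGG.exit",             # everything else (v4)
]]

# Constructed stand-in for tor_resolve.
FAKE_DNS = {"bar.example": "10.0.2.9", "baz.example": "203.0.113.7"}


def fake_resolve(name):
    return ipaddress.ip_address(FAKE_DNS[name])


if __name__ == "__main__":
    for dest in ["1.2.3.4", "10.0.1.7", "2.3.4.5", "192.0.2.77", "2001:db8::1", "8.8.8.8"]:
        print(f"{dest:>12} -> {map_address(dest, RULES)}")
    for flag in (1, 0):
        print(f"MapFqdnCidr={flag}: bar.example ->",
              map_hostname("bar.example", RULES, fake_resolve, bool(flag)))
```

The 0.0.0.0/0 rule is the catch-all from the post: it only wins when nothing more specific matches, and because its target block starts at 0.0.0.0 the "translation" leaves the address unchanged. Turning MapFqdnCidr off shows the difference the flag makes: bar.example still resolves to 10.0.2.9, but that address is no longer steered through the 10.0.0.0/22 exit.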
