[tor-relays] Exit node rejection of special IPv4 blocks

Zack Weinberg zackw at cmu.edu
Wed Apr 23 19:12:36 UTC 2014


I'd like a sanity check on this list of special-purpose IPv4 blocks
which I'm currently forbidding in the CMU exit node's policy.  I'm
most uncertain about denying access to multicast (224.0.0.0/4) and
6to4 router anycast (192.88.99.0/24) -- I *think* there are no
scenarios where someone would actually need to get at either of those
via Tor, but I could be wrong.

# Reserved IPv4 addresses, sorted by RFC and then numerically
reject 255.255.255.255/32:*  # RFC 0919: "limited broadcast"
reject 224.0.0.0/4:*         # RFC 1112: multicast
reject 240.0.0.0/4:*         # RFC 1112: future addressing modes

reject 0.0.0.0/8:*           # RFC 1122: "This host" source address
reject 127.0.0.0/8:*         # RFC 1122: Loopback

reject 10.0.0.0/8:*          # RFC 1918: private use
reject 172.16.0.0/12:*       # "   "     "
reject 192.168.0.0/16:*      # "   "     "

reject 198.18.0.0/15:*       # RFC 2544: test environments
reject 192.88.99.0/24:*      # RFC 3068: 6to4 relay anycast (???)
reject 169.254.0.0/16:*      # RFC 3927: link-local

reject 192.0.2.0/24:*        # RFC 5737: documentation
reject 198.51.100.0/24:*     # "   "     "
reject 203.0.113.0/24:*      # "   "     "

reject 100.64.0.0/10:*       # RFC 6598: "shared space"/"carrier grade NAT"
reject 192.0.0.0/24:*        # RFC 6890: future special purposes

TIA,
zw
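
One way to run the sanity check requested above, as an added example that is not part of the original message: it parses the reject lines from the post, flags any block already covered by another, and evaluates an address first-match, the way exit policies are applied. The function names are assumptions, and ports are ignored because every rule in the list is `:*`.

```python
import ipaddress
# Networks from the reject lines in the post above (every rule there is ":*").
POLICY = """
reject 255.255.255.255/32:*
reject 224.0.0.0/4:*
reject 240.0.0.0/4:*
reject 0.0.0.0/8:*
reject 127.0.0.0/8:*
reject 10.0.0.0/8:*
reject 172.16.0.0/12:*
reject 192.168.0.0/16:*
reject 198.18.0.0/15:*
reject 192.88.99.0/24:*
reject 169.254.0.0/16:*
reject 192.0.2.0/24:*
reject 198.51.100.0/24:*
reject 203.0.113.0/24:*
reject 100.64.0.0/10:*
reject 192.0.0.0/24:*
"""

def parse_policy(text):
    """Parse 'ACTION NET:PORTS' lines; a prefix with host bits set raises ValueError."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        action, target = line.split(None, 1)
        net, _, ports = target.partition(":")
        rules.append((action, ipaddress.ip_network(net), ports))
    return rules

def redundant_rules(rules):
    """Return (inner, outer) pairs where one block lies wholly inside another."""
    nets = [net for _, net, _ in rules]
    return [(a, b) for a in nets for b in nets if a != b and a.subnet_of(b)]

def first_match(rules, addr):
    """Return the first rule covering addr as (action, network), else None."""
    ip = ipaddress.ip_address(addr)
    for action, net, _ in rules:
        if ip in net:
            return action, str(net)
    return None  # nothing in this list matches; later policy lines would decide

if __name__ == "__main__":
    for inner, outer in redundant_rules(parse_policy(POLICY)):
        print(f"{inner} is already covered by {outer}")
```

Run against this list, the only overlap reported is 255.255.255.255/32, which already falls inside 240.0.0.0/4.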

