[tor-relays] IPv6 Only Exit Node

Tim Wilson-Brown - teor teor2345 at gmail.com
Tue Dec 15 18:25:54 UTC 2015


> On 16 Dec 2015, at 04:23, Hans Wurscht <tor at x2a.ch> wrote:
> 
> Hi
> 
> I would like to operate an IPv6 only exit node. I.e. it's fine if tor relays through IPv4, but I want exiting traffic only through IPv6 (because I don't want my (only) IPv4 to be blocked, abused and such).

You won't get the Exit flag unless you exit to at least one IPv4 /8, on at least:
* port 80 & 443, or
* port 80 & 6667, or
* port 443 & 6667.

It's a documented issue that a relay can still get the Exit flag by exiting to an unused IPv4 /8 that's not in Tor's list of private addresses.

> The way I thought this would work is with the ExitPolicy set as below. But Atlas says my IPv6 Exit Policy Summary would be "ExitPolicy reject *:*".

I don't know if Atlas does this because your relay doesn't have the Exit flag, or because your relay's policy rejects everything, or because your relay's policy doesn't allow IPv4.

> Now I'm wondering if my ExitPolicy is wrongly defined or if that's a bug of some kind.

What is the exit policy in your relay's descriptor?

> I'm running Tor v0.2.7.5 (git-6184c873e90d93b2) on Linux with Libevent 2.0.21-stable, OpenSSL 1.0.1k and Zlib 1.2.8.

These rules look like they should work as you describe.
(Tor 0.2.7 was fixed to make accept6/reject6 only produce IPv6 rules.)
Let me do some testing to see if you've uncovered a bug.

> # No IPv4 exit, no exit to my own subnet, no exit to private network, no exit to link local

This is wise. Tor will block your own IPv6 address, but it doesn't know about your subnet:

> ExitPolicy reject6 [2A02:168:4A06::]/42:*  # Block my subnet

Tor blocks private addresses by default, so these lines are redundant, but harmless:

> ExitPolicy reject6 [FC00::]/7:*            # Block private IPv6
> ExitPolicy reject6 [FE80::]/10:*           # Block link-local IPv6

Tor doesn't block 6to4 addresses by default, so this is useful:

> ExitPolicy reject6 [2002::]/16:*           # Block 6to4 addresses

> ...

This should make sure most IPv6 ports are accepted, because it comes before the reject rules.
You could try: "ExitPolicy accept6 *6:*", but it should have exactly the same outcome.

> ExitPolicy accept6 *:*                     # All else

This actually blocks private IPv4 and IPv6, and it's redundant because Tor blocks private addresses by default:

> ExitPolicy reject private:*                # Block private IPv4

This actually blocks IPv4 and IPv6:

> ExitPolicy reject *:*                      # Block all IPv4
> 
> ## If set, and we are an exit node, allow client to use us for IPv6 traffic
> IPv6Exit 1

Tim

Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP 968F094B

teor at blah dot im
OTR CAD08081 9755866D 89E2A06F E3558B7F B5A9D14F
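
Added illustration (not part of the original message, and not Tor's own code): a first-match evaluator run over the rules quoted in this thread, showing why IPv6 destinations are decided by "accept6 *:*" while IPv4 falls through to "reject *:*". It assumes accept6/reject6 produce IPv6-only rules, as the message states for Tor 0.2.7; ports, the "private" alias and Tor's implicit default rules are not modelled, and the function names and test addresses are constructed for the example.

```python
import ipaddress

# Constructed policy: the rules quoted in the thread, in their original order.
# The elided "..." lines and "reject private:*" are left out; all ports are "*".
POLICY = [
    "reject6 [2A02:168:4A06::]/42:*",
    "reject6 [FC00::]/7:*",
    "reject6 [FE80::]/10:*",
    "reject6 [2002::]/16:*",
    "accept6 *:*",
    "reject *:*",
]

def parse_rule(line):
    """Return (is_accept, address families the rule applies to, network or None)."""
    action, target = line.split()
    # Drop the port part and the brackets around an IPv6 literal.
    addr = target.rsplit(":", 1)[0].replace("[", "").replace("]", "")
    # strict=False: the /42 above has host bits set, as written in the torrc.
    net = None if addr.startswith("*") else ipaddress.ip_network(addr, strict=False)
    if action.endswith("6") or addr == "*6":
        families = {6}            # accept6/reject6 only yield IPv6 rules
    elif addr == "*4":
        families = {4}
    elif net is None:
        families = {4, 6}         # plain "*" with accept/reject covers both
    else:
        families = {net.version}
    return action.startswith("accept"), families, net

def exit_allowed(policy, dest):
    """First matching rule decides; later rules are never consulted."""
    ip = ipaddress.ip_address(dest)
    for line in policy:
        accept, families, net = parse_rule(line)
        if ip.version in families and (net is None or ip in net):
            return accept
    return False  # assumption of this sketch; POLICY ends in a catch-all anyway

if __name__ == "__main__":
    for dest in ("2001:db8::1", "2002:c000:204::1", "2a02:168:4a06::1", "192.0.2.1"):
        print(dest, "accept" if exit_allowed(POLICY, dest) else "reject")
```

Moving "reject *:*" above "accept6 *:*" makes the IPv6 result flip to reject as well, which is the ordering point made in the reply.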
