[tor-relays] (de)bug IPv6 exit policies?

teor teor2345 at gmail.com
Mon Jan 30 22:54:39 UTC 2017


> On 31 Jan 2017, at 05:13, nusenu <nusenu at openmailbox.org> wrote:
> 
> tldr: would you send me your torrc if you aim to route IPv6 exit traffic
> and are in the list at the bottom with the third column set to NULL?
> 
> teor:
>> Either that, or there is a bug in Tor relating to IPv6 Exit policies.
>> But I can't see anywhere in the code that makes the IPv6 exit policy
>> dependent on anything except ExitPolicy and IPv6Exit.
>> 
>> Are there any log entries relating to IPv6 or exit policies?

Here are the log entries I'd like to see:

Any bug warnings

warnings:
Exit policy '%s' and all following policies are redundant
Weird family when summarizing address policy
policy_dump_to_string ran out of room

info:
Unrecognized policy summary keyword
Impossibly long policy summary
Found bad entry in policy summary
Found no port-range entries in summary

debug:
Adding new entry
Ignored policy
Adding a reject ExitPolicy
Removing exit policy

> moritz at torservers.net did send me (unfortunately off-list) the torrc
> file for
> https://atlas.torproject.org/#details/FDAED15C98CFE7A416E5676F614254F78406105C
> 
> according to his torrc it is allowing IPv6 exit traffic but not
> according to its descriptor.
> 
> Do exits do any outbound IPv6 reachability test before they create their
> descriptor? (with the ipv6-policy entry)

No, there is no IPv6 reachability testing in Tor for anything,
except for authorities checking IPv6 ORPorts.

But tor does automatically reject configured ports and addresses.
(In 0.2.7 and 0.2.8, it does this with local interface addresses,
in 0.2.9, it only does this with local interfaces if
ExitPolicyRejectLocalInterfaces is set. In all versions, it does
this with private addresses and configured ports by default.)

So one thing that operators could do is try to disable the IPv6 ORPort
and the OutboundBindAddress, and see if that helps.

Operators could also tweak ExitPolicyRejectLocalInterfaces and
ExitPolicyRejectPrivate. Turning off ExitPolicyRejectPrivate can make
an exit insecure, so it should be done after blocking all traffic
from the exit on private addresses using a firewall.

> In total there are currently 57 exits with an IPv6 ORPort but no IPv6
> exit policy.
> That on its own doesn't mean anything because they
> might not set IPv6Exit to 1 but the big picture looks a bit odd.
> 
> Here is a (truncated) list of exits which have IPv6 connectivity
> (ORPort) and their respective v6 exit policy (the last column) since the
> v6 policy changes between none (NULL) to non-NULL even within the same
> operator this seems strange. Usually an operator uses highly identical
> torrc files across all their relays.
> 
> If you are on this list with a NULL value in the v6_policy column
> and your torrc contains
> IPv6Exit 1
> we'd be interested to see your complete torrc files (do not forget to
> _remove_ any sensitive lines like HashedControlPassword).
> 
> I also had a look at the tor_version column but there was no correlation
> there.
> That said there _is_ a correlation with as_name, so maybe this is not a bug
> but operators only enabling IPv6 exiting on specific hosters (which
> seems strange because I only list IPv6 enabled relays).

Some providers may require certain port configurations, which could
cause the issue.

> ...

T

--
Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org
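
A small triage script for the log messages listed in the message above, as an added example that is not part of the original post or of Tor's own code. It assumes log lines of the form `timestamp [severity] message`; the sample log lines are constructed. It also reports which of the three severities never appear in the log at all, since a missing info or debug hit means nothing if the log was not written at that level.

```python
import re

# Message fragments taken from the list in the message above, by severity.
WANTED = {
    "warn": ["and all following policies are redundant",
             "Weird family when summarizing address policy",
             "policy_dump_to_string ran out of room"],
    "info": ["Unrecognized policy summary keyword",
             "Impossibly long policy summary",
             "Found bad entry in policy summary",
             "Found no port-range entries in summary"],
    "debug": ["Adding new entry", "Ignored policy",
              "Adding a reject ExitPolicy", "Removing exit policy"],
}
# Assumed line layout: "<timestamp> [severity] <message>".
LINE_RE = re.compile(r"^(.*?)\s*\[(\w+)\]\s*(.*)$")

def triage(lines):
    """Return (severity, matched fragment, line) for every relevant line."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        sev, msg = m.group(2), m.group(3)
        # "Any bug warnings": assumed here to be warn lines mentioning "bug".
        if sev == "warn" and re.search(r"\bbug\b", msg, re.I):
            hits.append((sev, "bug", line))
            continue
        for frag in WANTED.get(sev, []):
            if frag in msg:
                hits.append((sev, frag, line))
                break
    return hits

def missing_levels(lines):
    """Severities from WANTED with no lines in the log (log level too low)."""
    seen = {m.group(2) for m in map(LINE_RE.match, lines) if m}
    return [sev for sev in WANTED if sev not in seen]

# Constructed sample log, not taken from a real relay.
SAMPLE = """\
Jan 30 22:50:01.000 [notice] Bootstrapped 100%: Done
Jan 30 22:50:02.000 [warn] Exit policy 'reject6 *:*' and all following policies are redundant
Jan 30 22:50:03.000 [info] Found no port-range entries in summary
Jan 30 22:50:04.000 [warn] Bug: constructed placeholder bug message
""".splitlines()

if __name__ == "__main__":
    for sev, frag, line in triage(SAMPLE):
        print(f"{sev:5} {frag!r}: {line}")
    print("no lines at these levels:", missing_levels(SAMPLE))
```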