[tor-talk] Tor in a world of IPv6: "Local Bridges" needed?

Michael Wolf mikewolf53 at gmail.com
Thu Nov 7 19:45:54 UTC 2013


Please forgive the length of this... I just wanted to outline the
problem/solution as I see it, in order to be as clear as possible.

One of the benefits of running a Tor relay is supposed to be "better
anonymity against some attacks[1]".  As such, I (and I assume others)
run a Tor relay from home on a separate machine that is up 24x7.  In an
internet dominated by IPv4 and NAT, it seems to hold true that a
downstream relay could not determine whether the traffic originated from
the relay or a separate client.  However, IPv6 will do away with NAT,
and it will be immediately evident that a machine other than the relay
is producing Tor traffic.

There are a few ways around this that I'm aware of, each with its own
problems:

1.  Set up the relay as a "transparent proxy" for the network.
2.  Use SSH to tunnel traffic to the relay.
3.  Configure the clients to use the relay as a "bridge".
4. ???

#1 suffers from the fact that all traffic is unencrypted in the local
network.  Perhaps not a huge deal, but Google and Yahoo also recently
learned of the dangers of assuming "private networks" are private.

#2 suffers from being difficult for some (many?) users to set up, and
the fact that the relay still receives the data unencrypted.  The relay
by necessity has at least one publicly accessible service (Tor daemon),
so it has a larger attack surface.  If one were to successfully mount an
attack against the relay, they'd be able to receive all the local
Tor-bound data in plaintext.

#3 protects all data headed to and through the relay... but unless I'm
misunderstanding what was said in a previous tor-talk message ("a bridge
will be used as the first of three hops[2]"), your total external hops
is reduced to 2.  In that same tor-talk message, there is a link to
Proposal 188-bridge-guards [3].  I don't know if this was ever
implemented, but it seems like this would stretch the number of external
hops back out to three, essentially?

Any thoughts here?  Is it safe to use a local (public) relay as a
"bridge"?  Has Proposal 188 been implemented?  If so, does the relay
need to actually be configured as a bridge in order to perform this
"loose routing"?  Or would the concept of "local bridge" need to be
developed?

Thank you for any input.

[1] https://www.torproject.org/docs/faq.html.en#BetterAnonymity
[2] https://lists.torproject.org/pipermail/tor-talk/2012-May/024378.html
[3] https://gitweb.torproject.org/torspec.git/blob/HEAD:/proposals/188-bridge-guards.txt

