[tor-talk] IPv6 /48 for OnionCat

Bernhard R. Fischer bf at abenteuerland.at
Mon Aug 29 05:09:35 UTC 2016


On 2016-08-28 23:35, grarpamp wrote:
> On 8/28/16, Mirimir <mirimir at riseup.net> wrote:
>> On 08/28/2016 02:00 AM, grarpamp wrote:
> 
>> OK. As I understand it, all that matters is using a /48 that won't be
>> provisioned by ISPs. In case it hits the public Internet. Right?
> 
> If your users are the masses, yes. In a private install / userbase
> you could pick anything that doesn't collide in your stacks,
> and then anything that hasn't been allocated via rfc / registry,
> which is almost the entire /128. Use filters, don't rely on whatever ISPs
> do or IANA docs say.
> 
>> And I could configure onion services to route among multiple /48
>> networks, yes?
> 
> Well you would bind apps to the ipv6/128 on the tun interface,
> onioncat takes care of routing that /48 among tor's onions
> after the hosts routing table sends its packets to the tun.
> Basically yes.


Exactly. To be more precise, OnionCat does not "route packets" in terms
of the IP protocol. With respect to IP, OC is like an Ethernet switch,
i.e. it works on layer 2.
Thus, routing has to be set up on the host computer (your Linux box, or
whatever) as usual. Think of OnionCat (and its tun device) as being just
another Ethernet port on your computer.
This basically implies all kinds of security risks (firewalling, ...) you
could have on a network port with an IP address assigned to it.

You may also have a look at
https://www.cypherpunk.at/onioncat_trac/wiki/Security



>> OK, so I get that -t is the SocksPort used for outbound connections. And
>> for inbound connections, I get that -l is the listening address and
>> port, and that -s is the virtual hidden service port.
>>
>> So for now, each instance would have its own pair of -t and -l/-s. But
>> I'm having a hard time imagining what multiplexing would look like. And
>> anyway, isn't it better to split stuff across multiple SocksPorts?
> 
> Socks5 port is a bit different from onion p2p.
> I meant having a single onioncat handling multiple /48's would give another
> abstract management option, in addition to multiple onioncats with
> one /48 each.


What you are trying to do sounds very complicated to me. Even
one /48 prefix contains more addresses than the whole IPv4 address space.
And OC is not a multicast network, thus you cannot simply "arp" for
other OCs.

So why would you try to use several different /48 prefixes?


Bernhard
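The thread makes two host-side points: pick a /48 that cannot collide with anything routed elsewhere and enforce it with filters rather than trusting ISP or IANA allocations, and treat the OnionCat tun device like any other Ethernet port, so the host's own routing table and firewall decide what crosses it. The following Python is an added example illustrating both checks; it is not part of the thread or of OnionCat. The candidate prefix, the list of prefixes already on the host, and the interface name `tun0` are constructed sample values, and the generated `ip`/`nft` lines assume an existing `ip6 filter` table with `input`, `output` and `forward` chains.

```python
"""Host-side checks for an OnionCat-style /48 on a tun interface.

Added example (not OnionCat's own code). The prefixes below and the
interface name "tun0" are constructed placeholders.
"""
import ipaddress

# RFC 4193 unique local addresses: no registry hands these to an ISP,
# so a packet that leaks off the tun cannot reach a public host.
ULA = ipaddress.ip_network("fc00::/7")

# Constructed sample: prefixes already routed on this host.
LOCAL_PREFIXES = [
    ipaddress.ip_network("fd00:aaaa:bbbb::/48"),
    ipaddress.ip_network("2001:db8:1::/64"),
]


def check_prefix(candidate, local_prefixes=LOCAL_PREFIXES):
    """Return a list of problems with using `candidate` as the OnionCat /48.

    An empty list means the prefix is a unique-local /48 that does not
    overlap anything already routed on this host.
    """
    net = ipaddress.ip_network(candidate, strict=True)
    if net.version != 6:
        return ["not an IPv6 prefix"]
    problems = []
    if net.prefixlen != 48:
        problems.append(f"prefix length is /{net.prefixlen}, expected /48")
    if not net.subnet_of(ULA):
        problems.append("not in fc00::/7 (RFC 4193 ULA); may collide with public space")
    for local in local_prefixes:
        if net.overlaps(local):
            problems.append(f"overlaps local prefix {local}")
    return problems


def host_rules(prefix, iface="tun0"):
    """Build the host-side route and filter lines for the tun interface.

    OnionCat only hands frames to the tun device; the host's routing table
    and firewall treat it like any other port, so the filters pin the
    interface to the chosen /48 and keep it from being forwarded elsewhere.
    """
    net = ipaddress.ip_network(prefix)
    return [
        # Route the whole /48 into the tun; OnionCat maps it onto onions.
        f"ip -6 route add {net} dev {iface}",
        # Only addresses inside the /48 belong on this interface.
        f'nft add rule ip6 filter input iifname "{iface}" ip6 saddr != {net} drop',
        f'nft add rule ip6 filter output oifname "{iface}" ip6 daddr != {net} drop',
        # Never bridge the tun to other interfaces in either direction.
        f'nft add rule ip6 filter forward iifname "{iface}" drop',
        f'nft add rule ip6 filter forward oifname "{iface}" drop',
    ]


if __name__ == "__main__":
    candidate = "fd12:3456:789a::/48"  # constructed sample prefix
    issues = check_prefix(candidate)
    if issues:
        for issue in issues:
            print(f"{candidate}: {issue}")
    else:
        print("\n".join(host_rules(candidate)))
```

Run the script as-is to see the generated rule set for the sample prefix; feeding it a prefix that is already routed locally, or one outside fc00::/7, reports the problem instead of emitting rules.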