Re: [tor-relays] Auto-detect and enable IPv6 // Re: Please enable IPv6 on your relay!

2015-06-02 Thread teor

> Date: Fri, 22 May 2015 19:29:43 +0500
> From: Roman Mamedov r...@romanrm.net
> 
> On Fri, 22 May 2015 13:31:02 +
> Speak Freely when2plus2...@riseup.net wrote:
> 
>> Uhh, I would like to point out that it would be exceptionally stupid
>> to have Tor autoconfigure IP addresses, regardless of whether it's
>> IPv4 or IPv6.
> 
> On IPv4 it currently does. There is zero rationale as to why IPv6 must be
> different from IPv4 in this aspect.

IP address autodetection is a useful feature for those servers which are 
dynamically assigned IP addresses. But it's not appropriate in every 
circumstance, which is why the ORPort and DirPort config options allow an IP 
address to be specified. It's only in the absence of a configured IP that 
autodetection is performed.

Here are the enhancement requests in trac that need to be completed for IPv6 
address autodetection:

The enhancement request for Tor autodetecting IPv6 addresses is here:
https://trac.torproject.org/projects/tor/ticket/5940

Since Tor normally autodetects its IPv4 address via its first directory 
request, this requires the directory authorities and/or fallback directories to 
be on IPv6 answering directory requests:

Directory Authorities on IPv6
https://trac.torproject.org/projects/tor/ticket/6027

Fallback Directories on IPv6
https://trac.torproject.org/projects/tor/ticket/8374
Fallback Directories Initial Release on IPv4/IPv6
https://trac.torproject.org/projects/tor/ticket/15775

Clients/Relays will also need to query directory servers on both IPv4 and IPv6 
to autoconfigure both addresses. Currently, directory requests are only made 
using the default IP protocol, or IPv4 (I'm not sure which).

Once these client and server changes are in place, we then need to test clients 
to ensure they will bootstrap correctly:
* When clients are on IPv4 only, mixed IPv4/IPv6, and IPv6 only; (3)
Combined with:
* On first run and subsequent runs; (2)
Combined with:
* When the directory authorities are available on IPv4 only, IPv4/IPv6, and 
IPv6 only;
* When the directory authorities aren't available, and Fallback Directories are 
available on IPv4 only, IPv4/IPv6, and IPv6 only; (6)
Combined with:
* Using HTTP (DirPort) and Tunneled (ORPort) directory fetches. (2)

      4     4/6   6
a4    Y     Y     f
a4/6  Y     Y     Y
a6    f     Y     Y
f4    Y     Y     N
f4/6  Y     Y     Y
f6    N     Y     Y

Y = Yes, Tor should bootstrap
f = Tor should use other authorities or fallback directories with matching IP 
version(s)
N = Tor should fail to bootstrap if it doesn't have access to any directories 
with matching IP version(s), and it doesn't have a recent consensus. Otherwise, 
it should find a directory with a matching IP version. This may involve a 
tunneled directory request if DirPorts are not available but ORPorts are, and 
Tor has enough information to tunnel over an ORPort (this might not apply in 
the first run case).

That's a lot of different combinations that we need to test and ensure they 
work as intended. And I am concerned about the complexity of the N case.

We'd appreciate any help on these IPv6 enhancements, particularly coding the 
server-side changes, as it's difficult to code and test the client-side changes 
without them.

teor

teor2345 at gmail dot com
pgp 0xABFED1AC
https://gist.github.com/teor2345/d033b8ce0a99adbc89c5

teor at blah dot im
OTR D5BE4EC2 255D7585 F3874930 DB130265 7C9EBBC7



___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
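The test matrix and the Y/f/N legend in teor's message above, as an added Python model (not Tor's own code or test suite): it encodes the legend's rule as an expected-outcome oracle, rebuilds the 6x3 table from it, and enumerates the 72 combinations. Two assumptions are mine: fallback directories are dual-stack in the authority rows, and a subsequent run has a recent consensus while a first run does not.

```python
# Added example (not Tor's own code): models the bootstrap matrix above.
# IP versions are frozensets of "4"/"6"; outcomes follow the legend.
from itertools import product

V4, V6, DUAL = frozenset("4"), frozenset("6"), frozenset("46")
VERSIONS = {"4": V4, "4/6": DUAL, "6": V6}
FETCH_TYPES = ("DirPort", "ORPort")  # HTTP vs tunneled directory fetch


def expected_outcome(client, auth, fallback, recent_consensus=False):
    """Return 'Y', 'f' or 'N' for one combination.

    client: versions the client has; auth: versions the authorities answer
    on (None if unreachable); fallback: versions the fallback dirs answer on.
    """
    if auth is not None:
        if client & auth:
            return "Y"  # an authority shares an IP version with the client
        # no authority on a usable version: other authorities or fallbacks
        return "f" if client & fallback else "N"
    if client & fallback:
        return "Y"
    # nothing reachable on a matching version: only a recent consensus helps
    return "Y" if recent_consensus else "N"


def bootstrap_matrix():
    """Rebuild the 6x3 table: rows a*/f* (authorities/fallbacks), columns client."""
    rows = {}
    for label, vers in VERSIONS.items():
        # Assumption: in the authority rows the fallbacks are dual-stack.
        rows["a" + label] = [expected_outcome(c, vers, DUAL) for c in VERSIONS.values()]
        rows["f" + label] = [expected_outcome(c, None, vers) for c in VERSIONS.values()]
    return rows


def test_cases():
    """Enumerate the 3 x 2 x 6 x 2 = 72 combinations with expected outcomes.

    Assumption: a subsequent run has a recent consensus; a first run does not.
    """
    setups = [(k, l, v) for k in "af" for l, v in VERSIONS.items()]
    cases = []
    for (clabel, client), first_run, (kind, dlabel, dvers), fetch in product(
            VERSIONS.items(), (True, False), setups, FETCH_TYPES):
        if kind == "a":
            outcome = expected_outcome(client, dvers, DUAL)
        else:
            outcome = expected_outcome(client, None, dvers, not first_run)
        cases.append((clabel, first_run, kind + dlabel, fetch, outcome))
    return cases
```

Each tuple in test_cases() is one scenario for a bootstrap test; the N outcomes only appear on first run, which is the case teor flags as the complex one.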


[tor-relays] Auto-detect and enable IPv6 // Re: Please enable IPv6 on your relay!

2015-05-22 Thread Roman Mamedov
Hello,

> We still have a depressingly low number of relays that support IPv6
> (currently only ~120 of ~1900 relays). If your host supports IPv6,
> please enable it, especially if you run an exit! This has to be done
> explicitly.

If you (supposedly) care so much, then can you please make it automatic?

There is no need to explicitly put the IPv4 address into the torrc.

And there is no need to explicitly put the IPv6 address into the config file of
virtually any other IPv4+IPv6 supporting software I can think of: web, mail,
NTP, XMPP servers, those are all capable of automatically figuring out which
IPs the host has.

Can't think of any reason of why this has to be otherwise in Tor, aside from
perhaps a certain lack of understanding of best IPv6 implementation practices
from the Tor developers side and/or nobody simply giving much thought to this
yet.

I currently run 15 Tor relays, 14 of those IIRC are IPv6 capable. But since
you did not bother to make enabling IPv6 in Tor anywhere near user-friendly
[1], I am simply not going to bother pecking the IPs into each torrc
individually. [ One of the practical reasons being that I sometimes need to
migrate the Tor 'identity' (torrc + /var/lib/tor/*) between machines and
providers with v4/v6 addresses obviously changing. ]

Aside from migrations between providers, the requirement to specify the IP is
also impractical in many other situations, e.g. my ISP at home provides only a
__dynamic__ IPv6 subnet which changes to a different one with each new PPPoE
session.

[1] Ideally there should be no 'enabling' at all!!! IPv6 should be active by
default, IF the relay has determined it is able to make a successful IPv6
connection with a dir-authority -- oh and also that's how you can discover the
actual working IPv6 address to use; or at least with a simple IPv6Relay 1,
but certainly with no requirement of specifying the IP address in the config
file.

-- 
With respect,
Roman




Re: [tor-relays] Auto-detect and enable IPv6 // Re: Please enable IPv6 on your relay!

2015-05-22 Thread Speak Freely
Roman,

First, I would like to apologize for the language below. It's not the
nicest way for me to communicate, but I wrote it all down and don't want
to have to re-write it to soften the content. An apologetic disclaimer
is what you get instead. :)

I'm sorry for the vulgarity.

--

Uhh, I would like to point out that it would be exceptionally stupid
to have Tor autoconfigure IP addresses, regardless of whether it's
IPv4 or IPv6.

Unless of course you have some automagical way of Tor determining
which IP address you want to use. I'm sure fairy dust can be used to
determine which  IP address you want to use, but I can't think of a
single method for any application to correctly guess which IP address
you want to use that doesn't include Tinker Bell and her tiny friends.

The examples you provided are for servers with 1 single IP address, a
relatively trivial system. In that case, it's easy to guess which IP
to use. So yes, Tor can *guess* which IPv4 to use, but it's a fecking
guess! STUPID!

What if I want to run a webserver on one IP address, and Tor on
another? What if I decide to also run a mail server on a third IP
address? What if I want to run an Onion Service? What if I have a
beefy system with quad 100mbit connections and want to run 4 Tor
relays on the same system? What about a complicated network setup that
uses VMs and requires punching through NAT and port forwarding through
two firewalls to the outside world? Does Apache correctly guess which
IP you want to use, when there are multiple choices? Does your
favourite mail server *know* which IP address to use? NO! So why
should Tor be made of fairy dust?

A certain lack of understanding of best practices seems to be your
problem, not Tor's. This is a security *FEATURE*. The consequences of
magic can be catastrophic, and you should be able to understand the very
real and serious implications. We're all running relays for what is
arguably the very best anonymity software available, not minecraft
servers. You need to take security seriously.

Write a script if it's such a problem! Learn to love sed. This is a
non-problem. This is trivial. You're running 15 relays - which is
awesome, so you're not retarded - you can do this. But seriously, you
need to think about what you just said, and why it's such a terrible idea.

Accusing the developers of a lack of understanding is wholly
unwarranted. You should apologize.



Regards,

Matt
Speak Freely