#33018: Dir auths using an unsustainable 400+ mbit/s, need to diagnose and fix
---------------------------------------+-----------------------------------
 Reporter:  arma                       |          Owner:  dgoulet
     Type:  defect                     |         Status:  assigned
 Priority:  Medium                     |      Milestone:  Tor: 0.4.3.x-final
Component:  Core Tor/Tor               |        Version:
 Severity:  Normal                     |     Resolution:
 Keywords:  network-health 043-should  |  Actual Points:
Parent ID:                             |         Points:
 Reviewer:                             |        Sponsor:
---------------------------------------+-----------------------------------

Comment (by teor):

 Replying to [comment:12 Sebastian]:
 > Replying to [comment:8 teor]:
 > > Replying to [comment:2 Sebastian]:
 > > > I am not concerned about relays connecting from a wrong IP address. I basically feel like that shouldn't even be possible configuration-wise
 > >
 > > Relays can set different addresses in the Address and OutboundBindAddress options, and their inbound and outbound traffic will be on different addresses. Some operators use these options, others put their Address on a non-default route.
 > >
 > > So we do need to consider this case, particularly when relays are trying to discover their own IP address from an authority. But relays should fall back to discovering their address and getting a consensus from other relays, if all the authorities fail.
 > >
 > > So maybe it will work anyway? We should do a test to make sure.
 >
 > I know these kinds of configurations are possible, but why is that and why are we OK with it? That's my point here, we should IMO change your stance to this being not supported behaviour.

 At the moment, relays (and directory authorities) use the system default route for outbound traffic, rather than the advertised address.

 If you want to change OutboundBindAddress, here's what we could do:
 1. make OutboundBindAddress default to the advertised addresses (IPv4 and IPv6), but fall back to unbound if binding to a specific address doesn't work - fixes most relays
 2. deprecate OutboundBindAddress - needs proposal (or consultation with relay operators), fixes some of the rest

 We can't fix all the relays, because operators can still use firewalls (and other weird network configs) to change the outbound address.

 I'll put step 1 in my upcoming IPv6 address discovery proposal as optional work. I think it's best we do step 2 separately, because it's likely to be controversial.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33018#comment:16>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
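
Step 1 in the comment above (bind outbound sockets to the advertised address, fall back to unbound if the bind fails) can be sketched as follows. This is an added example, not code from Tor or from the ticket; the function names are hypothetical and only IPv4 is handled.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper, not a Tor function. Opens a TCP socket for an
 * outbound connection and tries to pin its source to the advertised IPv4
 * address. Returns the fd, or -1 if no socket could be created.
 * *pinned is set to 1 when the bind succeeded, 0 when the socket was left
 * unbound so the kernel picks the source from the default route. */
int outbound_socket(const char *advertised_ipv4, int *pinned)
{
    struct sockaddr_in src;
    int fd = socket(AF_INET, SOCK_STREAM, 0);

    *pinned = 0;
    if (fd < 0)
        return -1;

    memset(&src, 0, sizeof(src));
    src.sin_family = AF_INET;
    src.sin_port = 0; /* any source port */

    /* An unparsable address or a failed bind (for example EADDRNOTAVAIL
     * when the address is not on a local interface) is not fatal: the
     * socket stays unbound and uses the default route. */
    if (inet_pton(AF_INET, advertised_ipv4, &src.sin_addr) == 1 &&
        bind(fd, (struct sockaddr *)&src, sizeof(src)) == 0)
        *pinned = 1;
    return fd;
}

/* Writes the socket's local address into buf; "0.0.0.0" means unbound. */
int local_addr(int fd, char *buf, socklen_t len)
{
    struct sockaddr_in cur;
    socklen_t cur_len = sizeof(cur);

    if (getsockname(fd, (struct sockaddr *)&cur, &cur_len) != 0)
        return -1;
    return inet_ntop(AF_INET, &cur.sin_addr, buf, len) ? 0 : -1;
}
```

A caller that logs the pinned flag can tell which connections will reach an authority from an address other than the advertised one.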