forked from torproject/torspec
-
Notifications
You must be signed in to change notification settings - Fork 0
/
312-relay-auto-ipv6-addr.txt
1565 lines (1205 loc) · 69.4 KB
/
312-relay-auto-ipv6-addr.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
Filename: 312-relay-auto-ipv6-addr.txt
Title: Tor Relay Automatic IPv6 Address Discovery
Author: teor, Nick Mathewson, s7r
Created: 28-January-2020
Status: Accepted
Ticket: #33073
0. Abstract
We propose that Tor relays (and bridges) should automatically find their
IPv6 address.
Like tor's existing IPv4 address auto-detection, the chosen IPv6 address
will be published as an IPv6 ORPort in the relay's descriptor. Clients,
relays, and authorities connect to relay descriptor IP addresses.
Therefore, IP addresses in descriptors need to be publicly routable. (If
the relay is running on the public tor network.)
To discover their IPv6 address, some relays may fetch directory documents
over IPv6. (For anonymity reasons, bridges are unable to fetch directory
documents over IPv6, until clients start to do so.)
1. Introduction
Tor relays (and bridges) currently find their IPv4 address, and use it as
their ORPort and DirPort address when publishing their descriptor. But
relays and bridges do not automatically find their IPv6 address.
However, relay operators can manually configure an ORPort with an IPv6
address, and that ORPort is published in their descriptor in an "or-address"
line (see [Tor Directory Protocol]).
Many relay operators don't know their relay's IPv4 or IPv6 addresses. So
they rely on Tor's IPv4 auto-detection, and don't configure an IPv6
address. When operators do configure an IPv6 address, it's easy for them to
make mistakes. IPv6 ORPort issues are a significant source of relay
operator support requests.
Implementing IPv6 address auto-detection, and IPv6 ORPort reachability
checks (see [Proposal 311: Relay IPv6 Reachability]) will increase the
number of working IPv6-capable relays in the tor network.
2. Scope
This proposal modifies Tor's behaviour as follows:
Relays, bridges, and directory authorities:
* automatically find their IPv6 address, and
* for consistency between IPv4 and IPv6 detection:
* start using IPv4 ORPort for IPv4 address detection, and
* re-order IPv4 address detection methods.
Relays (but not bridges, or directory authorities):
* fetch some directory documents over IPv6.
For anonymity reasons, bridges are unable to fetch directory documents over
IPv6, until clients start to do so. (See
[Proposal 306: Client Auto IPv6 Connections].)
For security reasons, directory authorities must only use addresses that
are explicitly configured in their torrc.
This proposal makes a small, optional change to existing client behaviour:
* clients also check IPv6 addresses when rotating TLS keys for new
networks.
In addition to the changes to IPv4 address resolution, most of which won't
affect clients. (Because they do not set Address or ORPort.)
Throughout this proposal, "relays" includes directory authorities, except
where they are specifically excluded. "relays" does not include bridges,
except where they are specifically included. (The first mention of "relays"
in each section should specifically exclude or include these other roles.)
When this proposal describes Tor's current behaviour, it covers all
supported Tor versions (0.3.5.7 to 0.4.2.5), as of January 2020, except
where another version is specifically mentioned.
3. Finding Relay IPv6 Addresses
We propose that Tor relays (and bridges) should automatically find their
IPv6 address.
Like tor's existing IPv4 address auto-detection, the chosen IPv6 address
will be published as an IPv6 ORPort in the relay's descriptor. Clients,
relays, and authorities connect to relay descriptor IP addresses.
Therefore, IP addresses in descriptors need to be publicly routable. (If
the relay is running on the public tor network.)
Relays should ignore any addresses that are reserved for private networks,
and check the reachability of addresses that appear to be public (see
[Proposal 311: Relay IPv6 Reachability]). Relays should only publish IP
addresses in their descriptor, if they are public and reachable. (If the
relay is not running on the public tor network, it may use any IP address.)
To discover their IPv6 address, some relays may fetch directory documents
over IPv6. (For anonymity reasons, bridges are unable to fetch directory
documents over IPv6, until clients start to do so. For security reasons,
directory authorities only use addresses that are explicitly configured in
their torrc.)
3.1. Current Relay IPv4 Address Discovery
Currently, all relays (and bridges) must have an IPv4 address. IPv6
addresses are optional for relays.
Tor currently tries to find relay IPv4 addresses in this order:
1. the Address torrc option
2. the address of the hostname (resolved using DNS, if needed)
3. a local interface address
(by making an unused socket, if needed)
4. an address reported by a directory server (using X-Your-Address-Is)
When using the Address option, or the hostname, tor supports:
* an IPv4 address literal, or
* resolving an IPv4 address from a hostname.
If tor is running on the public network, and an address isn't globally
routable, tor ignores it. (If it was explicitly set in Address, tor logs an
error.)
If there are multiple valid addresses, tor chooses:
* the first address returned by the resolver,
* the first address returned by the local interface API, and
* the latest address(es) returned by a directory server, DNS, or the
local interface API.
3.1.1. Current Relay IPv4 and IPv6 Address State Management
Currently, relays (and bridges) manage their IPv4 address discovery state,
as described in the following table:
a b c d e f
1. Address literal . . . . . .
1. Address hostname S N . . . T
2. auto hostname S N . . F T
3. auto interface ? ? . . F ?
3. auto socket ? ? . . F ?
4. auto dir header D N D D F A
IPv6 address discovery only uses the first IPv6 ORPort address:
a b c d e f
1. ORPort listener . . C . F .
1. ORPort literal . . C C F .
1. ORPort hostname S N C C F T
The tables are structured as follows:
* rows are address resolution stage variants
* each address resolution stage has a number, and a description
* the description includes any variants
(for example: IP address literal, or hostname)
* columns describe each variant's state management.
The state management key is:
a. What kind of API is used to perform the address resolution?
* . a CPU-bound API
* S a synchronous query API
* ? an API that is probably CPU-bound, but may be synchronous on some
platforms
* D tor automatically updates the stored directory address, whenever a
directory document is received
b. What does the API depend on?
* . a CPU-bound API
* N a network-bound API
* ? an API that is probably CPU-bound, but may be network-bound on some
platforms
c. How are any discovered addresses stored?
* . addresses are not stored
(but they may be cached by some higher-level tor modules)
* D addresses are stored in the directory address suggestion variable
* C addresses are stored in the port config listener list
d. What event makes the address resolution happen?
* . when tor wants to know its own address
* D when a directory document is received
* C when tor parses its config at startup, and during reconfiguration
e. What conditions make tor attempt this address resolution method?
* . this method is always attempted
* F this method is only attempted when all other higher-priority
methods fail to return an address
f. Can this method timeout?
* . can't time out
* T might time out
* ? probably doesn't time out, but might time out on some platforms
* A can't time out, because it is asynchronous. If a stored address
is available, it is returned immediately.
3.2. Finding Relay IPv6 Addresses
We propose that relays (and bridges) try to find their IPv6 address. For
consistency, we also propose to change the address resolution order for
IPv4 addresses.
We use the following general principles to choose the order of IP address
methods:
* Explicit is better than Implicit,
* Local Information is better than a Remote Dependency,
* Trusted is better than Untrusted, and
* Reliable is better than Unreliable.
Within these constraints, we try to find the simplest working design.
If a relay is given the wrong address by an attacker, the attacker can
direct all inbound relay traffic to their own address. They can't decrypt
the traffic without the relay's private keys, but they can monitor traffic
patterns.
Therefore, relays should only use untrusted address discovery methods, if
every other method has failed. Any method that uses DNS is potentially
untrusted, because DNS is often a remote, unauthenticated service. And
addresses provided by other directory servers are also untrusted.
For security reasons, directory authorities only use addresses that are
explicitly configured in their torrc.
Based on these principles, we propose that tor tries to find relay IPv4 and
IPv6 addresses in this order:
1. the Address torrc option
2. the advertised ORPort address
3. a local interface address
(by making an unused socket, if needed)
4. the address of the host's own hostname (resolved using DNS, if needed)
5. an address reported by a directory server (using X-Your-Address-Is)
Each of these address resolution steps is described in more detail, in its
own subsection.
For anonymity reasons, bridges are unable to fetch directory documents over
IPv6, until clients start to do so. (See
[Proposal 306: Client Auto IPv6 Connections].)
We avoid using advertised DirPorts for address resolution, because:
* they are not supported on bridges,
* they are not supported on IPv6,
* they may not be configured on a relay, and
* it is unlikely that a relay operator would configure an ORPort without
an IPv4 address, but configure a DirPort with an IPv4 address.
While making these changes, we want to preserve tor's existing behaviour:
* resolve Address using the local resolver, if needed,
* ignore private addresses on public tor networks, and
* when there are multiple valid addresses:
* if a list of addresses is received, choose the first address, and
* if different addresses are received over time, choose the most recent
address.
3.2.1. Make the Address torrc Option Support IPv6
First, we propose that relays (and bridges) use the Address torrc option
to find their IPv4 and IPv6 addresses.
There are two cases we need to cover:
1. Explicit IP addresses:
* allow the option to be specified up to two times,
* use the IPv4 address for IPv4,
* use the IPv6 address for IPv6.
Configuring two addresses in the same address family is a config error.
2. Hostnames / DNS names:
* allow the option to be specified up to two times,
* look up the configured name,
* use the first IPv4 and IPv6 address returned by the resolver, and
Resolving multiple addresses in the same address family is not a
runtime error, but only the first address from each family will be
used.
These lookups should ignore private addresses on public tor networks. If
multiple IPv4 or IPv6 addresses are returned, the first public address from
each family should be used.
We should support the following combinations of address literals and
hostnames:
Legacy configurations:
A. No configured Address option
B. Address IPv4 literal
C. Address hostname (use IPv4 and IPv6 DNS addresses)
New configurations:
D. Address IPv6 literal
E. Address IPv4 literal / Address IPv6 literal
F. Address hostname / Address hostname (use IPv4 and IPv6 DNS addresses)
G. Address IPv4 literal / Address hostname (only use IPv6 DNS addresses)
H. Address hostname (only use IPv4 DNS addresses) / Address IPv6 literal
If we can't find an IPv4 or IPv6 address using the configured Address
options:
No IPv4: guess IPv4, and its reachability must succeed.
No IPv6: guess IPv6, publish if reachability succeeds.
Combinations A and B are the most common legacy configurations. We want to
support the following outcomes for all legacy configurations:
* automatic upgrades to guessed and reachable IPv6 addresses,
* continuing to operate on IPv4 when the IPv6 address can't be guessed,
and
* continuing to operate on IPv4 when the IPv6 address has been guessed,
but it is unreachable.
At this time, we do not propose guessing multiple IPv4 or IPv6 addresses
and testing their reachability (see section 3.4.2).
It is an error to configure an Address option with a private IPv4 or IPv6
address. Tor should warn if a configured Address hostname does not resolve
to any publicly routable IPv4 or IPv6 addresses. (In both these cases, if
tor is configured with a custom set of directory authorities, private
addresses should be allowed, with a notice-level log.)
For security reasons, directory authorities only use addresses that are
explicitly configured in their torrc. Therefore, we propose that directory
authorities only accept IPv4 or IPv6 address literals in their Address
option. They must not attempt to resolve their Address using DNS. It is a
config error to provide a hostname as a directory authority's Address.
If the Address option is not configured for IPv4 or IPv6, or the hostname
lookups do not provide both IPv4 and IPv6 addresses, address resolution
should go to the next step.
3.2.2. Use the Advertised ORPort IPv4 and IPv6 Addresses
Next, we propose that relays (and bridges) use the first advertised ORPort
IPv4 and IPv6 addresses, as configured in their torrc.
The ORPort address may be a hostname. If it is, tor should try to use it to
resolve an IPv4 and IPv6 address, and open ORPorts on the first available
IPv4 and IPv6 address. Tor should respect the IPv4Only and IPv6Only port
flags, if specified. (Tor currently resolves IPv4 and IPv6 addresses from
hostnames in ORPort lines.)
Relays (and bridges) currently use the first advertised ORPort IPv6 address
as their IPv6 address. We propose to use the first advertised IPv4 ORPort
address in a similar way, for consistency.
Therefore, this change may affect existing relay IPv4 addressses. We expect
that a small number of relays may change IPv4 address, from a guessed IPv4
address, to their first advertised IPv4 ORPort address.
In rare cases, relays may have been using non-advertised ORPorts for their
addresses. This change may also change their addresses.
Tor currently uses its listener port list to look up its IPv6 ORPort for
its descriptor. We propose that tor's address discovery uses the listener
port list for both IPv4 and IPv6. (And does not attempt to independently
parse or resolve ORPort configs.)
This design decouples ORPort option parsing, ORPort listener opening, and
address discovery. It also implements a form of caching: IPv4 and IPv6
addresses resolved from hostnames are stored in the listener port list,
then used to open listeners. Therefore, tor should continue to use the same
address, while the listener remains open. (See also sections 3.2.7 and
3.2.8.)
For security reasons, directory authorities only use addresses that are
explicitly configured in their torrc. Therefore, we propose that directory
authorities only accept IPv4 or IPv6 address literals in the address part
of the ORPort and DirPort options. They must not attempt to resolve these
addresses using DNS. It is a config error to provide a hostname as a
directory authority's ORPort or DirPort.
If directory authorities don't have an IPv4 address literal in their
Address or ORPort, they should issue a configuration error, and refuse to
launch. If directory authorities don't have an IPv6 address literal in their
Address or ORPort, they should issue a notice-level log, and fall back to
only using IPv4.
For the purposes of address resolution, tor should ignore private
configured ORPort addresses on public tor networks. (Binding to private
ORPort addresses is supported, even on public tor networks, for relays that
use NAT to reach the Internet.) If an ORPort address is private, address
resolution should go to the next step.
3.2.3. Use Local Interface IPv6 Address
Next, we propose that relays (and bridges) use publicly routable addresses
from the OS interface addresses or routing table, as their IPv4 and IPv6
addresses.
Tor has local interface address resolution functions, which support most
major OSes. Tor uses these functions to guess its IPv4 address. We propose
using them to also guess tor's IPv6 address.
We also propose modifying the address resolution order, so interface
addresses are used before the local hostname. This decision is based
on our principles: interface addresses are local, trusted, and reliable;
hostname lookups may be remote, untrusted, and unreliable.
Some developer documentation also recommends using interface addresses,
rather than resolving the host's own hostname. For example, on recent
versions of macOS, the man pages tell developers to use interface addresses
(getifaddrs) rather than look up the host's own hostname (gethostname and
getaddrinfo). Unfortunately, these man pages don't seem to be available
online, except for short quotes (see [getaddrinfo man page] for the
relevant quote).
If the local interface addresses are unavailable, tor opens a UDP socket to
a publicly routable address, but doesn't actually send any packets.
Instead, it uses the socket APIs to discover the interface address for the
socket. (UDP is used because it is stateless, so the OS will not send any
packets to open a connection.)
For security reasons, directory authorities only use addresses that are
explicitly configured in their torrc. Since local interface addresses are
implicit, and may depend on DHCP, directory authorities do not use this
address resolution method (or any of the other, lower-priority address
resolution methods).
Relays that use NAT to reach the Internet may have no publicly routable
local interface addresses, even on the public tor network. The NAT box has
the publicly routable addresses, and it may be a separate machine.
Relays may also be unable to detect any local interface addresses. The
required APIs may be unavailable, due to:
* missing OS or library features, or
* local security policies.
Tor already ignores private IPv4 interface addresses on public relays. We
propose to also ignore private IPv6 interface addresses. If all IPv4 or
IPv6 interface addresses are private, address resolution should go to the
next step.
3.2.4. Use Own Hostname IPv6 Addresses
Next, we propose that relays (and bridges) get their local hostname, look
up its addresses, and use them as its IPv4 and IPv6 addresses.
We propose to use the same underlying lookup functions to look up the IPv4
and IPv6 addresses for:
* the Address torrc option (see section 3.2.1), and
* the local hostname.
However, OS APIs typically only return a single hostname. (Rather than a
separate hostname for IPv4 and IPv6.)
For security reasons, directory authorities only use addresses that are
explicitly configured in their torrc. Since hostname lookups may use DNS,
directory authorities do not use this address resolution method.
The hostname lookup should ignore private addresses on public relays. If
multiple IPv4 or IPv6 addresses are returned, the first public address from
each family should be used. If all IPv4 or IPv6 hostname addresses are
private, address resolution should go to the next step.
3.2.5. Use Directory Header IPv6 Addresses
Finally, we propose that relays get their IPv4 and IPv6 addresses from the
X-Your-Address-Is HTTP header in tor directory documents. To support this
change, we propose that relays start fetching directory documents over IPv4
and IPv6.
We propose that bridges continue to only fetch directory documents over
IPv4, because they try to imitate clients. (Most clients only fetch
directory documents over IPv4, a few clients are configured to only fetch
over IPv6.) When client behaviour changes to use both IPv4 and IPv6 for
directory fetches, bridge behaviour can also change to match. (See
section 3.4.1 and [Proposal 306: Client Auto IPv6 Connections].)
For security reasons, directory authorities only use addresses that are
explicitly configured in their torrc. Since directory headers are provided
by other directory servers, directory authorities do not use this address
resolution method.
We propose to use a simple load balancing scheme for IPv4 and IPv6
directory requests:
* choose between IPv4 and IPv6 directory requests at random.
We do not expect this change to have any load-balancing impact on the public
tor network, because the number of relays is much smaller than the number
of clients. However, the 6 directory authorities with IPv6 enabled may see
slightly more directory load, particularly over IPv6.
To support this change, tor should also change how it handles IPv6
directory failures on relays:
* avoid recording IPv6 directory failures as remote relay failures,
because they may actually be due to a lack of IPv6 connectivity on the
local relay, and
* issue IPv6 directory failure logs at notice level, and rate-limit them
to one per hour.
If a relay is:
* explicitly configured with an IPv6 address, or
* a publicly routable, reachable IPv6 address is discovered in an
earlier step,
tor should start issuing IPv6 directory failure logs at warning level. Tor
may also record these directory failures as remote relay failures. (Rather
than ignoring them, as described in the previous paragraph.)
(Alternately, tor could stop doing IPv6 directory requests entirely. But we
prefer designs where all relays behave in a similar way, regardless of their
internal state.)
For some more complex directory load-balancing schemes, see section 3.5.4.
Tor already ignores private IPv4 addresses in directory headers. We propose
to also ignore private IPv6 addresses in directory headers. If all IPv4 and
IPv6 addresses in directory headers are private, address resolution should
return a temporary error.
Whenever address resolution fails, tor should warn the operator to set the
Address torrc option for IPv4 and IPv6. (If IPv4 is available, and only
IPv6 is missing, the log should be at notice level.) These logs may need to
be rate-limited.
The next time tor receives a directory header containing a public IPv4 or
IPv6 address, tor should use that address for reachability checks. If the
reachability checks succeed, tor should use that address in its descriptor.
Doing relay directory fetches over IPv6 will create extra IPv6 connections
and IPv6 bandwidth on the tor network. (See
[Proposal 313: Relay IPv6 Statistics].) In addition, some client circuits
may use the IPv6 connections created by relay directory fetches.
3.2.6. Disabling IPv6 Address Resolution
Relays (and bridges) that have a reachable IPv6 address, but that address
is unsuitable for the relay, need to be able to disable IPv6 address
resolution.
Based on [Proposal 311: Relay IPv6 Reachability], and this proposal, those
relays would:
* discover their IPv6 address,
* open an IPv6 ORPort,
* find it reachable,
* publish a descriptor containing that IPv6 ORPort,
* have the directory authorities find it reachable,
* have it published in the consensus, and
* have it used by clients,
regardless of how the operator configures their tor instance.
Currently, relays are required to have an IPv4 address. So if the guessed
IPv4 address is unsuitable, operators can set the Address option to a
suitable IPv4 address. But IPv6 addresses are optional, so relay operators
may need to disable IPv6 entirely.
We propose a new torrc-only option, AddressDisableIPv6. This option is set
to 0 by default. If the option is set to 1, tor disables IPv6 address
resolution, IPv6 ORPorts, IPv6 reachability checks, and publishing an IPv6
ORPort in its descriptor.
3.2.6.1. Disabling IPv6 Address Resolution: Alternative Design
As an alternative design, tor could change its interpretation of the
IPv4Only flag, so that the following configuration lines disable IPv6:
(In the absence of any non-IPv4Only ORPort lines.)
* ORPort 9999 IPv4Only
* ORPort 1.1.1.1:9999 IPv4Only
However, we believe that this is a confusing design, because we want to
enable IPv6 address resolution on this similar, very common configuration:
* ORPort 1.1.1.1:9999
Therefore, we avoid this design, becuase it changes the meaning of existing
flags and options.
3.2.7. Automatically Enabling an IPv6 ORPort
We propose that relays (and bridges) that discover their IPv6 address,
should open an IPv6 ORPort, and test its reachability (see
[Proposal 311: Relay IPv6 Reachability], particularly section 4.3.1).
The ORPort should be opened on the port configured in the relay's ORPort
torrc option. Relay operators can use the IPv4Only and IPv6Only options
to configure different ports for IPv4 and IPv6.
If the ORPort is auto-detected, there will not be any specific bind
address. (And the detected address may actually be on a NAT box, rather
than the local machine.) Therefore, relays should attempt to bind to all
IPv4 and IPv6 addresses (or all interfaces).
Some operating systems expect applications to bind to IPv4 and IPv6
addresses using separate API calls. Others don't support binding only to
IPv4 or IPv6, and will bind to all addresses whenever there is no specified
IP address (in a single API call). Tor should support both styles of
networking API.
In particular, if binding to all IPv6 addresses fails, relays should still
try to discover their public IPv6 address, and check the reachability of
that address. Some OSes may not support the IPV6_V6ONLY flag, but they may
instead bind to all addresses at runtime. (The tor install may also have
compile-time / runtime flag mismatches.)
If both reachability checks succeed, relays should publish their IPv4 and
IPv6 ORPorts in their descriptor.
If only the IPv4 ORPort check succeeds, and the IPv6 address was guessed
(rather than being explicitly configured), then relays should:
* publish their IPv4 ORPort in their descriptor,
* stop publishing their IPv6 ORPort in their descriptor, and
* log a notice about the failed IPv6 ORPort reachability check.
3.2.8. Proposed Relay IPv4 and IPv6 Address State Management
We propose that relays (and bridges) manage their IPv4 and IPv6 address
discovery state, as described in the following table:
a b c d e f
1. Address literal . . . . . .
1. Address hostname S N . . . T
2. ORPort listener . . C . F .
2. ORPort literal . . C C F .
2. ORPort hostname S N C C F T
3. auto interface ? ? . . F ?
3. auto socket ? ? . . F ?
4. auto hostname S N . . F T
5. auto dir header D N D D F A
See section 3.1.1 for a description and key for this table. See the rest of
section 3.2 for a detailed description of each method and variant.
For security reasons, directory authorities only use addresses that are
explicitly configured in their torrc. Therefore, they stop after step 2.
(And don't use the "hostname" variants in steps 1 and 2.)
For anonymity reasons, bridges are unable to fetch directory documents over
IPv6, until clients start to do so. (See
[Proposal 306: Client Auto IPv6 Connections].)
3.3. Consequential Tor Client Changes
We do not propose any required client address resolution changes at this
time.
However, clients will use the updated address resolution functions to detect
when they are on a new connection, and therefore need to rotate their TLS
keys.
This minor client change allows us to avoid keeping an outdated version of
the address resolution functions, which is only for client use.
Clients should skip address resolution steps that don't apply to them, such
as:
* the ORPort option, and
* the Address option, if it becomes a relay module option.
3.4. Alternative Address Resolution Designs
We briefly mention some potential address resolution designs, and the
reasons that they were not used in this proposal.
(Some designs may be proposed for future Tor versions, but are not necessary
at this time.)
3.4.1. Future Bridge IPv6 Address Resolution Behaviour
When clients automatically fetch directory documents via relay IPv4 and
IPv6 ORPorts by default, bridges should also adopt this dual-stack
behaviour. (For example, see [Proposal 306: Client Auto IPv6 Connections].)
When bridges fetch directory documents via IPv6, they will be able to find
their IPv6 address using directory headers (see 3.2.5).
3.4.2. Guessing Muliple IPv4 or IPv6 Addresses
We avoid designs which guess (or configure) multiple IPv4 or IPv6
addresses, test them all for reachability, and choose one that works.
Using multiple addresses is rare, and the code to handle it is complex. It
also requires careful design to avoid:
* conflicts between multiple relays (or bridges) on the same address
(tor allows up to 2 relays per IPv4 address),
* relay flapping,
* race conditions, and
* relay address switching.
3.4.3. Rejected Address Resolution Designs
We reject designs that try all the different address resolution methods,
score addresses, and then choose the address with the highest score.
These designs are a generalisation of designs that try different methods in
a set order (like this proposal). They are more complex than required.
Complex designs can confuse operators, particularly when they fail.
Operators should not need complex address resolution in tor: most relay
(and bridge) addresses are fixed, or change occasionally. And most relays
can reliably discover their address using directory headers, if all other
methods fail. (Bridges won't discover their IPv6 address from directory
headers, see section 3.2.5.)
If complex address resolution is required, it can be configured using a
dynamic DNS name in the Address torrc option, or via the control port.
We also avoid designs that use any addresses other than the first
(or latest) valid IPv4 and IPv6 address. These designs are more complex, and
they don't have clear benefits:
* sort addresses numerically (avoid address flipping)
* sort addresses by length, then numerically
(also minimise consensus size)
* store a list of previous addresses in the state file, and use the most
recently used address that's currently available.
Operators who want to avoid address flipping should set the Address option
in the torrc. Operators who want to minimise the size of the consensus
should use all-zero IPv6 host identifiers.
3.5. Optional Efficiency and Reliability Changes
We propose some optional changes for efficiency and reliability, and
describe their impact.
Some of these changes may be more appropriate in future releases, or
along with other proposed features.
Some of these changes make tor ignore some potential IP addresses.
Ignoring addresses risks relays having no available ORPort addresses, and
refusing to publish their descriptor. So before we ignore any addresses, we
should make sure that:
* tor's other address detection methods are robust and reliable, and
* we would prefer relays to shut down, rather than use the ignored
address.
As a less severe alternative, low-quality methods can be put last in the
address resolution order. (See section 3.2.)
If relays prefer addresses from particular sources (for example: ORPorts),
they should try these sources regularly, so that their addresses do not
become too old.
If relays ignore addresses from some sources (for example: DirPorts), they
must regularly try other sources (for example: ORPorts).
3.5.1. Using Authenticated IPv4 and IPv6 Addresses
We propose this optional change, to improve relay (and bridge) address
accuracy and reliability.
Relays should try to use authenticated connections to discover their own
IPv4 and IPv6 addresses.
Tor supports two kinds of authenticated address information:
* authenticated directory connections, and
* authenticated NETINFO cells.
See the following sections for more details.
See also sections 3.5.2 to 3.5.4.
3.5.1.1. Authenticated Directory Connections
We propose this optional change, to improve relay address accuracy and
reliability. (Bridges are not affected, because they already use
authenticated directory connections, just like clients.)
Tor supports authenticated, encrypted directory fetches using BEGINDIR over
ORPorts (see the [Tor Specification] for details).
Relays currently fetch unencrypted directory documents over DirPorts. The
directory document itself is signed, but the HTTP headers are not
authenticated. (Clients and bridges only fetch directory documents using
authenticated directory fetches.)
Using authenticated directory headers for relay addresses:
* provides authenticated address information,
* reduces the number of attackers that can deliberately give a relay an
incorrect IP address, and
* avoids caches (or other machines) accidentally mangling, deleting, or
repeating X-Your-Address-Is headers.
To make this change, we need to modify tor's directory connection code:
* when making directory requests, relays should fetch some directory
documents using BEGINDIR over ORPorts.
Once tor regularly gets authenticated X-Your-Address-Is headers, relays can
change how they handle unauthenticated addresses. When they receive an
unauthenticated address suggestion, relays can:
* ignore the address, or
* use the address as the lowest priority address method.
See section 3.5 for some factors to consider when making this design
decision.
For security reasons, directory authorities only use addresses that are
explicitly configured in their torrc. Since directory headers are provided
by other directory servers, directory authorities do not use this address
resolution method.
For anonymity reasons, bridges are unable to fetch directory documents over
IPv6, until clients start to do so. (See
[Proposal 306: Client Auto IPv6 Connections].)
Bridges currently use authenticated IPv4 connections for all their
directory fetches, to imitate default client behaviour.
We describe a related change, which is also optional:
We can increase the number of ORPort directory fetches:
* if tor has an existing ORPort connection to a relay that it has selected
for a directory fetch, it should use an ORPort fetch, rather than
opening an additional DirPort connection.
Using an existing ORPort connection:
* saves one DirPort connection and file descriptor,
* but slightly increases the cryptographic processing done by the relay,
and by the directory server it is connecting to.
However, the most expensive cryptographic operations have already happened,
when the ORPort connection was opened.
This change does not increase the number of NETINFO cells, because it
re-uses existing OR connections. See the next section for more details.
3.5.1.2. Authenticated NETINFO Cells
We propose this optional change, to improve relay (and bridge) address
accuracy and reliability. (Bridge IPv6 addresses are not affected, because
bridges only make OR connections over IPv4, to imitate default client
behaviour.)
Tor supports authenticated IPv4 and IPv6 address information, using the
NETINFO cells exchanged at the beginning of each ORPort connection (see the
[Tor Specification] for details).
Relays do not currently use any address information from NETINFO cells.
Using authenticated NETINFO cells for relay addresses:
* provides authenticated address information,
* reduces the number of attackers that can deliberately give a relay an
incorrect IP address, and
* does not require a directory fetch (NETINFO cells are sent during
connection setup).
To make this change, we need to modify tor's cell processing:
* when processing NETINFO cells, tor should store the OTHERADDR field,
like it currently does for X-Your-Address-Is HTTP headers, and
* IPv4 and IPv6 addresses should be stored separately.
See the previous section, and section 3.2.5 for more details about the
X-Your-Address-Is HTTP header.
Once tor uses NETINFO cell addresses, relays can change how they handle
unauthenticated X-Your-Address-Is headers. When they receive an
unauthenticated address suggestion, relays can:
* ignore the address, or
* use the address as the lowest priority address method.
See section 3.5 for some factors to consider when making this design
decision.
We propose that tor continues to use the X-Your-Address-Is header, and adds
support for addresses in NETINFO cells. X-Your-Address-Is headers are sent
once per directory document fetch, but NETINFO cells are only sent once per
OR connection.
If a relay:
* only gets addresses from NETINFO cells from authorities, and
* has an existing, long-term connection to every authority,
then it may struggle to detect address changes.
Once all supported tor versions use NETINFO cells for address detection, we
should review this design decision. If we are confident that almost all
relays will be forced to make new connections when their address changes,
then tor may be able to stop using X-Your-Address-Is HTTP headers.
For security reasons, directory authorities only use addresses that are
explicitly configured in their torrc. Since NETINFO cells are provided
by other directory servers, directory authorities do not use this address
resolution method.
Bridges only make OR connections, and those OR connections are only over
IPv4, to imitate default client behaviour.
For anonymity reasons, bridges are unable to make regular connections over
IPv4 and IPv6, until clients start to do so. (See
[Proposal 306: Client Auto IPv6 Connections].)
As an alternative design, if tor's addresses are stale, it could close some
of its open directory authority connections. (Similar to section 4.4.2
in [Proposal 311: Relay IPv6 Reachability], where relays close existing OR
connections, before testing their own reachability.) However, this design is
more complicated, because it involves tracking address age, as well as the
address itself.
3.5.2. Preferring IPv4 and IPv6 Addresses from Directory Authorities
We propose this optional change, to improve relay (but not bridge) address
accuracy and reliability.
Relays prefer IPv4 and IPv6 address suggestions received from Directory
Authorities.
Directory authorities do not use these address detection methods to
discover their own addresses, for security reasons.
When they receive an address suggestion from a directory mirror, relays can:
* ignore the address, or
* use the address as the lowest priority address method.
See section 3.5 for some factors to consider when making this design
decision.
Bridges only make OR connections, and those OR connections are only over
IPv4, to imitate default client behaviour.
For anonymity reasons, bridges are unable to make regular connections over
IPv6, until clients start to do so. (See
[Proposal 306: Client Auto IPv6 Connections].)
See also sections 3.5.1 to 3.5.4.
3.5.3. Ignoring Addresses on Inbound Connections
We propose this optional change, to improve relay (and bridge) address
accuracy and reliability.
Relays ignore IPv4 and IPv6 address suggestions received on inbound
connections.
We make this change, because we want to detect the IP addresses of the
relay's outbound routes, rather than the addresses that that other relays
believe they are connecting to for inbound connections.
If we make this change, relays may need to close some inbound connections,
before doing address detection. If we also make the changes in sections
3.5.1 and 3.5.2, busy relays could have persistent, inbound OR connections
from all directory authorities. (Currently, there are 9 directory
authorities with IPv4 addresses, and 6 directory authorities with IPv6
addresses.)
Directory authorities do not use these address detection methods to
discover their own addresses, for security reasons.
See also sections 3.5.1 to 3.5.4.
3.5.4. Load Balancing
We propose some optional changes to improve relay (and bridge)
load-balancing across directory authorities.
Directory authorities do not use these address detection methods to
discover their own addresses, for security reasons.
See also sections 3.5.1 to 3.5.3.
3.5.4.1. Directory Authority Load Balancing
Relays may prefer:
* authenticated connections (section 3.5.1).
Relays and bridges may prefer:
* connecting to Directory Authorities (section 3.5.2), or
* ignoring addresses on inbound connections (section 3.5.3)
(and therefore, they may close some inbound connections,
leading to extra connection re-establishment load).
All these changes are optional, so they might not be implemented.
Directory authorities do not use these address detection methods to
discover their own addresses, for security reasons.
If both changes are implemented, we would like all relays (and bridges) to
do frequent directory fetches:
* using BEGINDIR over ORPorts,
* to directory authorities.
However, this extra load from relays may be unsustainable during high
network load (see
[Ticket 33018: Dir auths using an unsustainable 400+ mbit/s]).
For anonymity reasons, bridges should avoid connecting to directory
authorities too frequently, to imitate default client behaviour.
Therefore, we propose a simple load-balancing scheme between address
resolution and non-address resolution requests:
* when relays first start up, they should make two directory authority
ORPort fetch attempts, one on IPv4, and one on IPv6,
* relays should also make occasional directory authority ORPort directory
fetch attempts, on IPv4 and IPv6, to learn if their addresses have
changed.
We propose a new torrc option and consensus parameter:
RelayMaxIntervalWithoutAddressDetectionRequest N seconds|minutes|hours
Relays make most of their directory requests via directory mirror DirPorts,
to reduce the load on directory authorities.
When this amount of time has passed since a relay last connected to a
directory authority ORPort, the relay makes its next directory request via
a directory authority ORPort. (Default: 15 minutes)
The final name and description for this option will depend on which optional
changes are actually implemented in tor. In particular, this option should
only consider requests that tor may use to discover its IP addresses.
For example:
* if tor uses NETINFO cells for addresses (section 3.5.1.2), then all
OR connections to an authority should be considered,
* if tor does not use NETINFO cells for addresses, and only uses
X-Your-Address-Is headers, then only directory fetches from authorities
should be considered.
We set the default value of this option to 15 minutes, because:
* tor's reachability tests fail if the ORPort is unreachable after 20
minutes. So we want to do at least two address detection requests in
the first 20 minutes;
* the minimum consensus period is 30 minutes, and we want to do at least
one address detection per consensus period. (Consensuses are usually
created every hour. But if there is no fresh consensus, directory
authorities will try to create a consensus every 30 minutes); and
* the default value for TestingAuthDirTimeToLearnReachability is 30
minutes. So directory authorities will make reachability test OR
connections to each relay, at least every 30 minutes. Therefore, relays
will see NETINFO cells from directory authorities about this often.
(Relays may use NETINFO cells for address detection, see section
3.5.1.2.)
See also section 3.5.4.3, for some general load balancing criteria, that
may help when tuning the address detection interval.
We propose a related change, which is also optional: