[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-commits] [torspec/master] Prop 312: Explain why untrusted addresses are bad



commit 7a55bf166248a5ff210691cb219df1ec8e40ea29
Author: teor <teor@xxxxxxxxxxxxxx>
Date:   Tue Feb 4 12:10:18 2020 +1000

    Prop 312: Explain why untrusted addresses are bad
    
    And describe a potential attack that gives a relay the wrong address,
    then monitors its traffic.
    
    As suggested by Nick Mathewson.
    
    Part of 33073.
---
 proposals/312-relay-auto-ipv6-addr.txt | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/proposals/312-relay-auto-ipv6-addr.txt b/proposals/312-relay-auto-ipv6-addr.txt
index 05ff9de..ecea79b 100644
--- a/proposals/312-relay-auto-ipv6-addr.txt
+++ b/proposals/312-relay-auto-ipv6-addr.txt
@@ -1,6 +1,6 @@
 Filename: 312-relay-auto-ipv6-addr.txt
 Title: Tor Relays Automatically Find Their IPv6 Address
-Author: teor
+Author: teor, Nick Mathewson
 Created: 28-January-2020
 Status: Draft
 Ticket: #33073
@@ -131,8 +131,18 @@ Ticket: #33073
      * Reliable is better than Unreliable.
    Within these constraints, we try to find the simplest working design.
 
-   Therefore, we propose that tor tries to find relay IPv4 and IPv6 addresses
-   in this order:
+   If a relay is given the wrong address by an attacker, the attacker can
+   direct all inbound relay traffic to their own address. They can't decrypt
+   the traffic without the relay's private keys, but they can monitor traffic
+   patterns.
+
+   Therefore, we only use untrusted address discovery methods, if every other
+   method has failed. Any method that uses DNS is potentially untrusted,
+   because DNS is often a remote, unauthenticated service. And addresses
+   provided by other directory servers are also untrusted.
+
+   Based on these principles, we propose that tor tries to find relay IPv4 and
+   IPv6 addresses in this order:
      1. the Address torrc option
      2. the advertised ORPort address
      3. the advertised DirPort address (IPv4 only; relays, not bridges)



_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits