[tor-relays] Re: Add CGNAT 100.64.0.0/10 to Default Exit Relay Reject Policy
- To: tor-relays@xxxxxxxxxxxxxxxxxxxx
- Subject: [tor-relays] Re: Add CGNAT 100.64.0.0/10 to Default Exit Relay Reject Policy
- From: vm666--- via tor-relays <tor-relays@xxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 3 Dec 2025 11:23:53 +0100
- In-reply-to: <ylM1p7_mMMGeKe7-IdOWslpKLXr4qUgdoOWsZu7ekZcCJRDfOuEc5vXymEO5O4mNPwHUXw3r3CGdYspaCVOElk2cQeiLEwNZq5BGrMtERGU=@likogan.dev>
- List-id: "support and questions about running Tor relays (exit, non-exit, bridge)" <tor-relays.lists.torproject.org>
- Organization: SOS Besoin de rien
- References: <ylM1p7_mMMGeKe7-IdOWslpKLXr4qUgdoOWsZu7ekZcCJRDfOuEc5vXymEO5O4mNPwHUXw3r3CGdYspaCVOElk2cQeiLEwNZq5BGrMtERGU=@likogan.dev>
- Reply-to: vm666@xxxxxxxxxxxxxxxxxxx
On Sun, 06 Jul 2025 19:13:36 +0000
admin--- via tor-relays <tor-relays@xxxxxxxxxxxxxxxxxxxx> wrote:
> I've noticed that the non-publicly routable CGNAT subnet of
> 100.64.0.0/10 is not in the default exit policy reject list like
> 192.168/16 and 10/8 are. This range is not publicly routed, and
> should never need to be accessed from a Tor exit.

Sorry for the late answer, I noticed that this range has been added in
tor_addr_is_internal_() now.

Anyway, shouldn't Tor ExitPolicy reject all special IP ranges?
See https://en.wikipedia.org/wiki/Reserved_IP_addresses

DS-Lite (192.0.0.0/24) seems to be some kind of CG-NAT too.
Isn't 198.18.0.0/15 a private range, like RFC 1918?
224.0.0.0/4 and 255.255.255.255 should probably be blocked too, as
well as ff00::/8.

I did not look deeply into all the IPv6 special ranges.

Currently reserved IP ranges are not routed but may be revived later
and have security consequences.

My 2 ¢
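
An added example, not part of the message above and not Tor's own code: an exit operator's helper that renders explicit `ExitPolicy` reject lines for the ranges named in this message and reports which of them a destination address falls into. The labels, function names and sample addresses are constructed for the illustration, and it makes no claim about which of these ranges the installed tor already rejects by default.

```python
import ipaddress

# Ranges named in the message above. The labels are added here, not quoted.
NAMED_RANGES = {
    "100.64.0.0/10": "CGNAT shared address space (RFC 6598)",
    "192.0.0.0/24": "IETF protocol assignments, incl. DS-Lite (RFC 6890)",
    "198.18.0.0/15": "network benchmarking (RFC 2544)",
    "224.0.0.0/4": "IPv4 multicast",
    "255.255.255.255/32": "limited broadcast",
    "ff00::/8": "IPv6 multicast",
}


def torrc_reject_lines(ranges=NAMED_RANGES):
    """Render torrc lines; they must precede any accept rule (first match wins)."""
    lines = []
    for cidr, label in ranges.items():
        net = ipaddress.ip_network(cidr)  # raises ValueError on host bits / typos
        lines.append(f"# {label}")
        if net.version == 4:
            lines.append(f"ExitPolicy reject {net.network_address}/{net.prefixlen}:*")
        else:  # tor's manual writes IPv6 as reject6 [addr]/bits:port
            lines.append(f"ExitPolicy reject6 [{net.network_address}]/{net.prefixlen}:*")
    return lines


def matching_range(dest, ranges=NAMED_RANGES):
    """Return the listed CIDR that contains dest (an IP literal), else None."""
    addr = ipaddress.ip_address(dest)
    # An IPv4-mapped IPv6 literal (::ffff:a.b.c.d) is checked as the IPv4 address.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    for cidr in ranges:
        net = ipaddress.ip_network(cidr)
        if net.version == addr.version and addr in net:
            return cidr
    return None


if __name__ == "__main__":
    print("\n".join(torrc_reject_lines()))
    for sample in ("100.100.1.1", "198.19.255.255", "::ffff:100.64.0.1", "8.8.8.8"):
        print(sample, "->", matching_range(sample))  # constructed sample addresses
```

After pasting the generated lines into torrc, `tor --verify-config` confirms that the installed version parses them before the relay is reloaded.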