[tor-relays] Re: automatic exit restriction policy does not include IPv6
On Wed, Dec 17, 2025 at 09:41:33PM +0100, Marco Moock via tor-relays wrote:
> I noticed that the implicit exit policy includes IPv4 localhost, RFC1918
> IPv4 ranges etc, but does not include IPv6 by default, e.g. ::1,
> fe80::/10, fec0::/10 and not the public IPv6 itself. Is that a bug or a
> configuration issue?
Hm! I think it is a bug. Our ipv6 integration is still not as
comprehensive as it should be.
We prepend those reject lines to the default exit policy to avoid security
surprises when people run their relay in a position where localhost or
192.168/16 etc are trusted. For example:
* There was a time when the default apache config allowed localhost to
read /server/status
* It turns out for many operating systems, connecting to 0.0.0.0 means
connecting to localhost
* 192.168/16 too often gets access to your local wifi router
* If you run your exit relay on your DMZ and it has access to your
otherwise-firewalled corporate network on 10/8, now the relay lets
traffic pass between them
Those types of reasons probably apply to ipv6 as well, right? Can
somebody with a good ipv6 understanding open a gitlab ticket with the
address blocks that will introduce these surprises for ipv6 operators?
Thanks,
--Roger
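To make the gap Roger describes concrete, here is an added illustration (not code from Tor or from anyone in this thread). It models a torrc-style exit policy as an ordered list of `reject`/`reject6` lines, evaluates candidate destinations against it, and reports which "trusted position" addresses an exit with only the IPv4 reject lines would still reach. The IPv4 list is constructed from the ranges named in the thread (localhost, 0.0.0.0, RFC 1918); the IPv6 list takes the blocks Marco named (::1, fe80::/10, fec0::/10) and adds, as an assumption, the unspecified address ::/128 and the RFC 4193 unique-local range fc00::/7 as the nearest IPv6 analogues of 0.0.0.0 and RFC 1918. The bracketed `[addr]/prefix` syntax, the first-match semantics and the implicit trailing `accept *:*` are assumptions about the policy format, and the probe addresses are constructed for the example.

```python
import ipaddress
from typing import List, Optional, Tuple, Union

# Constructed torrc-style reject lines for the IPv4 ranges the thread names
# (localhost, 0.0.0.0, RFC 1918). Assumed for illustration; not Tor's source.
IPV4_PRIVATE_REJECTS = [
    "reject 0.0.0.0/8:*",
    "reject 127.0.0.0/8:*",
    "reject 10.0.0.0/8:*",
    "reject 172.16.0.0/12:*",
    "reject 192.168.0.0/16:*",
]

# IPv6 counterparts: the blocks named in the thread (::1, fe80::/10, fec0::/10)
# plus the unspecified address (the 0.0.0.0 analogue) and the RFC 4193
# unique-local range (the RFC 1918 analogue). This list is an assumption.
IPV6_PRIVATE_REJECTS = [
    "reject6 [::]/128:*",
    "reject6 [::1]/128:*",
    "reject6 [fe80::]/10:*",
    "reject6 [fec0::]/10:*",
    "reject6 [fc00::]/7:*",
]

Network = Optional[Union[ipaddress.IPv4Network, ipaddress.IPv6Network]]


def parse_policy_line(line: str) -> Tuple[bool, Network, str]:
    """Parse 'accept|reject[6] <net>:<ports>' into (is_accept, network, ports).

    network is None for the '*' wildcard, which matches both address families.
    """
    action, target = line.split(None, 1)
    if action not in ("accept", "reject", "accept6", "reject6"):
        raise ValueError(f"unknown action in policy line {line!r}")
    host_part, ports = target.rsplit(":", 1)
    if host_part == "*":
        return action.startswith("accept"), None, ports
    if host_part.startswith("["):                 # IPv6 form: [addr]/prefix
        close = host_part.index("]")
        host = host_part[1:close]
        prefix = host_part[close + 1:].lstrip("/") or "128"
        network = ipaddress.ip_network(f"{host}/{prefix}")
    else:                                         # IPv4 form: addr/prefix
        network = ipaddress.ip_network(host_part if "/" in host_part else f"{host_part}/32")
    return action.startswith("accept"), network, ports


def port_matches(spec: str, port: int) -> bool:
    """Match a port spec of the form '*', 'N' or 'LOW-HIGH'."""
    if spec == "*":
        return True
    if "-" in spec:
        low, high = (int(p) for p in spec.split("-", 1))
        return low <= port <= high
    return int(spec) == port


def exit_allows(policy: List[str], dest: str, port: int = 443) -> bool:
    """First matching line wins; an implicit trailing 'accept *:*' is assumed."""
    addr = ipaddress.ip_address(dest)
    for line in policy:
        is_accept, network, ports = parse_policy_line(line)
        # A line for the other address family can never match this destination.
        if network is not None and (network.version != addr.version or addr not in network):
            continue
        if not port_matches(ports, port):
            continue
        return is_accept
    return True


# Constructed probe destinations an operator would not want an exit to reach.
PROBES = ["127.0.0.1", "0.0.0.0", "10.1.2.3", "192.168.1.1",
          "::", "::1", "fe80::1", "fec0::1", "fd00::1"]


def leaks(policy: List[str], probes: List[str] = PROBES) -> List[str]:
    """Return the probe destinations the policy would still let traffic reach."""
    return [p for p in probes if exit_allows(policy, p)]


if __name__ == "__main__":
    print("IPv4-only rejects leak:", leaks(IPV4_PRIVATE_REJECTS))
    print("with IPv6 rejects leak:", leaks(IPV4_PRIVATE_REJECTS + IPV6_PRIVATE_REJECTS))
```

Run against the IPv4-only list, `leaks()` reports every IPv6 probe, which is exactly the situation described above: a reject line for 127.0.0.0/8 says nothing about ::1, because a policy line only ever matches destinations of its own address family. Prepending the IPv6 lines closes the list, which is the shape of the fix a gitlab ticket would propose, whatever the final set of blocks turns out to be.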
_______________________________________________
tor-relays mailing list -- tor-relays@xxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to tor-relays-leave@xxxxxxxxxxxxxxxxxxxx