
Re: [tor-talk] New release candidate: Tor

On Fri, 5 Feb 2021 08:51:56 -0500
David Goulet <dgoulet@xxxxxxxxxxxxxx> wrote:

> Can you expand here on why you think an operator using a /64 is worse than an
> operator using an IPv4 /24 to run their relays?

In IPv4 a single person will rarely have an entire /24 to themselves; as
such, connections coming from different IPs in a /24 are more often assumed to
have no relation to each other.

...but in IPv6 a single person *most often* will have a /64, or more. Given
the current kinds of deployments, maybe not always in datacenters, but always
on broadband customer connections.

...so anyone and their dog can now be "using a /64" in IPv6, and if any
filtering, rate-limiting or banning solution happens to believe a /64 to be on
equal grounds with a /24 of IPv4, they can now gain the benefit of the doubt
of being considered separate, distinct entities, and reap whatever profit is
to be had from that, if any.

> We have large Exit operators on the network that have racks of servers but
> only have a /48 available to them and thus they run a "fleet" of Exits on that
> very close by address range.

A /48 is 65.5 thousand /64s, so they could use a separate /64 for each
relay and that would still fit more relays than are in the entire Tor network.

> As for sybil, we are looking for more than 2 relays per address which is the
> limit that has been for a long time now. That is true on IPv4 and IPv6 as
> well, the checked masks are /32 and /128 respectively.

The argument is that since a /64 in IPv6 is often controlled by a single
person, for the purposes of spam filtering, rate-limiting, or in this case
sybil detection, a /64 by itself should be equated with "an address" (or "one
user"), i.e. treated the same as 1 IP (/32) in the IPv4 world.

With respect,
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
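The following is an added illustration of the sybil-mask question discussed in the message above; it is not code from the thread, from Tor, or from any of its authors. It takes the limit quoted in the reply (more than 2 relays per "address" is flagged) and compares the current masks (/32 and /128) with the proposed ones (/32 and /64) on a constructed list of relay addresses drawn from documentation ranges. Function and constant names are this example's own.

```python
import ipaddress
from collections import defaultdict

# Mask widths per IP version. CURRENT_MASKS is what the quoted reply says is
# checked today; PROPOSED_MASKS is the /64-as-one-address rule argued for above.
CURRENT_MASKS = {4: 32, 6: 128}
PROPOSED_MASKS = {4: 32, 6: 64}

# The quoted reply: "more than 2 relays per address" is the long-standing limit.
MAX_RELAYS_PER_KEY = 2


def entity_key(addr, masks):
    """Collapse an address to the prefix that is treated as 'one address'.

    The returned string (e.g. '2001:db8:1::/64') is the grouping key; two
    relays with the same key are counted as coming from the same entity.
    """
    ip = ipaddress.ip_address(addr)
    prefix_len = masks[ip.version]
    # strict=False zeroes the host bits so every address in the prefix maps
    # to the same network string.
    return str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))


def flag_sybil_groups(addrs, masks, limit=MAX_RELAYS_PER_KEY):
    """Return {key: [addresses]} for every key holding more than `limit` relays."""
    groups = defaultdict(list)
    for addr in addrs:
        groups[entity_key(addr, masks)].append(addr)
    return {key: members for key, members in groups.items() if len(members) > limit}


# Constructed sample data (documentation ranges, not real relays):
SAMPLE_RELAYS = [
    # IPv4: two relays on one /32 (at the limit, allowed) plus one on a neighbour.
    "198.51.100.10", "198.51.100.10", "198.51.100.11",
    # IPv6: four relays spread over one /64, the case the message is about.
    "2001:db8:1::1", "2001:db8:1::2", "2001:db8:1::3", "2001:db8:1::4",
    # IPv6: a /48 holder putting each relay in its own /64, as suggested above.
    "2001:db8:2:1::1", "2001:db8:2:2::1", "2001:db8:2:3::1",
]


if __name__ == "__main__":
    # With /128 masking every IPv6 relay is its own "address", so nothing trips.
    print("current masks:", flag_sybil_groups(SAMPLE_RELAYS, CURRENT_MASKS))
    # With /64 masking the four relays in 2001:db8:1::/64 are one entity and
    # exceed the limit, while the one-relay-per-/64 operator stays clean.
    print("proposed masks:", flag_sybil_groups(SAMPLE_RELAYS, PROPOSED_MASKS))
```

The point the example makes concrete: under the current /128 mask the four relays in one /64 are invisible to the per-address count, whereas under a /64 mask they are caught, and an operator who spreads relays across distinct /64s of a /48 is still not penalised.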