
Re: end-to-end encryption question



On Wed, 19 Sep 2007, Roger Dingledine wrote:

> If your webserver rejects requests from 127.0.0.1, that's bad, and it
> will break people trying to reach your website from your Tor server.
> 
> The reason for this is that many modern OSes look at the destination
> (1.2.3.4), realize they've got a better route for that, and decide to
> route it via 127.0.0.1.
> 
> (This might not be true for your favorite OS -- I'm not sure which OSes
> have this behavior -- but in practice it's true for enough of them that
> many people run into it.)
> 
> > > b) If I have "ExitPolicyRejectPrivate 1" in my torrc, does that
> > > prevent such end-to-end encryption?
> 
> No, because Tor looks at the address (1.2.3.4) and your exit policy is
> fine with it. It's only later, in the OS, that it gets switched over.

Not quite.

Assume my external interface - eth0 - is configured to have the IP
address 192.0.2.10.

If I connect to that address from my own computer the destination
address will always stay 192.0.2.10 - there's no magic switching behind
the scenes.  That request is routed - on Linux at least - through the lo
interface however.

As for source address, that depends on a few factors again.  If you bind
to 192.0.2.10 using OutboundBindAddress then that's the source address
that will be used.  If you don't specify one then the kernel will pick
one for you.  That's probably going to be 192.0.2.10 again but there's
no reason why it couldn't be 127.0.0.1.  IPv6 in particular likes to use
::1 (IPv6's version of 127.0.0.1) in such instances.

Peter
-- 
                           |  .''`.  ** Debian GNU/Linux **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/
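The two replies above disagree on a detail that is easy to check empirically: when a process on the relay host connects to the host's own external address, does the destination change, and which source address does the kernel pick? The following script is an added example, not part of this thread and not Tor code. It binds a throwaway listener to a given local address, connects to it from the same host (optionally with an explicit source bind, the equivalent of Tor's OutboundBindAddress), and reports the addresses each side observes. The address 192.0.2.10 from the post is only an example; `probe_self_connection` takes whatever address your interface actually carries, and `local_addresses` is a best-effort discovery helper that may return nothing on an isolated host.

```python
import ipaddress
import socket
import threading


def probe_self_connection(dest_ip, source_ip=None, timeout=2.0):
    """Connect from this host to a listener bound on dest_ip and report
    what each side sees.  Returns a dict with:
      client_local  - source address the kernel (or the explicit bind) gave the client
      client_peer   - destination address as seen by the client
      server_peer   - client address as seen by the accepting server
    """
    family = socket.AF_INET6 if ":" in dest_ip else socket.AF_INET
    result = {}
    with socket.socket(family, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((dest_ip, 0))          # port 0: kernel picks a free port
        srv.listen(1)
        srv.settimeout(timeout)
        port = srv.getsockname()[1]

        def accept_once():
            try:
                conn, peer = srv.accept()
                result["server_peer"] = peer[0]
                conn.close()
            except OSError:
                pass                    # timeout or closed listener: leave key absent

        t = threading.Thread(target=accept_once)
        t.start()
        with socket.socket(family, socket.SOCK_STREAM) as cli:
            cli.settimeout(timeout)
            if source_ip is not None:
                cli.bind((source_ip, 0))   # explicit source, like OutboundBindAddress
            cli.connect((dest_ip, port))
            result["client_local"] = cli.getsockname()[0]
            result["client_peer"] = cli.getpeername()[0]
        t.join(timeout)
    return result


def source_is_loopback(result):
    """True when the kernel chose a loopback source (127.0.0.0/8 or ::1).
    A server that rejects loopback clients would refuse such a connection."""
    return ipaddress.ip_address(result["client_local"]).is_loopback


def local_addresses():
    """Best-effort list of this host's non-loopback addresses (assumption:
    the hostname resolves to them; on an isolated box this may be empty)."""
    found = []
    try:
        for info in socket.getaddrinfo(socket.gethostname(), None):
            addr = info[4][0].split("%")[0]
            if not ipaddress.ip_address(addr).is_loopback and addr not in found:
                found.append(addr)
    except (socket.gaierror, ValueError):
        pass
    return found


if __name__ == "__main__":
    for addr in ["127.0.0.1"] + local_addresses():
        try:
            r = probe_self_connection(addr)
            print(f"dest {addr}: client sees peer {r['client_peer']}, "
                  f"source {r['client_local']}, server sees {r.get('server_peer')}, "
                  f"loopback source: {source_is_loopback(r)}")
            if not ipaddress.ip_address(addr).is_loopback:
                # Pin the source the way OutboundBindAddress would.
                r2 = probe_self_connection(addr, source_ip=addr)
                print(f"  with explicit bind: server sees {r2.get('server_peer')}")
        except OSError as exc:
            print(f"dest {addr}: probe failed ({exc})")
```

If `client_peer` equals the address you passed in, the destination was not rewritten, which supports the reply above; `client_local` is what a source-address allow-list on your webserver would be judging, so a `True` from `source_is_loopback` on your external address is the case where rejecting 127.0.0.1 or ::1 would break connections that traverse your own relay.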