Re: [tor-bugs] #31011 [Core Tor/Tor]: Make the bridge authority reject private PT addresses when DirAllowPrivateAddresses is 0

["Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>]

#31011: Make the bridge authority reject private PT addresses when
DirAllowPrivateAddresses is 0
-----------------------------------------------+---------------------------
 Reporter:  teor                               |          Owner:  (none)
     Type:  defect                             |         Status:  new
 Priority:  Medium                             |      Milestone:  Tor:
                                               |  unspecified
Component:  Core Tor/Tor                       |        Version:
 Severity:  Normal                             |     Resolution:
 Keywords:  anti-censorship-roadmap-september  |  Actual Points:
Parent ID:  #31009                             |         Points:  1
 Reviewer:                                     |        Sponsor:
                                               |  Sponsor28-can
-----------------------------------------------+---------------------------

Comment (by teor):

 Replying to [comment:9 phw]:
 > I prefer having the bridge authority reject descriptors with private
 addresses. In my opinion, a private address has no business being in the
 descriptor and we should reject such descriptors rather than guessing what
 the bridge operators meant to do.

 Thanks, that seems like a sensible decision.

 We can add bridge authority code that rejects extra-info descriptors with
 a private address in any `transport` line.

 We should probably also add a config error on the bridge side, if
 ServerTransportListenAddress is an internal address,
 compute_publishserverdescriptor() is bridge, and the bridge is using the
 default bridge authority.

 Here's how the `transport` line is created on the bridge side:
 https://github.com/torproject/tor/blob/f6c9ca3a1d1c29a293915612e26cdbfeb050c192/src/feature/relay/router.c#L3190
 https://github.com/torproject/tor/blob/60d5ff303d65bb7caf5c064675c661faac4cecf1/src/feature/client/transports.c#L1615

 Here's where we reject extra-info descriptors in dirserv_add_extrainfo():
 https://github.com/torproject/tor/blob/53bdd21179b3507b8d8aa2788e4955df8619f6db/src/feature/dirauth/process_descs.c#L789

 See dirserv_router_has_valid_address() for some example code. This code
 rejects relay descriptors with private IPv4 or IPv6 addresses, when
 DirAllowPrivateAddresses is 0:
 https://github.com/torproject/tor/blob/53bdd21179b3507b8d8aa2788e4955df8619f6db/src/feature/dirauth/process_descs.c#L456

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31011#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs