Re: [tor-bugs] #28525 [Core Tor/Tor]: Make tor_addr_is_internal_() aware of RFC 6598 (Carrier Grade NAT/Large Scale NAT) IPv4 Ranges
#28525: Make tor_addr_is_internal_() aware of RFC 6598 (Carrier Grade NAT/Large
Scale NAT) IPv4 Ranges
-----------------------------------------+---------------------------------
 Reporter:  neel                         |  Owner:  neel
     Type:  enhancement                  |  Status:  needs_revision
 Priority:  Medium                       |  Milestone:  Tor: unspecified
Component:  Core Tor/Tor                 |  Version:
 Severity:  Normal                       |  Resolution:
 Keywords:  ipv6, 040-deferred-20190220  |  Actual Points:
Parent ID:                               |  Points:
 Reviewer:  nickm                        |  Sponsor:
-----------------------------------------+---------------------------------
Comment (by teor):
Here is what would happen in each of these cases, if we do what I describe
in my last comment:
Replying to [comment:11 nickm]:
> The main purpose of the rest of my review here is to see what else we
would need to change to make sure this change is safe. I'm going to do
this by looking at all the users of tor_addr_is_internal in the codebase.
>
> * In warn_nonlocal_client_ports(), we will stop warning about binding
a socksport to one of these addresses. Is this a problem? I need more
guidance from others.
We would continue to warn when client ports are on RFC6598 addresses.
> * In warn_nonlocal_ext_orports(), we will stop warning about binding
an extorport to one of these addresses. (same note as above)
We would continue to warn when extorports are on RFC6598 addresses.
> * In connection_is_rate_limited(), we no longer count connections to
or from one of these addresses as having any rate limits.
We would not rate-limit connections to RFC6598 addresses (addr is the
remote address). That's a rare case, and probably ok for clients with
private bridges on the same local network. It might be slightly worse for
(multiple) clients, with rate limiting, on the same mobile network as a
private bridge, but that's a rare case.
If intra-RFC6598 network connections become a more common case, we could
add a FOR_RATE_LIMITING flag, and mark RFC6598 addresses as external when
FOR_RATE_LIMITING is passed. Let's do that if needed, in a separate
ticket.
> * In channeltls.c [which calls tor_addr_is_internal via
is_local_addr()], we count any OR connections to these addresses as
"local", which seems unwise.
channel_is_local() is only called by onionskin_answer(), before calling
router_orport_found_reachable(). (There are other calls, but they're only
used for logging.)
We would stop calling router_orport_found_reachable() for remote
connections from RFC6598 addresses, which is good.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28525#comment:19>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
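The behaviour table teor walks through above (keep warning for client/ext-OR ports bound to RFC 6598 addresses, treat RFC 6598 peers as internal for rate limiting and for the "local OR connection" check, with a possible FOR_RATE_LIMITING flag later) can be modelled as one classifier that takes a purpose flag. The block below is an added illustration, not tor's tor_addr_is_internal_() and not code from this ticket; the names addr_is_internal_ex, ADDR_FOR_LISTENING, ADDR_FOR_RATE_LIMITING and the caller wrappers are assumptions made for the example, and only IPv4 is handled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical purpose flags (not tor's real API). */
#define ADDR_FOR_LISTENING     (1u << 0) /* warn_nonlocal_client_ports / warn_nonlocal_ext_orports */
#define ADDR_FOR_RATE_LIMITING (1u << 1) /* the optional flag proposed in the comment */

typedef struct {
  uint32_t net;      /* network address, host byte order */
  int prefix;        /* prefix length */
  bool rfc6598;      /* true for the Carrier Grade NAT range */
} range_t;

/* Ranges treated as internal. RFC 1918, loopback, link-local, and RFC 6598 (100.64.0.0/10). */
static const range_t ranges[] = {
  { 0x0A000000u,  8, false }, /* 10.0.0.0/8 */
  { 0xAC100000u, 12, false }, /* 172.16.0.0/12 */
  { 0xC0A80000u, 16, false }, /* 192.168.0.0/16 */
  { 0x7F000000u,  8, false }, /* 127.0.0.0/8 */
  { 0xA9FE0000u, 16, false }, /* 169.254.0.0/16 */
  { 0x64400000u, 10, true  }, /* 100.64.0.0/10, RFC 6598 */
};

static bool in_range(uint32_t ip, const range_t *r) {
  uint32_t mask = r->prefix == 0 ? 0u : 0xFFFFFFFFu << (32 - r->prefix);
  return (ip & mask) == r->net;
}

/* Parse dotted-quad IPv4 into host byte order; returns 0 on malformed input. */
uint32_t ipv4(const char *s) {
  unsigned a, b, c, d;
  if (sscanf(s, "%u.%u.%u.%u", &a, &b, &c, &d) != 4) return 0;
  if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
  return (a << 24) | (b << 16) | (c << 8) | d;
}

/*
 * Purpose-aware internal check. RFC 1918/loopback/link-local are always
 * internal. RFC 6598 is internal by default (so intra-CGNAT connections are
 * not rate limited and count as "local" OR connections), but is reported as
 * external when the caller is deciding whether a bind address is safe
 * (ADDR_FOR_LISTENING), so the non-local port warnings keep firing, or when
 * the proposed ADDR_FOR_RATE_LIMITING flag is passed.
 */
bool addr_is_internal_ex(uint32_t ip, unsigned flags) {
  for (size_t i = 0; i < sizeof ranges / sizeof ranges[0]; i++) {
    if (!in_range(ip, &ranges[i])) continue;
    if (ranges[i].rfc6598 && (flags & (ADDR_FOR_LISTENING | ADDR_FOR_RATE_LIMITING)))
      return false;
    return true;
  }
  return false;
}

/* Wrappers mirroring the callers discussed in the comment (hypothetical). */
bool would_warn_nonlocal_port(uint32_t bind_addr) {
  return !addr_is_internal_ex(bind_addr, ADDR_FOR_LISTENING);
}
bool would_rate_limit(uint32_t remote_addr, unsigned extra_flags) {
  return !addr_is_internal_ex(remote_addr, extra_flags);
}
bool would_count_as_local_orconn(uint32_t remote_addr) {
  return addr_is_internal_ex(remote_addr, 0);
}

int main(void) {
  const char *samples[] = { "100.64.1.2", "10.1.2.3", "100.128.0.1", "8.8.8.8" };
  for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
    uint32_t ip = ipv4(samples[i]);
    printf("%-12s warn-bind=%d rate-limit=%d local-orconn=%d\n", samples[i],
           would_warn_nonlocal_port(ip), would_rate_limit(ip, 0),
           would_count_as_local_orconn(ip));
  }
  return 0;
}
```

With the flag, the only call sites that change when RFC 6598 is added are the ones that pass no purpose flag; the bind-address warnings keep their old behaviour, and the rate-limiting policy can be flipped later by passing ADDR_FOR_RATE_LIMITING at that one call site instead of editing the range table.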