[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #26646 [Core Tor/Tor]: add support for multiple OutboundBindAddressExit IP(ranges)

To: undisclosed-recipients: ;
Subject: Re: [tor-bugs] #26646 [Core Tor/Tor]: add support for multiple OutboundBindAddressExit IP(ranges)
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Thu, 05 Jul 2018 00:58:15 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 04 Jul 2018 20:58:25 -0400
In-reply-to: <046.5aea0b481b890c9dc2f30b2cbbe5ade7@torproject.org>
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
References: <046.5aea0b481b890c9dc2f30b2cbbe5ade7@torproject.org>
Reply-to: no-reply@xxxxxxxxxxxxxx, tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#26646: add support for multiple OutboundBindAddressExit IP(ranges)
-------------------------------------------------+-------------------------
 Reporter:  nusenu                               |          Owner:  (none)
     Type:  enhancement                          |         Status:  new
 Priority:  Medium                               |      Milestone:  Tor:
                                                 |  unspecified
Component:  Core Tor/Tor                         |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  needs-proposal, tor-exit, ipv6,      |  Actual Points:
  censorship                                     |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------
Changes (by teor):

 * keywords:   => needs-proposal, tor-exit, ipv6, censorship
 * milestone:   => Tor: unspecified


Comment:

 Replying to [ticket:26646 nusenu]:
 > tor has support for dedicated outbound IP addresses
 > for on exit relays via OutboundBindAddressExit.
 > This parameter supports only a single IPv4 and a single IPv6 address.
 >
 > I propose to add an extension of this feature to support IPv4 and IPv6
 > ranges/prefixes.

 Ideally, operators should be able to specify mutliple OutboundBindAddress
 options, with masks.

 > The idea is to assign an IP address to each tor circuit. The exit IP
 > address must never change during the lifetime of the circuit.
 >
 > Exit IP addresses would be randomly assigned to circuits. Once
 > the exit runs out of IPs it cycles through his pool of IPs again.

 Non-replacement is complicated, and has some nasty failure modes.
 Instead, just choose an address at random.

 > With IPv6 address space availability this can take a long time
 > with IPv4 it will be limited.
 >
 > This aims to reduce the negative impact of few "bad" users on many
 "good"
 > users since they will not share the same IP address on the exit.
 >
 > This might also have some negative? side effect since
 > it demultiplexes tor clients to multiple source IPs on the exit
 > and an external observer (not running the exit itself)
 > can tell clients apart by looking at source IPs.

 Perhaps we could limit the number of source IPs with a consensus
 parameter?

 > Instead of doing it on the circuit level you could do it
 > based on time. Change the exit IP every 5 minutes (but
 > do _not_ change the exit IPs for _existing_ circuits even if they
 > live longer than 5 minutes).

 I don't know which design is better: changing the exit IP address based on
 time makes old circuits easier to identify. If we do use time, I suggest
 we use 10 minutes, because it's the default circuit rotation time.

 > https://lists.torproject.org/pipermail/tor-dev/2018-March/013036.html

 This feature is complicated enough that it needs a (short) proposal:
 https://gitweb.torproject.org/torspec.git/tree/proposals/001-process.txt

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26646#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

References:
- [tor-bugs] #26646 [Core Tor/Tor]: add support for multiple OutboundBindAddressExit IP(ranges)
  - From: Tor Bug Tracker & Wiki

Prev by Author: Re: [tor-bugs] #25050 [Metrics/Relay Search]: add sum row at the bottom of the search results
Next by Author: Re: [tor-bugs] #26919 [Metrics/Onionoo]: Remove fingerprint parameter
Previous by thread: [tor-bugs] #26646 [Core Tor/Tor]: add support for multiple OutboundBindAddressExit IP(ranges)
Next by thread: Re: [tor-bugs] #10519 [Core Tor/Tor]: tor uses default IP for dirport instead of the one defined in DirPort
Index(es):
- Author
- Thread