[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] Please consider allowing /48 for VirtualAddrNetworkIPv6



On Sat, 17 Sep 2016 07:46:05 +1000, teor wrote:

>> On 17 Sep 2016, at 05:20, grarpamp
>> <grarpamp@xxxxxxxxx> wrote:
>> 
>> On Fri, Sep 16, 2016 at 5:13 AM, Alex Elsayed
>> <eternaleye@xxxxxxxxx> wrote:
>>> Hi, I'm using Tor in transparent mode, and I'm running into a rather
>>> inconvenient behavior.
>>> 
>>> VirtualAddrNetworkIPv6 refuses to parse unless the network address
>>> given is a /40 or broader. However, IPv6 ULA, which makes it very easy
>>> to give Tor its own subnet no-strings-attached, strictly grants a /48
>>> prefix.
>>> 
>>> As a result, I am faced with a choice between deeply suboptimal
>>> options:
>>> 
>>> 1.) Use VirtualAddrNetworkIPv4, as I've done in the past. This results
>>> in _fewer_ addresses being available to Tor than an IPv6 /48, which I
>>> feel illustrates the issues with requiring a /40 quite clearly.
>>> 
>>> 2.) Squat on some portion of the IPv6 address space I don't actually
>>> own.
>>> This is entirely unpalatable
>> 
>> This impacts with onioncat as well.
>> I'm curious as to any /40 rationale, though I suspect a historical
>> brainfart typo.
> 
> In fact, a min/max typo, which contributed to the IPv6 /40 mistake:
> https://trac.torproject.org/projects/tor/ticket/20151 (Feel free to log
> tickets at https://trac.torproject.org/projects/tor when these sorts of
> issues come up.)

Ah, interesting; thanks for filing that! I'll be commenting on it with 
some nits on terminology (old code was max _prefix length_, the message 
and your change are min _subnet size_ - IMO, the old code was right-ish 
in its variable names, and the message simply reframed it to a less 
technical perspective).

> In the interim, Alex, have you tried using [FC00::]/7 ?
> From the tor manual entry on VirtualAddrNetworkIPv6:
> 
>           When providing proxy server service to a network of computers
>           using
>            a tool like dns-proxy-tor, change the IPv4 network to
>            "10.192.0.0/10" or "172.16.0.0/12" and change the IPv6
>            network to "[FC00]/7".
> 
> (Yes, there is a typo in the last IPv6 address as well.
> https://trac.torproject.org/projects/tor/ticket/20153 )

That's actually a separate complaint - Using [FC00]/7 _would_ be my 
option 2, and constitute squatting on sections of the address space I 
don't own. In particular:

- [FC00]/8 is _reserved by the IANA_, and beyond that, CJDNS is already 
squatting on it. :/
- [FD00]/8 is _in active, standards-blessed use_ - to be specific, it's 
what IPv6 ULA uses!

Using [FC00]/7 would actually cause me _practical_ problems as well, 
because I'm doing this on my OpenWRT router... which uses an IPv6 ULA for 
the LAN, with Network Prefix Translation to the WAN IPv6 network so that 
the local net doesn't renumber if upstream changes.

If I used [FC00]/7, Tor's manufactured addresses could overlap with my 
actual LAN!

_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev