[tor-relays] Exit node rejection of special IPv4 blocks

I'd like a sanity check on this list of special-purpose IPv4 blocks
which I'm currently forbidding in the CMU exit node's policy. I'm
most uncertain about denying access to multicast (224.0.0.0/4) and
6to4 router anycast (192.88.99.0/24) -- I *think* there are no
scenarios where someone would actually need to get at either of those
via Tor, but I could be wrong.

# Reserved IPv4 addresses, sorted by RFC and then numerically
reject 255.255.255.255/32:*  # RFC 0919: "limited broadcast"
reject 224.0.0.0/4:*         # RFC 1112: multicast
reject 240.0.0.0/4:*         # RFC 1112: future addressing modes
reject 0.0.0.0/8:*           # RFC 1122: "This host" source address
reject 127.0.0.0/8:*         # RFC 1122: Loopback
reject 10.0.0.0/8:*          # RFC 1918: private use
reject 172.16.0.0/12:*       #  "    "     "
reject 192.168.0.0/16:*      #  "    "     "
reject 198.18.0.0/15:*       # RFC 2544: test environments
reject 192.88.99.0/24:*      # RFC 3068: 6to4 relay anycast (???)
reject 169.254.0.0/16:*      # RFC 3927: link-local
reject 192.0.2.0/24:*        # RFC 5737: documentation
reject 198.51.100.0/24:*     #  "    "     "
reject 203.0.113.0/24:*      #  "    "     "
reject 100.64.0.0/10:*       # RFC 6598: "shared space"/"carrier grade NAT"
reject 192.0.0.0/24:*        # RFC 6890: future special purposes

TIA,
zw
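
Part of such a sanity check can be scripted. The following is an added example, not part of the original post: it parses the reject lines above with Python's `ipaddress` module, reports entries that a wider block in the same list already covers, and looks up which rule a given address hits. The function names are hypothetical.

```python
import ipaddress

# The reject lines from the post above, comments dropped.
POLICY = """
reject 255.255.255.255/32:*
reject 224.0.0.0/4:*
reject 240.0.0.0/4:*
reject 0.0.0.0/8:*
reject 127.0.0.0/8:*
reject 10.0.0.0/8:*
reject 172.16.0.0/12:*
reject 192.168.0.0/16:*
reject 198.18.0.0/15:*
reject 192.88.99.0/24:*
reject 169.254.0.0/16:*
reject 192.0.2.0/24:*
reject 198.51.100.0/24:*
reject 203.0.113.0/24:*
reject 100.64.0.0/10:*
reject 192.0.0.0/24:*
"""

def parse_policy(text):
    """Return (action, network, ports) for every policy line."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # tolerate trailing comments
        if line:
            action, pattern = line.split(None, 1)
            addr, _, ports = pattern.rpartition(":")
            rules.append((action, ipaddress.ip_network(addr), ports))
    return rules

def redundant(rules):
    """Pairs (narrow, wide): narrow lies inside wide, same action and ports."""
    return [(a[1], b[1]) for i, a in enumerate(rules) for j, b in enumerate(rules)
            if i != j and a[0] == b[0] and a[2] == b[2] and a[1].subnet_of(b[1])]

def first_match(rules, addr):
    """Network of the first rule matching addr (Tor uses first match), else None."""
    ip = ipaddress.ip_address(addr)
    return next((net for _, net, _ in rules if ip in net), None)

def collapsed(rules):
    """Smallest equivalent network set (valid here: every rule is reject ...:*)."""
    return list(ipaddress.collapse_addresses(net for _, net, _ in rules))

RULES = parse_policy(POLICY)
```

On this list, `redundant(RULES)` reports 255.255.255.255/32 as already covered by 240.0.0.0/4, and `collapsed(RULES)` merges 224.0.0.0/4 and 240.0.0.0/4 into 224.0.0.0/3, leaving 14 networks.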