> On 31 Jan 2017, at 05:13, nusenu <nusenu@xxxxxxxxxxxxxxx> wrote:
>
> tldr: would you send me your torrc if you aim to route IPv6 exit traffic
> and are in the list at the bottom with the third column set to NULL?
>
> teor:
>> Either that, or there is a bug in Tor relating to IPv6 Exit policies.
>> But I can't see anywhere in the code that makes the IPv6 exit policy
>> dependent on anything except ExitPolicy and IPv6Exit.
>>
>> Are there any log entries relating to IPv6 or exit policies?

Here are the log entries I'd like to see:

Any bug warnings

warnings:
Exit policy '%s' and all following policies are redundant
Weird family when summarizing address policy
policy_dump_to_string ran out of room

info:
Unrecognized policy summary keyword
Impossibly long policy summary
Found bad entry in policy summary
Found no port-range entries in summary

debug:
Adding new entry
Ignored policy
Adding a reject ExitPolicy
Removing exit policy

> moritz@xxxxxxxxxxxxxx did send me (unfortunately off-list) the torrc
> file for
> https://atlas.torproject.org/#details/FDAED15C98CFE7A416E5676F614254F78406105C
>
> according to his torrc it is allowing IPv6 exit traffic but not
> according to its descriptor.
>
> Do exits do any outbound IPv6 reachability test before they create their
> descriptor? (with the ipv6-policy entry)

No, there is no IPv6 reachability testing in Tor for anything, except
for authorities checking IPv6 ORPorts.

But tor does automatically reject configured ports and addresses.
(In 0.2.7 and 0.2.8, it does this with local interface addresses,
in 0.2.9, it only does this with local interfaces if
ExitPolicyRejectLocalInterfaces is set. In all versions, it does this
with private addresses and configured ports by default.)

So one thing that operators could do is try to disable the IPv6 ORPort
and the OutboundBindAddress, and see if that helps.

Operators could also tweak ExitPolicyRejectLocalInterfaces and
ExitPolicyRejectPrivate.

Turning off ExitPolicyRejectPrivate can make an exit insecure, so it
should be done after blocking all traffic from the exit on private
addresses using a firewall.

> In total there are currently 57 exits with an IPv6 ORPort but no IPv6
> exit policy.
> That on its own doesn't mean anything because they
> might not set IPv6Exit to 1 but the big picture looks a bit odd.
>
> Here is a (truncated) list of exits which have IPv6 connectivity
> (ORPort) and their respective v6 exit policy (the last column) since the
> v6 policy changes between none (NULL) to non-NULL even within the same
> operator this seems strange. Usually an operator uses highly identical
> torrc files across all their relays.
>
> If you are on this list with a NULL value in the v6_policy column
> and your torrc contains
> IPv6Exit 1
> we'd be interested to see your complete torrc files (do not forget to
> _remove_ any sensitive lines like HashedControlPassword).
>
> I also had a look at the tor_version column but there was no correlation
> there.
> That said there _is_ a correlation with as_name, so maybe this is not a bug
> but operators only enabling IPv6 exiting on specific hosters (which
> seems strange because I only list IPv6 enabled relays).

Some providers may require certain port configurations, which could
cause the issue.

> ...

T

--
Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org
------------------------------------------------------------------------
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
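
The mismatch discussed in this thread (a torrc with IPv6Exit 1 whose published descriptor carries no ipv6-policy line), as an added example that is not part of the original message and not Tor's own code: it compares a torrc with a server descriptor and lists the torrc options the reply names as feeding the automatic rejects. The function names, the torrc and the descriptor are constructed for illustration; `or-address` and `ipv6-policy` are the descriptor keywords from the Tor directory specification.

```python
import re

# Options teor names as inputs to tor's automatic exit-policy rejects.
AUTO_REJECT_OPTS = ("ORPort", "OutboundBindAddress",
                    "ExitPolicyRejectPrivate", "ExitPolicyRejectLocalInterfaces")

def parse_torrc(text):
    """Return {lowercased option: [values]}, comments and blank lines dropped."""
    opts = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            value = parts[1].strip() if len(parts) > 1 else ""
            opts.setdefault(parts[0].lower(), []).append(value)
    return opts

def descriptor_ipv6(desc):
    """Return (has IPv6 or-address, ipv6-policy text or None)."""
    has_v6_orport, policy = False, None
    for line in desc.splitlines():
        if re.match(r"or-address \[[0-9A-Fa-f:.]+\]:\d+$", line):
            has_v6_orport = True
        elif line.startswith("ipv6-policy "):
            policy = line[len("ipv6-policy "):]
    return has_v6_orport, policy

def audit(torrc_text, desc):
    opts = parse_torrc(torrc_text)
    # Assumption: if IPv6Exit appears more than once, the last value is used.
    wants_v6_exit = opts.get("ipv6exit", ["0"])[-1] == "1"
    has_v6_orport, policy = descriptor_ipv6(desc)
    findings = []
    if wants_v6_exit and policy is None:
        findings.append("torrc sets IPv6Exit 1 but descriptor has no ipv6-policy")
        for name in AUTO_REJECT_OPTS:  # settings worth reviewing, per the reply
            findings += [f"review: {name} {v}" for v in opts.get(name.lower(), [])]
    elif has_v6_orport and not wants_v6_exit:
        findings.append("IPv6 ORPort present, IPv6Exit not set to 1")
    return findings

# Constructed samples (documentation addresses, hypothetical nickname).
TORRC = """ORPort 9001
ORPort [2001:db8::1]:9001
IPv6Exit 1
ExitPolicy accept *:80,reject *:*
"""
DESC_NULL = ("router ExampleExit 192.0.2.10 9001 0 0\n"
             "or-address [2001:db8::1]:9001\naccept *:80\nreject *:*\n")
DESC_OK = DESC_NULL + "ipv6-policy accept 80\n"
```

Calling `audit(TORRC, DESC_NULL)` returns the mismatch plus the two ORPort lines to review, while `audit(TORRC, DESC_OK)` returns an empty list.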