On Thu, Jun 08, 2006 at 07:11:07PM -0400, Watson Ladd wrote:
> Is tor IPv6 ready?

Nope. There are two things that you might mean by IPv6-ready, and Tor is neither. You might mean, "Can Tor connect to hosts that only have IPv6 addresses?" or you might mean, "Can Tor support servers that only have IPv6 addresses?"

Both are desirable; the former (connecting to IPv6-only destinations) is easier. It's easier because supporting it only requires changing our code, not changing our topology.

IPv6-address-only servers present a topology problem: right now, we assume that (mostly) every Tor server can connect to every other. This has problems of its own, and adding IPv6-address-only servers adds problems too: it means that only servers with IPv6 abilities can connect to IPv6-address-only servers. This makes it possible for the attacker to make some inferences about client paths that it wouldn't be able to make otherwise.

> And will tor use IPsec for securing communications
> between nodes if available?

Unlikely. Right now, it uses TLS; IPsec is not "more secure" than TLS in any meaningful fashion that matters to us. Also, if I understand correctly, adding IPsec to systems without it requires root-level access to the IP stack, which is not compatible with our no-root-required philosophy. If we add a non-TCP solution, DTLS-over-UDP seems likelier, since it doesn't need root.

I suppose we could do IPsec-where-available, DTLS otherwise, but it doesn't make much sense: given the existence of non-IPsec hosts, we need TLS or DTLS. So far, nobody whatsoever has said "I need this"; it's firmly a nice-to-have-someday feature.

> If not, what needs to be done to make this possible?

It needs to be designed (explain what you think Tor should do), argued to be secure (explain why it's better or at least as good as what Tor does now), specified (explained at the byte level at approximately the level of detail in tor-spec.txt), and implemented (done in software).

> Sincerely,
> Watson Ladd
> (sorry if this is a dupe.)

Odd; this should really be in the FAQ. I must have missed it.

-- 
Nick Mathewson
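The topology point made above (only IPv6-capable relays can reach an IPv6-only relay, so an observer learns something about which relays could have preceded it in a path) can be made concrete with a toy model. The following is an added example, not Tor code and not from this thread: it builds a small constructed relay set with made-up names A through E, treats two relays as mutually reachable only if they share an address family, and compares the set of plausible previous hops and the number of three-hop paths against the full-mesh assumption the message describes. It ignores client reachability, relay flags and bandwidth weighting.

```python
# Added illustration (not Tor code): a toy model of how IPv6-only relays
# partition a relay network and shrink the set of plausible neighbours.
from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class Relay:
    name: str
    has_ipv4: bool = True
    has_ipv6: bool = False


def can_connect(src: Relay, dst: Relay) -> bool:
    """src can open a connection to dst only if they share an address family."""
    return (src.has_ipv4 and dst.has_ipv4) or (src.has_ipv6 and dst.has_ipv6)


# Constructed sample network: three IPv4-only relays, one dual-stack relay,
# one IPv6-only relay. Names and capabilities are invented for the example.
RELAYS = [
    Relay("A"),
    Relay("B"),
    Relay("C"),
    Relay("D", has_ipv4=True, has_ipv6=True),
    Relay("E", has_ipv4=False, has_ipv6=True),
]
RELAY_BY_NAME = {r.name: r for r in RELAYS}


def predecessor_candidates(relays, target):
    """Relays that could have been the previous hop of a connection into target.
    Under a full mesh this is every other relay; address-family partitioning
    shrinks it, which is the inference the message warns about."""
    return {r.name for r in relays if r is not target and can_connect(r, target)}


def three_hop_paths(relays):
    """Ordered (entry, middle, exit) triples where each hop can reach the next.
    Simplification: ignores client reachability, relay flags and bandwidth weights."""
    return [p for p in permutations(relays, 3)
            if can_connect(p[0], p[1]) and can_connect(p[1], p[2])]


def paths_with_middle(relays, middle):
    """Reachable three-hop paths that use a given relay as the middle hop."""
    return [p for p in three_hop_paths(relays) if p[1] is middle]


def full_mesh_path_count(relays):
    """Paths possible if every relay could reach every other (the current assumption)."""
    return len(list(permutations(relays, 3)))


def report(relays):
    """Human-readable summary of how far the network falls short of a full mesh."""
    lines = [f"full-mesh 3-hop paths: {full_mesh_path_count(relays)}",
             f"reachable 3-hop paths: {len(three_hop_paths(relays))}"]
    for r in relays:
        lines.append(f"{r.name}: predecessors={sorted(predecessor_candidates(relays, r))} "
                     f"paths_as_middle={len(paths_with_middle(relays, r))}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(RELAYS)))
```

In this constructed network the IPv6-only relay E has exactly one possible predecessor (the dual-stack relay D) and can never serve as a middle hop, while the IPv4-only relays also lose E as a candidate neighbour; half of the 60 full-mesh paths disappear. That is the "inferences about client paths" cost in miniature: any observer who knows the address families of relays can rule out paths that the full-mesh assumption would have left open.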