Malicious relays may be able to be assigned Exit flag without exiting anywhere

The IANA for Multicast addresses indicates there are many /8's that are not yet allocated[0], such as 232.0.0.0-232.255.255.255.

The current voting mechanism in exit_policy_is_general_exit_helper allows an Exit flag to be assigned if it supports exiting to at least one /8 for 2 out of 3 ports of [80, 443, 6667]. exit_policy_is_general_exit_helper calls tor_addr_is_internal, this function only looks for the following IPv4 spaces: 10/8, 0/8, 127/8, 169.254/16, 172.16/12, 192.168/16.

A relay could put one of the unallocated IPv4 blocks and fool the Directory Authorities. Of course, if such a relay really wanted to do this, they could also set their relay up to exit to an uninteresting /8 no one would ever visit, such as one of the many military/DoD /8's.

Zack Weinberg's thread on tor-relays seems to have a good collection of addresses[1]. Other sources are the exclude list from massscan[2] and the IANA registry[3].

This would probably doubly true for IPv6, which only looks for fc00/7, fe80/10, fec0/10 - but right now exit_policy_is_general_exit_helper ignores IPv6.

[0] http://www.iana.org/assignments/multicast-addresses/multicast-addresses.xhtml [1] https://lists.torproject.org/pipermail/tor-relays/2014-April/004431.html [2] https://github.com/robertdavidgraham/masscan/blob/master/data/exclude.conf [3] http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xhtml

changed milestone to %Tor: unspecified

added component::core tor/tor milestone::Tor: unspecified needs-proposal points::4 priority::medium resolution::duplicate severity::normal status::closed tor-dirauth type::defect version::tor 0.2.7 labels

It's possible to allow anything to get exit policy (for any exist or new exit_policy_is_general_exit_helper's rules) while to drop every packet. What profit to get Exit flag, anyway?

Trac:
Milestone: N/A to Tor: 0.2.6.x-final

Trac:
Keywords: N/A deleted, tor-auth 026-triaged-1 added

Related to #11264 (moved), which could reduce the likelihood of this issue, at the risk of adding more corner cases (in its current form, anyway.)

The core of this issue appears to be that the Exit flag code is optimistic (just needs a /8 and 2 ports), but the microdescriptor exit policy summary code is pessimistic (needs the entire internet).

We need a proposal to fix the microdescriptor exit policy summary code (and a new consensus method), but the Exit flag could be fixed to be more pessimistic straight away, as it is assigned by authorities.

Perhaps it is easiest to just make one depend on the other? (A quick fix would be to summarise the exit policy, then use that as input to the Exit flag determination. This would also require a documentation fix.)

Trac:
Milestone: Tor: 0.2.6.x-final to Tor: 0.2.7.x-final

Trac:
Keywords: tor-auth 026-triaged-1 deleted, tor-auth 026-triaged-1 needs-proposal added

Trac:
Status: new to assigned

Marking more tickets as triaged-in for 0.2.7

Trac:
Keywords: tor-auth 026-triaged-1 needs-proposal deleted, 026-triaged-1, tor-auth, needs-proposal, 027-triaged-1-in added

Trac:
Version: Tor: unspecified to Tor: 0.2.7
Points: N/A to unclear
Priority: minor to normal
Keywords: N/A deleted, SponsorU added

If we wind up with a nice patch for any of these in the appropriate window, we should sure merge it.

Trac:
Keywords: N/A deleted, PostFreeze027 added

Not expected patches for these by Monday. :(

Trac:
Milestone: Tor: 0.2.7.x-final to Tor: 0.2.8.x-final

Bulk-replace SponsorU keyword with SponsorU field.

Trac:
Sponsor: N/A to SponsorU
Keywords: SponsorU deleted, N/A added

Turn most 0.2.8 "assigned" tickets with no owner into "new" tickets for 0.2.9. Disagree? Find somebody who can do it (maybe you?) and get them to take it on for 0.2.8. :)

Trac:
Milestone: Tor: 0.2.8.x-final to Tor: 0.2.9.x-final
Status: assigned to new

Trac:
Sponsor: SponsorU to SponsorU-can

Trac:
Keywords: N/A deleted, tor-dos added

Trac:
Keywords: tor-dos deleted, N/A added
Sponsor: SponsorU-can to N/A

Trac:
Severity: N/A to Normal
Points: unclear to 4
Reviewer: N/A to N/A

Trac:
Milestone: Tor: 0.2.9.x-final to Tor: 0.2.???
Keywords: N/A deleted, isaremoved added