Block local addresses for rendezvous on RSOS servers

Build on the work in #8976 (moved) to block local addresses for rendezvous on RSOS servers.

We'll need to add to the function:

• tor_addr_is_local
• any local interface address on the RSOS
• any configured address on the RSOS

(This is very similar to #17027 (moved), I wonder if we could re-use that code?)

changed milestone to %Tor: 0.2.9.x-final

added component::core tor/tor milestone::Tor: 0.2.9.x-final owner::teor points::3 priority::medium resolution::duplicate rsos severity::normal status::closed tor-hs type::enhancement labels

Trac:
Keywords: N/A deleted, rsos added

Like #17027 (moved), we probably need a RendezvousPolicy (like ExitPolicy) that allows RSOS operators to ban rendezvous connections to addresses on or nearby their servers.

(I can't see any need for this for SOS as there is no rendezvous, and for HS as server addresses are hidden.)

No way this is getting done in January

Trac:
Keywords: TorCoreTeam201601 deleted, TorCoreTeam201602 added

It is impossible that we will fix all 226 currently open 028 tickets before 028 releases. Time to move some out. This is my second pass through the "new" and tickets, looking for things to move to 0.2.9.

Trac:
Milestone: Tor: 0.2.8.x-final to Tor: 0.2.9.x-final

I think I can get this fixed as part of #17178 (moved).

Trac:
Owner: N/A to teor
Status: new to assigned
Milestone: Tor: 0.2.9.x-final to Tor: 0.2.8.x-final

I need to merge dgoulet's bug8976_01_028 from #8976 (moved) and my feature-17178-rsos from #17178 (moved), then add the following two options:

• RendPolicy (like ExitPolicy, but for HS & RSOS, mainly useful for RSOS)
• RendPolicyRejectPrivate (like ExitPolicyRejectPrivate, but for HS & RSOS)

While I'm doing this, I'm happy to update dgoulet's branch to block tor_addr_is_multicast() and tor_addr_is_internal() when RendPolicyRejectPrivate is set (default 0, in test networks defaults to 1).

We need to warn if RendPolicyRejectPrivate is 0 on a non-test network. We also need to warn if RendPolicy is set on a HS, as a small set of rend points can lead to loss of anonymity.

Trac:
Keywords: N/A deleted, tor-hs added

Operators can work around this issue using firewall rules, so it's not a dependency of #17178 (moved).

Trac:
Parent: #17178 (moved) to N/A

Here's my TODO list for this task:

• define ExtendPolicy like ExitPolicy
• implement ExtendAllowPrivateAddresses based on the ExitPolicyRejectPrivate code
• (I'm up to about here in feature-17178-8976-17788)
• fold ExtendAllowPrivateAddresses into ReachableAddresses (#17840 (moved))
  • keep extend_info_addr_is_allowed() for the HS case
• apply to relays, not just RSOS
• re-parse when IP address changes for relays and RSOS
• automatically reject addresses in ExtendPolicy via extend_info_for_node() (#17840 (moved))
• warn/notice relay/RSOS operators
• don't block anything other than private addresses for HS, as it may reveal the HS address

Trac:
Status: assigned to needs_revision

This feature isn't going to be ready and reviewed for 0.2.8.

Trac:
Milestone: Tor: 0.2.8.x-final to Tor: 0.2.9.x-final

Trac:
Keywords: TorCoreTeam201602 deleted, N/A added
Reviewer: N/A to N/A
Type: defect to enhancement
Points: N/A to medium

Trac:
Points: medium to 3

This can be done using the same strategy we use to avoid single-hop exits: make sure that the rendezvous point is in the consensus.

Closing in favour of #17945 (moved), which solves both this issue and the Tor2Web issue.

Trac:
Resolution: N/A to duplicate
Status: needs_revision to closed

closed

changed time estimate to 24h

mentioned in issue #18126 (moved)

mentioned in issue #18196 (moved)