Opened 5 years ago

Closed 4 years ago

#17788 closed enhancement (duplicate)

Block local addresses for rendezvous on RSOS servers

Reported by: teor Owned by: teor
Priority: Medium Milestone: Tor: 0.2.9.x-final
Component: Core Tor/Tor Version:
Severity: Normal Keywords: rsos, tor-hs
Cc: Actual Points:
Parent ID: Points: 3
Reviewer: Sponsor:


Build on the work in #8976 to block local addresses for rendezvous on RSOS servers.

We'll need to add to the function:

  • tor_addr_is_local
  • any local interface address on the RSOS
  • any configured address on the RSOS

(This is very similar to #17027, I wonder if we could re-use that code?)

Child Tickets

Change History (14)

comment:1 Changed 5 years ago by teor

Keywords: rsos added

comment:2 Changed 5 years ago by teor

Like #17027, we probably need a RendezvousPolicy (like ExitPolicy) that allows RSOS operators to ban rendezvous connections to addresses on or nearby their servers.

(I can't see any need for this for SOS as there is no rendezvous, and for HS as server addresses are hidden.)

comment:3 Changed 5 years ago by teor

Keywords: TorCoreTeam201602 added; TorCoreTeam201601 removed

No way this is getting done in January

comment:4 Changed 5 years ago by nickm

Milestone: Tor: 0.2.8.x-finalTor: 0.2.9.x-final

It is impossible that we will fix all 226 currently open 028 tickets before 028 releases. Time to move some out. This is my second pass through the "new" and tickets, looking for things to move to 0.2.9.

comment:5 Changed 5 years ago by teor

Milestone: Tor: 0.2.9.x-finalTor: 0.2.8.x-final
Owner: set to teor
Status: newassigned

I think I can get this fixed as part of #17178.

comment:6 Changed 5 years ago by teor

I need to merge dgoulet's bug8976_01_028 from #8976 and my feature-17178-rsos from #17178, then add the following two options:

  • RendPolicy (like ExitPolicy, but for HS & RSOS, mainly useful for RSOS)
  • RendPolicyRejectPrivate (like ExitPolicyRejectPrivate, but for HS & RSOS)

While I'm doing this, I'm happy to update dgoulet's branch to block tor_addr_is_multicast() and tor_addr_is_internal() when RendPolicyRejectPrivate is set (default 0, in test networks defaults to 1).

We need to warn if RendPolicyRejectPrivate is 0 on a non-test network.
We also need to warn if RendPolicy is set on a HS, as a small set of rend points can lead to loss of anonymity.

comment:7 Changed 5 years ago by dgoulet

Keywords: tor-hs added

comment:8 Changed 5 years ago by teor

Parent ID: #17178

Operators can work around this issue using firewall rules, so it's not a dependency of #17178.

comment:9 Changed 5 years ago by teor

Here's my TODO list for this task:

  • define ExtendPolicy like ExitPolicy
  • implement ExtendAllowPrivateAddresses based on the ExitPolicyRejectPrivate code
  • (I'm up to about here in feature-17178-8976-17788)
  • fold ExtendAllowPrivateAddresses into ReachableAddresses (#17840)
    • keep extend_info_addr_is_allowed() for the HS case
  • apply to relays, not just RSOS
  • re-parse when IP address changes for relays and RSOS
  • automatically reject addresses in ExtendPolicy via extend_info_for_node() (#17840)
  • warn/notice relay/RSOS operators
  • don't block anything other than private addresses for HS, as it may reveal the HS address

comment:10 Changed 5 years ago by teor

Status: assignedneeds_revision

comment:11 Changed 5 years ago by teor

Milestone: Tor: 0.2.8.x-finalTor: 0.2.9.x-final

This feature isn't going to be ready and reviewed for 0.2.8.

comment:12 Changed 5 years ago by dgoulet

Keywords: TorCoreTeam201602 removed
Points: medium
Type: defectenhancement

comment:13 Changed 4 years ago by isabela

Points: medium3

comment:14 Changed 4 years ago by teor

Resolution: duplicate
Status: needs_revisionclosed

This can be done using the same strategy we use to avoid single-hop exits: make sure that the rendezvous point is in the consensus.

Closing in favour of #17945, which solves both this issue and the Tor2Web issue.

Note: See TracTickets for help on using tickets.