Opened 3 years ago

Closed 3 years ago

#18456 closed defect (implemented)

Exits on 0.2.7 publicise all their IP addresses in their descriptor

Reported by: teor Owned by:
Priority: Medium Milestone: Tor: 0.2.9.x-final
Component: Core Tor/Tor Version: Tor: 0.2.7.2-alpha
Severity: Normal Keywords: CoreTorTeam201607
Cc: Actual Points: 0.2
Parent ID: Points: 3
Reviewer: Sponsor:

Description

Roger and I just spoke about the feature in 0.2.7 where Exits ban all their local / configured IP addresses in their descriptor.

If processes on an Exit trust connections from the local machine, this prevents Exits being attacked by making a connection to their IP addresses.

But it also means that all exit addresses appear in the consensus.

Roger thinks this will surprise some Exit operators. It also makes Exit IP addresses easier to censor.

That said, if we silently block connections to these IP addresses, then clients can scan Exits and see which addresses are refused even though they are not banned in the Exit policy.

We should contact relay operators with multiple IP addresses, and see if they appreciate this feature, or if they are surprised by it.

Child Tickets

TicketStatusOwnerSummaryComponent
#19543closedteorGETINFO exit-policy/reject-private/relay and ExitPolicyRejectLocalInterfacesCore Tor/Tor

Change History (8)

comment:1 Changed 3 years ago by nickm

Keywords: must-fix-before-028-rc added

Marking these as must-fix-before-028-rc.

Actually, some of them may not need to get 'fixed' before the rc, but I believe that they should either get fixed, or we should have a good explanation of why they don't need to get fixed.

comment:2 Changed 3 years ago by dgoulet

Keywords: must-fix-before-028-rc removed
Milestone: Tor: 0.2.8.x-finalTor: 0.2.9.x-final
Sponsor: None

Pushing this one to 029 as discussed with nickm.

The We should contact relay operators with multiple IP addresses, and see if they appreciate this feature, or if they are surprised by it. should be done _sooner_ rather than later.

comment:3 Changed 3 years ago by nickm

Points: medium

comment:4 Changed 3 years ago by nickm

Sponsor: None

These tickets had Sponsor == "None". Our convention seems to be Sponsor == "".

comment:5 Changed 3 years ago by isabela

Points: medium3

comment:6 Changed 3 years ago by teor

Actual Points: 0.2
Status: newneeds_review

Please see my branch bug18456 on https://github.com/teor2345/tor.git
The corresponding torspec patch is in #19453.

I fixed this issue by making ExitPolicyRejectPrivate only reject IP addresses we are going to put in the descriptor anyway (that is, the relay's advertised IPv4 and IPv6 address).

Then, I added another option ExitPolicyRejectLocalInterfaces that also blocks the IPv4 and IPv6 OutboundBindAddresses, and the configured port addresses, and any interface addresses. (If a specific bind address is configured for the ORPort and DirPort, it is included by both options. This is ok, and necessary because of public-to-public address redirection. Also, any duplicate rules are removed.)

I didn't modify the sample torrcs, but I can do that if we think it's a good idea.

I made this patch on master because we've made multiple changes to this code since 0.2.7.2-alpha. And it's not really a security issue.

comment:7 Changed 3 years ago by teor

Keywords: CoreTorTeam201607 added

comment:8 Changed 3 years ago by nickm

Resolution: implemented
Status: needs_reviewclosed

Merged to 0.2.9!

Note: See TracTickets for help on using tickets.