Opened 8 months ago

Closed 7 months ago

#32637 closed defect (fixed)

SocksPort IPv6 flags differ in default config and in Torlauncher prefs, and exits can distinguish them

Reported by: cypherpunks
Owned by: teor
Priority: Medium
Milestone: Tor: 0.4.3.x-final
Component: Core Tor/Tor
Version:
Severity: Normal
Keywords: 043-should, ipv6, security-low, no-backport, teor-backlog
Cc: teor, gk
Actual Points: 0.2
Parent ID:
Points: 1
Reviewer: dgoulet
Sponsor:


By default, the tor daemon sets only the IPv6Traffic flag on client sockets, but not PreferIPv6.

But Torlauncher sets them both when launching the tor daemon with Tor Browser.

As I can see in the spec, these flags set bits in the "FLAGS" value in the RELAY_BEGIN cell, and exit relays can recognize which flags are set in the client port settings. So exits can distinguish circuits from Tor Browser Bundle clients from, for example, daemons in Linux distro repositories, with a high level of probability.

Is there any reason why the PreferIPv6 flag is not turned on by default? This issue was raised in the past (#21269), but the solution is not efficient: the flags sent to the exit by default still differ from the vast majority of real use cases, which is surfing the web with TBB.
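
The one-bit difference described above, modelled as an added example that is not part of the ticket or of tor's source. The bit positions follow the RELAY_BEGIN FLAGS definition in tor-spec; the two flag sets are the ones the report names, while the helper names, the `example.com:443` target and the simplification that IPv4 stays allowed and the exit permits IPv6 are assumptions.

```python
import struct

# RELAY_BEGIN FLAGS bits from tor-spec (bit 1 is the least significant bit).
BEGIN_FLAG_IPV6_OK = 1 << 0
BEGIN_FLAG_IPV4_NOT_OK = 1 << 1   # listed for completeness, not modelled here
BEGIN_FLAG_IPV6_PREFERRED = 1 << 2

# SocksPort flag sets as described in the report.
DAEMON_DEFAULT = ["IPv6Traffic"]
TORLAUNCHER = ["IPv6Traffic", "PreferIPv6"]

def begin_flags(socksport_flags):
    """FLAGS word for a SocksPort with the given flags.
    Assumption: IPv4 stays allowed and the chosen exit permits IPv6."""
    opts = {f.lower() for f in socksport_flags}
    flags = 0
    if "ipv6traffic" in opts:
        flags |= BEGIN_FLAG_IPV6_OK
        # A preference only means something when IPv6 is allowed at all.
        if "preferipv6" in opts:
            flags |= BEGIN_FLAG_IPV6_PREFERRED
    return flags

def build_begin_payload(addrport, flags):
    """RELAY_BEGIN body: NUL-terminated ADDRPORT, then optional 4-byte FLAGS."""
    body = addrport.lower().encode("ascii") + b"\x00"
    if flags:  # assumption: an all-zero FLAGS word is simply left off
        body += struct.pack("!I", flags)
    return body

def parse_begin_payload(payload):
    """What the receiving side recovers: (addrport, flags)."""
    addrport, nul, rest = payload.partition(b"\x00")
    if not nul:
        raise ValueError("ADDRPORT is not NUL-terminated")
    flags = struct.unpack("!I", rest[:4])[0] if len(rest) >= 4 else 0
    return addrport.decode("ascii"), flags

def differing_bits(flags_a, flags_b):
    """Number of FLAGS bits that separate two client configurations."""
    return bin(flags_a ^ flags_b).count("1")

if __name__ == "__main__":
    for name, cfg in (("default", DAEMON_DEFAULT), ("torlauncher", TORLAUNCHER)):
        payload = build_begin_payload("example.com:443", begin_flags(cfg))
        print(name, payload.hex(), parse_begin_payload(payload))
```

Running the same check on your own SocksPort flag list shows whether it produces the same FLAGS word as the Tor Browser set.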

Change History (5)

comment:1 Changed 8 months ago by nickm

Cc: teor gk added
Milestone: Tor: 0.4.3.x-final

Adding teor for ipv6 expertise, gk for TB expertise.

comment:2 Changed 8 months ago by teor

Keywords: 043-should ipv6 security-low no-backport added
Points: 1

This is a low-severity security issue, because it involves one bit of information leakage from clients to exits, and the anonymity sets are still quite large. (Particularly because every client creates preemptive circuits, and many send traffic over those circuits.)

We should set PreferIPv6 by default in our first 0.4.3 alpha, and expect a small amount of breakage:

  • A few tools may use dual-stack DNS, but expect IPv4-only connections. Or the IPv6 might be broken at the remote end.
  • IPv6 exits are still rarer than IPv4 exits
  • Tor's retry logic may be able to do better with IPv6-only sites, but that risks leaking information about previous exits' responses to the client

We should not backport:

  • Some long-standing IPv6 bugs are only fixed in 0.4.3

comment:3 Changed 8 months ago by teor

Keywords: teor-backlog added
Owner: set to teor
Status: new → assigned

I'm probably the best person to do this, and the next 2 months are a good time to do it.

comment:4 Changed 7 months ago by teor

Actual Points: 0.2
Status: assigned → needs_review

See my PR:

The flags code is needlessly complex; changing the default requires setting it in 3 places. I opened #32994 to fix this technical debt.

comment:5 Changed 7 months ago by dgoulet

Resolution: fixed
Reviewer: dgoulet
Status: needs_review → closed
