Opened 8 months ago

Last modified 4 months ago

#33224 assigned enhancement

Prop 311: 4.3.2. Add AssumeReachableIPv6 Option and Consensus Parameter

Reported by: teor
Owned by:
Priority: Medium
Milestone:
Component: Core Tor/Tor
Version:
Severity: Normal
Keywords: ipv6, prop311, 044-deferred
Cc:
Actual Points:
Parent ID: #33221
Points: 1
Reviewer:
Sponsor: Sponsor55-must

Description (last modified by teor)

We add an AssumeReachableIPv6 torrc option and consensus parameter.

If IPv6 ORPort checks have bugs that impact the health of the network,
they can be disabled by setting AssumeReachableIPv6=1 in the consensus
parameters.

If IPv6 ORPort checks have bugs that impact a particular relay (or bridge),
they can be disabled by setting "AssumeReachableIPv6 1" in the relay's
torrc.

This option disables IPv6 ORPort reachability checks, so relays publish
their descriptors if their IPv4 ORPort reachability checks succeed.
(Unlike AssumeReachable, AssumeReachableIPv6 has no effect on the existing
dirauth IPv6 reachability checks, which connect directly to relay ORPorts.)

The default for the torrc option is "auto", which checks the consensus
parameter. If the consensus parameter is not set, the default is "0".

"AssumeReachable 1" overrides all values of "AssumeReachableIPv6",
disabling both IPv4 and IPv6 ORPort reachability checks. Tor should warn if
AssumeReachable is 1, but AssumeReachableIPv6 is 0. (On directory
authorities, "AssumeReachable 1" also disables dirauth IPv4 and IPv6
reachability checks, which connect directly to relay ORPorts.
AssumeReachableIPv6 does not disable directory authority to relay IPv6
checks.)

See proposal 311, section 4.3.2:
https://gitweb.torproject.org/torspec.git/tree/proposals/311-relay-ipv6-reachability.txt#n403
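
The option precedence described in this ticket, written out as an added C example (not code from tor or from the ticket's participants). The function, type and field names are hypothetical; representing an unset consensus parameter as a negative value, and warning only when the torrc explicitly sets AssumeReachableIPv6 to 0, are assumptions of this example.

```c
#include <stdio.h>

/* Hypothetical types for this example; not tor's own definitions. */
typedef enum { V6_OPT_AUTO = -1, V6_OPT_OFF = 0, V6_OPT_ON = 1 } v6_opt_t;

typedef struct {
  int skip_ipv4_selftest;  /* relay skips its own IPv4 ORPort self-test */
  int skip_ipv6_selftest;  /* relay skips its own IPv6 ORPort self-test */
  int skip_dirauth_checks; /* authority skips its direct ORPort checks */
  int warn_conflict;       /* AssumeReachable 1 with AssumeReachableIPv6 0 */
} reach_policy_t;

/* Assumption: consensus_param < 0 means the parameter is not in the consensus. */
reach_policy_t
resolve_reachability(int assume_reachable, v6_opt_t v6_opt,
                     int consensus_param, int is_dirauth)
{
  reach_policy_t p = {0, 0, 0, 0};
  /* "auto" defers to the consensus parameter; an unset parameter means 0. */
  int v6 = (v6_opt == V6_OPT_AUTO) ? (consensus_param > 0)
                                   : (v6_opt == V6_OPT_ON);
  if (assume_reachable) {
    /* AssumeReachable 1 overrides every AssumeReachableIPv6 value. */
    p.skip_ipv4_selftest = 1;
    p.skip_ipv6_selftest = 1;
    p.skip_dirauth_checks = is_dirauth;
    p.warn_conflict = (v6_opt == V6_OPT_OFF);
  } else {
    /* Only the IPv6 self-test is affected; dirauth checks stay enabled. */
    p.skip_ipv6_selftest = v6;
  }
  return p;
}

int main(void)
{
  /* Constructed cases: torrc "auto" with consensus value 1, then a conflict. */
  reach_policy_t a = resolve_reachability(0, V6_OPT_AUTO, 1, 0);
  reach_policy_t b = resolve_reachability(1, V6_OPT_OFF, -1, 1);
  printf("auto, param=1: skip v4=%d skip v6=%d\n",
         a.skip_ipv4_selftest, a.skip_ipv6_selftest);
  printf("conflict: warn=%d skip dirauth=%d\n",
         b.warn_conflict, b.skip_dirauth_checks);
  return 0;
}
```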

Change History (7)

comment:1 Changed 6 months ago by teor

This ticket is optional, but there are some risks if we don't implement it.

Here are the risks and mitigations:

Don't implement the AssumeReachableIPv6 torrc option:

  • Low Risk
  • Issue:
    • Operators can't disable IPv6 self-tests, but continue using IPv4 self-tests.
  • Workaround:
    • Operators use AssumeReachable to disable IPv4 and IPv6 self-tests.

Don't implement the AssumeReachableIPv6 consensus parameter:

  • Medium Risk
  • Issue:
    • If there is a network-wide issue with IPv6 self-tests:
      • all IPv6 relays (30%) and bridges (unknown percentage) may go down, and
      • we won't be able to react quickly to bugs or overloads.
  • Workaround:
    • There is no workaround.
  • Mitigation:
    • Make sure chutney fails when relay and bridge reachability self-tests fail. Chutney ensures relay self-tests work, but doesn't check bridges. There are two alternative ways to do bridge checks:
      • Fix tor bridge descriptor uploads (#33582) and check them in chutney (#33407), or
      • Make chutney check tor's logs for reachability self-tests (#34037).

If we implement the consensus parameter, we should also implement the
torrc option, so operators can configure the option independently.

Since this option stops relays publishing their descriptors, we should probably test it in chutney, or on the public tor network. (See #33229 and #33230.)


comment:2 Changed 6 months ago by teor

Summary: changed from "Prop 311: 4.3.2. Add AssumeIPv6Reachable Option" to "Prop 311: 4.3.2. Add AssumeIPv6Reachable Option and Consensus Parameter"

comment:3 Changed 6 months ago by teor

Description: modified
Summary: changed from "Prop 311: 4.3.2. Add AssumeIPv6Reachable Option and Consensus Parameter" to "Prop 311: 4.3.2. Add AssumeReachableIPv6 Option and Consensus Parameter"

Use consistent names: AssumeReachableIPv6 and AddressDisableIPv6

comment:4 Changed 6 months ago by teor

Owner: teor deleted

Un-assign myself from future Sponsor 55 tasks.

comment:5 Changed 6 months ago by teor

In the meeting today, we decided to do this ticket, because:

  • it won't take much work, and
  • it lets us react quickly to any bugs in the new reachability code.

For similar reasons, we also want an AssumeReachable consensus parameter for IPv4 and IPv6, see #34064.

comment:6 Changed 4 months ago by nickm

Keywords: 044-deferred added
Milestone: changed from "Tor: 0.4.4.x-final" to "Tor: unspecified"

Bulk-remove tickets from 0.4.4. Add the 044-deferred label to them.

comment:7 Changed 4 months ago by nickm

Milestone: Tor: unspecified

Bulk-move prop311 and prop312 to 0.4.5
