Directory authorities on IPv6

Directory authorities don't know enough about IPv6. There are a lot of issues here, two of which are mentioned in #4847 (moved):

• init_keys()
• dirserv_generate_networkstatus_vote_obj()

changed milestone to %Tor: 0.2.8.x-final

added 026-deferrable 026-triaged-1 027-triaged-1-out SponsorF20130315 component::core tor/tor ipv6 milestone::Tor: 0.2.8.x-final nickm-patch parent::15228 points::medium pre028-patch priority::medium resolution::duplicate severity::normal status::closed tor-auth type::project labels

Trac:
Milestone: N/A to Tor: 0.2.4.x-final

Changing summary to reflect that this is not a bug per se. (This should have been an "enhancement" rather than a "defect".)

Trac:
Summary: Directory authorities on IPv6 to Enhancement: Directory authorities on IPv6

But... but... there is a way to change type of a ticket. Duh!

Trac:
Type: defect to enhancement
Summary: Enhancement: Directory authorities on IPv6 to Directory authorities on IPv6

Trac:
Keywords: ipv6 deleted, ipv6 tor-auth added

Trac:
Component: Tor Directory Authority to Tor

Grabbing this ticket for sponsor Z.

Trac:
Keywords: ipv6 tor-auth deleted, ipv6 tor-auth SponsorZ added
Type: enhancement to project

Replying to ln5:

Directory authorities don't know enough about IPv6. There are a lot of issues here, two of which are mentioned in #4847 (moved):

• init_keys()
• dirserv_generate_networkstatus_vote_obj()

• These data structures need to take multiple OR ports into account: trusted_dir_server_t, authority_cert_t and networkstatus_voter_info_t.

• tools/tor-gencert.c needs fixing

If we take my current favored approach to #572 (moved) , which involves implementing proposal 206, then we don't need to do this for authorities per se, though the code would be reusable.

Trac:
Keywords: ipv6 tor-auth SponsorZ deleted, ipv6 tor-auth SponsorF20130315 added

I've thrown up a sketch implementation in branch "bug6027" in my public repository. I believe that's sufficient to allow users to configure IPv6 addr:orports for DirAuthority and FallbackDir lines, which can let users without IPv6 bootstrap.

I haven't been able to test this; it could use testing and review.

This hasn't made the deadline for 0.2.4 features; I think it's deferrable to 0.2.5.

Trac:
Status: new to needs_review

FWIW, from the sponsor F POV, I think it's fine to defer this to 0.2.5.

On the year 3 page you write that we need somebody to fill in the IPv6 addresses and that this is a coordination project. Can you elaborate on that? What should that person do, and how often?

Replying to karsten:

FWIW, from the sponsor F POV, I think it's fine to defer this to 0.2.5.

On the year 3 page you write that we need somebody to fill in the IPv6 addresses and that this is a coordination project. Can you elaborate on that? What should that person do, and how often?

Make sure that there are directory authorities with long-term fixed IPv6 addresses. List those IPv6 addresses in config.c, or tell me those addresses so that I can do so.

Alternatively, make sure that there are some directories with long-term fixed IPv6 addresses. Start figuring out how we want to ship that list. Maintain that list.

Trac:
Milestone: Tor: 0.2.4.x-final to Tor: 0.2.5.x-final

Replying to nickm:

Make sure that there are directory authorities with long-term fixed IPv6 addresses. List those IPv6 addresses in config.c, or tell me those addresses so that I can do so.

I just asked authority operators. I'll collect addresses and let you know.

Alternatively, make sure that there are some directories with long-term fixed IPv6 addresses. Start figuring out how we want to ship that list. Maintain that list.

Okay. We could ask relay operators on tor-relays@, or I could write a simple script to parse apparently long-term fixed IPv6 addresses from consensuses. The latter is probably less work. But I guess this doesn't matter until we ship the first 0.2.5.x-alpha bundle. We can still run the script on archived consensuses then.

So far we have:

tor.noreply.org has IPv6 address 2001:858:2:2:aabb:0:563b:1526
maatuska runs on 2001:67c:289c::9.

Add:

Urras now has the following addresses:
[2607:ff58::d053:df22] a.k.a. [2607:ff58::208.83.223.34]
208.83.223.34

Or if you just want to remember one address:
[2607:ff58::208.83.223.34]

208.83.223.34 has an ORPort on 80
208.83.223.34 has an DirPort on 443
[2607:ff58::208.83.223.34] has an ORPort on 80

I'm trying to test your bug6027 branch, with no luck so far. Here's what I did:

• Set up an EC2 instance with outbound IPv6 connectivity and a firewall rule to drop all new outgoing IPv4 connections. curl -6 https://www.torproject.org/ works fine, and curl https://www.torproject.org/ doesn't do anything.

• Added three directory authority IPv6 addresses to src/or/config.c:

diff --git a/src/or/config.c b/src/or/config.c
index 6ae96ad..448472c 100644
--- a/src/or/config.c
+++ b/src/or/config.c
@@ -782,6 +782,7 @@ add_default_trusted_dir_authorities(dirinfo_type_t type)
       "v3ident=D586D18309DED4CD6D57C18FDB97EFA96D330566 "
       "128.31.0.39:9131 9695 DFC3 5FFE B861 329B 9F1A B04C 4639 7020 CE31",
     "tor26 v1 orport=443 v3ident=14C131DFC5C6F93646BE72FA1401C02A8DF2E8B4 "
+      "ipv6=[2001:858:2:2:aabb:0:563b:1526]:443 "
       "86.59.21.38:80 847B 1F85 0344 D787 6491 A548 92F9 0493 4E4E B85D",
     "dizum orport=443 v3ident=E8A9C45EDE6D711294FADF8E7951F4DE6CA56B58 "
       "194.109.206.212:80 7EA6 EAD6 FD83 083C 538F 4403 8BBF A077 587D D755",
@@ -797,9 +798,11 @@ add_default_trusted_dir_authorities(dirinfo_type_t type)
       "v3ident=585769C78764D58426B8B52B6651A5A71137189A "
       "193.23.244.244:80 7BE6 83E6 5D48 1413 21C5 ED92 F075 C553 64AC 7123",
     "urras orport=80 no-v2 v3ident=80550987E1D626E3EBA5E5E75A458DE0626D088C "
+      "ipv6=[2607:ff58::d053:df22]:80 "
       "208.83.223.34:443 0AD3 FA88 4D18 F89E EA2D 89C0 1937 9E0E 7FD9 4417",
     "maatuska orport=80 no-v2 "
       "v3ident=49015F787433103580E3B66A1707A00E60F2D15B "
+      "ipv6=[2001:67c:289c::9]:80 "
       "171.25.193.9:443 BD6A 8292 55CB 08E6 6FBE 7D37 4836 3586 E46B 3810",
     "Faravahar orport=443 no-v2 "
       "v3ident=EFCBE720AB3A82B99F9E953CD5BF50F7EEFC7B97 "

• Added fallback dirs from #8374 (moved) to torrc. Also added ClientUseIPv6 and ClientPreferIPv6ORPort options that looked relevant here:

DataDirectory /home/ubuntu/client/data/
Log info file /home/ubuntu/client/data/info.log
Log info stdout
ClientUseIPv6 1
ClientPreferIPv6ORPort 1
FallbackDir 77.247.181.162:80 orport=443 id=253DFF1838A2B7782BE7735F74E50090D46CA1BC weight=72700 ipv6=[2a00:1768:1001:21:1:0:32a3:201a]:443
FallbackDir 171.25.193.20:80 orport=443 id=DD8BD7307017407FCC36F8D04A688F74A0774C02 weight=50600 ipv6=[2001:67c:289c::20]:443
FallbackDir 128.6.224.107:9030 orport=9001 id=D67B28212377617448A2AC192E11372AD951FD13 weight=18000 ipv6=[2620:0:d60:401::2]:9001
FallbackDir 82.94.251.204:80 orport=443 id=9B02AA745B22B3FAB37C84B5E695623DD107A74D weight=15100 ipv6=[2001:888:2133:0:82:94:251:204]:443
FallbackDir 188.40.51.232:80 orport=443 id=CAF7986ECF1FBF903E68155531F8930C9ECC3A0D weight=13900 ipv6=[2a01:4f8:100:24e1:ffff::1]:443
FallbackDir 193.11.164.242:9030 orport=9001 id=980D326017CEF4CBBF4089FBABE767DC83D059AF weight=13800 ipv6=[2001:6b0:7:125::242]:9001
FallbackDir 171.25.193.21:80 orport=443 id=A10C4F666D27364036B562823E5830BC448E046A weight=13300 ipv6=[2001:67c:289c::21]:443
FallbackDir 149.20.52.51:9030 orport=5251 id=09C0E63BD41FE86A31CB3FB27C4D54F7D49A1F7C weight=12500 ipv6=[2001:4f8:3:2e::51]:5251
FallbackDir 91.121.245.171:80 orport=443 id=85670C66276B84F956FC9F2407DAFF9774104522 weight=2550 ipv6=[2001:41d0:2:90a8::3]:443
FallbackDir 78.47.134.6:3480 orport=3451 id=26220AEA188B8D0E47BB541E1A616EB3AD70295F weight=2360 ipv6=[2a01:4f8:d13:1602::2012]:3451

However, when starting the tor client it always attempts to download the consensus from a fallback directory (this part works), but using its IPv4 address:

May 14 19:17:38.000 [notice] Bootstrapped 5%: Connecting to directory server.
May 14 19:17:38.000 [info] connection_ap_make_link(): ... application connection created and linked.
May 14 19:17:38.000 [info] directory_send_command(): Downloading consensus from 171.25.193.20:443 using /tor/status-vote/current/consensus-microdesc/14C131+27B6B5+49015F+585769+805509+D586D1+E8A9C4+ED03BB+EFCBE7.z
May 14 19:17:38.000 [info] or_state_save(): Saved state to "/home/ubuntu/client/data//state"
May 14 19:17:38.000 [info] connection_edge_process_inbuf(): data from edge while in 'waiting for circuit' state. Leaving it on buffer.
May 14 19:17:38.000 [info] connection_edge_process_inbuf(): data from edge while in 'waiting for circuit' state. Leaving it on buffer.
May 14 19:19:38.000 [info] connection_ap_expire_beginning(): Tried for 120 seconds to get a connection to [scrubbed]:443. Giving up. (waiting for circuit)

How would I tell my tor client that I don't have any outgoing IPv4 connectivity and that it should instead use only IPv6 addresses?

nickm, ln5, any ideas?

Trac:
screen-exchange