IPv6 Feature Matrix

This is a list of core tor network features, and their support for IPv6.


We want to deploy IPv6 extends in this order to make it harder to identify clients with IPv6 support:

  • IPv6 single onion services (in any order, because they only use IPv6 in create cells)
  • IPv6 relay extends
  • IPv6 relay reachability (provides cover traffic for IPv6 client extends)
  • IPv6 client extends for exit circuits
  • IPv6 client extends for multi-hop onion service circuits


  • Auto: this works automatically in the default configuration.
  • Manual: this requires manual config on the client or relay.
  • Workaround: this works, but we could make it work much better.
  • Broken: this should work, but it doesn't.
  • Never: this can't work, or we won't implement it any time soon.

Each manual, workaround, or broken feature should also have a ticket.

Entry Nodes

What does an entry node need to do to use each IP version for its ORPort? (There are no IPv6 DirPorts.)

Authorities, Relays and Bridges set:

  • Address IPv4 and ORPort Port
  • ORPort [IPv6]:Port

If they do not set Address, Relays and Bridges will automatically detect their IPv4 address. But IPv6 addresses require manual configuration.

Entry Node IPv4 Only Dual-Stack IPv6 Only
Publicly Routable IPv4 Publicly Routable IPv6 Publicly Routable Publicly Routable
Authority Manual Manual Manual Needs Research #4565
Relay Auto Auto Manual #5940 Needs Research #4565
Bridge Auto Auto Manual #5940, Private/NAT IPv4 #4847 Broken #23824

Client Connection to Entry Nodes

What does a client need to do to bootstrap off or connect to an entry node?

Clients can set these options:

  • Default: Use IPv4 only
  • ClientUseIPv6 1: Use IPv6 occasionally
  • ClientPreferIPv6ORPort 1: Use IPv6 whenever they can
  • ClientUseIPv4 0: Only use IPv6
Entry Node IPv4 Only Dual-Stack IPv6 Only
IPv4 IPv6
Authority Dir Auto Auto Manual #17835 Manual #17835
Fallback Dir Auto Auto Manual #17835 Manual #17835
Guard Dir Auto Auto Manual #17835 Manual #17835
Guard microdesc Auto Auto Workaround #19610, #20916 Workaround #19610, #20916
Guard OR Auto Auto Manual #17835, #17217 Manual #17835, #17217

Bridge clients set UseBridges 1, and configure bridge lines using Bridge .... They will use the configured addresses of their bridges, including IPv6 addresses. They can also set ClientPreferIPv6ORPort 1 to prefer IPv6 bridge addresses.

Entry Node IPv4 Only Dual-Stack IPv6 Only
IPv4 IPv6
Bridge Auth Dir Auto Auto Unknown Unknown
Bridge Dir Auto Auto Auto Auto
Bridge OR Auto Auto Auto Auto
Bridge PT Auto Auto Workaround #7961 Workaround #7961

Reachability Checks

Authorities do reachability checks automatically on relay IPv4 ORPorts, and do IPv6 ORPort reachability checks when AuthDirHasIPv6Connectivity is set. Authorities don't assume that their own IPv6 ORPorts are reachable (#24338).

Relays do reachability checks automatically on their IPv4 ORPort and DirPort, but don't IPv6 ORPort reachability checks (#24403):

  1. Declare Relay protover 3, in which relays with IPv6 ORPorts start attempting to connect to IPv6 ORPorts in response to EXTEND2 cells containing IPv6 addresses. Relays should choose between IPv4 and IPv6 when extending (how? at random?). (proposal: #24404, code: #24405)
  2. Relays with IPv6 ORPorts check the reachability of their IPv6 ORPort via a multi-hop path using an EXTEND2 cell with their own IPv4 and IPv6 ORPorts for the final hop (#6939, #22781), using a relay that supports protover Relay >= 3 as the second-last hop, and making sure that relay is not in the same IPv4 or IPv6 address block (?) (#24393, #15518).
  3. When a CREATED cell is received on an origin connection, and it contains one of our our ORPort addresses, we know we are reachable at that address (#13112, #17782 (IPv4)).
  4. If we don't confirm ourselves reachable within 20 minutes (this can happen because relays will use existing canonical connections to another relay, rather than making a new one to a different address), use a fallback mechanism (see #24406 for details). Using saved NETINFO from incoming connections is probably the best way forward here.
  5. Authorities do IPv6 reachability checks, and warn if their ORPort is unreachable (but still publish the address: #24338). If an authority publishes an unreachable IPv6 address, it will be marked not running as long as a majority of authorities (that does not include that authority) are on IPv6.

The Bridge Authority may do reachability checks automatically on bridge IPv4 ORPorts and IPv6 ORPorts (#24264).

Exit Connections

IPv4 and IPv6 mostly work, exits handle literal addresses and DNS.

IPv6-only DNS resolves should send a hint to the client, so it tries an IPv6 Exit.

Onion Service Protocol

v2 only supports IPv4, which only matters for single onion services, as long as all relays have IPv4.

v3 only supports IPv4 in 0.3.2. In 0.3.3 we will add IPv6 addresses and single onion service multi-hop fallback on failure (#23493). When we put IPv6 addresses in EXTEND cells for onion services (#24181), we should also put them in normal client extend cells (#24451), so we don't split the anonymity set of v3 onion service circuits and other client circuits. (Hiding v2 onion service circuits is a lost cause, they are the only circuits that use TAP for the final client intro and service rend hops.)


Consensus health has a ReachableIPv6 pseudo-flag for authority to relay IPv6 ORPort reachability checks (#24287):

Metrics reports relay IPv6 ORPorts and IPv6 Exit policies (#23761, #24218):

Reporting IPv6 traffic on ORPorts and Exits needs Core Tor to report these statistics (ticket?).

Related Tickets

This is a list of all open IPv6 tickets:

Ticket Summary Keywords Status Owner Type Priority
#4565 Enable relays to talk to other relays via IPv6 ipv6 tor-relay needs-design assigned ln5 project Medium
#4806 Detect and warn when running IPv6-using client without IPv6 address privacy ipv6, tor-client, nickm-patch, intro, privacy needs_revision enhancement High
#4847 Fix IPv6 bridges with a private/dynamic IPv4 address ipv6, tor-bridge assigned ln5 defect Medium
#5532 Reconstruct and merge 4561 leftover code that adds wrappers for address-access functions tor-relay ipv6 multihome addressing needs_revision nickm task Medium
#5788 Add support for relays without an IPv4 address ipv6, tor-relay non-clique new ln5 enhancement Medium
#5940 Figure out own IPv6 address ipv6, tor-relay, lorax new enhancement Medium
#6772 Fall back to alternative OR or Dir port if the current fails ipv6 tor-client tor-hs single-onion robustness address-handling new enhancement Medium
#6878 Make outbound DNS requests honor OutboundBindAddressIPv6 ipv6, exit, tor-relay dns needs-libevent-change new enhancement Medium
#6939 Missing IPv6 ORPort reachability check ipv6, tor-relay, ipv6-relay self-test needs_revision defect High
#7193 Tor's sybil protection doesn't consider IPv6 ipv6, intro, tor-dirauth security sybil new enhancement Medium
#7478 Allow routersets to include/exclude nodes by IPv6 address tor-client, ipv6 needs_revision enhancement High
#7482 Discard nonsense in address.c about v4-mapped addresses tor-client, ipv6 refactor code-removal needs_revision defect Medium
#7961 Publish transports that bind on IPv6 addresses tor-bridge, pt, ipv6 anticensorship needs-spec refactor easy new defect Medium
#11211 Multiple ServerTransportListenAddr entries should be allowed per transport. tor-bridge, pt, needs-spec, tor-pt, bridgedb-parsers, ipv6, triaged-out-20170124 assigned nickm enhancement Medium
#11360 Listen on IPv6 by default for SocksPort *:Port tor-client, ipv6, torrc, ui, intro new enhancement Medium
#11625 Tor DNSPORT returns NXDOMAIN for AAAA records? tor-client, dns, exit-node-choice, ipv6 new defect Medium
#12138 No IPv6 support when suggesting a bindaddr to a PT tor-pt, tor-bridge ipv6 new enhancement Medium
#13112 Some things are probably broken when we advertise multiple ORPorts and only some are reachable tor-relay reachability self-testing needs-design ipv6 tor-bridge needs_revision teor defect Medium
#15518 Tor considers routers in the same IPv6 /16 to be "in the same subnet" ipv6, path, path-bias, tor-client easy new defect High
#17011 chutney doesn't verify using IPv6 addresses SponsorS, testing, ipv6, tor-tests-integration new defect High
#17013 Does chutney need to test various rare IPv6/IPv4 combinations? testing, SponsorS, tor-tests-integration, ipv6 new enhancement Medium
#17217 Change clients to automatically use IPv6 if they can bootstrap over it ipv6 tor-client robustness censorship-resistance new enhancement Low
#17230 Local DNS resolver will not resolve AAAA records with fc00::/8 prefixes. tor-client tor-relay cjdns ipv6 needs-insight maybe-bad-idea new defect Medium
#17636 Can a single IPv6 bridge failure stop Tor connecting? tor-client tor-bridges, ipv6 needs-diagnosis new defect Medium
#17787 Improve address detection on multihomed relays tor-relay ipv6 multihome address-detection new defect Low
#17811 Tor Clients on IPv6 ipv6 tor-client master-ticket new task High
#17835 Make ClientPreferIPv6ORPort smarter tor-client ipv6 new defect Medium
#17845 Add unit tests for IPv6 relay descriptors ipv6, tor-tests-coverage, tor-tests-unit, tor-relay new enhancement Medium
#17952 Make address family search via ioctl more accurate on obscure platforms ipv6, easy, lorax tor-relay address-detection new enhancement Very Low
#18674 Tor rejects [::]/8 and [::]/127 explicitly, but the latter is sometimes eliminated tor-relay exit-policy ipv6 new defect Low
#19487 Meek and ReachableAddresses ipv6, bridges, pluggable-transports, regression, 032-unreached needs_revision dcf defect Medium
#20045 FAQ + man page entry for using Tor from an IPv6 only host. FAQ tor-doc easy ipv6 new enhancement Medium
#20067 Chutney should verify IPv6 SOCKSPorts testing, ipv6 new enhancement Medium
#20068 Chutney tests for IPv6-only bridge clients ipv6 new teor defect Medium
#20071 Tor clients need 4 routers when connecting via IPv6, but only 3 using IPv4 testing, ipv6, chutney, tiny-network, tor-client, needs-diagnosis new defect Low
#20175 Allow the fallback script to ignore temporary IPv6 addresses fallback, ipv6 assigned haxxpop enhancement Medium
#20916 Proposal: Put Relay IPv6 Addresses in the microdesc consensus prop283, ipv6, regression new teor task Medium
#21003 extend_info_describe should list IPv6 address (if present) easy intro ipv6 logging new defect Medium
#21043 Make ClientUseIPv4 and ClientUseIPv6 equivalent to ReachableAddresses ipv6, tor-client reachableaddresses torrc configuration new defect Medium
#21310 Exits should tell clients when they are connecting to an IPv6-only hostname ipv6 needs_revision teor defect Medium
#21311 Exits should resolve IPv6 addresses, regardless of IPv6Exit ipv6, 031-deferred-20170425 needs_information defect Medium
#21346 Clients with NoIPv4Traffic should only choose IPv6-supporting Exits ipv6, 031-deferred-20170425, 032-unreached new defect Medium
#21355 Warn when IPv6Exits have no ipv6-policy line in their descriptor ipv6 easy intro log tor-relay tor-dirauth new defect Medium
#21397 Tor TransparentProxy documentation: add IPv6 support / port to nftables tor-doc wiki nftables ipv6 transproxy tor-client new enhancement Medium
#21499 client_dns_incr_failures while passing not hostname but only IP tor-client, ipv6, triaged-out-20170308, annoying dns new defect Medium
#21524 private:* contains valid IPv6 addresses ipv6 exit-policies tor-relay new defect Medium
#21902 evdns adds default DNS servers, but chutney wants a consistent environment chutney-wants, ipv6, tor-relay dns exit testing new defect Medium
#22469 tor should probably reject "0x00" in port range specifications tor-relay torrc configuration intro ipv6 new defect Medium
#22697 Tor should mandatory require brackets around ipv6 address tor-client tor-relay parsing ipv6 compatibility-issues new enhancement Medium
#22781 hs: Unify link specifier API/ABI tor-cell, tor-relay, ipv6 needs_revision dgoulet enhancement Very High
#23493 IPv6 v3 Single Onion Services fail with a bug warning prop224, tor-hs, single-onion, ipv6 new defect Medium
#23507 Add single onion unreachable address algorithm to prop224 doc, tor-spec, prop224, tor-hs, single-onion, ipv6 accepted dgoulet defect Medium
#23576 Make service_intro_point_new() take a node instead of an extend_info prop224, tor-hs, single-onion, ipv6 assigned dgoulet defect Medium
#23588 Write fascist_firewall_choose_address_ls() and use it in hs_get_extend_info_from_lspecs() prop224, tor-hs, single-onion, ipv6 new defect Medium
#23759 Refactor common code out of setup_introduce1_data and intro point functions prop224, tor-hs, single-onion, ipv6, refactor assigned dgoulet defect Medium
#23818 Make v3 single onion services retry failed connections with a 3-hop path prop224, tor-hs, single-onion, ipv6 new defect Medium
#23819 Support IPv6 link-local interface addresses ipv6 link-local needs_revision enhancement Medium
#23824 Make IPv6-only bridges work ipv6, tor-bridge new enhancement Medium
#23975 Make node_get_pref_ipv6_orport() check addresses in the right order ipv6, review-group-29 needs_revision teor defect Medium
#24000 circuit_send_intermediate_onion_skin() and extend_cell_format() should check for IPv6 ipv6 new defect Medium
#24006 IPv6-only Tor2web has never actually connected to rend points over IPv6 tor-hs, tor2web, ipv6 new defect Medium
#24181 Put IPv6 and unrecognised link specifiers in onion service EXTEND cells prop224, tor-hs, single-onion, ipv6, tor-spec accepted dgoulet defect Medium
#24193 Make v3 single onion services parse and use IPv6 introduce link specifiers prop224, tor-hs, single-onion, ipv6 accepted dgoulet enhancement Medium
#24264 Enable IPv6 reachability testing for the Bridge Authority dirauth, bridgeauth, ipv6 reopened isis task High
#24344 Add an "UnreachableIPv6" flag to relays in consensus health IPv6 new tom enhancement Medium
#24393 Clients should check IPv4 and IPv6 subnets when choosing circuit paths ipv6, intro, tor-dirauth security sybil new defect Medium
#24403 Propose and implement IPv6 ORPort reachability checks on relays ipv6, tor-relay assigned teor task Medium
#24404 Propose a relay protover that allows IPv6 extends needs-proposal, ipv6, tor-relay new enhancement Medium
#24405 Implement relay IPv6 extends with proposed protover needs-proposal, ipv6, tor-relay new enhancement Medium
#24406 Implement IPv6 ORPort reachability fallback ipv6, tor-relay new enhancement Medium
#24451 Put IPv6 link specifiers in client EXTEND cells ipv6 tor-client accepted dgoulet enhancement Medium
#24535 Document which address functions we should use, and when ipv6, doc new defect Medium
#24546 Use tor_addr_is_v4() rather than family, or reject all v6-mapped IPv4 addresses tor-dirauth, ipv6 new defect Medium
#24603 Update control spec to allow decorated IPv6 addresses in reachability events ipv6, tor-relay, tor-spec needs_revision teor defect Medium
#24604 Decorate IPv6 addresses in connection_t->address to avoid ambiguity ipv6, tor-relay new defect Medium
#24731 Stop checking routerinfos for addresses when we use microdescs for circuits ipv6, tor-relay new defect Medium
#24732 Remove unused IPv6 DirPort code ipv6, tor-relay new enhancement Medium
#24734 Remove the return value of fascist_firewall_choose_address_node() ipv6, tor-relay new defect Medium
#24735 Always check for the null address when calling address functions ipv6, tor-relay new defect Medium
#24777 Make relays try IPv6 ORPorts for directory uploads and downloads ipv6, tor-relay new defect Low
#24833 DNS not reliably returning AAAA records ipv6 tor-client tor-exit tor-dns new enhancement Medium
#24867 Do relays keep more than one canonical connection when they extend over IPv6? ipv6, tor-relay new defect Medium
#24868 Check a consensus parameter before activating onion service IPv6 features prop224, tor-hs, single-onion, ipv6, must-do-before-033-stable assigned teor defect High

Last modified 4 weeks ago Last modified on Dec 22, 2017, 11:23:46 PM