IPv6 Feature Matrix

This is a list of core Tor network features, and their support for IPv6.

Overview

We want to deploy IPv6 extends in this order to make it harder to identify clients with IPv6 support:

  • IPv6 single onion services (in any order, because they only use IPv6 in create cells)
  • IPv6 relay extends
  • IPv6 relay reachability (provides cover traffic for IPv6 client extends)
  • IPv6 client extends for exit circuits
  • IPv6 client extends for multi-hop onion service circuits

Statuses

  • Auto: this works automatically in the default configuration.
  • Manual: this requires manual config on the client or relay.
  • Workaround: this works, but we could make it work much better.
  • Broken: this should work, but it doesn't.
  • Never: this can't work, or we won't implement it any time soon.

Each manual, workaround, or broken feature should also have a ticket.

Entry Nodes

What does an entry node need to do to use each IP version for its ORPort? (There are no IPv6 DirPorts.)

Authorities, Relays and Bridges set:

  • Address IPv4 and ORPort Port
  • ORPort [IPv6]:Port

If they do not set Address, Relays and Bridges will automatically detect their IPv4 address. But IPv6 addresses require manual configuration.

| Entry Node | IPv4 Only (Publicly Routable) | Dual-Stack (IPv4 Publicly Routable) | Dual-Stack (IPv6 Publicly Routable) | IPv6 Only (Publicly Routable) |
|---|---|---|---|---|
| Authority | Manual | Manual | Manual | Needs Research #4565 |
| Relay | Auto | Auto | Manual #5940 | Needs Research #4565 |
| Bridge | Auto | Auto | Manual #5940, Private/NAT IPv4 #4847 | Broken #23824 |

Client Connection to Entry Nodes

What does a client need to do to bootstrap off or connect to an entry node?

Clients can set these options:

  • Default: Use IPv4 only
  • ClientUseIPv6 1: Use IPv6 occasionally
  • ClientPreferIPv6ORPort 1: Use IPv6 whenever they can
  • ClientUseIPv4 0: Only use IPv6

| Entry Node | IPv4 Only | Dual-Stack (IPv4) | Dual-Stack (IPv6) | IPv6 Only |
|---|---|---|---|---|
| Authority Dir | Auto | Auto | Manual #17835 | Manual #17835 |
| Fallback Dir | Auto | Auto | Manual #17835 | Manual #17835 |
| Guard Dir | Auto | Auto | Manual #17835 | Manual #17835 |
| Guard microdesc | Auto | Auto | Workaround #19610, #20916 | Workaround #19610, #20916 |
| Guard OR | Auto | Auto | Manual #17835, #17217 | Manual #17835, #17217 |

Bridge clients set UseBridges 1, and configure bridge lines using Bridge .... They will use the configured addresses of their bridges, including IPv6 addresses. They can also set ClientPreferIPv6ORPort 1 to prefer IPv6 bridge addresses.

| Entry Node | IPv4 Only | Dual-Stack (IPv4) | Dual-Stack (IPv6) | IPv6 Only |
|---|---|---|---|---|
| Bridge Auth Dir | Auto | Auto | Unknown | Unknown |
| Bridge Dir | Auto | Auto | Auto | Auto |
| Bridge OR | Auto | Auto | Auto | Auto |
| Bridge PT | Auto | Auto | Workaround #7961 | Workaround #7961 |

Reachability Checks

Authorities do reachability checks automatically on relay IPv4 ORPorts, and do IPv6 ORPort reachability checks when AuthDirHasIPv6Connectivity is set. Authorities don't assume that their own IPv6 ORPorts are reachable (#24338).

Relays do reachability checks automatically on their IPv4 ORPort and DirPort, but don't do IPv6 ORPort reachability checks (#24403):

  1. Declare Relay protover 3, in which relays with IPv6 ORPorts start attempting to connect to IPv6 ORPorts in response to EXTEND2 cells containing IPv6 addresses. Relays should choose between IPv4 and IPv6 when extending (how? at random?). (proposal: #24404, code: #24405)
  2. Relays with IPv6 ORPorts check the reachability of their IPv6 ORPort via a multi-hop path using an EXTEND2 cell with their own IPv4 and IPv6 ORPorts for the final hop (#6939, #22781), using a relay that supports protover Relay >= 3 as the second-last hop, and making sure that relay is not in the same IPv4 or IPv6 address block (?) (#24393, #15518).
  3. When a CREATED cell is received on an origin connection, and it contains one of our ORPort addresses, we know we are reachable at that address (#13112, #17782 (IPv4)).
  4. If we don't confirm ourselves reachable within 20 minutes (this can happen because relays will use existing canonical connections to another relay, rather than making a new one to a different address), use a fallback mechanism (see #24406 for details). Using saved NETINFO from incoming connections is probably the best way forward here.
  5. Authorities do IPv6 reachability checks, and warn if their ORPort is unreachable (but still publish the address: #24338). If an authority publishes an unreachable IPv6 address, it will be marked not running as long as a majority of authorities (that does not include that authority) are on IPv6.
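
The EXTEND2 link specifiers from step 2 and the address-block check it asks for, as an added example (not code from Tor or from this page). The specifier layout follows tor-spec; the /16 and /32 block sizes, the function names and the sample addresses are assumptions made here.

```python
import ipaddress
import struct

LS_IPV4, LS_IPV6, LS_LEGACY_ID = 0x00, 0x01, 0x02  # tor-spec specifier types
V4_BLOCK, V6_BLOCK = 16, 32  # assumed block sizes; the page leaves them open


def encode_lspecs(ipv4, ipv6, port, rsa_id):
    """Encode NSPEC plus link specifiers for a hop with both ORPorts."""
    specs = [
        (LS_IPV4, ipaddress.IPv4Address(ipv4).packed + struct.pack("!H", port)),
        (LS_IPV6, ipaddress.IPv6Address(ipv6).packed + struct.pack("!H", port)),
        (LS_LEGACY_ID, rsa_id),
    ]
    out = bytes([len(specs)])
    for lstype, body in specs:
        out += bytes([lstype, len(body)]) + body
    return out


def parse_lspecs(buf):
    """Parse link specifiers, rejecting truncated or wrongly sized entries."""
    if not buf:
        raise ValueError("empty payload")
    pos, found = 1, {}
    for _ in range(buf[0]):
        if pos + 2 > len(buf):
            raise ValueError("truncated specifier header")
        lstype, lslen = buf[pos], buf[pos + 1]
        body = buf[pos + 2 : pos + 2 + lslen]
        if len(body) != lslen:
            raise ValueError("truncated specifier body")
        pos += 2 + lslen
        if lstype in (LS_IPV4, LS_IPV6):
            if lslen != (6 if lstype == LS_IPV4 else 18):
                raise ValueError("bad address specifier length")
            port = struct.unpack("!H", body[-2:])[0]
            found[lstype] = (ipaddress.ip_address(body[:-2]), port)
        else:
            found[lstype] = body  # identity or unrecognised type: keep raw
    return found


def same_block(a, b):
    """True if a and b are the same family and share the assumed block."""
    a, b = ipaddress.ip_address(a), ipaddress.ip_address(b)
    if a.version != b.version:
        return False
    bits = V4_BLOCK if a.version == 4 else V6_BLOCK
    return b in ipaddress.ip_network(f"{a}/{bits}", strict=False)


def hop_is_independent(own_addrs, hop_addrs):
    """True if no hop address shares a block with any of our addresses."""
    return not any(same_block(o, h) for o in own_addrs for h in hop_addrs)


# Constructed sample: documentation-range addresses and an all-zero identity.
OWN = encode_lspecs("192.0.2.10", "2001:db8:1::10", 9001, bytes(20))
```

A hop whose IPv4 address is in a different /16 is still rejected by `hop_is_independent` when its IPv6 address shares the relay's /32, which is the case step 2 adds over an IPv4-only check.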

The Bridge Authority may do reachability checks automatically on bridge IPv4 ORPorts and IPv6 ORPorts (#24264).

Exit Connections

IPv4 and IPv6 mostly work: exits handle literal addresses and DNS.

IPv6-only DNS resolves should send a hint to the client, so it tries an IPv6 Exit.

Onion Service Protocol

v2 only supports IPv4, which only matters for single onion services, as long as all relays have IPv4.

v3 only supports IPv4 in 0.3.2. In 0.3.3 we will add IPv6 addresses and single onion service multi-hop fallback on failure (#23493). When we put IPv6 addresses in EXTEND cells for onion services (#24181), we should also put them in normal client extend cells (#24451), so we don't split the anonymity set of v3 onion service circuits and other client circuits. (Hiding v2 onion service circuits is a lost cause: they are the only circuits that use TAP for the final client intro and service rend hops.)

Reporting

Consensus health has a ReachableIPv6 pseudo-flag for authority to relay IPv6 ORPort reachability checks (#24287).

Metrics reports relay IPv6 ORPorts and IPv6 Exit policies (#23761, #24218).

Reporting IPv6 traffic on ORPorts and Exits needs Core Tor to report these statistics (ticket?).

Related Tickets

This is a list of all open IPv6 tickets:

Ticket Summary Keywords Status Owner Type Priority
#4565 Enable relays to talk to other relays via IPv6 ipv6 tor-relay needs-design assigned ln5 project Medium
#4806 Detect and warn when running IPv6-using client without IPv6 address privacy ipv6, tor-client, nickm-patch, intro, privacy needs_revision enhancement High
#4847 Fix IPv6 bridges with a private/dynamic IPv4 address ipv6, tor-bridge assigned ln5 defect Medium
#5298 Relay does not pick the right IP addr of local node when multiple interfaces are available tor-relay, ipv6, reachability, 034-triage-20180328, 034-removed-20180328 new defect Medium
#5532 Reconstruct and merge 4561 leftover code that adds wrappers for address-access functions tor-relay ipv6 multihome addressing needs_revision nickm task Medium
#5788 Add support for relays without an IPv4 address ipv6, tor-relay non-clique new ln5 enhancement Medium
#5940 Figure out own IPv6 address ipv6, tor-relay, lorax new enhancement Medium
#6772 Fall back to alternative OR or Dir port if the current fails ipv6 tor-client tor-hs single-onion robustness address-handling new enhancement Medium
#6878 Make outbound DNS requests honor IPv6 OutboundBindAddress ipv6, exit, tor-relay dns needs-libevent-change new enhancement Medium
#6939 Missing IPv6 ORPort reachability check ipv6, tor-relay, ipv6-relay, self-test, 034-triage-20180328, 034-removed-20180328 needs_revision defect High
#7193 Tor's sybil protection doesn't consider IPv6 ipv6, intro, tor-dirauth security sybil new enhancement Medium
#7478 Allow routersets to include/exclude nodes by IPv6 address tor-client, ipv6 needs_revision enhancement High
#7482 Discard nonsense in address.c about v4-mapped addresses tor-client, ipv6 refactor code-removal needs_revision defect Medium
#7961 Publish transports that bind on IPv6 addresses tor-bridge, pt, ipv6 anticensorship needs-spec refactor needs_information defect Medium
#11211 Multiple ServerTransportListenAddr entries should be allowed per transport. tor-bridge, pt, needs-spec, tor-pt, bridgedb-parsers, ipv6, triaged-out-20170124 assigned nickm enhancement Medium
#11360 Listen on IPv6 by default for SocksPort *:Port tor-client, ipv6, torrc, ui, intro new enhancement Medium
#11625 Tor DNSPORT returns NXDOMAIN for AAAA records? tor-client, dns, exit-node-choice, ipv6 new defect Medium
#12138 No IPv6 support when suggesting a bindaddr to a PT tor-pt, tor-bridge ipv6 new enhancement Medium
#13112 Some things are probably broken when we advertise multiple ORPorts and only some are reachable tor-relay, reachability, self-testing, needs-design, ipv6, tor-bridge, 034-triage-20180328, 034-removed-20180328 needs_revision teor defect Medium
#17011 chutney doesn't verify using IPv6 addresses SponsorS, testing, ipv6, tor-tests-integration new defect High
#17013 Does chutney need to test various rare IPv6/IPv4 combinations? testing, SponsorS, tor-tests-integration, ipv6 new enhancement Medium
#17217 Change clients to automatically use IPv6 if they can bootstrap over it ipv6 tor-client robustness censorship-resistance assigned neel enhancement Low
#17230 Local DNS resolver will not resolve AAAA records with fc00::/8 prefixes. tor-client tor-relay cjdns ipv6 needs-insight maybe-bad-idea new defect Medium
#17636 Can a single IPv6 bridge failure stop Tor connecting? tor-client tor-bridges, ipv6 needs-diagnosis new defect Medium
#17787 Improve address detection on multihomed relays tor-relay ipv6 multihome address-detection new defect Low
#17811 Tor Clients on IPv6 ipv6 tor-client master-ticket new task High
#17835 Make ClientPreferIPv6ORPort smarter tor-client ipv6 assigned neel defect Medium
#17845 Add unit tests for IPv6 relay descriptors ipv6, tor-tests-coverage, tor-tests-unit, tor-relay new enhancement Medium
#17952 Make address family search via ioctl more accurate on obscure platforms ipv6, easy, lorax tor-relay address-detection new enhancement Very Low
#18674 Tor rejects [::]/8 and [::]/127 explicitly, but the latter is sometimes eliminated tor-relay exit-policy ipv6 new defect Low
#19487 Meek and ReachableAddresses ipv6, bridges, pluggable-transports, regression, 032-unreached needs_revision dcf defect Medium
#20067 Chutney should verify IPv6 SOCKSPorts testing, ipv6 new enhancement Medium
#20068 Chutney tests for IPv6-only bridge clients ipv6 new defect Medium
#20071 Tor clients need 4 routers when connecting via IPv6, but only 3 using IPv4 testing, ipv6, chutney, tiny-network, tor-client, needs-diagnosis new defect Low
#20175 Allow the fallback script to ignore temporary IPv6 addresses fallback, ipv6 assigned haxxpop enhancement Medium
#20218 Fix and refactor and redocument routerstatus_has_changed ipv6, 029-proposed, tor-control, easy, spec-conformance, review-group-31, 034-triage-20180328, 034-removed-20180328 needs_revision defect Medium
#21003 extend_info_describe should list IPv6 address (if present) easy intro ipv6 logging new defect Medium
#21043 Make ClientUseIPv4 and ClientUseIPv6 equivalent to ReachableAddresses ipv6, tor-client reachableaddresses torrc configuration new defect Medium
#21310 Exits should tell clients when they are connecting to an IPv6-only hostname ipv6, 034-triage-20180328, 034-removed-20180328 needs_revision defect Medium
#21311 Exits should resolve IPv6 addresses, regardless of IPv6Exit ipv6, 031-deferred-20170425, 033-triage-20180320, 033-removed-20180320 needs_information defect Medium
#21355 Warn when IPv6Exits have no ipv6-policy line in their descriptor ipv6 easy intro log tor-relay tor-dirauth new defect Medium
#21397 Tor TransparentProxy documentation: add IPv6 support / port to nftables tor-doc wiki nftables ipv6 transproxy tor-client new enhancement Medium
#21499 client_dns_incr_failures while passing not hostname but only IP tor-client, ipv6, triaged-out-20170308, annoying dns new defect Medium
#21524 private:* contains valid IPv6 addresses ipv6 exit-policies tor-relay new defect Medium
#21902 evdns adds default DNS servers, but chutney wants a consistent environment chutney-wants, ipv6, tor-relay dns exit testing new defect Medium
#22469 tor should probably reject "0x00" in port range specifications tor-relay torrc configuration intro ipv6 new defect Medium
#22697 Tor should mandatory require brackets around ipv6 address tor-client tor-relay parsing ipv6 compatibility-issues new enhancement Medium
#22781 hs: Unify link specifier API/ABI tor-cell, tor-relay, ipv6, 034-triage-20180328, 034-removed-20180328 needs_revision dgoulet enhancement Medium
#23082 tor_addr_parse is overly permissive 032-unreached, ipv6 needs_review rl1987 defect Medium
#23493 IPv6 v3 Single Onion Services fail with a bug warning prop224, tor-hs, single-onion, ipv6, 034-triage-20180328, 034-removed-20180328 new defect Medium
#23507 Add single onion unreachable address algorithm to prop224 doc, tor-spec, prop224, tor-hs, single-onion, ipv6, 034-triage-20180328, 034-removed-20180328 accepted dgoulet defect Medium
#23576 Make service_intro_point_new() take a node instead of an extend_info prop224, tor-hs, single-onion, ipv6, 034-triage-20180328, 034-removed-20180328, fast-fix needs_revision teor defect Medium
#23588 Write fascist_firewall_choose_address_ls() and use it in hs_get_extend_info_from_lspecs() prop224, tor-hs, single-onion, ipv6, 034-triage-20180328, 034-removed-20180328 merge_ready neel enhancement Medium
#23759 Refactor common code out of setup_introduce1_data and intro point functions prop224, tor-hs, single-onion, ipv6, refactor, 034-triage-20180328, 034-removed-20180328 assigned dgoulet defect Medium
#23818 Make v3 single onion services retry failed connections with a 3-hop path prop224, tor-hs, single-onion, ipv6, 034-triage-20180328, 034-removed-20180328 assigned neel defect Medium
#23819 Support IPv6 link-local interface addresses ipv6, link-local, 034-triage-20180328, 034-removed-20180328 needs_revision enhancement Medium
#23824 Make IPv6-only bridges work ipv6, tor-bridge new enhancement Medium
#23975 Make node_get_pref_ipv6_orport() check addresses in the right order ipv6, review-group-29, 034-triage-20180328, 034-removed-20180328 assigned defect Medium
#24000 circuit_send_intermediate_onion_skin() and extend_cell_format() should check for IPv6 ipv6, 034-triage-20180328, merge-deferred, 035-triaged-in-20180711 merge_ready nickm defect Medium
#24006 IPv6-only Tor2web has never actually connected to rend points over IPv6 tor-hs, tor2web, ipv6 new defect Medium
#24181 Put IPv6 and unrecognised link specifiers in onion service EXTEND cells prop224, tor-hs, single-onion, ipv6, 034-triage-20180328, 034-removed-20180328 accepted dgoulet defect Medium
#24193 Make v3 single onion services parse and use IPv6 introduce link specifiers prop224, tor-hs, single-onion, ipv6, 034-triage-20180328, 034-removed-20180328 merge_ready dgoulet enhancement Medium
#24264 Enable IPv6 reachability testing for the Bridge Authority dirauth, bridgeauth, ipv6 reopened isis task High
#24344 Add an "UnreachableIPv6" flag to relays in consensus health IPv6 new tom enhancement Medium
#24393 Clients should check IPv4 and IPv6 subnets when choosing circuit paths ipv6, intro, tor-dirauth, security, sybil, 034-triage-20180328, 034-removed-20180328 needs_review neel enhancement Medium
#24403 Propose and implement IPv6 ORPort reachability checks on relays ipv6, tor-relay, 034-triage-20180328, 034-removed-20180328 assigned task Medium
#24404 Propose a relay protover that allows IPv6 extends needs-proposal, ipv6, tor-relay, 034-triage-20180328, 034-removed-20180328 new enhancement Medium
#24405 Implement relay IPv6 extends with proposed protover needs-proposal, ipv6, tor-relay, 034-triage-20180328, 034-removed-20180328 new enhancement Medium
#24406 Implement IPv6 ORPort reachability fallback ipv6, tor-relay, 034-triage-20180328, 034-removed-20180328 new enhancement Medium
#24451 Put IPv6 link specifiers in client EXTEND cells ipv6, tor-client, 034-triage-20180328, 034-removed-20180328 accepted dgoulet enhancement Medium
#24535 Document which address functions we should use, and when ipv6, doc, 034-triage-20180328, 034-removed-20180328 new defect Medium
#24546 Use tor_addr_is_v4() rather than family, or reject all v6-mapped IPv4 addresses tor-dirauth, ipv6, 033-triage-20180320, 033-removed-20180320, 035-triaged-in-20180711 needs_revision defect Medium
#24603 Update control spec to allow decorated IPv6 addresses in reachability events ipv6, tor-relay, tor-spec, 034-triage-20180328, 035-removed-20180711 needs_information defect Medium
#24604 Decorate IPv6 addresses in connection_t->address to avoid ambiguity ipv6, tor-relay, 034-triage-20180328, 034-removed-20180328 new defect Medium
#24731 Stop checking routerinfos for addresses when we use microdescs for circuits ipv6, tor-relay, 034-triage-20180328, 034-removed-20180328 new defect Medium
#24732 Remove unused IPv6 DirPort code ipv6, tor-relay, 034-triage-20180328, 035-triaged-in-20180711 needs_revision enhancement Medium
#24735 Always check for the null address when calling address functions ipv6, tor-relay, 034-triage-20180328, 034-removed-20180328 needs_revision defect Medium
#24777 Make relays try IPv6 ORPorts for directory uploads and downloads ipv6, tor-relay, 034-triage-20180328, 034-removed-20180328 new defect Low
#24833 DNS not reliably returning AAAA records ipv6, tor-client, tor-exit, tor-dns, 034-triage-20180328, 034-removed-20180328 new enhancement Medium
#24867 Do relays keep more than one canonical connection when they extend over IPv6? ipv6, tor-relay, 034-triage-20180328, 034-removed-20180328 new defect Medium
#25245 Crash in assert_connection_ok when changing Exit options crash, regression?, tor-exit, tor-relay, ipv6, 033-must, 033-triage-20180320, 033-included-20180320, 035-must, 035-triaged-in-20180711 needs_revision ahf defect Very High
#25784 Misleading error message when asking for IPv6 in a network with no IPv6-capable exits easy, ipv6 new defect Medium
#26436 Check uses of CMP_SEMANTIC for IP addresses tor-dirauth, ipv6, 033-triage-20180320, 033-removed-20180320 new defect Medium
#26646 add support for multiple OutboundBindAddressExit IP(ranges) needs-proposal, tor-exit, ipv6, censorship new enhancement Medium
#26664 When an exit tells a client about an IPv6-only hostname, the client should choose another IPv6 exit ipv6 tor-client tor-exit new defect Medium
#26992 Add intro point IPv6 address to service descriptors prop224, tor-hs, single-onion, ipv6, 034-triage-20180328, 034-removed-20180328 needs_revision teor enhancement Medium
#27086 Write unit tests for fascist_firewall_choose_address_ls() and hs_get_extend_info_from_lspecs() prop224, tor-hs, single-onion, ipv6, 034-triage-20180328, 034-removed-20180328 new defect Medium
#27251 Add single-onion-v23-ipv6-md to make test-network-all prop224, tor-hs, single-onion, ipv6, 034-triage-20180328, 034-removed-20180328 new enhancement Medium
#27284 Check IPv6 exit policies on microdescs 034-backport-maybe, ipv6 assigned teor defect Medium
#27490 When ClientPreferIPv6ORPort is set to auto, and a relay is being chosen for a directory or orport connection, prefer IPv4 or IPv6 at random ipv6 merge_ready neel enhancement Medium
#27647 When randomly choosing IPv4 or IPv6, set IPv6 probability based on IPv6 weight tor-client ipv6 assigned neel defect Medium
#27648 Stop setting the IPv6 preferred flag on nodes tor-client ipv6 assigned neel defect Medium
#27736 Make sure that Tor doesn't build an IPv4 and an IPv6 connection to the same relay tor-client ipv6 assigned teor defect Medium
#27753 Improve visibility of IPv6 related settings ipv6, tor-relay assigned enhancement Low
#28057 When randomly choosing IPv4 or IPv6, log better IPv6 preference info tor-client ipv6 new defect Medium

Last modified on Dec 22, 2017, 11:23:46 PM