author | teor <teor@torproject.org> | 2020-02-04 12:10:18 +1000 |
---|---|---|
committer | teor <teor@torproject.org> | 2020-02-05 22:02:52 +1000 |
commit | 7a55bf166248a5ff210691cb219df1ec8e40ea29 (patch) | |
tree | 62151004843af60fe6dd7594df40e6d2c5ccfc5a /proposals/312-relay-auto-ipv6-addr.txt | |
parent | 8a9ea6f2245ce3c60938bdb74a1a862b3d403fb4 (diff) | |
Prop 312: Explain why untrusted addresses are bad

And describe a potential attack that gives a relay the wrong address,
then monitors its traffic.

As suggested by Nick Mathewson.

Part of 33073.
Diffstat (limited to 'proposals/312-relay-auto-ipv6-addr.txt')
-rw-r--r-- | proposals/312-relay-auto-ipv6-addr.txt | 16 |
1 files changed, 13 insertions, 3 deletions
diff --git a/proposals/312-relay-auto-ipv6-addr.txt b/proposals/312-relay-auto-ipv6-addr.txt index 05ff9de..ecea79b 100644 --- a/proposals/312-relay-auto-ipv6-addr.txt +++ b/proposals/312-relay-auto-ipv6-addr.txt @@ -1,6 +1,6 @@ Filename: 312-relay-auto-ipv6-addr.txt Title: Tor Relays Automatically Find Their IPv6 Address -Author: teor +Author: teor, Nick Mathewson Created: 28-January-2020 Status: Draft Ticket: #33073 @@ -131,8 +131,18 @@ Ticket: #33073 * Reliable is better than Unreliable. Within these constraints, we try to find the simplest working design. - Therefore, we propose that tor tries to find relay IPv4 and IPv6 addresses - in this order: + If a relay is given the wrong address by an attacker, the attacker can + direct all inbound relay traffic to their own address. They can't decrypt + the traffic without the relay's private keys, but they can monitor traffic + patterns. + + Therefore, we only use untrusted address discovery methods, if every other + method has failed. Any method that uses DNS is potentially untrusted, + because DNS is often a remote, unauthenticated service. And addresses + provided by other directory servers are also untrusted. + + Based on these principles, we propose that tor tries to find relay IPv4 and + IPv6 addresses in this order: 1. the Address torrc option 2. the advertised ORPort address 3. the advertised DirPort address (IPv4 only; relays, not bridges) |
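Review bot: In the second hunk (@@ -131,8 +131,18 @@), the new attack paragraph says the attacker "can direct all inbound relay traffic to their own address" without saying how a wrong discovered address ends up steering that traffic. Add a sentence that spells out the missing step, so the reader can see why the discovery method's trust level matters. The next paragraph then classifies DNS-based methods and addresses from directory servers as untrusted, but the ordered list that follows does not mark which entries are trusted and which are untrusted. Labelling each list item would let a reader check that every untrusted method really comes after all trusted ones. Two wording points in the same paragraph: drop the comma in "untrusted address discovery methods, if every other method has failed", and merge "And addresses provided by other directory servers are also untrusted." into the preceding sentence rather than opening with "And".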