Trac issues
https://gitlab.torproject.org/legacy/trac/-/issues
2020-06-13T14:50:11Z

https://gitlab.torproject.org/legacy/trac/-/issues/5460
Write proposal(s) to implement improved relay/circuit crypto authentication
2020-06-13T14:50:11Z
Mike Perry

We need to write a proposal to determine the best way to provide authentication to our circuit crypto, so that cells that have been tagged/tampered with/duplicated cause circuit failure at the 2nd hop, not the third.
As I understand it, there are two competing possibilities:
1. Self-authenticating crypto (BEAR/LION/LIONESS, others?)
2. Per-hop MAC
The main disadvantage of 1 is that it's likely slow and not very many people use it. The disadvantage of 2 is that it requires us to disclose path length count and position to nodes, as well as have MACs that either grow with increased path length, or become less secure with increased path length.
There are probably other issues. I believe the current plan is to produce both options in one or more proposals and compare and contrast them.

Tor: 0.2.8.x-final
Nick Mathewson

https://gitlab.torproject.org/legacy/trac/-/issues/16056
getinfo exit-policy/ipv6 does not show masks >= 32
2020-06-13T14:46:14Z
Trac

After enabling IPv6 on an exit node, I was discouraged by the lack of IPv6 policy displayed on Atlas, where there is a section in which IPv6 policy should be displayed, but the list is empty for my node, causing me to fear that my exit node could be used to relay spam on port 25 over IPv6, etc.
So I connected to the ControlPort and issued "getinfo exit-policy/ipv6" to confirm that there are sane defaults being applied to IPv6 policy. Indeed there are, and even private networks like "reject6 [fc00::]/7:*" are automatically configured, great!
However policies that I manually added, for example:
ExitPolicy reject6 [2610:148:1f10::]/48:*
...are not being output correctly by the getinfo command, for example:
reject6 [2610:148:1f10::]:*
...no mask!
Turns out that in function policy_write_item in src/or/policies.c the mask is being hidden if mask bits is >= 32, which makes sense for IPv4, but for IPv6 the test should be 128.
Attached is a trivial patch which I've tested and confirmed it corrects the getinfo policy output.
**Trac**:
**Username**: gturner

Tor: 0.2.8.x-final