Apply conversion script to all *.md files. authored by Alexander Hansen Færøy
= IPv6 Feature Matrix =
# IPv6 Feature Matrix
[[TOC]]
This is a list of core tor network features, and their support for IPv6.
== Overview ==
## Overview
Because clients connect through Guard relays, we want to prioritise IPv6 features in this order:
* More dual-stack Guard and Middle Relays
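Review bot: `[[TOC]]` is carried over unchanged beside the converted `# IPv6 Feature Matrix` heading. It is a wiki macro rather than markdown syntax, so the script should either translate it to whatever table-of-contents marker the target renderer expands or drop it; otherwise it is likely to show up as literal text or a broken link at the top of the page.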
......@@ -16,7 +16,7 @@ Here are our long-term goals:
* IPv6-only Guards and Middles
* IPv6-only Authorities (Feature Parity)
=== IPv6 Extends ===
### IPv6 Extends
We want to deploy IPv6 extends in this order to make it harder to identify clients with IPv6 support:
* ~~IPv6 single onion services (in any order, because they only use IPv6 in create cells)~~
......@@ -31,7 +31,7 @@ In the same release, to avoid version distinguishers:
Better support for exiting to IPv6 sites #26664 and children
=== Relay IPv6 ===
### Relay IPv6
We need to get more IPv6 guards, before we make IPv6 work automatically on clients.
......@@ -46,7 +46,7 @@ Here's the longer-term plan:
* IPv6-only Bridges
* IPv6-only Exits
=== Client IPv6 ===
### Client IPv6
We need to get more IPv6 guards, before we make IPv6 work automatically on clients.
......@@ -57,7 +57,7 @@ We need to get more IPv6 guards, before we make IPv6 work automatically on clien
* Tor Browser and other apps have IPv4 and IPv6 bridges
* (Tor Browser has some IPv6 bridges already, but we don't know how well they work)
== Statuses ==
## Statuses
* Auto: this works automatically in the default configuration.
* Manual: this requires manual config on the client or relay.
......@@ -67,7 +67,7 @@ We need to get more IPv6 guards, before we make IPv6 work automatically on clien
Each manual, workaround, or broken feature should also have a ticket.
== Entry Nodes ==
## Entry Nodes
What does an entry node need to do to use each IP version for its ORPort?
(There are no IPv6 DirPorts.)
......@@ -79,14 +79,15 @@ Authorities, Relays and Bridges set:
If they do not set `Address`, Relays and Bridges will automatically detect their IPv4 address.
But IPv6 addresses require manual configuration.
||= Entry Node =||= IPv4 Only =||||= Dual-Stack =||= IPv6 Only =||
||= =||= Publicly Routable =||= IPv4 Publicly Routable =||= IPv6 Publicly Routable =||= Publicly Routable =||
|| Authority || Manual || Manual || Manual || Needs Research #4565 ||
|| Relay || Auto || Auto || Manual #5940 || Needs Research #4565 ||
|| Bridge || Auto || Auto || Manual #5940, Private/NAT IPv4 #4847 || Broken #23824 ||
|= Entry Node =|= IPv4 Only =||= Dual-Stack =|= IPv6 Only =|
|--------------|--------------||---------------|--------------|
|= =|= Publicly Routable =|= IPv4 Publicly Routable =|= IPv6 Publicly Routable =|= Publicly Routable =|
| Authority | Manual | Manual | Manual | Needs Research #4565 |
| Relay | Auto | Auto | Manual #5940 | Needs Research #4565 |
| Bridge | Auto | Auto | Manual #5940, Private/NAT IPv4 #4847 | Broken #23824 |
== Client Connection to Entry Nodes ==
## Client Connection to Entry Nodes
What does a client need to do to bootstrap off or connect to an entry node?
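Review bot: the converted Entry Nodes header row keeps an empty cell before the Dual-Stack heading (`|= IPv4 Only =||= Dual-Stack =|`), so the two-column span from the old `||||= Dual-Stack =||` is lost: "Dual-Stack" now sits over the IPv6 Publicly Routable column only and nothing sits over IPv4 Publicly Routable. The delimiter row `|--------------|--------------||---------------|--------------|` has the same empty cell with no dashes, which markdown table parsers commonly reject, so the block may not render as a table at all. Pipe tables have no column span, so suggest emitting five explicit header cells (for example separate "Dual-Stack IPv4" and "Dual-Stack IPv6" headings) with dashes in every delimiter cell. Readers use this table to find which address configurations are Manual or Broken, so a shifted column is worth fixing before merge.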
......@@ -96,26 +97,28 @@ Clients can set these options:
* `ClientPreferIPv6ORPort 1`: Use IPv6 whenever they can
* `ClientUseIPv4 0`: Only use IPv6
||= Entry Node =||= IPv4 Only =||||= Dual-Stack =||= IPv6 Only =||
||= =||= =||= IPv4 =||= IPv6 =||= =||
|| Authority Dir || Auto || Auto || Manual #17835 || Manual #17835 ||
|| Fallback Dir || Auto || Auto || Manual #17835 || Manual #17835 ||
|| Guard Dir || Auto || Auto || Manual #17835 || Manual #17835 ||
|| Guard microdesc || Auto || Auto || Workaround #19610, #20916 || Workaround #19610, #20916 ||
|| Guard OR || Auto || Auto || Manual #17835, #17217 || Manual #17835, #17217 ||
|= Entry Node =|= IPv4 Only =||= Dual-Stack =|= IPv6 Only =|
|---------------|--------------||---------------|-------------|
|= =|= =|= IPv4 =|= IPv6 =|= =|
| Authority Dir | Auto | Auto | Manual #17835 | Manual #17835 |
| Fallback Dir | Auto | Auto | Manual #17835 | Manual #17835 |
| Guard Dir | Auto | Auto | Manual #17835 | Manual #17835 |
| Guard microdesc | Auto | Auto | Workaround #19610, #20916 | Workaround #19610, #20916 |
| Guard OR | Auto | Auto | Manual #17835, #17217 | Manual #17835, #17217 |
Bridge clients set `UseBridges 1`, and configure bridge lines using `Bridge ...`.
They will use the configured addresses of their bridges, including IPv6 addresses.
They can also set `ClientPreferIPv6ORPort 1` to prefer IPv6 bridge addresses.
||= Entry Node =||= IPv4 Only =||||= Dual-Stack =||= IPv6 Only =||
||= =||= =||= IPv4 =||= IPv6 =||= =||
|| Bridge Auth Dir || Auto || Auto || Unknown || Unknown ||
|| Bridge Dir || Auto || Auto || Auto || Auto ||
|| Bridge OR || Auto || Auto || Auto || Auto ||
|| Bridge PT || Auto || Auto || Workaround #7961 || Workaround #7961 ||
|= Entry Node =|= IPv4 Only =||= Dual-Stack =|= IPv6 Only =|
|--------------|--------------||---------------|-------------|
|= =|= =|= IPv4 =|= IPv6 =|= =|
| Bridge Auth Dir | Auto | Auto | Unknown | Unknown |
| Bridge Dir | Auto | Auto | Auto | Auto |
| Bridge OR | Auto | Auto | Auto | Auto |
| Bridge PT | Auto | Auto | Workaround #7961 | Workaround #7961 |
== Reachability Checks ==
## Reachability Checks
Authorities do reachability checks automatically on relay IPv4 ORPorts, and do IPv6 ORPort reachability checks when AuthDirHasIPv6Connectivity is set.
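Review bot: in both tables of this hunk the sub-header row `|= =|= =|= IPv4 =|= IPv6 =|= =|` is emitted below the delimiter row, so it becomes the first body row rather than part of the header, and the old `=` header markers survive as literal cell text in it and in the row above. Suggest having the script strip the `=` markers and fold the two header rows into one (the IPv4/IPv6 labels merged into the Dual-Stack headings), since a pipe table allows only a single header row. The delimiter rows here also contain the empty `||` cell and need dashes in that position.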
......@@ -130,7 +133,7 @@ Relays do reachability checks automatically on their IPv4 ORPort and DirPort, bu
The Bridge Authority may do reachability checks automatically on bridge IPv4 ORPorts and IPv6 ORPorts (#24264).
== Exit Connections ==
## Exit Connections
IPv4 and IPv6 mostly work, exits handle literal addresses and DNS.
......@@ -138,7 +141,7 @@ IPv6-only DNS resolves should send a hint to the client, so it tries an IPv6 Exi
IPv6 editing can be unreliable, see the children of #26664
== Onion Service Protocol ==
## Onion Service Protocol
v2 only supports IPv4, which only matters for single onion services, as long as all relays have IPv4.
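Review bot: the context line under the new `## Exit Connections` heading reads "IPv6 editing can be unreliable, see the children of #26664", while the same ticket is described earlier on the page as "Better support for exiting to IPv6 sites #26664 and children". "editing" looks like a typo for "exiting". It predates the conversion and is out of scope for the script, but it is worth a follow-up commit while the page is being touched.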
......@@ -146,7 +149,7 @@ v3 only supports IPv4 in 0.3.2. In 0.4.2 we added IPv6 addresses to the v3 onion
When we put IPv6 addresses in EXTEND cells for onion services (#24181), we should also put them in normal client extend cells (#24451), so we don't split the anonymity set of v3 onion service circuits and other client circuits. (Hiding v2 onion service circuits is a lost cause, they are the only circuits that use TAP for the final client intro and service rend hops.)
== Reporting ==
## Reporting
Consensus health has a ReachableIPv6 pseudo-flag for authority to relay IPv6 ORPort reachability checks (#24287):
* https://consensus-health.torproject.org/
......@@ -158,11 +161,11 @@ Metrics reports relay IPv6 ORPorts and IPv6 Exit policies (#23761, #24218):
Reporting IPv6 traffic on ORPorts and Exits needs Core Tor to report these statistics (ticket?).
== Tor Browser ==
## Tor Browser
Tor Browser shows IPv4 addresses for dual-stack relays, even if the client connects over IPv6 (#14939). We might need to modify the Tor control protocol to fix this issue.
== Draft Long-Term Transition Plan ==
## Draft Long-Term Transition Plan
Here is one possible way to transition between IPv4 and IPv6.
We need more research to know if this is a good plan.
......@@ -201,7 +204,7 @@ Remove IPv4-only relays:
1. Wait until the proportion of IPv4-only guards, middles, or exits is small enough
2. Remove IPv4-only relays from that role (we can turn guards and exits into middles)
== Related Tickets ==
## Related Tickets
This is a list of all open IPv6 tickets: