|
|
= IPv6 Feature Matrix =
|
|
|
# IPv6 Feature Matrix
|
|
|
|
|
|
|
|
|
[[TOC]]
|
|
|
|
|
|
This is a list of core tor network features, and their support for IPv6.
|
|
|
|
|
|
== Overview ==
|
|
|
## Overview
|
|
|
|
|
|
Because clients connect through Guard relays, we want to prioritise IPv6 features in this order:
|
|
|
* More dual-stack Guard and Middle Relays
|
... | ... | @@ -16,7 +16,7 @@ Here are our long-term goals: |
|
|
* IPv6-only Guards and Middles
|
|
|
* IPv6-only Authorities (Feature Parity)
|
|
|
|
|
|
=== IPv6 Extends ===
|
|
|
### IPv6 Extends
|
|
|
|
|
|
We want to deploy IPv6 extends in this order to make it harder to identify clients with IPv6 support:
|
|
|
* ~~IPv6 single onion services (in any order, because they only use IPv6 in create cells)~~
|
... | ... | @@ -31,7 +31,7 @@ In the same release, to avoid version distinguishers: |
|
|
|
|
|
Better support for exiting to IPv6 sites #26664 and children
|
|
|
|
|
|
=== Relay IPv6 ===
|
|
|
### Relay IPv6
|
|
|
|
|
|
We need to get more IPv6 guards, before we make IPv6 work automatically on clients.
|
|
|
|
... | ... | @@ -46,7 +46,7 @@ Here's the longer-term plan: |
|
|
* IPv6-only Bridges
|
|
|
* IPv6-only Exits
|
|
|
|
|
|
=== Client IPv6 ===
|
|
|
### Client IPv6
|
|
|
|
|
|
We need to get more IPv6 guards, before we make IPv6 work automatically on clients.
|
|
|
|
... | ... | @@ -57,7 +57,7 @@ We need to get more IPv6 guards, before we make IPv6 work automatically on clien |
|
|
* Tor Browser and other apps have IPv4 and IPv6 bridges
|
|
|
* (Tor Browser has some IPv6 bridges already, but we don't know how well they work)
|
|
|
|
|
|
== Statuses ==
|
|
|
## Statuses
|
|
|
|
|
|
* Auto: this works automatically in the default configuration.
|
|
|
* Manual: this requires manual config on the client or relay.
|
... | ... | @@ -67,7 +67,7 @@ We need to get more IPv6 guards, before we make IPv6 work automatically on clien |
|
|
|
|
|
Each manual, workaround, or broken feature should also have a ticket.
|
|
|
|
|
|
== Entry Nodes ==
|
|
|
## Entry Nodes
|
|
|
|
|
|
What does an entry node need to do to use each IP version for its ORPort?
|
|
|
(There are no IPv6 DirPorts.)
|
... | ... | @@ -79,14 +79,15 @@ Authorities, Relays and Bridges set: |
|
|
If they do not set `Address`, Relays and Bridges will automatically detect their IPv4 address.
|
|
|
But IPv6 addresses require manual configuration.
|
|
|
|
|
|
||= Entry Node =||= IPv4 Only =||||= Dual-Stack =||= IPv6 Only =||
|
|
|
||= =||= Publicly Routable =||= IPv4 Publicly Routable =||= IPv6 Publicly Routable =||= Publicly Routable =||
|
|
|
|| Authority || Manual || Manual || Manual || Needs Research #4565 ||
|
|
|
|| Relay || Auto || Auto || Manual #5940 || Needs Research #4565 ||
|
|
|
|| Bridge || Auto || Auto || Manual #5940, Private/NAT IPv4 #4847 || Broken #23824 ||
|
|
|
|= Entry Node =|= IPv4 Only =||= Dual-Stack =|= IPv6 Only =|
|
|
|
|--------------|--------------||---------------|--------------|
|
|
|
|= =|= Publicly Routable =|= IPv4 Publicly Routable =|= IPv6 Publicly Routable =|= Publicly Routable =|
|
|
|
| Authority | Manual | Manual | Manual | Needs Research #4565 |
|
|
|
| Relay | Auto | Auto | Manual #5940 | Needs Research #4565 |
|
|
|
| Bridge | Auto | Auto | Manual #5940, Private/NAT IPv4 #4847 | Broken #23824 |
|
|
|
|
|
|
|
|
|
== Client Connection to Entry Nodes ==
|
|
|
## Client Connection to Entry Nodes
|
|
|
|
|
|
What does a client need to do to bootstrap off or connect to an entry node?
|
|
|
|
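Review bot: The converted Entry Nodes table header still carries Trac syntax that Markdown does not understand. In `|= Entry Node =|= IPv4 Only =||= Dual-Stack =|= IPv6 Only =|` the `=` header markers will render literally. The `||` left over from the Trac column span also puts an empty cell into the delimiter row `|--------------|--------------||---------------|--------------|`. GitHub-flavoured Markdown requires at least one hyphen in every delimiter cell, so the block may not be parsed as a table at all. The sub-header row (`|= =|= Publicly Routable =|...`) now sits below the delimiter row, so it becomes an ordinary body row. Suggest a single five-column header with the qualifier folded into the cell text, for example `| Entry Node | IPv4 Only | Dual-Stack (IPv4) | Dual-Stack (IPv6) | IPv6 Only |`, followed by a five-cell delimiter row, and a sentence above the table saying the addresses are publicly routable.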
... | ... | @@ -96,26 +97,28 @@ Clients can set these options: |
|
|
* `ClientPreferIPv6ORPort 1`: Use IPv6 whenever they can
|
|
|
* `ClientUseIPv4 0`: Only use IPv6
|
|
|
|
|
|
||= Entry Node =||= IPv4 Only =||||= Dual-Stack =||= IPv6 Only =||
|
|
|
||= =||= =||= IPv4 =||= IPv6 =||= =||
|
|
|
|| Authority Dir || Auto || Auto || Manual #17835 || Manual #17835 ||
|
|
|
|| Fallback Dir || Auto || Auto || Manual #17835 || Manual #17835 ||
|
|
|
|| Guard Dir || Auto || Auto || Manual #17835 || Manual #17835 ||
|
|
|
|| Guard microdesc || Auto || Auto || Workaround #19610, #20916 || Workaround #19610, #20916 ||
|
|
|
|| Guard OR || Auto || Auto || Manual #17835, #17217 || Manual #17835, #17217 ||
|
|
|
|= Entry Node =|= IPv4 Only =||= Dual-Stack =|= IPv6 Only =|
|
|
|
|---------------|--------------||---------------|-------------|
|
|
|
|= =|= =|= IPv4 =|= IPv6 =|= =|
|
|
|
| Authority Dir | Auto | Auto | Manual #17835 | Manual #17835 |
|
|
|
| Fallback Dir | Auto | Auto | Manual #17835 | Manual #17835 |
|
|
|
| Guard Dir | Auto | Auto | Manual #17835 | Manual #17835 |
|
|
|
| Guard microdesc | Auto | Auto | Workaround #19610, #20916 | Workaround #19610, #20916 |
|
|
|
| Guard OR | Auto | Auto | Manual #17835, #17217 | Manual #17835, #17217 |
|
|
|
|
|
|
Bridge clients set `UseBridges 1`, and configure bridge lines using `Bridge ...`.
|
|
|
They will use the configured addresses of their bridges, including IPv6 addresses.
|
|
|
They can also set `ClientPreferIPv6ORPort 1` to prefer IPv6 bridge addresses.
|
|
|
|
|
|
||= Entry Node =||= IPv4 Only =||||= Dual-Stack =||= IPv6 Only =||
|
|
|
||= =||= =||= IPv4 =||= IPv6 =||= =||
|
|
|
|| Bridge Auth Dir || Auto || Auto || Unknown || Unknown ||
|
|
|
|| Bridge Dir || Auto || Auto || Auto || Auto ||
|
|
|
|| Bridge OR || Auto || Auto || Auto || Auto ||
|
|
|
|| Bridge PT || Auto || Auto || Workaround #7961 || Workaround #7961 ||
|
|
|
|= Entry Node =|= IPv4 Only =||= Dual-Stack =|= IPv6 Only =|
|
|
|
|--------------|--------------||---------------|-------------|
|
|
|
|= =|= =|= IPv4 =|= IPv6 =|= =|
|
|
|
| Bridge Auth Dir | Auto | Auto | Unknown | Unknown |
|
|
|
| Bridge Dir | Auto | Auto | Auto | Auto |
|
|
|
| Bridge OR | Auto | Auto | Auto | Auto |
|
|
|
| Bridge PT | Auto | Auto | Workaround #7961 | Workaround #7961 |
|
|
|
|
|
|
== Reachability Checks ==
|
|
|
## Reachability Checks
|
|
|
|
|
|
Authorities do reachability checks automatically on relay IPv4 ORPorts, and do IPv6 ORPort reachability checks when AuthDirHasIPv6Connectivity is set.
|
|
|
|
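Review bot: Both tables converted in this hunk (the Authority Dir / Fallback Dir / Guard rows and the Bridge rows) have a delimiter row containing `||`, for example `|---------------|--------------||---------------|-------------|`, which leaves one delimiter cell empty and is likely to stop the block from rendering as a table. The header cells keep the Trac `=` markers, and the second header row `|= =|= =|= IPv4 =|= IPv6 =|= =|` lands below the delimiter, where it renders as a data row of mostly `= =` cells. Suggest merging the two header rows into one five-column Markdown header (Entry Node, IPv4 Only, Dual-Stack IPv4, Dual-Stack IPv6, IPv6 Only) with a matching five-cell delimiter row in each table.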
... | ... | @@ -130,7 +133,7 @@ Relays do reachability checks automatically on their IPv4 ORPort and DirPort, bu |
|
|
|
|
|
The Bridge Authority may do reachability checks automatically on bridge IPv4 ORPorts and IPv6 ORPorts (#24264).
|
|
|
|
|
|
== Exit Connections ==
|
|
|
## Exit Connections
|
|
|
|
|
|
IPv4 and IPv6 mostly work, exits handle literal addresses and DNS.
|
|
|
|
... | ... | @@ -138,7 +141,7 @@ IPv6-only DNS resolves should send a hint to the client, so it tries an IPv6 Exi |
|
|
|
|
|
IPv6 editing can be unreliable, see the children of #26664
|
|
|
|
|
|
== Onion Service Protocol ==
|
|
|
## Onion Service Protocol
|
|
|
|
|
|
v2 only supports IPv4, which only matters for single onion services, as long as all relays have IPv4.
|
|
|
|
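Review bot: The context line at the end of the Exit Connections section, "IPv6 editing can be unreliable, see the children of #26664", looks like a typo for "IPv6 exiting". The Overview part of the same page describes that ticket as "Better support for exiting to IPv6 sites #26664 and children". The line sits directly above the heading this hunk rewrites, so it would be cheap to fix in the same change.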
... | ... | @@ -146,7 +149,7 @@ v3 only supports IPv4 in 0.3.2. In 0.4.2 we added IPv6 addresses to the v3 onion |
|
|
|
|
|
When we put IPv6 addresses in EXTEND cells for onion services (#24181), we should also put them in normal client extend cells (#24451), so we don't split the anonymity set of v3 onion service circuits and other client circuits. (Hiding v2 onion service circuits is a lost cause, they are the only circuits that use TAP for the final client intro and service rend hops.)
|
|
|
|
|
|
== Reporting ==
|
|
|
## Reporting
|
|
|
|
|
|
Consensus health has a ReachableIPv6 pseudo-flag for authority to relay IPv6 ORPort reachability checks (#24287):
|
|
|
* https://consensus-health.torproject.org/
|
... | ... | @@ -158,11 +161,11 @@ Metrics reports relay IPv6 ORPorts and IPv6 Exit policies (#23761, #24218): |
|
|
|
|
|
Reporting IPv6 traffic on ORPorts and Exits needs Core Tor to report these statistics (ticket?).
|
|
|
|
|
|
== Tor Browser ==
|
|
|
## Tor Browser
|
|
|
|
|
|
Tor Browser shows IPv4 addresses for dual-stack relays, even if the client connects over IPv6 (#14939). We might need to modify the Tor control protocol to fix this issue.
|
|
|
|
|
|
== Draft Long-Term Transition Plan ==
|
|
|
## Draft Long-Term Transition Plan
|
|
|
|
|
|
Here is one possible way to transition between IPv4 and IPv6.
|
|
|
We need more research to know if this is a good plan.
|
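Review bot: The context line just above the Tor Browser heading still ends with an unresolved "(ticket?)" placeholder: "Reporting IPv6 traffic on ORPorts and Exits needs Core Tor to report these statistics (ticket?)". The Statuses section of this page says "Each manual, workaround, or broken feature should also have a ticket", so either link the ticket number or drop the placeholder while the section is being touched.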
... | ... | @@ -201,7 +204,7 @@ Remove IPv4-only relays: |
|
|
1. Wait until the proportion of IPv4-only guards, middles, or exits is small enough
|
|
|
2. Remove IPv4-only relays from that role (we can turn guards and exits into middles)
|
|
|
|
|
|
== Related Tickets ==
|
|
|
## Related Tickets
|
|
|
|
|
|
This is a list of all open IPv6 tickets:
|
|
|
|