Bridges.torproject does not give ipv6 bridges

I get empty line when asking for obfs4 ipv6 bridge and error message: It seems there was an error getting your QRCode. Confirmed by a user, who also reported this issue

assigned to @meskio

assigned to @meskio

added Next Sponsor 150 labels

removed Sponsor 150 label

The first debugging question is: is bridgedb/rdsys behaving correctly here, but it simply doesn't have any running ipv6 bridges in the https pool to give out (for example because bridgestrap says they are down or because they never got placed into the pool)? Or are there ipv6 bridges in the https pool but for some reason bridgedb/rdsys does not find them to offer them?

(Behavior is still happening today. I don't know if it has consistently happened in the two months since the ticket got filed.)

I need to review rdsys code, I kind of recall it ignoring dual stack bridges but we should do better here.

But your questions are good ones, I should check how many IPv6 bridges are around.

Tails seems to require IPv6 bridges to support IPv6: https://gitlab.tails.boum.org/tails/tails/-/issues/20490

This issue might be relevant to them.

This also can be fixed as part of project 158 before doing the new deployment. Is this something you can test in the staging that you setup or not?

I'll need to improve the staging to produce IPv6 descriptors, is not a lot of work and I think this does fit well with P158 and is a nice improvement to have. So yes, let's do that.

added Tails label

added Bug Project 158 labels

marked this issue as related to team#139 (closed)

added Doing label and removed Next label

There are:

• 8 bridges that publishes IPv6 transport addresses in their cache extra info
  • 2 of those publish IPv4 transport address as well
• 833 bridges publish an IPv6 or-address

We have too few bridges that do publish an IPv6 transport to actually distribute them. I guess those bridge do configure manually their Address in torrc and tor is not publishing the transport line for IPv6 unless manually stated.

Would be nice if tor would publish transport lines by default also for IPv6 addresses and not only for IPv4, maybe something to add to the arti relay roadmap. @ahf is there an issue where we can add a comment? Or should we create an issue about it?

I will test if those 833 IPv6 or-addresses are reachable on their PT port. rdsys could distribute those if enough of them work.

I produced 684 obfs4 bridge lines, I assume the other 150 were not obfs4 or had non public IPs but I haven't check. I tested them with bridgestrap. Out of those 538 are functional on their PT port published with their IPv4 transport line and 146 were dysfunctional. That gives us a ~79% of functional bridges with is not that far from the 87% of functional bridges that we have overall.

I think we should distribute the IPv6 address of those bridges. As a start I think we should only hand them in the https distributor when the user asks for ipv6 bridges but in the future we might consider including the IPv6 address of the bridges we are already handing in moat or other distributors.

This actually has an issue #73 (closed)

Wow and I created that issue myself, I see I have a very short memory span. Thank you for the find, I guess I'll close the old issue and continue here as there is already more work here.

And here are your previous ideas on handling that: team#40 (closed)

Good stuff!

One thing to note: if we give out an ipv6 address for an obfs4 bridge with an ipv4 address, then a censor who gets the ipv6 address can use it to discover the ipv4 address.

So in a sense this is like the situation where a volunteer runs more than one bridge type on their ip address, and if we give out both bridge types, then whichever is weaker can be enough to get the bridge blocked.

I wonder if there are ideas on how to distribute them so we 'pin' the ipv4 and ipv6 together in some way.

Hm - I think we could even fix this in C Tor if there is a need for it now?

Updating bridges takes time so we might anyway write the code in rdsys to try using the IPv6 address from the network-status file. AFAIK this is what C Tor will do, to add a transport line with that IP address, isn't it?

I think for the future will be nice to add that transport line in arti, but unless is trivial to do in C Tor I don't think is worth it to do the work now for it.

moved from bridgedb#40071 (moved)

mentioned in issue #216 (closed)

marked this issue as related to #216 (closed)

mentioned in issue team#139 (closed)

marked this issue as related to #73 (closed)

mentioned in issue #73 (closed)