On 12 Jan 2016, at 21:01, Fabio Pietrosanti (naif) - lists lists@infosecurity.ch wrote:
On 1/12/16 4:43 AM, David Fifield wrote:
I wanted to know how many exits exit from an address that is different from their OR address. The answer is about 10.7%, 109/1018 exits. The interesting part is that of those 109 mismatches, 87 have an exit address that differs from the OR address in all four octets; i.e., the IP addresses used by the exit are not even in the same /8.
It would be nice to prevent different IP traffic for Exit, unless OutBoundBindAddress is defined and/or OutBoundExitAddress (ie:https://trac.torproject.org/projects/tor/ticket/17975) is implemented and defined.
The current tor implementation simply calls connect() if OutBoundBindAddress is not set for the destination address family. This means that the connection will be made from a source address based on the routing table entry for the destination address. Tor really doesn't have much control over this, it's an OS-level decision.
We could set the default value of OutboundBindAddress(es) to the ORPort address(es), but this would override the OS's routing tables. I'm not sure this is a great idea on multi-homed hosts, as routing tables are typically set up for good reasons, and it would surprise operators to have them overridden. There would also be no way to switch this default off, and simply use the OS routing tables.
In other environments, the routing may be done at the VPS or ISP level, at which point tor can't even detect it without asking a (potentially unreliable) remote host.
Of course, if the operator specifically configures an outbound address, or an outbound address for Exit traffic (#17975), that's a different matter - tor should obey explicit configuration directives.
From a "transparency" point of view, i think that any routing aspects shall stay into the consensus database, so that it could be checked for possible sign of manipulations.
If someone want to do asymmetric routing, then that information must be in the consensus (IMHO).
I'm not sure that adding "exit" IP addresses to the consensus is that helpful, given that: * multi-homed hosts may have different exit IPs for different destinations or address families, and * tor may not be able to detect which address(es) it is exiting from, or it may be an expensive or unreliable process.
But please feel free to submit a proposal to include exit IP addresses in the consensus - it would help if it included strategies to address these concerns.
Tim
Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP 968F094B
teor at blah dot im OTR CAD08081 9755866D 89E2A06F E3558B7F B5A9D14F