...
Filename: xxx-anycast-exit.txt
Title: Anycast Exit
Author: Jeffrey Burdges
Created: 28 September 2015
Status: ?
Implemented-In: ?
…
Server Side
We propose an AnycastExit Tor configuration option
AnycastExit <protocol> <host>:<port>
Here protocol must be a string consisting of letters, numbers, and
underscores.
There are two changes Tor's behavior resulting from this option :
First, Tor adds the line "ACE <protocol> <host>:<port>" to the node's
full descriptor.
Second, Tor allows connections to ip:port as if the torrc contains :
ExitPolicy allow<host>:<port>
As ExitPolicyRejectPrivate defaults to 1, these policies should be
allowed even if the ip lies in a range usually restricted.
In particular localhost and 127.0.0.1 are potentially allowed.
Tor exit policies don’t contain hostnames like “localhost", did you mean 127.0.0.0/8 and ::1?
I am concerned about the security considerations of opening up local addresses, as local processes often trust connections from the local machine. Perhaps we could clarify it to say that only the specific port on 127.0.0.0/8 and ::1 is allowed?
I also suggest that we specify the following rules based on the current (0.2.7.3) implementation of policies_parse_exit_policy_internal:
* Block all IPv6 if IPv6Exit is 0
* If AnycastExit is set, allow 127.0.0.0/8:port and, if IPv6Exit is 1, [::1]:port
* If ExitPolicyRejectPrivate is 1:
* reject private addresses (0.0.0.0/8, 169.254.0.0/16, 127.0.0.0/8, 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12, [::]/8, [fc00::]/7, [fe80::]/10, [fec0::]/10, [ff00::]/8, [::]/127)
* reject relay’s configured IPv4 and IPv6 address
* reject relay’s interfaces’ IPv4 and IPv6 addresses
* Then add the default exit policy
Regards
Tim