On Sat, 17 Sep 2016 07:46:05 +1000, teor wrote:
> On 17 Sep 2016, at 05:20, grarpamp grarpamp@gmail.com wrote:
>> On Fri, Sep 16, 2016 at 5:13 AM, Alex Elsayed eternaleye@gmail.com wrote:
>>> Hi, I'm using Tor in transparent mode, and I'm running into a rather inconvenient behavior.
>>>
>>> VirtualAddrNetworkIPv6 refuses to parse unless the network address given is a /40 or broader. However, IPv6 ULA, which makes it very easy to give Tor its own subnet no-strings-attached, strictly grants a /48 prefix.
>>>
>>> As a result, I am faced with a choice between deeply suboptimal options:
>>>
>>> 1.) Use VirtualAddrNetworkIPv4, as I've done in the past. This results in _fewer_ addresses being available to Tor than an IPv6 /48, which I feel illustrates the issues with requiring a /40 quite clearly.
>>>
>>> 2.) Squat on some portion of the IPv6 address space I don't actually own. This is entirely unpalatable.
>>
>> This impacts onioncat as well. I'm curious as to any /40 rationale, though I suspect a historical brainfart typo.
>
> In fact, a min/max typo, which contributed to the IPv6 /40 mistake:
> https://trac.torproject.org/projects/tor/ticket/20151
> (Feel free to log tickets at https://trac.torproject.org/projects/tor when these sorts of issues come up.)

Ah, interesting; thanks for filing that! I'll be commenting on it with some nits on terminology (old code was max _prefix length_, the message and your change are min _subnet size_ - IMO, the old code was right-ish in its variable names, and the message simply reframed it to a less technical perspective).

> In the interim, Alex, have you tried using [FC00::]/7? From the tor manual entry on VirtualAddrNetworkIPv6:
>
>     When providing proxy server service to a network of computers using a tool like dns-proxy-tor, change the IPv4 network to "10.192.0.0/10" or "172.16.0.0/12" and change the IPv6 network to "[FC00]/7".
>
> (Yes, there is a typo in the last IPv6 address as well. https://trac.torproject.org/projects/tor/ticket/20153 )

That's actually a separate complaint - using [FC00]/7 _would_ be my option 2, and constitute squatting on sections of the address space I don't own. In particular:

- [FC00]/8 is _reserved by the IANA_, and beyond that, CJDNS is already squatting on it. :/
- [FD00]/8 is _in active, standards-blessed use_ - to be specific, it's what IPv6 ULA uses!

Using [FC00]/7 would actually cause me _practical_ problems as well, because I'm doing this on my OpenWRT router... which uses an IPv6 ULA for the LAN, with Network Prefix Translation to the WAN IPv6 network so that the local net doesn't renumber if upstream changes.

If I used [FC00]/7, Tor's manufactured addresses could overlap with my actual LAN!
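The two problems raised in this thread (a VirtualAddrNetworkIPv6 prefix rejected because it is narrower than /40, and a fc00::/7 network whose manufactured addresses could collide with a ULA LAN) can both be checked before a torrc is deployed. The following is an added example written for this page, not code from the thread or from Tor itself. It assumes a constant MAX_PREFIX_LEN_V6 = 40 that models the "/40 or broader" rule Alex describes, and uses a constructed LAN prefix fd12:3456:789a::/48 that stands in for a real site's ULA.

```python
"""Added example (not from the thread or from Tor): pre-flight checks for a
candidate VirtualAddrNetwork value, modelling the two complaints above.

Assumptions: MAX_PREFIX_LEN_V6 = 40 stands for the "/40 or broader" rule the
thread describes; fc00::/7 is the RFC 4193 unique local address block, of
which fd00::/8 is the locally-assigned half that sites actually use.
"""
from ipaddress import ip_network, IPv6Network

MAX_PREFIX_LEN_V6 = 40               # assumed: the "/40 or broader" rule from the thread
ULA_BLOCK = ip_network("fc00::/7")   # RFC 4193 unique local addresses


def parse_virtual_addr_network(value):
    """Parse a torrc-style network such as '[FC00::]/7' or '10.192.0.0/10'.

    Tor writes IPv6 networks in square brackets; strip them before handing the
    text to the ipaddress module.  strict=False tolerates host bits set in the
    written address, so '[FD12:3456:789A::1]/48' still denotes the /48.
    """
    addr, sep, prefix = value.strip().partition("/")
    if not sep or not prefix:
        raise ValueError("missing prefix length in %r" % value)
    return ip_network("%s/%s" % (addr.strip("[]"), prefix), strict=False)


def check_virtual_addr_network(value, lan_prefix=None):
    """Return findings about a candidate network.

    prefix_ok:          True when an IPv6 network is at least as broad as the
                        assumed /40 rule requires (IPv4 is always accepted here,
                        since the thread mentions no such rule for it)
    overlaps_ula_block: True when the network shares addresses with fc00::/7,
                        i.e. space some site may legitimately be using
    overlaps_lan:       True when Tor's manufactured addresses could collide
                        with the given LAN prefix (the practical problem raised)
    num_addresses:      size of the pool Tor could hand out (option 1 vs ULA /48)
    """
    net = parse_virtual_addr_network(value)
    findings = {
        "network": str(net),
        "num_addresses": net.num_addresses,
        "prefix_ok": True,
        "overlaps_ula_block": False,
        "overlaps_lan": False,
    }
    if isinstance(net, IPv6Network):
        findings["prefix_ok"] = net.prefixlen <= MAX_PREFIX_LEN_V6
        findings["overlaps_ula_block"] = net.overlaps(ULA_BLOCK)
    if lan_prefix is not None:
        lan = ip_network(lan_prefix, strict=False)
        # overlaps() only makes sense within one address family
        findings["overlaps_lan"] = lan.version == net.version and net.overlaps(lan)
    return findings


if __name__ == "__main__":
    LAN = "fd12:3456:789a::/48"   # constructed LAN ULA, not a real site
    for candidate in ("[FC00::]/7", "[FD12:3456:789A::]/48", "10.192.0.0/10"):
        print(candidate, check_virtual_addr_network(candidate, LAN))
```

Run against the three candidates from the thread, the output shows fc00::/7 passing the prefix rule but overlapping both the ULA block and the LAN, the site's own /48 being rejected by the /40 rule despite being the safe choice, and the IPv4 /10 offering 2^22 addresses against the 2^80 of an IPv6 /48.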