onionoo: understanding 'exit_policy_v6_summary'

List overview All Threads
Download

newer

older

generate relay fingerprint without...

[RFC] Directory structure of...

nusenu

27 Jan 2017 27 Jan '17

11:07 p.m.

Hi Karsten,

given this torrc configuration and exit policy: https://lists.torproject.org/pipermail/tor-relays/2017-January/011806.html

would you expect onionoo's 'exit_policy_v6_summary' to be not set? [1]

https://onionoo.torproject.org/protocol.html#details writes:

...

Missing if the relay rejects all connections to IPv6 addresses.

thanks, nusenu

[1] https://atlas.torproject.org/#details/5E762A58B1F7FF92E791A1EA4F18695CAC6677...

{"nickname":"sorrentini","fingerprint":"5E762A58B1F7FF92E791A1EA4F18695CAC6677CE","or_addresses":["128.199.76.145:443","[2400:6180:0:d0::18a7:d001]:443"],"last_seen":"2017-01-27 13:00:00","last_changed_address_or_port":"2017-01-11 09:00:00","first_seen":"2016-11-30 03:00:00","running":true,"flags":["Exit","Fast","Running","Stable","Valid"],"country":"sg","country_name":"Singapore","region_name":"Central Singapore Community Development Council","city_name":"Singapore","latitude":1.2855,"longitude":103.8565,"as_number":"AS133165","as_name":"Digital Ocean, Inc.","consensus_weight":420,"host_name":"128.199.76.145","last_restarted":"2017-01-21 03:29:31","bandwidth_rate":1073741824,"bandwidth_burst":1073741824,"observed_bandwidth":1225379,"advertised_bandwidth":1225379,"exit_policy":["reject 0.0.0.0/8:*","reject 169.254.0.0/16:*","reject 127.0.0.0/8:*","reject 192.168.0.0/16:*","reject 10.0.0.0/8:*","reject 172.16.0.0/12:*","reject 128.199.76.145:*","accept *:53","accept *:80","accept *:110","accept *:143","accept *:220","accept *:443","accept *:873","accept *:989-990","accept *:991","accept *:992","accept *:993","accept *:995","accept *:1194","accept *:1293","accept *:3690","accept *:4321","accept *:5222-5223","accept *:5228","accept *:9418","accept *:11371","accept *:64738","reject *:*"],"exit_policy_summary":{"accept":["53","80","110","143","220","443","873","989-993","995","1194","1293","3690","4321","5222-5223","5228","9418","11371","64738"]},"contact":"0x44BB1BA79F6C6333 <tor-admin AT zumbi dot com dot ar>","platform":"Tor 0.2.9.8 on Linux","effective_family":["$82C92FBAF2196EC346670D12BB9650FE9FF55741","$EFD2EEB91E5C5D8CB999B1EC68D89E51F8776AC7"],"consensus_weight_fraction":8.568019E-6,"guard_probability":0.0,"middle_probability":0.0,"exit_probability":3.799685E-5,"recommended_version":true,"measured":true}

Attachments:

signature.asc (application/pgp-signature — 801 bytes)

Show replies by date

nusenu

28 Jan 28 Jan

9:47 p.m.

New subject: how to enable IPv6 exiting - aka "how to get p6 lines into your microdescriptors" (was: onionoo: understanding 'exit_policy_v6_summary')

tldr; How do you enable IPv6 exiting in torrc?

the following torrc part is apparently _not_ enough:

IPv6Exit 1 ExitRelay 1 ExitPolicy reject *:25 ExitPolicy accept *:* ExitPolicy reject6 *:25, accept6 *:* # AFAIU from the tor man page this line is redundant

https://trac.torproject.org/projects/tor/wiki/doc/IPv6RelayHowto

@moritz: can you tell why exit 'amazonas' is different when it comes to IPv6 exit policies? he is your only exit with p6 lines [4]

...

https://onionoo.torproject.org/protocol.html#details writes:

...
Missing if the relay rejects all connections to IPv6 addresses.

Since none of the microdescriptors of that relay in Jan 2017 contained a "p6" line onionoo works as expected.

(this relay might be a bad example since this relay switched from non-exit to exit not to long ago, but almost all - except one - of torservers' exits have no p6 lines either)

So I'm wondering why is there no p6 line in the microdescriptors even though the relay's exit policy allows IPv6 traffic [3] and IPv6Exit set to 1?

https://gitweb.torproject.org/torspec.git/tree/dir-spec.txt#n1408 writes:

...

 "p6" SP ("accept" / "reject") SP PortList NL

    The IPv6 exit policy summary as specified in sections 3.4.1 and 3.8.2. A
    missing "p6" line is equivalent to "p6 reject 1-65535".

To provide an example exit relay with p6 line: https://atlas.torproject.org/#details/D30226D0F4771E93B562AC650C9093931408D8...

from its descriptor [5] (note the last line: 'ipv6-policy'):

reject 0.0.0.0/8:* [...] accept *:5222-5223 accept *:5900 accept *:6660-6669 accept *:6697 accept *:11371 reject *:* ipv6-policy accept 20-21,23,53,79,81,110,143,443,554,1194,5222-5223,5900,6660-6669,6697,11371

[5] (temporary URL) https://collector.torproject.org/recent/relay-descriptors/server-descriptors...

[3] (temporary URL) https://collector.torproject.org/recent/relay-descriptors/server-descriptors... wrote:

...

accept *:53 accept *:80 accept *:110 accept *:143 accept *:220 accept *:443 accept *:873 accept *:989-990 accept *:991 accept *:992 accept *:993 accept *:995 accept *:1194 accept *:1293 accept *:3690 accept *:4321 accept *:5222-5223 accept *:5228 accept *:9418 accept *:11371 accept *:64738 reject *:*

[4]

...

...
+------------+----------------+------------------------+ | first_seen | nickname | exit_policy_v6_summary | +------------+----------------+------------------------+ | 2014-02-13 | amazonas | {u'reject': [u'25']} | | 2014-02-13 | politkovskaja2 | NULL | | 2014-02-13 | politkovskaja | NULL | | 2014-05-01 | rehm | NULL | | 2016-09-02 | hessel0 | NULL | | 2016-09-02 | hessel2 | NULL | | 2016-09-02 | hessel1 | NULL | | 2016-11-15 | andregorz0 | NULL | | 2016-11-15 | edwardsnowden2 | NULL | | 2016-11-15 | edwardsnowden1 | NULL | | 2016-12-23 | russellteapot | NULL | | 2016-12-23 | dorrisdeebrown | NULL | | 2016-12-30 | criticalmass | NULL | | 2016-12-30 | zwiebelfreund | NULL | | 2017-01-09 | zwiebelfreund2 | NULL | | 2017-01-22 | zwiebelfreund3 | NULL | +------------+----------------+------------------------+

nusenu

1 Feb 1 Feb

9:51 a.m.

New subject: how to enable IPv6 exiting - aka "how to get p6 lines into your microdescriptors"

nusenu:

...

tldr; How do you enable IPv6 exiting in torrc?

the following torrc part is apparently _not_ enough:

IPv6Exit 1 ExitRelay 1 ExitPolicy reject *:25 ExitPolicy accept *:* ExitPolicy reject6 *:25, accept6 *:* # AFAIU from the tor man page this line is redundant

ftr:

The bug is about to get fixed: https://trac.torproject.org/projects/tor/ticket/21357#comment:8

teor

10:43 p.m.

New subject: how to enable IPv6 exiting - aka "how to get p6 lines into your microdescriptors"

...

On 1 Feb 2017, at 20:51, nusenu nusenu@openmailbox.org wrote:

nusenu:

...
tldr; How do you enable IPv6 exiting in torrc?

the following torrc part is apparently _not_ enough:

IPv6Exit 1 ExitRelay 1 ExitPolicy reject *:25 ExitPolicy accept *:* ExitPolicy reject6 *:25, accept6 *:* # AFAIU from the tor man page this line is redundant

ftr:

The bug is about to get fixed: https://trac.torproject.org/projects/tor/ticket/21357#comment:8

We think we have fixed this bug in master.

You can help us get it backported to 0.3.0 and 0.2.9 by testing tor master (or tor nightlies if your packager build them) on your IPv6 Exit.

Please let us know if it works!

Also, please look for any "bug" warnings in your logs.

-- Tim Wilson-Brown (teor)

teor2345 at gmail dot com PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B ricochet:ekmygaiu4rzgsk6n xmpp: teor at torproject dot org ------------------------------------------------------------------------

Karsten Loesing

29 Jan 29 Jan

1:51 p.m.

On 28/01/17 00:07, nusenu wrote:

...

Hi Karsten,

Hi nusenu,

...

given this torrc configuration and exit policy: https://lists.torproject.org/pipermail/tor-relays/2017-January/011806.html

would you expect onionoo's 'exit_policy_v6_summary' to be not set? [1]

https://onionoo.torproject.org/protocol.html#details writes:

...
Missing if the relay rejects all connections to IPv6 addresses.

It looks like that relay doesn't include an "ipv6-policy" line in its server descriptor, and that's what Onionoo puts in its "exit_policy_v6_summary" field. If that line is not present, it omits that field.

I'm including a server descriptor published by that relay and another server descriptor published by another relay that includes an "ipv6-policy" line.

Not much we can do in Onionoo here, I'm afraid.

All the best, Karsten

@type server-descriptor 1.0 router sorrentini 128.199.76.145 443 0 0 identity-ed25519 -----BEGIN ED25519 CERT----- AQQABk6tATJwpoULEu5H8HCHYVLNZXDiISzqjcVnkaqWOM3vLEoDAQAgBADpkqcx UBgQJwILiFx0QzbguYeKDdNmm9W69fwOQi1tz594JOaj5yNu8LNMiWVzr1YoTDRh d/tpHeqb+tJkQlSIPdpdeS54voU/RuFPuMzpNvQEZY3ZWQLfNNGCa5vNrAE= -----END ED25519 CERT----- master-key-ed25519 6ZKnMVAYECcCC4hcdEM24LmHig3TZpvVuvX8DkItbc8 or-address [2400:6180:0:d0::18a7:d001]:443 platform Tor 0.2.9.8 on Linux proto Cons=1-2 Desc=1-2 DirCache=1 HSDir=1 HSIntro=3 HSRend=1-2 Link=1-4 LinkAuth=1 Microdesc=1-2 Relay=1-2 published 2017-01-29 11:24:39 fingerprint 5E76 2A58 B1F7 FF92 E791 A1EA 4F18 695C AC66 77CE uptime 719708 bandwidth 1073741824 1073741824 1794389 extra-info-digest 33D4178248F3C6CB2F65F5C88EC3F13A9779A21F NQuYjUhIVzt2ottgQ4PUro8KX0zoEk2UnUO1gM3kDLY onion-key -----BEGIN RSA PUBLIC KEY----- MIGJAoGBAKcAM5bLS516y9QYp4XQYYCQohS6EwFdx/2K4PYgMuBfIOO/OnKaGy97 wSmU1XMVUNdfry8nvbmCHhgtnSXBE4h3VemDyHZSrk6qYg8tV4OdytU06uw1Ht01 RMrSOnHD8HHD2ZOuqI9whzBvAeYPKEYN1DuogMc0Oi7XoI4EyOQxAgMBAAE= -----END RSA PUBLIC KEY----- signing-key -----BEGIN RSA PUBLIC KEY----- MIGJAoGBAMcFm6QomBKSr2yaMNa0oEZ6UEOk8s2XFzfYemqZjn1Hyw6IHHUxHJDp b47fGNy0ftJWi5uWLNhAiJCBonlzFMCvyExXAnXR7Yp8xtjgL7mQzpXPA52T8uGN vasorifvrzqvz7q+8ch7cBWMxzl6HgSHZSQsvX71R1LjZo7ghALZAgMBAAE= -----END RSA PUBLIC KEY----- onion-key-crosscert -----BEGIN CROSSCERT----- E2kutDFW+cLFijxU/Lqvq16IP4QnUoJFmRxIF2XDozkS5cfA+E9C85jwNv9VR/4f 0xt2NsKVaez4jDwrOIY7mJ/1diztLYVUCxMKKXiSp1R6TTsfaOIR7c1Eoqz/25QR rFJZQGOmyfU00LTcKz9mclsTDpeS9Eh3DC/R8jCteeM= -----END CROSSCERT----- ntor-onion-key-crosscert 1 -----BEGIN ED25519 CERT----- AQoABky8AemSpzFQGBAnAguIXHRDNuC5h4oN02ab1br1/A5CLW3PAEZCTkgOK9Y4 9C2pJTTxQUtLMcH4qyM5+P9VAM/uHzNyrSsUAm7BtqrfWE55wMiaNE//zHttJzoC HOS0rSt+PwA= -----END ED25519 CERT----- family $82C92FBAF2196EC346670D12BB9650FE9FF55741 $EFD2EEB91E5C5D8CB999B1EC68D89E51F8776AC7 hidden-service-dir contact 0x44BB1BA79F6C6333 <tor-admin AT zumbi dot com dot ar> ntor-onion-key NxlQ1ZK2FDW361t8v9EPuru5wSuGPM63gGz5p4X5aBs= reject 0.0.0.0/8:* reject 169.254.0.0/16:* reject 127.0.0.0/8:* reject 192.168.0.0/16:* reject 10.0.0.0/8:* reject 172.16.0.0/12:* reject 128.199.76.145:* accept *:53 accept *:80 accept *:110 accept *:143 accept *:220 accept *:443 accept *:873 accept *:989-990 accept *:991 accept *:992 accept *:993 accept *:995 accept *:1194 accept *:1293 accept *:3690 accept *:4321 accept *:5222-5223 accept *:5228 accept *:9418 accept *:11371 accept *:64738 reject *:* router-sig-ed25519 smKoIRGEyT0uUQDtuQSJ0r95+3aId6WX8ippWbdmIXTRtSTOSx+tNszEVcNQGEO3BoZk5WlSycfWoscdwN//Bg router-signature -----BEGIN SIGNATURE----- KC5UaCUD+CxhmsIDivIzzNOlHIHB1CRODtg+txUeDE9sPZGffv7+x0g+93tSsSLq GM5JApWwdljFMioE5W688lTqWC9vfoRkBL1zJJUhuSENFOhB+VqdpLw6k/L9Jv6h XK8sFmN/m2lkXMaqPykOLSOrCi+zZzOYDYQ3hV3DPJ8= -----END SIGNATURE-----

@type server-descriptor 1.0 router adressaparken 62.92.70.116 9001 0 0 platform Tor 0.2.4.27 on Linux protocols Link 1 2 Circuit 1 published 2017-01-29 11:10:16 fingerprint 6393 1108 6F33 D534 D8FF 1A5B 516D B88A D17B EAA7 uptime 2463016 bandwidth 1073741824 1073741824 0 extra-info-digest DEC779FA2E344CFEA3DE9EC6685BB35733C1EBB9 onion-key -----BEGIN RSA PUBLIC KEY----- MIGJAoGBAL5ww4bCutH6mun4Arx6P9Z7a8diu5zxC736c4mlyCS7auoCNLOzIcPZ /a1dGRi15nCfwFDsgjzVe+8IGS6AMHQK1XJTq9DL1fspV56vBG6vZe+JBMjr/WKB F4gyR0/HN1VNe8wi4jlu/YMwZijDDxP7Lj+EmOnkm1eCBQ/sAL6HAgMBAAE= -----END RSA PUBLIC KEY----- signing-key -----BEGIN RSA PUBLIC KEY----- MIGJAoGBALsDS0ae9LmDkkeEvMDBt/AeJqhpex03dadnRgzyagfFTyh1Z79RFk9t Q6Rc6H46So3eaoibHN0cuugQ5qJwi5lck6K4uCjIEQlbeTYOVZrl6dEnRtY+Y5WK tFUpfCkBJYT35qCuyiyDn46IYW/lqSm2K6D8XGcnsIHEZ6KNbxFBAgMBAAE= -----END RSA PUBLIC KEY----- hibernating 1 hidden-service-dir ntor-onion-key BshmNFxEThf5tAsdhPuoSTjtlnT8GylNqv5olVxw5Ro= reject 0.0.0.0/8:* reject 169.254.0.0/16:* reject 127.0.0.0/8:* reject 192.168.0.0/16:* reject 10.0.0.0/8:* reject 172.16.0.0/12:* reject 62.92.70.116:* accept *:22 accept *:43 accept *:53 accept *:554 accept *:563 accept *:636 accept *:873 accept *:1194 accept *:4321 accept *:3690 accept *:5222-5223 accept *:5900 accept *:6660-6669 accept *:6679 accept *:6697 accept *:9418 reject *:* ipv6-policy accept 22,43,53,554,563,636,873,1194,3690,4321,5222-5223,5900,6660-6669,6679,6697,9418 router-signature -----BEGIN SIGNATURE----- Zmb5Zws6Abjao9zINGAht/OvNuyS/y+fiFeon6k+UyamwSvPgn6vF6nGyKSBemga Y4hQ1LbVUwO697PyDNeQCpc7NVdCo0z06sVXqgOcK1909+VTitVVDfzoU527DKOI ZXb2NiLjFXn3tUz238q/55RwruN9Sj5YFs/4jS54jC4= -----END SIGNATURE-----

...

thanks, nusenu

[1] https://atlas.torproject.org/#details/5E762A58B1F7FF92E791A1EA4F18695CAC6677...

{"nickname":"sorrentini","fingerprint":"5E762A58B1F7FF92E791A1EA4F18695CAC6677CE","or_addresses":["128.199.76.145:443","[2400:6180:0:d0::18a7:d001]:443"],"last_seen":"2017-01-27 13:00:00","last_changed_address_or_port":"2017-01-11 09:00:00","first_seen":"2016-11-30 03:00:00","running":true,"flags":["Exit","Fast","Running","Stable","Valid"],"country":"sg","country_name":"Singapore","region_name":"Central Singapore Community Development Council","city_name":"Singapore","latitude":1.2855,"longitude":103.8565,"as_number":"AS133165","as_name":"Digital Ocean, Inc.","consensus_weight":420,"host_name":"128.199.76.145","last_restarted":"2017-01-21 03:29:31","bandwidth_rate":1073741824,"bandwidth_burst":1073741824,"observed_bandwidth":1225379,"advertised_bandwidth":1225379,"exit_policy":["reject 0.0.0.0/8:*","reject 169.254.0.0/16:*","reject 127.0.0.0/8:*","reject 192.168.0.0/16:*","reject 10.0.0.0/8:*","reject 172.16.0.0/12:*","reject 128.199.76.145:*","accept *:53","accept *:80","accept *:110","accept *:143","accept *:220","accept *:443","accept *:873","accept *:989-990","accept *:991","accept *:992","accept *:993","accept *:995","accept *:1194","accept *:1293","accept *:3690","accept *:4321","accept *:5222-5223","accept *:5228","accept *:9418","accept *:11371","accept *:64738","reject *:*"],"exit_policy_summary":{"accept":["53","80","110","143","220","443","873","989-993","995","1194","1293","3690","4321","5222-5223","5228","9418","11371","64738"]},"contact":"0x44BB1BA79F6C6333 <tor-admin AT zumbi dot com dot ar>","platform":"Tor 0.2.9.8 on Linux","effective_family":["$82C92FBAF2196EC346670D12BB9650FE9FF55741","$EFD2EEB91E5C5D8CB999B1EC68D89E51F8776AC7"],"consensus_weight_fraction":8.568019E-6,"guard_probability":0.0,"middle_probability":0.0,"exit_probability":3.799685E-5,"recommended_version":true,"measured":true}

nusenu

1:57 p.m.

Karsten Loesing:

...

Not much we can do in Onionoo here, I'm afraid.

I agree that is what I meant with:

...

Since none of the microdescriptors of that relay in Jan 2017 contained a "p6" line onionoo works as expected.

sorry to bother you.

2836

Age (days ago)

2841

Last active (days ago)

tor-dev@lists.torproject.org

5 comments

3 participants

tags (0)

participants (3)

Karsten Loesing
nusenu
teor