117-ipv6-exits.txt 15 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393
  1. Filename: 117-ipv6-exits.txt
  2. Title: IPv6 exits
  3. Version: $Revision$
  4. Last-Modified: $Date$
  5. Author: coderman
  6. Created: 10-Jul-2007
  7. Status: Open
  8. Overview
  9. Extend Tor for TCP exit via IPv6 transport and DNS resolution of IPv6
  10. addresses. This proposal does not imply any IPv6 support for OR
  11. traffic, only exit and name resolution.
  12. Contents
  13. 0. Motivation
  14. As the IPv4 address space becomes more scarce there is increasing
  15. effort to provide Internet services via the IPv6 protocol. Many
  16. hosts are available at IPv6 endpoints which are currently
  17. inaccessible for Tor users.
  18. Extending Tor to support IPv6 exit streams and IPv6 DNS name
  19. resolution will allow users of the Tor network to access these hosts.
  20. This capability would be present for those who do not currently have
  21. IPv6 access, thus increasing the utility of Tor and furthering
  22. adoption of IPv6.
  23. 1. Design
  24. 1.1. General design overview
  25. There are three main components to this proposal. The first is a
  26. method for routers to advertise their ability to exit IPv6 traffic.
  27. The second is the manner in which routers resolve names to IPv6
  28. addresses. Last but not least is the method in which clients
  29. communicate with Tor to resolve and connect to IPv6 endpoints
  30. anonymously.
  31. 1.2. Router IPv6 exit support
  32. In order to specify exit policies and IPv6 capability new directives
  33. in the Tor configuration will be needed. If a router advertises IPv6
  34. exit policies in its descriptor this will signal the ability to
  35. provide IPv6 exit. There are a number of additional default deny
  36. rules associated with this new address space which are detailed in
  37. the addendum.
  38. When Tor is started on a host it should check for the presence of a
  39. global unicast IPv6 address and if present include the default IPv6
  40. exit policies and any user specified IPv6 exit policies.
  41. If a user provides IPv6 exit policies but no global unicast IPv6
  42. address is available Tor should generate a warning and not publish the
  43. IPv6 policies in the router descriptor.
  44. It should be noted that IPv4 mapped IPv6 addresses are not valid exit
  45. destinations. This mechanism is mainly used to interoperate with
  46. both IPv4 and IPv6 clients on the same socket. Any attempts to use
  47. an IPv4 mapped IPv6 address, perhaps to circumvent exit policy for
  48. IPv4, must be refused.
  49. 1.3. DNS name resolution of IPv6 addresses (AAAA records)
  50. In addition to exit support for IPv6 TCP connections, a method to
  51. resolve domain names to their respective IPv6 addresses is also
  52. needed. This is accomplished in the existing DNS system via AAAA
  53. records. Routers will perform both A and AAAA requests when
  54. resolving a name so that the client can utilize an IPv6 endpoint when
  55. available or preferred.
  56. To avoid potential problems with caching DNS servers that behave
  57. poorly all NXDOMAIN responses to AAAA requests should be ignored if a
  58. successful response is received for an A request. This implies that
  59. both AAAA and A requests will always be performed for each name
  60. resolution.
  61. For reverse lookups on IPv6 addresses, like that used for
  62. RESOLVE_PTR, Tor will perform the necessary PTR requests via
  63. IP6.ARPA.
  64. All routers which perform DNS resolution on behalf of clients
  65. (RELAY_RESOLVE) should perform and respond with both A and AAAA
  66. resources.
  67. 1.4. Client interaction with IPv6 exit capability
  68. 1.4.1. Usability goals
  69. There are a number of behaviors which Tor can provide when
  70. interacting with clients that will improve the usability of IPv6 exit
  71. capability. These behaviors are designed to make it simple for
  72. clients to express a preference for IPv6 transport and utilize IPv6
  73. host services.
  74. 1.4.2. SOCKSv5 IPv6 client behavior
  75. The SOCKS version 5 protocol supports IPv6 connections. When using
  76. SOCKSv5 with hostnames it is difficult to determine if a client
  77. wishes to use an IPv4 or IPv6 address to connect to the desired host
  78. if it resolves to both address types.
  79. In order to make this more intuitive the SOCKSv5 protocol can be
  80. supported on a local IPv6 endpoint, [::1] port 9050 for example.
  81. When a client requests a connection to the desired host via an IPv6
  82. SOCKS connection Tor will prefer IPv6 addresses when resolving the
  83. host name and connecting to the host.
  84. Likewise, RESOLVE and RESOLVE_PTR requests from an IPv6 SOCKS
  85. connection will return IPv6 addresses when available, and fall back
  86. to IPv4 addresses if not.
  87. 1.4.3. MAPADDRESS behavior
  88. The MAPADDRESS capability supports clients that may not be able to
  89. use the SOCKSv4a or SOCKSv5 hostname support to resolve names via
  90. Tor. This ability should be extended to IPv6 addresses in SOCKSv5 as
  91. well.
  92. When a client requests an address mapping from the wildcard IPv6
  93. address, [::0], the server will respond with a unique local IPv6
  94. address on success. It is important to note that there may be two
  95. mappings for the same name if both an IPv4 and IPv6 address are
  96. associated with the host. In this case a CONNECT to a mapped IPv6
  97. address should prefer IPv6 for the connection to the host, if
  98. available, while CONNECT to a mapped IPv4 address will prefer IPv4.
  99. It should be noted that IPv6 does not provide the concept of a host
  100. local subnet, like 127.0.0.0/8 in IPv4. For this reason integration
  101. of Tor with IPv6 clients should consider a firewall or filter rule to
  102. drop unique local addresses to or from the network when possible.
  103. These packets should not be routed, however, keeping them off the
  104. subnet entirely is worthwhile.
  105. 1.4.3.1. Generating unique local IPv6 addresses
  106. The usual manner of generating a unique local IPv6 address is to
  107. select a Global ID part randomly, along with a Subnet ID, and sharing
  108. this prefix among the communicating parties who each have their own
  109. distinct Interface ID. In this style a given Tor instance might
  110. select a random Global and Subnet ID and provide MAPADDRESS
  111. assignments with a random Interface ID as needed. This has the
  112. potential to associate unique Global/Subnet identifiers with a given
  113. Tor instance and may expose attacks against the anonymity of Tor
  114. users.
  115. Tor avoid this potential problem entirely MAPADDRESS must always
  116. generate the Global, Subnet, and Interface IDs randomly for each
  117. request. It is also highly suggested that explicitly specifying an
  118. IPv6 source address instead of the wildcard address not be supported
  119. to ensure that a good random address is used.
  120. 1.4.4. DNSProxy IPv6 client behavior
  121. A new capability in recent Tor versions is the transparent DNS proxy.
  122. This feature will need to return both A and AAAA resource records
  123. when responding to client name resolution requests.
  124. The transparent DNS proxy should also support reverse lookups for
  125. IPv6 addresses. It is suggested that any such requests to the
  126. deprecated IP6.INT domain should be translated to IP6.ARPA instead.
  127. This translation is not likely to be used and is of low priority.
  128. It would be nice to support DNS over IPv6 transport as well, however,
  129. this is not likely to be used and is of low priority.
  130. 1.4.5. TransPort IPv6 client behavior
  131. Tor also provides transparent TCP proxy support via the Trans*
  132. directives in the configuration. The TransListenAddress directive
  133. should accept an IPv6 address in addition to IPv4 so that IPv6 TCP
  134. connections can be transparently proxied.
  135. 1.5. Additional changes
  136. The RedirectExit option should be deprecated rather than extending
  137. this feature to IPv6.
  138. 2. Spec changes
  139. 2.1. Tor specification
  140. In '6.2. Opening streams and transferring data' the following should
  141. be changed to indicate IPv6 exit capability:
  142. "No version of Tor currently generates the IPv6 format."
  143. In '6.4. Remote hostname lookup' the following should be updated to
  144. reflect use of ip6.arpa in addition to in-addr.arpa.
  145. "For a reverse lookup, the OP sends a RELAY_RESOLVE cell containing an
  146. in-addr.arpa address."
  147. In 'A.1. Differences between spec and implementation' the following
  148. should be updated to indicate IPv6 exit capability:
  149. "The current codebase has no IPv6 support at all."
  150. 2.2. Directory specification
  151. In '2.1. Router descriptor format' a new set of directives is needed
  152. for IPv6 exit policy. The existing accept/reject directives should
  153. be clarified to indicate IPv4 or wildcard address relevance. The new
  154. IPv6 directives will be in the form of:
  155. "accept6" exitpattern NL
  156. "reject6" exitpattern NL
  157. The section describing accept6/reject6 should explain that the
  158. presence of accept6 or reject6 exit policies in a router descriptor
  159. signals the ability of that router to exit IPv6 traffic (according to
  160. IPv6 exit policies).
  161. The "[::]/0" notation is used to represent "all IPv6 addresses".
  162. "[::0]/0" may also be used for this representation.
  163. If a user specifies a 'reject6 [::]/0:*' policy in the Tor
  164. configuration this will be interpreted as forcing no IPv6 exit
  165. support and no accept6/reject6 policies will be included in the
  166. published descriptor. This will prevent IPv6 exit if the router host
  167. has a global unicast IPv6 address present.
  168. It is important to note that a wildcard address in an accept or
  169. reject policy applies to both IPv4 and IPv6 addresses.
  170. 2.3. Control specification
  171. In '3.8. MAPADDRESS' the potential to have to addresses for a given
  172. name should be explained. The method for generating unique local
  173. addresses for IPv6 mappings needs explanation as described above.
  174. When IPv6 addresses are used in this document they should include the
  175. brackets for consistency. For example, the null IPv6 address should
  176. be written as "[::0]" and not "::0". The control commands will
  177. expect the same syntax as well.
  178. In '3.9. GETINFO' the "address" command should return both public
  179. IPv4 and IPv6 addresses if present. These addresses should be
  180. separated via \r\n.
  181. 2.4. Tor SOCKS extensions
  182. In '2. Name lookup' a description of IPv6 address resolution is
  183. needed for SOCKSv5 as described above. IPv6 addresses should be
  184. supported in both the RESOLVE and RESOLVE_PTR extensions.
  185. A new section describing the ability to accept SOCKSv5 clients on a
  186. local IPv6 address to indicate a preference for IPv6 transport as
  187. described above is also needed. The behavior of Tor SOCKSv5 proxy
  188. with an IPv6 preference should be explained, for example, preferring
  189. IPv6 transport to a named host with both IPv4 and IPv6 addresses
  190. available (A and AAAA records).
  191. 3. Questions and concerns
  192. 3.1. DNS A6 records
  193. A6 is explicitly avoided in this document. There are potential
  194. reasons for implementing this, however, the inherent complexity of
  195. the protocol and resolvers make this unappealing. Is there a
  196. compelling reason to consider A6 as part of IPv6 exit support?
  197. 3.2. IPv4 and IPv6 preference
  198. The design above tries to infer a preference for IPv4 or IPv6
  199. transport based on client interactions with Tor. It might be useful
  200. to provide more explicit control over this preference. For example,
  201. an IPv4 SOCKSv5 client may want to use IPv6 transport to named hosts
  202. in CONNECT requests while the current implementation would assume an
  203. IPv4 preference. Should more explicit control be available, through
  204. either configuration directives or control commands?
  205. Many applications support a inet6-only or prefer-family type option
  206. that provides the user manual control over address preference. This
  207. could be provided as a Tor configuration option.
  208. An explicit preference is still possible by resolving names and then
  209. CONNECTing to an IPv4 or IPv6 address as desired, however, not all
  210. client applications may have this option available.
  211. 3.3. Support for IPv6 only transparent proxy clients
  212. It may be useful to support IPv6 only transparent proxy clients using
  213. IPv4 mapped IPv6 like addresses. This would require transparent DNS
  214. proxy using IPv6 transport and the ability to map A record responses
  215. into IPv4 mapped IPv6 like addresses in the manner described in the
  216. "NAT-PT" RFC for a traditional Basic-NAT-PT with DNS-ALG. The
  217. transparent TCP proxy would thus need to detect these mapped addresses
  218. and connect to the desired IPv4 host.
  219. The IPv6 prefix used for this purpose must not be the actual IPv4
  220. mapped IPv6 address prefix, though the manner in which IPv4 addresses
  221. are embedded in IPv6 addresses would be the same.
  222. The lack of any IPv6 only hosts which would use this transparent proxy
  223. method makes this a lot of work for very little gain. Is there a
  224. compelling reason to support this NAT-PT like capability?
  225. 3.4. IPv6 DNS and older Tor routers
  226. It is expected that many routers will continue to run with older
  227. versions of Tor when the IPv6 exit capability is released. Clients
  228. who wish to use IPv6 will need to route RELAY_RESOLVE requests to the
  229. newer routers which will respond with both A and AAAA resource
  230. records when possible.
  231. One way to do this is to route RELAY_RESOLVE requests to routers with
  232. IPv6 exit policies published, however, this would not utilize current
  233. routers that can resolve IPv6 addresses even if they can't exit such
  234. traffic.
  235. There was also concern expressed about the ability of existing clients
  236. to cope with new RELAY_RESOLVE responses that contain IPv6 addresses.
  237. If this breaks backward compatibility, a new request type may be
  238. necessary, like RELAY_RESOLVE6, or some other mechanism of indicating
  239. the ability to parse IPv6 responses when making the request.
  240. 3.5. IPv4 and IPv6 bindings in MAPADDRESS
  241. It may be troublesome to try and support two distinct address mappings
  242. for the same name in the existing MAPADDRESS implementation. If this
  243. cannot be accommodated then the behavior should replace existing
  244. mappings with the new address regardless of family. A warning when
  245. this occurs would be useful to assist clients who encounter problems
  246. when both an IPv4 and IPv6 application are using MAPADDRESS for the
  247. same names concurrently, causing lost connections for one of them.
  248. 4. Addendum
  249. 4.1. Sample IPv6 default exit policy
  250. reject 0.0.0.0/8
  251. reject 169.254.0.0/16
  252. reject 127.0.0.0/8
  253. reject 192.168.0.0/16
  254. reject 10.0.0.0/8
  255. reject 172.16.0.0/12
  256. reject6 [0000::]/8
  257. reject6 [0100::]/8
  258. reject6 [0200::]/7
  259. reject6 [0400::]/6
  260. reject6 [0800::]/5
  261. reject6 [1000::]/4
  262. reject6 [4000::]/3
  263. reject6 [6000::]/3
  264. reject6 [8000::]/3
  265. reject6 [A000::]/3
  266. reject6 [C000::]/3
  267. reject6 [E000::]/4
  268. reject6 [F000::]/5
  269. reject6 [F800::]/6
  270. reject6 [FC00::]/7
  271. reject6 [FE00::]/9
  272. reject6 [FE80::]/10
  273. reject6 [FEC0::]/10
  274. reject6 [FF00::]/8
  275. reject *:25
  276. reject *:119
  277. reject *:135-139
  278. reject *:445
  279. reject *:1214
  280. reject *:4661-4666
  281. reject *:6346-6429
  282. reject *:6699
  283. reject *:6881-6999
  284. accept *:*
  285. # accept6 [2000::]/3:* is implied
  286. 4.2. Additional resources
  287. 'DNS Extensions to Support IP Version 6'
  288. http://www.ietf.org/rfc/rfc3596.txt
  289. 'DNS Extensions to Support IPv6 Address Aggregation and Renumbering'
  290. http://www.ietf.org/rfc/rfc2874.txt
  291. 'SOCKS Protocol Version 5'
  292. http://www.ietf.org/rfc/rfc1928.txt
  293. 'Unique Local IPv6 Unicast Addresses'
  294. http://www.ietf.org/rfc/rfc4193.txt
  295. 'INTERNET PROTOCOL VERSION 6 ADDRESS SPACE'
  296. http://www.iana.org/assignments/ipv6-address-space
  297. 'Network Address Translation - Protocol Translation (NAT-PT)'
  298. http://www.ietf.org/rfc/rfc2766.txt