[tahoe-lafs-trac-stream] [tahoe-lafs] #1010: use only 127.0.0.1 as local address
tahoe-lafs
trac at tahoe-lafs.org
Fri Aug 23 21:21:54 UTC 2013
-------------------------+-------------------------------------------------
Reporter: duck           | Owner: warner
Type: enhancement        | Status: new
Priority: minor          | Milestone: 1.11.0
Component: code-network  | Version: 1.6.1
Resolution:              | Keywords: privacy anonymity docs anti-censorship
                         |   forward-compatibility i2p-collab
Launchpad Bug:           |
-------------------------+-------------------------------------------------
Comment (by zooko):

I just reviewed attachment:1010-use-only-127.patch (during Weekly Dev
Chat).

Thank you for updating this patch to apply to the current trunk! The patch
makes sense and is usefully addressing this issue. However, we talked it
over at our recent Weekly Dev Chat
([//pipermail/tahoe-dev/2013-August/008674.html notes]), and have a few
requirements for safety of the configuration:

1. Let's add a {{{[node]anonymize}}} flag to the {{{tahoe.cfg}}} file. The
meaning of this flag is: stop the process and print an error message if
any of the configuration options would compromise my identity. There are
also probably going to be other meanings of this flag added in other
patches (i.e., this flag will probably come to mean also: do not allow any
outgoing connections that are not over an anonymous routing layer such as
Tor or I2P).

2. Instead of "{{{tub.location=}}}" (the empty string) meaning to not
advertise any location, let {{{tub.location=UNREACHABLE}}} mean that.
(This is in order to avoid confusion in the mind of the user about the
distinction between {{{tub.location}}} being absent versus it being
present with an empty value. See also below, about backward
compatibility.)

3. If {{{tub.location=UNREACHABLE}}}, then pass the special hardcoded
value {{{unreachable.example.org:0}}} to foolscap instead of the empty
string to foolscap. (This is because foolscap currently can't handle the
empty string for its connection hints — see
http://foolscap.lothar.com/trac/ticket/208 .)

4. Instead of expressing that the node's IP address should be
auto-detected by the absence of {{{tub.location}}}, express it by
{{{tub.location}}} being set to {{{AUTODETECT}}}.

Note that there is a third option besides {{{AUTODETECT}}} and
{{{UNREACHABLE}}}, and that is to set {{{tub.location}}} to a specific set
of IP address+port, DNS name+port, I2P addresses, or Tor (.onion)
addresses. I don't know if Tor or I2P users would ''always'' do the
latter, or if they would sometimes set it to {{{UNREACHABLE}}}.

Therefore, if {{{[node]anonymize}}} is set to {{{True}}}, then:

 * If there is no {{{tub.location}}} setting (including if
 {{{tub.location}}} is commented-out), the node will abort on startup.
 (This is important because people who created their node with an older
 release of Tahoe-LAFS will have a {{{tahoe.cfg}}} with {{{tub.location}}}
 commented out. See below about backward-compatibility.)
 * If {{{tub.location}}} is set to {{{AUTODETECT}}}, the node will abort on
 startup with an error message.
 * If {{{tub.location}}} is set to a specific connection-hints value which
 includes an IP address or domain name, then the node will abort on startup
 with an error message.
 * If {{{tub.location}}} is set to {{{UNREACHABLE}}}, the node will start
 up normally.
 * If {{{tub.location}}} is set to a specific connection-hints value which
 contains only I2P and/or Tor (.onion) addresses, the node will start up
 normally.

5. Newly generated {{{tahoe.cfg}}}'s (generated by the {{{create-client}}}
or {{{create-node}}} command) should come with {{{tub.location =
AUTODETECT}}} instead of a commented out "{{{#tub.location = put your IP
address here}}}" (see
[source:trunk/src/allmydata/scripts/create_node.py?annotate=blame&rev=3ee950f09ed8b7f6cc72a98c26eefe9e02c11d85#L91 create_node.py].)

Okay, now what about backward-compatibility?

6. For backwards compatibility, we still accept the absence of
{{{tub.location}}} as meaning to AUTODETECT. But only if the
{{{[node]anonymize}}} flag isn't on! Because the {{{[node]anonymize}}}
flag makes a setting for {{{tub.location}}} be required.

7. Maybe in a future release we'll start emitting a warning about the
absence of a {{{tub.location}}} setting, but for now, no warning.

--
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1010#comment:37>
tahoe-lafs <https://tahoe-lafs.org>
secure decentralized storage
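
The startup rules listed in the comment above, as a fail-closed check. This is an added example, not code from the patch or from Tahoe-LAFS. The function name, the `PrivacyError` class, reading `tub.location` from the `[node]` section, and recognising Tor/I2P hints by a `.onion`/`.i2p` hostname suffix are assumptions made for illustration.

```python
import configparser

# Assumption: Tor/I2P hints are recognised by hostname suffix.
ANON_SUFFIXES = (".onion", ".i2p")
UNREACHABLE_HINT = "unreachable.example.org:0"  # placeholder value named in the ticket


class PrivacyError(Exception):
    """Configuration would reveal the node's network identity."""


def _host(hint):
    # "host:port" -> "host"
    return hint.strip().rsplit(":", 1)[0].lower()


def resolve_tub_location(cfg_text):
    """Return the location to use ("AUTODETECT" or connection hints), or raise PrivacyError."""
    cfg = configparser.ConfigParser()
    cfg.read_string(cfg_text)
    anonymize = cfg.getboolean("node", "anonymize", fallback=False)
    location = cfg.get("node", "tub.location", fallback=None)

    if location is None:  # absent or commented out
        if anonymize:
            raise PrivacyError("anonymize requires an explicit tub.location")
        return "AUTODETECT"  # backward compatibility (item 6)
    location = location.strip()
    if location == "UNREACHABLE":
        return UNREACHABLE_HINT  # foolscap cannot take an empty hint (item 3)
    if location == "AUTODETECT":
        if anonymize:
            raise PrivacyError("AUTODETECT would advertise local IP addresses")
        return location
    if anonymize:
        # Every hint must be Tor or I2P. An empty value, which the ticket
        # does not cover, has no such hint and is rejected here as well.
        leaky = [h for h in location.split(",") if not _host(h).endswith(ANON_SUFFIXES)]
        if leaky:
            raise PrivacyError("non-anonymous connection hints: %s" % ", ".join(leaky))
    return location


if __name__ == "__main__":
    # Constructed sample config, not taken from a real node.
    sample = "[node]\nanonymize = True\ntub.location = 203.0.113.7:3457\n"
    try:
        print(resolve_tub_location(sample))
    except PrivacyError as e:
        raise SystemExit("refusing to start: %s" % e)
```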