On 08/28/2016 11:09 PM, Bernhard R. Fischer wrote:
> On 2016-08-28 23:35, grarpamp wrote:
>> On 8/28/16, Mirimir <miri...@riseup.net> wrote:
>>> On 08/28/2016 02:00 AM, grarpamp wrote:
>>
>>> OK. As I understand it, all that matters is using a /48 that won't be
>>> provisioned by ISPs. In case it hits the public Internet. Right?
>>
>> If your users are the masses, yes. In a private install / userbase
>> you could pick anything that doesn't collide in your stacks,
>> and then anything that hasn't been allocated via RFC / registry,
>> which is almost the entire /128. Use filters; don't rely on whatever ISPs
>> do or IANA docs say.
>>
>>> And I could configure onion services to route among multiple /48
>>> networks, yes?
>>
>> Well, you would bind apps to the IPv6 /128 on the tun interface;
>> OnionCat takes care of routing that /48 among Tor's onions
>> after the host's routing table sends its packets to the tun.
>> Basically yes.
>
>
> Exactly. To be more precise, OnionCat does not "route packets" in terms
> of the IP protocol. In respect to IP, OC is like an Ethernet switch,
> i.e. it works on layer 2.
> Thus, routing has to be set up on the host computer (your Linux box, or
> whatever) as usual. Think of OnionCat (and its tun device) as being just
> another Ethernet port on your computer.
Yes, I get that.

> This basically implies all kinds of security risks (firewalling, ...) you
> could have on a network port with an IP address assigned to it.
>
> You may also have a look at
> https://www.cypherpunk.at/onioncat_trac/wiki/Security

As I wrote in another subthread, I restrict traffic by local and remote
OnionCat IPv6 addresses, both in ip6tables and for ip4ip6 tunnels. And
I'll also be using HiddenServiceAuthorizeClient.

>>> OK, so I get that -t is the SocksPort used for outbound connections. And
>>> for inbound connections, I get that -l is the listening address and
>>> port, and that -s is the virtual hidden service port.
>>>
>>> So for now, each instance would have its own pair of -t and -l/-s. But
>>> I'm having a hard time imagining what multiplexing would look like. And
>>> anyway, isn't it better to split stuff across multiple SocksPorts?
>>
>> The SOCKS5 port is a bit different from onion p2p.
>> I meant having a single OnionCat handling multiple /48s would give another
>> abstract management option, in addition to today's multiple OnionCats with
>> one /48 each.
>
>
> What you are trying to do sounds very complicated to me. Even
> one /48 prefix contains more addresses than the whole IPv4 address space.

I mainly just wanted a different /48, as another kind of isolation. And
perhaps that's unnecessary.

> And OC is not a multicast network, thus you cannot simply "ARP" for
> other OCs.

Thanks, I glossed over that. You can only route to OnionCat IPv6 addresses
that you know already, because they're basically just transformed hostnames.

> So why would you try to use several different /48 prefixes?

Upon reflection, I wouldn't ;)

> Bernhard
>
> --
> tor-talk mailing list - tor-talk@lists.torproject.org
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
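The point that OnionCat addresses are "just transformed hostnames", and that the peers you can reach are therefore exactly the ones whose .onion names you already know, is easy to show in code. The following is an added example written for this page, not OnionCat's own code: it assumes OnionCat's default ULA prefix fd87:d87e:eb43::/48 and the v2-era mapping the thread is talking about, where the 80 bits of a 16-character base32 .onion name fill the host part of the /48. The sample onion name and the allowlist are constructed for the example. Names of a different length (such as the later 56-character v3 addresses) do not fit in 80 bits, so the converter rejects them rather than guessing.

```python
import base64
import ipaddress

# Assumed: OnionCat's default prefix, the /48 discussed in the thread.
OC_PREFIX = ipaddress.IPv6Network("fd87:d87e:eb43::/48")
HOST_BITS = 128 - OC_PREFIX.prefixlen          # 80 bits left for the onion id
HOST_MASK = (1 << HOST_BITS) - 1


def onion_to_ipv6(hostname: str) -> ipaddress.IPv6Address:
    """Map a 16-character (v2-style) .onion name to its OnionCat IPv6 address.

    The name is base32; 16 characters decode to exactly 10 bytes = 80 bits,
    which become the low 80 bits under the /48. No lookup is involved, which
    is why a peer is reachable only if you already know its name."""
    label = hostname.strip().lower()
    if label.endswith(".onion"):
        label = label[: -len(".onion")]
    if len(label) != 16:
        raise ValueError("expected a 16-character onion id (80 bits)")
    raw = base64.b32decode(label.upper())      # raises on non-base32 input
    return ipaddress.IPv6Address(int(OC_PREFIX.network_address) | int.from_bytes(raw, "big"))


def ipv6_to_onion(addr) -> str:
    """Inverse transform: recover the .onion name from an address in the prefix."""
    a = ipaddress.IPv6Address(addr)
    if a not in OC_PREFIX:
        raise ValueError(f"{a} is not inside {OC_PREFIX}")
    raw = (int(a) & HOST_MASK).to_bytes(HOST_BITS // 8, "big")
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def peer_allowed(src, dst, known_onions) -> bool:
    """Allowlist check in the spirit of the per-address ip6tables rules the
    reply mentions: both ends must sit in the OnionCat prefix and both must
    correspond to a .onion name we know. Anything else is dropped.
    (Hypothetical helper, not an OnionCat or ip6tables feature.)"""
    allowed = {onion_to_ipv6(name) for name in known_onions}
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    return s in OC_PREFIX and d in OC_PREFIX and s in allowed and d in allowed


if __name__ == "__main__":
    # Constructed sample names; the all-'a' name decodes to the prefix itself.
    local, remote = "a5ccbdkubbr2jlcp.onion", "aaaaaaaaaaaaaaaa.onion"
    print(local, "->", onion_to_ipv6(local))
    print(remote, "->", onion_to_ipv6(remote))
    print("allowed:", peer_allowed(onion_to_ipv6(local), onion_to_ipv6(remote), [local, remote]))
    print("unknown peer allowed:", peer_allowed(onion_to_ipv6(local), "fd87:d87e:eb43::1", [local, remote]))
```

Because the transform is deterministic, the firewall does not need to learn anything at runtime: enumerate the .onion names you intend to talk to, derive their IPv6 addresses, and allow only those pairs on the tun interface. An address inside the prefix that you did not derive from a known name is simply an unknown peer and should be filtered like any other unsolicited traffic on a network port.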