Hello,
I've noticed that the non-publicly routable CGNAT subnet of 100.64.0.0/10 is not in the default exit policy reject list like 192.168/16 and 10/8 are.
This range is not publicly routed, and should never need to be accessed from a Tor exit.
Tailscale and other ISPs use this block.
How many exit relays connected to a Tailscale network are unknowingly exposing all of their other Tailscale devices to the Tor network?
ISPs may be less willing to allow exit relays if there are bots using Tor to toy with the ISPs 100.64/10 range.
Maybe there is something I am missing for it to not be included?
Thanks,
Likogan.Dev
Sorry for the late answer, I noticed that this range has been added in
tor_addr_is_internal_() now.
Anyway, shouldn't TOR ExitPolicy reject all special IP ranges?
See Reserved IP addresses - Wikipedia
DS-Lite (192.0.0.0/24) seems to be some kind of CG-nat too.
Isn't 198.18.0.0/15 a private range, like RFC 1918?
224.0.0.0/4 and 255.255.255.255 should be probably be blocked too, as
well as ff00::/8
I did not look deep into all the IPv6 special ranges.
Currently reserved IP ranges are not routed but may be revived later
and have security consequences
My 2 ¢
···
On Sun, 06 Jul 2025 19:13:36 +0000 admin--- via tor-relays <tor-relays@lists.torproject.org> wrote:
I've noticed that the non-publicly routable CGNAT subnet of
100.64.0.0/10 is not in the default exit policy reject list like
192.168/16 and 10/8 are. This range is not publicly routed, and
should never need to be accessed from a Tor exit.
_______________________________________________
tor-relays mailing list -- tor-relays@lists.torproject.org
To unsubscribe send an email to tor-relays-leave@lists.torproject.org
Hello.
Isn't 198.18.0.0/15 a private range, like RFC 1918?
Its RFC 2544, which contains ranges reserved for internal benchmarking.
The term here is "bogon". That is any address which should not be seen
being routed on the public internet. This includes special-purpose
addresses like CG-NAT and benchmarking addresses, as well as reserved
addresses that have not been allocated.
Currently reserved IP ranges are not routed but may be revived later
and have security consequences
In 2011, the IETF wrote RFC 6441 (BCP 171), in which they recommend
that unallocated ranges should no longer be considered bogons due to
the IPv4 exhaustion. Any range that are reserved for "eventual" public
use should just be considered allocated.
I don't believe Tor does any special filtering for bogons, only for
certain local addresses in tor_addr_is_internal_(), specifically:
fc00/7
fc80/10
fec0/10
::/127
10/8
0/8
127/8
100.64/10
169.254/16
172.16/12
192.168/16
With special cases for binding to 0/32 and 100.64/10.
See: Bogon Prefixes – BGP Filter Guide – Guidance on BGP Filtering
Regards,
forest
···
_______________________________________________
tor-relays mailing list -- tor-relays@lists.torproject.org
To unsubscribe send an email to tor-relays-leave@lists.torproject.org