The rationale is making mixmaster work by default.

https://github.com/Whonix/anon-mixmaster/blob/master/etc/skel/.Mix/mix.cfg

Any suggestions for invalid IP addresses that we can use instead?

first rule: don't use public IP addresses that are not assigned to you

The rationale is making mixmaster work by default.

does that require a MapAddress entry?

My advice is to use a private address range reserved for this purpose by IANA. These will never be used in the future by anyone. Sine we use 10.x.x.x and moved away from 192.x.x.x, this leaves 172.x.x.x

172.16.0.0 – 172.31.255.255

https://en.wikipedia.org/wiki/Private_network

In T878#17661, @HulaHoop wrote:

My advice is to use a private address range reserved for this purpose by IANA. These will never be used in the future by anyone. Sine we use 10.x.x.x and moved away from 192.x.x.x, this leaves 172.x.x.x

172.16.0.0 – 172.31.255.255

https://en.wikipedia.org/wiki/Private_network

Ok.

Please pick some range in the middle. Not the very first ones. This is to prevent issues for someone changing internal IP addresses (not likely using the same) or perhaps also to avoid issues with VPNs.

172.24.0.0
&
172.24.0.1

Middle of the range solution. How does this sound? Confirmed it falls within the private address CIDR:

https://ipduh.com/ip/cidr/?172.24.0.0/24

172.24.0.0 is in the 172.16.0.0/12 block which is set aside for use in private networks. Addresses within this block do not legitimately appear on the public Internet. Addresses within 172.16.0.0/12 can be used without any coordination with IANA or an Internet registry.

Sounds good!

Other imporvements in this thread such as functioning SMTP gateways are also part of this ticket:

https://forums.whonix.org/t/mixmaster-no-longer-working-in-whonix-14/6761

@Patrick Are pull requests needed?

Yes.

https://github.com/Whonix/anon-gw-anonymizer-config/pull/17/commits/5351bd4765476e9522c77cea5a8e30e6c4f94083

@Patrick Now we have to figure out how or if we can use the version in sid on Buster since it is no longer available in stable-next after the freeze. Let me know what you think and I will open a ticket for it is doable.

https://github.com/Whonix/anon-gw-anonymizer-config/pull/17

On a second thought I wonder if this is still a Whonix specific fingerprinting vector. Any DNS request for 172.24.0.0 would resolve to bshc44ac76q3kskw.onion. Not something a remote website could exploit?

https://github.com/Whonix/anon-gw-anonymizer-config/commit/57e3976d9726fc636741865ee90d1bb2bbf3dfad

On a second thought I wonder if this is still a Whonix specific fingerprinting vector. Any DNS request for 172.24.0.0 would resolve to bshc44ac76q3kskw.onion. Not something a remote website could exploit?

No because Tor Browser blocks access to localhost and all private IANA addresses by default to prevent malicious websites tricking itinto leaking a user's identity.

But this isn't a Tor Browser only thing. Applies to any application, specifically those using system default networking (Tor's TransPort).

Can you think of any other app besides a browser that parses JS/Remote code that can manipulate it into requesting those particular addresses?

No user would consciously configure a daemon running on the internal network to use these IPs since it doesn't make sense - they are not within the 10.x.x.x range that we use.

In T878#18059, @HulaHoop wrote:

Can you think of any other app besides a browser that parses JS/Remote code that can manipulate it into requesting those particular addresses?

Yes. A file sharing protocol or messenger protocol (something with a feature to get around firewalls / discovery protocol like retroshare).

mixmaster said to be dead upstream and permanently removed from Debian

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=880101