On Wed, Sep 05, 2007 at 09:58:37AM -0700, Michael_google gmail_Gersten wrote:
> I've noticed that my tor configured as a client will only have one
> outgoing TCP connection to an entry node, no matter how many circuits
> Vidalia shows as going to that entry guard.
>
> I'm assuming that this continues on other router to router channels --
> if there are three circuits that go from (for example) desync to
> Tonga, there will only be one TCP connection.
>
> Is this necessary from a security standpoint? Tor can be sped up if
> that "one channel per pair" restriction can be broken.

Probably, yes? Otherwise, it is trivial for an external attacker to
separate individual circuits and trace them more easily. (It may be
possible to do this anyway with traffic analysis techniques, but also
maybe not.)

For more information on the Tor design, you might want to check out the
design paper at http://tor.eff.org/doc/design-paper/tor-design.pdf .

> (Just like IP itself. A layer two connection between two nodes has (I
> forget exactly) 8 channels, each of which can only have one
> outstanding packet. Allowing Tor to have multiple channels between two
> nodes will prevent a single stopped TCP from stopping all traffic
> going that way.)

Another long-term solution is possibly to switch to a UDP transport
between Tor servers (using DTLS in place of TLS) and then provide
reliability and ordering at a higher layer of the protocol.
Unfortunately, this is pretty hard, and we don't have a really solid
idea of how to do it best.

yrs,
-- 
Nick Mathewson
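The head-of-line blocking that the thread describes (one stalled TCP segment delaying every circuit multiplexed over the same relay-to-relay connection) can be shown with a small simulation. This is an added illustration, not code from the thread or from Tor; the cell layout, the per-tick send model and the retransmit delay are constructed assumptions.

```python
"""Toy model of head-of-line blocking on a shared in-order channel.

Several circuits send cells over the link between two relays.  With a
single TCP connection per relay pair, a lost segment holds back every
later cell on that connection until the retransmit arrives.  With one
channel per circuit, only the circuit that lost a cell is delayed.
Constructed example; it is not Tor's scheduling code.
"""
from collections import namedtuple

Cell = namedtuple("Cell", "circuit seq")

# Constructed traffic: three circuits A, B, C sending interleaved cells,
# one cell leaves the sender per tick in this order.
CELLS = [Cell(c, i) for i in range(3) for c in "ABC"]


def delivery_times(cells, lost_index, rtt, single_channel):
    """Return {cell: tick at which the receiver can hand the cell up}.

    The cell at position lost_index is lost and arrives rtt ticks late.
    A reliable in-order transport (TCP) cannot deliver a cell before all
    earlier cells on the same channel have arrived, so the late arrival
    is propagated to everything queued behind it on that channel.
    """
    arrival = {cell: t + (rtt if t == lost_index else 0)
               for t, cell in enumerate(cells)}
    channels = {}
    for cell in cells:
        key = "shared" if single_channel else cell.circuit
        channels.setdefault(key, []).append(cell)
    delivered = {}
    for queue in channels.values():
        ready = 0
        for cell in queue:              # in send order
            ready = max(ready, arrival[cell])
            delivered[cell] = ready
    return delivered


def extra_delay_per_circuit(lost_index=1, rtt=10, single_channel=True):
    """Sum, per circuit, of delivery tick minus send tick (ideal is 0)."""
    times = delivery_times(CELLS, lost_index, rtt, single_channel)
    totals = {}
    for t, cell in enumerate(CELLS):
        totals[cell.circuit] = totals.get(cell.circuit, 0) + times[cell] - t
    return totals
```

With the loss on circuit B's first cell, the shared channel delays A and C as well, while per-circuit channels confine the delay to B.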