[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Not using slow circuits (was Re: Tor slow no matter what I do.)

Scott Bennett wrote:
     On Sat, 02 Feb 2008 18:08:26 -0800 "F. Fox" <kitsune.or@xxxxxxxxx>
Chad Z. Hower aka Kudzu wrote:
Does TOR implement QOS or prioritization? That is only use bandwidth when
other traffic is not present?
This can be done further upstream of the Tor server, as long as the
server is on a dedicated machine. Just set the switch up to put the Tor
server's port in Low priority mode.

     That works for connections coming into the server, but not for
outbound connections made by the server, so one can control only part of
the traffic that way.  Control over some of the connections initiated by
the server by managing the traffic to and from the most common choices
of remote ports, but there isn't a good way to do that for all remote tor
servers.  A further refinement might be to add specific QoS rules for the
short list of very high-bandwidth servers and for the directory authorities.
     Some Windows firewall software does allow identification of traffic
to and from specific application programs, but I'm not aware of any that
handle QoS that way.
For Wondows, CFosSpeed handles priority. It is not a firewall, its primary goal is traffic prioritization. It is largely diffused in the P2P community to avoid the problem of uploads cannibalizing downloads (ACK prioritization), to permit browsing while heavy downloads are going in the background, etc.

For Linux, for outbound traffic, there are many options:
tc can be used to handle the priority, but first we need the filters that select Tor traffic


a, port based, as it was said before, is difficult since ports can be modified by Tor servers. A filter for 9051 and 9001 would do most of the job, if people leave it on default, but I don't know whether this is the case. Otherwise, a nice long list of destination addresses and ports could be created, even automatically, but that's kind of rude.

b, iptables has an owner module, which could do the job in some cases:

   --cmd-owner name
Matches if the packet was created by a process with the given command name. (this option is present only if iptables was com-
             piled under a kernel supporting this feature)

      NOTE: pid, sid and command matching are broken on SMP

c, filters can be based on the TOS field, which can be set as a socket option. This means a small modification to the Tor code, like adding one line of setsockopt.