
Re: Running a Tor exit node on an academic network?

Hi Joe,

* The Library has electronic subscriptions to certain services that
are based on IP addresses only.  Proposal: block exit connections to
those IP addresses given a list or build a list as needed.  The
eventual list could be thousands of IP addresses long which would have
an undetermined impact on Tor's performance.

I run CoralCDN (http://www.coralcdn.org/), although I also used to work with Roger on the Free Haven Project. We have many of the same issues with running CoralCDN, which is deployed at ~150 PlanetLab sites, most at universities. We push out a bit over 2 TB per day in web traffic to > 1 million clients.

Part of our solution for handling some of these issues is to limit bandwidth consumption, part is to enforce blacklists for websites that send abuse complaints (although operating at the HTTP layer this is a bit easier for us), and part is to make sure we add all the appropriate HTTP headers.

HTTP headers like X-Forwarded-For, Via, and Proxy-Connection all communicate to the third-party services performing address authentication (such as the ACM or IEEE digital library) that the communication is from elsewhere. While you certainly won't be able to / don't want to identify the correct X-Forwarded-For address, you can at least synthesize some fake one (perhaps just a 10.x.x.x address). But again, this operates at the application layer.

* They're not confident that Tor will obey its exit policies.
Proposal: include kernel-level software firewall and possibly a
hardware-based firewall device on the Tor box.

* They're concerned about bandwidth (although this one is not a
biggie).  Proposal: limit to 5% of my department's bandwidth (5MBit/s)
and then explore burst settings and see how this impacts our
department.

Our experience is that universities don't care as much about peak bandwidth as they do about steady-state traffic: 5 Mbit/s at steady state translates to over 50 GB / day. We've found many universities get uncomfortable around 15-20 GB / day. In CoralCDN, we employ application-level bandwidth tracking that allows higher burst rates, but ensure that steady-state consumption over the long period stays below this high water mark.

Good luck,
--mike

----- www.michaelfreedman.org www.coralcdn.org
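The two application-layer measures Mike describes above (adding proxy headers so that IP-address-authenticated services can tell the request is forwarded, and tracking bandwidth so that bursts are allowed while the steady-state total stays under a cap) as an added example. This is not code from the post or from CoralCDN or Tor; the proxy name exit.example.edu, the 10.0.0.1 placeholder client address and the sliding-window budget algorithm are all assumptions made for illustration.

```python
"""Added example, not CoralCDN's or Tor's code: header annotation for a
forwarding proxy plus a steady-state bandwidth budget that permits bursts."""
import ipaddress
from collections import deque

# Hop-by-hop headers a proxy must not forward (RFC 7230 section 6.1), plus the
# non-standard Proxy-Connection that browsers send to explicit proxies.
HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-connection", "te", "trailer",
    "transfer-encoding", "upgrade", "proxy-authorization", "proxy-authenticate",
}

# Assumption: a synthetic RFC 1918 address stands in for the real client, as
# the post suggests, so the origin learns "proxied" without learning "by whom".
PLACEHOLDER_CLIENT = "10.0.0.1"


def _find(headers, name):
    """Case-insensitive lookup; returns (existing key, value) or (None, None)."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return k, v
    return None, None


def annotate_proxied_request(headers, proxy_name="exit.example.edu",
                             client_placeholder=PLACEHOLDER_CLIENT,
                             http_version="1.1"):
    """Return a copy of the request headers that declares this hop.

    Hop-by-hop headers are stripped, the proxy is appended to any existing Via
    chain (RFC 7230 section 5.7.1) and a private placeholder is appended to
    X-Forwarded-For so IP-based licence checks see forwarded traffic.
    """
    if not ipaddress.ip_address(client_placeholder).is_private:
        raise ValueError("placeholder must never name a real, routable host")
    out = {k: v for k, v in headers.items() if k.lower() not in HOP_BY_HOP}
    key, existing = _find(out, "Via")
    hop = f"{http_version} {proxy_name}"
    out[key or "Via"] = f"{existing}, {hop}" if existing else hop
    key, existing = _find(out, "X-Forwarded-For")
    out[key or "X-Forwarded-For"] = (
        f"{existing}, {client_placeholder}" if existing else client_placeholder)
    return out


def looks_proxied(headers):
    """Origin-side check an IP-authenticated service could apply before
    granting access on the basis of the source address alone."""
    return any(k.lower() in {"via", "x-forwarded-for", "forwarded"} for k in headers)


def daily_bytes(mbit_per_s):
    """Bytes per day at a given steady rate in Mbit/s (5 Mbit/s -> 54 GB)."""
    return mbit_per_s * 1_000_000 * 86_400 // 8


class SteadyStateLimiter:
    """Sliding-window byte budget (assumed algorithm, not CoralCDN's).

    Nothing limits the instantaneous rate, so a burst may consume the whole
    budget at once; what is enforced is the total over the trailing window,
    which is the figure universities actually watch.
    """

    def __init__(self, cap_bytes, window_s, now):
        self.cap = cap_bytes
        self.window = window_s
        self.now = now            # injectable clock, e.g. time.monotonic
        self.log = deque()        # (timestamp, nbytes) in arrival order
        self.total = 0

    def _expire(self, t):
        while self.log and self.log[0][0] <= t - self.window:
            _, n = self.log.popleft()
            self.total -= n

    def allow(self, nbytes):
        """Record and permit a transfer unless it would breach the window cap."""
        t = self.now()
        self._expire(t)
        if self.total + nbytes > self.cap:
            return False
        self.log.append((t, nbytes))
        self.total += nbytes
        return True

    def usage(self):
        self._expire(self.now())
        return self.total
```

The limiter takes its clock as a parameter so it can be driven deterministically in tests; in a real exit proxy you would pass `time.monotonic` and size the window at a day to match the "GB per day" figure the network group cares about.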