Re: Load Balancing

     On Fri, 21 Sep 2007 15:06:39 -0700 "Michael_google gmail_Gersten"
<keybounce@xxxxxxxxx> wrote:
>On 9/21/07, Alexander W. Janssen <alexander.janssen@xxxxxxxxx> wrote:
>> On 9/21/07, Nick Mathewson <nickm@xxxxxxxxxxxxx> wrote:
>> > Short answer: Tor tries to group many streams on a single circuit.  If
>> > we didn't, that would be way too much PK.
>> Means, if the browser opens up 6 instances to grab stuff from a site,
>> Tor consolidates all requests into a single circuit?
>> Makes sense from a performance point of view.
>> > yrs,
>> > Nick Mathewson
>> Alex.
>If you have a web page with 30 sub-fetches (images, style sheets,
>script files, etc), then they will all fetch over a single circuit.

     Unless the circuit becomes "old" or is closed by a server going down,
of course.  Also, there is at least the possibility, however unlikely,
that one or more of the subordinate fetches will take a different circuit
because of some peculiarity in the relationship between the page and the
item on the page, e.g., the page is on a non-tor-related web server and the
item on the page is on a web server "near" a tor server allowing local exits
to that web server.
>It does NOT make sense from a performance point of view. Since
>everything will be encrypted, regardless of which circuit it takes,
>there is no performance impact.

     On modern CPUs, the encryption-decryption workload has to be a minor
factor in the performance of a circuit.  That is why NumCPUs > 1 makes so
little difference.  Performance for most circuits will be limited by the
network performance characteristics of their various servers and the
Internet paths currently connecting them.
>The question of network efficiency is an interesting one. A single
>circuit will be slower than many circuits. However, each new circuit
>will start off slower (TCP takes time to get up to speed). Many
>established circuits will be faster than one established circuit. [1]
>The question of anonymity is more interesting. When I asked on the
>development list, I was told that using a single circuit rather than
>many circuits helped users to remain anonymous. I didn't understand
>the explanation, so I can't repeat it; I trust that the people who
>have studied that more than I have know what they are talking about.
>[1] This is more true statistically than absolutely. If you have many
>circuits, some will be fast, and some slow. Rotating your usage,
>concentrating on those circuits with the smallest queue, will send
>more TCP channels over faster Tor circuits. However, with many
>circuits, you pretty much guarantee that one will be slow. With a
>single circuit, you have the "all eggs in one basket" case, and you
>may have a very slow connection.
     The above [1] seems correct as far as it goes, but it needs a bit
of tweaking because separate circuits originating in a particular client
have a chance, and in the case of entry guard usage, a very high
chance, of sharing some tor server interconnections.  Tor servers normally
have no more than one open socket at a time to any other given tor server's
ORPort.  That socket may carry many circuit segments from different circuits
with no way to know, from the point of view of the tor server on either end
of the socket, whether any of those circuit segments originate from the same
client.  Each of those circuit segments may have many tunneled TCP streams
traversing it.
     Now back to those entry guards.  A client using entry guards picks a
few and connects sockets to their ORPorts.  As it builds circuits, all have
one of those entry guards as their first hop.  Therefore *all* circuits go
through one of those few (NumEntryGuards) sockets, and thus *all* tunneled
TCP streams also go through those few entry guards.  The default value of
NumEntryGuards is 3, so in that case, all circuits and all TCP streams
tunneled through them that originate from that user's browser will be split
across no more than three distinct first hops and are thus in competition
with each other for bandwidth to whichever entry guard(s) is(are) in use and
for bandwidth out the other side(s) of that(those) entry guard(s).  This
situation might also occur when UseEntryGuards = 0 because it is also the
same situation occurring whenever more than one tunneled TCP stream takes
a path sharing, at any hop, the same tor server as another tunneled TCP

                                  Scott Bennett, Comm. ASMELG, CFIAG
* Internet:       bennett at cs.niu.edu                              *
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
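
An added illustration of the entry-guard point in the message above (not part of the original e-mail and not Tor's code): a small simulation that counts how many first-hop sockets a client's circuits use, and how many circuit pairs share a relay, with and without entry guards. Uniform relay selection, the relay count, the stream counts and the relay names are assumptions made for the example.

```python
import random
from collections import Counter

def build_circuits(relays, n_circuits, rng, guards=None, hops=3):
    """Build paths; with guards set, every first hop comes from that set."""
    paths = []
    for _ in range(n_circuits):
        first = rng.choice(guards if guards else relays)
        rest = rng.sample([r for r in relays if r != first], hops - 1)
        paths.append((first, *rest))
    return paths

def first_hop_load(paths, streams_per_circuit):
    """Tunneled streams per client-to-first-hop socket (one socket per relay)."""
    load = Counter()
    for path in paths:
        load[path[0]] += streams_per_circuit
    return load

def shared_relay_pairs(paths):
    """Number of circuit pairs that have at least one relay in common."""
    return sum(1 for i in range(len(paths)) for j in range(i + 1, len(paths))
               if set(paths[i]) & set(paths[j]))

def compare(n_relays=1000, n_circuits=10, streams_per_circuit=3,
            num_entry_guards=3, seed=1):
    rng = random.Random(seed)
    relays = [f"relay{i}" for i in range(n_relays)]   # constructed names
    guards = rng.sample(relays, num_entry_guards)
    result = {}
    for label, g in (("guards", guards), ("no_guards", None)):
        paths = build_circuits(relays, n_circuits, rng, guards=g)
        load = first_hop_load(paths, streams_per_circuit)
        result[label] = {
            "first_hop_sockets": len(load),
            "busiest_socket_streams": max(load.values()),
            "circuit_pairs_sharing_a_relay": shared_relay_pairs(paths),
        }
    return result

if __name__ == "__main__":
    for label, stats in compare().items():
        print(label, stats)
```

With ten circuits and three guards, at least four circuits must share one guard socket, so the guarded case always shows at least twelve circuit pairs with a relay in common regardless of the seed.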