Hello Chris,
My response is inline with the message thread.
On Mon, Sep 15, 2008 at 11:25 AM, Roger Dingledine
<arma@xxxxxxx> wrote:
On Mon, Sep 15, 2008 at 02:12:12PM -0400, Chris Akins wrote:
> The basic idea
> is to build a zero-configuration Tor relay in hardware that sits between the
> home user's router and their computer. Two plugs: one to the outside world,
> one to the computer.
Two thoughts come to mind immediately. First, you will want to use
Tor's transparent proxy interface with iptables / pf:
https://wiki.torproject.org/noreply/TheOnionRouter/TransparentProxy
Yup, this is what you want to use.
You might like Incognito's firewall rules:
https://svn.torproject.org/svn/incognito/trunk/root_overlay/var/lib/iptables/rules-save
Incognito has a couple of good additional rules which might be of use.
For the software side, you should look at coderman's draft thoughts on
a self-contained Tor in a VM:
https://svn.torproject.org/svn/torvm/trunk/doc/design.html
Based on the best transparent Tor solution, this is a must read! ;)
Second, if you want this Tor to be able to act as a relay too (aka a Tor
server), it will need some non-trivial hardware. Exactly what hardware is
needed is an open question, and worth exploring more. The Tor software
development process seems to have cycles where we 1) accidentally cause
Tor to use too many resources, then 2) fix that, then go back to 1.
I've been working on a 400MHz StrongARM XScale PXA255 CPU, 16MB of Flash storage, and 64MB of RAM, and 2 x 100Mbps Ethernet ports.
With better memory management with the newer 2.x alpha versions of Tor, this seems very realistic now.
Right now TorVM can run as a client on as little as 16MB of RAM, so I think 64MB will cover it.
I believe coderman has been using the TorVM as a server, so he would have a better answer as to how much RAM it uses running as a server node.
The benchmarks[1] for crypto on this are as follows (sorry if the spacing is off).
16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-128 cbc 3113.35k 3187.56k 3207.59k 3206.59k 3213.99k
sign verify sign/s verify/s
rsa 512 0.0162s 0.0016s 61.9 635.0
rsa 1024 0.0946s 0.0053s 10.6 190.2
rsa 2048 0.6269s 0.0190s 1.6 52.7
rsa 4096 4.4033s 0.0700s 0.2 14.3
Running a server would be possible, but it would be much slower than if you ran it on your P4.
In it's current state, it take about 60 seconds to boot.
So some versions of Tor are much more friendly, cpu and memory wise,
than others. The current 0.2.1.5-alpha version is quite good I believe.
So far, it has been very good with the memory usage compared to older version which consumed hundreds of MB.
> The relay would automatically handle all the configuration details, and
> render interception almost impossible, barring subversion of the target
> machine.
You may find that some config details, like how much rate limiting the
user wants to put in place, are hard to guess automatically.
There are a few things that you may want to take into consideration:
- How would you configure the device in different environments? (Work vs Home vs On the road).
- How do you handle being behind a proxy?
- What if the router on the LAN is using MAC filtering?
- What if you want to run a hidden service?
- How do you update it?
I've been focused on this for awhile now, and have solutions to most of the questions people find themselves asking about this type of implementation.
The goal has been to get the same level of transparency that you see in JanusVM or TorVM into hardware.
As a matter of fact, I got my first build for the hardware working last night. Funny you should ask about this today! :)
Next step is to bring Tor 0.2.1.5-alpha into the build (on today's to-do list).
The last step will be the Universal User Interface with different Profiles (work, home, etc..), and it'll be finished.
I'm hoping for my Tor on a stick by this weekend!
(Fingers crossed as builds take about 1.5 hours to complete and bugs are a bitch)
Best Regards,
Kyle
[1]
http://docwiki.gumstix.org/index.php/Benchmarks