Proposal: Separate streams across circuits by destination port or destination host

Jacob Appelbaum jacob at appelbaum.net
Sun Jul 25 19:56:26 UTC 2010


On 07/23/2010 09:09 PM, Linus Nordberg wrote:
> Jacob Appelbaum <jacob at appelbaum.net> wrote
> Fri, 23 Jul 2010 17:03:09 +0200:
> 
> | Filename: 171-separate-streams-by-port-or-host.txt
> 
> 1. Is 'connections' a well established term here?  I'm thinking TCP
>    connection but that clearly doesn't make sense in a UDP context, such
>    as DNS.  One could use 'packet' in one way or another instead, I
>    guess.

I think so. There is only TCP with Tor; I don't think it makes much
sense to discuss packets.

> 
> 2. >IsolateStreamsByPort will take a list of ports or optionally the
>    >keyword 'All' in place of a port list. The use of the keyword 'All'
>    >will ensure that all connections attached to streams will be
>    >isolated to separate circuits by port number.
> 
>    Just to make it clear, would a packet sent to hostA:port1 end up
>    on the same circuit as one sent to hostB:port1?
> 

Yes.

> 3. If 2 says yes, would this turn into a no if IsolateStreamsByHost was
>    enabled?
> 

Yes.


> 4. 
> 
> 
> 

Thanks for the patch!

> Remote: origin http://git.torproject.org/ioerror/tor.git
> Local:  isolated-streams /u/src/tor.ioerror/
> Head:   b32947a tpyo correction
> 
> Changes:
> 	Modified doc/spec/proposals/171-separate-streams-by-port-or-host.txt
> diff --git a/doc/spec/proposals/171-separate-streams-by-port-or-host.txt b/doc/spec/proposals/171-separate-streams-by-port-or-host.txt
> index 3f745dc..3bd0532 100644
> --- a/doc/spec/proposals/171-separate-streams-by-port-or-host.txt
> +++ b/doc/spec/proposals/171-separate-streams-by-port-or-host.txt
> @@ -20,7 +20,7 @@ we must balance network load issues and stream privacy. The Tor network will not
>  currently scale to one circuit per connection nor should it anytime soon.
>  
>  Circuits are currently created with a few constraints and are rotated within
> -a reasonable time window. This allows a rogue exit nodes to correlate all
> +a reasonable time window. This allows a rogue exit node to correlate all
>  streams on a given circuit.
>  
>  Design:
> @@ -36,7 +36,7 @@ number.
>  IsolateStreamsByHost will take a boolean value. When enabled, all connections,
>  regardless of port number will be isolated with separate circuits per host. If
>  this option is enabled, we should ensure that the client has a reasonable
> -number of pre-built circuits to ensure percieved performance. This should also
> +number of pre-built circuits to ensure perceived performance. This should also
>  intentionally limit the total number of circuits a client will build to ten
>  circuits to prevent abuse and load on the network. This is a tradeoff of
>  performance for anonymity. Tor will issue a warning if a client encounters this
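Review bot: the context lines leave the behaviour at the ten-circuit cap unspecified. "Tor will issue a warning if a client encounters this limit" says nothing about what happens to the stream that hit it: is it attached to an existing circuit (silently losing the per-host isolation the option promises) or refused? The spec should state which, and also whether the cap is global or only in force while IsolateStreamsByHost is enabled, since "This should also intentionally limit the total number of circuits" ties it to that option.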
> @@ -45,7 +45,7 @@ limit.
>  Security implications:
>  
>  It is believed that the proposed changes will improve the anonymity for end
> -user stream privacy.  The end user will no longer link all of their traffic at
> +user stream privacy.  The end user will no longer link all of its traffic at
>  a single exit node during a given time window.
>  
>  Specification:
> 
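Review bot: the added line's "all of its traffic" refers to the end user as an object; the removed line's "their" (singular) reads naturally for a person and should stay. The larger issue in this sentence is its subject: the user does not "link" traffic, the exit node does. Suggest rewording to something like "A single exit node will no longer be able to link all of a user's streams during a given time window."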

All the best,
Jake
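To make the answers to questions 2 and 3 concrete, here is a small model of the isolation rules as the proposal text describes them (an added example, not Tor code): streams get an isolation key from IsolateStreamsByPort and IsolateStreamsByHost, and a pool hands out circuits by key. The behaviour when the ten-circuit limit is reached is not specified by the proposal; this model assumes the stream is refused rather than attached to an existing circuit.

```python
"""Model of proposal 171 stream isolation (illustrative, not Tor code)."""
from dataclasses import dataclass, field
from typing import Optional, Union

# The proposal caps circuits built under host isolation at ten.
MAX_ISOLATED_CIRCUITS = 10


@dataclass
class IsolationConfig:
    # IsolateStreamsByPort: a set of ports, or the keyword 'All'.
    isolate_by_port: Union[frozenset, str] = frozenset()
    # IsolateStreamsByHost: boolean.
    isolate_by_host: bool = False


def isolation_key(host: str, port: int, cfg: IsolationConfig) -> tuple:
    """Streams with equal keys may share a circuit; different keys may not."""
    host_part = host.lower() if cfg.isolate_by_host else None
    if cfg.isolate_by_port == "All":
        port_part = port
    elif isinstance(cfg.isolate_by_port, frozenset) and port in cfg.isolate_by_port:
        port_part = port
    else:
        port_part = None  # not an isolated port: may share the default circuit
    return (host_part, port_part)


@dataclass
class CircuitPool:
    cfg: IsolationConfig
    circuits: dict = field(default_factory=dict)   # isolation key -> circuit id
    warnings: list = field(default_factory=list)

    def attach(self, host: str, port: int) -> Optional[int]:
        """Return the circuit id this stream is attached to, or None if refused."""
        key = isolation_key(host, port, self.cfg)
        if key in self.circuits:
            return self.circuits[key]
        # Assumption: the cap only applies while host isolation is enabled,
        # and a stream that would exceed it is refused with a warning.
        if self.cfg.isolate_by_host and len(self.circuits) >= MAX_ISOLATED_CIRCUITS:
            self.warnings.append(
                f"circuit limit {MAX_ISOLATED_CIRCUITS} reached; refusing {host}:{port}")
            return None
        self.circuits[key] = len(self.circuits) + 1
        return self.circuits[key]
```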



More information about the tor-dev mailing list