Re: Restrict relay to internet2

2008-01-10 Thread Peter Palfrader
On Wed, 09 Jan 2008, F. Fox wrote:

> There might be a way - create a separate autonomous Tor network on I2.
> However, I don't know if it'd be practical, or if it would potentially
> cause problems for I1's Tor (which would suck majorly!).

There is no such thing as I1.

And Internet2 is just another network making up the Internet*, just like
GÉANT, DFN, ACOnet or many others.  It's not even particularly special
or anything.

And no, it's probably not feasible and it's very like good idea to run
extra Tor networks on all of them.

Cheers,

* well, Internet2 is not even that, it's just the consortium that runs it
-- 
                           |  .''`.  ** Debian GNU/Linux **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/


Re: Restrict relay to internet2

2008-01-09 Thread F. Fox

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Peter Palfrader wrote:
(snip)
| You are right, currently Tor requires each node be able to talk to every
| other node.  For servers there is no way to say they only want to talk
| to some other servers.
|
| Also, you can't configure different bandwidth limits based on
| destination or source IP address, AS, or AS path, and I doubt that will
| be added any time soon.
(snip)

There might be a way - create a separate autonomous Tor network on I2.
However, I don't know if it'd be practical, or if it would potentially
cause problems for I1's Tor (which would suck majorly!).

- --
F. Fox: A+, Network+, Security+
Owner of Tor node "kitsune"
http://fenrisfox.livejournal.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHhZSybgkxCAzYBCMRCBcsAJ9J5GKojctQL+UcRaOfoiWRDKFguwCfTZpj
oL4BxoVNzEZyMwrbfSVypyA=
=led7
-----END PGP SIGNATURE-----


Re: Restrict relay to internet2

2008-01-09 Thread Michael Holstein


> The final part of my scheme would require that I be able to restrict
> my tor node to ONLY relay traffic to/from I2 nodes.  I can't figure
> out how to do this.


I doubt your school will do this for you, but the only way it's gonna 
work is to get a BGP feed into quagga (or some other BGPd) and build 
your netfilter tables from that.


Here is a (somewhat dated) article on doing it : 
http://www.ibiblio.org/john/pubs/route-qos/index.html


I see why you're trying though .. when I was running a TOR node here, it 
was by far the largest user of Internet2 bandwidth (since many other TOR 
nodes are on academic sites).


Cheers,

Michael Holstein CISSP GCIA
Cleveland State University
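The "BGP feed into quagga, then netfilter rules built from it" approach above, as an added example that is not Michael's code and not part of Tor. It assumes the Internet2 prefixes have already been exported from the BGP daemon one per line (that export step is not shown), that the relay's ORPort is 9001 and that tor runs as the user `debian-tor`; the chain names and sample prefixes are constructed. As Peter notes elsewhere in the thread, Tor itself cannot be told about such a restriction, so every circuit another relay tries to extend through this node toward a non-I2 relay simply fails; the `always_allow` list exists because the directory authorities must stay reachable regardless of path.

```python
"""Generate netfilter rules that confine a Tor relay's OR traffic to a set of
prefixes learned from a BGP feed (added example; assumptions in the lead-in)."""
import ipaddress
from typing import Iterable, List

# Constructed sample of a prefix export from the I2 BGP table. A real feed
# carries thousands of routes; these are documentation ranges only.
SAMPLE_EXPORT = """\
# prefixes received from the Internet2 peer (constructed sample)
192.0.2.0/25
192.0.2.128/25
198.51.100.0/24
203.0.113.64/26
203.0.113.7
"""


def load_prefixes(text: str) -> List[ipaddress.IPv4Network]:
    """Parse one prefix (or bare host) per line; '#' starts a comment."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # strict=False tolerates host bits set in the exported prefix
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def aggregate(nets: Iterable[ipaddress.IPv4Network]) -> List[ipaddress.IPv4Network]:
    """Merge adjacent and overlapping prefixes so the rule set stays short."""
    return list(ipaddress.collapse_addresses(nets))


def render_rules(nets: Iterable[ipaddress.IPv4Network], orport: int = 9001,
                 tor_user: str = "debian-tor",
                 always_allow: Iterable[str] = ()) -> List[str]:
    """Emit iptables commands.

    Inbound: only SYNs from allowed prefixes may open our ORPort.
    Outbound: only SYNs sent by the tor user toward allowed prefixes pass.
    always_allow holds hosts that must stay reachable whatever the path
    (the directory authorities); it is deliberately empty here and has to
    be filled from the relay's own consensus.
    """
    allow = aggregate(list(nets) + [ipaddress.ip_network(h) for h in always_allow])
    rules = ["iptables -N TOR_I2_IN", "iptables -N TOR_I2_OUT"]
    for net in allow:
        rules.append(f"iptables -A TOR_I2_IN -s {net} -j ACCEPT")
        rules.append(f"iptables -A TOR_I2_OUT -d {net} -j ACCEPT")
    rules += [
        # Reset rather than drop so the peer fails fast instead of timing out.
        "iptables -A TOR_I2_IN -j REJECT --reject-with tcp-reset",
        "iptables -A TOR_I2_OUT -j REJECT --reject-with tcp-reset",
        f"iptables -A INPUT -p tcp --dport {orport} --syn -j TOR_I2_IN",
        f"iptables -A OUTPUT -p tcp --syn -m owner --uid-owner {tor_user} -j TOR_I2_OUT",
    ]
    return rules


if __name__ == "__main__":
    for rule in render_rules(load_prefixes(SAMPLE_EXPORT)):
        print(rule)
```

Re-run the generator whenever the BGP table changes (I2 routes come and go), and flush the two custom chains before reloading so stale prefixes do not linger.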


Re: Restrict relay to internet2

2008-01-09 Thread Peter Palfrader
On Wed, 09 Jan 2008, Nathaniel Fairfield wrote:

> > It seems to me that I could do it with a lot of hairy routing rules,
> > but this would be bad because I'd be breaking circuits all the time.
> 
> It would be really wasteful if nodes that are trying to make circuits
> through my relay don't have any way of knowing that 90% of circuits are
> going to fail (because they try to connect to an I1 node).  But maybe
> that's ok, or maybe I don't understand how circuits are constructed?

You are right, currently Tor requires each node be able to talk to every
other node.  For servers there is no way to say they only want to talk
to some other servers.

Also, you can't configure different bandwidth limits based on
destination or source IP address, AS, or AS path, and I doubt that will
be added any time soon.

Cheers,
Peter
-- 
                           |  .''`.  ** Debian GNU/Linux **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/


Re: Restrict relay to internet2

2008-01-09 Thread Nathaniel Fairfield
Ringo Kamens wrote:
> Couldn't you just make your node a middleman and ban tor from
> connecting to your Internet One Connection?
> Comrade Ringo Kamens

Sorry, I meant to make clear that my node *is* a middleman, or what I've
been calling a relay.

And as I said in my initial email:

> It seems to me that I could do it with a lot of hairy routing rules,
> but this would be bad because I'd be breaking circuits all the time.

It would be really wasteful if nodes that are trying to make circuits
through my relay don't have any way of knowing that 90% of circuits are
going to fail (because they try to connect to an I1 node).  But maybe
that's ok, or maybe I don't understand how circuits are constructed?

Nathaniel

> 
> On Jan 9, 2008 12:40 PM, Nathaniel Fairfield <[EMAIL PROTECTED]> wrote:
> 
> F. Fox wrote:
>> Another thing: How would the PKI work over Internet2? AFAIK, Tor
>> needs to be able to talk to an authoritative directory server;
>> also, the directory it gets would be full of Internet1 (as I'll
>> refer to the "normal" Internet here) nodes.
>> 
>> Clearly, an entirely new PKI would have to be set up, via forcing
>> options in copies of Tor (including, among other things, forcing a
>> few copies into authoritative directory mode). It would be an
>> interesting project, but it would take quite a bit of work.
> 
> I wasn't thinking of setting up an entirely separate Tor network on
> Internet2.  As I mentioned, I2 is transparent for my machine:  when I
> connect to another machine (google, whatever), it will use I2 if
> possible and fall back to standard internet otherwise.
> 
> So I was hoping to exploit the fact that several of the main Tor
> nodes (at MIT, Harvard, etc) are on I2, and I could relay a *lot* of
> traffic between such nodes.  The problem is that I need to explicitly
> restrict my relay to those nodes because my standard internet access
> is bandwidth limited.
> 
> Nathaniel
> 
> 


Re: Restrict relay to internet2

2008-01-09 Thread Ringo Kamens
Couldn't you just make your node a middleman and ban tor from connecting to
your Internet One Connection?
Comrade Ringo Kamens

On Jan 9, 2008 12:40 PM, Nathaniel Fairfield <[EMAIL PROTECTED]> wrote:

> F. Fox wrote:
> > Another thing: How would the PKI work over Internet2? AFAIK, Tor needs
> > to be able to talk to an authoritative directory server; also, the
> > directory it gets would be full of Internet1 (as I'll refer to the
> > "normal" Internet here) nodes.
> >
> > Clearly, an entirely new PKI would have to be set up, via forcing
> > options in copies of Tor (including, among other things, forcing a few
> > copies into authoritative directory mode). It would be an interesting
> > project, but it would take quite a bit of work.
>
> I wasn't thinking of setting up an entirely separate Tor network on
> Internet2.  As I mentioned, I2 is transparent for my machine:  when I
> connect to another machine (google, whatever), it will use I2 if
> possible and fall back to standard internet otherwise.
>
> So I was hoping to exploit the fact that several of the main Tor nodes
> (at MIT, Harvard, etc) are on I2, and I could relay a *lot* of traffic
> between such nodes.  The problem is that I need to explicitly restrict
> my relay to those nodes because my standard internet access is bandwidth
> limited.
>
> Nathaniel
>


Re: Restrict relay to internet2

2008-01-09 Thread Nathaniel Fairfield
F. Fox wrote:
> Another thing: How would the PKI work over Internet2? AFAIK, Tor needs
> to be able to talk to an authoritative directory server; also, the
> directory it gets would be full of Internet1 (as I'll refer to the
> "normal" Internet here) nodes.
> 
> Clearly, an entirely new PKI would have to be set up, via forcing
> options in copies of Tor (including, among other things, forcing a few
> copies into authoritative directory mode). It would be an interesting
> project, but it would take quite a bit of work.

I wasn't thinking of setting up an entirely separate Tor network on
Internet2.  As I mentioned, I2 is transparent for my machine:  when I
connect to another machine (google, whatever), it will use I2 if
possible and fall back to standard internet otherwise.

So I was hoping to exploit the fact that several of the main Tor nodes
(at MIT, Harvard, etc) are on I2, and I could relay a *lot* of traffic
between such nodes.  The problem is that I need to explicitly restrict
my relay to those nodes because my standard internet access is bandwidth
limited.

Nathaniel


Re: Restrict relay to internet2

2008-01-07 Thread F. Fox

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Nathaniel Fairfield wrote:
| Folks,
|
| I run a tor relay node (no exits) on my school's network.  Due to their
| bandwidth policy, I have to limit traffic to about 1 Gb per day.  Weak,
| I know.

Weak? Not really. I'm sure home users don't contribute too much, either
- - and every little bit helps. :-)

|
| HOWEVER, my school is also connected to the Abilene/Internet2 backbone,
| and they DON'T limit bandwidth usage over Internet2!
(snip)

I'd check into whether Internet2 has policies relating to how it's used,
first... I get the impression it's a research network mainly at
universities. If that's the case, they may not want people fooling with
it casually. However, I could be wrong.

Another thing: How would the PKI work over Internet2? AFAIK, Tor needs
to be able to talk to an authoritative directory server; also, the
directory it gets would be full of Internet1 (as I'll refer to the
"normal" Internet here) nodes.

Clearly, an entirely new PKI would have to be set up, via forcing
options in copies of Tor (including, among other things, forcing a few
copies into authoritative directory mode). It would be an interesting
project, but it would take quite a bit of work.

One thing to remember is, even if Internet2 gets its own Tor PKI, Tor
needs a decent userbase in order to provide a respectable degree of
anonymity (and preferably a distributed geography, including as many
foreign jurisdictions as possible). Could you get enough Tor users on
Internet2?

Remember, anonymity loves company.

Interesting "pet project" idea, though... :-D

- --
F. Fox: A+, Network+, Security+
Owner of Tor node "kitsune"
http://fenrisfox.livejournal.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHguMAbgkxCAzYBCMRCEI7AJ0UIkMGMlUeZfqo8jP2+F/mllQg0wCfU4lL
a7fSJpfeYwQFNgBtLczLmU4=
=Y/9Z
-----END PGP SIGNATURE-----


Restrict relay to internet2

2008-01-07 Thread Nathaniel Fairfield

Folks,

I run a tor relay node (no exits) on my school's network.  Due to their 
bandwidth policy, I have to limit traffic to about 1 Gb per day.  Weak, 
I know.


HOWEVER, my school is also connected to the Abilene/Internet2 backbone, 
and they DON'T limit bandwidth usage over Internet2!


Internet2 is set up such that it is transparent to my computer, but I've 
hacked together a simple script that uses traceroute to figure out if 
traffic between my machine and another host is going over Internet2.
So I can scan through the directory of Tor nodes with my script, and 
find which ones are on I2.


The final part of my scheme would require that I be able to restrict my 
tor node to ONLY relay traffic to/from I2 nodes.  I can't figure out how 
to do this.


Anyone have an idea for how to pull this off?  It seems to me that I 
could do it with a lot of hairy routing rules, but this would be bad 
because I'd be breaking circuits all the time.


Thanks,
Nathaniel
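The traceroute-based classification described in the original post, as an added example that is not Nathaniel's script and not part of Tor. It assumes hops have reverse-DNS names and that Internet2/Abilene backbone routers can be recognised by domain suffix; the suffixes in `I2_SUFFIXES` are placeholders an operator would replace with whatever their own campus's I2 uplink resolves to, and the embedded traceroute output, hop names and addresses are constructed.

```python
"""Decide from traceroute output whether a host is reached over Internet2
(added example; the suffix list and sample data are assumptions)."""
import re
import subprocess
from typing import Callable, Dict, Iterable, List, Tuple

# Placeholder domain suffixes for I2 backbone hops (assumption, adjust locally).
I2_SUFFIXES = ("abilene.ucaid.edu", "internet2.edu")

# One traceroute hop: "<n>  <name> (<ip>)  <rtt> ms ...". Lines that only
# show "*" (no reply) carry no name and are skipped.
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\d+\.\d+\.\d+\.\d+)\)")


def parse_hops(output: str) -> List[Tuple[int, str, str]]:
    """Return (hop number, reverse name, ip) for every responding hop."""
    hops = []
    for line in output.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(2), m.group(3)))
    return hops


def is_i2_hop(name: str, suffixes: Iterable[str] = I2_SUFFIXES) -> bool:
    """Match whole labels only, so 'notabilene.ucaid.edu.example' does not count."""
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in suffixes)


def via_internet2(output: str, suffixes: Iterable[str] = I2_SUFFIXES) -> bool:
    """True if any hop on the path belongs to an I2 backbone domain."""
    return any(is_i2_hop(name, suffixes) for _, name, _ in parse_hops(output))


def run_traceroute(host: str) -> str:
    """Real tracer: one probe per hop, 2 s timeout (Linux traceroute flags)."""
    proc = subprocess.run(["traceroute", "-q", "1", "-w", "2", host],
                          capture_output=True, text=True, check=False)
    return proc.stdout


def classify(hosts: Iterable[str],
             tracer: Callable[[str], str] = run_traceroute) -> Dict[str, bool]:
    """Map each relay address to whether its path crosses I2.

    `tracer` is injectable so the classification can be exercised offline
    on recorded output; the default runs traceroute for real.
    """
    return {h: via_internet2(tracer(h)) for h in hosts}


# Constructed sample traceroutes: documentation addresses, invented names.
SAMPLE = {
    "192.0.2.10": """\
traceroute to 192.0.2.10 (192.0.2.10), 30 hops max, 60 byte packets
 1  gw.campus.example.edu (198.51.100.1)  0.412 ms
 2  border.campus.example.edu (198.51.100.2)  0.901 ms
 3  ipls-chin.abilene.ucaid.edu (203.0.113.5)  12.3 ms
 4  relay-a.example.edu (192.0.2.10)  14.0 ms
""",
    "192.0.2.20": """\
traceroute to 192.0.2.20 (192.0.2.20), 30 hops max, 60 byte packets
 1  gw.campus.example.edu (198.51.100.1)  0.380 ms
 2  *
 3  ge-1-1.commodity-isp.example.net (203.0.113.77)  9.8 ms
 4  relay-b.example.net (192.0.2.20)  21.5 ms
""",
}

if __name__ == "__main__":
    # Offline run over the constructed samples instead of live traceroutes.
    for host, on_i2 in classify(SAMPLE, tracer=SAMPLE.__getitem__).items():
        print(host, "I2" if on_i2 else "commodity")
```

Paths are asymmetric and change as routes do, so a classification is only a snapshot: rerun it on a schedule, and treat a relay as "I2" only while the path keeps showing a backbone hop.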