Re: [tor-relays] Script to get top relays, AS and countries weights

[Karsten Loesing]

On 7/26/12 4:50 PM, Moritz Bartl wrote:
> On 26.07.2012 16:39, delber wrote:
>> Compass is fine by me. Although, you have to admit that it does not say
>> more than `tor-relay-stats`.

I agree that Compass does not say more than tor-relay-stats.  But it's a
name, and once you know about it, it's much easier to refer to the thing
by using the name.  tor-relay-stats is not as useful as a name, because
it's long and trying to be descriptive.  But tor-relay-stats can be
pretty much anything.  metrics.tpo is full of Tor relay stats. ;)

> I opt for tor-relay-stats. I don't believe a helper script needs a made
> up name that doesn't say anything :)

Maybe, yes.  Not feeling strongly, sticking with tor-relay-stats. :)

Best,
Karsten

___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] Call for discussion: turning funding into more exit relays

[grarpamp]

>> 4) What exactly do we mean by diversity?
>
> I would look at this almost entirely from a jurisdictional and ISP level.  I
> believe the biggest "sudden impact" threats to the tor network are going to
> be from legal changes (jurisdictional, i.e. "save the children, nullroute
> the nodes") and local business policy changes ("sorry tor customers, no more
> tor egress from our DC due to complaints").

I'm not sure which thread I mentioned this on so I'll put it here to be sure.
I think one main thing needed is a project to catalog all the current
exits as to their diversity...
Box: ISP/hoster, AS, datacenter, country, upstream AS/Tier-n path,
relay-operator
Relay-operator: country

Without that, seems like placing nodes amounts to, 'Well,
we don't have any in Iran, let's go there'. If it turns out that
IP is more or less fed as a courtesy from UAE across the
gulf, there's not much gain. Repeat analysis for any of the
above parameters.

More nodes are probably good, just not all as USA, Equinix,
Level3, with whatever hoster has a rack in all the DC's.
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] Call for discussion: turning funding into more exit relays

[Andy Isaacson]

On Tue, Jul 24, 2012 at 02:36:32AM +, k...@damnfbi.tk wrote:
> Hey all,
> Has anyone contemplated pitching this towards hackerspaces running
> their own fast nodes?

I wouldn't recommend running an exit node on a network link that will
make you sad if it goes away for a few days.  Most hackerspaces would be
very sad without Internet, and "shut off the account" is a common ISP
response to even fairly small amounts of abuse traffic.

> While most have a decent connection to support their space and users
> I'm sure it would pair well and also allow them to supplement their
> meager income.

I didn't get the impression from Roger's email that "profit" is part of
the equation.  The purpose of the proposed funding is to defray costs;
most hackerspaces that run exit nodes run them at break-even with
donations, not even counting the value of the volunteer time needed to
run the node.  That would probably continue with the proposed funding.

-andy
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] Call for discussion: turning funding into more exit relays

[Josh]

Excuse me, as I'm rather new to mailing lists an the sort, but I've been 
tailing the conversation on and off the last few days.


I'm currently using Secured Servers through PheonixNAP as my dedicated 
provider. I've used them for roughly a year now and have had no real 
problems. They are located in Pheonix, Arizona.


Bandwidth through them is relatively cheap. I'm paying $25/month for a 
1Gbps line with 15TB of bandwidth. $10 for the 1Gbps line itself, then 
$1/TB of bandwidth I need per month. The overall cost of my server is 
around $170/month. It is a quad core Xeon E3-1270 with 16GB of RAM and a 
2TB hard disk. It's obviously not just for a Tor relay, but it is more 
than powerful enough to run one.


I had contacted one of my techs twice in the past and asked for 
confirmation that they would not have any problems with me running a Tor 
exit node on my server. I explained what Tor was, and explained what 
running an exit node would likely entail. They stated that they would 
not have a problem with it unless it caused a large amount of abuse 
reports in a short time span, and if it did, they would simply ask me to 
take it offline or take steps to reduce the rate of abuse reports, but 
he said it would likely not be a problem as long as I was not hosting 
anything illegal myself.


I have not talked to them regarding a SWIP on my IP range, but they seem 
like they might be willing to at least negotiate. They had no problems 
setting me up with Microsoft's JMRP (Junk Mail Reporting Program), which 
forwards all Hotmail/MSN abuse complaints to me personally.


Regardless, they're one of the most affordable dedicated hosting 
providers I've used, and I'm quite happy with their service. They may be 
a viable option for running TOR Relays, but I cannot 100% guarantee they 
will have no problems with it. It may be worth calling or e-mailing them 
yourselves to inquire further.


(If you don't mind me sending my affiliate link and using it if you 
decide to purchase from them, it would be greatly appreciated,)

http://www.securedservers.com/396.html

Regular links to SecuredServers/PheonixNAP,
http://www.securedservers.com/ 
http://www.phoenixnap.com/

On 07/26/2012 08:23 PM, Name Withheld wrote:


1) What exactly would we pay for?


Agree on 100+ mbps exit node funding.  Also agree with Moritz's 
suggestion that there be a form that limits fund disbursement on a 
per-ISP level, to encourage ISP diversity (and contribute to the 
discovery of new "known good" ISPs for tor).


*Continued* funding should be contingent on *simple* review 
requirements (e.g. node must be up and passing decent traffic during 
period, fund recipient must document experience with ISP on GoodBadISP 
wiki page, etc) without making it a paperwork nightmare.


2) Should we fund existing relays or new ones?


Difficult question.  Would say allow both, with the agreement that 
anyone those running existing relays agree to improve service in some 
way (increase monthly b/w cap, set up an additional node [even if it's 
a small vps that doesn't require the amount of money funded], etc).  
This would allow our big important providers to offset some of their 
existing costs while still expanding the network (even if it's in 
nominal terms in limited circumstances).


If there's suspected abuse, run a annual/semiannual funding review, 
but I imagine those gaming the system are more likely to be small 
players than the larger, established providers who were running nodes 
without any help.



4) What exactly do we mean by diversity?


I would look at this almost entirely from a jurisdictional and ISP 
level.  I believe the biggest "sudden impact" threats to the tor 
network are going to be from legal changes (jurisdictional, i.e. "save 
the children, nullroute the nodes") and local business policy changes 
("sorry tor customers, no more tor egress from our DC due to 
complaints").


Other threats are more likely to occur slowly, requiring less focus on 
pre-planning.


5) How much "should" an exit relay cost?


$150/mo minimum.  I pay roughly $130/mo with limehost/voxility, and 
they're almost the cheapest physical servers & bandwidth to be had on 
the internet.  Western Europe, US, & Asian locations are going to be 
more expensive for a quality provider.  Perhaps offer different 
funding amounts based on the ISP's region?


Also, review funding minimums and maximums every 3-6 months -- I think 
that as VPS providers become more competitive and reliable for tor 
purposes (i.e. losing the metering), this is going to could change 
very favorably.


6) How exactly should we choose which exit relay operators to
reimburse?


I think history is a good metric for determining how successfully an 
operator will be in setting up a new node.  If you get money to one of 
a the major operators on the condition of setting up a new node, I 
don't think they will have trouble setting up a new 

Re: [tor-relays] Call for discussion: turning funding into more exit relays

[Name Withheld]

> 1) What exactly would we pay for?
>
>
Agree on 100+ mbps exit node funding.  Also agree with Moritz's suggestion
that there be a form that limits fund disbursement on a per-ISP level, to
encourage ISP diversity (and contribute to the discovery of new "known
good" ISPs for tor).

*Continued* funding should be contingent on *simple* review requirements
(e.g. node must be up and passing decent traffic during period, fund
recipient must document experience with ISP on GoodBadISP wiki page, etc)
without making it a paperwork nightmare.



> 2) Should we fund existing relays or new ones?
>
>
Difficult question.  Would say allow both, with the agreement that anyone
those running existing relays agree to improve service in some way
(increase monthly b/w cap, set up an additional node [even if it's a small
vps that doesn't require the amount of money funded], etc).  This would
allow our big important providers to offset some of their existing costs
while still expanding the network (even if it's in nominal terms in limited
circumstances).

If there's suspected abuse, run a annual/semiannual funding review, but I
imagine those gaming the system are more likely to be small players than
the larger, established providers who were running nodes without any help.


>
> 4) What exactly do we mean by diversity?
>
>
I would look at this almost entirely from a jurisdictional and ISP level.
I believe the biggest "sudden impact" threats to the tor network are going
to be from legal changes (jurisdictional, i.e. "save the children,
nullroute the nodes") and local business policy changes ("sorry tor
customers, no more tor egress from our DC due to complaints").

Other threats are more likely to occur slowly, requiring less focus on
pre-planning.



> 5) How much "should" an exit relay cost?
>
>
$150/mo minimum.  I pay roughly $130/mo with limehost/voxility, and they're
almost the cheapest physical servers & bandwidth to be had on the
internet.  Western Europe, US, & Asian locations are going to be more
expensive for a quality provider.  Perhaps offer different funding amounts
based on the ISP's region?

Also, review funding minimums and maximums every 3-6 months -- I think that
as VPS providers become more competitive and reliable for tor purposes
(i.e. losing the metering), this is going to could change very favorably.



> 6) How exactly should we choose which exit relay operators to reimburse?
>
>
I think history is a good metric for determining how successfully an
operator will be in setting up a new node.  If you get money to one of a
the major operators on the condition of setting up a new node, I don't
think they will have trouble setting up a new node.  If you give it to new
guy, you had better have strong a strong indication that they have the
skills necessary to handle becoming an overnight systems administrator.



> 7) How do we audit / track the sponsored relays?
>
>
Are there any known weaknesses with just checking the stats pages?  Require
those selected for funds to register their node nicknames, then check to
see if they're online (and passing a reasonable amount of traffic) couple
time a month (or week, or day... whatever).



> 8) Legal questions?
>
>
Really should ask friendly lawyer blogs about this one.  Given the million
different jurisdictions involved with tor, there's probably no safe answer,
but I would suggest phrasing everything as a "reimbursement" or "award"
rather than a payment to try and limit any perception that this is a
commercial activity.  State in the agreement that the funds are not to be
used for commercial purposes, or something similar, and that they do not
constitute a commercial relationship between funder and fundee.
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] Call for discussion: turning funding into more exit relays

[Jacob Appelbaum]

Andreas Fink:
> On 26.07.2012, at 19:52, Andrew Lewman  wrote:
> 
>> On Thu, 26 Jul 2012 16:05:53 +
>> k...@damnfbi.tk wrote:
>>> We should probably talk further then since I'm _in_ Iceland atm and 
>>> would also like to see a high capacity node here.
>>> May I ask for your reasoning though? A lot of people on both sides of 
>>> the pond have believed that IMMI  
>>> has been passed here already when it has in fact not (yet). I'm in
>>> touch with those trying to pass it and it comes up for major review
>>> in september. Have you tried talking to DataCell 
>>> ? 
>>
>> I talked to Datacell roughly a year ago. They were fine with an exit
>> relay, but at the time were distracted by suing Visa. 
>>
>> The only issue was pure cost. Traffic leaving Iceland costs a lot. I
>> wasn't prepared to spend ISK300,000 per month for a 100 mbps exit relay.
>>
>> Maybe times have changed and traffic from Iceland is not so expensive
>> anymore.
> 
> Traffic from Iceland is still relatively expensive. However we could host 
> some machines in other places where we interconnect on internet exchanges. We 
> are still distracted by suing Visa due to Wikileaks case but that doesn't 
> stop us doing good business.
> 
> I believe we have a couple of users running tor on their VM's. Not sure if 
> exit or not. But the first law enforcement request (identify the owner) was 
> already in (however not in proper format and from the wrong country so we 
> didn't have to answer it anyway. They couldn't even read whois entries 
> correctly or use traceroute to get an idea where the server really is). 
> 

Hi Andreas,

Thanks for continuing to sue Visa and thanks for your support of well,
everything you seem to support.

If we wanted to collectively pool some cash and pay for 100Mb or 1Gb of
bandwidth on a rented machine, specifically as a Tor exit - what would
you want to see from the Tor community in terms of a monthly payment?

All the best,
Jacob
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] Electronic surveillance on major tor exits

[Ted Smith]

On Thu, 2012-07-26 at 18:57 +0100, mick wrote:
> On Mon, 23 Jul 2012 11:03:24 -1000
> Name Withheld  allegedly wrote:
>  
> > Most Tor users probably don't read the manual and follow best 
> > practices.  I'm sure we've all seen traffic where users are using
> > google maps to find directions from their home, or logging into their
> > true-name mail accounts.  When you combine this "State of our Method"
> > with a choke on the number
> 
> I'm surprised that no-one else seems to have picked up on this. But no,
> "we have /not/ all seen traffic where users" are doing something
> Because we aren't looking at user's traffic. And we damned well should
> not be.

You don't need to be sniffing exit traffic to see this. I use Tor for a
lot of traffic, including traffic that personally identifies me. That's
not contrary to the purpose of Tor or onion routing in general, which is
to separate routing from identity. My email provider doesn't need to
know where I'm connecting from, even if they know my legal name.

-- 
Sent from Ubuntu


signature.asc
Description: This is a digitally signed message part
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] Call for discussion: turning funding into more exit relays

[Andrew Lewman]

On Thu, 26 Jul 2012 20:08:05 +0200
Andreas Fink  wrote:
> Traffic from Iceland is still relatively expensive. However we could
> host some machines in other places where we interconnect on internet
> exchanges. 

Is this true for IPv6 too?  I've found asking for IPv6-only servers is
almost free, because ISPs are trying to justify their investment of
IPv6-capable equipment. And having a customer run IPv6 without needing
IPv4 address space is a unicorn.

-- 
Andrew
http://tpo.is/contact
pgp 0x6B4D6475
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] Electronic surveillance on major tor exits

[Name Withheld]

I meant "we" as in "our nodes."  I can guarantee any node you run (of 
size) sees that kind of traffic run through it.  If you think it 
doesn't, I suspect you'll change your mind after spending 30 seconds on 
IRC talking to an average user.




On 7/26/2012 7:57 AM, mick wrote:

On Mon, 23 Jul 2012 11:03:24 -1000
Name Withheld  allegedly wrote:
  

Most Tor users probably don't read the manual and follow best
practices.  I'm sure we've all seen traffic where users are using
google maps to find directions from their home, or logging into their
true-name mail accounts.  When you combine this "State of our Method"
with a choke on the number

I'm surprised that no-one else seems to have picked up on this. But no,
"we have /not/ all seen traffic where users" are doing something
Because we aren't looking at user's traffic. And we damned well should
not be.

Mick
-
blog: baldric.net
fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312

Note that I have recently upgraded my GPG key see:
http://baldric.net/2012/07/20/gpg-key-upgrade/
-



___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] Electronic surveillance on major tor exits

[Sam Whited]

On Thu, Jul 26, 2012 at 2:47 PM, mick  wrote:
> He specifically used the word "traffic". That does not imply shoulder
> surfing.

I think the original messages point was simply: ``we all know that
some people don't use Tor properly." I doubt he is actually sniffing
traffic on his relay (or looking over a friend's shoulder). Perhaps
not though — I just wouldn't jump to any conclusions.

Best,
Sam

-- 
Sam Whited
pub 4096R/EC2C9934

SamWhited.com
s...@samwhited.com
404.492.6008
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] Negative impact of MaxOnionsPending 250?

[markus reichelt]

* Moritz Bartl  wrote:

> What is the negative impact of setting MaxOnionsPending to 250? 
> Should we instead reduce the bandwidth as suggested in the warning?

I run several low/medium bandwidth relays and so far (~6 weeks)
haven't observed any negative effects with MaxOnionsPending set to
250. 

It might be a different matter on medium/high bandwidth relays that
also offer hidden services that are actually being used.

-- 
left blank, right bald


pgpGzZNSrT050.pgp
Description: PGP signature
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] Electronic surveillance on major tor exits

[mick]

On Thu, 26 Jul 2012 14:30:02 -0400 (EDT)
"Steve Snyder"  allegedly wrote:

> I took "seen" to mean looking over someone's shoulder as they used
> Tor, not sniffing their traffic.

He specifically used the word "traffic". That does not imply shoulder
surfing.

-
blog: baldric.net
fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312

Note that I have recently upgraded my GPG key see:
http://baldric.net/2012/07/20/gpg-key-upgrade/
-



signature.asc
Description: PGP signature
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] Call for discussion: turning funding into more exit relays

[Andreas Fink]

On 26.07.2012, at 19:52, Andrew Lewman  wrote:

> On Thu, 26 Jul 2012 16:05:53 +
> k...@damnfbi.tk wrote:
>> We should probably talk further then since I'm _in_ Iceland atm and 
>> would also like to see a high capacity node here.
>> May I ask for your reasoning though? A lot of people on both sides of 
>> the pond have believed that IMMI  
>> has been passed here already when it has in fact not (yet). I'm in
>> touch with those trying to pass it and it comes up for major review
>> in september. Have you tried talking to DataCell 
>> ? 
> 
> I talked to Datacell roughly a year ago. They were fine with an exit
> relay, but at the time were distracted by suing Visa. 
> 
> The only issue was pure cost. Traffic leaving Iceland costs a lot. I
> wasn't prepared to spend ISK300,000 per month for a 100 mbps exit relay.
> 
> Maybe times have changed and traffic from Iceland is not so expensive
> anymore.

Traffic from Iceland is still relatively expensive. However we could host some 
machines in other places where we interconnect on internet exchanges. We are 
still distracted by suing Visa due to Wikileaks case but that doesn't stop us 
doing good business.

I believe we have a couple of users running tor on their VM's. Not sure if exit 
or not. But the first law enforcement request (identify the owner) was already 
in (however not in proper format and from the wrong country so we didn't have 
to answer it anyway. They couldn't even read whois entries correctly or use 
traceroute to get an idea where the server really is). 


Andreas Fink
CEO DataCell ehf

> -- 
> Andrew
> http://tpo.is/contact
> pgp 0x6B4D6475
> ___
> tor-relays mailing list
> tor-relays@lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] Call for discussion: turning funding into more exit relays

[mick]

On Mon, 23 Jul 2012 14:58:54 -0400
Roger Dingledine  allegedly wrote:

> The result though is a direct tradeoff
> with relay diversity: on today's network, clients choose one of the
> fastest 5 exit relays around 25-30% of the time, and 80% of their
> choices come from a pool of 40-50 relays.
> https://trac.torproject.org/projects/tor/ticket/6443

That cannot be good for the health of the network. It reduces the
size and complexity of the attackers target. 

> Since extra capacity is clearly good for performance, and since we're
> not doing particularly well at diversity with the current approach,
> we're going to try an experiment: we'll connect funding to exit relay
> operators so they can run bigger and/or better exit relays.
> 
> If we do it right (make more faster exit relays that aren't the
> current biggest ones, so there are more to choose from), we will
> improve the network's diversity as well as being able to handle more
> users.

Improving diversity (rather than outright speed) is, in my view, a
greater priority given your point above. 

> We've lined up our first funder (BBG, aka http://www.voanews.com/),
> and they're excited to have us start as soon as we can. They want to
> sponsor 125+ fast exits.

Forgive me, but what do they want in return? ("He who pays the
piper...")

I'm ambivalent about the idea of funding. Whilst I can see that it
might help the Tor network to grow, I see downstream problems if
funding dries up (or is "threatened" to be withdrawn). Whilst
volunteer funding (and resourcing) can probably never provide the size
and speed of network we would all like to see, it has the advantage
of freedom from a lot of potential constraints. Being a Brit, I also
prefer the model of "unpaid blood donation" to the commercial
model used in some countries. (It just makes you feel good) 

> More generally, we need to consider sustainability. Our current exit
> relay funding is for a period of 12 months, and while there's reason
> to think we will find continued support, the Tor network must not end
> up addicted to external funding. So long as everybody is running an
> exit relay because they want to save the world, I think we should be
> fine.

I agree 100%
 
Mick


-
blog: baldric.net
fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312

Note that I have recently upgraded my GPG key see:
http://baldric.net/2012/07/20/gpg-key-upgrade/
-



signature.asc
Description: PGP signature
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] Electronic surveillance on major tor exits

[Steve Snyder]

On Thursday, July 26, 2012 1:57pm, "mick"  said:
> ___
> tor-relays mailing list
> tor-relays@lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
> On Mon, 23 Jul 2012 11:03:24 -1000
> Name Withheld  allegedly wrote:
> 
>> Most Tor users probably don't read the manual and follow best
>> practices.  I'm sure we've all seen traffic where users are using
>> google maps to find directions from their home, or logging into their
>> true-name mail accounts.  When you combine this "State of our Method"
>> with a choke on the number
> 
> I'm surprised that no-one else seems to have picked up on this. But no,
> "we have /not/ all seen traffic where users" are doing something
> Because we aren't looking at user's traffic. And we damned well should
> not be.

I took "seen" to mean looking over someone's shoulder as they used Tor, not 
sniffing their traffic.


___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] Call for discussion: turning funding into more exit relays

[mick]

On Tue, 24 Jul 2012 07:05:41 -0400
Mike  allegedly wrote:

> in closing, don't discredit the cheaper solutions. They do work just
> fine and you don't need a pocket of money to throw at something.
> Telling the provider what you plan on doing and educating them works
> wonders as well. It has for me at least.
> 

Seconded.


-
blog: baldric.net
fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312

Note that I have recently upgraded my GPG key see:
http://baldric.net/2012/07/20/gpg-key-upgrade/
-



signature.asc
Description: PGP signature
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] Electronic surveillance on major tor exits

[mick]

On Mon, 23 Jul 2012 11:03:24 -1000
Name Withheld  allegedly wrote:
 
> Most Tor users probably don't read the manual and follow best 
> practices.  I'm sure we've all seen traffic where users are using
> google maps to find directions from their home, or logging into their
> true-name mail accounts.  When you combine this "State of our Method"
> with a choke on the number

I'm surprised that no-one else seems to have picked up on this. But no,
"we have /not/ all seen traffic where users" are doing something
Because we aren't looking at user's traffic. And we damned well should
not be.

Mick
-
blog: baldric.net
fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312

Note that I have recently upgraded my GPG key see:
http://baldric.net/2012/07/20/gpg-key-upgrade/
-



signature.asc
Description: PGP signature
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] Call for discussion: turning funding into more exit relays

[Andrew Lewman]

On Thu, 26 Jul 2012 16:05:53 +
k...@damnfbi.tk wrote:
> We should probably talk further then since I'm _in_ Iceland atm and 
> would also like to see a high capacity node here.
> May I ask for your reasoning though? A lot of people on both sides of 
> the pond have believed that IMMI  
> has been passed here already when it has in fact not (yet). I'm in
> touch with those trying to pass it and it comes up for major review
> in september. Have you tried talking to DataCell 
> ? 

I talked to Datacell roughly a year ago. They were fine with an exit
relay, but at the time were distracted by suing Visa. 

The only issue was pure cost. Traffic leaving Iceland costs a lot. I
wasn't prepared to spend ISK300,000 per month for a 100 mbps exit relay.

Maybe times have changed and traffic from Iceland is not so expensive
anymore.

-- 
Andrew
http://tpo.is/contact
pgp 0x6B4D6475
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] Call for discussion: turning funding into more exit relays

[Sebastian G.]

Roger Dingledine:
> - Should we prefer big collectives like torservers, noisetor, CCC,
> dfri.se, and riseup (which can get great bulk rates on bandwidth and are
> big enough to have relationships with local lawyers and ISPs), or should
> we prefer individuals since they maximize our operator diversity? I think
> "explore both approaches" is a fine first plan.

You should explore both approaches, but expect that individuals that
haven't run an exit before - but are willing to do so - could require
more support.

I could imagine that interested people would be concerned about abuse
complaints. Finding an reasonable ISP is another problem. I'm quite
confident that the Tor community would assist, but don't know how it
could be organized.

> - Does the overall Tor network change legal categories in some
> country,
> e.g. becoming a telecommunications service when it wasn't before?

I wonder what would happen when Tor had "official abuse devisions",
where some people care about the abuse complaints the Tor network
"produces". Compared to "TelcoUK" and "TelcoUS" where each "Telco"
reacts to abuse complaints. Could that make Tor a telecommunications
service?


Everything else has mostly said, I guess.

Regards,
Sebastian
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] Call for discussion: turning funding into more exit relays

[Moritz Bartl]

On 26.07.2012 18:05, k...@damnfbi.tk wrote:
> Hi Moritz,
> We should probably talk further then since I'm _in_ Iceland atm and
> would also like to see a high capacity node here.
> May I ask for your reasoning though? 

Country/legal diversity.

> Have you tried talking to DataCell?

No, I have not yet.

Contrary to what has been posted on the list: Yes, we could afford
higher priced bandwidth than the average person, but we don't want to:
We are still committed to using donations for cheap bandwidth. Without
an additional "dedicated" Iceland sponsor, I don't feel I should touch
our current money for that.

-- 
Moritz Bartl
https://www.torservers.net/
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] Call for discussion: turning funding into more exit relays

[mick]

On Thu, 26 Jul 2012 12:01:13 -0400 (EDT)
"Steve Snyder"  allegedly wrote:

> Is there any justification for a low-bandwidth Tor node?  And if so,
> what is the practical minimum bandwidth needed to actually see any
> traffic?

Yes. I run one. And have run two (or three at one time). I currently
run one on a rented VPS which shovels around 700-750 Meg per month.
The fastest I have run only gave 1Gig of traffic per month. I currently
don't allow exit (but have in the past) following a series of hassles
from my (otherwise quite accomodating) ISP who was getting flak about
abuse.

I guess I am typical of the low usage "domestic" type user who got fed
up with the impact on his ADSL line of running Tor locally so moved it
to a cheap VPS. I tunnel out to that VPS over SSH when I use Tor and
find that a much better way of accessing the network.

I choose to fund a Tor node because I am a Tor user and I believe in
giving something back to the Tor community by way of thanks. I do not
want, nor do I need, funding for that. 

Mick 

-
blog: baldric.net
fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312

Note that I have recently upgraded my GPG key see:
http://baldric.net/2012/07/20/gpg-key-upgrade/
-



signature.asc
Description: PGP signature
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] Call for discussion: turning funding into more exit relays

[kupo]

Hi Moritz,
We should probably talk further then since I'm _in_ Iceland atm and 
would also like to see a high capacity node here.
May I ask for your reasoning though? A lot of people on both sides of 
the pond have believed that IMMI  
has been passed here already when it has in fact not (yet). I'm in touch 
with those trying to pass it and it comes up for major review in 
september. Have you tried talking to DataCell 
? They would be much more open to running an 
Exit node and if you talked to them personally might be able to offer 
some discounted rate here.

-kupo

On 07/26/2012 02:14 PM, Moritz Bartl wrote:

Hi,

What can I say that hasn't been said by others before... :)

We are in contact with reliable ISPs with endpoints in various
countries. They would be willing to cooperate on exits at these
locations. We have not yet talked about prices.

I would say we (as in Torservers.net) are in the position to run
multiple Gbit/s servers for prices at below $1/Mbit at "not your typical
ISP". In theory, we would be able to fulfill the 12.5 Gbit/s alone.
We're about to test a 10Gbit uplink with a Xeon behind it to find out
how far we can push a single server.

That said, we should discuss and come up with a good organizational
structure to reimburse people. Personally, I would only sponsor 100
Mbit/s or more (or maybe even only Gbit). I would set up a template that
asks for ISP information, so we can reject too many exits at one place
(say, a maximum of 1 Gbit/s or even one server per datacenter?).

Do you plan on reimbursing up front for a longer period, or only after?
We would likely need the money up front at least on a monthly basis.

Another option we have that might be more convenient is to decide on the
twelve/thirteen server locations up front and then ask the community to
fill the slots.

Given that there are places where you get Gbit for around or less than
$500, we could use the "extra money" to fund some slower locations. I
would very much like to see a high-bandwidth Iceland exit. The last
quote I got was 500 Euro for 200 Mbit/s (including hardware) at
Advania/ThorDC.



___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] Call for discussion: turning funding into more exit relays

[Steve Snyder]

Roger Dingledine arma at mit.edu
Mon Jul 23 18:58:54 UTC 2012
[snip]
>At the same time, much of our performance improvement comes from better
>load balancing -- that is, concentrating traffic on the relays that can
>handle it better. The result though is a direct tradeoff with relay
>diversity: on today's network, clients choose one of the fastest 5 exit
>relays around 25-30% of the time, and 80% of their choices come from a
>pool of 40-50 relays.
[snip]

>From what I see on the TorStatus pages (torstatus.all.de, blutmagie.de) about 
>a third of the roughly 3000 relays listed are at or below 64KB/sec of 
>demonstrated bandwidth.  No doubt some of these are soon-to-be-high-bandwidth 
>servers that are just ramping up, and some are nodes having transitory 
>networking problems.  It seems reasonable to assume, though, that most of 
>these low-bandwidth nodes are intentionally low-bandwidth, perhaps on the 
>basis of the Tor doc stating a 20KB/sec minimum.

With "80% of their choices come from a pool of 40-50 relays" that leaves a 20% 
chance for the remaining 2950 nodes.  A case for low-bandwidth nodes can be 
made as a means to dissuade anticipated routing (due to pool size), but it 
seems from the stats quoted above that there is little chance that 2000+ of 
these 3000 nodes will ever carry Tor traffic, and thus can be ignored for 
purposes of traffic analysis.

Is there any justification for a low-bandwidth Tor node?  And if so, what is 
the practical minimum bandwidth needed to actually see any traffic?


___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

[tor-relays] Negative impact of MaxOnionsPending 250?

[Moritz Bartl]

Hi,

We sometimes see "Your computer is too slow to handle this many circuit
creation requests!" on our servers. Scott Bennett suggested to set
MaxOnionsPending to 250 instead of the default of 100, which at least
makes the warnings disappear. [1]

I am thinking about modifying out torrc template we use as as basis for
all servers. What is the negative impact of setting MaxOnionsPending to
250? Should we instead reduce the bandwidth as suggested in the warning?

[1] https://lists.torproject.org/pipermail/tor-relays/2012-May/001352.html
-- 
Moritz Bartl
https://www.torservers.net/
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] Call for discussion: turning funding into more exit relays

[Moritz Bartl]

On 26.07.2012 16:14, Moritz Bartl wrote:
> That said, we should discuss and come up with a good organizational
> structure to reimburse people. Personally, I would only sponsor 100
> Mbit/s or more (or maybe even only Gbit). 

To make this more explicit: I opt to have 13 organizations/people
running 1 Gbit/s each. If an organization already runs 1 Gbit/s or more
from other funding (like CCC and Torservers), they are not eligible for
receiving a node stipend.

-- 
Moritz Bartl
https://www.torservers.net/
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] Script to get top relays, AS and countries weights

[Moritz Bartl]

On 26.07.2012 16:39, delber wrote:
> Compass is fine by me. Although, you have to admit that it does not say
> more than `tor-relay-stats`.

I opt for tor-relay-stats. I don't believe a helper script needs a made
up name that doesn't say anything :)

-- 
Moritz Bartl
https://www.torservers.net/
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] Script to get top relays, AS and countries weights

[delber]

On Fri, Jul 20, 2012 at 04:31:48PM +0200, Karsten Loesing wrote:
> I made a couple more changes to the script.  We could clean up the code
> a bit and improve the documentation, but I consider the script pretty
> much feature-complete now.  Yay! :)

I have used it a bit. This is simply brilliant. :)
 
> Next step is to find a good product name.  "tor-relays-stats" doesn't
> say very much and is hard to remember.  How about Compass?  (Think:
> supplemental tool to Atlas to navigate the Tor network.)

Compass is fine by me. Although, you have to admit that it does not say
more than `tor-relay-stats`.
 
-- 
delber


pgpY9ZkHY0Lao.pgp
Description: PGP signature
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] Call for discussion: turning funding into more exit relays

[Moritz Bartl]

Hi,

What can I say that hasn't been said by others before... :)

We are in contact with reliable ISPs with endpoints in various
countries. They would be willing to cooperate on exits at these
locations. We have not yet talked about prices.

I would say we (as in Torservers.net) are in the position to run
multiple Gbit/s servers for prices at below $1/Mbit at "not your typical
ISP". In theory, we would be able to fulfill the 12.5 Gbit/s alone.
We're about to test a 10Gbit uplink with a Xeon behind it to find out
how far we can push a single server.

That said, we should discuss and come up with a good organizational
structure to reimburse people. Personally, I would only sponsor 100
Mbit/s or more (or maybe even only Gbit). I would set up a template that
asks for ISP information, so we can reject too many exits at one place
(say, a maximum of 1 Gbit/s or even one server per datacenter?).

Do you plan on reimbursing up front for a longer period, or only after?
We would likely need the money up front at least on a monthly basis.

Another option we have that might be more convenient is to decide on the
twelve/thirteen server locations up front and then ask the community to
fill the slots.

Given that there are places where you get Gbit for around or less than
$500, we could use the "extra money" to fund some slower locations. I
would very much like to see a high-bandwidth Iceland exit. The last
quote I got was 500 Euro for 200 Mbit/s (including hardware) at
Advania/ThorDC.

-- 
Moritz Bartl
https://www.torservers.net/
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] High speed Relays/Exit nodes

[Dennis Ljungmark]

On Thu, Jul 26, 2012 at 1:08 PM, Jacob Appelbaum wrote:

> Dennis Ljungmark:
> > Hi,
> >   We're currently running 6 different 100-200Mbit relay/guard nodes, and
> > are looking at some issues moving on towards high performant exit nodes.
> >
> >   There are some administrative issues ( needing another IP block due to
> > the RIPE registration, our ISP doesn't want their name on the exit nodes
> > that we are responsible for )
> >  which are generally minor ( are being resolved anyhow ) and then the big
> > stumbling block.
> >
> >  Right now, with iptables modifications ( raw tables hacks to disable
> > conntrack, bucket increases, following the general best practices ) our
> > firewall is running at high amounts of CPU, but coping.  However, once we
> > start introducing Exit Nodes into this equation, things turn sour.
> >
> > So, since we do not want to trust only routing level separation between
> > Exit Nodes and internal networks, we're going to have to invest into new
> > hardware that can cope with this.  Before this, we tried Ingate
> firewalls,
> > and they weren't capable of coping with the load of guard nodes.
> >
> >   ( The traditional "linux box in front" doesn't quite cut it due to
> > networking hardware in most cases. )
> >
> > So,
> >   in summary,  when you get to the point of actively dealing with
> 8-900Mbps
> > of Tor traffic ( on top of normal users and others) what hardware is
> needed
> > to cope with firewalling?
> >
>
> Hey Dennis,
>
> What hardware are you using? In general iptables/netfilter should be
> able to handle more than 200Mb without any trouble at all.
>
> I wonder if your network card is an issue? What CPUs are you using? What
> versions of OpenSSL and other relevant software are in use?
>
> All the best,
> Jacob
>
>
Hardware on the Firewall, or on the Tor nodes? Note here that the tor nodes
are not our current bottleneck, so SSL Decoding/OpenSSL isn't part of the
problems here. We're getting 200Mbps without trouble, but the network cards
in the current firewall   (separate from the Tor nodes) is capping out at
~800Mbps.  ( Not good enough imo, but another issue )

The problem that I have is that the current i686 (32bit) firewall  cannot
cope with the connections once we move into exit node land.

Due to other network issues, we cannot "carte blanche" disable connection
tracking ( Fex. Traffic from Tor exit nodes to other corporate networks
need to be tracked,  as well as corp net / public wifi need tracking and
tracing )
( Since it's all on a single fiber incoming, we don't have the option of
physically separating them. )

//D.S.
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] Call for discussion: turning funding into more exit relays

[kupo]

Just throwing my 2 cents in, we're running loki 
 
on a decade old dell pe1950 p3 (32bit) w/ 2GB of ram. We average about 
5.2 Mbps of traffic. That said I'm looking forward to seeing what 
increases a 64 cpu would bring.

-kupo


On 07/26/2012 07:28 AM, Andy Isaacson wrote:

On Wed, Jul 25, 2012 at 11:48:16PM -0700, Sriakhil Gogineni wrote:

Ball park quotes we got were 99$ / 100 Mbps or $599 / 1000 Mbps for transit
for a single 1U... we'll see if we can get something better...

That's a good quote for 1Gbps.


Would this be helpful / viable option for a Tor exit node ?

Yes.


I also had just one question: what are the specs required for a Tor node?
It does not seem too resource intensive but I have not been able to find
any minimum system requirements. Would a current / last-generation quad
core with 8GB + would suffice?

A quad-core Xeon X3350 at 2.66 GHz can easily push 500 Mbps of Tor
throughput (500 Mbps up, 500 Mbps down).  CPU is a fairly limiting
factor.  Having AES-NI is a benefit.  8GB RAM is reasonable; there's no
reason to have more, but less is a tight squeeze.

-andy
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] High speed Relays/Exit nodes

[Julian Wissmann]

> Dennis Ljungmark:
>> Hi,
>>  We're currently running 6 different 100-200Mbit relay/guard nodes, and
>> are looking at some issues moving on towards high performant exit nodes.
>> 
>>  There are some administrative issues ( needing another IP block due to
>> the RIPE registration, our ISP doesn't want their name on the exit nodes
>> that we are responsible for )
>> which are generally minor ( are being resolved anyhow ) and then the big
>> stumbling block.
>> 
>> Right now, with iptables modifications ( raw tables hacks to disable
>> conntrack, bucket increases, following the general best practices ) our
>> firewall is running at high amounts of CPU, but coping.  However, once we
>> start introducing Exit Nodes into this equation, things turn sour.
>> 
>> So, since we do not want to trust only routing level separation between
>> Exit Nodes and internal networks, we're going to have to invest into new
>> hardware that can cope with this.  Before this, we tried Ingate firewalls,
>> and they weren't capable of coping with the load of guard nodes.
>> 
>>  ( The traditional "linux box in front" doesn't quite cut it due to
>> networking hardware in most cases. )
>> 
>> So,
>>  in summary,  when you get to the point of actively dealing with 8-900Mbps
>> of Tor traffic ( on top of normal users and others) what hardware is needed
>> to cope with firewalling?
>> 
> 
> Hey Dennis,
> 
> What hardware are you using? In general iptables/netfilter should be
> able to handle more than 200Mb without any trouble at all.
> 
> I wonder if your network card is an issue? What CPUs are you using? What
> versions of OpenSSL and other relevant software are in use?
> 
> All the best,
> Jacob
> 
Also tweaking a few sysctls and playing around with txqueuelen will help.
See https://www.torservers.net/wiki/setup/server. I'll add some more stuff to 
the high bandwidth part of that page in a minute, also. I've done some more 
tweaking towards gbit that certainly helped, which I haven't documented yet.

Julian



signature.asc
Description: Message signed with OpenPGP using GPGMail
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] High speed Relays/Exit nodes

[Jacob Appelbaum]

Dennis Ljungmark:
> Hi,
>   We're currently running 6 different 100-200Mbit relay/guard nodes, and
> are looking at some issues moving on towards high performant exit nodes.
> 
>   There are some administrative issues ( needing another IP block due to
> the RIPE registration, our ISP doesn't want their name on the exit nodes
> that we are responsible for )
>  which are generally minor ( are being resolved anyhow ) and then the big
> stumbling block.
> 
>  Right now, with iptables modifications ( raw tables hacks to disable
> conntrack, bucket increases, following the general best practices ) our
> firewall is running at high amounts of CPU, but coping.  However, once we
> start introducing Exit Nodes into this equation, things turn sour.
> 
> So, since we do not want to trust only routing level separation between
> Exit Nodes and internal networks, we're going to have to invest into new
> hardware that can cope with this.  Before this, we tried Ingate firewalls,
> and they weren't capable of coping with the load of guard nodes.
> 
>   ( The traditional "linux box in front" doesn't quite cut it due to
> networking hardware in most cases. )
> 
> So,
>   in summary,  when you get to the point of actively dealing with 8-900Mbps
> of Tor traffic ( on top of normal users and others) what hardware is needed
> to cope with firewalling?
> 

Hey Dennis,

What hardware are you using? In general iptables/netfilter should be
able to handle more than 200Mb without any trouble at all.

I wonder if your network card is an issue? What CPUs are you using? What
versions of OpenSSL and other relevant software are in use?

All the best,
Jacob

___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

[tor-relays] High speed Relays/Exit nodes

[Dennis Ljungmark]

Hi,
  We're currently running 6 different 100-200Mbit relay/guard nodes, and
are looking at some issues moving on towards high performant exit nodes.

  There are some administrative issues ( needing another IP block due to
the RIPE registration, our ISP doesn't want their name on the exit nodes
that we are responsible for )
 which are generally minor ( are being resolved anyhow ) and then the big
stumbling block.

 Right now, with iptables modifications ( raw tables hacks to disable
conntrack, bucket increases, following the general best practices ) our
firewall is running at high amounts of CPU, but coping.  However, once we
start introducing Exit Nodes into this equation, things turn sour.

So, since we do not want to trust only routing level separation between
Exit Nodes and internal networks, we're going to have to invest into new
hardware that can cope with this.  Before this, we tried Ingate firewalls,
and they weren't capable of coping with the load of guard nodes.

  ( The traditional "linux box in front" doesn't quite cut it due to
networking hardware in most cases. )

So,
  in summary,  when you get to the point of actively dealing with 8-900Mbps
of Tor traffic ( on top of normal users and others) what hardware is needed
to cope with firewalling?



Regards,
  D.S. Ljungmark
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] Call for discussion: turning funding into more exit relays

[Andy Isaacson]

On Wed, Jul 25, 2012 at 11:48:16PM -0700, Sriakhil Gogineni wrote:
> Ball park quotes we got were 99$ / 100 Mbps or $599 / 1000 Mbps for transit
> for a single 1U... we'll see if we can get something better...

That's a good quote for 1Gbps.

> Would this be helpful / viable option for a Tor exit node ?

Yes.

> I also had just one question: what are the specs required for a Tor node?
> It does not seem too resource intensive but I have not been able to find
> any minimum system requirements. Would a current / last-generation quad
> core with 8GB + would suffice?

A quad-core Xeon X3350 at 2.66 GHz can easily push 500 Mbps of Tor
throughput (500 Mbps up, 500 Mbps down).  CPU is a fairly limiting
factor.  Having AES-NI is a benefit.  8GB RAM is reasonable; there's no
reason to have more, but less is a tight squeeze.

-andy
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

[tor-relays] Call for discussion: turning funding into more exit relays

[Sriakhil Gogineni]

Hello!

I saw this posted on slashdot and think this is an excellent way to donate
some of our time and expertise, especially considering Internet access has
been declared a human right by the UN.

We currently colocate with a provider and will be inquiring with them if
they are OK with hosting Tor, (the post here:
https://blog.torproject.org/blog/tips-running-exit-node-minimal-harassment was
extremely helpful for other just joining and we will be following such
advice when we bring it up with our provider).

Ball park quotes we got were 99$ / 100 Mbps or $599 / 1000 Mbps for transit
for a single 1U... we'll see if we can get something better...

Would this be helpful / viable option for a Tor exit node ?

I also had just one question: what are the specs required for a Tor node?
It does not seem too resource intensive but I have not been able to find
any minimum system requirements. Would a current / last-generation quad
core with 8GB + would suffice?

Best,
Sri
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays