<div dir="ltr"><font face="Arial" size="2"><span style="font-size: 10pt; font-family: Arial;"></span></font>
Hello Chris,<br><br>My response is inline with the message thread.<br><br><br><div class="gmail_quote">On Mon, Sep 15, 2008 at 11:25 AM, Roger Dingledine <span dir="ltr"><<a href="mailto:arma@mit.edu">arma@mit.edu</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div class="Ih2E3d">On Mon, Sep 15, 2008 at 02:12:12PM -0400, Chris Akins wrote:<br>
> The basic idea<br>
> is to build a zero-configuration Tor relay in hardware that sits between the<br>
> home user's router and their computer. Two plugs: one to the outside world,<br>
> one to the computer.<br>
<br>
</div>Two thoughts come to mind immediately. First, you will want to use<br>
Tor's transparent proxy interface with iptables / pf:<br>
<a href="https://wiki.torproject.org/noreply/TheOnionRouter/TransparentProxy" target="_blank">https://wiki.torproject.org/noreply/TheOnionRouter/TransparentProxy</a></blockquote><div><br>Yup, this is what you want to use.<br>
</div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><a href="https://wiki.torproject.org/noreply/TheOnionRouter/TransparentProxy" target="_blank"></a><br>
<br>
You might like Incognito's firewall rules:<br>
<a href="https://svn.torproject.org/svn/incognito/trunk/root_overlay/var/lib/iptables/rules-save" target="_blank">https://svn.torproject.org/svn/incognito/trunk/root_overlay/var/lib/iptables/rules-save</a><br>
</blockquote><div><br>Incognito has a couple of good additional rules which might be of use.<br> </div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>
For the software side, you should look at coderman's draft thoughts on<br>
a self-contained Tor in a VM:<br>
<a href="https://svn.torproject.org/svn/torvm/trunk/doc/design.html" target="_blank">https://svn.torproject.org/svn/torvm/trunk/doc/design.html</a><br>
</blockquote><div><br>Based on the best transparent Tor solution, this is a must read! ;)<br> </div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>
Second, if you want this Tor to be able to act as a relay too (aka a Tor<br>
server), it will need some non-trivial hardware. Exactly what hardware is<br>
needed is an open question, and worth exploring more. The Tor software<br>
development process seems to have cycles where we 1) accidentally cause<br>
Tor to use too many resources, then 2) fix that, then go back to 1.<br>
</blockquote><div><br>I've been working on a 400MHz StrongARM XScale PXA255 CPU, 16MB of Flash storage, and 64MB of RAM, and 2 x 100Mbps Ethernet ports.<br>With better memory management with the newer 2.x alpha versions of Tor, this seems very realistic now.<br>
Right now TorVM can run as a client on as little as 16MB of RAM, so I think 64MB will cover it.<br>I believe coderman has been using the TorVM as a server, so he would have a better answer as to how much RAM it uses running as a server node. <br>
<br>The benchmarks[1] for crypto on this are as follows (sorry if the spacing is off).<br> 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes<br>aes-128 cbc 3113.35k 3187.56k 3207.59k 3206.59k 3213.99k<br>
<br> sign verify sign/s verify/s<br>rsa 512 0.0162s 0.0016s 61.9 635.0<br>rsa 1024 0.0946s 0.0053s 10.6 190.2<br>rsa 2048 0.6269s 0.0190s 1.6 52.7<br>rsa 4096 4.4033s 0.0700s 0.2 14.3<br>
<br>Running a server would be possible, but it would be much slower than if you ran it on your P4.<br>In it's current state, it take about 60 seconds to boot.<br> </div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>
So some versions of Tor are much more friendly, cpu and memory wise,<br>
than others. The current 0.2.1.5-alpha version is quite good I believe.<br>
<div class="Ih2E3d"></div></blockquote><div><br>So far, it has been very good with the memory usage compared to older version which consumed hundreds of MB.<br> </div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="Ih2E3d"><br>
> The relay would automatically handle all the configuration details, and<br>
> render interception almost impossible, barring subversion of the target<br>
> machine.<br>
<br>
</div>You may find that some config details, like how much rate limiting the<br>
user wants to put in place, are hard to guess automatically.<br>
<font color="#888888"></font></blockquote><div><br>There are a few things that you may want to take into consideration:<br>- How would you configure the device in different environments? (Work vs Home vs On the road).<br>
- How do you handle being behind a proxy?<br>- What if the router on the LAN is using MAC filtering?<br>- What if you want to run a hidden service?<br>- How do you update it?<br><br></div></div>I've been focused on this for awhile now, and have solutions to most of the questions people find themselves asking about this type of implementation.<br>
The goal has been to get the same level of transparency that you see in JanusVM or TorVM into hardware.<br>As a matter of fact, I got my first build for the hardware working last night. Funny you should ask about this today! :)<br>
Next step is to bring Tor 0.2.1.5-alpha into the build (on today's to-do list).<br>The last step will be the Universal User Interface with different Profiles (work, home, etc..), and it'll be finished.<br><br>I'm hoping for my Tor on a stick by this weekend!<br>
(Fingers crossed as builds take about 1.5 hours to complete and bugs are a bitch)<br><br>Best Regards,<br><br>Kyle<br><br>
[1] <a href="http://docwiki.gumstix.org/index.php/Benchmarks">http://docwiki.gumstix.org/index.php/Benchmarks</a><br></div>