-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA384

Message: 5 Date: Tue, 26 Aug 2014 19:50:21 +0200 From: Anders Andersson <pipatron@gmail.com> To: tor-relays@lists.torproject.org Subject: Re: [tor-relays] Advantage in more exits in the same /8? Message-ID: <CAKkunMYKgXKT1OEbV5Lft9edqLhvAJsbxv7QkHQn6dCbpuj36Q@mail.gmail.com> Content-Type: text/plain; charset=UTF-8

On Tue, Aug 26, 2014 at 3:47 PM, Jesse Victors <jvictors@jessevictors.com> wrote:

...

I run some relays and an exit in a university setting. The nodes are in the same /8 block and are physically close to one another as well. Is there any advantage in turning one of the relays into another exit? This is something that my ISP would be agreeable to, but I'm also pondering the effects on the Tor network as a whole. Just want to be clear here: Do you really mean /8 and not /24? There's only one university I can find with a /8 block. Anders, no I literally mean the same /8. The university has its own /16 and recently required another /16, but since my nodes are physically close to one another they are in the same /8. My concern is that too many nodes in a small block can result in a large concentration of Tor circuits in that block. No circuit should use any two nodes from the same /16 unless forced to, so my question really revolved around how many is too many Tor circuits and how much is too much traffic through the same /8 or /16 in people's opinion.

- -- Jesse V. On 08/27/2014 06:00 AM, tor-relays-request@lists.torproject.org wrote:

Message: 2 Date: Tue, 26 Aug 2014 16:24:42 +0200 From: Moritz Bartl <moritz@torservers.net> To: tor-relays@lists.torproject.org Subject: Re: [tor-relays] Advantage in more exits in the same /8? Message-ID: <53FC98AA.2000607@torservers.net> Content-Type: text/plain; charset=ISO-8859-1

Hi Jesse,

On 08/26/2014 03:47 PM, Jesse Victors wrote:

...

...

It seems to me that too many nodes under the same ISP is problematic because it concentrates too much traffic in the same AS, but on the other hand, Tor could use more exits. More importantly, how many is too many nodes in the same /8, or in the same /16? Where would you draw the line? Very good question. Ideally, the Tor client would be AS-aware, and you would not have to worry about it. For the interested reader, see for example [1]. Until then, my thinking is that I compare to other locations. https://compass.torproject.org/ is very helpful for that: For example, if you group by AS, the largest AS right now (i3d, NL) in regards to exit capacity has 11%, and OVH tops the overall network at 10% consensus weight.

As a rough rule, I'd avoid to push more than 1-2Gbit/s of traffic at one ISP. On the plus side, as long as you don't top the list, you're weighing down other locations. And universities are a preferred location.

Make sure to use the MyFamily statement correctly: Unless relays are on the same /16, Tor might pick multiple of them for a circuit. Also, if you want to push more than ~100 Mbit/s on a single machine, you need AES-NI or run multiple relays, for more than 400 Mbit/s you need to run multiple relays in any case. The multi-relay initscript can be quite helpful for that.

[1] http://freehaven.net/anonbib/#ccs2013-usersrouted [2] https://www.torservers.net/wiki/setup/server#multiple_tor_processes

-- Moritz Bartl https://www.torservers.net/ Thanks Moritz,

Ok, so I think 1-2 Gbit/s is a good number, that just seems like an awful lot of data to me and I'd rather see that spread out more diversely of course. I'm aware that no circuit should contain two nodes from the same /16 unless forced to, and the MyFamily value further helps with that. My concern was not with a single circuit using multiple nodes there, but rather many circuits preferring that AS. Diversity helps security. That being said, by your advice I'm nowhere near that threshold, so I could keep going. Thanks for the tips on the multiple Tor instances and the optimization tips. - -- Jesse V. /CS, Network Security / -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQF8BAEBCQBmBQJT/e7iXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQxMjgyMjhENjEyODQ1OTU1NzBCMjgwRkFB RDk3MzY0RkMyMEJFQzgwAAoJEK2XNk/CC+yAu0wIAK3rn17vEWQZTZy5KVBgOnUI TstJAkqO9Wjkfxf++E/5h8OMRdU1f3rV2mArJgGbgc344ttueM8iPntneaK4jI9W 4FrEqiMf7X6boYZXyeG81gYaGT6nf8ePSK5+1xY3pGR+2R3gXbDt/AU/LIZFsL2w r+9znukltzWBudfM76Fzd7jJcrwC+2giguHKU1/oxpKDh1xWuQC4maOYxZexGSLw JFz/O9Ca/CIDH/5Pbm6uJFe3Ec1zzm6z8cgsfBmGY8GHj3xBM8bNttP+a+fW7J5Z W01uoYss6tuw3jhVAp/+LKm4GcXsdtUjJIAX56yvEURCa6L9CbuTYha4cBI4zFw= =OHSc -----END PGP SIGNATURE-----