Bandwidth throttling (was Re: Padding)

Matej Pfajfar badbytes at
Wed Jul 10 09:14:32 UTC 2002

> We make the simplifying assumption that higher-reputation nodes are in
> some sense more valuable, and thus better-defended. Not true in all cases,
> but maybe more true than not.
How do you quantify reputation? 

> Speaking of which, something that's been bugging me:
> We treat each node as equal in terms of cost of compromise (which is
> reasonable, because it's much more complex to treat them as not equal),
> but one of the guidelines we keep repeating is "users should choose an
> OR they trust for their first hop". Is there some way to reconcile these
> two assumptions?
> > How bad would it be (anonymity-wise) if we made the OP set up a 
> > "permanent" (ish) connection to a random COR when the network interface 
> > comes up (be it eth, ppp whatever). And then multiplex all connections on 
> > that link, with dummy traffic when there is no real one (effectively 
> > making OP even more similar to a COR, some sort of a local-COR setup).
> Currently the code is designed so we can do this. The OP and OR basically
> are the same program, and can have the same traffic shaping, etc, rules.
> All circuits are multiplexed over a single connection, and if we ever get
> around to doing it, the new_route() function should:
>   * If we're not an OR, then always use the same first OR
>   * If we are an OR, then pick randomly but don't start with ourselves
>     (it would simply waste a hop to start with ourselves)
> (Feel free to patch the code. It should be an easy patch.)
Paul what do you think about this?

> If our adversary is a fixed (non-roaming) partial adversary, then either
> he owns the OR you chose or he doesn't. If he doesn't, then you should
> stick with it forever. If you keep hopping around, then at least some
> of the time you'll probably be using an adversary-owned OR. Users should
> choose behavior based on their anonymity goal:
> * If they're worried about profiling, they should jump around a lot.
> * If they're worried about linkability, they should stick with one OR.
> (On the other hand, maybe the roaming adversary becomes more plausible if
> we're talking about a long enough timeframe for the adversary to switch
> which nodes he owns.)
Yes that's why I prefer the concept of a roving adversary. True someone 
could just set up some nodes and use them to compromise the anonymity - 
but nodes can also get rooted, although probably not for very long. 
Relying on a node to be honest forever is the wrong thing to do isn't it?


Matej Pfajfar

GPG Public Keys @

More information about the tor-dev mailing list