Running a Tor exit node on an academic network?

Michael J Freedman mfreed at cs.nyu.edu
Sat Jan 28 19:36:16 UTC 2006


Hi Joe,

> * The Library has electronic subscriptions to certain services that
> are based on IP addresses only.  Proposal: block exit connections to
> those IP addresses given a list or build a list as needed.  The
> eventual list could be thousands of IP addresses long which would have
> an undetermined impact on Tor's performance.

I run CoralCDN (http://www.coralcdn.org/), although I also used to work 
with Roger on the Free Haven Project. We have many of the same issues with 
running CoralCDN, which is deployed at ~150 PlanetLab sites, most at 
universities.  We push out a bit over 2 TB per day in web traffic to > 1 
million clients.

Part of our solution for handling some of these issues is to limit 
bandwidth consumption, part is to enforce blacklists for websites that 
send abuse complaints (although operating at the HTTP layer this is a bit 
easier for us), and part is to make sure we add all the appropriate HTTP 
headers.

HTTP headers like X-Forwarded-For, Via, and Proxy-Connection all 
communicate to the third-party services performing address authentication 
(such as the ACM or IEEE digital library) that the communication is from 
elsewhere.  While you certainly won't be able to / don't want to identify 
the correct X-Forwarded-For address, you can at least synthesize some fake 
one (perhaps just a 10.x.x.x address).  But again, this operates at the 
application layer.

> * They're not confident that Tor will obey its exit policies.
> Proposal: include kernel-level software firewall and possibly a
> hardware-based firewall device on the Tor box.
>
> * They're concerned about bandwidth (although this one is not a
> biggie).  Proposal: limit to 5% of my department's bandwidth (5MBit/s)
> and then explore burst settings and see how this impacts our
> department.

Our experience is that universities don't care as much about peak 
bandwidth as they do about steady-state traffic: 5 Mbit/s at steady state 
translates to over 50 GB / day.  We've found many universities get 
uncomfortable around 15-20 GB / day.  In CoralCDN, we employ 
application-level bandwidth tracking that allows higher burst rates, but 
ensures that steady-state consumption over the long period stays below this 
high water mark.

Good luck,
--mike


-----
www.michaelfreedman.org                              www.coralcdn.org
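The two-tier accounting described in the message above (a peak-rate bucket that permits bursts, plus a rolling daily budget that keeps steady-state consumption under the high water mark), as an added Python sketch that is not CoralCDN's or Tor's code; the 5 Mbit/s peak, 5 MB burst and 20 GB/day budget are assumed values chosen from the figures in the message.

```python
"""Two-tier bandwidth accounting (illustrative, not CoralCDN's code):
a token bucket caps the instantaneous rate, a rolling 24-hour window
caps the steady-state byte count that universities actually notice."""
from collections import deque

MBIT = 1_000_000 / 8  # bytes per megabit


def daily_bytes_at_rate(mbit_per_s: float) -> int:
    """Bytes moved in one day if the link is held at mbit_per_s continuously."""
    return int(mbit_per_s * MBIT * 86_400)


class SteadyStateLimiter:
    def __init__(self, peak_mbit_s, burst_bytes, daily_budget_bytes, window_s=86_400):
        self.rate = peak_mbit_s * MBIT   # token refill rate, bytes per second
        self.capacity = burst_bytes      # bucket size: largest burst allowed at once
        self.tokens = float(burst_bytes)
        self.budget = daily_budget_bytes # bytes permitted per rolling window
        self.window = window_s
        self.log = deque()               # (timestamp, bytes) of accepted sends
        self.used = 0                    # bytes sent inside the current window
        self.last = None

    def _refill(self, now: float) -> None:
        if self.last is not None:
            self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def _expire(self, now: float) -> None:
        # Drop sends that have aged out of the window so the budget recovers.
        while self.log and self.log[0][0] <= now - self.window:
            self.used -= self.log.popleft()[1]

    def allow(self, now: float, nbytes: int) -> bool:
        """Admit nbytes at time `now` only if both the burst bucket and the
        rolling daily budget have room; accepted sends are charged to both."""
        self._refill(now)
        self._expire(now)
        if nbytes > self.tokens or self.used + nbytes > self.budget:
            return False
        self.tokens -= nbytes
        self.log.append((now, nbytes))
        self.used += nbytes
        return True
```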



More information about the tor-talk mailing list