active connections when hibernating

Scott Bennett bennett at cs.niu.edu
Sun Jul 15 22:05:52 UTC 2007


     On Sun, 15 Jul 2007 09:22:00 -0700 "Michael_google gmail_Gersten"
<keybounce at gmail.com> wrote:

>On 7/14/07, Scott Bennett <bennett at cs.niu.edu> wrote:
>>      On Fri, 13 Jul 2007 14:59:44 -0700 "Michael_google gmail_Gersten"
>> <keybounce at gmail.com> wrote:
>> >Hours? Possibly. They'll stay open until the other side closes them,
>> >as I understand; that's one hour by default.
>>
>>      But those are client-side connections.  When routers connect to other
>> routers, they tend to keep those connections open.  As I understand it,
>> this not only avoids the unnecessary overhead of tearing down and setting
>> up new connections to the same places repeatedly, it provides another
>> obstruction to anyone trying to do traffic analysis.
>
>Alright, let's see. I have one tor configured as a client only, and one
>as a client (on an unused port) and a server. Lsof reports 88 outgoing
>connections, and 48 incoming connections. I just closed the ORListener
>port, so that one is only doing client (and old server connections).
>
>10 minutes later, I still have 81 outgoing, and 32 incoming.

     Okay.  I don't know what tor is "supposed to" do about existing server
connections and circuits when a SIGHUP results in ORPort being closed.
However, I can see why the continuing operation of the client side of tor
would make it desirable to maintain any currently open connections to its
chosen entry guards.
>
>Oh foo, I fell asleep. Next morning: Client has one outgoing
>connection to Lefkada, and server has one connection to pppool:9030
>(directory server?), one outgoing to a brazil site on a "random" port,
>and one incoming tor connection.
>
>Turning on Vidalia: Vidalia shows two connections to Lefkada, but lsof
>only shows one actual socket connection. Dang, but that changes how I
>thought tor did communication.
>
>Re-enabling the ORListener on the server (Odd, it's ORPort in the
>config, but OR Listener in the logs), and waiting a moment: Wow. I'm

     ORPort is the advertised port, and Address is the advertised address,
whereas ORListenAddress specifies the actual IP address and port that the
socket is bound to.  It is possible to advertise a port via the server's
descriptor that differs from the one the server is actually using.  For
example, in FreeBSD if you use IPFW or PF, you can translate the address
and/or port on incoming packets to whatever you want them to be, thereby
routing them to your tor server at whatever port it is using.

>looking at 5 SYN_SENT, one established outgoing tor, one established
>incoming tor (and we're talking seconds after publishing the
>descriptor), and one established unknown outgoing (Local port is not a
>listening port; remote port is a "random" high numbered port). And
>that's before the bandwidth test.

     Perhaps it's publishing its descriptor (i.e., sending the descriptor
to an authority).
>
>Which is itself an interesting question. How can tor publish its
>descriptor before it knows how much bandwidth to claim in the
>descriptor?

     There are three values published in the descriptor.  The first and
second come from BandwidthRate and BandwidthBurst, possibly overridden by
MaxAdvertisedBandwidth, in the configuration file.  The third value is the
actual "high water mark" in the last x seconds (24 hours, IIRC).  Note that
BandwidthRate defaults to 3 MB/s, and BandwidthBurst defaults to 6 MB/s.
>
>> >Heck, if I shut down my or-port (so no new connections arrive), and
>> >turn it off in my browser (so no new outgoing connections are made),
>>
>>      The client is supposed to continue to maintain some circuits, so
>> that some will be ready for use anytime the client should come to need
>> them.  Because circuits are old after ten minutes, no new connections
>> are made through them, and they are torn down when the last connection
>> through them is closed.  In order to keep circuits available, the client
>> therefore must keep building new circuits from time to time to replace
>> the ones that get aged and closed.
>
>In the past, I've seen that if the client has no activity, it does not
>replace the connections. I have seen an idle tor client wind up with
>no open sockets.

     Huh.  Now that you mention it, I've suspected the same thing, though
I've never checked it out very closely.  Maybe Roger Dingledine could
comment on whether this is actually the intended behavior and why it is or
is not.
>
>> >then my tor winds up with no sockets open in about 2 hours. (Maybe
>> >less, I haven't checked that frequently)
>>
>>      Then perhaps there is something wrong with your network connection
>> that it breaks all circuits from time to time.
>
>Nope. I have circuits open for days (ssh).
>
     Do you mean ssh through tor?  Or just ssh direct connections?


                                  Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet:       bennett at cs.niu.edu                              *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************
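As an added illustration of the ORPort / Address / ORListenAddress distinction described above (this is not code from the thread or from the Tor project), the following script writes a constructed torrc that advertises one endpoint while binding the socket to another, then derives the FreeBSD PF `rdr` rule needed to steer traffic from the advertised port to the bound one. The addresses and ports are constructed placeholders; the script also covers the case where ORListenAddress omits the port or is absent, in which tor falls back to the advertised values.

```shell
#!/bin/sh
# Added example, not from the original thread. Shows a torrc where the
# advertised OR endpoint differs from the bound socket, and derives the
# PF redirect that makes the advertised endpoint reachable.
set -eu

WORK=$(mktemp -d)

# Constructed torrc: advertise 203.0.113.10:443 in the descriptor, but
# actually listen on 127.0.0.1:9001 (placeholder values).
cat > "$WORK/torrc" <<'EOF'
Address 203.0.113.10
ORPort 443
ORListenAddress 127.0.0.1:9001
EOF

# Print "advertised_ip advertised_port bound_ip bound_port" for a torrc.
# If ORListenAddress is missing, or lacks a port, tor binds to the
# advertised values, so those are used as the fallback here too.
tor_ports() {
    awk '
        $1 == "Address"         { adv_ip = $2 }
        $1 == "ORPort"          { adv_port = $2 }
        $1 == "ORListenAddress" { split($2, a, ":"); bind_ip = a[1]; bind_port = a[2] }
        END {
            if (bind_ip == "")   bind_ip = adv_ip
            if (bind_port == "") bind_port = adv_port
            print adv_ip, adv_port, bind_ip, bind_port
        }' "$1"
}

# Emit the pf.conf rdr rule that forwards packets arriving at the
# advertised endpoint to the socket tor is really bound to. Prints
# nothing when the two already match, since no translation is needed.
pf_rdr_rule() {
    set -- $(tor_ports "$1")
    if [ "$1:$2" != "$3:$4" ]; then
        printf 'rdr pass on $ext_if proto tcp from any to %s port %s -> %s port %s\n' \
            "$1" "$2" "$3" "$4"
    fi
}

pf_rdr_rule "$WORK/torrc"
```

The emitted rule belongs in pf.conf on the relay host; `$ext_if` is the usual PF macro for the external interface and is left for the operator to define.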


