[tor-talk] corridor, a Tor traffic whitelisting gateway

Patrick Schleizer adrelanos at riseup.net
Sat Feb 15 08:05:19 UTC 2014



I think the topic Bridge Firewall is also related here:
https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/BridgeFirewall

(The topic didn't move there yet, but it's all very similar ideas
we're discussing here.)

>> What's the threat model here? As I understand, it's ensuring
>> stream isolation for one workstation while another workstation
>> is compromised.
> 
> The goal is to make each workstation (or even each user on a
> shared workstation) responsible for building their own circuits and
> for using whatever policy they like when it comes to stream
> isolation. Consequently, streams from different workstations can
> never share a circuit.

>> The problem is, anyone, including adversaries can run Tor
>> relays.
> 
> Interesting consideration. I'd prefer limiting the tor_routers
> ipset to relays with a Guard flag, which would make an attack more
> difficult to pull off.

Getting the guard flag isn't really difficult. It's a documented and
automated process.

> But a freshly installed Tor client will not necessarily fetch its
> first consensus through a Guard, right?

When using the public Tor network:
If TunnelDirConns is set to 1 (which is the default), quoting the Tor manual:
"...when a directory server we contact supports it, we will build a
one-hop circuit and make an encrypted connection via its ORPort..."

Some guards and directory mirrors are hardcoded in Tor.

See also:
- https://tor.stackexchange.com/questions/287/how-can-tor-use-a-one-hop-circuit-to-a-directory-server-during-initial-bootstrap
- https://tor.stackexchange.com/questions/286/why-does-tor-use-only-one-hop-instead-of-three-hops-to-connect-to-a-directory-se

When using bridges:
You'll get consensus from the bridge.

(Please someone correct me here, if it is wrong.)

>> I am wondering if the advantages of corridor and Whonix can be 
>> combined. Without running Tor over Tor, which is recommended
>> against.
> 
> Maybe we misunderstand each other?
> 
> You put a physical corridor box between your
> TBB/Tails/Whonix/Qubes workstation(s) and your router: That's not
> Tor over Tor, because corridor is not a proxy, it's a filter.
> 
> A corridor gateway should never increase the chance of clearnet
> leaks, because you can always just treat it as untrusted, like you
> should probably treat your DSL router and definitely your ISP's
> network. But if the corridor box is in fact in a trustworthy state,
> it acts as the leak stopper of last resort.

Yes, a misunderstanding.

Corridor's advantage:
- streams from different workstations can never share a circuit

Whonix's advantage:
- malicious software on the workstation can not find out its real
external IP address

I am wondering, can we get both advantages using just one gateway?

Whonix-Gateway could be modified to only allow connections to Tor
relays [guard flag, bridges, etc.]. But all the Tor clients running on
various workstations would themselves be tunneled through Tor by
Whonix-Gateway. That would be a combination of corridor's and
Whonix's advantages. But it would also be Tor over Tor, thus
recommended against [reference in my last mail].

Another idea would be to leverage Tor's IsolateClientAddr option.
Quoting the Tor manual:
"Don't share circuits with streams from a different client address.
(On by default and strongly recommended;..."
Whonix-Gateway profits from this. The problem is, any
Whonix-Workstation behind Whonix-Gateway - once compromised - can
claim to be another Whonix-Workstation, thus not being stream isolated
anymore.

This could be solved if there were a defense that prevented
impersonating other workstations. VPN and/or static ARP entries and/or
OpenSSH could be used for that purpose.

I wrote quite a lot about this topic already:
- https://www.whonix.org/wiki/Connections_between_Whonix-Gateway_and_Whonix-Workstation
- https://www.whonix.org/wiki/Multiple_Whonix-Workstations

I documented some workarounds (multiple Whonix-Gateways or using
additional (isolated) network interfaces). These are inconvenient and
probably only used by very few people.

Considering Whonix-Gateway would authenticate Whonix-Workstations and
thus better enforce stream isolation, would this be a substitute for
corridor?

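As an added illustration of the "tor_routers ipset limited to relays with a Guard flag" idea discussed in the thread (example code written for this page, not corridor's or Whonix's own), the snippet below parses network-status router entries, keeps only relays carrying the Guard, Running and Valid flags, and renders `ipset restore` input for a whitelist set. The router entries are constructed sample data, not real relays; as the mail notes, such a whitelist narrows which relays a workstation can reach but does not make the Guard flag a proof of trustworthiness.

```python
import ipaddress

# Constructed sample network-status entries (not real relays): "r" line,
# optional "a" line for an extra ORPort address, then the "s" flag line.
SAMPLE_CONSENSUS = """\
r alpha AAAAAAAAAAAAAAAAAAAAAAAAAAA 2014-02-15 06:00:00 203.0.113.10 9001 9030
s Fast Guard Running Stable V2Dir Valid
r beta BBBBBBBBBBBBBBBBBBBBBBBBBBB 2014-02-15 06:00:00 203.0.113.20 443 0
a [2001:db8::20]:443
s Fast Guard HSDir Running Stable Valid
r gamma CCCCCCCCCCCCCCCCCCCCCCCCCCC 2014-02-15 06:00:00 203.0.113.30 9001 0
s Fast Running Valid
r delta DDDDDDDDDDDDDDDDDDDDDDDDDDD 2014-02-15 06:00:00 203.0.113.40 9001 0
s Guard Stable Valid
"""

def parse_consensus(text):
    """Yield {nick, or_addrs, flags} per router entry; handles 8- and 9-field
    "r" lines, since the last three fields are always IP, ORPort, DirPort."""
    entry = None
    for parts in (ln.split() for ln in text.splitlines()):
        if not parts:
            continue
        if parts[0] == "r":
            if entry:
                yield entry
            entry = {"nick": parts[1], "flags": set(),
                     "or_addrs": [(parts[-3], int(parts[-2]))]}
        elif parts[0] == "a" and entry:          # "a [ipv6]:port"
            host, _, port = parts[1].rpartition(":")
            entry["or_addrs"].append((host.strip("[]"), int(port)))
        elif parts[0] == "s" and entry:
            entry["flags"] = set(parts[1:])
    if entry:
        yield entry

def guard_endpoints(text, required=("Guard", "Running", "Valid")):
    """Sorted 'ip,port' strings for relays carrying every required flag.
    Requiring Running/Valid drops relays the authorities no longer vouch for."""
    wanted = set(required)
    return sorted({f"{h},{p}" for e in parse_consensus(text)
                   if wanted <= e["flags"] for h, p in e["or_addrs"]})

def ipset_commands(endpoints, name="tor_routers"):
    """Render `ipset restore` input for an IPv4 hash:ip,port set (TCP implied)."""
    lines = [f"create {name} hash:ip,port family inet -exist"]
    lines += [f"add {name} {ep} -exist" for ep in endpoints
              if ipaddress.ip_address(ep.split(",")[0]).version == 4]
    return lines
```

Relay "delta" carries Guard but not Running, so it is excluded from the default whitelist; the IPv6 ORPort of "beta" is collected but skipped when rendering the `family inet` set.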