> On 22 Oct. 2016, at 07:38, [email protected] wrote: > > Summarized question: > > Do you recommend allowing Workstation VMs of different security levels to > communicate with the same Tor instance? Note that they connect via separate > internal networks to the Gateway and have different interfaces & controlports > so inter-workstation communication should not be possible. > > > Single Tor Gateway, Multiple Workstations > > Pros: > *Same guard node means less chance of picking a malicious one > *Single Gateway VM uses less resources > > Cons: > *Some unforeseen way malicious VM "X" can link activities of or influence > traffic of VM "Y" > **Maybe sending NEWNYM requests in a timed pattern that changes exit IPs of > VM Y's traffic, revealing they are behind the same client? > **Maybe eavesdropping on HSes running on VM Y's behalf? > **Something else we are not aware of?
* Caching of DNS, HS descriptors, preemptive circuits, etc. * VMs can leak other VM's guards and even entire circuits * easily without a control port filter * perhaps some discovery attacks even with a filter > > > Multi-Tor Gateways mapped 1:1 to Workstation VMs > > Pros: > *Conceptually simple. Uses a different Tor instance so no need to worry about > all these questions. > > Cons: > *Uses a different entry guard which can increase chance of running into a > malicious relay that can deanonymize some of the traffic. > * Uses extra resources (though not much as a Tor Gateway can run with as > little as 192MB RAM) * Links traffic at different guards to the same source IP address * Even VM-level isolation is not proof against some attacks T -- Tim Wilson-Brown (teor) teor2345 at gmail dot com PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B ricochet:ekmygaiu4rzgsk6n xmpp: teor at torproject dot org ------------------------------------------------------------------------------ _______________________________________________ tor-dev mailing list [email protected] https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
