On 22 Oct. 2016, at 07:38, bancfc@openmailbox.org wrote:
Summarized question:
Do you recommend allowing Workstation VMs of different security levels to communicate with the same Tor instance? Note that they connect via separate internal networks to the Gateway and have different interfaces & controlports so inter-workstation communication should not be possible.
Single Tor Gateway, Multiple Workstations
Pros:
*Same guard node means less chance of picking a malicious one
*Single Gateway VM uses less resources
Cons:
*Some unforeseen way malicious VM "X" can link activities of or influence traffic of VM "Y"
**Maybe sending NEWNYM requests in a timed pattern that changes exit IPs of VM Y's traffic, revealing they are behind the same client?
**Maybe eavesdropping on HSes running on VM Y's behalf?
**Something else we are not aware of?
* Caching of DNS, HS descriptors, preemptive circuits, etc.
* VMs can leak other VMs' guards and even entire circuits
** easily without a control port filter
** perhaps some discovery attacks even with a filter
Multi-Tor Gateways mapped 1:1 to Workstation VMs
Pros:
*Conceptually simple. Uses a different Tor instance so no need to worry about all these questions.
Cons:
*Uses a different entry guard which can increase chance of running into a malicious relay that can deanonymize some of the traffic.
- Uses extra resources (though not much as a Tor Gateway can run with as little as 192MB RAM)
* Links traffic at different guards to the same source IP address
* Even VM-level isolation is not proof against some attacks
T
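The control port filter mentioned in the thread, sketched as an added example that is not part of the original e-mails or of any project's code: a per-workstation allowlist in front of a shared Tor control port that refuses circuit and guard queries and throttles NEWNYM. The class name, the allowed keys, the 60-second interval and the workstation ids are assumptions, and authentication handling is left out.

```python
import time

# Assumed policy (not from the thread): the only GETINFO keys a workstation may read.
ALLOWED_GETINFO = {"version", "status/circuit-established"}
NEWNYM_MIN_INTERVAL = 60.0  # seconds between NEWNYMs per workstation (constructed value)


class ControlFilter:
    """Decides what to do with each control-port line sent by a workstation."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._last_newnym = {}  # workstation id -> time of last forwarded NEWNYM

    def check(self, workstation, line):
        """Return 'forward', 'deny' or 'throttle' for one command line."""
        parts = line.strip().split()
        if not parts:
            return "deny"
        verb = parts[0].upper()  # command keywords are case-insensitive
        if verb == "GETINFO":
            # GETINFO can carry several keys; one disallowed key denies the line,
            # so "circuit-status" or "entry-guards" cannot ride along with "version".
            keys = parts[1:]
            if keys and all(k in ALLOWED_GETINFO for k in keys):
                return "forward"
            return "deny"
        if verb == "SIGNAL" and len(parts) == 2 and parts[1].upper() == "NEWNYM":
            # NEWNYM acts on the whole Tor instance, so each workstation is
            # throttled separately to coarsen any timed pattern it could produce.
            now = self._clock()
            last = self._last_newnym.get(workstation)
            if last is not None and now - last < NEWNYM_MIN_INTERVAL:
                return "throttle"
            self._last_newnym[workstation] = now
            return "forward"
        return "deny"  # default deny: SETCONF, SETEVENTS and everything else


if __name__ == "__main__":
    f = ControlFilter()
    # Constructed sample lines from a hypothetical workstation "ws-x".
    for cmd in ["GETINFO version", "GETINFO circuit-status",
                "SIGNAL NEWNYM", "SIGNAL NEWNYM", "SETEVENTS CIRC"]:
        print(f"{cmd!r:28} -> {f.check('ws-x', cmd)}")
```

Throttling narrows the NEWNYM timing channel but does not close it, since a forwarded NEWNYM still changes circuit selection for every workstation behind the same Tor instance.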