Re: [Tails-dev] Using VMs in Tails

Author: David Wolinsky
Date:  
To: The Tails public development discussion list, dissent
Subject: Re: [Tails-dev] Using VMs in Tails
I spoke with a colleague today and we discussed the following:
- Initially we'll target a single VM running full screen using KVM
- Worry about LXC at the end
- Different network model:
option 1) KVM uses NATs, use IPTables process id matching to redirect
packets to a specific redsocks instance and dns requests to the Tor dns
option 2) KVM uses a TAP device connected to an external SLIRP daemon (Qemu
user nat) that either talks to redsocks or another socks client stub. We
can easily forward the dns requests to the Tor dns
option 3) KVM uses tsocks? but we'll have an issue with dns resolution

Of course this brings up another problem. If we don't run unique Tor
instances for each VM, they'll be using a common DNS service. Would this
compromise anonymity among the different VMs? Perhaps we really do need to
run one instance of Tor per VM.

For the short term, I'm going to focus on option 1 and a single VM.

Feedback is greatly appreciated.

Cheers,
David


On Wed, Dec 18, 2013 at 10:14 PM, David Wolinsky
<isaac.wolinsky@???> wrote:

> Per the thread on the Tor tracker (
> https://trac.torproject.org/projects/tor/ticket/7681), I want to start
> working on integrating the of Pseudonymity as defined by WiNoN into Tails.
> Namely, users run multiple, independent VMs connected to independent paths
> through the Tor network in order to wear multiple hats. A user accessing
> IRC and GMail under two different contexts would do so in two different
> VMs. There are other benefits of using VMs as the Whonix folks have
> recognized. Namely, that information about the host cannot (easily) leak
> into the guest and vice-versa. To do this I propose the following:
>
> - In the host, we run redsocks (http://darkk.net.ru/redsocks/), this will
> pick up traffic from the VMs and redirect it to Tor. Currently there exists
> no package for redsocks in Squeeze, should we check to see if the Wheezy
> package works or just build our own Redsocks package?
> - Install the necessary software for both LXC and KVM
> - Give amnesia the right sudo abilities to start LXC and KVM
> - Add start LXC Pseudonym and KVM Pseudonym to the desktop
> - Upon starting a Pseudonym, we'll add a Tap device and connect it to a
> bridge, where redsocks will pick up the traffic. For each pseudonym, we'll
> run a unique redsocks instance and start a new Tor proxy socket.
> - We can either use a pseudonym watcher to clean up state or just run the
> pseudonym in a script, blocking on the VM execution. When the VM has been
> closed, it is automatically cleaned up.
> - Use IP Tables to enforce communication between the pseudonyms and Tor
>
> In this instance, each pseudonym will have a unique IP address, but it
> will only be able to talk to Tor running via the bridge and not other
> pseudonyms.
>
> Call this round 1, and we'll add more details as we discuss.
>
> Cheers,
> David
>
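
Option 1 from the message above, sketched as an added example that is not part of the original post or of Tails. It swaps the process id matching for a per-VM uid match (`-m owner --uid-owner`), and assumes each qemu process runs under its own uid, a per-pseudonym redsocks listener on 127.0.0.1, and a Tor DNSPort on 127.0.0.1; the function name, uid and ports are hypothetical.

```shell
#!/bin/sh
# Emit (not apply) iptables arguments that pin one pseudonym VM to its own
# redsocks instance and to Tor's DNS port, and reject everything else.
# Assumptions (not from the post): qemu for this pseudonym runs under a
# dedicated uid with user-mode (NAT) networking, so its traffic appears in
# the host's OUTPUT chains; redsocks and Tor's DNSPort listen on 127.0.0.1.
pseudonym_rules() {
    uid=$1 redsocks_port=$2 dns_port=$3

    # Refuse anything that is not a plain decimal number.
    for v in "$uid" "$redsocks_port" "$dns_port"; do
        case $v in
            ''|*[!0-9]*) echo "pseudonym_rules: bad argument: '$v'" >&2; return 1 ;;
        esac
    done
    # Ports must be in the valid TCP/UDP range.
    for p in "$redsocks_port" "$dns_port"; do
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || {
            echo "pseudonym_rules: port out of range: $p" >&2; return 1; }
    done

    m="-m owner --uid-owner $uid"
    # Order matters: DNS first, then all new TCP connections, then the
    # filter rules that allow only the two redirected flows.
    cat <<EOF
-t nat -A OUTPUT $m -p udp --dport 53 -j REDIRECT --to-ports $dns_port
-t nat -A OUTPUT $m -p tcp --syn -j REDIRECT --to-ports $redsocks_port
-A OUTPUT $m -d 127.0.0.1 -p tcp --dport $redsocks_port -j ACCEPT
-A OUTPUT $m -d 127.0.0.1 -p udp --dport $dns_port -j ACCEPT
-A OUTPUT $m -j REJECT
EOF
}

# Constructed sample values: uid 2001, redsocks on 12345, DNS on 5353.
# To apply for real, feed each printed line to iptables as root, e.g.
#   pseudonym_rules 2001 12345 5353 | while read -r r; do iptables $r; done
pseudonym_rules 2001 12345 5353
```

Because the final rule rejects everything from that uid that was not redirected, one pseudonym cannot reach another pseudonym's redsocks port or any non-Tor destination.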