Re: [Tails-dev] Using VMs in Tails

Author: intrigeri
Date:  
To: The Tails public development discussion list
Subject: Re: [Tails-dev] Using VMs in Tails
Hi,

David Wolinsky wrote (20 Dec 2013 03:37:15 GMT) :
> I spoke with a colleague today and we discussed the following:
> - Initially we'll target a single VM running full screen using KVM


So, this is the Pseudonym VM, right? And you mean only one concurrent
Pseudonym VM will be supported to start with, or did I misunderstand?

> - Worry about LXC at the end


Full ACK.

> - Different network model:
> option 1) KVM uses NATs, use IPTables process id matching to redirect
> packets to a specific redsocks instance and dns requests to the Tor
> dns


I'm curious what's the benefit of using redsocks, at this point.
I mean, once we're already doing netfilter/iptables to process packets
coming out of the Pseudonym VMs, we can as well directly pass it to
the relevant TransPort, no?

> option 2) KVM uses a TAP device connected to an external SLIRP daemon (Qemu
> user nat) that either talks to redsocks or another socks client stub. We
> can easily forward the dns requests to the Tor dns


I don't see any advantage over option 1, and these are things I believe
we don't have good knowledge of in the current state of our team.

> option 3) KVM uses tsocks? but we'll have an issue with dns resolution


Hmmm, my intuition says this would be very tempting and easy in the
beginning, but we would very soon have issues with this option.
I've nothing to back this claim, though.

> Of course this brings up another problem. If we don't run unique Tor
> instances for each VM, they'll be using a common DNS service. Would this
> compromise anonymity among the different VMs?


Yes, sharing a (Tor) DNS resolver has a huge potential for an attacker
correlating the Pseudonym VMs together. We definitely don't want this
running in production.

> Perhaps we really do need to run one instance of Tor per VM.


At least to start with, using a Tor DNSPort per VM should be enough,
no? One would have to check the documentation (and perhaps the code,
or ask Roger or Nick), but IIRC the idea is that each DNSPort should
be isolated from each other.

Anyway, I would be surprised if no other reason came up at some point
that would convince us to simply run one Tor client per VM. I might be
wrong, and would be happy to be.

> For the short term, I'm going to focus on option 1 and a single VM.


Option 1 looks good to me, mostly because that's the kind of thing
our team already knows quite well.

Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
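The per-VM TransPort/DNSPort layout intrigeri suggests above, as an added illustration that is not part of this thread or of Tails. It assumes each Pseudonym VM N is attached to a host tap device tapN with the host side at 10.200.N.1 (no bridge), and picks TransPort 9040+N and DNSPort 5300+N; packets are matched by ingress interface rather than by process owner, because xt_owner only applies to locally generated packets and VM traffic reaches the host in PREROUTING.

```shell
#!/bin/sh
# Added example (not Tails code): emit the torrc lines and netfilter rules
# that give one Pseudonym VM its own Tor TransPort and DNSPort.
# Assumed layout: VM N on tapN, host side 10.200.N.1, VM side 10.200.N.2.
# Nothing here is executed against the live firewall; the rules are printed.

# torrc lines for VM number $1: one TransPort and one DNSPort bound to the
# host side of that VM's tap device. IsolateClientAddr keeps streams from
# different source addresses on different circuits (it is Tor's default).
vm_torrc() {
  n="$1"
  printf 'TransPort 10.200.%s.1:%s IsolateClientAddr\n' "$n" "$((9040 + n))"
  printf 'DNSPort 10.200.%s.1:%s IsolateClientAddr\n' "$n" "$((5300 + n))"
}

# iptables commands for VM number $1 (printed, not run).
vm_rules() {
  n="$1"; tap="tap$n"; tp=$((9040 + n)); dp=$((5300 + n))
  # Let the host accept connections to this VM's own Tor ports only.
  printf 'iptables -A INPUT -i %s -p tcp --dport %s -j ACCEPT\n' "$tap" "$tp"
  printf 'iptables -A INPUT -i %s -p udp --dport %s -j ACCEPT\n' "$tap" "$dp"
  # DNS from this VM is steered to its own DNSPort, not a shared resolver.
  printf 'iptables -t nat -A PREROUTING -i %s -p udp --dport 53 -j REDIRECT --to-ports %s\n' "$tap" "$dp"
  # Every new TCP connection from this VM goes to its own TransPort.
  printf 'iptables -t nat -A PREROUTING -i %s -p tcp --syn -j REDIRECT --to-ports %s\n' "$tap" "$tp"
  # Anything not redirected into Tor (other UDP, ICMP) must never be
  # forwarded to the outside, so it is dropped.
  printf 'iptables -A FORWARD -i %s -j DROP\n' "$tap"
}

# Usage: show the configuration for the first Pseudonym VM.
vm_torrc 1
vm_rules 1
```

Rules for a second VM come from `vm_rules 2` and so on, each VM landing on distinct ports so that no two VMs share a DNSPort.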