OTF Concept Note

What is your idea?

Emerald Onion is a recently founded ISP/community non-profit organization based in Seattle seeded by a Tor Servers grant and personal donations. Our goal is to expand the privacy community by lowering the cost and learning curve for community organizations in the US to operate infrastructure.

Existing organizations in this space, Calyx and Riseup, have succeeded in rapidly becoming focal points for the community, but are inherently difficult to scale and are most effective in their local geographic communities. Thus, while Riseup has excelled at providing technical software, there is no easy path to establishing similar organizations. We want to change that!

In beginning the process of establishing ourselves, we have been documenting every step of the way. We are already running multiple unfiltered Tor exit nodes, and have both legally vetted abuse letters and educational material for law enforcement published. Now, we want to take this knowledge and export it to other communities. In particular, we want to focus on areas near Internet Exchange Points that are in at least 49 metro locations around the US, which can provide economical pricing and good connectivity for Internet traffic. We hope to spur wider deployment of Tor, onion services, and surrounding privacy technologies by helping other local groups follow our path.

Part of this mission is becoming a focal point for privacy operations work ourselves. Working with researchers at Berkeley, we are contributing to easier handling of abuse complaints. With academics in the Tor community, we are piloting new exit strategies to limit the impact of censorship. With the open source community, we are increasing platform diversity through the use and documentation of HardenedBSD as an alternative software stack. Our trajectory as an organization will include partnering with these organizations to improve usage and deployability, education of other network operators, and increasing our network presence and capacity.

What are your goals / long-term effects?

Our goal is that most major communities in the US have local organizations focused on operating privacy technology. Hackerspaces today are a mixed bag, and are often centered around physical rather than digital creation. Despite the presence of major IXPs, there are many urban centers today without community-driven organizations working to bolster privacy. We envision providing the groundwork and enthusiasm to support a network of ISPs around the country that can rectify this situation. Getting these entities in place will be important underlying infrastructure for future decentralized and federated networks to follow the model of Tor today.

Emerald Onion will directly evangelize operational best practices as it matures as a community organization and fits into the Seattle privacy community. To take advantage of Seattle’s position as one of the largest exchange points in the world, Emerald Onion will actively seek out peering agreements and aim to transit a significant amount of Tor traffic. Through our ISP operations, we hope for two primary longer term effects: First, that we are able to disseminate knowledge of peering agreements to make it significantly easier for other entities to understand how to enter into these negotiations. Second, that we can help Tor and other privacy enhancing networks gain capacity, reliability, and strategies for resilience to censorship. These technologies have focused on their software properties, but there are significant operational and networking challenges that need to be solved in tandem. We believe entities like Emerald Onion are the right complement to help privacy technologies succeed.

How will you do it?

Concretely, Emerald Onion will work to bring at least 10 new, independent, Privacy-focused ISPs into existence within the next 12 months. We will also speak in conferences, and use our existing communication pathways to advertise and publish our work. We will work to find other supporters and help them establish their own organizations. In addition, we will work to make shared support networks, like legal funds, peering databases, and abuse systems to be more accessible to these community groups.

Specifically, we will focus on the following areas of capacity:

  1. Funding and organizational stability strategies
  2. Nonprofit ISP incorporation setup and management
  3. Data center co-location setup and management
  4. ARIN registration and AS and IP scope management
  5. IP transit setup and management
  6. BGP setup and management
  7. Peering agreement setup and management
  8. Legal response setup and management

To stabilize ourselves as a focal point of the Seattle privacy community, Emerald Onion will continue to develop both its own sustainability model, and its infrastructure.

We expect to receive 501c3 status by the end of the year, and have already begun soliciting donations for our general operations. We have had initial success in approaching local members of the community to contribute the funds for one relay worth of cost in exchange for “naming rights” of that node. We believe direct community contributions can provide sustainability, and will complement this income stream with grant funding for growth.

We will also continue to increase our network presence to improve our fault tolerance and gain access to more network peers. Higher capacity will allow us to provide incubation for a larger range of privacy enhancing technologies.

Who is it for?

Emerald Onion is not just for the ~60 million monthly Tor users or the Seattle privacy community. We are not just a testing ground for encountering and solving operational issues in the deployment of privacy technologies. Emerald Onion is strategically developing as a model steward of privacy networks that is focused on quality and integrity. Our actions and relationships further legitimize Tor within communities that operate the backbones of the Internet and will help normalize the use of Tor for business-driven service providers.  We will continue to be an inspiration for community groups and other ethically-conscious ISPs alike.

Emerald Onion’s day-to-day work at present focuses on existing and new Tor router operators, who with the organizations that they create will immediately impact public perception. In Emerald Onion’s short existence, we have made direct, personal connections with at least 50 professional network administrators, datacenter operators, and Internet service providers. Imagine that happening in every major IXP community around the United States.

Emerald Onion has paid for professional legal services, and has already published our verified Legal FAQ and abuse complaint responses that are valid within the United States. Similarly, the organization is working with Academics to better understand the operational reality of abuse complaints, and to understand opportunities for making use of the IP space. These services benefit the larger privacy community both operationally, and as an incubator for projects.

What is the existing community?

The Tor relay community is already strong, but lacks strong US-based advocacy for growth. In Europe, TorServers.net has evolved into a grant-giving organization, which is able to provide advice and financial support to help new relays get started, but is not well positioned to support US-based relays. In Canada, Coldhak runs a valuable relay, but has not attempted to export its knowledge to external entities.

In the US, the largest relay presences come from Riseup.net and Calyx networks. Riseup is focused on services like email and VPNs in tandem with important education. This is valuable work, but does not extend to directly advocating for new groups to enter the ISP space. Calyx is supported through a cellular ISP model focusing on end-users but does not focus on supporting new relay operators.

Emerald Onion aims to fill this gap through direct advocacy to guide and support new relay operators and encourage the existence and creation of privacy supporting entities in a diverse set of IXPs around the country.

Complementary Efforts?

The Tor Project itself provides a basic level of support for new entities, particularly with technical support. In addition to a wide-reaching and engaging community, the presence of the Tor-relays mailing list provides a valuable community-wide support network between operators. The EFF has been a long-time supporter of the legal aspects of relay operation, and has helped with several legal papers supporting helping to establish the legal protections of Tor exit operation, along with providing counsel when new legal issues arise. It remains the case that new entities establishing Tor exit nodes in the US face thousands of dollars of legal fees to properly prepare themselves with the needed form letters for abuse and a tricky navigation of legal guidelines to establish themselves as legal entities with the authority to respond to complaints without fear of retribution.

Emerald Onion hopes to fill these gaps by making it easier for others by defining clear direction, freely published in the public domain, so that new operators don’t need to duplicate work that we’ve already performed. Building a shared legal defense fund and sharing how to navigate data center costs and contracts will allow groups to form with much less risk or uncertainty.

Why is it needed?

In building Emerald Onion so far, we have already found that many of the steps we are taking are undocumented, or rely on verbally communicated lore. That situation is not sustainable, and cannot scale or significantly improve the current state of the world.

More organizations are needed that focus on Internet privacy the same way hackerspaces have focused on hardware and technical development. Internet issues are inherently rooted in being part of the Internet and that barrier has so far been a high hurdle for community groups. We believe that this hurdle needs to be lower.

Without active development of these entities, we will continue to see even more centralization of the Internet and continued erosion of neutrality. Retaining a community presence in Internet operations is a key underlying infrastructure that we strongly believe has the potential to change the future development of the Internet.

 

Legal Responses to Tor Abuse Complaints

Disclaimer: This is not legal advice due to the fact that Emerald Onion is not your lawyer. Further, it is based on laws and court cases in the United States and does not apply to most of the world. If you are planning on becoming an ISP dedicated to transiting Tor traffic, please seek out and maintain active support from your own lawyer.

One of Emerald Onion’s priorities when establishing was to work with professional legal services for specific language when communicating with other organizations negatively impacted by the anonymous Tor traffic that we transit. Another priority is to freely share our work, to help others who take on the cause.

If you value our not-for-profit work, like the information shared here, please keep in mind that we graciously accept donations.

There are three documents that we use for addressing Tor abuse complaints. The first one has been published on our site for over a month, our Legal FAQ. We use this document whenever someone contacts us about any issue that is not a DMCA issue, so it is used a lot. Keep in mind that Emerald Onion only operates full (not reduced) exit relays, so we get lots of infringement related complaints.

The two other documents (below) should be used based on where an abuse complaint is coming from. Most Tor operators are used to working with their upstream ISP directly. This is because these operators lease IP space from their upstream ISP. In this case, it is important to use the “Complaint Forwarded By Your ISP(s)”.

The other way that abuse complaints can come in is directly from third-parties, typically the ones who have recorded your IP address(es) as being the cause of perceived abuse. Emerald Onion went through the process of obtaining our own Autonomous System (AS) number, IPv6 and IPv4 scopes, and because of this, we receive all abuse complaints directly. Third-parties at the other end of the anonymous Tor traffic that we transit only see our contact information in the WHOIS for our IP space, and not the contact information of our upstream providers.

We encourage other Tor operators to replicate our work so that they can directly manage all abuse complaints. Doing so removes a tremendous amount of legal stress from upstream providers. When this is applicable to you, use the “Direct Complaint” document below.

Please also thank EFF and The Tor Project for their prior work in this area.

Complaint Forwarded By Your ISP(s)

I am writing on behalf of [Your Organization] in response to the notice copyright below.

[Your Organization] is a [Your State] State-based nonprofit corporation and encrypted transit internet service provider. I would like to assure you that [Your Organization] is neither infringing copyrights nor hosting the claimed infringing materials on behalf of users. The notice is likely based upon misunderstandings about the law and about some of the software we run.

As an initial matter, the faulty copyright notice was triggered by a routing program that we are running on our servers called Tor. The Tor network is a group of volunteer-operated routers on the Internet that helps people enhance their security, privacy, and safety. [Your Organization] only runs Tor traffic through our routers.

Tor bounces communications through routers on the network before sending those packets on to their final destinations. However, Tor tunnels the connections so that no router can learn both the source and destination of the packets, which protects users from nefarious snooping on network traffic. The result is that the final IP address that the recipient receives is not the IP address of the sender.

Tor is valuable because it promotes privacy and free expression around the world. It also protects users against hazards such as harassment, spam, identity theft, price discrimination, and even dissident surveillance by oppressive governments. To learn more about Tor, see https://www.torproject.org/.

[Your Organization] operates Tor exit routers with connectivity to the [Your Internet Exchange Point(s)]. Those routers are only a conduit of online traffic. We are thus protected by the Digital Millennium Copyright Act safe harbor provision of 512(a). That safe harbor also likely protects you, as our ISP, from liability arising from this complaint.

The DMCA creates four “safe harbors” that protect service providers from copyright liability for the acts of their users, provided that the ISPs fulfill certain requirements. 17 U.S.C. § 512. The DMCA’s requirements vary depending on the ISP’s role. You may be familiar with the “notice and takedown” provisions of section 512(c) of the DMCA, which applies to ISPs hosting content on behalf of users. However, those requirements do not apply when an ISP merely serves as a “conduit,” i.e., transmits, routes, or provides for connections through a system or network. The safe harbor of section 512(a) has different and less burdensome eligibility requirements for conduits. See Recording Indus. Ass’n of Am., Inc. v. Verizon Internet Servs., Inc., 351 F.3d 1229 (D.C. Cir. 2003); In re Charter Commc’ns, Inc., Subpoena Enforcement Matter, 393 F.3d 771 (8th Cir. 2005).

Under section 512(a), service providers like you are typically protected from damages for copyright infringement claims if you also maintain “a policy that provides for termination in appropriate circumstances of subscribers and account holders of the service provider’s system or network who are repeat infringers.” If you have and implement such a policy, and you otherwise qualify for the safe harbor, you should be free from fear of copyright damages.

As an organization committed to protecting the privacy of its customers, I hope you’ll agree that Tor is a valuable technology and will continue to support our effort to strengthen the Tor network.

Thank you for working with me on this matter. As a loyal subscriber, I appreciate your notifying me of this issue and hope that the protections of DMCA 512 put any concerns you may have to rest. If not, please contact me with any further questions.

Sincerely,

[Your Name], on behalf of [Your Organization]

 

Direct Complaint

I am writing on behalf of [Your Organization] in response to the notice copyright below.

[Your Organization] is a [Your State] State-based nonprofit corporation and encrypted transit internet service provider. I would like to assure you that [Your Organization] is neither infringing copyrights nor hosting the claimed infringing materials on behalf of users. The notice is likely based upon misunderstandings about the law and about some of the software we run.

As an initial matter, the faulty copyright notice was triggered by a routing program that we are running on our servers called Tor. The Tor network is a group of volunteer-operated routers on the Internet that helps people enhance their security, privacy, and safety. [Your Organization] only runs Tor traffic through our routers.

Tor bounces communications through routers on the network before sending those packets on to their final destinations. However, Tor tunnels the connections so that no router can learn both the source and destination of the packets, which protects users from nefarious snooping on network traffic. The result is that the final IP address that the recipient receives is not the IP address of the sender.

Tor is valuable because it promotes privacy and free expression around the world. It also protects users against hazards such as harassment, spam, identity theft, price discrimination, and even dissident surveillance by oppressive governments. To learn more about Tor, see https://www.torproject.org/.

As you may know, the DMCA creates four “safe harbors” that protect service providers from copyright liability for the acts of their users, provided that the ISPs fulfill certain requirements. 17 U.S.C. § 512. The DMCA’s requirements vary depending on the ISP’s role. You may be familiar with the “notice and takedown” provisions of section 512(c) of the DMCA, which applies to ISPs hosting content on behalf of users. However, those requirements do not apply when an ISP merely serves as a “conduit,” i.e., transmits, routes, or provides for connections through a system or network. The safe harbor of section 512(a) has different and less burdensome eligibility requirements for conduits. See Recording Indus. Ass’n of Am., Inc. v. Verizon Internet Servs., Inc., 351 F.3d 1229 (D.C. Cir. 2003); In re Charter Commc’ns, Inc., Subpoena Enforcement Matter, 393 F.3d 771 (8th Cir. 2005).

[Your Organization] operates Tor exit routers with connectivity to the [Your Internet Exchange Point(s)]. Because [Your Organization] serves as a conduit of online traffic, we fall within the section 512(a) safe harbor, and are not subject to the requirements of section 512(c).

Thank you for working with me on this matter. I hope that the protections of DMCA 512 put any concerns you may have to rest. If not, please contact me with any further questions.

Sincerely,

[Your Name], on behalf of [Your Organization]

 

DNSSEC is now fully implemented for our forward and reverse lookup zones

Last month (July 2017) we moved our DNS zone management to the Google Cloud Platform since our domains were already registered with Google. After applying for the DNSSEC alpha, we were granted access and turned on DNSSEC for all three of our forward (domain) and reverse (IPv6 and IPv4 scopes) lookup zones. Google’s alpha products come with no SLA, so we took a risk implementing DNSSEC through Google.

Turning on DNSSEC was as easy flipping a switch in the control panel. The last part is adding the DS entries at the Registrar.

In the upper-right hand corner of Zone Details is Registrar Setup. This is where we got our DS entry information.

This DS information translates to a specific Key Tag, Algorithm, Digest Type, and Digest that needs to go into Google Domains (the actual Registrar).

This completed the domain setup. Now we needed to configure DNSSEC for our reverse lookup zones. Because they are direct allocations from ARIN, we needed to copy over the DS details over to ARIN.

View and Manage Your Networks > View & Manage Network (for both our IPv6 and IPv4 scopes) > Actions > Manage Reverse DNS > (select the delegation) > Modify DS Records

String (for our IPv6) parsed:

3600 DS 46756 8 2 5396635C919BAF34F24011FAB2DE251630AE2B8C17F1B69D05BCFDD603510014

String (for our IPv4) parsed:

3600 DS 40286 8 2 54686118794BD67CC76295F3D7F1C269D70EB5646F5DA130CC590AE14B33935F

This completed the ARIN DNSSEC configuration. While Google provided a quick DNS update for validation, ARIN took over 12 hours.

Internet Exchange Points in the United States

Emerald Onion is researching IXPs in the U.S.A. in order to identify areas of priority as it concerns increasing global Tor network capacity by way of putting Tor routers directly on these highly interconnected networks. Putting Tor exit routers in IXPs, for example, may reduce network latency to end points. It may also reduce network hops, potentially minimizing the possibility of third-party surveillance. Emerald Onion envisions a future where the Tor network is composed of much larger and more stable network operators, globally.

Questions

  1. Are there any Tor routers connected to any United States-based IXPs? If so, which ones and who operates them?
  2. Is this IXP friendly to Tor?
  3. What is the organizational structure of this IXP? Such as corporate-run or community-driven, etc.
  4. What qualities of an IXP should impact how meaningful it would be for the Tor network?
    • Number of participants?
    • Access to specific participants?
    • Nonprofit?
    • Community driven?
    • Affordability?
    • Geolocation?
    • Prohibits network surveillance?

A top 20 list of cities to focus on for Tor development?

  1. Chicago, IL has at least 12 IXPs
  2. New York City, NY has at least 9 IXPs (and has Calyx Institute)
  3. Dallas, TX has at least 6 IXPs
  4. Los Angeles, CA has at least 6 IXPs
  5. Miami, FL has at least 6 IXPs
  6. Seattle, WA has at least 5 IXPs (and has Riseup and Emerald Onion)
  7. San Jose, CA has at least 5 IXPs
  8. Phoenix, AZ has at least 5 IXPs
  9. Ashburn, VA has at least 3 IXPs
  10. Reston, VA has at least 3 IXPs
  11. Boston, MA has at least 3 IXPs
  12. Atlanta, GA has at least 3 IXPs
  13. Portland, OR has at least 3 IXPs
  14. Honolulu, HI has at least 2 IXPs
  15. Denver, CO has at least 2 IXPs
  16. Vienna, VA has at least 2 IXPs
  17. Palo Alto, CA has at least 1 IXP
  18. Salt Lake City, UT has at least 1 IXP (and has XMission)
  19. Minneapolis, MN has at least 1 IXP
  20. Detroit, MI has at least 1 IXP

IXPs in the United States

Ashburn, VA

    1. Equinix Ashburn Exchange (Equinix Ashburn)
    2. LINX Northern Virginia (LINX)
    3. MAE East

Ashland, VA

    1. Richmond Virginia Internet Exchange (RVA-IX)

Atlanta, GA

    1. Digital Realty / Telx Internet Exchange (TIE)
    2. Equinix Internet Exchange Atlanta (Equinix Atlanta)
    3. Southeast Network Access Point (SNAP)

Austin, TX

    1. CyrusOne Internet Exchange (CyrusOne IX)

Billings, MT

    1. Yellowstone Regional Internet eXchange (YRIX)

Boston, MA

    1. Boston Internet Exchange
    2. Massachusetts eXchange Point (MXP)
    3. CoreSite – Any2 Boston

Buffalo, NY

    1. Buffalo Niagara International Internet Exchange (BNIIX)

Chicago, IL

    1. AMS-IX Chicago
    2. CyrusOne Internet Exchange (CyrusOne IX)
    3. Equinix Chicago Exchange (Equinix Chicago)
    4. Greater Chicago International Internet Exchange (GCIIX)
    5. United IX – Chicago (ChIX)
    6. CoreSite – Any2 Chicago
    7. MAE Central

Columbus, OH

    1. OhioIX

Dallas, TX

    1. CyrusOne Internet Exchange (CyrusOne IX)
    2. DE-CIX, the Dallas Internet Exchange (DE-CIX Dallas)
    3. Digital Realty / Telx Internet Exchange (TIE)
    4. Equinix Dallas Exchange (Equinix Dallas)
    5. MAE Central
    6. Megaport MegaIX Dallas (MegaIX Dallas)

Denver, CO

    1. CoreSite – Any2 Denver
    2. Interconnection eXchange Denver (IX-Denver)

Detroit, MI

    1. Detroit Internet Exchange (DET-IX)

Duluth, NM

    1. Twin Ports Internet Exchange (TP-IX)

Gillette, WY

    1. BigHorn Fiber Internet Exchang (BFIX)

Hagåtña, Guam

    1. Guam Internet Exchange (GU-IX)

Honolulu, HI

    1. DRFortress Exchange (DRF IX)
    2. Hawaii Internet eXchange (HIX)

Houston, TX

    1. CyrusOne Internet Exchange (CyrusOne IX)

Indianapolis, IN

    1. Midwest Internet Exchange (MidWest-IX – Indy)

Jacksonville, FL

    1. Jacksonville Internet Exchange (JXIX)

Kansas City, MO

    1. Kansas City Internet eXchange (KCIX)

Los Angeles, CA

    1. CENIC International Internet eXchange (CIIX)
    2. Equinix Los Angeles Exchange (Equinix Los Angeles)
    3. Los Angeles International Internet eXchange (LAIIX)
    4. MAE West
    5. Pacific Wave Exchange in Los Angeles and Seattle (PacificWave)
    6. CoreSite – Any2 California

Madison, WI

    1. Madison Internet Exchange (MadIX)

Manassas, VA

    1. LINX Northern Virginia (LINX)

Medford, OR

    1. Southern Oregon Access Exchange (SOAX)

Miami, FL

    1. Equinix Internet Exchange Miami (Equinix Miami)
    2. MAE East
    3. Miami Internet Exchange (MiamiIX)
    4. NAP of the Americas (NOTA)
    5. The South Florida Internet Exchange (FL-IX)
    6. CoreSite – Any2 Miami

Milwaukee, WI

    1. The Milwaukee IX (MKE-IX)

Minneapolis, MN

    1. Midwest Internet Cooperative Exchange (MICE)

Moffett Field, CA

    1. NGIX West

Nashville, TN

    1. Nashville Internet Exchange (NashIX)

New York, NY

    1. AMS-IX New York (AMS-IX NY)
    2. Big Apple Peering Exchange (BigApe)
    3. Digital Realty / Telx Internet Exchange (TIE)
    4. Equinix Internet Exchange New York (Equinix New York)
    5. Free NYIIX Alternative (NYCX)
    6. New York, NY – (CoreSite – Any2 New York)
    7. DE-CIX, the New York / New Jersey Internet Exchange (DE-CIX New York)
    8. New York International Internet eXchange (NYIIX)
    9. MAE East

Omaha, NE

    1. Omaha Internet Exchange (OmahaIX)

Palo Alto, CA

    1. Equinix Internet Exchange Palo Alto (Equinix Palo Alto)

Philadelphia, PA

    1. Philadelphia Internet Exchange (PHILAIX)

Phoenix, AZ

    1. Arizona Internet Exchange (AZIX)
    2. Digital Realty / Telx Internet Exchange (TIE)
    3. Phoenix Internet Exchange, LLC (PHX-IX)
    4. Phoenix IX
    5. CyrusOne Internet Exchange (CyrusOne IX)

Portland, OR

    1. Central Oregon Internet eXchange (COIX)
    2. Northwest Access Exchange, Inc. (NWAX)
    3. Oregon Internet Exchange (OIX)

Reno, NV

    1. Tahoe Internet Exchange (TahoeIX)

Reston, VA

    1. LINX Northern Virginia (LINX)
    2. MAE East
    3. CoreSite – Any2 NorthEast

Saint George, UT

    1. Southern Utah Peering Regional Network (SUPRnet)

Salt Lake City, UT

    1. Salt Lake Internet Exchange (SLIX)

San Antonio, TX

    1. CyrusOne Internet Exchange (CyrusOne IX)

San Diego, CA

    1. San Diego NAP (SD-NAP)

San Francisco, CA

    1. San Francisco Internet Exchange (SFIX)
    2. San Francisco Metropolitan Internet Exchange (SFMIX)

San Jose, CA

    1. AMS-IX Bay Area (AMS-IX BA
    2. CoreSite – Any2 Northern California)
    3. Equinix San Jose / Bay Area Exchange (Equinix San Jose)
    4. NASA Ames Internet eXchange (AIX)
    5. MAE West

San Juan, Puerto Rico

    1. Internet Exchange of Puerto Rico (IX.PR)
    2. Puerto Rico Bridge Initiative (PRBI-IX)

Seattle, WA

    1. Megaport MegaIX Seattle (MegaIX Seattle)
    2. Pacific Wave Exchange in Los Angeles and Seattle (PacificWave)
    3. Seattle Internet Exchange (SIX)
    4. Seattle Internet Exchange (9000 MTU) (SIX Seattle (Jumbo))
    5. Seattle, WA Equinix Internet Exchange Seattle (Equinix Seattle)

Sterling, VA

    1. CyrusOne Internet Exchange (CyrusOne IX)

Tampa, FL

    1. Tampa Internet Exchange (TampaIX)
    2. Tampa Internet Exchange (TPAIX)

Tulsa, OK

    1. LiveAir Tulsa IX

Vienna, VA

  1. Equinix Internet Exchange Vienna, VA (Equinix Vienna (VA))
  2. MAE East

Tor router configuration v3

01 August 2017

We experienced a catastrophic hardware failure recently which will be detailed in an upcoming blog post. We are back online today with new router IDs and we added two more routers for a total of six Tor routers.

We moved to Google Cloud DNS recently to be able to manage our PTR records for reverse DNS since we have our own IP scopes now. We also moved our forward-lookup zone to Google Cloud DNS. Next on the agenda is setting up DNSSEC.

IPv6 PTR

1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.1.0.0.0.0.c.8.1.0.0.2.6.2.ip6.arpa.
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.1.0.0.0.0.c.8.1.0.0.2.6.2.ip6.arpa.
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.1.0.0.0.0.c.8.1.0.0.2.6.2.ip6.arpa.
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.1.0.0.0.0.c.8.1.0.0.2.6.2.ip6.arpa.
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.5.1.0.0.0.0.c.8.1.0.0.2.6.2.ip6.arpa.
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.1.0.0.0.0.c.8.1.0.0.2.6.2.ip6.arpa.

DNS

2620:18c:0:1100::1 tor01.emeraldonion.org
2620:18c:0:1200::1 tor02.emeraldonion.org
2620:18c:0:1300::1 tor03.emeraldonion.org
2620:18c:0:1400::1 tor04.emeraldonion.org
2620:18c:0:1500::1 tor05.emeraldonion.org
2620:18c:0:1600::1 tor06.emeraldonion.org
23.129.64.11 tor01.emeraldonion.org
23.129.64.12 tor02.emeraldonion.org
23.129.64.13 tor03.emeraldonion.org
23.129.64.14 tor04.emeraldonion.org
23.129.64.15 tor05.emeraldonion.org
23.129.64.16 tor06.emeraldonion.org

Tor router #1

Nickname EmeraldOnion01
Address tor01.emeraldonion.org
ContactInfo abuse_at_emeraldonion_dot_org
OutboundBindAddressExit 23.129.64.11
OutboundBindAddressOR 23.129.64.11
DirPort 23.129.64.11:80
ORPort 23.129.64.11:443
ORPort [2620:18c:0:1100::1]:443
RelayBandwidthRate 18 MBytes
RelayBandwidthBurst 18 MBytes
IPv6Exit 1
Exitpolicy accept *:*
ExitPolicy accept6 *:*

Tor router #2

Nickname EmeraldOnion02
Address tor02.emeraldonion.org
ContactInfo abuse_at_emeraldonion_dot_org
OutboundBindAddressExit 23.129.64.12
OutboundBindAddressOR 23.129.64.12
DirPort 23.129.64.12:80
ORPort 23.129.64.12:443
ORPort [2620:18c:0:1200::1]:443
RelayBandwidthRate 18 MBytes
RelayBandwidthBurst 18 MBytes
IPv6Exit 1
Exitpolicy accept *:*
ExitPolicy accept6 *:*

Tor router #3

Nickname EmeraldOnion03
Address tor03.emeraldonion.org
ContactInfo abuse_at_emeraldonion_dot_org
OutboundBindAddressExit 23.129.64.13
OutboundBindAddressOR 23.129.64.13
DirPort 23.129.64.13:80
ORPort 23.129.64.13:443
ORPort [2620:18c:0:1300::1]:443
RelayBandwidthRate 18 MBytes
RelayBandwidthBurst 18 MBytes
IPv6Exit 1
Exitpolicy accept *:*
ExitPolicy accept6 *:*

Tor router #4

Nickname EmeraldOnion04
Address tor04.emeraldonion.org
ContactInfo abuse_at_emeraldonion_dot_org
OutboundBindAddressExit 23.129.64.14
OutboundBindAddressOR 23.129.64.14
DirPort 23.129.64.14:80
ORPort 23.129.64.14:443
ORPort [2620:18c:0:1400::1]:443
RelayBandwidthRate 18 MBytes
RelayBandwidthBurst 18 MBytes
IPv6Exit 1
Exitpolicy accept *:*
ExitPolicy accept6 *:*

Tor router #5

Nickname EmeraldOnion05
Address tor05.emeraldonion.org
ContactInfo abuse_at_emeraldonion_dot_org
OutboundBindAddressExit 23.129.64.15
OutboundBindAddressOR 23.129.64.15
DirPort 23.129.64.15:80
ORPort 23.129.64.15:443
ORPort [2620:18c:0:1500::1]:443
RelayBandwidthRate 18 MBytes
RelayBandwidthBurst 18 MBytes
IPv6Exit 1
Exitpolicy accept *:*
ExitPolicy accept6 *:*

Tor router #6

Nickname EmeraldOnion06
Address tor06.emeraldonion.org
ContactInfo abuse_at_emeraldonion_dot_org
OutboundBindAddressExit 23.129.64.16
OutboundBindAddressOR 23.129.64.16
DirPort 23.129.64.16:80
ORPort 23.129.64.16:443
ORPort [2620:18c:0:1600::1]:443
RelayBandwidthRate 18 MBytes
RelayBandwidthBurst 18 MBytes
IPv6Exit 1
Exitpolicy accept *:*
ExitPolicy accept6 *:*

Starting the processes

sudo service tor@tor01 start
sudo service tor@tor02 start
sudo service tor@tor03 start
sudo service tor@tor04 start
sudo service tor@tor05 start
sudo service tor@tor06 start

Tor router configuration v2

22 July 2017

We are rearchitecting our network by eliminating the use of our ISP-provisioned /27 IP scope in order to utilize our ARIN-assigned /24. Doing so allows us to route across multiple networks with the same ASN, a requirement in order to use our ARIN-assigned IPv6 scope. For network simplification, we are also eliminating the use of NAT.

Tor router #1

Nickname EmeraldOnion01
Address tor01.emeraldonion.org
ContactInfo abuse_at_emeraldonion_dot_org
OutboundBindAddressExit 23.129.64.11
OutboundBindAddressOR 23.129.64.11
DirPort 23.129.64.11:80
ORPort 23.129.64.11:443
ORPort [2620:18c:0:1100::1]:443
RelayBandwidthRate 27.5 MBytes
RelayBandwidthBurst 27.5 MBytes
IPv6Exit 1
Exitpolicy accept *:*
ExitPolicy accept6 *:*

Tor router #2

Nickname EmeraldOnion02
Address tor02.emeraldonion.org
ContactInfo abuse_at_emeraldonion_dot_org
OutboundBindAddressExit 23.129.64.12
OutboundBindAddressOR 23.129.64.12
DirPort 23.129.64.12:80
ORPort 23.129.64.12:443
ORPort [2620:18c:0:1200::1]:443
RelayBandwidthRate 27.5 MBytes
RelayBandwidthBurst 27.5 MBytes
IPv6Exit 1
Exitpolicy accept *:*
ExitPolicy accept6 *:*

Tor router #3

Nickname EmeraldOnion03
Address tor03.emeraldonion.org
ContactInfo abuse_at_emeraldonion_dot_org
OutboundBindAddressExit 23.129.64.13
OutboundBindAddressOR 23.129.64.13
DirPort 23.129.64.13:80
ORPort 23.129.64.13:443
ORPort [2620:18c:0:1300::1]:443
RelayBandwidthRate 27.5 MBytes
RelayBandwidthBurst 27.5 MBytes
IPv6Exit 1
Exitpolicy accept *:*
ExitPolicy accept6 *:*

Tor router #4

Nickname EmeraldOnion04
Address tor04.emeraldonion.org
ContactInfo abuse_at_emeraldonion_dot_org
OutboundBindAddressExit 23.129.64.14
OutboundBindAddressOR 23.129.64.14
DirPort 23.129.64.14:80
ORPort 23.129.64.14:443
ORPort [2620:18c:0:1400::1]:443
RelayBandwidthRate 27.5 MBytes
RelayBandwidthBurst 27.5 MBytes
IPv6Exit 1
Exitpolicy accept *:*
ExitPolicy accept6 *:*

Tor router configuration v1

2 July 2017

We have started four Tor exit routers to saturate our unmetered-1Gbps, 10Gbps-burstable link.

DNS

216.176.186.131 tor01.emeraldonion.org
216.176.186.132 tor02.emeraldonion.org
216.176.186.133 tor03.emeraldonion.org
216.176.186.134 tor04.emeraldonion.org

Create instances

sudo tor-instance-create tor01
sudo tor-instance-create tor02
sudo tor-instance-create tor03
sudo tor-instance-create tor04

Tor router #1

sudo vim /etc/tor/instances/tor01/torrc
Nickname EmeraldOnion01
Address tor01.emeraldonion.org
ContactInfo abuse@emeraldonion.org
OutboundBindAddressExit 10.10.10.101
OutboundBindAddressOR 10.10.10.101
DirPort 216.176.186.131:80 NoListen
DirPort 10.10.10.101:80 NoAdvertise
ORPort 216.176.186.131:443 NoListen
ORPort 10.10.10.101:443 NoAdvertise
#ORPort [2620:18c:0:100::1]:443
RelayBandwidthRate 50 MBytes
RelayBandwidthBurst 50 MBytes
#IPv6Exit 1
Exitpolicy accept *:*
#ExitPolicy accept6 *:*

Tor router #2

sudo vim /etc/tor/instances/tor02/torrc
Nickname EmeraldOnion02
Address tor02.emeraldonion.org
ContactInfo abuse@emeraldonion.org
OutboundBindAddressExit 10.10.10.102
OutboundBindAddressOR 10.10.10.102
DirPort 216.176.186.132:80 NoListen
DirPort 10.10.10.102:80 NoAdvertise
ORPort 216.176.186.132:443 NoListen
ORPort 10.10.10.102:443 NoAdvertise
#ORPort [2620:18c:0:200::1]:443
RelayBandwidthRate 20 MBytes
RelayBandwidthBurst 20 MBytes
#IPv6Exit 1
Exitpolicy accept *:*
#ExitPolicy accept6 *:*

Tor router #3

sudo vim /etc/tor/instances/tor03/torrc
Nickname EmeraldOnion03
Address tor03.emeraldonion.org
ContactInfo abuse@emeraldonion.org
OutboundBindAddressExit 10.10.10.103
OutboundBindAddressOR 10.10.10.103
DirPort 216.176.186.133:80 NoListen
DirPort 10.10.10.103:80 NoAdvertise
ORPort 216.176.186.133:443 NoListen
ORPort 10.10.10.103:443 NoAdvertise
#ORPort [2620:18c:0:300::1]:443
RelayBandwidthRate 20 MBytes
RelayBandwidthBurst 20 MBytes
#IPv6Exit 1
Exitpolicy accept *:*
#ExitPolicy accept6 *:*

Tor router #4

sudo vim /etc/tor/instances/tor04/torrc
Nickname EmeraldOnion04
Address tor04.emeraldonion.org
ContactInfo abuse@emeraldonion.org
OutboundBindAddressExit 10.10.10.104
OutboundBindAddressOR 10.10.10.104
DirPort 216.176.186.134:80 NoListen
DirPort 10.10.10.104:80 NoAdvertise
ORPort 216.176.186.134:443 NoListen
ORPort 10.10.10.104:443 NoAdvertise
#ORPort [2620:18c:0:400::1]:443
RelayBandwidthRate 20 MBytes
RelayBandwidthBurst 20 MBytes
#IPv6Exit 1
Exitpolicy accept *:*
#ExitPolicy accept6 *:*

Start instances

sudo systemctl start tor@tor01
sudo systemctl start tor@tor02
sudo systemctl start tor@tor03
sudo systemctl start tor@tor04

Check logs

sudo journalctl --boot -u tor@tor01.service
sudo journalctl --boot -u tor@tor02.service
sudo journalctl --boot -u tor@tor03.service
sudo journalctl --boot -u tor@tor04.service

Tor changes + reloading

sudo service tor@tor01 reload
sudo service tor@tor02 reload
sudo service tor@tor03 reload
sudo service tor@tor04 reload