                    
                    
                        itsjustme
                    
                    
                        ***  pokes head in ***
                    
                
                
                    
                        itsjustme
                    
                    
                        ***  waves at dr|z3d ***
                    
                
                
                    
                        itsjustme
                    
                    
                        ***  sits back down ***
                    
                
                
                    
                        itsjustme
                    
                    
                        hello
                    
                
                
                    
                        RN
                    
                    
                        aloha itsjustme 
                    
                
                
                    
                        itsjustme
                    
                    
                        hey RN :D
                    
                
                
                    
                        itsjustme
                    
                    
                        how have you been?
                    
                
                
                    
                        itsjustme
                    
                    
                        long time no see
                    
                
                
                    
                        xeiaso
                    
                    
                        Hey hey hey itsjustme
                    
                
                
                    
                        itsjustme
                    
                    
                        hey xeiaso!
                    
                
                
                    
                        RN
                    
                    
                        I've been pretty distracted... LOL
                    
                
                
                    
                        RN
                    
                    
                        surviving mostly. 
                    
                
                
                    
                        RN
                    
                    
                        been a while since you've spoken, how's things for you?
                    
                
                
                    
                        itsjustme
                    
                    
                        Going ok here :)
                    
                
                
                    
                        itsjustme
                    
                    
                        just been busy for a while
                    
                
                
                    
                        xeiaso
                    
                    
                        >as you can see, now I have ~40k peers, ~30k floodfills and in total about of 1 million files in the I2Pd profile directory.
                    
                
                
                    
                        xeiaso
                    
                    
                        oh my i2pd
                    
                
                
                    
                        xeiaso
                    
                    
                        (not mine tho)
                    
                
                
                    
                        itsjustme
                    
                    
                        :D
                    
                
                
                    
                        orignal
                    
                    
                        ok guys. looks like nobody is interested to discuss mitigation of the attack
                    
                
                
                    
                        orignal
                    
                    
                        it's pity
                    
                
                
                    
                        xeiaso
                    
                    
                        orignal: why do you say that?
                    
                
                
                    
                        dr|z3d
                    
                    
                        what's up, orignal? anything new?
                    
                
                
                    
                        orignal
                    
                    
                        because I don't see discussion about it
                    
                
                
                    
                        xeiaso
                    
                    
                        aren't you guys discussing it on #dev?
                    
                
                
                    
                        orignal
                    
                    
                        yes, but I want Java guys be involved
                    
                
                
                    
                        orignal
                    
                    
                        basically now I consider a router as floodfill only if there was either tunnel accept or reject code from it or if it connected to me as Alice before
                    
                
                
                    
                        orignal
                    
                    
                        otherwise I put it on hold and consider it as an ordinary router until one of those happens
                    
                
                
                    
                        xeiaso
                    
                    
                        and you don't give it out as a response to a DatabaseLookup?
                    
                
                
                    
                        xeiaso
                    
                    
                        as a not found response thingy
                    
                
                
                    
                        orignal
                    
                    
                        correct
                    
                
                
                    
                        orignal
                    
                    
                        no I do if it's requested explicitly
                    
                
                
                    
                        orignal
                    
                    
                        but not in "closest" list
                    
                
                
                    
                        orignal
                    
                    
                        unfortunately we can't rely if we connected to it
                    
                
                
                    
                        xeiaso
                    
                    
                        that does look like it will fix it
                    
                
                
                    
                        orignal
                    
                    
                        due this weakness of our protocol
                    
                
                
                    
                        xeiaso
                    
                    
                        are you sure that it isn't an i2pd weakness? because I vaguely remember writing some code that could connect to i2pd but not java i2p
                    
                
                
                    
                        orignal
                    
                    
                        after short time we always have only real floodfills
                    
                
                
                    
                        orignal
                    
                    
                        no it's protocol
                    
                
                
                    
                        orignal
                    
                    
                        when you connect to Bob you never know you connect to right one
                    
                
                
                    
                        xeiaso
                    
                    
                        i see
                    
                
                
                    
                        orignal
                    
                    
                        it needs to be changed
                    
                
                
                    
                        orignal
                    
                    
                        once it's done we can also add if we connected to it
                    
                
                
                    
                        xeiaso
                    
                    
                        I noticed in ntcp2 that in SessionRequest Alice's X key is obfuscated using Bob's router hash
                    
                
                
                    
                        eyedeekay
                    
                    
                        I've been following dev but I don't read russian so I machine translate it and read it back, but re: Alice-only floodfills, I am also working on something like that by adding it to our profiling.
                    
                
                
                    
                        xeiaso
                    
                    
                        if the bob RI is spoofed then bob shouldn't properly decode Alice's X key
                    
                
                
                    
                        eyedeekay
                    
                    
                        What I am going to do is make it part of how we pick floodfills to put former alices at the top, and if there is an alice on the same IP as a non-alice we may drop the non-alices
                    
                
                
                    
                        eyedeekay
                    
                    
                        The goals being to improve selection and reduce false-positive blocking
                    
                
                
                    
                        xeiaso
                    
                    
                        Alices being inbound connections?
                    
                
                
                    
                        orignal
                    
                    
                        no, unfortunately it uses i
                    
                
                
                    
                        orignal
                    
                    
                        not Router's key from identity
                    
                
                
                    
                        xeiaso
                    
                    
                        X :: 32 bytes, AES-256-CBC encrypted X25519 ephemeral key, little endian
                    
                
                
                    
                        xeiaso
                    
                    
                                key: RH_B
                    
                
                
                    
                        orignal
                    
                    
                        attack can also copy i
                    
                
                
                    
                        eyedeekay
                    
                    
                        Alice's being peers we have connected to when they were Alice, recently, i.e. not spoofed
                    
                
                
                    
                        xeiaso
                    
                    
                                iv: As published in Bobs network database entry
                    
                
                
                    
                        xeiaso
                    
                    
                        it uses both?
                    
                
                
                    
                        orignal
                    
                    
                        sec
                    
                
                
                    
                        orignal
                    
                    
                        let me check
                    
                
                
                    
                        orignal
                    
                    
                        xeiaso very good catch
                    
                
                
                    
                        orignal
                    
                    
                        it uses Bob's ident hash as AES key
                    
                
                
                    
                        orignal
                    
                    
                        hence NTCP2 is secure
                    
                
                
                    
                        orignal
                    
                    
                        so the only problem is SSU2
                    
                
                
                    
                        eyedeekay
                    
                    
                        That's good news
                    
                
                
                    
                        xeiaso
                    
                    
                        I wouldn't know, I haven't looked at SSU2
                    
                
                
                    
                        orignal
                    
                    
                        I forgot about it though we always use i
                    
                
                
                    
                        dr|z3d
                    
                    
                        introducers?
                    
                
                
                    
                        orignal
                    
                    
                        no. "i" key in an address
                    
                
                
                    
                        xeiaso
                    
                    
                        salt
                    
                
                
                    
                        eyedeekay
                    
                    
                        one problem is just usually better than two. I also tried a less-aggressive version of mesh's aggressive floodfills idea, and increased exploratory tunnels by 2, 4, and 6, which did correlate to better bsr overall by up to 20%
                    
                
                
                    
                        xeiaso
                    
                    
                        eyedeekay: I'm guessing that's because it invalidated the garbage RIs faster.
                    
                
                
                    
                        eyedeekay
                    
                    
                        That's my hypothesis too
                    
                
                
                    
                        dr|z3d
                    
                    
                        ah, gotcha, orignal 
                    
                
                
                    
                        dr|z3d
                    
                    
                        eyedeekay: mesh's aggressive ff exclusion idea is based on observation of what I'm doing in I2P+ :)
                    
                
                
                    
                        dr|z3d
                    
                    
                        I'm seeing just how aggressive we can be right now without unwittingly banning good floodfills.
                    
                
                
                    
                        eyedeekay
                    
                    
                        Yeah some interesting stuff going on there
                    
                
                
                    
                        dr|z3d
                    
                    
                        I wasn't using the correct variable for ff bans in the selector, so the bans weren't being put in effect there. elsewhere, because I'm banning at various entry points to the netdb, but not there. now testing fixed ff selector.
                    
                
                
                    
                        dr|z3d
                    
                    
                        once I've determined it's not going to totally hose the router, I'll upload.
                    
                
                
                    
                        orignal
                    
                    
                        eyedeekay I have another idea. Just introduce IdentHash block similar to RouterInfo
                    
                
                
                    
                        orignal
                    
                    
                        kinda "brief" version
                    
                
                
                    
                        orignal
                    
                    
                        why can't we just send RouterInfo with SessionCreated
                    
                
                
                    
                        orignal
                    
                    
                        because it might not fit one packet
                    
                
                
                    
                        dr|z3d
                    
                    
                        is there where a network rekey so everyone's on compressible RIs becomes more compelling?
                    
                
                
                    
                        orignal
                    
                    
                        compressible RI might not be a solution
                    
                
                
                    
                        orignal
                    
                    
                        and we send 2 fragments from SessionConfirmed
                    
                
                
                    
                        xeiaso
                    
                    
                        orignal: you could send it in the next frame after the SessionCreated
                    
                
                
                    
                        xeiaso
                    
                    
                        and it's sent immediately after connect already
                    
                
                
                    
                        orignal
                    
                    
                        you mean Data?
                    
                
                
                    
                        xeiaso
                    
                    
                        yes as data
                    
                
                
                    
                        orignal
                    
                    
                        it's another option
                    
                
                
                    
                        eyedeekay
                    
                    
                        I don't think I can get away with an all-compressible RI switch here
                    
                
                
                    
                        eyedeekay
                    
                    
                        In any case
                    
                
                
                    
                        dr|z3d
                    
                    
                        it's something zzz raised in passing a while back when compressible RIs were introduced. I just wondered whether that's a potential piece of a solution. Do compressible RIs fit in 1 packet?
                    
                
                
                    
                        RN
                    
                    
                        because of backward compatibility?
                    
                
                
                    
                        dr|z3d
                    
                    
                        itsjustme: welcome back!
                    
                
                
                    
                        dr|z3d
                    
                    
                        RN: in essence, yes. if we force compressible RIs on the network, then older routers get left behind.
                    
                
                
                    
                        orignal
                    
                    
                        they do but you can't rely on it
                    
                
                
                    
                        xeiaso
                    
                    
                        speaking of backwards compatibility, how far back does it go?
                    
                
                
                    
                        eyedeekay
                    
                    
                        Oh jeez like, 0.9.22 or something like that, at least for regular I2P
                    
                
                
                    
                        eyedeekay
                    
                    
                        We only talk SSU to routers that old
                    
                
                
                    
                        eyedeekay
                    
                    
                        I am continually baffled as to why people run versions that old but there is a definite population out there
                    
                
                
                    
                        itsjustme
                    
                    
                        thanks dr|z3d :)
                    
                
                
                    
                        dr|z3d
                    
                    
                        all good over there, itsjustme? :)
                    
                
                
                    
                        itsjustme
                    
                    
                        yeah all is well overall. Been busy but otherwise good :) hbu?
                    
                
                
                    
                        dr|z3d
                    
                    
                        not bad, thanks, though the recent network attacks are tedious :|
                    
                
                
                    
                        itsjustme
                    
                    
                        yeah, for a while things just weren't working so I turned off i2pd for a bit
                    
                
                
                    
                        itsjustme
                    
                    
                        seems like things are working ok for now at least
                    
                
                
                    
                        dr|z3d
                    
                    
                        if you can compile your own builds, worth keeping abreast of the git repo.
                    
                
                
                    
                        dr|z3d
                    
                    
                        orignal's chasing down issues like nobody's business :)
                    
                
                
                    
                        mesh
                    
                    
                        things aren't really normal here
                    
                
                
                    
                        mesh
                    
                    
                        I've got 20k banned routers
                    
                
                
                    
                        eyedeekay
                    
                    
                        It's been an abnormal day in that way, 17k here, how things otherwise
                    
                
                
                    
                        RN
                    
                    
                        47k and 15k banned on mine
                    
                
                
                    
                        albat
                    
                    
                        hi RN :) all :)
                    
                
                
                    
                        albat
                    
                    
                        pm?
                    
                
                
                    
                        mesh
                    
                    
                        eyedeekay: it looks like the same as the previous 2-3 days... not exactly sure why people are celebrating 
                    
                
                
                    
                        mesh
                    
                    
                        eyedeekay: unusually high floodfill count followed by unusually high banned count. The number of active routers is down quite a bit
                    
                
                
                    
                        mesh
                    
                    
                        fortunately by configuring the router to be a very aggressive floodfill we're not seeing loss of connectivity. i2p services are still available
                    
                
                
                    
                        xeiaso
                    
                    
                        mesh: is there a site that shows the number of active routers like stats.i2p did?
                    
                
                
                    
                        mesh
                    
                    
                        xeiaso: you can try  i2pmetrics.i2p
                    
                
                
                    
                        eyedeekay
                    
                    
                        It is skewed by the spam right now
                    
                
                
                    
                        xeiaso
                    
                    
                        if the RIs are cloned, why does the "new" stats.i2p show tons more IPs?
                    
                
                
                    
                        eyedeekay
                    
                    
                        They're not all cloned anymore
                    
                
                
                    
                        mesh
                    
                    
                        xeiaso: a wave of fake floodfills are sending out waves of forged RIs
                    
                
                
                    
                        RN
                    
                    
                        if this was radio, we could find the frequency of the waves invert it (with a slight phase shift) amplify it and cause the source to blow up
                    
                
                
                    
                        RN
                    
                    
                        (very oversimplified version)
                    
                
                
                    
                        mesh
                    
                    
                        RN: yeah that's not how radio works at all
                    
                
                
                    
                        RN
                    
                    
                        LOL
                    
                
                
                    
                        RN
                    
                    
                        if you are close enough, yes you can pop someone's transmitter. but I did say it was oversimplified.
                    
                
                
                    
                        RN
                    
                    
                        I also neglected to mention you have to amplify to levels that are probably not legal 
                    
                
                
                    
                        RN
                    
                    
                        been there and done that
                    
                
                
                    
                        weko
                    
                    
                        [01:15:57] <eyedeekay> I've been following dev but I don't read russian so I machine translate it and read it back, but re: Alice-only floodfills, I am also working on something like that by adding it to our profiling.
                    
                
                
                    
                        weko
                    
                    
                        Anyway, what do you think about general (protocol-level) profiling rules recommendations?
                    
                
                
                    
                        not_bob
                    
                    
                        Russian is fun to learn.
                    
                
                
                    
                        weko
                    
                    
                        not_bob_afk: good night!
                    
                
                
                    
                        not_bob_afk
                    
                    
                        weko: thank you
                    
                
                
                    
                        eyedeekay
                    
                    
                        weko do you mean defining the procedures we're using to optimize the peers we connect to and making it part of the description of the netDB, or the various proposals re verifying Bob's signature? 
                    
                
                
                    
                        weko
                    
                    
                        eyedeekay: mostly first, but I think that profiles are not a part of netdb, it should be separate. General goal is 1) define full list of rules of good router and 2) describe new and better old practices of profiling. 
                    
                
                
                    
                        weko
                    
                    
                        P.S. By "Profiling" I mean any algorithms that help to not use bad and dangerous routers, protect from abuse (by general parameters and router-specific parameters). 
                    
                
                
                    
                        weko
                    
                    
                        It also can require adding some new features (like tunnel speed limitation by transits)
                    
                
                
                    
                        weko
                    
                    
                        it is necessary to fix some really stupid problems with RIs, global fix of most DDoS attacks, better connections and other improvements
                    
                
                
                    
                        T3s|4
                    
                    
                        dr|z3d:  minor stuff, but pretty sure I've used 3 of latest versions of -20+, and for each of those 3, the Build date did change, but the Revision '436631ca' did not change.  I can see on my other laptop, both the Build date and Revision have changed under -21+
                    
                
                
                    
                        dr|z3d
                    
                    
                        T3s|4: that's fairly normal for dev builds, sometimes they get uploaded before the changes are committed, so the revision won't change.
                    
                
                
                    
                        T3s|4
                    
                    
                        np dr|z3d - but been a tad bumpy ride of late ;p
                    
                
                
                    
                        dr|z3d
                    
                    
                        bumpy ride is about right. :)
                    
                
                
                    
                        dr|z3d
                    
                    
                        bump, T3s|4_, is almost 10K bans in 20m of uptime. :)
                    
                
                
                    
                        dr|z3d
                    
                    
                        *bumpy
                    
                
                
                    
                        weko
                    
                    
                        you again ban all routers? wtf with tcsr
                    
                
                
                    
                        dr|z3d
                    
                    
                        are you asking a question, weko?
                    
                
                
                    
                        weko
                    
                    
                        Can your code ban real router because fake RIs?
                    
                
                
                    
                        weko
                    
                    
                        routers*
                    
                
                
                    
                        dr|z3d
                    
                    
                        it doesn't work like that.
                    
                
                
                    
                        dr|z3d
                    
                    
                        you're talking about sybil detection. that's something entirely different.
                    
                
                
                    
                        dr|z3d
                    
                    
                        currently on the router I'm looking at there are precisely 0 bans for sybils.
                    
                
                
                    
                        orignal
                    
                    
                        xeiaso_ thanks will limit to 8
                    
                
                
                    
                        orignal
                    
                    
                        good catch
                    
                
                
                    
                        dr|z3d
                    
                    
                        I think there's a hard limit referenced in the specs, orignal 
                    
                
                
                    
                        orignal
                    
                    
                        yes
                    
                
                
                    
                        dr|z3d
                    
                    
                        7 hops max.
                    
                
                
                    
                        orignal
                    
                    
                        it's my fault that I don't check number of records
                    
                
                
                    
                        orignal
                    
                    
                        you never know number of hops
                    
                
                
                    
                        orignal
                    
                    
                        you can only check number of records that's 8
                    
                
                
                    
                        dr|z3d
                    
                    
                        great way to choke up the network, 255 hop tunnels :)