zzz
0) Hi
zzz
hi
eyedeekay
hi
orignal
hi
zzz
what's on the list for today?
orignal
ssu2
orignal
as you mentioned
zzz
ok that's 1)
zzz
anything else for the list?
eyedeekay
Maybe roughtime if that's in-scope
orignal
nothing
orignal
from me
orignal
telegram is Germany, but that's offtopic
eyedeekay
Or rather, time synchronization issues on Whonix
zzz
1) SSU2
zzz
as promised, I went through the proposal and made a list of what's done and what isn't
orignal
as promised I started with coding
zzz
I also split the todo list into "phase 1" and "phase 2"
zzz
where phase 1 is just the basic stuff needed to pass data
zzz
as you can see, we're pretty much done with the phase 1
zzz
and we've been stuck here since about mid-october
zzz
so we have a couple of choices
orignal
I've started from session establishment
orignal
it's clear 3 messages
zzz
a) finish up the phase 1 spec and start coding and testing;
orignal
the question
zzz
or b) finish up the whole spec first
orignal
what do we use instead of AES?
zzz
look for "header decryption"
zzz
it's chacha
orignal
so we can't reuse NTCP2 code
orignal
that's what I mean
orignal
because chacha instead of AES
zzz
yes
orignal
that's fine
orignal
just didn't want to duplicate the code
zzz
the only thing really missing from phase 1 is "header protection keys" which is just some HKDF, easy
orignal
HKDF is not easy
orignal
because it requires some params
zzz
straightforward I mean
orignal
zerokey?
orignal
or what?
zzz
I'll work on it for next week
zzz
I don't have the answer today
orignal
ашту
orignal
fine
zzz
so, do we want to spend our time coding phase 1, or working on the spec for phase 2?
zzz
or both at once?
orignal
I would finish phase 1 first
eyedeekay
I'm probably going to learn more from trying to code at this point
orignal
to establish shared key
zzz
we have the split() defined that creates k_ab and k_ba; we just need another HKDF after that for the header protection keys
zzz
I agree, let's do some coding
zzz
it's a lot easier to keep everything in my head once I have some code
dr|z3d
sure, and if finishing phase one first means you can start testing, all the better.
zzz
so, how long to have something to test? 1 month? 2 months? not a promise, just a target
eyedeekay
For me, longer is better so 2 months. This is way bigger than anything else I've tried so far
orignal
sorry got disconnected
zzz
eyedeekay, I still think you'd be better off coding NTCP2 first. it's similar yet simpler, and you have working routers out there to test against
zzz
orignal, how long to have something to test? 1 month? 2 months? not a promise, just a target
eyedeekay
Well I probably won't stop trying to do NTCP2 as well, figure I'll have more to talk about in SSU2 meetings if I try to follow along though
orignal
test what? phase 1?
zzz
yes
orignal
I'm going to finish in a couple of weeks
zzz
does that include unit testing with your code at both ends?
zzz
or coding only?
orignal
I will be able to start testing after a couple of weeks
orignal
ofc I will try both sides first
zzz
ok. I don't think I can go that fast, especially because I'm doing other things too
orignal
also I need to do it properly
orignal
if no response to SessionCreate I should try again
orignal
not a problem
zzz
I'm thinking 3-4 weeks to code, 2-3 weeks to test on my own, total 5-7 weeks before I might be ready to test with others
orignal
good plan
zzz
there's a section "handshake retransmission"
orignal
yes, I know
orignal
I just don't do it now for SSU1
orignal
so it should be more complicated than NTCP2
zzz
your question "should I try again" was about SSU1 ??
zzz
or it wasn't a question at all...
zzz
or was it about NTCP2?
orignal
no
orignal
I'm just telling what needs to be done
orignal
for NTCP2 you let TCP/IP do it
zzz
ok
orignal
as I said for SSU1 I don't care
mrt
hi
orignal
and should do it properly in SSU2
zzz
right
orignal
that's what I'm working on now
zzz
welcome mrt
mrt
ru talking 'bout freenet?
orignal
huh?
zzz
ok, so for next week I'll hopefully have the header protection keys KDFs done
zzz
and I'll start to think about coding. It may take me 2 weeks just to decide how to start :)
zzz
anything else on 1) ?
mrt
damn connection errors...
orignal
no
mrt
what is ls2?
eyedeekay
LeaseSet2, mrt this is a meeting
mrt
bout what, if im allowed to ask?
eyedeekay
I2P router development
zzz2
back
zzz2
welcome mrt
zzz2
ok, so for next week I'll hopefully have the header protection keys KDFs done
zzz2
and I'll start to think about coding. It may take me 2 weeks just to decide how to start :)
zzz2
anything else on 1) ?
mrt
so i2p has this SSU storage system too?
eyedeekay
You're thinking SSK, totally different thing
mrt
like freenet?
mrt
or is it just sth with the same name?
eyedeekay
Nothing from me zzz
mrt
oh SSK was it, my memory for those terms isn't the best, thanks for explaining!
eyedeekay
you're welcome, no problem
zzz2
2) roughtime
eyedeekay
OK so this actually came up this morning: i2pgit.org/i2p-hackers/i2p.i2p/-/issues/344
mrt
ah i remember SSU is the i2p protocol over UDP and NTCP the one over tcp, and now you just switched to version 2 of them i read somewhere i guess
eyedeekay
On Whonix, we're no longer able to talk to NTP servers, and this prevents them from being able to connect to the network
eyedeekay
This is because the traffic from the whole system is transparently proxied through Tor and NTP is UDP
mrt
i am only very happy to notice that the throughput of i2p seems to be much better than before, but maybe can also result in more peers with better internet connection or so
orignal
why can't you?
eyedeekay
Also they want to avoid MITM attacks which NTP is vulnerable to
orignal
so what's your proposal?
mrt
i have great admiration for you folks coding bringing such a great project to life, keep up the good work and don't let me disturb your meeting (sry)
orignal
to solve this timestamp problem
eyedeekay
Well I don't know yet. zzz had mentioned roughtime in the past, which is one good solution, but I'm not sure it will work for Whonix
orignal
what is roughtime?
zzz2
if whonix is going to block NTP, it's whonix's problem to make sure the container has the right time
zzz2
roughtime fixes the NTP problems, it uses merkle trees to sign the responses
eyedeekay
Do we contact NTP every time? I've only been looking it over since this morning and it seems like we do.
zzz2
unfortunately, the roughtime spec keeps changing, and the test servers out there don't support the latest spec
zzz2
what do you mean "every time" ? every what?
eyedeekay
If so, we might need to create an option for them to trust the system clock which would be set by `sdwdate` which uses onion servers with TLS certificates
eyedeekay
Every time we start the router, every time it boots up
zzz2
yes, plus periodically thereafter
zzz2
doesn't whonix do sdwdate for you?
eyedeekay
yeah they run it at a random time every hour to set the clock
orignal
i2pd doesn't do it at all
zzz2
so then we don't need to do anything
orignal
unless it's specified explicitly
orignal
is there an NTP-like service over TCP/IP?
zzz2
we need to have a good clock. we don't need for NTP to work
orignal
btw, why 30 seconds only?
eyedeekay
Hmm. OK I'll have to spend some more time on it, the report says that they're completely unable to connect but perhaps there is another reason
orignal
clock skew is most popular trouble, you know?
zzz2
the reseeds all failed, because DNS failed or is blocked
zzz2
30 seconds only for what?
orignal
clock
orignal
you check timestamp for 30 seconds only
zzz2
I think we'll accept a skew of +/- 60 seconds in SSU and NTCP2
orignal
will check
eyedeekay
They got through to incognet the first time, it must be something screwy on their side though
orignal
but why not 10 minutes or even an hour?
zzz2
orignal, because there's a lot of expiration timestamps in messages. if your clock is way off, then all the messages will either be expired or in the future
orignal
let me explain the problem
orignal
mobile users usually use network time
orignal
and sometimes it's not precise
orignal
clock skew might be few minutes
zzz2
so use NTP or some other way to get the time
orignal
yes, that's what I suggest
orignal
to turn on NTP sync in i2pd.conf
zzz2
one TCP solution: Get the time from the server Date header when reseeding
zzz2
we do that and use it as a fallback
orignal
yes
orignal
we discussed it
orignal
how about next start?
zzz2
another fallback: take the time from the first peer you connect to, hope he's not lying
orignal
sometimes first peer just closes connection
zzz2
I don't think we save the skew, so same thing every start
orignal
and not send SessionCreated back
orignal
but no reseed for next start
zzz2
yeah I forget if we send a reason code or how exactly that works
orignal
do we?
zzz2
don't remember
orignal
let me check
orignal
I'm not sure I do it
orignal
if not I will fix
orignal
but anyway
orignal
if you receive termination with clock skew
orignal
how could it help?
zzz2
you could go do NTP then
zzz2
if you don't want to enable it for everybody
orignal
NTP is not a good idea for mobile users
orignal
but please explain what I'm supposed to do in NTCP2 if I receive SessionRequest with wrong timestamp?
zzz2
eyedeekay, bottom line, java I2P inside whonix probably doesn't work, java I2P over Tor probably doesn't work, we never said it did, and I don't think we should spend any time on it
zzz2
orignal, I'll have to research it, will let you know later
orignal
thanks
orignal
let me know
zzz2
will do
orignal
and I will fix if necessary
zzz2
anything else for the meeting?
orignal
because I close connection now
orignal
we might need more mtproxies
orignal
because Germany is going to block Telegram there
zzz
germany is going to block telegram?
eyedeekay
orignal I've got a self-deploying SAM MTProxy on the back-burner but I don't think DE blocking Telegram is anything more than empty saber-rattling
mrt
yea, german is all in fear for anti-corona-idiots and is using this as excuse to fight against free internet ;(
mrt
*fear of
zzz
sounds unlikely to me too
orignal
eyedeekay it's not about Germany only
eyedeekay
I agree
orignal
we have this infrastructure from the days when Putin tried to block Telegram
mrt
i was much surprised if i had to search new non filtered dns servers after newyear, somehow my ccc dns is gone...
eyedeekay
Hence the SAM MTProto proxy, I think more need to exist, I'm just not sure this Germany thing is terribly credible
orignal
so if German government or other monkeys decided to go this way
orignal
we should be ready
mrt
isn't telegram a Russian invention?
orignal
it is
orignal
USSR invasion )))
orignal
revenge
mrt
it's pretty harmless imho if it's only a non-governmental ordered alliance of ISPs that do stuff right now just through filtering their official DNSd's but it's one step in the wrong direction
orignal
that's why people should use i2p
orignal
to not depend on such monkeys
orignal
from governments
RN_
heheh monkeys
eyedeekay
Working on it over here though > github.com/eyedeekay/mtg-i2p after I deal with a couple extant bugs it'll just be something we can stick in a plugin or a service
orignal
eyedeekay do you have a working mtproxy over i2p?
orignal
we can add it to telegram.i2p
eyedeekay
Not off my laptop yet, as soon as I put one on some real hardware I'll let you know
mrt
politics like the now called Zensursular (Ursula von der Leyen) tried to do that by law arguing with child-porn-prevention and so, but now, after they didn't make it official (law was canceled shortly after) they just make it nongovernmental so that all major ISPs are blocking stuff
orignal
I mean with 24/7 uptime
mrt
i would like to see a list what exactly is blocked at all ...
eyedeekay
mrt if they told you you could find it lol
eyedeekay
ack orignal, will let you know as soon as I've got one ready
orignal
thanks
mrt
btw, if you're talking bout telegram, do you know a way to get an account without a phone number?
orignal
usually i2p address and port is necessary
orignal
and auth key
mrt
eyedeekay, ??
orignal
mrt use one-time sms
orignal
there are bunch of services
eyedeekay
The only way I know is to get a phonenumber through something that's not a phone, there are a bunch of throwaway SMS out there, you'll need to try a few
mrt
btw, can someone give me a hint how to stop firefox to start a websearch for an .i2p domain i enter without in front of?
eyedeekay
My webextension will intercept those or you can disable HTTPS-only mode in about:config
mrt
is it bout https only mode or just cause firefox has a list of known TLDs where *.i2p. isn't part of?
eyedeekay
Probably both, Firefox is like 1.3 million lines of C++, I don't actually know for sure
mrt
i guess it's last one, otherwise it would just try to rewrite to but i am just entering sth.com and it does try to access that domain and sth.i2p and it does forward me to duckduckgo (which is default search engine of it, but not working in i2p config)
RN
turn off search in the url bar
eyedeekay
RN for the win
mrt
yea, there were times where i took time after all new firefox releases to review change log and do some about:config to it so it does things like before...
mrt
RN good idea, guess i do so, thx
mrt
but they are much too fast for me right now
RN
for convenience I re-enable the search box so you can still have that function when wanted
mrt
i am still missing the old days where firefox still could do this mighty xul addons and the url bar wasn't that unreliable with all that modern things that are supposed to be smart...
RN
are we still in a meeting or trending offtopic?
mrt
it's like t-online redirecting to its crappy search every time a DNS-result should rather put out not found
eyedeekay
I think clearly trending offtopic now
dr|z3d
mrt, try i2pdomain.i2p/
dr|z3d
note the trailing slash.
mrt
and there seems to be no easy way to turn out search in url bar...
dr|z3d
I think it became a free-for-all a while back, eyedeekay :)
mrt
i already turned off search suggestions of course ;)
eyedeekay
Yeah modern Firefox has gotten way too fancy, but XUL extensions had to die, the curation task is monumental even for the less-privileged modern extensions
mrt
yea slash behind domain is a good idea but my old brain doesn't learn new habits like this easily so i guess after i have slept, it's getting quite late here, i'll have to dig in to the about:config docs (which are also crappy thanks mozilla) and find out how to fix that right way
eyedeekay
keyword.enabled=false
mrt
yea eyedeekay , i was only really unhappy just afterwards as there were no alternative addons, right now there are mostly so it's ok...
mrt
i'll try that, thx
mrt
thanks, that worked fine eyedeekay , i once had an addon that added descriptions to the about:config settings with fulltext search...
mrt
but such deep addons are forbidden right now for "security reason"
mrt
people don't code right anymore, just forcing anything into their sandbox instead...
mrt
n8
eyedeekay
XUL was a chainsaw-juggling kit. It would be nice to reach into about:config directly, but there are excellent reasons to sandbox extensions
eyedeekay
Even non-security ones. The fact that XUL extensions could rewrite each other I mean, +5 for flexibility but -10 for stability