#ls2 (irc2p) | #ls2 I2P Protocol Development Discussion - Next Meeting Monday, October 9th 6:30 UTC | major

👮 major

✅ irc2p

#i2p-dev #i2pd-dev #ls2 #saltr

✅ ilita

#4rum #acetonevideo #dev #retroshare #torrent #video2p

#ls2

/2023/01/05

Online: 22

@eyedeekay

+R4SAS

+RN

+RN_

+Xeha

+orignal

FreeRider

Irc2PGuest22478

Irc2PGuest48042

Onn4l7h

Onn4|7h

T3s|4_

aargh3

acetone_

anon4

eyedeekay_bnc

not_bob_afk

profetikla

shiver_1

u5657

weko_

x74a6

orignal if I receive tunnel build request with same tunnel id, do I drop it or send reply with error code?

dr|z3d on the java side, we drop tunnel requests we determine are hostile.

dr|z3d eg:

dr|z3d if (ourId <= 0 || ourId > TunnelId.MAX_ID_VALUE ||

dr|z3d nextId <= 0 || nextId > TunnelId.MAX_ID_VALUE) {

dr|z3d _context.statManager().addRateData("tunnel.rejectHostile", 1);

dr|z3d if (_log.shouldWarn())

dr|z3d _log.warn("Dropping hostile build request, BAD Tunnel ID: " + req);

dr|z3d if (from != null) {

dr|z3d _context.commSystem().mayDisconnect(from);

dr|z3d _context.banlist().banlistRouter(from, " <b>➜</b> HostileTunnel Request (BAD Tunnel ID)", null, null, _context.clock().now() + bantime);

dr|z3d _log.warn("Temp banning [" + from.toBase64().substring(0,6) + "] for " + period +

dr|z3d "m -> Hostile tunnel request (BAD TunnelID)");

dr|z3d }

dr|z3d return;

dr|z3d }

dr|z3d banning the router is optional, canon doesn't, cannon does.

dr|z3d (temp ban)

dr|z3d orignal: git.idk.i2p/i2p-hackers/i2p.i2p/-/blob/master/router/java/src/net/i2p/router/tunnel/pool/BuildHandler.java

zzz same tunnel id as what?

dr|z3d got what the router's reporting as a forged RouterInfo here, seen a couple of those reported in the last few days

dr|z3d zzz: cake.i2p/view/B6fKWdmI6K_d4Bu0Tovci6ReIOGtgkpBPXYWtQdQz_Oie8gMscu6/B6fKWdmI6K.txt

zzz ^^^ orignal 12 introducers ?!?!?

dr|z3d 12 introducers for an X tier floodfill no less.

orignal we never publish more than 3

orignal zzz, so I receive tunnel build request with record and my tunnelid I'm supposed to use for it

orignal then I find there is another transit tunnel with same id already

zzz send reject, you can't let somebody steal somebody else's tunnel, of course!

orignal what I do with ti? Drop or reject?

zzz we reject

zzz // Dup Tunnel ID. This can definitely happen (birthday paradox).

zzz // Probability in 11 minutes (per hop type):

zzz // 0.1% for 2900 tunnels; 1% for 9300 tunnels

zzz response = TunnelHistory.TUNNEL_REJECT_BANDWIDTH;

zzz orignal, do you let tunnels get stolen now?

orignal zzz what reject code? 30 or 10?

orignal what do you mean "stolen"?

zzz I see target LS with IBGW, I send tunnel build to IBGW with same ID. Do you detect the duplicate now, or do you send me all the target's traffic?

zzz <zzz> response = TunnelHistory.TUNNEL_REJECT_BANDWIDTH;

orignal right now I accept

orignal but use old one

orignal that's definitly bug

orignal so, code 30, right?

orignal when do you sedn code 10?

zzz 30

zzz 10 is during rapid increase in tunnels

zzz ok, so please verify, it is NOT possible to steal a tunnel?

orignal 100%

orignal not possible to steal

zzz but if there IS a dup, my traffic will go to somebody else?

orignal just send 0 instead 30

orignal tell me in which case I should send 10

orignal yes

zzz lets finish the dup discussion first

orignal it will go through original tunnel

zzz ok, so I need to prevent i2pd from being my IBGW?

orignal as it published in LS

orignal why?

zzz I don't want my traffic going to the wrong guy

orignal you build a tunnel

orignal I'm IBGW

orignal it will not

zzz other way

orignal that's what I'm trying to say

orignal an advesary tries to steal tunnel

zzz somebody else builds tunnel through you as IBGW

zzz then I build tunnel through you with same ID

zzz my traffic goes to other guy

zzz not an attack, just bad luck

zzz <zzz> // Dup Tunnel ID. This can definitely happen (birthday paradox).

zzz <zzz> // Probability in 11 minutes (per hop type):

zzz <zzz> // 0.1% for 2900 tunnels; 1% for 9300 tunnels

orignal how can you build with the same id unintentionally?

orignal I will just fix it

orignal 30 instead 0

zzz sure, but I think I need to avoid i2pd as IBGW

orignal why?

zzz I don't want any chance of my traffic going to somebody else

orignal it works for many years

orignal and will be fiex in the next release

zzz it's a security issue I think

orignal have you ever seen sombebody else's traffic?

zzz I get decrypt fails all the time

orignal me too

orignal but there are bunch of other reasons

zzz hmm. actually I'd have to avoid i2pd for all hops, not just ibgw

orignal nice ))

zzz not ideal

orignal as I said wait for the next release

zzz I;ll have to think about it

dr|z3d how you getting on with those bloom filters, orignal?

orignal in this case that guys will not be able to decrypt your traffic

orignal because only you can

orignal dr|z3d will implement in few days

dr|z3d great stuff

zzz right

orignal we can also make 2.45.1 with bloom filter and transit tunnels fixes

zzz you're at 2.3% of network now

orignal yes, and you can see stabilization of creating rate now

orignal *creation

orignal people are slow with updates

orignal but big routers update

orignal d

orignal 30-40% now

orignal vs. 10-20 last week

zzz why do you think it improved so much?

orignal because new i2pd routers can process much more traffic

orignal and no 2500 transit cap

orignal it's 5000 for regular and 10000 for floodfill

zzz but it's a small % of the network

orignal hence less chance that tunnel build get rejected

orignal maybe Java nodes have less load

orignal now

zzz no change in avg. part. tunnels

orignal then how do you explain it?

orignal still bunch of transit

orignal and still a lot of traffic

zzz your build limiter?

orignal but rate is higher

orignal as I mentioned before 4 tunnels at the time per dest

orignal regardless actual quatity

zzz so, if you were spamming tunnel builds before and getting rejected all the time, that's why

orignal number of trabsit tunnels is the same

orignal on my routers

zzz remember, your SSU2 session request failed one chance in 16, so that's 6% right there, plus 6% for every other i2pd router in the tunnel or reply tunnel (if not connected before and using SSU2)

zzz the X routers report a big drop in tunnels starting about 48 hours ago

zzz stats.i2p/cgi-bin/parttunnels-week.cgi

orignal so you think that abuser got updated?

zzz you can check, drz gave you the router hashes

orignal implemented filter for SSU2

obscuratus orignal: Thanks, I'll give the lastest a spin on my testing network.

orignal obscuratus it's not complete yet

orignal SSU2 only

orignal also need to implement it for tunnels

orignal but should be better anyway

obscuratus orignal: OK.

zzz I predict the SSU2 filter will fix 99.9% of the issues in a testnet

zzz it's hard to think of a scenario where an IBGW filter would catch much if everybody has a SSU2 filter

orignal maybe

orignal zzz you promised to tell about code 10