orignal
if I receive tunnel build request with same tunnel id, do I drop it or send reply with error code?
dr|z3d
on the java side, we drop tunnel requests we determine are hostile.
dr|z3d
eg:
dr|z3d
    if (ourId <= 0 || ourId > TunnelId.MAX_ID_VALUE ||
        nextId <= 0 || nextId > TunnelId.MAX_ID_VALUE) {
        _context.statManager().addRateData("tunnel.rejectHostile", 1);
        if (_log.shouldWarn())
            _log.warn("Dropping hostile build request, BAD Tunnel ID: " + req);
        if (from != null) {
            _context.commSystem().mayDisconnect(from);
            _context.banlist().banlistRouter(from, " <b>➜</b> HostileTunnel Request (BAD Tunnel ID)", null, null, _context.clock().now() + bantime);
            _log.warn("Temp banning [" + from.toBase64().substring(0,6) + "] for " + period +
                      "m -> Hostile tunnel request (BAD TunnelID)");
        }
        return;
    }
dr|z3d
banning the router is optional, canon doesn't, cannon does.
dr|z3d
(temp ban)
dr|z3d
orignal: git.idk.i2p/i2p-hackers/i2p.i2p/-/blob/master/router/java/src/net/i2p/router/tunnel/pool/BuildHandler.java
zzz
same tunnel id as what?
dr|z3d
got what the router's reporting as a forged RouterInfo here, seen a couple of those reported in the last few days
zzz
^^^ orignal 12 introducers ?!?!?
dr|z3d
12 introducers for an X tier floodfill no less.
orignal
we never publish more than 3
orignal
zzz, so I receive tunnel build request with record and my tunnelid I'm supposed to use for it
orignal
then I find there is another transit tunnel with same id already
zzz
send reject, you can't let somebody steal somebody else's tunnel, of course!
orignal
what do I do with it? Drop or reject?
zzz
we reject
zzz
    // Dup Tunnel ID. This can definitely happen (birthday paradox).
    // Probability in 11 minutes (per hop type):
    // 0.1% for 2900 tunnels; 1% for 9300 tunnels
    response = TunnelHistory.TUNNEL_REJECT_BANDWIDTH;
zzz
orignal, do you let tunnels get stolen now?
orignal
zzz what reject code? 30 or 10?
orignal
what do you mean "stolen"?
zzz
I see target LS with IBGW, I send tunnel build to IBGW with same ID. Do you detect the duplicate now, or do you send me all the target's traffic?
zzz
<zzz> response = TunnelHistory.TUNNEL_REJECT_BANDWIDTH;
orignal
right now I accept
orignal
but use old one
orignal
that's definitely a bug
orignal
so, code 30, right?
orignal
when do you send code 10?
zzz
30
zzz
10 is during rapid increase in tunnels
zzz
ok, so please verify, it is NOT possible to steal a tunnel?
orignal
100%
orignal
not possible to steal
zzz
but if there IS a dup, my traffic will go to somebody else?
orignal
just send 0 instead of 30
orignal
tell me in which case I should send 10
orignal
yes
zzz
lets finish the dup discussion first
orignal
it will go through original tunnel
zzz
ok, so I need to prevent i2pd from being my IBGW?
orignal
as it published in LS
orignal
why?
zzz
I don't want my traffic going to the wrong guy
orignal
you build a tunnel
orignal
I'm IBGW
orignal
it will not
zzz
other way
orignal
that's what I'm trying to say
orignal
an adversary tries to steal a tunnel
zzz
somebody else builds tunnel through you as IBGW
zzz
then I build tunnel through you with same ID
zzz
my traffic goes to other guy
zzz
not an attack, just bad luck
zzz
<zzz> // Dup Tunnel ID. This can definitely happen (birthday paradox).
zzz
<zzz> // Probability in 11 minutes (per hop type):
zzz
<zzz> // 0.1% for 2900 tunnels; 1% for 9300 tunnels
orignal
how can you build with the same id unintentionally?
orignal
I will just fix it
orignal
30 instead of 0
zzz
sure, but I think I need to avoid i2pd as IBGW
orignal
why?
zzz
I don't want any chance of my traffic going to somebody else
orignal
it works for many years
orignal
and will be fixed in the next release
zzz
it's a security issue I think
orignal
have you ever seen somebody else's traffic?
zzz
I get decrypt fails all the time
orignal
me too
orignal
but there are bunch of other reasons
zzz
hmm. actually I'd have to avoid i2pd for all hops, not just ibgw
orignal
nice ))
zzz
not ideal
orignal
as I said wait for the next release
zzz
I'll have to think about it
dr|z3d
how you getting on with those bloom filters, orignal?
orignal
in this case that guys will not be able to decrypt your traffic
orignal
because only you can
orignal
dr|z3d will implement in few days
dr|z3d
great stuff
zzz
right
orignal
we can also make 2.45.1 with bloom filter and transit tunnels fixes
zzz
you're at 2.3% of network now
orignal
yes, and you can see stabilization of creating rate now
orignal
*creation
orignal
people are slow with updates
orignal
but big routers update
orignal
d
orignal
30-40% now
orignal
vs. 10-20 last week
zzz
why do you think it improved so much?
orignal
because new i2pd routers can process much more traffic
orignal
and no 2500 transit cap
orignal
it's 5000 for regular and 10000 for floodfill
zzz
but it's a small % of the network
orignal
hence less chance that tunnel build get rejected
orignal
maybe Java nodes have less load
orignal
now
zzz
no change in avg. part. tunnels
orignal
then how do you explain it?
orignal
still bunch of transit
orignal
and still a lot of traffic
zzz
your build limiter?
orignal
but rate is higher
orignal
as I mentioned before 4 tunnels at the time per dest
orignal
regardless of actual quantity
zzz
so, if you were spamming tunnel builds before and getting rejected all the time, that's why
orignal
number of transit tunnels is the same
orignal
on my routers
zzz
remember, your SSU2 session request failed one chance in 16, so that's 6% right there, plus 6% for every other i2pd router in the tunnel or reply tunnel (if not connected before and using SSU2)
zzz
the X routers report a big drop in tunnels starting about 48 hours ago
orignal
so you think that abuser got updated?
zzz
you can check, drz gave you the router hashes
orignal
implemented filter for SSU2
obscuratus
orignal: Thanks, I'll give the latest a spin on my testing network.
orignal
obscuratus it's not complete yet
orignal
SSU2 only
orignal
also need to implement it for tunnels
orignal
but should be better anyway
obscuratus
orignal: OK.
zzz
I predict the SSU2 filter will fix 99.9% of the issues in a testnet
zzz
it's hard to think of a scenario where an IBGW filter would catch much if everybody has a SSU2 filter
orignal
maybe
orignal
zzz you promised to tell about code 10