@eyedeekay
+R4SAS
+RN
+RN_
+T3s|4
+Xeha
+acetone
+orignal
+weko
Irc2PGuest5995
Irc2PGuest89954
Leopold_
Onn4l7h
Onn4|7h
T3s|4_
aargh2
anon2
eyedeekay_bnc
hk
not_bob_afk
profetikla
shiver_
u5657
x74a6
zzz
what we do: SSU2 tells NTCP2 what the external port is
dr|z3d
interesting looking at the 2-tiered approach to banning peers making excessive tunnel requests.
dr|z3d
first they get rejected, and for a good proportion of peers, that's sufficient to make them back off.
dr|z3d
a few peers, however, keep going, and then they get temp banned for 1/2 hour. seems pretty effective, especially when targetting L/unreachable peers.
dr|z3d
very rarely seeing high b/w tier routers getting snagged, their budget is higher.
dr|z3d
the policy isn't totally removing the part tunnel spikes, but when they do occur, they're much less pronounced.
dr|z3d
A sample with obfuscated timestamps: cake.i2p/view/vA4kBxKyx1_qRqtvUUwza0wkESOSYczgQcxPemjG8_r2Lg9BTWt4/vA4kBxKyx1.txt
zzz
bitcoin jonatack doc change PR, please review/comment github.com/bitcoin/bitcoin/pull/26838/files
dr|z3d
looking better.
dr|z3d
"It is possible, though strongly discouraged, to change your I2P router
dr|z3d
configuration to limit the amount of I2P traffic relayed by your node."
dr|z3d
that's good, but then he keeps the sample config for i2pd the same as it was before. not good. there's no scenario where limiting transit tunnels to 20 works.
dr|z3d
limiting transit tunnels to 500 often results in a poorly performing router, at least on java.
dr|z3d
he also wants a section in there to encourage port forwarding where required, to avoid being firewalled, for optimal router performance.
dr|z3d
still, progress.
Xeha
amount of transit tunnels should be at least the same amount they consume
dr|z3d
can you do me a favor, zzz, and confirm or deny my theory that MAX_BAD_REPLIES_PER_HOUR in ProfileOrganizer will prevent the attack of a 1000 malformed routers?
Xeha
otherwise they're leechers
dr|z3d
*malformed RIs
dr|z3d
he's added something about that, Xeha, though more clarity wouldn't hurt. "It is also
dr|z3d
important that the nodes of a popular application like Bitcoin contribute more
dr|z3d
to the I2P network than they consume."
Xeha
50% share AND 20 transittunnels, thats just pure leeching
dr|z3d
that's my point. I think it's probably best for zzz to carry on communicating with the dev on that ticket, no sense everyone piling in.
dr|z3d
he should probably be advised that changing either b/w share _OR_ transit tunnels is sufficient to constrain b/w usage, and that 1000 tunnels minimum or 80% share of 256KB/s if the b/w is available is a reasonable config.
zzz
dr|z3d, looks like "deny" - peerSendsBadReplies() is used in only one place, to skip them for a netdb verify
zzz
and, ofc, you don't know where a DSM came from anyway, it's not necessarily a "reply"
dr|z3d
ok, zzz, thanks. maybe that method could be extended and made a bit more robust, or not.
zzz
well, most of the reply stuff is commented out, but in any case, of course, it's for replies to lookups, and it definitely won't kick in for unsolicited stores, where you don't and can't know the source
dr|z3d
we're throttling unsolicited stores in OutboundMessageDistributor.
dr|z3d
MAX_ROUTERS_PER_PERIOD specifically, no?
zzz
re: bitcoin ticket, no, I don't want to be the only one commenting or the sole representative of the community advising on best practices, esp. when the primary router used is i2pd
dr|z3d
up to you, but it's probably going to carry much more weight if you act as the i2p emissary.
zzz
sure, but I can't become the i2pd whisperer
dr|z3d
just remove i2pd from the equation when you're formulating your responses, the recommendations in that doc, though they're more weighted towards i2pd, are applicable to the whole network.
zzz
if you don't want to contribute over there, fine, but please don't discourage others
dr|z3d
no where am I discouraging others from contributing, I've all along been suggesting that you carry on the dialog with suggestions for how to improve the documentation. if you don't want to assume that role, that's fine, but don't make me the bogeyman.
zzz
ok, I misunderstood. I'll weigh in when I get a chance, maybe after it shakes out a little more
zzz
anybody know if the btc protocol has a flag that says 'outbound only' ?
zzz
or will a router with 10 address get all of them gossipped around and everybody will try to connect to all 10?
dr|z3d
ok, great. you've got jonatack's attention and he's listening to your suggestions is really all I'm saying. we don't want to dilute that if at all possible. you're essentially in the driving seat :)
zzz
more drivers wouldn't hurt imho
orignal
weko can you test it?
weko
Test what?
orignal
that your NTCP2 is reachable though the port SSU2 tell you
weko
I can I think
orignal
that's the good question
orignal
please try
weko
Okay
weko
I need rebuild
orignal
no, just use nc
orignal
check port you receive packet from
orignal
and hit TCP port on that box
weko
orignal: no i cant connect with port that i recieve from SSU2 peertest
weko
with my congif port i can
weko
config*
orignal
zzz, so it wouldn't work
zzz
interesting. we would not handle that well.
zzz
dr|z3d, I commented on the PR
orignal
zzz so what should we do in this case?
orignal
basically what port should be publised for SSU2 address
zzz
whatever port works
zzz
the internal/external port concept is still a good one for SSU2
zzz
if the NAT does something different for UDP and TCP, that's a separate issue
Xeha
zzz: could have mentioned the transit tunnels too...
zzz
they do have i2pd-specific changes in the PR Xeha, I'll leave the i2pd people to comment on that if they want
zzz
when I said "limits" I meant both bandwidth and tunnels
orignal
what do you do if real endpoint doesn't match publised endpoint?
zzz
for NTCP2?
orignal
for SSU2
orignal
TCP alsways uses ephemeral ports
zzz
we look at the session created. If two peers agree, we change published endpoint
zzz
subject to all the limitations I listed yesterday
orignal
how about SessionConfirmed?
orignal
shouldn't we check it when we receive actual RI?
zzz
I don't know. A lot of our code on this is 20 years old and pretty fragile
orignal
my concerte question is
orignal
can we leave port as is if we received msg 5
zzz
yes, that's my recommendation in zzz.i2p/topics/3489
orignal
fine
orignal
let's go this way
zzz
:)
orignal
will just show error status "Cone NAT"
zzz
"Full cone NAT" en.wikipedia.org/wiki/Symmetric_NAT
zzz
vs. restricted
zzz
ru flavor without pictures :) ru.wikipedia.org/wiki/NAT
orignal
I know
orignal
just telling what I'm going to do
zzz
it's too bad ru wiki doesn't get pictures though
orignal
I'm able o read english )))
zzz
:)