IRCaBot 2.1.0
GPLv3 © acetone, 2021-2022
#saltr
/2023/05/02
orignal obscuratus because we have a drwaback in Noise protocol
orignal we never verify if we connect to the same Bob we are supposed to
orignal so our new filter is in place now
obscuratus orignal: Thanks
orignal we did this analisys they just copy content of original routers as is
orignal even with E caps
orignal what we need to work with eyedeekay is protocol externsion
orignal we need to include some blocks into SSU2 and NTCP2 handshake messages
dr|z3d yeah, you're right about that. the only thing that differs is the router hash, orignal. I've seen my own ip spoofed in my own netdb.
orignal Vort seeb his own 53 times
eyedeekay I agree but I think we need to do both, ploink Bobs who don't match an already observed Alice's router hash and also modify the handshake to verify Bob
dr|z3d There are also a huge number of RIs being seeded with fake ips by the look of things.
obscuratus Yeah, that's another simple attack that plays to our sybil implementation. You don't even need to mimick a router, just plop a whole buch of random routers on the same IP.
orignal <orignal_> real routers?
orignal <orignal_> but nobody builds a tunnel trough routers with same IP
obscuratus orignal: They don't need to be real routers. Sybil will ban them because too many RI entries with the same IP.
orignal and again
orignal you will ban real floodfills during this attack
orignal see the weakness of your algorithm?
obscuratus orignal: I see your point, but we need to have something to keep an adversary from setting up multiple real FF routers on a single IP.
orignal you need to have a way to differentiate real and fake routers
orignal that's all you need
obscuratus Hhhhmmm, a different sybil penalty for FF we've actually contacted, and lower penalty (or none) for routers we've never heard from.
orignal maybe my solution is not prefect but works well now
orignal I consider router as real once it connects as Alice
orignal in this case I can verify it's IP and also I verify RI signature in SessionConfirmed
orignal and I assicuate this router hash with static key
orignal and drop others with this static key
obscuratus I'll confess my understanding of the crypto with respect to RI needs work, but we've got to find a way to make sure the Bob we contact is the Bob we intended to contract.
obscuratus Then we can add Bobs we've contacted to that list also.
obscuratus s/contract/contact/
orignal yes, and this is the weakness of current protocol
orignal you can't now
orignal that's why I propose to send Bob's ident hash with SessionCreated
eyedeekay Yes we need a way to do that but it's also a pretty significant change which will take time to carry out correctly IMO. Having a good way to identify the attacker's RI's without collateral damage is something we can do in the meantime
orignal eyedeekay no, it's just an aextyra block that wouldn't break the protocol
eyedeekay I'm not saying no, I'm just saying I have to consider certain aspects of such a change in light of what canon I2P has to do re: backward-compatibility, time to think about it is all I need
orignal please look at PeerTest message
orignal good example that it has signature of all parties
orignal I would introduce an addition block type "signature"
eyedeekay I will, actually I already started looking at it
orignal we need something similar to what we had in SSU1
not_bob I think this is a good solutin. A way to test if the host really is the host it says it is.
not_bob Is there a way to ask the host a question with the current way it works? So we have backwards compatablity?
orignal well routers send update routerinfos through sessions
orignal but it you receive routerinfo nobody guarantees it must be peer's
orignal plus it's not fast
orignal as I remeber once in 20 minutes or so
not_bob That's too slow.
orignal ofc you can always send DatabaseLookup with your peer's ident
orignal but even if you get a reposponse it doesn't mean it's peer's RI
not_bob True, would that validate the router?
orignal we deinitly need to send it with SessionCreated like we didn in SSU1
RN what about if the peer has changed IP address?
orignal depends on if it's SSU2 or NTCP23
snowflakes hewwo guys. anyone have a waves in stacking? (leasing) antebeot.i2p/wavesnode/wavesnode
RN you what now?
RN that link is screwy
xeiaso it's better to give the b32 in case people don't have your site in their addressbook
RN I'm also curious about the duble /wavesnode/
not_bob i2pd is working better now that it had been.
not_bob But, still nowhere near normal.
not_bob i2pd tunnel builds are now closer to 20% on average.
not_bob I2P+ is doing better, but not by much.
not_bob 40-50% currently. Much more usable.
orignal the network is still full or shit
RN more attacks, or leftover garbage in netdb?
mesh RN: something's going on it seems
obscuratus Everything looks pretty normal on my raouter. What are you guys seeing?
RN Canon: 65% I2P+ 42%
mesh obscuratus: bandwidth spikes combined with something else
obscuratus mesh: OK, thanks.
RN there was an increase in peerFailedLookupRate some hours ago, but looking normal now
not_bob Still shit here.
not_bob Somewhat usable, but not good.
RN Canon down to 36% and i2p+ 12%
RN banned around 2k and 1.7k
RN (I reset at some point yesterday)
dr|z3d not quite as bad as it was, but not cleansed of the crap fo' sure.
RN so, restarting clears most of the bans, but doesn't clean the netdb, right?