orignal
no, why?
dr|z3d
no, why? the why should be obvious.
dr|z3d
in essence, we want to be able to authenticate routers we're talking to and ban the clones.
dr|z3d
how we achieve that is an open question. but one that's been brought into focus lately.
orignal
any ideas about ssu2 proposals?
dr|z3d
in general terms, some sort of handshake to validate a router with the ip address it's publishing.
dr|z3d
I think your proposal suggests something similar.
dr|z3d
or can we put the onus on the router itself to validate its ip. also possible.
orignal
didn't read the proposals yet
dr|z3d
you wrote it with weko, the one I'm referring to. i2p-projekt.i2p/spec/proposals/165-ssu2-fix
dr|z3d
I'm thinking of a two-tier approach that covers current/future routers and older routers.
dr|z3d
current routers would validate their own ip, for old routers we'd perform a test.
orignal
maybe
orignal
how many fake routers per minute do we have now?
dr|z3d
oh, I dunno, zzz mentioned seeing over 1000 on a single ip.
orignal
<Vort> I just noticed something. There are a ton of SSU2 sessions, and they aren't clones. There are plenty of clones, but they don't end up in the list.
orignal
here we go
orignal
routers try to connect to him like to clones
orignal
and NTCP2 fails
orignal
while SSU2 doesn't
dr|z3d
some sort of hash that ties a router id to an ip address, signed by the issuing router.
dr|z3d
I mean, we're all about crypto and signing things, why not leverage that to bake in some validation?
orignal
that's exactly proposal 165
dr|z3d
is it?
orignal
it's pity that nobody has taken it seriously
dr|z3d
it's getting taken seriously. but there are a lot of caveats and potential issues in that proposal.
dr|z3d
what I'm suggesting is perhaps a variation of that. instead of validating current routers, routers validate themselves. with a test for older routers.
dr|z3d
hash the ip and router id with the router's private key or something along those lines.
dr|z3d
you don't explicitly ban routers in i2pd, or do you?
orignal
I do if IP addresses mismatch
orignal
e.g. I receive RI in SessionConfirmed and published IP doesn't match with actual connection
dr|z3d
ok, good.
dr|z3d
are you persisting those bans?
orignal
yes, in profiles
orignal
for a few hours if I remember
dr|z3d
ok, great, that's half the battle.
orignal
but the attack is not about it
weko
SSU2 ( 10099 )
weko
Everything OK, we can wait more while you discuss proposal
weko
Or maybe better discuss solutions that already suggested in proposal
orignal
we are doing well this time
zzz
hidden routers losing peers and having to reseed is a years-long issue, not yet completely solved
dr|z3d
the refresh routers job should mitigate the issue, but if you're on a crappy wireless connection, you may be inadvertently losing peers instead of refreshing them.
zzz
perhaps, but let's not put 100% of the blame on his setup, it is a generic issue too
dr|z3d
ok, fair enough. I'll just blame his setup 90% and allow 10% for sub-optimal hidden router handling. :)
dr|z3d
perhaps we could afford more latitude to hidden routers wrt RI deletion.
zzz
been on my list for a while, tough problem
dr|z3d
what about something along the lines of what I suggested to mesh earlier, but router-side. for hidden routers, instead of deleting RIs for routers that appear down, move them out of the netdb structure and then move them back in on a schedule?
dr|z3d
if the netDb is nested, then just copying them into the netDb root will get them integrated, otherwise only copy if date stamp is newer (for flat netDb)
zzz
i'd be starting with research on causes, followed by tweaks, before venturing into anything drastic
zzz
if you'd like to contribute research, that would be helpful
dr|z3d
here's how I understand the issue wrt hidden router with connectivity issues. router loses connection temporarily, though not for long enough to trigger an offline event, refresh router job carries on checking routers, routers are removed to the point the netDb is depleted.
zzz
but my tests of hidden w/o conn. issues still runs out of peers.
zzz
we also have checks to prevent removing routers when there's no connectivity
zzz
but that may not be working well
zzz
if you'd like to help test all that it would be ducky
dr|z3d
sure, but those tests may not indicate connectivity issues in the time it takes for a wifi connection to disappear and reappear. that may be one issue.
dr|z3d
as for testing, I suggest you attempt to rope mesh in, given he's the one experiencing the problem.
zzz
whatever your thesis is, go attempt to prove it
dr|z3d
I've been down this road before, which is why we all now have the router refresh job running on a cycle and not just once. I don't feel like sabotaging my connection just to test a theory. this is a job for mesh.
dr|z3d
(if you can get mesh to do anything other than complain you're a better man than me)
not_bob
0% build success!
snex
a new record!
not_bob
It's amazing!
dr|z3d
that'll be i2pd?
not_bob
Yes
not_bob
I2P+ is a bit better.
not_bob
30% or so?
dr|z3d
75% here.
dr|z3d
good time to update if you haven't recently.
not_bob
Oh, I'm trying :)
dr|z3d
that bad eh?
not_bob
Yeah
not_bob
This ssh session keeps dying too.
dr|z3d
jump into your sybils section, set the task interval to every hour, and then run new analysis.
snex
i have 79%
dr|z3d
and when you run the analysis, not_bob, keep an eye on known floodfill count.
dr|z3d
will likely drop considerably.
not_bob
That would assume I'm not running i2pd locally :)
dr|z3d
no, that would assume you're addressing your 30% build success in +
not_bob
Oh, I can barely talk to that machine currently.
not_bob
Due to my local issue.
not_bob
I'm working to resolve that now.
dr|z3d
you can also do a cap search for PfR and see what's banned. those are mostly dodgy clones.
not_bob
I just compiled a new version of i2pd which seems to be doing slightly better.
dr|z3d
anything's better than 0% :)
not_bob
Yes
dr|z3d
as for ssh, I always keep torify on ice as a backup strategy.
not_bob
As do I.
not_bob
But, the network I'm on seems to be blocking tor.
dr|z3d
oh, joy.
not_bob
Yeah...
dr|z3d
then you'll want some bridges I guess.
dr|z3d
bridges.torproject.i2p
not_bob
Yep
not_bob
I'll make it work.
dr|z3d
no doubt :)
not_bob
I've only been awake for a little bit.
not_bob
And, yes. All my hosts are accessible via tor as well.
not_bob
It's the only logical move.
RN
Did something change with the user agent filtering? I remember it used to be myob-6.66 or such
RN
<RN> (for http tunnel)
orignal
not_bob always 10% with last commit ))
orignal
if rate falls below 10% I start building tunnels through confirmed routers
snex
is that by IP or by b32? maybe we can host a signed list somewhere
not_bob
orignal: I am now running the latest build, thank you.
not_bob
How long ago was that commit?
orignal
hour ago
not_bob
Ok, I may not have that then. I'll pull again here shortly and recompile.
not_bob
Thank you.
orignal
maybe I should set a higher threshold
orignal
but now I have stable 10% rate
orignal
exactly what I set
dr|z3d
re attack, I dunno if 9 failure to respond to termination packets counts as hostile or a bug, but I'm looking at a cutoff before the router's banned for the session.
mesh
zzz: is it at all possible to see some logging in the router in regards to a specific tunnel? I noticed sometimes the router will print an error message saying it couldn't connect to the server that a tunnel points to
mesh
is it possible to see some debug logging so we know when somebody connects to a tunnel hosted by the router? when the router is then able to successfully connect to the server?
dr|z3d
check /configlogging
mesh
dr|z3d: I've done that but it's not clear how that ui gets me to seeing what happens with regards to a specific tunnel
dr|z3d
specifically the net.i2p.i2ptunnel section. HTTPServer for web tunnels, etc.
mesh
hmm
mesh
dr|z3d: which classes might you suggest for diagnosing a Standard tunnel? I'm trying to figure out why a ftp client is failing to connect over i2p to a ftp server using basic Standard tunnels
dr|z3d
also, you should be talking to zzz about how to help him with the depleting routerinfo issue you're experiencing, not asking him basic stuff like how your logs work.
dr|z3d
try I2PTunnel, debug level, see if that helps.
dr|z3d
and for future reference, set default log level to error, and if in doubt, set the entire parent class to debug and then refine your logging until you get the output you're expecting. basic stuff.
mesh
hmm ok that worked, I just set it to all classes and now I see Sockets getting closed for some reason
mesh
dr|z3d: btw, do you know what the 'Delay Connect' option on a tunnel actually does?
dr|z3d
other than what it says, no, which is why there's no tooltip explaining what it does. it delays the connection. what purpose it actually serves I can't tell you.
dr|z3d
when I overhauled the tunnel manager several years ago, that was the one thing I couldn't find an adequate explanation for.
mesh
dr|z3d: ever seen WARN […Runner 2140] ….I2PTunnelClient: Error connecting: Unsupported encryption options before?
dr|z3d
client and server don't have a shared encryption protocol. one elgamal, the other ECIES.
dr|z3d
make sure the same are specified on client and server, or just enable both on the server.
mesh
it's strange because these options don't even exist on the android i2p client
dr|z3d
enable both on the server.
mesh
wow that fixed the fucking problem
dr|z3d
then restart the tunnel.
mesh
dr|z3d: in this case the android device is the server
mesh
but I enabled both on the client (the laptop) and it worked
mesh
though hehe I suspected this would be a problem, ftp likes to open lots of data connections on other ports
dr|z3d
try passive mode if the defaults aren't working.
dr|z3d
or active, if passive is the default.
mesh
it works
mesh
this is great
dr|z3d
seeing several "Attempted mid-tunnel injection ..." warnings in a small timeframe.
orignal
I have another idea
orignal
ed25519 keys can be converted to x25519 easily
orignal
then we publish NTCP2 or SSU2 address without "s"
orignal
meaning that "s" is signing key converted to x25519
orignal
if an adversary generates a new router "s" will be different
orignal
and they can't clone just signing key because they must sign RI
orignal
profit