IRCaBot 2.1.0
GPLv3 © acetone, 2021-2022
#saltr
/2024/04/22
orignal no, why?
dr|z3d no, why? the why should be obvious.
dr|z3d in essence, we want to be able to authenticate routers we're talking to and ban the clones.
dr|z3d how we achieve that is an open question. but one that's been brought into focus lately.
orignal any ideas about ssu2 proposals?
dr|z3d in general terms, some sort of handshake to validate a router with the ip address it's publishing.
dr|z3d I think your proposal suggests something similar.
dr|z3d or can we put the onus on the router itself to validate its ip. also possible.
orignal didn't read the proposals yet
dr|z3d you wrote it with weko, the one I'm referring to. i2p-projekt.i2p/spec/proposals/165-ssu2-fix
dr|z3d I'm thinking of a two-tier approach that covers current/future routers and older routers.
dr|z3d current routers would validate their own ip, for old routers we'd perform a test.
orignal maybe
orignal how many fake routers per minute do we have now?
dr|z3d oh, I dunno, zzz mentioned seeing over 1000 on a single ip.
orignal <Vort> I noticed something just now. A shitload of SSU2 sessions, and they're not clones. There are a lot of clones, but they don't make it into the list.
orignal here we go
orignal routers try to connect to him like to clones
orignal and NTCP2 fails
orignal while SSU2 doesn't
dr|z3d some sort of hash that ties a router id to an ip address, signed by the issuing router.
dr|z3d I mean, we're all about crypto and signing things, why not leverage that to bake in some validation?
orignal that's exactly proposal 165
dr|z3d is it?
orignal it's a pity that nobody has taken it seriously
dr|z3d it's getting taken seriously. but there are a lot of caveats and potential issues in that proposal.
dr|z3d what I'm suggesting is perhaps a variation of that. instead of validating current routers, routers validate themselves. with a test for older routers.
dr|z3d hash the ip and router id with the router's private key or something along those lines.
dr|z3d you don't explicitly ban routers in i2pd, or do you?
orignal I do if IP addresses mismatch
orignal e.g. I receive RI in SessionConfirmed and the published IP doesn't match the actual connection
dr|z3d ok, good.
dr|z3d are you persisting those bans?
orignal yes, in profiles
orignal for a few hours if I remember
dr|z3d ok, great, that's half the battle.
orignal but the attack is not about it
weko SSU2 ( 10099 )
weko Everything OK, we can wait more while you discuss proposal
weko Or maybe better discuss solutions that are already suggested in the proposal
orignal we are doing well this time
zzz hidden routers losing peers and having to reseed is a years-long issue, not yet completely solved
dr|z3d the refresh routers job should mitigate the issue, but if you're on a crappy wireless connection, you may be inadvertently losing peers instead of refreshing them.
zzz perhaps, but let's not put 100% of the blame on his setup, it is a generic issue too
dr|z3d ok, fair enough. I'll just blame his setup 90% and allow 10% for sub-optimal hidden router handling. :)
dr|z3d perhaps we could afford more latitude to hidden routers wrt RI deletion.
zzz been on my list for a while, tough problem
dr|z3d what about something along the lines of what I suggested to mesh earlier, but router-side. for hidden routers, instead of deleting RIs for routers that appear down, move them out of the netdb structure and then move them back in on a schedule?
dr|z3d if the netDb is nested, then just copying them into the netDb root will get them integrated, otherwise only copy if date stamp is newer (for flat netDb)
zzz i'd be starting with research on causes, followed by tweaks, before venturing into anything drastic
zzz if you'd like to contribute research, that would be helpful
dr|z3d here's how I understand the issue wrt hidden router with connectivity issues. router loses connection temporarily, though not for long enough to trigger an offline event, refresh router job carries on checking routers, routers are removed to the point the netDb is depleted.
zzz but my tests of hidden w/o conn. issues still run out of peers.
zzz we also have checks to prevent removing routers when there's no connectivity
zzz but that may not be working well
zzz if you'd like to help test all that it would be ducky
dr|z3d sure, but those tests may not indicate connectivity issues in the time it takes for a wifi connection to disappear and reappear. that may be one issue.
dr|z3d as for testing, I suggest you attempt to rope mesh in, given he's the one experiencing the problem.
zzz whatever your thesis is, go attempt to prove it
dr|z3d I've been down this road before, which is why we all now have the router refresh job running on a cycle and not just once. I don't feel like sabotaging my connection just to test a theory. this is a job for mesh.
dr|z3d (if you can get mesh to do anything other than complain you're a better man than me)
not_bob 0% build success!
snex a new record!
not_bob It's amazing!
dr|z3d that'll be i2pd?
not_bob I2P+ is a bit better.
not_bob 30% or so?
dr|z3d 75% here.
dr|z3d good time to update if you haven't recently.
not_bob Oh, I'm trying :)
dr|z3d that bad eh?
not_bob This ssh session keeps dying too.
dr|z3d jump into your sybils section, set the task interval to every hour, and then run new analysis.
snex i have 79%
dr|z3d and when you run the analysis, not_bob, keep an eye on known floodfill count.
dr|z3d will likely drop considerably.
not_bob That would assume I'm not running i2pd locally :)
dr|z3d no, that would assume you're addressing your 30% build success in +
not_bob Oh, I can barely talk to that machine currently.
not_bob Due to my local issue.
not_bob I'm working to resolve that now.
dr|z3d you can also do a cap search for PfR and see what's banned. those are mostly dodgy clones.
not_bob I just compiled a new version of i2pd which seems to be doing slightly better.
dr|z3d anything's better than 0% :)
dr|z3d as for ssh, I always keep torify on ice as a backup strategy.
not_bob As do I.
not_bob But, the network I'm on seems to be blocking tor.
dr|z3d oh, joy.
not_bob Yeah...
dr|z3d then you'll want some bridges I guess.
dr|z3d bridges.torproject.i2p
not_bob I'll make it work.
dr|z3d no doubt :)
not_bob I've only been awake for a little bit.
not_bob And, yes. All my hosts are accessible via tor as well.
not_bob It's the only logical move.
RN Did something change with the user agent filtering? I remember it used to be myob-6.66 or such
RN <RN> (for http tunnel)
orignal not_bob always 10% with last commit ))
orignal if rate falls below 10% I start building tunnels through confirmed routers
snex is that by IP or by b32? maybe we can host a signed list somewhere
not_bob orignal: I am now running the latest build, thank you.
not_bob How long ago was that commit?
orignal hour ago
not_bob Ok, I may not have that then. I'll pull again here shortly and recompile.
not_bob Thank you.
orignal maybe I should set a higher threshold
orignal but now I have stable 10% rate
orignal exactly what I set
dr|z3d re attack, I dunno if 9 failures to respond to termination packets counts as hostile or a bug, but I'm looking at a cutoff before the router's banned for the session.
mesh zzz: is it at all possible to see some logging in the router in regards to a specific tunnel? I noticed sometimes the router will print an error message saying it couldn't connect to the server that a tunnel points to
mesh is it possible to see some debug logging so we know when somebody connects to a tunnel hosted by the router? when the router is then able to successfully connect to the server?
dr|z3d check /configlogging
mesh dr|z3d: I've done that but it's not clear how that ui gets me to seeing what happens with regards to a specific tunnel
dr|z3d specifically the net.i2p.i2ptunnel section. HTTPServer for web tunnels, etc.
mesh hmm
mesh dr|z3d: which classes might you suggest for diagnosing a Standard tunnel? I'm trying to figure out why an ftp client is failing to connect over i2p to an ftp server using basic Standard tunnels
dr|z3d also, you should be talking to zzz about how to help him with the depleting routerinfo issue you're experiencing, not asking him basic stuff like how your logs work.
dr|z3d try I2PTunnel, debug level, see if that helps.
dr|z3d and for future reference, set default log level to error, and if in doubt, set the entire parent class to debug and then refine your logging until you get the output you're expecting. basic stuff.
mesh hmm ok that worked, I just set it to all classes and now I see Sockets getting closed for some reason
mesh dr|z3d: btw, do you know what the 'Delay Connect' option on a tunnel actually does?
dr|z3d other than what it says, no, which is why there's no tooltip explaining what it does. it delays the connection. what purpose it actually serves I can't tell you.
dr|z3d when I overhauled the tunnel manager several years ago, that was the one thing I couldn't find an adequate explanation for.
mesh dr|z3d: ever seen WARN […Runner 2140] ….I2PTunnelClient: Error connecting: Unsupported encryption options before?
dr|z3d client and server don't have a shared encryption protocol. one elgamal, the other ECIES.
dr|z3d make sure the same are specified on client and server, or just enable both on the server.
mesh it's strange because these options don't even exist on the android i2p client
dr|z3d enable both on the server.
mesh wow that fixed the fucking problem
dr|z3d then restart the tunnel.
mesh dr|z3d: in this case the android device is the server
mesh but I enabled both on the client (the laptop) and it worked
mesh though hehe I suspected this would be a problem, ftp likes to open lots of data connections on other ports
dr|z3d try passive mode if the defaults aren't working.
dr|z3d or active, if passive is the default.
mesh it works
mesh this is great
dr|z3d seeing several "Attempted mid-tunnel injection ..." warnings in a small timeframe.
orignal I have another idea
orignal ed25519 keys can be converted to x25519 easily
orignal then we publish NTCP2 or SSU2 address without "s"
orignal meaning that "s" is signing key converted to x25519
orignal if an adversary generates a new router "s" will be different
orignal and they can't clone just signing key because they must sign RI
orignal profit