orignal
one guy mentioned some issue
orignal
say an adversary is trying to build a tunnel ->A->B->A->
orignal
say tunnelId at first A is xxxx
dr|z3d
we drop tunnels with duplicate hops.
orignal
and nextTunnelId at B is also xxx
orignal
how do you know?
orignal
say ->A->B->C->D->A->
orignal
it doesn't matter
orignal
now
orignal
build of such tunnel would fail of course
dr|z3d
if ((!isOutEnd) && (!isInGW)) {
dr|z3d
// Previous and next hop the same? Don't help somebody be evil. Drop it without a reply.
dr|z3d
// A-B-C-A is not preventable
dr|z3d
if (nextPeer.equals(from)) {
dr|z3d
// i2pd does this
dr|z3d
_context.statManager().addRateData("tunnel.rejectHostile", 1);
dr|z3d
if (_log.shouldWarn()) {
orignal
but there are still two records remaining
dr|z3d
_log.warn("Dropping HOSTILE Tunnel Request -> Previous and next hop are the same " + req);
dr|z3d
}
dr|z3d
if (from != null) {
dr|z3d
_context.commSystem().mayDisconnect(from);
dr|z3d
_context.banlist().banlistRouter(from, " <b>➜</b> Hostile Tunnel Request (duplicate hops in chain)", null, null, _context.clock().now() + bantime);
dr|z3d
_log.warn("Banning [" + from.toBase64().substring(0,6) + "] for " + period +
dr|z3d
"m -> Hostile Tunnel Request (duplicate hops in chain)");
orignal
<dr|z3d> // A-B-C-A is not preventable
dr|z3d
}
orignal
here
dr|z3d
return;
dr|z3d
}
dr|z3d
}
orignal
assume this situation
dr|z3d
you originally mentioned A->B->A
orignal
for simplicity
orignal
let's consider ->A->B->C->A->
orignal
tunnelId at A = nextTunnelID at C
orignal
what would happen?
orignal
tunnel build fails but still records at A, B, C
orignal
an adversary sends a message to this failed tunnel
orignal
and this message will circulate among A, B, C forever
orignal
now my question is
orignal
how does tunnel participant assign timestamp to I2NP tunnel message when sending it to next peer?
orignal
I think we need zzz
dr|z3d
I think we do :)
orignal
do what?
orignal
ask zzz?
dr|z3d
*** chuckles. ***
dr|z3d
yes, we need zzz.
orignal
basically timestamp matters
orignal
if Java assigns current timestamp or copies from incoming msg
orignal
and also second question
orignal
timestamp in I2NP Garlic message
orignal
it might be information leak to OBEP if it's real one
orignal
they can make some assumption about OB tunnel length
orignal
also it's possible it was/is going on now
orignal
a lot of strange traffic
dr|z3d
what are you seeing specifically?
dr|z3d
I mean, in terms of network effects.
orignal
a lot of bandwidth usage
orignal
remember we couldn't understand where this traffic came from
dr|z3d
this was a long time ago.
dr|z3d
not seeing any hike in b/w usage here.
orignal
6 months ago
dr|z3d
sure, I thought we'd come past that. but apparently you think it's back.
orignal
what if someone already found this problem and tried to use it
orignal
no, one guy asked a question
orignal
about loops
orignal
he asked about something else
orignal
but it led me to this question
dr|z3d
so you think he might be hostile, or?
orignal
theoretically such message can go between routers until tunnels die after 10 minutes
orignal
no. I think he is just curious
dr|z3d
ok
orignal
but someone else more dangerous could have found it already
dr|z3d
well, not seeing any major hike in traffic here.
orignal
this guy understands nothing about encryptions, tunnel build replies etc.
orignal
maybe we should continue on another channel
orignal
I don't see it as a big issue
orignal
the worst thing is just extra traffic
dr|z3d
well, there's extra traffic, and then there's a ridiculous amount of extra traffic.
orignal
so let's start with timestamps
orignal
btw I have noticed that nothing prevents you to make nextTunnelId != tunnelId at next peer
dr|z3d
you mean something like:
dr|z3d
if (ourId <= 0 || ourId > TunnelId.MAX_ID_VALUE || nextId <= 0 || nextId > TunnelId.MAX_ID_VALUE) {
dr|z3d
_context.statManager().addRateData("tunnel.rejectHostile", 1);
orignal
no
orignal
when you create TBM
orignal
you always make nextTunnelID = tunnelID in next record
orignal
also can you do me a favor and check if 2RRY is banned on your routers?
dr|z3d
let's have a look..
dr|z3d
Banned for 180 days / until restart
orignal
why?
dr|z3d
➜ Blocklist: 193.38.54.107
orignal
why?
dr|z3d
I don't know. are you a tor exit?
orignal
no and never been
dr|z3d
ok, let's see if we can find you.
orignal
I had a bug in family signature that was fixed few days ago
orignal
would be nice to know where it comes from
dr|z3d
not seeing anything obvious in my blocklists or feed.
dr|z3d
and "blocklist" indicates one of these.
dr|z3d
do you want to see if your ipv6 is in here? git.skank.i2p/i2pplus/I2P.Plus/src/commit/59312dcfffe6de1e5842467ff5d9912594fdd0cc/installer/resources/blocklist_tor.txt
dr|z3d
that's the only other thing I can think of, but it seems pretty unlikely.
orignal
2a09:7c44::e9d
dr|z3d
is that a "yes" ?
orignal
no, it's 2RRY's IP
orignal
so, what's your version?
orignal
I have 3 versions:
dr|z3d
doesn't look like you're in the ipv6 tor blocklist.
orignal
1. Serious bug in Java code
dr|z3d
my version?
orignal
2. Some manipulation of the hoster that they use this IP for Tor
orignal
3. Someone from Java I2P has included my IP explicitly knowing that 2RRY is mine
dr|z3d
not appearing in tor blocklist, so you can rule out #2.
orignal
yes, how do you explain this?
dr|z3d
I don't. I don't know why you're banned, or what the source of the ban is. Can't find you in my lists.
dr|z3d
Only address I can find that comes remotely close to your ip in the blocklist feed is 193.32.249.139
orignal
then it means that any router can be banned in Java I2P without any reason
RN
how do you see that someone banned a particular router?
orignal
1. I see usually small transit
orignal
2. Peer tests fail often
dr|z3d
here's the weird thing.. on one router, I see you as banned, on another you're not in the netdb.
RN
could it be related to the not-same-country thing?
orignal
with error code 69
orignal
Alice is banned
dr|z3d
make that 2 routers where you're not in the netdb.
orignal
I'm not in netdb because I'm banned somewhere else
orignal
what does it mean "not-same-country"?
dr|z3d
RN: i2p/blocklist.txt or .i2p/docs/feed/blocklist/blocklist.txt
orignal
this router is in Amsterdam
orignal
not in a "stan"
RN
some feature that lets you not use routers in your own country
dr|z3d
no, I mean you're not in the netdb nor are you banned on the routers in question.
RN
I'm not clear the details, but I recall discussion of this option recently
dr|z3d
not relevant, RN.
RN
k
orignal_
dr|z3d maybe you can take a look into profiles
dr|z3d
while I'm doing all this legwork for you, orignal, perhaps you can compile snark+ and get it running :)
orignal
maybe
dr|z3d
that's my offer :)
dr|z3d
and I'll need to see a screenshot.
dr|z3d
*** pokes orignal in the anonymities. ***
dr|z3d
Blinded message
orignal
and?
dr|z3d
Blinded message
dr|z3d
and?
orignal
what does it mean?
dr|z3d
it means I have both a profile and a routerinfo for 2RRY.
orignal
but it's banned
orignal
what do you see in profile?
orignal
maybe the reason is there?
orignal
all my routers have 2RRY in netdb
dr|z3d
there's your profile.
orignal
nothing in it really
dr|z3d
no, except you're tagged as low latency.
dr|z3d
that's the speed bonus at the top. so it all looks fairly normal.
dr|z3d
and I can't find where you've been blocklisted, so I'm as confused as you are.
orignal
the problem is that it's banned on all Java nodes
orignal
looks like only i2pd traffic goes through
orignal
eyedeekay maybe you have an opinion?
dr|z3d
if it's all java nodes, then the block's upstream.
orignal
?
orignal
what does it mean?
dr|z3d
ie canon blocklist, not +.
orignal
and what might be the reason?
dr|z3d
I HAVE NO IDEA.
orignal
I know
orignal
I think we also need zzz for explanation
dr|z3d
I can't even find your ip or hash in the blocklists.
orignal
then where "banned for 180 days" comes from?
eyedeekay
I'm not seeing anything in either blocklist, a bad family key is currently the biggest penalty in the sybil attack tool and possibly the only way to actually hit the threshold
eyedeekay
It's the only thing that makes any sense to me so far
orignal
it was bad family key
orignal
but for 180 days?
orignal
just for crypto bug?
eyedeekay
More like "until a restart" in practice, or at least it should be
orignal
then why did you ban IP address?
orignal
sorry guys this lead me to make a statement "don't use family at all"
orignal
do you understand that you have made a good powerful floodfill unusable just for nothing?
orignal
great job
eyedeekay
I am fairly sure that the function that bans them bans by hash and by IP in the sybil tool, which is a flaw IMO, type of ban needs to be situational
orignal
and what are you going to do with it?
eyedeekay
The sybil tool? Too long to explain here, I've got a gitlab issue for it
orignal
if any bug in crypto kicks out a good router?
orignal
no with this false ban
dr|z3d
Not sure it's a sybil block, I'm seeing it marked as "Blocklist"
orignal
and how many good routers did you ban this way so far?
orignal
maybe that's the reason why so few floodfills in the network?
eyedeekay
I don't know that this is even why it's banned, it's a hypothesis
orignal
but who knows?
orignal
aren't you the main dev now?
dr|z3d
keep your hair on, orignal, we're trying to identify the root cause.
orignal
you are still reconsidering Tor exit nodes ban, aren't you?
orignal
I will stop paying for 2RRY hosting, that's all
orignal
one less floodfill
orignal
and more doubts
dr|z3d
you've identified an issue, until fairly recently I had no problem with 2RRY in my netdb, so it's something recent.
orignal
and I'm still not convinced it was not done intentionally
orignal
as a small revenge
orignal
this issue with 2RRY was 3 days ago
orignal
and I still have one i2pd transit
orignal
and peer tests from i2pd Charlies only
orignal
really great job
dr|z3d
I don't think anyone was/is trying to sabotage your router.
orignal
unfortunately too many haters of me
orignal
and 2RRY is only known my router
orignal
because it has family gostcoin
orignal
and I didn't hide that it's mine
dr|z3d
let's keep it rational. however many haters you have, very few have access to the repo, and even if they do, there's a papertrail.
eyedeekay
Revenge for what? Also our fixed blocklists are public and you're not in them
orignal
there are many reasons
eyedeekay
The explanation has to be a dynamic block from somewhere
orignal
maybe it's in the code of new release
orignal
keeping rational the source of problem is wrong family signature for short time
orignal
due to a bug
orignal
that led to forever ban
orignal
is it normal?
orignal
revenge for what? say for bring Tor nodes back
dr|z3d
yeah, eyedeekay, possibly dynamic block being wrongly flagged as originating from a blocklist.
dr|z3d
a bogus family sig could get you banned, possibly.
orignal
*bringing
orignal
it might be banned say for 24 hours
orignal
it's fine
orignal
but not forever
dr|z3d
although the ban should disappear on router restart, or after however long the sybil ban persists if it's detected as a sybil.
dr|z3d
well, you're not in any blocklists, so you're not banned forever.
eyedeekay
I have no hostility toward Tor exit operators and finding a way to coexist on Tor exits is IMO overwhelmingly a good thing
orignal
almost
orignal
I'm not going to pay for hosting that doesn't work
eyedeekay
I agree that a broken family key should warrant a shorter ban time, especially because it will just be re-checked after the ban and if it's still broke, re-ban
eyedeekay
Not a big deal
eyedeekay
To change that behavior IMO
orignal
then it must be fixed as soon as in 2.7.1
eyedeekay
Is your family key fixed?
orignal
The Tor issue is easy. They can be back now
orignal
yes, 3 days ago
orignal
almost immediately
eyedeekay
Then the bans will be lifted as people restart their routers, I can't do a 2.7.1 over this right now
eyedeekay
There's a whole refactoring of the sybil tool that needs to happen before it can be aware of what ban-point sources are significant
orignal
I will shut it down by that time
eyedeekay
The Debian people will probably never ban you at all, nor will the Android people
eyedeekay
Because they will all restart **after** your family keys were fixed
dr|z3d
as soon as the ppa is up and running, you'll likely have most of your connections restored, orignal.
dr|z3d
and what eyedeekay said.
orignal
no
orignal
I don't see any improvement in few days
dr|z3d
thing is, I can't see you in every other router where you're not banned.
dr|z3d
so maybe the issue is you, not us.
orignal
no it's Java code issue
orignal
and you have banned bunch of other routers this way
orignal
I'm pretty sure
orignal
NOTHING should be banned for more than 72 hours
orignal
if it's not obvious for you
eyedeekay
They would have to all be using bad family keys, which sounds absolutely absurd
orignal
because the internet changes quickly
orignal
who knows how many other wrong reasons you had
RN
so, it requires user intervention to reset sybil bans, or just a restart? can I just look in the sybil page for "2RRY" so see if mine shows it as banned?
orignal
then please tell me the reason
orignal
you can't even tell the reason how do you know?
eyedeekay
There is currently only one way to reach the 50 point threshold without running a router with a significant misconfiguration of a family key
orignal
then it's dumb and must be fixed ASAP
orignal
*** afk ***
eyedeekay
Why? I'll concede the point about the ban times, but just don't misconfigure your family keys.
eyedeekay
Just a restart RN
eyedeekay
I do not have you in my sybil bans
dr|z3d
in + you can delete the sybil blocklist, but you'll need to restart. you may also need to delete the sybil blocklist in canon to make sure it's gone.
dr|z3d
I'm not convinced it's a sybil issue, however.
eyedeekay
^ again, we're still not sure that's what this is. I'm simply defending a hypothesis
dr|z3d
I think it might be an issue with orignal's router, no matter how much he protests.
eyedeekay
In fact I can't find him in a banlist on any of my routers, and I see 2RRY on about half of them
dr|z3d
I only saw him in one, on 4 other routers I can't find him in the netdb.
dr|z3d
*3 other routers.
eyedeekay
2/5 here, so not that different
dr|z3d
maybe i2pd has inadvertently developed an allergy to java routers :)
eyedeekay
I must confess I am over the sybil ban hypothesis
eyedeekay
That seems unlikely at this time
RN
not on my sybil blocked
mareki2p
Hi, I created an issue for the Launch4j project related to my problem running the i2p installer: sourceforge.net/p/launch4j/discussion/332683/thread/b79fef5c2a
dr|z3d
nicely done, mareki2p
dr|z3d
let's hope they're responsive.
dr|z3d
which reminds me, do you want to try building with ant installer, eyedeekay, or a recent java, and see if you have issues with izpack?
dr|z3d
*on a recent java
mareki2p
This is caused by me, if some software supports both an installer and a zip distribution, I always choose the .zip one. Normal people would have Java installed thru .exe or .msi installer and there would be no problems locating Java from Launch4j.
mareki2p
I can try building the i2p installer from sources, I have Ubuntu machine over here. Just tell me what to do.
dr|z3d
what does 'java -version' tell you mareki2p?
dr|z3d
make sure you pull the latest + if you're testing plus, otherwise for canon i2p, just run ant installer
eyedeekay
Does he need to do the IzPack5 install with +?
dr|z3d
no, we're specifically testing what's in the repo.
dr|z3d
and I think they may have fixed the issue in izpack5.
eyedeekay
OIC
dr|z3d
that's why I'm asking if you get issues with 'ant installer'
dr|z3d
assuming you're building locally with a recent java.
mareki2p
$ java -version
mareki2p
openjdk version "21.0.4" 2024-07-16
mareki2p
OpenJDK Runtime Environment (build 21.0.4+7-Ubuntu-1ubuntu222.04)
mareki2p
OpenJDK 64-Bit Server VM (build 21.0.4+7-Ubuntu-1ubuntu222.04, mixed mode, sharing)
dr|z3d
ok, try any installer from + and canon workspaces, if you have both of those.
dr|z3d
(remember to git pull on the + repo first)
mareki2p
Build failed: java.lang.NoClassDefFoundError: java/util/jar/Pack200
dr|z3d
on canon?
dr|z3d
canon == not +
mareki2p
That was on the I2P.Plus repo, build failed on the i2p.i2p repo, different error: java.lang.ExceptionInInitializerError, at net.sf.launch4j.ant.Launch4jTask.execute(Launch4jTask.java:82), Caused by: java.lang.reflect.InaccessibleObjectException: Unable to make field protected volatile java.util.Properties java.util.Properties.defaults accessible: module java.base does not "opens java.util" to unn
orignal
eyedeekay can you do me a favour?
orignal
remove gostcoin's cert from the package
orignal
dr|z3d which issue?
orignal
the only issue was wrong signature 3 days ago
dr|z3d
mareki2p: did you git pull on + before you built?
orignal
you don't see it because it's banned by other Java floodfills
dr|z3d
[ ] yes [ ] no (Tick one box only)
mareki2p
Yes, the latest version from git. commit id 562e6dfe0dfc6c51457cf7565f06296fb9dd7ee8 in the i2p.i2p repo and commit id 0c47b7ea1369d661ea08f7109d153c7df51e5c52 in the I2P.Plus repo.
orignal
but again I see it on all my routers
orignal_
soo
dr|z3d
mareki2p: in the +_ workspace, try ant distclean && ant installer
orignal_
again please remove gostcoin.crt from the certificates
dr|z3d
I've just successfully built on openjdk version "23" 2024-09-17
orignal_
2. family code will be removed from i2pd code completely
orignal_
e.g. it will not be supported at all since Java reacts so inadequately
orignal_
3. All routers responding with code 69 will be banned
mareki2p
I always start from clean slate, meaning git clean -dfx && git reset --hard. Do I need to install some dependency?
orignal
seems I2P has too many good floodfills to throw them away
dr|z3d
a clean slate won't cleanup files ignored by git.
dr|z3d
hence ant distclean
mareki2p
After distclean same build error.
dr|z3d
ok, where are you pulling from? don't tell me, gitlab?
orignal
why do you need to fix it? because it's your fuckup
dr|z3d
you need to calm down, orignal
orignal
no
orignal
I said what I said
orignal
the only thing I need from you now is removing gostcoin cert
mareki2p
$ git remote get-url origin
mareki2p
I guess I need to add some xxx.i2p domain, right?
orignal
is it possible to do it for 2.7.1?
dr|z3d
no, just pull from github.
dr|z3d
gitlab is currently non-functional.
orignal
<eyedeekay> Why? I'll concede the point about the ban times, but just don't misconfigure your family keys.
orignal
calm down after such statement?
orignal
you guys are all insane
dr|z3d
we haven't identified the root cause of your issue, orignal, and neither have you.
orignal
idk said clearly
orignal
and I agree
orignal
it's wrong family signature that produced 180 days ban
dr|z3d
eyedeekay doesn't know, he was speculating. and he's probably wrong relating to a sybil-level ban. so we _don't know_.
orignal
are you going to fix it? no
orignal
I run 2RRY for stress test of serious load
dr|z3d
your router is not very visible right now, for whatever reason.
dr|z3d
like I said, mostly it just doesn't appear in any of my routers' netdbs.. no bans, just no 2RRY.
orignal
no transit no load not reason to run it at all
dr|z3d
180 days ban is boilerplate.
orignal_
do you agree it must be fixed asap
dr|z3d
those bans don't persist beyond a restart unless they're in a blocklist.
orignal_
?
dr|z3d
and afaict, your router isn't in any blocklist.
orignal_
and?
eyedeekay
No, because the evidence currently supports not a sybil block
dr|z3d
so we haven't actually established anything yet.
orignal_
eyedeekay will you remove gostcoin.crt?
dr|z3d
and you throwing a tantrum isn't much helping shed light.
mareki2p
Build successful.
orignal_
eyedeekay then it's even worse
dr|z3d
there we go, good.
orignal_
because you don't even know
dr|z3d
orignal_: have you ever had bugs in your code that aren't immediately obvious?
orignal
and I'm asking again
orignal
how many good floodfills did you lose because of this?
orignal
dr|z3d that's why this bug must be investigated shortly
orignal
the only sure thing is it started happening after incorrect signature
onon_
Guys, I think you need to add to the check code: if (RI == 2RRY) to exclude him from the ban list
orignal
or after the release
orignal
onon_ no
orignal
it's not about 2RRY
onon_
For any reason
dr|z3d
that's what we do, orignal, we attempt to identify issues and their root cause when they're reported. we just prefer not having to deal with people throwing tantrums.
orignal
the problem is not 2RRY
orignal
the problem is your code
orignal
that might cause issues
dr|z3d
mareki2p: can you do idk a favor and copy /installer/lib/izpack/standalone-compiler.jar from + to canon and see if canon compiles.
mareki2p
will do...wait
orignal
unless it's confirmed it was just new release, I will remove family code anyway
orignal
useless features cause many troubles
mareki2p
No, neither before copying that .jar nor after does the i2p.i2p repo compile.
dr|z3d
ok, thanks. one for the canon folks to investigate then.
mareki2p
Do you have GitHub actions CI?
dr|z3d
I do, but currently it's "in flux".
dr|z3d
it needs to copy the artifacts to a specified folder after they're built so I can serve them via github pages, but it's not playing ball.
orignal
I need to decide soon if I put 2RRY down or not
orignal
it's about payment for that VPS
orignal
fixing that problem
orignal
it was 4 days ago
orignal
as I see Java release started rolling out yesterday
orignal
meaning that most of Java routers had to restart after
orignal
therefore what's going on?
dr|z3d
no, ppa routers which are the bulk of canon i2p routers won't have updated yet.
orignal
then according to eyedeekay I should see an improvement in few days
eyedeekay
And won't be updated until tomorrow at least, I have currently 4 arches to wait on
dr|z3d
no, forget what eyedeekay said. we don't know what the issue is. it's not sybil detection, and it's definitely not an issue with any blocklist.
orignal
then why IP address? and only ipv4 as I understand right
dr|z3d
what I want to know is why 2RRY is failing to show up in my netdbs.
orignal
because it's banned on other floodfills
dr|z3d
that I also don't know, that was an outlier on a single router. why it was reported as being in a blocklist when I couldn't find any mention of hash or ip I don't know.
orignal
why peer test returns code 69?
orignal
why it's connect to i2pd only?
orignal
and why all other my routers with same code are fine?
dr|z3d
let's assume that your family fuckup has caused a temporary ban on some routers. if that's the case, it should resolve in time without further intervention.
orignal
yes, my expectation like 24 hours or so
mareki2p
The failed build on GitHub's Ubuntu 24.04: github.com/mareki2p/i2p.i2p/actions/runs/11310259494/job/31455103566
eyedeekay
dr|zed where's your pages CI file, I could take a look?
orignal
more funny
orignal
most of my nodes are connected with it
dr|z3d
eyedeekay: this is what I'm wrestling with right now: github.com/I2PPlus/i2pplus/blob/master/.github/workflows/ant.yml
dr|z3d
orignal: you can keep your vps running, it'll sort itself out.
orignal
if it's banned on most Java routers no reason to keep it
dr|z3d
eyedeekay: I wanted to keep a separate branch (artifacts) that copies to builds/ so that i2pplus.github.io/i2pplus/builds/{artifact} is available. that's the plan.
orignal
I don't need it without high load
dr|z3d
it will sort itself out. patience, young jedi.
orignal
I don't see any improvements in last 3 days
orignal
it's around 1/3 of normal load
dr|z3d
most of the canon i2p network hasn't migrated to 2.7.0 yet, as mentioned, that's waiting for the PPA build.
orignal
and bunch of error 69 for peer test
dr|z3d
if the ban is session-persistent, then you'll need to wait for the routers to restart.
orignal
but the release is rolling out
dr|z3d
NOT YET PPA.
dr|z3d
PPA = majority of java routers.
orignal
let me check stats.i2p
orignal
well 15% only
orignal
then let's wait until 40-50%
dr|z3d
yes, let's!
orignal
one more week
dr|z3d
crack open a packet of chocolate potato chips, pour yourself a vodka, and relax.
orignal
and if no improvement put it down
orignal
maybe started it somewhere else later
orignal
but without family
orignal
how can I send GHOST command?
dr|z3d
Blinded message
orignal
thanks
dr|z3d
you may also fine nickserv release helpful on occasion. /msg nickserv help release
dr|z3d
*find
orignal
wondering why no ghosts at ilita?
dr|z3d
you usually only see ghosts when you restart i2p without /quitting first.
orignal
I use znc )))
orignal
but see here
dr|z3d
you're not alone.
orignal
and never at ilita
orignal
why?
dr|z3d
I don't know. I've got a question for you. snark+ yet?
dr|z3d
:)
orignal
no, I was busy in something else
orignal
will try tomorrow
dr|z3d
yeah, busy harassing us.
dr|z3d
:)
orignal
harassing?
dr|z3d
as I mentioned before, just extract the zip over your existing installation.
dr|z3d
you can always do the same with canon snark to revert. no need for multiple copies.
orignal
does it accept i2p.streaming.profile=2 now?
dr|z3d
you asked me that yesterday, and I told you "YES!"
dr|z3d
be sure to git pull before you build.
orignal
don't remember )) probably I was drunk ))
dr|z3d
are you drunk now?
orignal
no
orignal
I don't remember I was here yesterday
orignal
was I?
dr|z3d
that's unfortunate, we could have put your tantrum down to too much potato juice. oh well. maybe now's a good time to drink some :)
orignal
so about harassing
orignal
seems I have found a serious bug
orignal
and it's lucky it affected me
dr|z3d
yeah, it's one of those pebcak bugs.
orignal
so I brought it in
orignal
to investigate
orignal
other people don't understand what's going on
dr|z3d
presumably the only person having this issue is you?
orignal
and I receive complaints often about low transit
orignal
many complaints from many people
orignal
looks like Java bans i2pd nodes often
dr|z3d
you can't serve more traffic than occurs on the network. rule #1.
orignal
I'm only person who is able to understand what's going on
dr|z3d
as for banning i2pd, no, that's something we haven't established. routers with fucked family certs, otoh...
orignal
not intentionally
orignal
but for some logic that contains a bug
dr|z3d
we haven't established that, either. perhaps we're a bit too strict with fucked family certs, that's something to look at.
orignal
in my case it was fucked family cert for sure
orignal
but for short ime
orignal
*time
orignal
people complain about few hundred Kbs transit on XR routers
dr|z3d
sure, we'd like to see more. but if not much is happening on the network, there's not so much traffic to route.
orignal
also another version
orignal
maybe Java node bans 2RRY because it participates too much
orignal
if I remember it was your idea
dr|z3d
unlikely.
dr|z3d
for a router to be banned for requesting too many transit tunnels, it first has to ignore the fact that its requests are being rejected and keep requesting a ridiculous number of tunnels.
dr|z3d
on canon, it's just rejected.
orignal
no, it's not requesting it's accepting too much
dr|z3d
"it's accepting too much"
dr|z3d
look at what you just wrote. :)
dr|z3d
if it's accepting too much, fix it.
orignal
why? if it can
dr|z3d
you just said it was accepting "too much". too much == needs fix.
dr|z3d
we've had this discussion before. setting a limit on individual routers results in better distribution over the network and more heterogenous tunnels.
dr|z3d
it also means you're less likely to get rejected when requesting tunnels.
dr|z3d
so the whole network operates more smoothly.
dr|z3d
everyone wins.
dr|z3d
you also protect yourself from abusive routers.
orignal
we need to think about loops
dr|z3d
sure, that's a good topic. let's wait to see what zzz has to offer on the matter.
dr|z3d
I see you, orignal
dr|z3d
you're back in my netdb.
dr|z3d
LeaseSets: 346 Routers: 15463 First heard about: 62 min ago Last heard about: 23 min ago Last heard from: 5 sec ago
orignal
because you have restarted
orignal
?
dr|z3d
I did restart, but before that I wasn't seeing your router in my blocklist.
orignal
java routers keep updating
orignal
I see now half of usual transit
orignal
however this problem is still not identified I guess
dr|z3d
I think we identified the issue.
dr|z3d
The issue was your fucked family cert. It probably resulted in a session ban.
dr|z3d
So if there's any issue at all, it's the length of the ban. That's my hypothesis, anyways.
orignal
no the issue is why it was banned for 180 days
orignal
and IP
orignal
I'm wondering what would happen if RI has wrong signature for example
dr|z3d
I told you, 180 days is boilerplate.
dr|z3d
180 days means "180 days OR until the router is restarted"
orignal
so the issue not what triggered it
orignal
but why such consequences
orignal
people don't restart routers for months
orignal
it's not a point
dr|z3d
yeah, we also discussed this. the ban may be excessive, it'll get fixed.
dr|z3d
once I've had time to locate the specific ban code, I'll do a 4hr ban.
orignal
but it's not identified why
orignal
we don't have such code in i2pd )))
dr|z3d
that also needs fixing, it shouldn't be indicating blocklist.
orignal
as I said, I will remove family code completely
dr|z3d
no, you don't ban and let all manner of morons route traffic through you :)
orignal
much easier
orignal
I do ban a lot of shit
orignal
say duplicates
orignal
or false IPs
orignal
if published IP doesn't match actual one
orignal
but again I ban for 72 hours max
orignal
not forever as you do
dr|z3d
sure, that's something we can review.
orignal
I have an idea how to solve this loops issue
orignal
we need to store ident where TBR came from with tunnelID
orignal
then we check if it's from another address drop it
orignal
ofc not for IBGW but it received TunnelGateway msg
zzz
re: 2RRY, rekey and change port, done and done
orignal
zzz, they banned IP address
orignal
that's the problem
orignal
it means I have to ask hoster to assign another IP
orignal
anyway better to talk with you about loops
zzz
the only report we have of banning is from dr|z3d ? did he report IP is banned? how do you know?
orignal
yes
zzz
I thought he said IP was not banned? it's a lot of backlog
orignal
<dr|z3d> ➜ Blocklist: 193.38.54.107
orignal
that's the main problem
orignal
also I saw code 69 in peer tests
dr|z3d
only saw it banned on 1/4 routers.
zzz
change port and rekey, see what happens
dr|z3d
couldn't find it in blocklists, so I'm guessing the reason for the ban was misreported.
dr|z3d
you're suggesting orignal rekey.. he has an emotional attachment to his router hash :)
orignal
maybe later next week
orignal
no, you didn't
dr|z3d
no I didn't what?
orignal
since it was banned by IP
orignal
you didn't suggest rekeying because it's useless
dr|z3d
I was talking to zzz in response to his comment "change port and rekey, see what happens"
zzz
maybe only i2pplus banned you, maybe only some of them
orignal
and no I'm not emotionally attached to router hash
orignal
maybe
orignal
by IP maybe
orignal
by hash definitely not
orignal
many Java routers did
orignal
let's see how it will go next week since routers are going to restart due to the new release
orignal
however it would be nice to know what caused it
orignal
loops however is more important topic
orignal
assume better scenario
zzz
if your #1 priority is having your router used for ff and tunnels, then stop what you're doing, change port and rekey
orignal
tunnel ->A->B->C->D->
orignal
and D's next tunnel id is tunnel id at B
zzz
what caused it is you messed up the family sig, that's what you said? nothing to research. you did it.
orignal
no, it's not #1 priority
orignal
I just want to see things sorted out because it might affect other users
orignal
what caused ban forever?
orignal
that's my question
dr|z3d
private void banlist(Hash peer, byte[] ip) {
dr|z3d
if (!_haveIPv6 && ip.length == 16) {return;} // Don't bother unless we have IPv6
dr|z3d
String sip = Addresses.toString(ip); // Temporary reason, until the job finishes
dr|z3d
String reason = " <b>➜</b> " + _x("Blocklist") + ": " + sip;
dr|z3d
if (sip != null && sip.startsWith("127.") || "0:0:0:0:0:0:0:1".equals(sip) ||
dr|z3d
sip.startsWith("192.168.") || sip.startsWith("10.") ||
zzz
one banned router out of thousands and thousands doesn't affect anything
dr|z3d
(ip != null && ip.length == 4 && (ip[0] & 0xff) == 172 && ip[1] >= 16 && ip[1] <= 31)) {
dr|z3d
// i2pd bug, possibly at startup, don't ban forever
orignal
5-th day and only little improvement
dr|z3d
_context.banlist().banlistRouter(peer, reason, sip, null, _context.clock().now() + Banlist.BANLIST_DURATION_PRIVATE);
dr|z3d
return;
dr|z3d
}
orignal
zzz, people complained about low transit
orignal
on their routers
orignal
it might be the same cause
zzz
did they all have bad family sigs also?
dr|z3d
*** chuckles. ***
orignal
2RRY works fine just lower transit and sometimes failures of peer tests
orignal
no
orignal
but we don't know the whole logic yet
orignal
my question is not why it's banned
orignal
my question is why it's banned for long time
zzz
re: research and "whole logic", work with dr|z3d on that, it's his router that banned you and his code. He's tweaked everything, especially on banning. I can't help you.
orignal
yes, and I'm not asking this question to you
orignal
idk should take care
orignal
I can collect router hashes returning code 69 and see what's that
orignal
so let's talk about loops
zzz
ok, please restate the scenario briefly
orignal
<orignal> tunnel ->A->B->C->D->
orignal
<orignal> and D's next tunnel id is tunnel id at B
orignal
an adversary drops a message into such tunnels and it's in loop for 10 minutes
orignal
be back in 15 minutes
dr|z3d
I think the reason orignal's ip was reported as being in the blocklist was the temp reason code.
dr|z3d
String sip = Addresses.toString(ip); // Temporary reason, until the job finishes
dr|z3d
String reason = " <b>➜</b> " + _x("Blocklist") + ": " + sip;
dr|z3d
that's the only thing that makes any sense to me, and even then, I'm not entirely sure it makes sense, since it's not pulling the ip from a blocklist.
zzz
orignal, you've researched this loop scenario and confirmed i2pd is vulnerable?
dr|z3d
orignal was speculating that the excessive bandwidth we saw at the beginning of the year might have been a result of tunnel "loops", though I'll let orignal answer your question.
orignal
zzz, I think so
orignal
this scenario is mine now
orignal
see, A can't handle TunnelGateway
orignal
but B can handle TunnelData as long as it can find tunnel id
orignal
it just add encryption layer and sends to C
orignal
so this loop can be stopped only after 10 minutes
orignal
but my question to is about timestamps in TunnelData msgs
zzz
what about them
orignal
does tunnel participant assign actual timestamp or copy it from incoming TunnelData?
zzz
what do you do
orignal
former
zzz
is this a new topic? I thought we were talking about tunnel build loops
orignal
so, my proposal is save router hash where TBR came from with a tunnel
orignal
yes tunnels loops
orignal
that's about it
zzz
you can't have tunnel data msgs until the tunnel is built ))
orignal
why?
orignal
tunnel participants don't know if tunnel was built or not
orignal
they only have a record with tunnelid
orignal
why timestamp?
zzz
ok, right, but at least everybody has to agree
orignal
if we had a timestamp assigned by IBGW we could drop it by timeout
orignal
but it's bad idea
orignal
no
orignal
that's my point
orignal
A,B,C,D agreed
zzz
so fix that. you can't fix it with timeouts
orignal
D sends back to A
orignal
this record contains new tunnel id and A accepts it
orignal
but next tunnel id for D contains first tunnel id at A
orignal
how do you handle it?
orignal
I suspect you have the same issue
zzz
doubt it
orignal
timeout is wrong idea
orignal
please explain what's wrong in this scenario
orignal
D doesn't know what's inside the next record
orignal
adversary doesn't need a successful tunnel
orignal
he only needs a loop to flood routers
zzz
so fix your loop
orignal
please explain how
orignal
what do I do if I'm B or D?
orignal
I never know if it's loop
zzz
check for dup tunnel IDs? bloom filters?
orignal
no dup tunnel ids
orignal
every TBM record contains unique tunnel id
orignal
and nexttunnelid for A and for D are same
zzz
<orignal> <orignal> and D's next tunnel id is tunnel id at B <--- that sounds like a dup tunnel id to me
orignal
no. nexttunnelid is a field in D's tunnel build record
zzz
so that's a dup for B, right?
orignal
and tunnel id is in B's record
orignal
no dup
zzz
but B will get the TBM for that tunnel ID twice, once from A and once from D?
orignal
B receives two records with different tunnel id
orignal
no
orignal
they will be different
zzz
<orignal> and nexttunnelid for A and for D are same
zzz
I'm very confused
orignal
see, D had a field "next tunnel id"
orignal
he sends next record to A
orignal
every TBR contains two fields
orignal
tunnel id and next tunnel id
orignal
right?
zzz
yes
orignal
next tunnel id = tunnel id in next peer
orignal
right?
zzz
yes
orignal
but it's set by tunnel originator
zzz
yes
orignal
what if adversary breaks this rule?
orignal
he set next tunnel id to tunnel id for first occurrence of B
orignal
and unique tunnel id for TBR for second occurrence of B
orignal
in this case B will receive two different TBRs with different tunnel id
orignal
no when message goes through tunnel
orignal
D will send it back to B with tunnel id that was already used
orignal
B thinks it's a new message and sends to C, C sends to D and D sends back to C
orignal
the loop gets formed
orignal
be back in 2 hours. please think about this scenario
zzz
I'm going to need a picture, I've had plenty of coffee and still stumped
orignal
ofc. the key thing is wrong next tunnel id at D
orignal
*** afk ***
zzz
I need the ids for the TBM
zzz
A: id=1 nexthop=B nextid=2
zzz
B: id=2 nexthop=B nextid=3
zzz
*B: id=2 nexthop=C nextid=3
zzz
C: id=3 nexthop=D nextid=4
zzz
D: id=4 nexthop=B id=5
zzz
B: id=??? nexthop=??? nextid=???
orignal
and TBR D: id=4 nextHop=B id=1
orignal
B: id = 5 OBEP no next hop
orignal
sorry D: id=4 nextHop=B nextid=2
zzz
if B is java i2p that's not going to loop for multiple different reasons
zzz
- if B id 5 is an OBEP it's not going to infinite loop
zzz
- D to B on id 2, B will drop it because 'mid tunnel injection' check
zzz
- will the D->B layer keys be the same as the A->B layer keys? depends how the KDF works
snex
dr|z3d: gitlab says latest commit is 3 weeks ago. shouldnt there be newer stuff? trying to work on the snark infobar
dr|z3d
snex: use github, not gitlab.
dr|z3d
gitlab locked me out.
dr|z3d
(and won't send a password verification e-mail)
snex
link?
snex
👍️
orignal
please explain why B will drop
orignal
layer key doesn't matter
orignal
B id 5 is OBEP but TunnelData will never come to tunnel 5 it will always come to 2 from D
orignal
why layer key will be the same? You have different ephemeral key for first and second occurrence of b
snex
lol... i added a torrent so thered be an infobar and now the page is just blank white. dafuq
dr|z3d
try ant distclean before building.
snex
the html is loaded, not sure why browser wont display it
dr|z3d
have you just copied over the .war file or?
snex
oh what the fuck... body display:none; was set somehow??
snex
yeah the .war
dr|z3d
you'll need to copy over the .jar file as well.
dr|z3d
ignore body styling, nothing to do with the issue.
snex
oh right i have an older v of that
dr|z3d
build -> i2psnark.jar -> i2p/lib/
snex
why would it set body display:none tho
dr|z3d
so that the user's presented with a completely rendered page.
dr|z3d
(see the bottom of the page before </body>)
snex
there we go
dr|z3d
as long as you're just working on the servlet, you can just copy over the .war file now.
dr|z3d
if you work on other stuff, you'll need to copy over .jar file as well and restart your router/standalone.
snex
yeah i just forgot the jar was ancient
dr|z3d
there's a possible fix for console graphs that you said you were experiencing if you're running the latest + from git. let me know if it fixes things for you.
snex
Error 500: /graphs - javax.servlet.ServletException: java.lang.NoSuchMethodError: 'int net.i2p.router.web.StatSummarizer.countGraphs()'
dr|z3d
well that's odd.
dr|z3d
make sure you ant distclean before building an update.
dr|z3d
/** @since 0.9.62+ */
dr|z3d
public int countGraphs() {return _listeners.size();}
dr|z3d
as mentioned before, you should also be able to 'ant installer' without erroring now.
snex
yeah that part worked. did not distclean or copy over anything not snark-related
zzz
orignal, <zzz> - D to B on id 2, B will drop it because 'mid tunnel injection' check
zzz
and if the layer keys are different, B will not be able to correctly layer encrypt the msgs it gets from D, even without the mid-tunnel-injection check
orignal
but an adversary doesn't need a message to be decrypted
orignal
their purpose is to make the shit circulating
orignal
please explain how "mid injection check works"
zzz
when B gets TBM from A for id 2, it enforces that all tunnel data msgs for that tunnel must come from A
zzz
nobody else can send messages into the "middle of the tunnel"
zzz
if you don
orignal
so you store ident hash with tunnel
orignal
where TBM came from
zzz
if you don't have that check, that's your issue
zzz
yes
orignal
agree it's my issue
orignal
do you compare hashes for every single message?
orignal
I mean tunnel message
zzz
yes
orignal
it's an overhead and slows down
orignal
I would start doing it after some threshold
dr|z3d
this is probably all you, orignal: BuildHandler: Dropping HOSTILE Tunnel Request -> Previous and next hop are the same
orignal
e.g. when too much data goes through
zzz
not too much overhead imho
orignal
comparison of 32 bytes
zzz
but I'm not here to convince you, just to explain what my code does
orignal
?
orignal
I'm talking about possible solutions
orignal
thinking how to implement it efficiently
orignal
say you can save connid if it's SSU2
orignal
instead ident hash
zzz
I'm not very helpful on C++ efficiency tradeoffs :) 32 byte hash storage and comparison is pretty cheap in java
orignal
dr|z3d yes it's mine
orignal
I don't check this situation
snex
bleh now i cant run the install.jar after distclean and rebuild all: Exception in thread "main" java.lang.NoClassDefFoundError: Could not initialize class java.awt.Toolkit
dr|z3d
try running with java -jar ./install.jar -console
orignal
8 bytes int is much much faster than 32 bytes non-aligned buffer
dr|z3d
remember to run that from the dir you want to install to, or specify the install path without trailing /
dr|z3d
otherwise it'll install to the pwd.
orignal
anyway I will implement this check
snex
got it - i forgot all this stuff lol
snex
the graphs page still gives that error and it also seems to prevent display of the tunnels page
snex
slightly different error coming from the tunnels page when it tries to load viewstat.jsp: Error 500: /viewstat.jsp - java.io.IOException: No rates for combined bandwidth graph
dr|z3d
that should be a transient error, or you're running java with awt support expected.
dr|z3d
try: sudo sed -i -e '/^assistive_technologies=/s/^/#/' /etc/java-*-openjdk/accessibility.properties
dr|z3d
I don't think you see that error if you install openjdk-headless.
snex
i believe my default is running java-14-oracle
snex
i can switch it
dr|z3d
if you've got openjdk-headless or similar, try that. whichever version's latest, or whatever that installs.
snex
same thing :(
snex
i dont have assistive_technologies in that config file
dr|z3d
did you purge oracle java?
snex
no i just changed JAVA_HOME
dr|z3d
and you ran i2prouter restart?
snex
no i have it run in console so i ctrl+c then change JAVA_HOME then restart
snex
i got this in the console log but it started anyway: ERROR: Failed to start imagegen MultiException[java.lang.UnsatisfiedLinkError: Can't load library: /usr/lib/jvm/java-11-openjdk-amd64/lib/libawt_xawt.so, java.lang.NoClassDefFoundError: Could not initialize class java.awt.Toolkit]
dr|z3d
you're running it without the wrapper (runplain.sh) ?
snex
didnt know i needed any wrappers
dr|z3d
that's what i2prouter does.
dr|z3d
runs the wrapper (service) which is how you can restart from the web ui.
dr|z3d
either way, you're using java11.
snex
i was just doing this: ./i2prouter console
dr|z3d
I'm not entirely sure how that handles things, but try i2prouter stop && i2prouter start.
snex
i believe it just runs it in the foreground rather than background
snex
i dont want it running as a daemon
dr|z3d
ok, well somewhere java's configured to load awt which you don't want.
dr|z3d
because that relies on X11 or wayland.
dr|z3d
(which you obviously won't have running from console)
snex
i mean i am in a "terminal" from inside of X11 not a real terminal
dr|z3d
well, you've got an issue somewhere locally relating to awt/java. stackoverflow.com/questions/18099614/java-lang-noclassdeffounderror-could-not-initialize-class-java-awt-toolkit
orignal
zzz, and one more question
orignal
about timestamp in I2NP Garlic message
orignal
OBEP can conclude what was the tunnel length
orignal
that's different topic
snex
ok got rid of all that by switching to java-18-openjdk. local tunnels page still blank despite not seeing this error in viewstat.jsp anymore. i was hoping to use this page to get some insight on how to poll the number of tunnels for display in snark
dr|z3d
anything in logs?
dr|z3d
local tunnels being the tunnel manager, or /tunnels ?
snex
no. also my real router displays these pages just fine
snex
/tunnels
dr|z3d
dunno, you're not giving me much to go on.
dr|z3d
what about /transit ? same?
snex
ffs now the page loaded. i wonder if brave is doing some stupid fuckin caching shit
dr|z3d
also, you're more likely to get the info you need from /configtunnels (maybe)
snex
i hate when my software tries to be more clever than me and is never right
orignal
ha
orignal
ghost works
dr|z3d
chocolate star for orignal.