#saltr
/2024/10/13
orignal one guy mentioned some issue
orignal say an adversary is trying to build a tunnel ->A->B->A->
orignal say tunnelId at first A is xxxx
dr|z3d we drop tunnels with duplicate hops.
orignal and nextTunnelId at B is also xxx
orignal how do you know?
orignal say ->A->B->C->D->A->
orignal it doesn't matter
orignal build of such tunnel would fail of course
dr|z3d if ((!isOutEnd) && (!isInGW)) {
dr|z3d // Previous and next hop the same? Don't help somebody be evil. Drop it without a reply.
dr|z3d // A-B-C-A is not preventable
dr|z3d if (nextPeer.equals(from)) {
dr|z3d // i2pd does this
dr|z3d _context.statManager().addRateData("tunnel.rejectHostile", 1);
dr|z3d if (_log.shouldWarn()) {
orignal but there are still two records remaining
dr|z3d _log.warn("Dropping HOSTILE Tunnel Request -> Previous and next hop are the same " + req);
dr|z3d if (from != null) {
dr|z3d _context.commSystem().mayDisconnect(from);
dr|z3d _context.banlist().banlistRouter(from, " <b>➜</b> Hostile Tunnel Request (duplicate hops in chain)", null, null, _context.clock().now() + bantime);
dr|z3d _log.warn("Banning [" + from.toBase64().substring(0,6) + "] for " + period +
dr|z3d "m -> Hostile Tunnel Request (duplicate hops in chain)");
orignal <dr|z3d> // A-B-C-A is not preventable
dr|z3d return;
orignal assume this situation
dr|z3d you originally mentioned A->B->A
orignal for simplicity
orignal let's consider ->A->B->C->A->
orignal tunnelId at A = nextTunnelID at C
orignal what would happen?
orignal tunnel build fails but still records at A, B,C
orignal an adversary sends a message to this failed tunnel
orignal and this message will circulate among A,B,C forever
orignal now my question is
orignal how does tunnel participant assign timestamp to I2NP tunnel message when send it to next peer?
orignal I think we need zzz
dr|z3d I think we do :)
orignal do what?
orignal ask zzz?
dr|z3d *** chuckles. ***
dr|z3d yes, we need zzz.
orignal basically timestamp matters
orignal if Java assigns current timestamp or copies from incoming msg
orignal and also second question
orignal timestamp in I2NP Garlic message
orignal it might be information leak to OBEP if it's real one
orignal they can make some assumption about OB tunnel length
orignal also it's possible it was/is going on now
orignal a lot of strange traffic
dr|z3d what are you seeing specifically?
dr|z3d I mean, in terms of network effects.
orignal a lot of bandwidth usage
orignal remember we couldn't understand where this traffic came from
dr|z3d this was a long time ago.
dr|z3d not seeing any hike in b/w usage here.
orignal 6 months ago
dr|z3d sure, I thought we'd come past that. but apparently you think it's back.
orignal what if someone already found this problem and tried to use it
orignal no, one guy asked a question
orignal about loops
orignal he asked about something else
orignal but it led me to this question
dr|z3d so you think he might be hostile, or?
orignal theoretically such message can go between routers until tunnels die after 10 minutes
orignal no. I think he is just curious
orignal but someone else more dangerous could have found it already
dr|z3d well, not seeing any major hike in traffic here.
orignal this guy understands nothing about encryptions, tunnel build replies etc.
orignal maybe we should continue on another channel
orignal I don't see it as a big issue
orignal the worst thing is just extra traffic
dr|z3d well, there's extra traffic, and then there's a ridiculous amount of extra traffic.
orignal so let's start with timestamps
orignal btw I have noticed that nothing prevents you to make nextTunnelId != tunnelId at next peer
dr|z3d you mean something like:
dr|z3d if (ourId <= 0 || ourId > TunnelId.MAX_ID_VALUE || nextId <= 0 || nextId > TunnelId.MAX_ID_VALUE) {
dr|z3d _context.statManager().addRateData("tunnel.rejectHostile", 1);
orignal when you create TBM
orignal you always make nextTunnelID = tunnelID in next record
orignal also can you give me a favor and check if 2RRY is banned on your routers?
dr|z3d let's have a look..
dr|z3d Banned for 180 days / until restart
dr|z3d ➜ Blocklist: 193.38.54.107
dr|z3d I don't know. are you a tor exit?
orignal no and never been
dr|z3d ok, let's see if we can find you.
orignal I had a bug in family signature that was fixed few days ago
orignal would be nice to know where it comes from
dr|z3d not seeing anything obvious iny blocklists or feed.
dr|z3d and "blocklist" indicates one of these.
dr|z3d that's the only other thing I can think of, but it seems pretty unlikely.
orignal 2a09:7c44::e9d
dr|z3d is that a "yes" ?
orignal no, it's 2RRY's IP
orignal so, what's your version?
orignal I have 3 versions:
dr|z3d doesn't look like you're in the ipv6 tor blocklist.
orignal 1. Serious bug in Java code
dr|z3d my version?
orignal 2. Some manipulation of the hoster that they use this IP for Tor
orignal 3. Someone from Java I2P has included my IP explicitly knowing that 2RRY is mine
dr|z3d not appearing in tor blocklist, so you can rule out #2.
orignal yes, how do you explain this?
dr|z3d I don't. I don't know why you're banned, or what the source of the ban is. Can't find you in my lists.
dr|z3d Only address I can find that comes remotely close to your ip in the blocklist feed is 193.32.249.139
orignal then it means that any router can be banned in Java I2P without any reason
RN how do you see that someone banned a particular router?
orignal 1. I see usually small transit
orignal 2. Peer tests fail often
dr|z3d here's the weird thing.. on one router, I see you as banned, on another you're not in the netdb.
RN could it be related to the not-same-country thing?
orignal with error code 69
orignal Alice is banned
dr|z3d make that 2 routers where you're not in the netdb.
orignal I'm not in netdb because I'm banned somewhere else
orignal what does it mean "not-same-country"?
dr|z3d RN: i2p/blocklist.txt or .i2p/docs/feed/blocklist/blocklist.txt
orignal this router is in Amsterdam
orignal not in a "stan"
RN some feature that lets you not use routers in your own country
dr|z3d no, I mean you're not in the netdb nor are you banned on the routers in question.
RN I'm not clear the details, but I recall discussion of this option recently
dr|z3d not relevant, RN.
orignal_ dr|z3d maybe you can take a look into profiles
dr|z3d while I'm doing all this legwork for you, orignal, perhaps you can compile snark+ and get it running :)
orignal maybe
dr|z3d that's my offer :)
dr|z3d and I'll need to see a screenshot.
dr|z3d *** pokes orignal in the anonymities. ***
dr|z3d Blinded message
dr|z3d Blinded message
orignal what does it mean?
dr|z3d it means I have both a profile and a routerinfo for 2RRY.
orignal but it's banned
orignal what do you see in profile?
orignal maybe the reason is there?
orignal all my routers have 2RRY in netdb
dr|z3d there's your profile.
orignal nothing in it really
dr|z3d no, except you're tagged as low latency.
dr|z3d that's the speed bonus at the top. so it all looks fairly normal.
dr|z3d and I can't find where you've been blocklisted, so I'm as confused as you are.
orignal the problem is that it's banned on all Java nodes
orignal looks like only i2pd traffic goes through
orignal eyedeekay maybe you have an opinion?
dr|z3d if it's all java nodes, then the block's upstream.
orignal what does it mean?
dr|z3d ie canon blocklist, not +.
orignal and what might be the reason?
dr|z3d I HAVE NO IDEA.
orignal I know
orignal I think we also need zzz for explanation
dr|z3d I can't even find your ip or hash in the blocklists.
orignal then where "banned for 180 days" comes from?
eyedeekay I'm not seeing anything in either blocklist, a bad family key is currently the biggest penalty in the sybil attack tool and possibly the only way to actually hit the threshold
eyedeekay It's the only thing that makes any sense to me so far
orignal it was bad family key
orignal but for 180 days?
orignal just for crypto bug?
eyedeekay More like "until a restart" in practice, or at least it should be
orignal then why did you ban IP address?
orignal sorry guys this leads me to make a statement "don't use family at all"
orignal do you understand that you have made a good powerful floodfill unusable just for nothing?
orignal great job
eyedeekay I am fairly sure that the function that bans them bans by hash and by IP in the sybil tool, which is a flaw IMO, type of ban needs to be situational
orignal and what are you going to do with it?
eyedeekay The sybil tool? Too long to explain here, I've got a gitlab issue for it
orignal if any bug in crypto kicks out a good router?
orignal no with this false ban
dr|z3d Not sure it's a sybil block, I'm seeing it marked as "Blocklist"
orignal and how many good routers did you ban this way so far?
orignal maybe that's the reason why so few floodfills in the network?
eyedeekay I don't know that this is even why it's banned, it's a hypothesis
orignal but who knows?
orignal aren't you the main dev now?
dr|z3d keep your hair on, orignal, we're trying to identify the root cause.
orignal you are still reconsidering Tor exit nodes ban, aren't you?
orignal I will stop paying for 2RRY hosting, that's all
orignal one less floodfill
orignal and more doubts
dr|z3d you've identified an issue, until fairly recently I had no problem with 2RRY in my netdb, so it's something recent.
orignal and I'm still not convinced it was not done intentionally
orignal as a small revenge
orignal this issue with 2RRY was 3 days ago
orignal and I still have one i2pd transit
orignal and peer tests from i2pd Charlies only
orignal really great job
dr|z3d I don't think anyone was/is trying to sabotage your router.
orignal unfortunately too many haters of me
orignal and 2RRY is only known my router
orignal because it has family gostcoin
orignal and I didn't hide that it's mine
dr|z3d let's keep it rational. however many haters you have, very few have access to the repo, and even if they do, there's a papertrail.
eyedeekay Revenge for what? Also our fixed blocklists are public and you're not in them
orignal there are many reasons
eyedeekay The explanation has to be a dynamic block from somewhere
orignal maybe it's in the code of new release
orignal keeping rational the source of problem is wrong family signature for short time
orignal due to a bug
orignal that led to forever ban
orignal is it normal?
orignal revenge for what? say for bring Tor nodes back
dr|z3d yeah, eyedeekay, possibly dynamic block being wrongly flagged as originating from a blocklist.
dr|z3d a bogus family sig could get you banned, possibly.
orignal *bringing
orignal it might be banned say for 24 hours
orignal it's fine
orignal but not forever
dr|z3d although the ban should disappear on router restart, or after however long the sybil ban persists if it's detected as a sybil.
dr|z3d well, you're not in any blocklists, so you're not banned forever.
eyedeekay I have no hostility toward Tor exit operators and finding a way to coexist on Tor exits is IMO overwhelmingly a good thing
orignal almost
orignal I'm not going to pay for hosting that doesn't work
eyedeekay I agree that a broken family key should warrant a shorter ban time, especially because it will just be re-checked after the ban and if it's still broke, re-ban
eyedeekay Not a big deal
eyedeekay To change that behavior IMO
orignal then it must be fixed as soon as in 2.7.1
eyedeekay Is your family key fixed?
orignal The Tor issue is easy. They can be back now
orignal yes, 3 days ago
orignal almost immediately
eyedeekay Then the bans will be lifted as people restart their routers, I can't do a 2.7.1 over this right now
eyedeekay There's a whole refactoring of the sybil tool that needs to happen before it can be aware of what ban-point sources are significant
orignal I will shut it down by that time
eyedeekay The Debian people will probably never ban you at all, nor will the Android people
eyedeekay Because they will all restart **after** your family keys were fixed
dr|z3d as soon as the ppa is up and running, you'll likely have most of your connections restored, orignal.
dr|z3d and what eyedeekay said.
orignal I don't see any improvement in few days
dr|z3d thing is, I can't see you in every other router where you're not banned.
dr|z3d so maybe the issue is you, not us.
orignal no it's Java code issue
orignal and you have banned bunch of other routers this way
orignal I'm pretty sure
orignal NOTHING should be banned for more than 72 hours
orignal if it's not obvious for you
eyedeekay They would have to all be using bad family keys, which sounds absolutely absurd
orignal because the internet changes quickly
orignal who knows how many other wrong reasons you had
RN so, it requires user intervention to reset sybil bans, or just a restart? can I just look in the sybil page for "2RRY" to see if mine shows it as banned?
orignal then please tell me the reason
orignal you can't even tell the reason how do you know?
eyedeekay There is currently only one way to reach the 50 point threshold without running a router with a significant misconfiguration of a family key
orignal then it's dumb and must be fixed ASAP
orignal *** afk ***
eyedeekay Why? I'll concede the point about the ban times, but just don't misconfigure your family keys.
eyedeekay Just a restart RN
eyedeekay I do not have you in my sybil bans
dr|z3d in + you can delete the sybil blocklist, but you'll need to restart. you may also need to delete the sybil blocklist in canon to make sure it's gone.
dr|z3d I'm not convinced it's a sybil issue, however.
eyedeekay ^ again, we're still not sure that's what this is. I'm simply defending a hypothesis
dr|z3d I think it might be an issue with orignal's router, no matter how much he protests.
eyedeekay In fact I can't find him in a banlist on any of my routers, and I see 2RRY on about half of them
dr|z3d I only saw him in one, on 4 other routers I can't find him in the netdb.
dr|z3d *3 other routers.
eyedeekay 2/5 here, so not that different
dr|z3d maybe i2pd has inadvertently developed an allergy to java routers :)
eyedeekay I must confess I am over the sybil ban hypothesis
eyedeekay That seems unlikely at this time
RN not on my sybil blocked
mareki2p Hi, I created an issue for the Launch4j project related to my problem running the i2p installer: sourceforge.net/p/launch4j/discussion/332683/thread/b79fef5c2a
dr|z3d nicely done, mareki2p
dr|z3d let's hope they're responsive.
dr|z3d which reminds me, do you want to try building with ant installer, eyedeekay, or a recent java, and see if you have issues with izpack?
dr|z3d *on a recent java
mareki2p This is caused by me, if some software supports both an installer and a zip distribution, I always choose the .zip one. Normal people would have Java installed thru .exe or .msi installer and there would be no problems locating Java from Launch4j.
mareki2p I can try building the i2p installer from sources, I have Ubuntu machine over here. Just tell me what to do.
dr|z3d what does 'java -version' tell you mareki2p?
dr|z3d make sure you pull the latest + if you're testing plus, otherwise for canon i2p, just run ant installer
eyedeekay Does he need to do the IzPack5 install with +?
dr|z3d no, we're specifically testing what's in the repo.
dr|z3d and I think they may have fixed the issue in izpack5.
dr|z3d that's why I'm asking if you get issues with 'ant installer'
dr|z3d assuming you're building locally with a recent java.
mareki2p $ java -version
mareki2p openjdk version "21.0.4" 2024-07-16
mareki2p OpenJDK Runtime Environment (build 21.0.4+7-Ubuntu-1ubuntu222.04)
mareki2p OpenJDK 64-Bit Server VM (build 21.0.4+7-Ubuntu-1ubuntu222.04, mixed mode, sharing)
dr|z3d ok, try any installer from + and canon workspaces, if you have both of those.
dr|z3d (remember to git pull on the + repo first)
mareki2p Build failed: java.lang.NoClassDefFoundError: java/util/jar/Pack200
dr|z3d on canon?
dr|z3d canon == not +
mareki2p That was on the I2P.Plus repo, build failed on the i2p.i2p repo, different error: java.lang.ExceptionInInitializerError, at net.sf.launch4j.ant.Launch4jTask.execute(Launch4jTask.java:82), Caused by: java.lang.reflect.InaccessibleObjectException: Unable to make field protected volatile java.util.Properties java.util.Properties.defaults accessible: module java.base does not "opens java.util" to unn
orignal eyedeekay can you give me a favour?
orignal remove gostcoin's cert from the package
orignal dr|z3d which issue?
orignal the only issue was wrong signature 3 days ago
dr|z3d mareki2p: did you git pull on + before you built?
orignal you don't see it because it's banned by other Java floodfills
dr|z3d [ ] yes [ ] no (Tick one box only)
mareki2p Yes, the latest version from git. commit id 562e6dfe0dfc6c51457cf7565f06296fb9dd7ee8 in the i2p.i2p repo and commit id 0c47b7ea1369d661ea08f7109d153c7df51e5c52 in the I2P.Plus repo.
orignal but again I see it on all my routers
dr|z3d mareki2p: in the +_ workspace, try ant distclean && ant installer
orignal_ again please remove gostcoin.crt from the certificates
dr|z3d I've just successfully built on openjdk version "23" 2024-09-17
orignal_ 2. family code will be removed from i2pd code completely
orignal_ e.g. it will not be supported at all since Java react so inadequate
orignal_ 3. All routers responding with code 69 will be banned
mareki2p I always start from clean slate, meaning git clean -dfx && git reset --hard. Do I need to install some dependency?
orignal seems I2P has too many good floodfills to throw them away
dr|z3d a clean slate won't cleanup files ignored by git.
dr|z3d hence ant distclean
mareki2p After distclean same build error.
dr|z3d ok, where are you pulling from? don't tell me, gitlab?
orignal why do you need to fix it? because it's your fuckup
dr|z3d you need to calm down, orignal
orignal I said what I said
orignal the only thing I need from you now is removing gostcoin cert
mareki2p $ git remote get-url origin
mareki2p I guess I need to add some xxx.i2p domain, right?
orignal is it possible to do it for 2.7.1?
dr|z3d no, just pull from github.
dr|z3d gitlab is currently non-functional.
orignal <eyedeekay> Why? I'll concede the point about the ban times, but just don't misconfigure your family keys.
orignal calm down after such statement?
orignal you guys are all insane
dr|z3d we haven't identified the root cause of your issue, orignal, and neither have you.
orignal idk said clearly
orignal and I agree
orignal it's wrong family signature that produced 180 days ban
dr|z3d eyedeekay doesn't know, he was speculating. and he's probably wrong relating to a sybil-level ban. so we _don't know_.
orignal are you going to fix it? no
orignal I run 2RRY for stress test of serious load
dr|z3d your router is not very visible right now, for whatever reason.
dr|z3d like I said, mostly it just doesn't appear in any of my routers' netdbs.. no bans, just no 2RRY.
orignal no transit no load not reason to run it at all
dr|z3d 180 days ban is boilerplate.
orignal_ do you agree it must be fixed asap
dr|z3d those bans don't persist beyond a restart unless they're in a blocklist.
dr|z3d and afaict, your router isn't in any blocklist.
eyedeekay No, because the evidence currently supports not a sybil block
dr|z3d so we haven't actually established anything yet.
orignal_ eyedeekay will you remove gostcoin.crt?
dr|z3d and you throwing a tantrum isn't much helping shed light.
mareki2p Build successful.
orignal_ eyedeekay then it's even worse
dr|z3d there we go, good.
orignal_ because you don't even know
dr|z3d orignal_: have you ever had bugs in your code that aren't immediately obvious?
orignal and I'm asking again
orignal how many good floodfills did you lose because of this?
orignal dr|z3d that's why this bug must be investigated shortly
orignal the only sure thing is it started happening after incorrect signature
onon_ Guys, I think you need to add to the check code: if (RI == 2RRY) to exclude him from the ban list
orignal or after the release
orignal onon_ no
orignal it's not about 2RRY
onon_ For any reason
dr|z3d that's what we do, orignal, we attempt to identify issues and their root cause when they're reported. we just prefer not having to deal with people throwing tantrums.
orignal the problem is not 2RRY
orignal the problem is your code
orignal that might causes issues
dr|z3d mareki2p: can you do idk a favor and copy /installer/lib/izpack/standalone-compiler.jar from + to canon and see if canon compiles.
mareki2p will do...wait
orignal unless it's confirmed it was just new release, I will remove family code anyway
orignal useless features causes many troubles
mareki2p No, both before copying that .jar nor after the i2p.i2p repo doesn't compile.
dr|z3d ok, thanks. one for the canon folks to investigate then.
mareki2p Do you have GitHub actions CI?
dr|z3d I do, but currently it's "in flux".
dr|z3d it needs to copy the artifacts to a specified folder after they're built so I can serve them via github pages, but it's not playing ball.
orignal I need to decide soon if I put 2RRY down or not
orignal it's about payment for that VPS
orignal fixing that problem
orignal it was 4 days ago
orignal as I see Java release start rolling out yesterday
orignal meaning that most of Java router had to restart after
orignal therefore what's going on?
dr|z3d no, ppa routers which are the bulk of canon i2p routers won't have updated yet.
orignal then according to eyedeekay I should see an improvement in few days
eyedeekay And won't be updated until tomorrow at least, I have currently 4 arches to wait on
dr|z3d no, forget what eyedeekay said. we don't know what the issue is. it's not sybil detection, and it's definitely not an issue with any blocklist.
orignal then why IP address? and only ipv4 as I understand right
dr|z3d what I want to know is why 2RRY is failing to show up in my netdbs.
orignal because it's banned on other floodfills
dr|z3d that I also don't know, that was an outlier on a single router. why it was reported as being in a blocklist when I couldn't find any mention of hash or ip I don't know.
orignal why peer test returns code 69?
orignal why it's connect to i2pd only?
orignal and why all other my routers with same code are fine?
dr|z3d let's assume that your family fuckup has caused a temporary ban on some routers. if that's the case, it should resolve in time without further intervention.
orignal yes, my expectation like 24 hours or so
eyedeekay dr|zed where's your pages CI file, I could take a look?
orignal more funny
orignal most of my node are connected with it
dr|z3d eyedeekay: this is what I'm wrestling with right now: github.com/I2PPlus/i2pplus/blob/master/.github/workflows/ant.yml
dr|z3d orignal: you can keep your vps running, it'll sort itself out.
orignal if it's banned on most Java routers no reason to keep it
dr|z3d eyedeekay: I wanted to keep a separate branch (artifacts) that copies to builds/ so that i2pplus.github.io/i2pplus/builds/{artifact} is available. that's the plan.
orignal I don't need it without high load
dr|z3d it will sort itself out. patience, young jedi.
orignal I don't see any improvements in last 3 days
orignal it's around 1/3 of normal load
dr|z3d most of the canon i2p network hasn't migrated to 2.7.0 yet, as mentioned, that's waiting for the PPA build.
orignal and bunch of error 69 for peer test
dr|z3d if the ban is session-persistent, then you'll need to wait for the routers to restart.
orignal but the release is rolling out
dr|z3d NOT YET PPA.
dr|z3d PPA = majority of java routers.
orignal let me check stats.i2p
orignal well 15% only
orignal than let's wait until 40-50%
dr|z3d yes, let's!
orignal one more week
dr|z3d crack open a packet of chocolate potato chips, pour yourself a vodka, and relax.
orignal and if no improvement put it down
orignal maybe started it somewhere else later
orignal but without family
orignal how can I send GHOST command?
dr|z3d Blinded message
orignal thanks
dr|z3d you may also fine nickserv release helpful on occasion. /msg nickserv help release
dr|z3d *find
orignal wondering why no ghosts at ilita?
dr|z3d you usually only see ghosts when you restart i2p without /quitting first.
orignal I use znc )))
orignal but see here
dr|z3d you're not alone.
orignal and never at ilita
dr|z3d I don't know. I've got a question for you. snark+ yet?
orignal no, I was busy in something else
orignal will try tomorrow
dr|z3d yeah, busy harassing us.
orignal harassing?
dr|z3d as I mentioned before, just extract the zip over your existing installation.
dr|z3d you can always do the same with canon snark to revert. no need for multiple copies.
orignal does it accept i2p.streaming.profile=2 now?
dr|z3d you asked me that yesterday, and I told you "YES!"
dr|z3d be sure to git pull before you build.
orignal don't remember )) probably I was drunk ))
dr|z3d are you drunk now?
orignal I don't remember I was here yesterday
orignal was I?
dr|z3d that's unfortunate, we could have put your tantrum down to too much potato juice. oh well. maybe now's a good time to drink some :)
orignal so about harassing
orignal seems I have found a serious bug
orignal and it's lucky it affected me
dr|z3d yeah, it's one of those pebcak bugs.
orignal so I brought it in
orignal to investigate
orignal other people don't understand what's going on
dr|z3d presumably the only person having this issue is you?
orignal and I receive complaints often about low transit
orignal many complaints from many people
orignal looks like Java bans i2pd nodes often
dr|z3d you can't serve more traffic than occurs on the network. rule #1.
orignal I'm only person who is able to understand what's going on
dr|z3d as for banning i2pd, no, that's something we haven't established. routers with fucked family certs, otoh...
orignal not intentionally
orignal but for some logic that contains a bug
dr|z3d we haven't established that, either. perhaps we're a bit too strict with fucked family certs, that's something to look at.
orignal in my case it was fucked family cert for sure
orignal but for short ime
orignal *time
orignal people complain about few hundreds Kbs transit on XR routers
dr|z3d sure, we'd like to see more. but if not much is happening on the network, there's not so much traffic to route.
orignal also another version
orignal maybe Java node bans 2RRY because it participates too much
orignal if I remember it was your idea
dr|z3d unlikely.
dr|z3d for a router to be banned for requesting too many transit tunnels, it first has to ignore the fact that its requests are being rejected and keep requesting a ridiculous number of tunnels.
dr|z3d on canon, it's just rejected.
orignal no, it's not requesting it's accepting too much
dr|z3d "it's accepting too much"
dr|z3d look at what you just wrote. :)
dr|z3d if it's accepting too much, fix it.
orignal why? if it can
dr|z3d you just said it was accepting "too much". too much == needs fix.
dr|z3d we've had this discussion before. setting a limit on individual routers results in better distribution over the network and more heterogenous tunnels.
dr|z3d it also means you're less likely to get rejected when requesting tunnels.
dr|z3d so the whole network operates more smoothly.
dr|z3d everyone wins.
dr|z3d you also protect yourself from abusive routers.
orignal we need to think about loops
dr|z3d sure, that's a good topic. let's wait to see what zzz has to offer on the matter.
dr|z3d I see you, orignal
dr|z3d you're back in my netdb.
dr|z3d LeaseSets: 346 Routers: 15463 First heard about: 62 min ago Last heard about: 23 min ago Last heard from: 5 sec ago
orignal because you have restarted
dr|z3d I did restart, but before that I wasn't seeing your router in my blocklist.
orignal java routers keep updating
orignal I see now half of usual transit
orignal however this problem is still not identified I guess
dr|z3d I think we identified the issue.
dr|z3d The issue was your fucked family cert. It probably resulted in a session ban.
dr|z3d So if there's any issue at all, it's the length of the ban. That's my hypothesis, anyways.
orignal no the issue is why it was banned for 180 days
orignal and IP
orignal I'm wondering what would happen if RI has wrong signature for example
dr|z3d I told you, 180 days is boilerplate.
dr|z3d 180 days means "180 days OR until the router is restarted"
orignal so the issue not what triggered it
orignal but why such consequences
orignal people don't restart routers for months
orignal it's not a point
dr|z3d yeah, we also discussed this. the ban may be excessive, it'll get fixed.
dr|z3d once I've had time to locate the specific ban code, I'll do a 4hr ban.
orignal but it's not identified why
orignal we don't have such code in i2pd )))
dr|z3d that also needs fixing, it shouldn't be indicating blocklist.
orignal as I said, I will remove family code completely
dr|z3d no, you don't ban and let all manner of morons route traffic through you :)
orignal much easier
orignal I do ban a lot of shit
orignal say duplicates
orignal or false IPs
orignal if published IP doesn't match actual one
orignal but again I ban for 72 hours max
orignal not forever as you do
dr|z3d sure, that's something we can review.
orignal I have an idea how to solve this loops issue
orignal we need to store ident where TBR came from with tunnelID
orignal then we check if it's from another address drop it
orignal ofc not for IBGW but it received TunnelGateway msg
zzz re: 2RRY, rekey and change port, done and done
orignal zzz, they banned IP address
orignal that's the problem
orignal it means I have to ask hoster to assign another IP
orignal anyway better to talk with you about loops
zzz the only report we have of banning is from dr|z3d ? did he report IP is banned? how do you know?
zzz I thought he said IP was not banned? it's a lot of backlog
orignal <dr|z3d> ➜ Blocklist: 193.38.54.107
orignal that's the main problem
orignal also I saw code 69 in peer tests
dr|z3d only saw it banned on 1/4 routers.
zzz change port and rekey, see what happens
dr|z3d couldn't find it in blocklists, so I'm guessing the reason for the ban was misreported.
dr|z3d you're suggesting orignal rekey.. he has an emotional attachment to his router hash :)
orignal maybe later next week
orignal no, you didn't
dr|z3d no I didn't what?
orignal since it was banned by IP
orignal you didn't suggest rekeying because it's useless
dr|z3d I was talking to zzz in response to his comment "change port and rekey, see what happens"
zzz maybe only i2pplus banned you, maybe only some of them
orignal and no I'm not emotionally attached to router hash
orignal maybe
orignal by IP maybe
orignal by hash definitely not
orignal many Java routers did
orignal let's see how it will go next week since routers are going to restart due to the new release
orignal however it would be nice to know what caused it
orignal loops however is more important topic
orignal assume better scenario
zzz if your #1 priority is having your router used for ff and tunnels, then stop what you're doing, change port and rekey
orignal tunnel ->A->B->C->D->
orignal and D's next tunnel id is tunnel id at B
zzz what caused it is you messed up the family sig, that's what you said? nothing to research. you did it.
orignal no, it's not #1 priority
orignal I just want to see things sorted out because it might affect other users
orignal what caused bad forever?
orignal that's my question
dr|z3d private void banlist(Hash peer, byte[] ip) {
dr|z3d if (!_haveIPv6 && ip.length == 16) {return;} // Don't bother unless we have IPv6
dr|z3d String sip = Addresses.toString(ip); // Temporary reason, until the job finishes
dr|z3d String reason = " <b>➜</b> " + _x("Blocklist") + ": " + sip;
dr|z3d if (sip != null && sip.startsWith("127.") || "0:0:0:0:0:0:0:1".equals(sip) ||
dr|z3d sip.startsWith("192.168.") || sip.startsWith("10.") ||
zzz one banned router out of thousands and thousands doesn't affect anything
dr|z3d (ip != null && ip.length == 4 && (ip[0] & 0xff) == 172 && ip[1] >= 16 && ip[1] <= 31)) {
dr|z3d // i2pd bug, possibly at startup, don't ban forever
orignal 5th day and only little improvement
dr|z3d _context.banlist().banlistRouter(peer, reason, sip, null, _context.clock().now() + Banlist.BANLIST_DURATION_PRIVATE);
dr|z3d return;
orignal zzz, people complained about low transit
orignal on their routers
orignal it might be the same cause
zzz did they all have bad family sigs also?
dr|z3d *** chuckles. ***
orignal 2RRY works fine just lower transit and sometimes failures of peer tests
orignal but we don't know the whole logic yet
orignal my question is not why it's banned
orignal my question is why it's banned for long time
zzz re: research and "whole logic", work with dr|z3d on that, it's his router that banned you and his code. He's tweaked everything, especially on banning. I can't help you.
orignal yes, and I'm not asking this question to you
orignal idk should take care
orignal I can collect router hashes returning code 69 and see what's that
orignal so let's talk about loops
zzz ok, please restate the scenario briefly
orignal <orignal> tunnel ->A->B->C->D->
orignal <orignal> and D's next tunnel id is tunnel id at B
orignal an adversary drops a message into such tunnels and it's in loop for 10 minutes
orignal be back in 15 minutes
dr|z3d I think the reason orignal's ip was reported as being in the blocklist was the temp reason code.
dr|z3d String sip = Addresses.toString(ip); // Temporary reason, until the job finishes
dr|z3d String reason = " <b>➜</b> " + _x("Blocklist") + ": " + sip;
dr|z3d that's the only thing that makes any sense to me, and even then, I'm not entirely sure it makes sense, since it's not pulling the ip from a blocklist.
zzz orignal, you've researched this loop scenario and confirmed i2pd is vulnerable?
dr|z3d orignal was speculating that the excessive bandwidth we saw at the beginning of the year might have been a result of tunnel "loops", though I'll let orignal answer your question.
orignal zzz, I think so
orignal this scenario is mine now
orignal see, A can't handle TunnelGateway
orignal but B can handle TunnelData as long as it can find tunnel id
orignal it just add encryption layer and sends to C
orignal so this loop can be stopped only after 10 minutes
orignal but my question to is about timestamps in TunnelData msgs
zzz what about them
orignal does a tunnel participant assign the actual timestamp or copy it from incoming TunnelData?
zzz what do you do
orignal former
zzz is this a new topic? I thought we were talking about tunnel build loops
orignal so, my proposal is save router hash where TBR came from with a tunnel
orignal yes tunnels loops
orignal that's about it
zzz you can't have tunnel data msgs until the tunnel is built ))
orignal tunnel participants don't know if tunnel was built or not
orignal they only have a record with tunnelid
orignal why timestamp?
zzz ok, right, but at least everybody has to agree
orignal if we had a timestamp assigned by IBGW we could drop it by timeout
orignal but it's bad idea
orignal that's my point
orignal A,B,C,D agreed
zzz so fix that. you can't fix it with timeouts
orignal D sends back to A
orignal this record contains new tunnel id and A accepts it
orignal but next tunnel id for D contains first tunnel id at A
orignal how do you handle it?
orignal I suspect you have the same issue
zzz doubt it
orignal timeout is wrong idea
orignal please explain what's wrong in this scenario
orignal D doesn't know what's inside the next record
orignal adversary doesn't need a successful tunnel
orignal he only needs a loop to flood routers
zzz so fix your loop
orignal please explain how
orignal what do I do if I'm B or D?
orignal I never know if it's loop
zzz check for dup tunnel IDs? bloom filters?
orignal no dup tunnel ids
orignal every TBM record contains unique tunnel id
orignal and nexttunnelid for A and for D are same
zzz <orignal> <orignal> and D's next tunnel id is tunnel id at B <--- that sounds like a dup tunnel id to me
orignal no. nexttunnelid is a field in D's tunnel build record
zzz so that's a dup for B, right?
orignal and tunnel id is in B's record
orignal no dup
zzz but B will get the TBM for that tunnel ID twice, once from A and once from D?
orignal B receives two records with different tunnel id
orignal they will be different
zzz <orignal> and nexttunnelid for A and for D are same
zzz I'm very confused
orignal see, D had a field "next tunnel id"
orignal he sends next record to A
orignal every TBR contains two fields
orignal tunnel id and next tunnel id
orignal right?
zzz yes
orignal next tunnel id = tunnel id in next peer
orignal right?
zzz yes
orignal but it's set by tunnel originator
zzz yes
orignal what if adversary breaks this rule?
orignal he sets next tunnel id to tunnel id for first occurrence of B
orignal and unique tunnel id for TBR for second occurrence of B
orignal in this case B will receive two different TBRs with different tunnel id
orignal now when message goes through tunnel
orignal D will send it back to B with tunnel id that was already used
orignal B thinks it's a new message and sends to C, C sends to D and D sends back to C
orignal the loop gets formed
orignal be back in 2 hours. please think about this scenario
zzz I'm going to need a picture, I've had plenty of coffee and still stumped
orignal ofc. the key thing is wrong next tunnel id at D
orignal *** afk ***
zzz I need the ids for the TBM
zzz A: id=1 nexthop=B nextid=2
zzz B: id=2 nexthop=B nextid=3
zzz *B: id=2 nexthop=C nextid=3
zzz C: id=3 nexthop=D nextid=4
zzz D: id=4 nexthop=B id=5
zzz B: id=??? nexthop=??? nextid=???
orignal and TBR D: id=4 nextHop=B id=1
orignal B: id = 5 OBEP no next hop
orignal sorry D: id=4 nextHop=B nextid=2
zzz if B is java i2p that's not going to loop for multiple different reasons
zzz - if B id 5 is an OBEP it's not going to infinite loop
zzz - D to B on id 2, B will drop it because 'mid tunnel injection' check
zzz - will the D->B layer keys be the same as the A->B layer keys? depends how the KDF works
snex dr|z3d: gitlab says latest commit is 3 weeks ago. shouldnt there be newer stuff? trying to work on the snark infobar
dr|z3d snex: use github, not gitlab.
dr|z3d gitlab locked me out.
dr|z3d (and won't send a password verification e-mail)
snex link?
snex 👍️
orignal please explain why B will drop
orignal layer key doesn't matter
orignal B id 5 is OBEP but TunnelData will never come to tunnel 5 it will always come to 2 from D
orignal why layer key will be the same? You have different ephemeral key for first and second occurrence of B
snex lol... i added a torrent so thered be an infobar and now the page is just blank white. dafuq
dr|z3d try ant distclean before building.
snex the html is loaded, not sure why browser wont display it
dr|z3d have you just copied over the .war file or?
snex oh what the fuck... body display:none; was set somehow??
snex yeah the .war
dr|z3d you'll need to copy over the .jar file as well.
dr|z3d ignore body styling, nothing to do with the issue.
snex oh right i have an older v of that
dr|z3d build -> i2psnark.jar -> i2p/lib/
snex why would it set body display:none tho
dr|z3d so that the user's presented with a completely rendered page.
dr|z3d (see the bottom of the page before </body>)
snex there we go
dr|z3d as long as you're just working on the servlet, you can just copy over the .war file now.
dr|z3d if you work on other stuff, you'll need to copy over .jar file as well and restart your router/standalone.
snex yeah i just forgot the jar was ancient
dr|z3d there's a possible fix for console graphs that you said you were experiencing if you're running the latest + from git. let me know if it fixes things for you.
snex Error 500:  /graphs - javax.servlet.ServletException: java.lang.NoSuchMethodError: 'int net.i2p.router.web.StatSummarizer.countGraphs()'
dr|z3d well that's odd.
dr|z3d make sure you ant distclean before building an update.
dr|z3d /** @since 0.9.62+ */
dr|z3d public int countGraphs() {return _listeners.size();}
dr|z3d as mentioned before, you should also be able to 'ant installer' without erroring now.
snex yeah that part worked. did not distclean or copy over anything not snark-related
zzz orignal, <zzz> - D to B on id 2, B will drop it because 'mid tunnel injection' check
zzz and if the layer keys are different, B will not be able to correctly layer encrypt the msgs it gets from D, even without the mid-tunnel-injection check
orignal but an adversary doesn't need a message to be decrypted
orignal their purpose is to make the shit circulate
orignal please explain how "mid injection check works"
zzz when B gets TBM from A for id 2, it enforces that all tunnel data msgs for that tunnel must come from A
zzz nobody else can send messages into the "middle of the tunnel"
zzz if you don
orignal so you store ident hash with tunnel
orignal where TBM came from
zzz if you don't have that check, that's your issue
zzz yes
orignal agree it's my issue
orignal do you compare hashes for every single message?
orignal I mean tunnel message
zzz yes
orignal it's an overhead and slows down
orignal I would start doing it after some threshold
dr|z3d this is probably all you, orignal: BuildHandler: Dropping HOSTILE Tunnel Request -> Previous and next hop are the same
orignal e.g. when too much data goes through
zzz not too much overhead imho
orignal comparison of 32 bytes
zzz but I'm not here to convince you, just to explain what my code does
orignal I'm talking about possible solutions
orignal thinking how to implement it efficiently
orignal say you can save connid if it's SSU2
orignal instead of ident hash
zzz I'm not very helpful on C++ efficiency tradeoffs :) 32 byte hash storage and comparison is pretty cheap in java
orignal dr|z3d yes it's mine
orignal I don't check this situation
snex bleh now i cant run the install.jar after distclean and rebuild all: Exception in thread "main" java.lang.NoClassDefFoundError: Could not initialize class java.awt.Toolkit
dr|z3d try running with java -jar ./install.jar -console
orignal 8 bytes int is much much faster than 32 bytes non-aligned buffer
dr|z3d remember to run that from the dir you want to install to, or specify the install path without trailing /
dr|z3d otherwise it'll install to the pwd.
orignal anyway I will implement this check
snex got it - i forgot all this stuff lol
snex the graphs page still gives that error and it also seems to prevent display of the tunnels page
snex slightly different error coming from the tunnels page when it tries to load viewstat.jsp: Error 500:  /viewstat.jsp - java.io.IOException: No rates for combined bandwidth graph
dr|z3d that should be a transient error, or you're running java with awt support expected.
dr|z3d try: sudo sed -i -e '/^assistive_technologies=/s/^/#/' /etc/java-*-openjdk/accessibility.properties
dr|z3d I don't think you see that error if you install openjdk-headless.
snex i believe my default is running java-14-oracle
snex i can switch it
dr|z3d if you've got openjdk-headless or similar, try that. whichever version's latest, or whatever that installs.
snex same thing :(
snex i dont have assistive_technologies in that config file
dr|z3d did you purge oracle java?
snex no i just changed JAVA_HOME
dr|z3d and you ran i2prouter restart?
snex no i have it run in console so i ctrl+c then change JAVA_HOME then restart
snex i got this in the console log but it started anyway: ERROR: Failed to start imagegen MultiException[java.lang.UnsatisfiedLinkError: Can't load library: /usr/lib/jvm/java-11-openjdk-amd64/lib/libawt_xawt.so, java.lang.NoClassDefFoundError: Could not initialize class java.awt.Toolkit]
dr|z3d you're running it without the wrapper (runplain.sh) ?
snex didnt know i needed any wrappers
dr|z3d that's what i2prouter does.
dr|z3d runs the wrapper (service) which is how you can restart from the web ui.
dr|z3d either way, you're using java11.
snex i was just doing this: ./i2prouter console
dr|z3d I'm not entirely sure how that handles things, but try i2prouter stop && i2prouter start.
snex i believe it just runs it in the foreground rather than background
snex i dont want it running as a daemon
dr|z3d ok, well somewhere java's configured to load awt which you don't want.
dr|z3d because that relies on X11 or wayland.
dr|z3d (which you obviously won't have running from console)
snex i mean i am in a "terminal" from inside of X11 not a real terminal
orignal zzz, and one more question
orignal about timestamp in I2NP Garlic message
orignal OBEP can conclude what was the tunnel length
orignal that's different topic
snex ok got rid of all that by switching to java-18-openjdk. local tunnels page still blank despite not seeing this error in viewstat.jsp anymore. i was hoping to use this page to get some insight on how to poll the number of tunnels for display in snark
dr|z3d anything in logs?
dr|z3d local tunnels being the tunnel manager, or /tunnels ?
snex no. also my real router displays these pages just fine
snex /tunnels
dr|z3d dunno, you're not giving me much to go on.
dr|z3d what about /transit ? same?
snex ffs now the page loaded. i wonder if brave is doing some stupid fuckin caching shit
dr|z3d also, you're more likely to get the info you need from /configtunnels (maybe)
snex i hate when my software tries to be more clever than me and is never right
orignal ghost works
dr|z3d chocolate star for orignal.