~dr|z3d
@RN
@RN_
@StormyCloud
@T3s|4_
@eyedeekay
@orignal
@postman
@zzz
%Liorar
+FreefallHeavens
+Xeha
+bak83_
+cumlord
+hk
+profetikla
+uop23ip
Arch
DeltaOreo
FreeRider
Irc2PGuest19353
Irc2PGuest22478
Irc2PGuest48042
Irc2PGuest64530
Meow
Nausicaa
Onn4l7h
Onn4|7h
Over1
acetone_
anon4
anu3
boonst
juoQuua9
mareki2pb
not_bob_afk
plap
poriori_
shiver_1
simprelay
solidx66
thetia
tr
u5657
weko_
orignal
use case?
orignal
some guys want more anonymity
orignal
assuming it's harder to track an address if tunnels keep changing every 10 minutes
orignal
nice ))
orignal
per router is not good idea
orignal
why?
orignal
because an adversary can notice that LeaseSets always change tunnel gateways
orignal
and make a conclusion that few LeaseSets are located on the same router
dr|z3d
ok, sounds like per dest would be handy.
orignal
change interval after decline to 5.5 minutes
dr|z3d
good. that'll work nice.
orignal
and 1.5 hours max
dr|z3d
max being? the max time before you retry requests from a router that prev rejected you?
orignal
if last decline was more than 1.5 hours ago
orignal
router can be used for new tunnel
dr|z3d
ok
dr|z3d
good work.
orignal
declined again? 1.5 hours more
dr|z3d
so how do you switch from waiting for 5.5m to 1.5 hours?
dr|z3d
what's the threshold?
orignal
5.5 minutes means I never select one
dr|z3d
never select one? not sure what you mean.
orignal
between 5.5 minutes and 1.5 hours it's based on success rate
dr|z3d
ok
orignal
if router declined tunnel within 5.5 minutes
dr|z3d
well, should work a lot better with java.
orignal
I don't try it for next tunnel
orignal
then the decision is based on rate
orignal
after 1.5 hours from last decline I consider it as non-declining
orignal
and can try next tunnel
dr|z3d
sounds good to me.
RN
progress!
dr|z3d
15 of these recently, zzz: RouterInfo [QzBAjh] has INVALID signature .. guess that's what you're investigating?
dr|z3d
it's called "xanax for orignal" RN :)
orignal
what?
dr|z3d
yes, orignal.
dr|z3d
*** chuckles. ***
orignal
please be more concrete
dr|z3d
zzz gave you some digital xanax.
dr|z3d
(his fucked family cert commit)
orignal
and?
orignal
what about it?
dr|z3d
and nothing.
dr|z3d
maybe we can put the issue to bed now.
orignal
then I'm shrimp
orignal
with 2RRY?
dr|z3d
YES!
orignal
since he has made the change yes
dr|z3d
you're shrimp?
orignal
finally the bug was resolved
orignal
you don't know this Russian slang ))
dr|z3d
no, I don't. :)
orignal
"йа креведко" (literally "I'm shrimp")
dr|z3d
which means?
dr|z3d
"I'm as happy as a shrimp in a salad?"
orignal
means "I'm so dumb that I understand nothing"
dr|z3d
ah
dr|z3d
"clueless"
orignal
enjoy ))
dr|z3d
still waiting for you to deploy your puppy avatar...
dr|z3d
You want to watch District9, orignal, if you haven't seen it.
orignal
about ZA?
dr|z3d
about shrimps.
dr|z3d
m.media-amazon.com/images/M/MV5BMmEzZGUxZDctYWI3Mi00MjYxLWI2MWItYTYyYWRmNTFkNDZiXkEyXkFqcGc@._V1_QL75_UX820_.jpg
orignal
yes, alien shrimps in JBurg
orignal
right?
dr|z3d
that's the one.
orignal
I have one in Russian
orignal
but I looked at something else in this movie
orignal
the boer's world
orignal
look at people there
dr|z3d
not sure what you mean
orignal
do you know what's going on in JBurg now?
orignal
fauna hijacked all hi-rise buildings
orignal
and shit into elevator shafts
orignal
the movie is about an alternative history or ZA
dr|z3d
I wasn't aware, no.
orignal
*of
orignal
the main characters are boers
dr|z3d
You're talking about a different movie, "Boer's World" ?
orignal
in JBurg
dr|z3d
or?
orignal
no. District 9
orignal
look at the people there
dr|z3d
right, Boers being South Africans of Dutch descent, presumably?
orignal
see their color?
orignal
yes
orignal
but no boers in JBurg nowadays
dr|z3d
you holiday there?
orignal
they remained only in Cape Town
orignal
?
dr|z3d
in Jburg.
dr|z3d
Just curious. You seem to have insider info :)
orignal
I know from people
dr|z3d
ok.
dr|z3d
*** chuckles. ***
orignal
I'm in touch with boers
orignal
Elon Musk
dr|z3d
You're in touch with Elon?
dr|z3d
Is he running i2pd?
orignal
he was born in Pretoria
orignal
as you know
orignal
guess why did his family leave ZA?
orignal
Ubuntu guy
orignal
what has happened to him?
dr|z3d
He's over in London now, no?
orignal
so in District 9 you see ZA of Elon Musk and Ubuntu
orignal
yes, he is
orignal
but he is there?
orignal
why did he leave ZA?
dr|z3d
No idea, not in touch with many Boers myself :)
orignal
if you are really interested
dr|z3d
They probably left ZA because the climate became hostile.
orignal
look for a movie called "White cross of ZA"
orignal
no they left after 1994
dr|z3d
big fish, small pond, find bigger pond, grow more.
orignal
they left ZA to not see this
dr|z3d
let's not go there, thanks.
orignal
that's real video from Durban
orignal
like 2 years ago
dr|z3d
I visited animal once. That was one time too many. Never again.
orignal
if you don't want to go there find "White cross of ZA"
orignal
it was on youtube
orignal
but was removed from there
orignal
google doesn't like truth
orignal
film made by Russian reporters
dr|z3d
RT reporters?
orignal
about what's really going on in ZA now
orignal
no. 1st channel
dr|z3d
is that another kremlin-owned propaganda vehicle?
orignal
boers said what was shown there is truth
orignal
propaganda of what?
orignal
so District 9 is about ZA before 1994
orignal
real ZA is in white cross
dr|z3d
any tv station owned or overseen by the kremlin (all of them in Russia) are propaganda vehicles. maybe that's why youtube banned your video?
orignal
no, youtube banned it because it doesn't match their agenda
orignal
because people can open their eyes
dr|z3d
ok
orignal
what can happen to a country with nuclear bomb and space satellite
orignal
if you give the power to fauna
dr|z3d
so we should give power to flora then?
orignal
you know what I mean
orignal
want ZA like in District 9? Never give power to fauna
orignal
they ruin everything
orignal
and the pendulum is changing its direction now
orignal
Nazis call me an old white racist
orignal
but I never was involved in that BLM/DEI/LGBT shit
dr|z3d
:)
orignal
and was always consistent in my opinion
dr|z3d
I know what you're trying to say, yes.
dr|z3d
sometimes opinions are best when they're not expressed :)
orignal
that's why we use I2P
orignal
the place where is can freely express any opinion
orignal
*you
dr|z3d
speaking of using i2p, I bet you still haven't got I2PSnark+ working yet.
orignal
how I2P people are going to wash themselves of this shame, idk
orignal
no, my project is i2pd
orignal
and it works well
dr|z3d
Snark, not I2P+
dr|z3d
it was always "will do it tomorrow". about 3 months ago.
orignal
don't have time to play with snark now
orignal
it's even not running
orignal
too many other things to do
orignal
here you go
orignal
white cross of africa
orignal
but in Russian only
dr|z3d
maybe later.
orignal
when you have time
orignal
and thing why no english version there
orignal
*think
dr|z3d
attack seems to have calmed down right now?
dr|z3d
no doubt it'll ramp up again soon enough.
orignal
yes
dr|z3d
do you talk to "monkey" ?
dr|z3d
another dodgy router: dT50jTIPtC9fFD7NnXCmz8HGiAZuRT-~re~JagmO6mo= [169.150.227.198]
dr|z3d
so yeah, orignal, I see the IPs of these routers, just not in the console routerinfo display
orignal
is it Tor or not?
orignal
no, I don't talk to monkeys, I just see them on my routers
dr|z3d
I don't think so.
orignal
what's the reason to use a proxy?
orignal
maybe this is related
dr|z3d
so that ip geo-locates to Israel, but is registered to a private user in Prague.
orignal
do you see NTCP2 or SSU2?
dr|z3d
both.
dr|z3d
running java.
orignal
so SSU2 works too?
dr|z3d
routerinfo says yes.
orignal
no I'm asking about XG
orignal
with caps=46
dr|z3d
I'm talking about the XG router mentioned above.
dr|z3d
with caps 46.
orignal
can Java publish RI without R or U cap?
dr|z3d
Addresses:
dr|z3d
NTCP2 caps: 46 s: qsJWhskQmAK3JzzvXFn1ZcblELMWTO9KHBBP-2EKE20= SSU2 caps: 46 MTU: 1478 i: OOzrhbRkX3GN9eZu5tXkm3T13oFBeazMwBCuBd-KU6w= s: rrkt9ZvhkAwhLxqgPSG1EpW
orignal
I don't think so
orignal
why do you think it's Java?
dr|z3d
Cost 14/15. Smells like Java.
dr|z3d
I even have a little I2P icon in my console that indicates it's probably Java :)
orignal
const uint8_t COST_NTCP2_NON_PUBLISHED = 14;
orignal
const uint8_t COST_SSU2_NON_PUBLISHED = 15;
orignal
it's i2pd
orignal
connecting through proxy
dr|z3d
ok, need to update my java detection.
orignal
my question is
orignal
if you see real SSU2 connections
orignal
or monkey just publishes it
orignal
if you see real SSU2 connection
dr|z3d
can't tell you right now, it hits a certain threshold and then gets banned.
orignal
most likely it's shadowsocks
orignal
maybe even from that guy in the issue
dr|z3d
probably because it's not respecting transit request limits.
orignal
if it's NTCP2 only
orignal
most likely it's Tor
dr|z3d
Sure.
dr|z3d
Not Tor.
orignal
then proxy that doesn't support UDP
orignal
something new then
dr|z3d
that ip address looks like it's doing a lot of ownership obfuscation all by itself.
orignal
why one needs proxy?
dr|z3d
registration in cz, .co.uk abuse address, israeli geolocation.
dr|z3d
datacamp.co.uk <- abuse.
orignal
we need to understand what kind of proxy is it
orignal
without attack 2RRY still has lack of transit
orignal
Transit: 1345.37 GiB (984.57 KiB/s)
dr|z3d
yeah, seeing a steady 1-1.5MB/s on one router.
orignal
usually it was around 3 Mbs
dr|z3d
maybe your provider's still getting hit.
orignal
I don't think so
orignal
Java routers still bypass me
dr|z3d
we're not fully upgraded on the network yet, ~55% or thereabouts?
dr|z3d
here's another XG for you: pzKFy7HQfcmVWi-vRoebaOYOaloGakJwVlW5EmRJOts=
dr|z3d
NTCP/SSU
orignal
and also 46?
dr|z3d
yup
orignal
I see they all use the same config
dr|z3d
I think they're getting banned here (mostly) because they're not respecting request rejections and just keep on spamming requests, so maybe modified code.
orignal
or too many tunnels
orignal
one destination produces very limited number of tunnel requests
dr|z3d
ramping up again...
RTP
Hey everyone, had a question I thought someone here might answer. If I was going to share a couple usbsticks to friends with i2p on it... To help them try it out... Would an i2prouter become a problem if directly cloned on disk by Router Identity? Or is this automatically handled in some way? I've been wondering this and couldn't find the answer.
not_bob
I do not think it would be great, no.
not_bob
I think it would be fine if you remove ~/i2p/router.keys.dat before you pass them out. Then each router will create a new one on start.
RTP
ah awesome. Thanks not_bob! Always appreciated.
not_bob
Anytime!
dr|z3d
are you going to share the config dir as well, RTP?
dr|z3d
if you're not, then you don't need to worry about router identity, it'll create a new one (and a config dir) on first run.
dr|z3d
if you were to share a config dir, add the line router.rebuildKeys=true to the existing router.config in the config dir and that will also remove any router identity files and create a new id.
dr|z3d
either way, you'd have a hard time deleting ~/i2p/router.keys.dat since it doesn't reside there, it resides in ~/.i2p/
dr|z3d
but router.rebuildKeys=true in ~/.i2p/router.config is what you want.
dr|z3d
that will create a new routerid and then remove itself from router.config
dr|z3d
no harm removing router.keys.dat, though.
dr|z3d
probably a "good idea" just so someone else doesn't have your own router id keys.
dr|z3d
with all that said, best to just distribute the app dir and then a new profile and new identity will be created on first run.
RTP
ah thank you dr|z3d will add that to ~/.i2p/router.config as don't want to cause any issues
dr|z3d
are you creating a virtual image?
dr|z3d
or you're just providing a usb stick with i2p pre-installed?
dr|z3d
either way, better not to copy the profile dir at all. if you want to customize the config, you can edit i2p/router.config
RTP
just going to provide usbstick with i2p preinstalled for bootable bare metal experience :)
not_bob_afk
Yes, my bad. Forgot the . in the path.
dr|z3d
right, so your user runs i2p, and it'll ignore your profile dir.
dr|z3d
so don't bother.
dr|z3d
the profile dir will be created on first run.
dr|z3d
(and not on the usb stick)
dr|z3d
bootable??
not_bob_afk
That's what it sounds like.
RTP
bootable set up for someone who has no linux experience. The idea is just to make it super easy for them to check out for the first time.
dr|z3d
it doesn't sound like much without more info.
dr|z3d
if it's a live OS, great. still don't recommend a profile dir.
dr|z3d
if you want to pre-configure i2p, then do that first, copy the relevant sections in .i2p/router.config to i2p/router.config and then you can remove ~/.i2p/
RTP
Just a very basic automated starting i2p browser set up on desktop. Was afraid if I missed something in router ID etc it might get banned so will for sure add the recommendations.
RTP
not live run though
dr|z3d
ok
RTP
so would have i2p+ preinstalled with a browser and some scripts I shared on my channel to automate everything with a shortcut. Nothing fancy on set up. Just basic functional i2p browser is purpose.
dr|z3d
on the live os, then, you probably want to run ~/i2p/i2prouter install once you've modified i2prouter to point at the user you're running it from, though you'll need to run ~/i2p/i2prouter install as sudo.
dr|z3d
that will setup a systemd service so it runs on startup.
dr|z3d
(and can be controlled with service i2p {stop|start|restart}
RTP
ahh okay I actually never tried the install argument. That is great to know about! Saves me some writing. :)
dr|z3d
the line you want to edit in i2prouter is commented out and starts with RUN_AS_USER iirc.
dr|z3d
you can also copy eephead, eepget and i2ping from ~/i2p/ to /usr/bin and then edit each file to point at your i2p installation
dr|z3d
edit each file after copying to /usr/bin .. there's comments at the top of each file where you need to specify the i2p app dir.
dr|z3d
if you want to add additional documentation, you can add stuff to the default eepsite folder and link to it.. just an idea.
dr|z3d
then you might set 127.0.0.1:7667|127.0.0.1:7658 as the homepage in firefox or equiv.
dr|z3d
(which will open multiple pages for home)
RTP
Very helpful. Thanks to both of you much on this. 🙏
dr|z3d
*thumbs up*
orignal
RN, you shouldn't clone router keys. Such routers will be banned
orignal
once found
orignal
at least in i2pd
dr|z3d
we estanblished that, orignal :)
dr|z3d
I've now contracted your stan bug :|
orignal
well you might not know how i2pd works
orignal
which -stan bug?
dr|z3d
estanblished..
orignal
lol
orignal
btw, since you watched District 9 you know what bantustan is
dr|z3d
I've just reminded myself.
orignal
bantustan is a word from SA
orignal
but in Russian it also means a shitty country
dr|z3d
homelands for black South Africans in apartheid South Africa. I guess in Russian it sort of means ghetto.
orignal
no, ghetto is about WW2
orignal
about Nazi
orignal
the difference is that bantustans have their own governments
dr|z3d
ok
orignal
and not whole SA is bantustan
dr|z3d
indeed not.
zzz
I've collected about 20 XG's by hash/ip/port
zzz
as a group they're all over the place, but none of them are IP-hoppers
zzz
my list has zero overlap with Vort's zip of 16 though
zzz
anybody want the list for further analysis?
orignal
zzz, any idea what kind of proxy is it?
orignal
guys, please help me choose the name of a param that says not to recreate expired tunnels
orignal
because I'm not a native English speaker
zzz
I know nothing about proxies, I leave that to others
orignal
do you see actual SSU2 sessions?
orignal
or NTCP2 only
zzz
not looking for ssu2
orignal
if they really connect through SSU2 there are not too many proxies that support UDP
orignal
and then most likely it's shadowsocks
dr|z3d
param? newTunnelsOnExpiry ?
dr|z3d
newLSOnExpiry?
dr|z3d
or rather, newLeaseSetOnExpiry
dr|z3d
is that what you're doing, tearing down the LS and creating a new one?
dr|z3d
or maybe newDestOnExpiry ?
dr|z3d
not that many of them, zzz, possible attack routers? dunno.
orignal
thanks
orignal
i2cp.newTunnelsOnExpiry sounds right
dr|z3d
ok
orignal
LS is about IB only
orignal
but this is about OB too
orignal
Vort said not much traffic went from them
orignal
hence most likely it's a monkey try to attack some service
dr|z3d
I still think XG !R!U routers are suspect and should be blocked.
dr|z3d
maybe in time you'll come around to my way of thinking, orignal :)
orignal
no you don't have any evidence that these routers do something wrong
dr|z3d
that's the "in time" part. :)
orignal
no, it's because the release
orignal
before they would appear as X
orignal
hence maybe they are in the network for a long time
orignal
plus before i2pd didn't work well through proxy
zzz
not true, sampled my list, all first seen in last 24 hours
dr|z3d
> ok, well we can keep them under review. maybe we'll learn something.
orignal
maybe they always change RI
zzz
maybe let's do data-based analysis instead of guessing?
dr|z3d
*** smiles. ***
orignal
I will try on 2RRY
zzz
give me the IPs you have for vort's 16 and I'll compare with my list
orignal
he said everything had the same one
dr|z3d
this one's a good place to start if you want to perform some analysis: dT50jTIPtC9fFD7NnXCmz8HGiAZuRT-~re~JagmO6mo= [169.150.227.198]
orignal
that's how he recognized them
dr|z3d
that's got dodgy written all over it.
dr|z3d
israel geolocation, czech registration, abuse/hosting co.uk
zzz
I don't have that hash or IP in my list
zzz
what IP was it orignal ?
orignal
I posted it here
zzz
so could you do it again please? like you've never asked me to repeat myself?
orignal
<Vort> 2a02:6ea0:fb01:1::d001
orignal
<Vort> CDN77
orignal
sure
orignal
<Vort> [2a02:6ea0:f207::d001]
orignal
<Vort> most likely, all these :d001 ones are from the same owner
orignal
basically he says that all ended with d001
zzz
I don't have that hash or IP in my list
orignal
do you have ipv6 with d001?
orignal
I don't see either now
zzz
XG: 1ElsL8VYkh7UGBiWqQzaNUotZuBE23H3KgbIyan4DPk= [2a02:ed04:3581:3:0:0:0:d001]:35858
zzz
XG: 3FjBS3xBBmVhnmeHBcmTDNZtE3I3WQCmBPr6WleLIAc= [2a06:3040:d:410:0:0:0:d001]:59054
zzz
XG: bInqP3B-TRtryxnec9gp27hrXya~pRIaSGbq3pWKRoo= [2400:ddc0:a00b:0:0:0:0:d001]:44844
zzz
XG: fWJ8BU6GlVZqLAwxE-4lkyWfg7ddz6GaOSZgSuITzFk= [2a02:6ea0:f206:0:0:0:0:d001]:51080
zzz
XG: hCW-6LzOpPCBedRhUKTj3qcdZ7-5zLPC8JENwDKUpwE= [2602:ffe4:c0d:801d:0:0:0:d001]:35102
zzz
XG: i2OMHYkOO0h5n9p7QrLUnSll1Ie-vY7qw8SGA7AIrdM= [2404:f780:4:deb:0:0:0:d001]:34070
zzz
XG: i2OMHYkOO0h5n9p7QrLUnSll1Ie-vY7qw8SGA7AIrdM= [2404:f780:4:deb:0:0:0:d001]:50740
zzz
XG: IY1RS9XUzvuRw68AzWeSAn2sehHrcy~q2T-XISePjEE= [2804:5364:7000:40:0:0:0:d001]:60476
orignal
I see 2604:d500:4:1::4, like 8 connections from the same IP but from different ports
orignal
so Vort was right
zzz
but plenty more w/o d001
orignal
yes
zzz
4th one above has f206, vort reports f207
orignal
so I'm going to change the code: if SessionConfirmed receives XG, write it to log
orignal
Vort said that all IPs ended with d001
orignal
that's how he collected them
zzz
not true here, 1/3 ipv6 not d001, 1/3 ipv4
orignal
ofc not
orignal
only his list
orignal
indeed there are more
orignal
maybe that guy
dr|z3d
that RI I referenced just know was notable for requesting a ton of tunnels, aside from the obvious ip ownership obfuscation.
dr|z3d
*now
dr|z3d
orignal: that issue re the proxy guy on github, shouldn't you be advising him against using a proxy if he wants to host transits?
orignal
everybody understands that there is no transit through proxy
dr|z3d
I'm not sure they do, esp. given it's a recent i2pd feature to mark G for proxied connections.
zzz
"ton of tunnels" seems to be a different category than "XG", let's not get ourselves confused
dr|z3d
just an observation - that specific router came to my attention because XG + tons of tunnels.
zzz
it is XG?
dr|z3d
yup
zzz
ok, we're not confused ))
dr|z3d
ok, good. :)
zzz
here's a tons of tunnels XG BbZqLVpQYKHF-KqsIcfVVMc8s7B09t4jFWC8KQaXctQ= 2a02:6ea0:d70a:1:0:0:0:b58d
dr|z3d
yeah, I see that. Top of my list right now.
orignal
requests or what?
dr|z3d
except it's not G.
dr|z3d
at least not here.
zzz
Router: BbZqLVpQYKHF-KqsIcfVVMc8s7B09t4jFWC8KQaXctQ=
zzz
Published:9 min ago
zzz
Signing Key:EdDSA_SHA512_Ed25519
zzz
Encryption Key:ECIES_X25519
zzz
Routing Key:jQK-PgELT9~wzZGcpNfvKEy91IY4chOYRymSqKbjMds=
zzz
Compressible:true
zzz
Last IP: 2a02:6ea0:d70a:1:0:0:0:b58d
zzz
Addresses:NTCP2: cost: 14 caps: 46 s: qkyxgS9bcHv4f~1-GIcts12zWdirQ2~K~k1miCixOiY= v: 2
zzz
SSU2: cost: 15 caps: 46 i: m~cEiBQ0XldaSqw84B~Rm7YYE40NZj3faphDHXN8NS4= s: LLiLuZF2phDy1x9ShLAWo~F~RfvoPLI01JDwu005G2I= v: 2
zzz
Stats:caps = XG
zzz
netId = 2
zzz
router.version = 0.9.64
orignal
<zzz> Published: 9 min ago
orignal
what does it mean?
zzz
that's the RI timestamp
dr|z3d
ok, that's strange, it's displaying G on the routerinfo page, just not on transits.
dr|z3d
must be a css snafu.
dr|z3d
another XG demanding a ton of tunnels: T6nP4iQZ6u~2x4YqARQV8~sdREzMDkyTtqNRY56tnes=
orignal
because it's not supposed to be published at FF
dr|z3d
another one slowly climbing up the XG tons of tunnels ladder: YV6J9XMlk19D3-0-vy2Z6qNXDHT9IIR5JEYJi8lfSpw=
dr|z3d
they climb to the top, then seemingly don't take the "no more tunnels" hint and keep requesting, and then get banned.
orignal
do you publish E?
dr|z3d
publish? sure.
dr|z3d
I think ARM or Android is E by default.
dr|z3d
one of the two, or both.
dr|z3d
otherwise, when we reach x percent of capacity, we publish E.
orignal
i2pd never tries to request tunnel through a router with E
dr|z3d
I think we're the same, at least in + and possibly in canon.
dr|z3d
in fact, in + I don't think we request transit from routers with D, E or G.
dr|z3d
actually, no, we publish D for low performance (Android et al) routers, my bad.
dr|z3d
correct channel: another XG/tunnels: hdsZ1DIgi~AMYbQ8q~6euPj9MadfEvy4L~o~ZcUN-3g=
orignal
also people are reporting that the tunnels thread is the most CPU consuming now
orignal
it means too many TBRs
dr|z3d
right, so throttle, orignal :)
dr|z3d
one of these days you'll get the hint.
orignal
no, first is to move x25519 away
zzz
fix your 25519 precalc thread.
zzz
don't run it once a second with a timer; just interrupt it when it's low or empty
orignal
zzz, already
orignal
I generate x25519 is separate thread
zzz
and even 25 may not be enough; we do 20-60 depending on memory
orignal
but this CPU usage is key agreement
orignal
once a second? what are you talking about?
orignal
I have enough pre-calculated keys
zzz
std::this_thread::sleep_for (std::chrono::seconds(1)); // take a break
zzz
github.com/PurpleI2P/i2pd/commit/b8d61e04f0ca5ce652e193198b5cd4f277fe2a18#diff-9a8b45dc33aeb2ab786c744f137ede2b369e97bc9975cf4652ccbbbb8c96aa28R77
orignal
the problem comes when you have to calculate shared secret for every TBR
orignal
it never falls here
orignal
it's circuit breaker
zzz
ok
orignal
to make sure that thread doesn't eat whole CPU
zzz
keep a queue of tbrs and start dropping if you fall behind in that thread
orignal
usually it calculates a new key once a key is used
orignal
yes, that's what I'm going to do
orignal
move TBRs away from tunnels thread
orignal
I handle TBR and tunnel data in the same thread
zzz
eww
orignal
just saying it's time
orignal
because it has never been an issue
zzz
how many threads total do you have?
orignal
my point is that x25519 also consume CPU
orignal
around 20
zzz
ofc
orignal
well it's much better than ElGamal
orignal
but still much slower than symmetric crypto
zzz
ofc
dr|z3d
another one: HRiGlE9sEMnPRMsHPM~wTWQJ0-NLnl8IDimIoB4Yd6Y=
zzz
we have one thread for TBRs but a whole bunch for data
orignal
yes, that's what I'm going to do
orignal
for own TBR or transit TBR?
zzz
all incoming requests and responses
zzz
we're well over 100 threads total, probably close to 200 on big routers
zzz
but it's a little easier to do threads on java
orignal
for your TBR you need to apply x25519 for each record
dr|z3d
closer to 300 here.
dr|z3d
(threads)
orignal
no problem with threads in C++ either
orignal
I just prefer to keep them minimal
uop23ip
dr|z3d, What are good values for job lag or message delay and are they useful (transit) performance indicators?
dr|z3d
what are you seeing right now, uop23ip, and are you floodfill?
uop23ip
yes ff, jlag 500µs, mdelay 6ms
dr|z3d
those are fine. job lag under 200ms is fine, message delay under 100ms is fine.
dr|z3d
obviously the lower the better, and your values are low.
dr|z3d
you'll maybe see those a bit higher when the router starts up.. they soon come down.
dr|z3d
job lag is normally lower for floodfills because they're not exploring the netdb DHT.
uop23ip
Regarding the attack, better to get onto dev to bring your fixes in?
dr|z3d
sure, there are a few mitigations in there.
dr|z3d
it's not going to stop the bandwidth rollercoaster, but it might catch offending routers sooner.
uop23ip
Nice, thanks
uop23ip
Is it possible to tunnel "dos" a router so far that its congestion level gets worse and worse?
dr|z3d
you also get an enhanced, streamlined view of router profiles in the latest dev builds.
uop23ip
Can you make a D to an E or G, by overwhelming it with tunnel demands which exceeds it limits and reacts by declining tunnel request for others?
uop23ip
nevermind, just wondering how i became an E from a former always D. ;)
zzz
so what do we do about G routers
zzz
G hop is obviously owner
zzz
no mention of it in proposal
zzz
I don't recall orignal discussing any anon concerns about it here
orignal
zzz, it's obvious even without G
orignal
if a router publishes RI without incoming addresses
orignal
if someone connects through proxy they must understand this risk
orignal
that their connectivity is limited
zzz
what about non proxy
orignal
I set G only for proxy
zzz
I certainly haven't communicated the risk via my UI
zzz
you set it for sym nat and for max tunnels == 0 also, iirc
orignal
if someone turns off transit they must accept this risk
orignal
for sym nat you did it
orignal
I'm going to revert it
zzz
where do you present that info to the user? website? web UI? logs?
orignal
notransit=true you mean?
orignal
it's false by default
orignal
if you are so dumb as to turn it off, don't expect anonymity
orignal
G for symm NAT is a bad idea, I agree
zzz
ah, you've come full circle, bad idea again
zzz
ok so you don't communicate it anywhere, they either know it or they're dumb ))
orignal
I talked to people on dev
zzz
should G routers be limited to 1 hop tunnels since they're wasting their time?
orignal
ofc no
orignal
to 2
orignal
example
orignal
I'm a G router ygg-only
orignal
first hop is ygg only too
orignal
last one is ygg + clearnet for endpoints
zzz
should the part. tunnel throttler be way stricter for G routers?
zzz
that would reduce the impact of the XG fleet
orignal
you mean own tunnels?
orignal
yes I agree
zzz
no. how many tunnels should I allow a G router as previous or next hop. shouldn't be too many
zzz
definitely not 25 like I saw this morning
orignal
zero
orignal
because you are G
orignal
how many FROM G routers?
dr|z3d
re part throttler, yes.
orignal
I would say how many destinations are allowed
dr|z3d
treat G routers as superslow and throttle accordingly. that's what I do.
orignal
I would alllow only 3
orignal
shared local destination, proxy and one server tunnel
dr|z3d
another XG/tunnels offender: MH5A7L1fcsea9bv6UHc~PNX~yknfVoTjKKpoCOxJ7Vo=
dr|z3d
you don't throttle, orignal :)
orignal
no I don't
orignal
I mean in configuration
dr|z3d
so you can't allow only 3.
dr|z3d
oh, you mean cap the number of tunnels the router can host.
dr|z3d
tunnels/dests.
zzz
this is all discussion we should have had when the G cap was proposed and discussed
dr|z3d
we're only discussing it now because orignal's marking proxied routers G.
orignal
zzz, it's not about G cap
orignal
if you see LU with NTCP2 only
orignal
what's a difference?
orignal
e.g. we should also talk about de-facto G
zzz
that's even rarer than G
orignal
proxy always looked like this before
orignal
and there were tons of such routers and dr|z3d banned them explicitly
zzz
proxy was almost nonexistent until you decided to do the opposite of what I recommended and make it easy
orignal
come on
dr|z3d
lol.
orignal
proxy has existed for at least 5 years
orignal
un has implemented it long time ago
dr|z3d
orignal's doing that "come on" routine again. it's almost a catch phrase.
orignal
even for NTCP1
orignal
proxies always existed
zzz
this is how we got here. me + drz: block tor; you: make sure i2p-over-tor works well
zzz
so not surprising
orignal
hold on
orignal
we are talking about two different things
orignal
how long does i2pd support proxy for NTCP2? For SSU2?
orignal
second, all these XG routers have nothing to do with Tor
orignal
hence they would work anyway without my recent change
orignal
but looked like X or XU
orignal
and I wish we had had this discussion 6 months ago
orignal
to discuss how to fix proxy rather than all Tor IPs
zzz
if they're behind a proxy you can probably limit them to 1 hop unless ygg-ygg
orignal
yes, good idea
orignal
but then OBEP and IBGW will be i2pd only
zzz
ok, if you want to keep your tor sabotage
orignal
that I don't like
orignal
because endpoints always consume more resources than middle hop
orignal
man, it's not about Tor
orignal
the purpose of this change is wider
orignal
it's "-stan" mode
orignal
meaning you can't connect to every router in the network
orignal
you guys don't even try to address this issue yet
orignal
keep living in jrandom's days with the assumption that any-to-any connection is possible
orignal
but in real world driven by monkeys it's not true anymore
zzz
jrandom did not assume that and it's mentioned all over his docs
orignal
and what's the solution?
orignal
hidden router?
dr|z3d
might as well be. G + !R + !U == hidden.
orignal
maybe I should publishing H for proxy?
dr|z3d
sure
dr|z3d
amounts to the same thing, no?
orignal
I don't want to introduce "hidden" mode explicitly
orignal
because every monkey would start turning it on
orignal
they are so dumb that turn on encrypted leasesets for client tunnels
orignal
zzz, what do you think about H?
zzz
not a bad letter, not my favorite
orignal
for proxy I mean
dr|z3d
*** chuckles ***
orignal
literally meaning that it doesn't publish itself
orignal
and that's true
orignal
for proxy
zzz
state your case, write it up, with a security analysis this time
orignal
my case?
zzz
case = "why"
orignal
NTCP2 and/or SSU2 go through proxy
orignal
why publish H?
orignal
that's my question to you
orignal
what it actually means
zzz
I'm asking that you spend some time to explain an idea before you ask me what I think
orignal
then I need to know what 'H' is for
orignal
what exactly does it say?
orignal
in my code I consider it as G
zzz
look in the specs
orignal
ok. removed G for proxies and symm nat
orignal
I did
orignal
it doesn't have an exact explanation
orignal
zzz, while you are here and we are talking about caps, maybe you can give an ultimate answer about the 'U' cap
orignal
the question is simple. Can a router publish U cap for non-published NTCP2 only router?
orignal
nobody can answer this question for years
orignal
and second question if I can publish "R" for ygg-only router
zzz
asked and answered many times, and the answer is in the spec
orignal
no it's not there
orignal
R if can be reached by any transport
orignal
but is ygg "any" transport since you don't recognize it as a transport
zzz
if you have a proposed addition to the spec, email me a patch
orignal
R: Reachable
orignal
U: Unreachable
orignal
that's what I see in specs
zzz
sigh
orignal
R means that the router is directly reachable (no introducers required, not firewalled) on at least one transport address. U means that the router is NOT directly reachable on ANY transport address.
zzz
there you go
orignal
no, it doesn't answer my question
orignal
for R it doesn't answer if ygg is transport or not
orignal
U says if it's not reachable directly but doesn't say what if not reachable at all
zzz
then add your own answer and email me the patch
orignal
but I don't know the answer
zzz
I added that section after the last 10 times we talked about it
orignal
A router should usually publish the R or U capability, unless the reachability state is currently unknown.
zzz
I don't have all the answers either. Sometimes implementers have to make their own decisions
orignal
so, what's right answer?
zzz
don't know
orignal
I should publish R or U according to this statement
orignal
but I don't know
orignal
if I can publish R in case of ygg, and U in case of proxy
zzz
then convene a subcommittee of i2pd devs to research the alternatives and make a recommendation
orignal
you already know my recommendation
orignal
but you disagree with it and I know your reasons
orignal
that's why I'm asking because any Java uses these caps
orignal
zzz, will you also remove G from routers with symm nat?
zzz
don't know
orignal
it's real deanon
orignal
for non-guilty user
orignal
better to decide how to publish code for symm nat
orignal
a guy might not even know about symm nat
orignal
unlike proxy or no transit
orignal
it's not his fault
eyedeekay
Re: Yggdrasil, my understanding is that yggdrasil routers are reachable to other yggdrasil routers, and that yggdrasil is an IPv6 overlay, fulfilling the "reachable on any" requirement of the specification, so it makes sense from that POV to publish R, and the routers who can't talk to the yggdrasil routers have to learn to avoid them
orignal
eyedeekay, theoretically yes
orignal
however Java doesn't recognize ygg as transport
eyedeekay
That seems like an us problem, if we don't support the transport we need to avoid the routers with ygg addresses
orignal
or drop such routers as malformed
orignal
that's why I'm trying to avoid