IRCaBot 2.1.0
GPLv3 © acetone, 2021-2022
#ls2
/2022/01/17
zzz 0) Hi
zzz whats on the list for today?
orignal as you mentioned
zzz ok that's 1)
zzz anything else for the list?
eyedeekay Maybe roughtime if that's in-scope
orignal nothing
orignal from me
orignal telegram is Germany, but that's offtopic
eyedeekay Or rather, time synchronization issues on Whonix
zzz 1) SSU2
zzz as promised, I went through the proposal and made a list of what's done and what isn't
orignal as promised I started with coding
zzz I also split the todo list into "phase 1" and "phase 2"
zzz where phase 1 is just the basic stuff needed to pass data
zzz as you can see, we're pretty much done with the phase 1
zzz and we've been stuck here since about mid-october
zzz so we have a couple of choices
orignal I've started from session establishment
orignal it's clear 3 messages
zzz a) finish up the phase 1 spec and start coding and testing;
orignal the question
zzz or b) finish up the whole spec first
orignal what do we use instead AES?
zzz look for "header decryption"
zzz its chacha
orignal so we can't reuse NTCP2 code
orignal that's what I mean
orignal because chacha instead of AES
zzz yes
orignal that's fine
orignal just didn't want to duplicate the code
zzz the only thing really missing from phase 1 is "header protection keys" which is just some HKDF, easy
orignal HKDF is not easy
orignal because it requires some params
zzz straightforward I mean
orignal zerokey?
orignal or what?
zzz I'll work on it for next week
zzz I don't have the answer today
orignal fine
zzz so, do we want to spend our time coding phase 1, or working on the spec for phase 2?
zzz or both at once?
orignal I would finish phase 1 first
eyedeekay I'm probably going to learn more from trying to code at this point
orignal to establish shared key
zzz we have the split() defined that creates k_ab and k_ba; we just need another HKDF after that for the header protection keys
zzz I agree, let's do some coding
zzz it's a lot easier to keep everything in my head once I have some code
dr|z3d sure, and if finishing phase one first means you can start testing, all the better.
zzz so, how long to have something to test? 1 month? 2 months? not a promise, just a target
eyedeekay For me, longer is better so 2 months. This is way bigger than anything else I've tried so far
orignal sorry got disconnected
zzz eyedeekay, I still think you'd be better off coding NTCP2 first. it's similar yet simpler, and you have working routers out there to test against
zzz orignal, how long to have something to test? 1 month? 2 months? not a promise, just a target
eyedeekay Well I probably won't stop trying to do NTCP2 as well, figure I'll have more to talk about in SSU2 meetings if I try to follow along though
orignal test what? phase 1?
zzz yes
orignal I'm going to finish in couple weeks
zzz does that include unit testing with your code at both ends?
zzz or coding only?
orignal I will be able to start testing after couple weeks
orignal ofc I will try both sides first
zzz ok. I don't think I can go that fast, especially because I'm doing other things too
orignal also I need to do it properly
orignal if no response to SessionCreate I should try again
orignal not a problem
zzz I'm thinking 3-4 weeks to code, 2-3 weeks to test on my own, total 5-7 weeks before I might be ready to test with others
orignal good plan
zzz there's a section "handshake retransmission"
orignal yes, I know
orignal I just don't do it now for SSU1
orignal so it should be more complicated than NTCP2
zzz your question "should I try again" was about SSU1 ??
zzz or it wasn't a question at all...
zzz or was it about NTCP2?
orignal I'm just telling what needs to be done
orignal for NTCP2 you let TCP/IP do it
orignal as I said for SSU1 I don't care
orignal and should do it properly in SSU2
zzz right
orignal that's what I'm working on now
zzz welcome mrt
mrt ru talking 'bout freenet?
zzz ok, so for next week I'll hopefully have the header protection keys KDFs done
zzz and I'll start to think about coding. It may take me 2 weeks just to decide how to start :)
zzz anything else on 1) ?
mrt damn connection errors...
mrt what is ls2?
eyedeekay LeaseSet2, mrt this is a meeting
mrt bout what, if im allowed to ask?
eyedeekay I2P router development
zzz2 back
zzz2 welcome mrt
zzz2 ok, so for next week I'll hopefully have the header protection keys KDFs done
zzz2 and I'll start to think about coding. It may take me 2 weeks just to decide how to start :)
zzz2 anything else on 1) ?
mrt so i2p has this SSU storage system to?
eyedeekay You're thinking SSK, totally different thing
mrt like freenet?
mrt or is it just sth with the same name?
eyedeekay Nothing from me zzz
mrt oh SSK was it, my memory for those terms isnt the best, thanks for explaining!
eyedeekay you're welcome, no problem
zzz2 2) roughtime
eyedeekay OK so this actually came up this morning: i2pgit.org/i2p-hackers/i2p.i2p/-/issues/344
mrt ah i remember SSU is the i2p protocol over UDP and NTCP the one over TCP, and now you just switched to version 2 of them i read somewhere i guess
eyedeekay On Whonix, we're no longer able to talk to NTP servers, and this prevents them from being able to connect to the network
eyedeekay This is because the traffic from the whole system is transparently proxied through Tor and NTP is UDP
mrt i am only very happy to notice that the throughput of i2p seems to be much better than before, but maybe can also result in more peers with better internet connection or so
orignal why can't you?
eyedeekay Also they want to avoid MITM attacks which NTP is vulnerable to
orignal so what's your proposal?
mrt i have great admiration for you folks coding bringing such a great project to life, keep up the good work and dont let me disturb your meeting (sry)
orignal to solve this timestamp problem
eyedeekay Well I don't know yet. zzz had mentioned roughtime in the past, which is one good solution, but I'm not sure it will work for Whonix
orignal what is roughtime?
zzz2 if whonix is going to block NTP, it's whonix's problem to make sure the container has the right time
zzz2 roughtime fixes the NTP problems, it uses merkle trees to sign the responses
eyedeekay Do we contact NTP every time? I've only been looking it over since this morning and it seems like we do.
zzz2 unfortunately, the roughtime spec keeps changing, and the test servers out there don't support the latest spec
zzz2 what do you mean "every time" ? every what?
eyedeekay If so, we might need to create an option for them to trust the system clock which would be set by `sdwdate` which uses onion servers with TLS certificates
eyedeekay Every time we start the router, every time it boots up
zzz2 yes, plus periodically thereafter
zzz2 doesn't whonix do sdwdate for you?
eyedeekay yeah they run it at a random time every hour to set the clock
orignal i2pd doesn't do it at all
zzz2 so then we don't need to do anything
orignal unless it's specified explicitly
orignal is there an NTP-like service over TCP/IP?
zzz2 we need to have a good clock. we don't need for NTP to work
orignal btw, why 30 seconds only?
eyedeekay Hmm. OK I'll have to spend some more time on it, the report says that they're completely unable to connect but perhaps there is another reason
orignal clock skew is most popular trouble, you know?
zzz2 the reseeds all failed, because DNS failed or is blocked
zzz2 30 seconds only for what?
orignal clock
orignal you check timestamp for 30 seconds only
zzz2 I think we'll accept a skew of +/- 60 seconds in SSU and NTCP2
orignal will check
eyedeekay They got through to incognet the first time, but it must be something screwy on their side though
orignal but what not 10 minutes or even hour?
zzz2 orignal, because there's a lot of expiration timestamps in messages. if your clock is way off, then all the messages will either be expired or in the future
orignal let me explain the problem
orignal mobile users usually use network time
orignal and sometimes it's not precise
orignal clock skew might be a few minutes
zzz2 so use NTP or some other way to get the time
orignal yes, that's what I suggest
orignal to turn on NTP sync in i2pd.conf
zzz2 one TCP solution: Get the time from the server Date header when reseeding
zzz2 we do that and use it as a fallback
orignal we discussed it
orignal how about next start?
zzz2 another fallback: take the time from the first peer you connect to, hope he's not lying
orignal sometimes first peer just closes connection
zzz2 I don't think we save the skew, so same thing every start
orignal and not send SessionCreated back
orignal but no reseed for next start
zzz2 yeah I forget if we send a reason code or how exactly that works
orignal do we?
zzz2 don't remember
orignal let me check
orignal I'm not sure I do it
orignal if not I will fix
orignal but anyway
orignal if you receive termination with clock skew
orignal how could it help?
zzz2 you could go do NTP then
zzz2 if you don't want to enable it for everybody
orignal NTP is not a good idea for mobile users
orignal but please explain what I'm supposed to do in NTCP2 if I receive SessionRequest with wrong timestamp?
zzz2 eyedeekay, bottom line, java I2P inside whonix probably doesn't work, java I2P over Tor probably doesn't work, we never said it did, and I don't think we should spend any time on it
zzz2 orignal, I'll have to research it, will let you know later
orignal thanks
orignal let me know
zzz2 will do
orignal and I will fix if necessary
zzz2 anything else for the meeting?
orignal because I close connection now
orignal we might need more mtproxies
orignal because Germany is going to block Telegram there
zzz germany is going to block telegram?
eyedeekay orignal I've got a self-deploying SAM MTProxy on the back-burner but I don't think DE blocking Telegram is anything more than empty saber-rattling
mrt yea, germany is all in fear for anti-corona-idiots and is using this as excuse to fight against free internet ;(
mrt *fear of
zzz sounds unlikely to me too
orignal eyedeekay it's not about Germany only
eyedeekay I agree
orignal we have this infrastructure from the days when Putin tried to block Telegram
mrt i was much surprised when i had to search new non filtered dns servers after newyear, somehow my ccc dns is gone...
eyedeekay Hence the SAM MTProto proxy, I think more need to exist, I'm just not sure this Germany thing is terribly credible
orignal so if German government or other monkeys decided to go this way
orignal we should be ready
mrt isnt telegram a Russian invention?
orignal it is
orignal USSR invasion )))
orignal revenge
mrt its pretty harmless imho if its only a non-governmentally ordered alliance of ISPs that do stuff right now just through filtering their official DNSs but its one step in the wrong direction
orignal that's why people should use i2p
orignal to not depend on such monkeys
orignal from governments
RN_ heheh monkeys
eyedeekay Working on it over here though > github.com/eyedeekay/mtg-i2p after I deal with a couple extant bugs it'll just be something we can stick in a plugin or a service
orignal eyedeekay do you have a working mtproxy over i2p?
orignal we can add it to telegram.i2p
eyedeekay Not off my laptop yet, as soon as I put one on some real hardware I'll let you know
mrt politicians like the now called Zensursula (Ursula von der Leyen) tried to do that by law, arguing with child-porn-prevention and so, but now, after they didn't make it official (law was canceled shortly after) they just make it non-governmental so that all major ISPs are blocking stuff
orignal I mean with 24/7 uptime
mrt i would like to see a list what exactly is blocked at all ...
eyedeekay mrt if they told you you could find it lol
eyedeekay ack orignal, will let you know as soon as I've got one ready
orignal thanks
mrt btw, if youre talking bout telegram, do you know a way to get an account without a phonenumber?
orignal usually i2p address and port is necessary
orignal and auth key
mrt eyedeekay, ??
orignal mrt use one-time sms
orignal there are bunch of services
eyedeekay The only way I know is to get a phonenumber through something that's not a phone, there are a bunch of throwaway SMS out there, you'll need to try a few
mrt btw, can someone give me a hint how to stop firefox from starting a websearch for an .i2p domain i enter without in front of?
eyedeekay My webextension will intercept those or you can disable HTTPS-only mode in about:config
mrt is it bout https only mode or just cause firefox has a list of known TLDs where *.i2p. isnt part of?
eyedeekay Probably both, Firefox is like 1.3 million lines of C++, I don't actually know for sure
mrt i guess its the last one, otherwise it would just try to rewrite to but i am just entering sth.com and it does try to access that domain and sth.i2p and it does forward me to duckduckgo (which is the default search engine of it, but not working in i2p config)
RN turn off search in the url bar
eyedeekay RN for the win
mrt yea, there were times where i took time after all new firefox releases to review the change log and do some about:config to it so it does things like before...
mrt RN good idea, guess i do so, thx
mrt but they are much too fast for me right now
RN for convenience I re-enable the search box so you can still have that function when wanted
mrt i am still missing the old days where firefox still could do these mighty xul addons and the url bar wasnt that unreliable with all that modern things that are supposed to be smart...
RN are we still in a meeting or trending offtopic?
mrt its like t-online redirecting to its crappy search every time a DNS result should rather put out not found
eyedeekay I think clearly trending offtopic now
dr|z3d mrt, try i2pdomain.i2p/
dr|z3d note the trailing slash.
mrt and there seems to be no easy way to turn off search in the url bar...
dr|z3d I think it became a freeforall a while back, eyedeekay :)
mrt i already turned off search suggestions of course ;)
eyedeekay Yeah modern Firefox has gotten way too fancy, but XUL extensions had to die, the curation task is monumental even for the less-privileged modern extensions
mrt yea slash behind domain is a good idea but my old brain doesn't learn new habits like this easily so i guess after i have slept, its getting quite late here, ill have to dig in to the about:config docs (which are also crappy thanks mozilla) and find out how to fix that the right way
eyedeekay keyword.enabled=false
mrt yea eyedeekay , i was only really unhappy just afterwards as there were no alternative addons, right now there are mostly so its ok...
mrt ill try that, thx
mrt thanks, that worked fine eyedeekay , i once had an addon that added descriptions to the about:config settings with fulltext search...
mrt but such deep addons are forbidden right now for "security reason"
mrt people dont code right anymore, just forcing anything into their sandbox instead...
eyedeekay XUL was a chainsaw-juggling kit. It would be nice to reach into about:config directly, but there are excellent reasons to sandbox extensions
eyedeekay Even non-security ones. The fact that XUL extensions could rewrite each other I mean, +5 for flexibility but -10 for stability