Saturday, 29 June 2024

I2P over Yggdrasil: Anonymity in Mesh Networks

Hornbeam

I2P (Invisible Internet Protocol) is a free tool for organizing anonymous communications over the Internet. It is a peer-to-peer network in which every user is, by default, a potential link in the anonymous chains of other participants. I2P traffic is encrypted and cannot be analyzed. I2P has no equivalent of Tor's guard node: there is no fixed node through which the network is entered. From the home ISP's side, a user's interaction with I2P looks like chaotic connections to random hosts. For a client with a public ("white") IP the number of connections hovers around four thousand; besides the payload, this includes the exchange of service information with other routers of the network and transit traffic.

Prerequisites

A significant weakness of the I2P network is that on first launch the router must contact one of the bootstrap nodes over the regular Internet. Both the bundle containing the initial picture of the network (a handful of random routers) and the node that serves it are called a reseed. Reseed nodes are run by enthusiasts; their list is public and changes often for ordinary human reasons. The bottleneck is that the ISP can identify most reseed requests by monitoring DNS queries and can block the reseed domains, which complicates the first launch for an inexperienced user, since it then requires a proxy or VPN.

Blocking the reseed request on the provider side

Unlike on the regular Internet, I2P users without a dedicated address get a worse experience of the hidden network than subscribers with a public ("white") IP. This is due to the constant need for direct communication with other routers of the network. Each router publishes its address, which includes its encryption keys, an IP address, and a port for receiving messages. Obviously, reaching a network node that sits behind NAT is not an easy task.

Difference between a user with a dedicated IP and a user behind NAT

However, routers without a dedicated address can operate: a client behind a NAT network must constantly maintain an active UDP connection, reserving a port on the provider's output server, requests to which will be transmitted to the client. This scenario is very complex, especially when it comes to initializing a connection from the outside. The mechanics of a client behind a NAT are a work of engineering thought that deserves a separate article.

Briefly about Yggdrasil

Yggdrasil Network is one of the few working mesh network protocols. The main concept is automatic routing in the internal IPv6 subnet (200::/7) and absolute scalability. Yggdrasil is a completely peer-to-peer network: there are no "master nodes" to which any global responsibility is delegated. It is an ideological continuation of the CJDNS (Hyperboria) project.

The abstract idea of a mesh network puts performance, privacy and ease of use first: traffic is encrypted and the barrier to entry for new users is low. Yggdrasil is not an anonymity tool: the nodes closest to a user see its real network interfaces on the local network, or its IP address when it connects to a public peer over the Internet. Mesh networks are used to build pseudo-local networks that join remote computers into one IPv6 network (much like Hamachi for playing Minecraft and other multiplayer games), and to host other intranet resources such as websites and VoIP telephony.

First attempts at integration

A small note

The I2P router publishes its addresses, including IPv6, if IPv6 is enabled in the config and is actually available. Since Yggdrasil gives the user not a local proxy but a full-fledged network interface (using the TUN driver from WireGuard), until recently the I2P router simply published an IPv6 address from the Yggdrasil subnet. Because there was more than one or two users with IPv6 enabled in the I2P router configuration and Yggdrasil installed, one could periodically observe the I2P client (router) communicating with other Yggdrasil addresses.

However, the following disadvantages are obvious:

  1. access to the reseed must ultimately be done via the regular Internet;

  2. the IPv6-Yggdrasil address published by the router is unknown and unreachable for the vast majority of I2P users;

  3. a successful launch of the I2P router on a Yggdrasil-Only device is unlikely, since the reseed bundle or the local database may contain no nodes with an IPv6-Yggdrasil address at all.

Beginning of full compatibility

Since version 2.36.0, i2pd has had several new configuration parameters, the main one being meshnets.yggdrasil=true. This parameter is independent of the IPv4 and IPv6 settings; in particular, the real network interfaces can be disabled, in which case the I2P router operates in Yggdrasil-Only mode.

A special reseed is also provided, reachable from Yggdrasil, which gives the user a bundle consisting mainly of known routers with an IPv6-Yggdrasil address. Each time an I2P router running in Yggdrasil-Only mode starts, it checks its local database for nodes reachable at the transport level, i.e. other nodes with an IPv6-Yggdrasil address. If for some reason there are no compatible routers in the local database, a repeated request to the Yggdrasil reseed is made.
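As an added example (not taken from the article or from the i2pd project), the i2pd.conf fragment below shows what the Yggdrasil-Only mode just described looks like in practice. meshnets.yggdrasil=true is the parameter named above; the other keys (the global ipv4/ipv6 switches and meshnets.yggaddress) reflect the i2pd.conf layout as I know it and are an assumption to be checked against the template shipped with your i2pd build. The address value is a placeholder.

```ini
; Added example of an i2pd.conf fragment for Yggdrasil-Only mode (not the project's template).
; Global section: disable the real network interfaces so the router is reachable only
; through Yggdrasil.  These two keys are assumed from i2pd.conf, not from the article.
ipv4 = false
ipv6 = false

[meshnets]
; The parameter named in the article (i2pd 2.36.0 and later)
yggdrasil = true
; The router's own Yggdrasil address, published in its RouterInfo.  Key name assumed
; from i2pd.conf; the value is a placeholder, use the address reported by
; "yggdrasilctl getSelf" on the same host.
yggaddress = 300:XXXX:XXXX:XXXX::1
```

With both real interfaces disabled, the router has only a Yggdrasil-family address to publish, so the startup check described above (are there transport-compatible routers in the local database?) is what decides whether the Yggdrasil reseed is contacted.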

With Yggdrasil used today mostly through overlay connections to public peers over the Internet, the I2P router in Yggdrasil works like a “Tor-over-VPN” setup: it completely hides the fact that you are using a hidden network from your home ISP. In the case of I2P, there is another specific advantage: the user does not need to have a dedicated IP from the ISP to seamlessly access external connections, since IPv6-Yggdrasil is globally accessible within the Yggdrasil network segment (a physically connected group of participants, including through public peers on the Internet).

Network Integrity

The solution described does not fragment I2P. Building hidden-network tunnels is a very involved and even delicate process that includes coordinating the nodes' transport capabilities. When forming a "garlic" (an encrypted message to the group of nodes that are to form a tunnel), the router checks their addresses for compatibility. For example, a node with only an IPv4 address will never receive an instruction to establish contact with an IPv6 address, since that is obviously impossible.

In order for a Yggdrasil-Only router to build a tunnel to a node with an address on the regular Internet, at least one transit router with two interfaces will be selected: IPv6-Yggdrasil and, for example, regular IPv4. In turn, other Yggdrasil-Only routers can also act as transit links in the tunnel, but only for communication with nodes that are transport-compatible, i.e. that also have a Yggdrasil network interface. The more routers in the I2P network with IPv4, IPv6 and Yggdrasil interfaces enabled at the same time, the better connected the network.
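As an added illustration of the compatibility check described in this section (this is not code from i2pd; router names and addresses are constructed sample data), the Python below classifies each published address by transport family, treating 200::/7 as Yggdrasil, and then searches for a tunnel chain in which every adjacent pair of hops shares a transport. It generalizes the article's single case (Yggdrasil-Only origin, IPv4 destination, one dual-stack bridge) to any mix of transports.

```python
"""Transport-compatibility check for I2P tunnel peer selection.

Added example, not i2pd code.  A router must never be asked to contact the next
hop over a transport it does not have, so adjacent hops need a common transport.
All router names and addresses below are constructed sample data.
"""
import ipaddress
from collections import deque
from dataclasses import dataclass

# Yggdrasil allocates its overlay addresses from 200::/7 (as the article states).
YGG_NET = ipaddress.ip_network("200::/7")


def classify(addr: str) -> str:
    """Map one published address to a transport family: ipv4, ipv6 (clearnet) or ygg."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return "ipv4"
    return "ygg" if ip in YGG_NET else "ipv6"


@dataclass(frozen=True)
class RouterInfo:
    """Minimal stand-in for a published RouterInfo: a name and its reachable addresses."""
    name: str
    addresses: tuple

    @property
    def transports(self) -> frozenset:
        return frozenset(classify(a) for a in self.addresses)


def compatible(a: RouterInfo, b: RouterInfo) -> bool:
    """Two routers can be adjacent hops only if they share at least one transport."""
    return bool(a.transports & b.transports)


def plan_tunnel(origin, destination, candidates, max_transit=3):
    """Breadth-first search for the shortest chain origin -> transit... -> destination
    in which every adjacent pair is transport-compatible.  Returns the router names
    in order, or None when no compatible chain exists within max_transit hops."""
    queue = deque([(origin, [origin.name])])
    seen = {origin.name}
    while queue:
        node, path = queue.popleft()
        if compatible(node, destination):
            return path + [destination.name]
        if len(path) - 1 >= max_transit:
            continue
        for cand in candidates:
            if cand.name not in seen and compatible(node, cand):
                seen.add(cand.name)
                queue.append((cand, path + [cand.name]))
    return None


# Constructed sample routers (TEST-NET / documentation ranges, made-up Yggdrasil hosts).
ME = RouterInfo("ygg-only-me", ("300:1234:5678::1",))           # Yggdrasil-Only origin
BRIDGE = RouterInfo("bridge", ("203.0.113.10", "301:abcd::2"))  # IPv4 + Yggdrasil
V4ONLY = RouterInfo("clearnet-v4", ("198.51.100.7",))
V6ONLY = RouterInfo("clearnet-v6", ("2001:db8::7",))            # clearnet IPv6, not Yggdrasil
YGG2 = RouterInfo("ygg-only-peer", ("302:dead:beef::3",))
CANDIDATES = [YGG2, V4ONLY, BRIDGE]

if __name__ == "__main__":
    print("to IPv4-only peer:", plan_tunnel(ME, V4ONLY, CANDIDATES))
    print("to Yggdrasil peer:", plan_tunnel(ME, YGG2, CANDIDATES))
    print("to IPv6 peer without a bridge:", plan_tunnel(ME, V6ONLY, [YGG2, V4ONLY]))
```

A Yggdrasil-Only origin reaching an IPv4-only peer gets routed through the dual-stack bridge, a Yggdrasil peer is reachable directly, and a candidate set without any bridge yields no chain at all; that last case is exactly why the section ends by asking for more routers with several interfaces enabled at once.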

Connecting to I2P via Yggdrasil

Perspective

The Yggdrasil example is one particular step into the future, not an end in itself. The described experience of successfully integrating a hidden network into a mesh network is an important conceptual step, which, if needed, will allow the I2P network to be integrated into other mesh networks. The prospect becomes visible when considering self-organized segments of a mesh network, for example in apartment buildings without a centralized provider. On a local network, the Yggdrasil client automatically finds other nodes and communicates with them, acting as a transit node itself when necessary. As soon as at least one node of such a segment connects to another network segment (for example, to the global one via the Internet), the networks are automatically joined. This approach to network organization has become even more realistic now that the familiar Internet also has a second side: the hidden one.


For a more detailed acquaintance with the technologies mentioned, I recommend the articles about I2P and about Yggdrasil.
