Is this a security issue that leaks src_ip?

I2P router issues
bwdcal
Posts: 53
Joined: 07 Jan 2023 13:41

Is this a security issue that leaks src_ip?

Post by bwdcal »

The traffic in and out of i2p is two-way, so.

src send data to dest:
src_ip -> out_ip1 -> out_ip2 -> out_ip3 -> dest_ip

then, dest reply data to src:
dest_ip -> out_ip4 -> out_ip5 -> out_ip6 -> src_ip

Therefore, dest_ip needs to know src_ip in order to send back data through another link.

But in tor, src and dest are a duplex link, i.e.
src_ip <=> out_ip1 <=> out_ip2 <=> out_ip3 <=> dest_ip
Therefore, dest does not need to know the identity of src.

Is this a i2p security issue that leaks src_ip? I.e., dest can know the identity of src.

I hope i2p developers will create some technical ppt material to share, it is easier to understand the details of how i2p works than reading technical material.

Sincere thanks.
>>o<<
echelon
Posts: 261
Joined: 10 Feb 2018 13:36

Re: Is this a security issue that leaks src_ip?

Post by echelon »

HI

ANY connection in TCP/IP do have a source and destination address, so you see the source and destination on every connection/package you send, be it I2P, Tor, clearnet, Freenet, or anything.
Every data you send from your client has a destination IP address and your IP address as sender noted,
But the content of the data maybe unknown or encrypted, like in I2P, Tor, https,...
Still the IP adresses are known.

I2P and Tor are mixed routers which do add 2,3,4,5... IP addresses in between, which makes it rather hard to follow the complete way from source to target (and back).
BUT if all the nodes do work together, thats still possible, may it be Tor or I2P.

No real security leak for I2P.
Lets see it this way:
In Tor you do have 6 Nodes in between soruce/target. in I2P you have 12 nodes in between (roundtrip). It seems more unlikely to have 12 nodes in control of one person that 6, doesn't it?
Also the numbers of nodes in Tor available for tunnel building is far less than in I2P.

It is not as easy as you wrote, but none system is 100% safe.

Oh, just read it again and no, dest IP does not need src IP in I2P, just the I2P destination address, which is NOT bound fixed to a IP address.
Every I2P package has a sender destiantion ID (64bit public key) send with the content as receiver, and this one is published with the IN tunnel into NetDB. Tunnel will change every 10 min with different participants, though.

echelon
bwdcal
Posts: 53
Joined: 07 Jan 2023 13:41

Re: Is this a security issue that leaks src_ip?

Post by bwdcal »

echelon wrote: 12 Jan 2023 14:54 HI

ANY connection in TCP/IP do have a source and destination address, so you see the source and destination on every connection/package you send, be it I2P, Tor, clearnet, Freenet, or anything.
Every data you send from your client has a destination IP address and your IP address as sender noted,
But the content of the data maybe unknown or encrypted, like in I2P, Tor, https,...
Still the IP adresses are known.

I2P and Tor are mixed routers which do add 2,3,4,5... IP addresses in between, which makes it rather hard to follow the complete way from source to target (and back).
BUT if all the nodes do work together, thats still possible, may it be Tor or I2P.

No real security leak for I2P.
Lets see it this way:
In Tor you do have 6 Nodes in between soruce/target. in I2P you have 12 nodes in between (roundtrip). It seems more unlikely to have 12 nodes in control of one person that 6, doesn't it?
Also the numbers of nodes in Tor available for tunnel building is far less than in I2P.

It is not as easy as you wrote, but none system is 100% safe.

Oh, just read it again and no, dest IP does not need src IP in I2P, just the I2P destination address, which is NOT bound fixed to a IP address.
Every I2P package has a sender destiantion ID (64bit public key) send with the content as receiver, and this one is published with the IN tunnel into NetDB. Tunnel will change every 10 min with different participants, though.

echelon

Hello friend, thank you for such a detailed answer.

Yes, you understand correctly, the ip I mentioned, in the i2p network is the node hash (unique identifier of the node).

Step 1.
Let's imagine the following scenario, I run an i2p website node A and send the connection to user B and direct user B to my website. Therefore, I can get the identity hash of user B (because i2p needs to know the hash in order to send back data).

Step 2.
Then, I run a long term node C within the i2p network, which is able to collect node hash and ip data (i.e. netdb or seed) from many nodes within the network.

Then I use the identity hash from step 1 and the data match from step 2, will I be able to find out the real ip of user B?

Also, I noticed that your mention of i2p automatically switching outbound inbound tunnels periodically doesn't seem to solve this risk. And of course, as you said, tor seems to have a similar risk.

Not knowing the technical details of how i2p works, the above is just a speculation. I hope to talk to you to learn more about i2p experience.

Sincerely appreciate it.
>>o<<
echelon
Posts: 261
Joined: 10 Feb 2018 13:36

Re: Is this a security issue that leaks src_ip?

Post by echelon »

Hi

Sure, everyone can collect IP data from I2P nodes, from Tor nodes, from freenode nodes.
Also IF you own a IP, you may collect all data going through your node.
Nothing stops this, no technical way to prevent this. Thats the internet.

Also, if a destination address is long term, some guessing could be done to get the IP of this service, due to time based data collection.
Multi homing does reduce this risk by a lot, but does not reduce it to zero.
Same with Tor, freenet,.. all other tools.

Your missing point: the intermediant nodes does NOT see the destination hash of the server. They always do only see the next hop.
Only the last/first hop of a tunnel does know the server/client.
Server/Client do built up tunnels and in tunnel startpoint there is a marker "all data for destination xyzabc please use this tunnel".

You should read the specs and howto on geti2p.net

echelon
bwdcal
Posts: 53
Joined: 07 Jan 2023 13:41

Re: Is this a security issue that leaks src_ip?

Post by bwdcal »

echelon wrote: 13 Jan 2023 07:15 Hi

Sure, everyone can collect IP data from I2P nodes, from Tor nodes, from freenode nodes.
Also IF you own a IP, you may collect all data going through your node.
Nothing stops this, no technical way to prevent this. Thats the internet.

Also, if a destination address is long term, some guessing could be done to get the IP of this service, due to time based data collection.
Multi homing does reduce this risk by a lot, but does not reduce it to zero.
Same with Tor, freenet,.. all other tools.

Your missing point: the intermediant nodes does NOT see the destination hash of the server. They always do only see the next hop.
Only the last/first hop of a tunnel does know the server/client.
Server/Client do built up tunnels and in tunnel startpoint there is a marker "all data for destination xyzabc please use this tunnel".

You should read the specs and howto on geti2p.net

echelon
Yes, as per what you said, I understood it correctly.

I mean exactly the last node knows the target site address, and the target client's hash. so, being able to use this, the target user's hash is collected. then using the hash/ip data collected in step 2. It is possible to de-anonymize a specific target client user.

I also know that there is no perfect system, but the pursuit of perfection is, I think, the ideal of every technical person.

Sincerely thank you for your answer. Happy working.
>>o<<
echelon
Posts: 261
Joined: 10 Feb 2018 13:36

Re: Is this a security issue that leaks src_ip?

Post by echelon »

Hi

the last node does NOT know the server destination address. Just the tunnel ID and the IP. Nothing more.
Only the FIRST hop of tunnel does know the destination address and the next hop, but not the last hop, neither if nexxt hop is last hop, nor if previous hop was the client.

echelon
bwdcal
Posts: 53
Joined: 07 Jan 2023 13:41

Re: Is this a security issue that leaks src_ip?

Post by bwdcal »

echelon wrote: 13 Jan 2023 08:18 Hi

the last node does NOT know the server destination address. Just the tunnel ID and the IP. Nothing more.
Only the FIRST hop of tunnel does know the destination address and the next hop, but not the last hop, neither if nexxt hop is last hop, nor if previous hop was the client.

echelon
If the last node does not know the client's hash, how does i2p send back data, through another tunnel?

I see in i2p's documentation that it is written that outbound and inbound, are transmitting data through different tunnels.

Can you draw a flowchart showing the data delivery process and node information?
>>o<<
bwdcal
Posts: 53
Joined: 07 Jan 2023 13:41

Re: Is this a security issue that leaks src_ip?

Post by bwdcal »

echelon wrote: 13 Jan 2023 08:18 Hi

the last node does NOT know the server destination address. Just the tunnel ID and the IP. Nothing more.
Only the FIRST hop of tunnel does know the destination address and the next hop, but not the last hop, neither if nexxt hop is last hop, nor if previous hop was the client.

echelon
hi, i have draw a follow graph as bellow.

Image

Either server or node4, as long as one of them can get the client hash, it will satisfy what I wrote in step1. Then you can use the method in step2 to de-anonymize a specific client.
>>o<<
echelon
Posts: 261
Joined: 10 Feb 2018 13:36

Re: Is this a security issue that leaks src_ip?

Post by echelon »

Hi

No, that graph is wrong, as you did miss a complete half of the tunnels.
See geti2p.net docs.
https://geti2p.net/en/about/performance
https://geti2p.net/en/docs/how/tunnel-routing

Client - OUTtunnel - OUTTunnelGateway - INTunnelGateway - INTunnel - Server - Outtunnel2 - OUTTunnelGateway2 - INTunnelGateway2 - INTunnel2 -client.
Each tunnel by default 3 hops, amkes it 12 hops/12 different I2P nodes, 12 different IPs in a roundtrip.
Each tunnel rebuild every 10 min.
Client/server build the adjectant IN/OUT tunnel out of their known peers, which should be mostly disjunct.

Also, the client destination is not stable, each service has a own client destination (return) ID, and this change every I2P restart, except user explicit save it to disk.
Which makes attacks harder, as destination is short lived.

Only servers like i2pforum.i2p or alike do have stable destination IDs by default.

echelon
bwdcal
Posts: 53
Joined: 07 Jan 2023 13:41

Re: Is this a security issue that leaks src_ip?

Post by bwdcal »

echelon wrote: 13 Jan 2023 09:04 Hi

No, that graph is wrong, as you did miss a complete half of the tunnels.
See geti2p.net docs.
https://geti2p.net/en/about/performance
https://geti2p.net/en/docs/how/tunnel-routing

Client - OUTtunnel - OUTTunnelGateway - INTunnelGateway - INTunnel - Server - Outtunnel2 - OUTTunnelGateway2 - INTunnelGateway2 - INTunnel2 -client.
Each tunnel by default 3 hops, amkes it 12 hops/12 different I2P nodes, 12 different IPs in a roundtrip.
Each tunnel rebuild every 10 min.
Client/server build the adjectant IN/OUT tunnel out of their known peers, which should be mostly disjunct.

Also, the client destination is not stable, each service has a own client destination (return) ID, and this change every I2P restart, except user explicit save it to disk.
Which makes attacks harder, as destination is short lived.

Only servers like i2pforum.i2p or alike do have stable destination IDs by default.

echelon
Yes, I know what you are talking about, my flowchart is just a schematic and simplified data sending pattern. The nodes in the diagram can also be interpreted as i2p tunnels or gateway tunnels. But this does not affect my idea of decentralization for a specific user.

You mentioned the client hash change per boot, which is indeed a good mitigation that can greatly protect and make de-anonymization difficult. But essentially, the risk still seems to be there.

This is a very interesting discussion, thanks for sharing. I hope the i2p team will write and share more technical ppt material.
>>o<<
Post Reply