Usenet peering over Tor

<t60624$94k$1@dont-email.me>

https://www.novabbs.com/computers/article-flat.php?id=771&group=news.software.nntp#771
Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: jsev...@mailfence.com (Jason Evans)
Newsgroups: news.software.nntp
Subject: Usenet peering over Tor
Date: Tue, 17 May 2022 14:56:35 +0200
Organization: A noiseless patient Spider
Lines: 17
Message-ID: <t60624$94k$1@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7Bit
Injection-Date: Tue, 17 May 2022 12:56:36 -0000 (UTC)
Injection-Info: reader02.eternal-september.org; posting-host="6de42c1e7e73eae8634f53cef7d70b63";
logging-data="9364"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX185aWY/SPPw9+Or9BRWcjTN"
User-Agent: KNode/4.14.10
Cancel-Lock: sha1:HLiLR11Hi401uXdOlvkYnihbuhs=
 by: Jason Evans - Tue, 17 May 2022 12:56 UTC

Hi all,

First of all, I know that there have been some usenet servers that offer read-
only access to groups via a Tor onion service and that's not what I'm writing
about today.

I would like to know if anyone here has been experimenting with server to
server peering over Tor.

From my experience with running Tor onion services, it's quite easy to set up a
server that can receive traffic over Tor. However sending traffic over Tor is
another issue. It requires either setting up system proxies for outgoing
traffic or wrapping the INN binaries in the torsocks application.

If you've been working on this or are interested in working on this, please
reply or shoot me an email.

Jason

Re: Usenet peering over Tor

<t60a3t$6n5$1@txtcon.i2p>

https://www.novabbs.com/computers/article-flat.php?id=772&group=news.software.nntp#772
Path: i2pn2.org!rocksolid2!txtcon.i2p!.POSTED.127.163.152.53!not-for-mail
From: inva...@invalid.invalid (Miner)
Newsgroups: news.software.nntp
Subject: Re: Usenet peering over Tor
Date: Tue, 17 May 2022 14:05:50 -0000 (UTC)
Organization: TxtCon.I2P
Message-ID: <t60a3t$6n5$1@txtcon.i2p>
References: <t60624$94k$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
Injection-Date: Tue, 17 May 2022 14:05:50 -0000 (UTC)
Injection-Info: txtcon.i2p; posting-account="miner"; posting-host="127.163.152.53";
logging-data="6885"; mail-complaints-to="txtcon@i2pmail.org"
 by: Miner - Tue, 17 May 2022 14:05 UTC

Jason Evans wrote:

> I would like to know if anyone here has been experimenting with
> server to server peering over Tor.
>
> If you've been working on this or are interested in working on
> this, please reply or shoot me an email.

Peering over Tor requires additional tricks. Peering over I2P
works great (without tricks).

--
Miner

Re: Usenet peering over Tor

<04d569cad213f99655ed8364caeb11b7@news.novabbs.org>

https://www.novabbs.com/computers/article-flat.php?id=774&group=news.software.nntp#774
Path: i2pn2.org!.POSTED.novabbs-org!not-for-mail
From: retro....@rocksolidbbs.com (Retro Guy)
Newsgroups: news.software.nntp
Subject: Re: Usenet peering over Tor
Date: Wed, 18 May 2022 09:12:42 +0000
Organization: Rocksolid Light
Message-ID: <04d569cad213f99655ed8364caeb11b7@news.novabbs.org>
References: <t60624$94k$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Info: i2pn2.org; posting-account="novabbs.org"; posting-host="novabbs-org:10.136.143.187";
logging-data="19613"; mail-complaints-to="usenet@i2pn2.org"
User-Agent: Rocksolid Light (www.novabbs.com/getrslight)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on novabbs.org
X-Rslight-Site: $2y$10$WW9tyvCSs7na4cOMU0F7qOu9vyo6bDKiYOmH4VcxFadzp4yuFeZcK
X-Rslight-Posting-User: 91053d4a47d51b416144568e5a1040f05e31ed1b
 by: Retro Guy - Wed, 18 May 2022 09:12 UTC

Jason Evans wrote:

> I would like to know if anyone here has been experimenting with server to
> server peering over Tor.

> From my experience with running Tor onion services, it's quite easy to set up a
> server that can receive traffic over Tor. However sending traffic over Tor is
> another issue. It requires either setting up system proxies for outgoing
> traffic or wrapping the INN binaries in the torsocks application.

> If you've been working on this or are interested in working on this, please
> reply or shoot me an email.

I have done this and it works fine. My previous partner in this project (rocksolid), trw, wrote a script to handle peering over tor and it works well. I'll post the script below. If you want to test, I'll be happy to test with you. Again, credit to trw for the script.

#!/bin/bash

# wrapper script for socat
# if socat crashes, which it likes to do, we wait for 120 s and then restart the command
# waiting is necessary because the port used by socat is not immediately freed after the crash
# edit the variables below to control the behaviour of the socat command

localport="50119"
# the local port you want socat to listen on
bindip="127.0.0.1"
# the local address socat listens on; loopback, so only this host (e.g. innfeed) can reach the forwarder
# (without bind= socat listens on all interfaces, and any host that can reach the port is forwarded to the peer)
proxyport="9050"
# the port of the proxy used (tor socks proxy)
proxyip="127.0.0.1"
# the ip on which the proxy is running
onion="localonionaddress.onion"
# the onion address of the hidden service you want to connect to
onionport="119"
# the port of the hidden service you want to connect to

while true
# enter eternal loop here
do
socat TCP4-LISTEN:"$localport",bind="$bindip",reuseaddr,fork SOCKS4A:"$proxyip":"$onion":"$onionport",socksport="$proxyport"
sleep 120
done
exit 0
# this line should never be reached, but just in case we close properly

--
Retro Guy

Re: Usenet peering over Tor

<t66519$ap6$1@dont-email.me>

https://www.novabbs.com/computers/article-flat.php?id=777&group=news.software.nntp#777
Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: jsev...@big-8.org (Jason Evans)
Newsgroups: news.software.nntp
Subject: Re: Usenet peering over Tor
Date: Thu, 19 May 2022 19:15:53 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 17
Message-ID: <t66519$ap6$1@dont-email.me>
References: <t60624$94k$1@dont-email.me>
<04d569cad213f99655ed8364caeb11b7@news.novabbs.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Injection-Date: Thu, 19 May 2022 19:15:53 -0000 (UTC)
Injection-Info: reader02.eternal-september.org; posting-host="71a3177e48a329cab2c1d241985bfdcb";
logging-data="11046"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1+2pCwfHStW50BSLBubk4+3"
User-Agent: Pan/0.149 (Bellevue; 4c157ba git@gitlab.gnome.org:GNOME/pan.git)
Cancel-Lock: sha1:UfAs9pCpOdRrRPrWjK5h+IUOo1s=
 by: Jason Evans - Thu, 19 May 2022 19:15 UTC

On Wed, 18 May 2022 09:12:42 +0000, Retro Guy wrote:

> I have done this and it works fine. My previous partner in this project
> (rocksolid), trw, wrote a script to handle peering over tor and it works
> well. I'll post the script below. If you want to test, I'll be happy to
> test with you. Again, credit to trw for the script.

Hi Retro Guy,

Thanks for the script, I will look into this. I'll first try to establish
a connection between two VMs and then I may come back to you about peering
if everything works.

I wonder if creating a system service (e.g. systemd) would be more
beneficial than just having a bash script running in the background.

Jason

Re: Usenet peering over Tor

<f8ace85abd37517692c81f8dfd9cc41e@news.novabbs.org>

https://www.novabbs.com/computers/article-flat.php?id=778&group=news.software.nntp#778
Path: i2pn2.org!.POSTED.novabbs-org!not-for-mail
From: retro....@rocksolidbbs.com (Retro Guy)
Newsgroups: news.software.nntp
Subject: Re: Usenet peering over Tor
Date: Fri, 20 May 2022 07:06:46 +0000
Organization: Rocksolid Light
Message-ID: <f8ace85abd37517692c81f8dfd9cc41e@news.novabbs.org>
References: <t60624$94k$1@dont-email.me> <04d569cad213f99655ed8364caeb11b7@news.novabbs.org> <t66519$ap6$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Info: i2pn2.org; posting-account="novabbs.org"; posting-host="novabbs-org:10.136.143.187";
logging-data="2179"; mail-complaints-to="usenet@i2pn2.org"
User-Agent: Rocksolid Light (www.novabbs.com/getrslight)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on novabbs.org
X-Rslight-Site: $2y$10$ARuh1Vp8GL9AyDuTRzLdYuLQufdumLCtYV.nX8u7IABZ5NHlN8p5u
X-Rslight-Posting-User: 91053d4a47d51b416144568e5a1040f05e31ed1b
 by: Retro Guy - Fri, 20 May 2022 07:06 UTC

Jason Evans wrote:

> On Wed, 18 May 2022 09:12:42 +0000, Retro Guy wrote:

>> I have done this and it works fine. My previous partner in this project
>> (rocksolid), trw, wrote a script to handle peering over tor and it works
>> well. I'll post the script below. If you want to test, I'll be happy to
>> test with you. Again, credit to trw for the script.

> Hi Retro Guy,

> Thanks for the script, I will look into this. I'll first try to establish
> a connection between two VMs and then I may come back to you about peering
> if everything works.

Anytime. While I do peer with several peers over i2p, I only peer between two
of my own servers with tor, but it works fine.

Feel free to just try running the script and pointing it to:
zkcvkb5xprurx5dvpanhyivneuzah6k6xayxgxd4h2ekklxgoi2x5aad.onion port 119

Then just telnet to the local port you set and you should hit one of my
inn2 servers (rocksolid2) via tor.

> I wonder if creating a system service (e.g. systemd) would be more
> beneficial than just having a bash script running in the background.

I don't see why that wouldn't work. You are just trying to proxy your connection
through a socks proxy (tor), so there are probably a few ways to do that.

trw, who wrote the script, is a bash master so that's how he chose to get the
job done. I've seen him slap out chans using just bash, so quite impressive to me.

--
Retro Guy
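Taking up Jason's systemd question, here is an added example (not trw's script from this thread, and not part of INN, socat or Tor) that renders the same socat forwarder as a systemd unit, so systemd does the "wait 120 s and restart" instead of a bash loop; it also checks the shape of a v3 onion address and binds the listener to loopback only. Assumptions: socat lives at /usr/bin/socat, Tor runs as tor.service with its SOCKS port on 127.0.0.1:9050, and the unit name nntp-tor-peer.service is hypothetical.

```shell
#!/bin/sh
# Added example: socat-over-Tor forwarder as a systemd unit.
# Not trw's script and not part of INN, socat or Tor.

# Shape check for a v3 onion address: 56 base32 characters plus ".onion".
# Only the shape is checked, not the checksum embedded in the address.
onion_is_v3() {
    case "$1" in
        *.onion) ;;
        *) return 1 ;;
    esac
    label="${1%.onion}"
    [ "${#label}" -eq 56 ] || return 1
    case "$label" in
        *[!a-z2-7]*) return 1 ;;
    esac
    return 0
}

# Accept only an integer TCP port in 1..65535.
port_is_valid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the unit. Arguments: local port, peer onion address, peer port,
# optional SOCKS proxy ip and port (defaults 127.0.0.1 and 9050, assumed).
# The listener is bound to 127.0.0.1 so only this host (e.g. innfeed) can
# reach the forwarder; a listener on all interfaces would let any host that
# can reach the port ride into the peer's onion service.
socat_unit() {
    localport="$1"; onion="$2"; onionport="$3"
    proxyip="${4:-127.0.0.1}"; proxyport="${5:-9050}"
    onion_is_v3 "$onion" || { echo "not a v3 onion address: $onion" >&2; return 1; }
    for p in "$localport" "$onionport" "$proxyport"; do
        port_is_valid "$p" || { echo "bad port: $p" >&2; return 1; }
    done
    cat <<EOF
[Unit]
Description=socat forwarder to ${onion}:${onionport} via Tor
After=network.target tor.service
Wants=tor.service

[Service]
ExecStart=/usr/bin/socat TCP4-LISTEN:${localport},bind=127.0.0.1,reuseaddr,fork SOCKS4A:${proxyip}:${onion}:${onionport},socksport=${proxyport}
Restart=always
RestartSec=120
DynamicUser=yes
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes

[Install]
WantedBy=multi-user.target
EOF
}

# Usage (as root), then: systemctl daemon-reload && systemctl enable --now nntp-tor-peer
#   socat_unit 50119 <peer>.onion 119 > /etc/systemd/system/nntp-tor-peer.service
```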

Re: Usenet peering over Tor

<t699eg$ko8$1@tncsrv09.home.tnetconsulting.net>

https://www.novabbs.com/computers/article-flat.php?id=779&group=news.software.nntp#779
Path: i2pn2.org!i2pn.org!usenet.blueworldhosting.com!feed1.usenet.blueworldhosting.com!tncsrv06.tnetconsulting.net!tncsrv09.home.tnetconsulting.net!.POSTED.alpha.home.tnetconsulting.net!not-for-mail
From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: news.software.nntp
Subject: Re: Usenet peering over Tor
Date: Fri, 20 May 2022 17:49:46 -0600
Organization: TNet Consulting
Message-ID: <t699eg$ko8$1@tncsrv09.home.tnetconsulting.net>
References: <t60624$94k$1@dont-email.me>
<04d569cad213f99655ed8364caeb11b7@news.novabbs.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Fri, 20 May 2022 23:49:36 -0000 (UTC)
Injection-Info: tncsrv09.home.tnetconsulting.net; posting-host="alpha.home.tnetconsulting.net:198.18.18.251";
logging-data="21256"; mail-complaints-to="newsmaster@tnetconsulting.net"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.13.0
In-Reply-To: <04d569cad213f99655ed8364caeb11b7@news.novabbs.org>
Content-Language: en-US
 by: Grant Taylor - Fri, 20 May 2022 23:49 UTC

On 5/18/22 3:12 AM, Retro Guy wrote:
> I have done this and it works fine. My previous partner in this
> project (rocksolid), trw, wrote a script to handle peering over tor
> and it works well. I'll post the script below. If you want to test,
> I'll be happy to test with you. Again, credit to trw for the script.

My concern about peering over Tor is the absence of sending system
identification. It is typical for peering privileges to be associated
with the source IP. So, based on the very nature of Tor -- as I
understand it -- anyone that knows the Tor hidden service address will
be viewed as the same source and thus have the same privileges.

Does this mean that people will be using something else at the NNTP
level to manage peer identification and permissions therein?

Or is there some sort of Tor restriction on clients that can connect to
a Tor hidden service?

>                socat TCP4-LISTEN:"$localport",reuseaddr,fork
> SOCKS4A:"$proxyip":"$onion":"$onionport",socksport="$proxyport"

I don't see anything in the socat command to belay my concern.

It seems as if the command simply stands up a local listening socket
that passes through the Tor network to a news server that's behind a Tor
hidden service.

What am I missing?

--
Grant. . . .
unix || die

Re: Usenet peering over Tor

<d4486ae4a0726e951ed7f46be3004d01@news.novabbs.org>

https://www.novabbs.com/computers/article-flat.php?id=780&group=news.software.nntp#780
Path: i2pn2.org!.POSTED.novabbs-org!not-for-mail
From: retro....@rocksolidbbs.com (Retro Guy)
Newsgroups: news.software.nntp
Subject: Re: Usenet peering over Tor
Date: Sat, 21 May 2022 03:50:47 +0000
Organization: Rocksolid Light
Message-ID: <d4486ae4a0726e951ed7f46be3004d01@news.novabbs.org>
References: <t60624$94k$1@dont-email.me> <04d569cad213f99655ed8364caeb11b7@news.novabbs.org> <t699eg$ko8$1@tncsrv09.home.tnetconsulting.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Info: i2pn2.org; posting-account="novabbs.org"; posting-host="novabbs-org:10.136.143.187";
logging-data="23140"; mail-complaints-to="usenet@i2pn2.org"
User-Agent: Rocksolid Light (www.novabbs.com/getrslight)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on novabbs.org
X-Rslight-Site: $2y$10$DIZ2zUMVEeHgIVBWOTyJeeCzZo2n4dHlbz/6j8cmBVaGeIxDfPceW
X-Rslight-Posting-User: 91053d4a47d51b416144568e5a1040f05e31ed1b
 by: Retro Guy - Sat, 21 May 2022 03:50 UTC

Grant Taylor wrote:

> On 5/18/22 3:12 AM, Retro Guy wrote:
>> I have done this and it works fine. My previous partner in this
>> project (rocksolid), trw, wrote a script to handle peering over tor
>> and it works well. I'll post the script below. If you want to test,
>> I'll be happy to test with you. Again, credit to trw for the script.

> My concern about peering over Tor is the absence of sending system
> identification. It is typical for peering privileges to be associated
> with the source IP. So, based on the very nature of Tor -- as I
> understand it -- anyone that knows the Tor hidden service address will
> be viewed as the same source and thus have the same privileges.

Yes, that's true. I2P makes it much easier.

> Does this mean that people will be using something else at the NNTP
> level to manage peer identification and permissions therein?

While I'm not sure if I'm using or understanding it correctly, I use a 'password'
in innfeed and incoming.conf. While it seems to work ok, I'm not sure why
you can set a username in innfeed, but not in incoming.conf. It's been a while
since I've spent much time on this.

> Or is there some sort of Tor restriction on clients that can connect to
> a Tor hidden service?

The newer v3 tor addresses are a bit better, as they shouldn't be known to
anyone unless you provide them the address. I do use a different address
for each peer.

>>                socat TCP4-LISTEN:"$localport",reuseaddr,fork
>> SOCKS4A:"$proxyip":"$onion":"$onionport",socksport="$proxyport"

> I don't see anything in the socat command to belay my concern.

> It seems as if the command simply stands up a local listening socket
> that passes through the Tor network to a news server that's behind a Tor
> hidden service.

Yes, that's exactly what it's doing, nothing more.

> What am I missing?

All your concerns are valid, so I don't think you're missing anything.

--
Retro Guy

Re: Usenet peering over Tor

<t69tpm$fk2$1@tncsrv09.home.tnetconsulting.net>

https://www.novabbs.com/computers/article-flat.php?id=781&group=news.software.nntp#781
Path: i2pn2.org!i2pn.org!usenet.blueworldhosting.com!feed1.usenet.blueworldhosting.com!tncsrv06.tnetconsulting.net!tncsrv09.home.tnetconsulting.net!.POSTED.alpha.home.tnetconsulting.net!not-for-mail
From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: news.software.nntp
Subject: Re: Usenet peering over Tor
Date: Fri, 20 May 2022 23:37:04 -0600
Organization: TNet Consulting
Message-ID: <t69tpm$fk2$1@tncsrv09.home.tnetconsulting.net>
References: <t60624$94k$1@dont-email.me>
<04d569cad213f99655ed8364caeb11b7@news.novabbs.org>
<t699eg$ko8$1@tncsrv09.home.tnetconsulting.net>
<d4486ae4a0726e951ed7f46be3004d01@news.novabbs.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Sat, 21 May 2022 05:36:54 -0000 (UTC)
Injection-Info: tncsrv09.home.tnetconsulting.net; posting-host="alpha.home.tnetconsulting.net:198.18.18.251";
logging-data="16002"; mail-complaints-to="newsmaster@tnetconsulting.net"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.13.0
In-Reply-To: <d4486ae4a0726e951ed7f46be3004d01@news.novabbs.org>
Content-Language: en-US
 by: Grant Taylor - Sat, 21 May 2022 05:37 UTC

On 5/20/22 9:50 PM, Retro Guy wrote:
> Yes, that's true. I2P makes it much easier.

Would you please elaborate on what I2P does that's different?

I know /of/ I2P, but very little about it. Most of that is that the
client is written in Java, which is a bad thing IMHO.

> While I'm not sure if using or understanding it correctly, I use a
> 'password' in innfeed and incoming.conf. While it seems to work
> ok, I'm not sure why you can set a username in innfeed, but not
> incoming.conf. It's been a while since I've spent much time on this.

I don't know. That's probably a question for those that know INN better
than I do.

> The newer v3 tor addresses are a bit better, as they shouldn't be
> known to anyone unless you provide them the address. I do use a
> different address for each peer.

If I understand correctly, Tor v3 is effectively a larger address /
search space. Read: Bigger haystack to hide in. ;-)

> Yes, that's exactly what it's doing, nothing more.

:-)

> All your concerns are valid, so I don't think you're missing anything.

As I see it, there should be something that provides client
authentication at the Tor layer or the INN / NNTP layer (preferably
something more than /just/ a password).

I suppose that you could add an additional VPN layer between Tor and
INN. Though now things are getting really complicated, and one needs to
ponder what the complication provides.

So I'll back up and ask what is the motivation for running / peering
with INN via a Tor hidden service?

--
Grant. . . .
unix || die

Re: Usenet peering over Tor

<de5ff5e2f742e0a9224dd1747a8bdbd4@news.novabbs.org>

https://www.novabbs.com/computers/article-flat.php?id=782&group=news.software.nntp#782
Path: i2pn2.org!.POSTED.novabbs-org!not-for-mail
From: retro....@rocksolidbbs.com (Retro Guy)
Newsgroups: news.software.nntp
Subject: Re: Usenet peering over Tor
Date: Sat, 21 May 2022 06:00:32 +0000
Organization: Rocksolid Light
Message-ID: <de5ff5e2f742e0a9224dd1747a8bdbd4@news.novabbs.org>
References: <t60624$94k$1@dont-email.me> <04d569cad213f99655ed8364caeb11b7@news.novabbs.org> <t699eg$ko8$1@tncsrv09.home.tnetconsulting.net> <d4486ae4a0726e951ed7f46be3004d01@news.novabbs.org> <t69tpm$fk2$1@tncsrv09.home.tnetconsulting.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Info: i2pn2.org; posting-account="novabbs.org"; posting-host="novabbs-org:10.136.143.187";
logging-data="791"; mail-complaints-to="usenet@i2pn2.org"
User-Agent: Rocksolid Light (www.novabbs.com/getrslight)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on novabbs.org
X-Rslight-Site: $2y$10$8r2beHD5tf4wrElJFfE02.eIzpiRli3LXBu/fNbBQwyhpRO5sRw7W
X-Rslight-Posting-User: 91053d4a47d51b416144568e5a1040f05e31ed1b
 by: Retro Guy - Sat, 21 May 2022 06:00 UTC

Grant Taylor wrote:

> On 5/20/22 9:50 PM, Retro Guy wrote:
>> Yes, that's true. I2P makes it much easier.

> Would you please elaborate on what I2P does that's different?

There are two features in I2P that help with this. One is that you
can tie a client key (generated by the client) to a server tunnel.
You can whitelist key(s) for this tunnel, and only allow specific
clients to connect.

Also, if you run I2P on the same server as inn2 (or whatever), I2P
can provide a specific ip address for each client, so you can allow
connections from one IP address, but not others.

None of this is available with Tor.

>> The newer v3 tor addresses are a bit better, as they shouldn't be
>> known to anyone unless you provide them the address. I do use a
>> different address for each peer.

> If I understand correctly, Tor v3 is effectively a larger address /
> search space. Read: Bigger haystack to hide in. ;-)

I have read that it is also more difficult to just guess addresses, so it is
harder to just try to connect to servers. The chance that a new address
you have not advertised is tried is much lower.

>> All your concerns are valid, so I don't think you're missing anything.

> As I see it, there should be something that provides client
> authentication at the Tor layer or the INN / NNTP layer (preferably
> something more than /just/ a password).

> I suppose that you could add an additional VPN layer between Tor and
> INN. Though now things are getting really complicated, and one needs to
> ponder what the complication provides.

This is something I've considered. It shouldn't be too difficult, but I
haven't felt the need to put time into it. Maybe in the future.

> So I'll back up and ask what is the motivation for running / peering
> with INN via a Tor hidden service?

The motivation is the same as why I run my own news servers instead of use
someone else's. Why I run my own mail server. Why I develop a web interface
for usenet newsgroups, and my own php news server. Because it's fun, a
challenge, and keeps my brain busy.

None of this will change the world; it's just a hobby that I enjoy.

--
Retro Guy

Re: Usenet peering over Tor

<slrnt8hlir.2d6.mnalis-news@leia.home.lan>

https://www.novabbs.com/computers/article-flat.php?id=783&group=news.software.nntp#783
Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!newsfeed.CARNet.hr!.POSTED.185.80.195.78!not-for-mail
From: mnalis-n...@voyager.hr (Matija Nalis)
Newsgroups: news.software.nntp
Subject: Re: Usenet peering over Tor
Date: Sat, 21 May 2022 14:08:59 +0200
Organization: CARNet, Croatia
Sender: mnalis@public.hr
Message-ID: <slrnt8hlir.2d6.mnalis-news@leia.home.lan>
References: <t60624$94k$1@dont-email.me>
<04d569cad213f99655ed8364caeb11b7@news.novabbs.org>
<t699eg$ko8$1@tncsrv09.home.tnetconsulting.net>
<d4486ae4a0726e951ed7f46be3004d01@news.novabbs.org>
<t69tpm$fk2$1@tncsrv09.home.tnetconsulting.net>
Injection-Info: news1.carnet.hr; posting-host="185.80.195.78";
logging-data="2845419"; mail-complaints-to="abuse@CARNet.hr"
User-Agent: slrn/1.0.3 (Linux)
Cancel-Lock: sha1:h7wK1TMONSsW29er1z9AhCBnPJ0=
 by: Matija Nalis - Sat, 21 May 2022 12:08 UTC

On Fri, 20 May 2022 23:37:04 -0600, Grant Taylor <gtaylor@tnetconsulting.net> wrote:
> On 5/20/22 9:50 PM, Retro Guy wrote:
>> While I'm not sure if using or understanding it correctly, I use a
>> 'password' in innfeed and incoming.conf. While it seems to work
>> ok, I'm not sure why you can set a username in innfeed, but not
>> incoming.conf. It's been a while since I've spent much time on this.
>
> I don't know. That's probably a question for those that know INN better
> than I do.

Hopefully someone who uses that will try changing the password on only one side
and see if the authentication fails (or there might be a bug, e.g. the option is
ignored and all access is always enabled).

>> The newer v3 tor addresses are a bit better, as they shouldn't be
>> known to anyone unless you provide them the address. I do use a
>> different address for each peer.
>
> If I understand correctly, Tor v3 is effectively a larger address /
> search space. Read: Bigger haystack to hide in. ;-)

Sure - as are *all* username/password schemes (and even RSA keys, TLS etc)...

As long as an attacker can try a "key" and see if it worked, the system
is susceptible to brute force attacks. It is all about a bigger haystack,
to make brute-forcing non-viable.

> As I see it, there should be something that provides client
> authentication at the Tor layer or the INN / NNTP layer (preferably
> something more than /just/ a password).

TLS itself (which hopefully one who cares about privacy uses on their NNTP servers!)
allows authentication via client-side certificates too.

I do not think inn implements that possibility directly (at least it
did not when I last looked at it in more detail - which was admittedly long ago).

Although if inn is in a dedicated container (or other services do not mind),
one could probably choose to trust only their local CA (i.e. remove all
other CAs from /etc/ssl/certs), and sign only trusted peer certs with that
local CA.

Or one could use an external TLS wrapper for inn (like stunnel) to accomplish that
client certificate verification (i.e. stunnel "verifyPeer=yes").

Although AUTHINFO password is probably just fine for most use cases (if it is
of reasonable complexity).
That is assuming that incoming.conf AUTHINFO feature actually works correctly :-)

> So I'll back up and ask what is the motivation for running / peering
> with INN via a Tor hidden service?

Few random ideas, I'm sure there are a lot more:

- you might want to protect the identity of peers posting information that high-level
adversaries do not like (e.g. Chinese dissidents, wikileaks-like stuff etc).

- the more traffic initiates over your TOR node, the better you are protected against
side-channel attacks when you're being actively monitored, as more noise is introduced.
Usenet introduces lots of noise, so Usenet good :)

- non-public privacy oriented hierarchies

- sites whose operators prefer not divulging their IP address space / country of origin / company affiliations.

--
Opinions above are GNU-copylefted.
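The check Matija suggests, as an added example that is not from this thread and not INN's own tooling: connect to the local forwarder (the socat listener from Retro Guy's script), send IHAVE before any AUTHINFO, and classify the peer's reply using only the generic RFC 3977 / RFC 4643 response codes, so a peer whose password option is silently ignored shows up as "open". Assumptions: no INN-specific behaviour, the probe message-id domain auth-check.invalid and the port 50119 in the usage line are constructed, and probe_peer needs bash for /dev/tcp.

```shell
#!/bin/bash
# Added example: does the peer behind the Tor forwarder really demand
# authentication before accepting articles? Not INN code, not from the thread.

# Decide from two reply codes, the greeting and the reply to an
# unauthenticated IHAVE, whether the peer enforces authentication.
# Prints one word and returns 0 only for the safe outcome:
#   enforced    480: peer demands AUTHINFO before IHAVE (what we want)
#   open        335/435/436/437: IHAVE was handled without credentials, so
#               the password in incoming.conf is not protecting this peer
#   no-transfer 500/502: this source is not offered IHAVE at all
#   unknown     anything else (not a transfer server, odd greeting, timeout)
judge_ihave_reply() {
    greeting="$1"; reply="$2"
    case "$greeting" in
        200|201) ;;
        *) echo unknown; return 3 ;;
    esac
    case "$reply" in
        480) echo enforced; return 0 ;;
        335|435|436|437) echo open; return 1 ;;
        500|502) echo no-transfer; return 2 ;;
        *) echo unknown; return 3 ;;
    esac
}

# Live probe: host and port of the local forwarder, e.g. 127.0.0.1 50119.
# The message-id uses the reserved .invalid domain (constructed). If the peer
# answers 335 (send it) we terminate with an empty article, which it has to
# reject, so nothing real is ever fed. Lines are CRLF-terminated; the code is
# taken up to the first whitespace, which also drops the trailing CR.
probe_peer() {
    host="$1"; port="$2"
    exec 3<>"/dev/tcp/$host/$port" || { echo unknown; return 3; }
    IFS= read -r -t 30 greeting <&3 || greeting=""
    printf 'IHAVE <probe.%s@auth-check.invalid>\r\n' "$(date +%s)" >&3
    IFS= read -r -t 30 reply <&3 || reply=""
    case "${reply%%[[:space:]]*}" in
        335) printf '.\r\n' >&3; IFS= read -r -t 30 _ <&3 ;;
    esac
    printf 'QUIT\r\n' >&3
    exec 3<&- 3>&-
    judge_ihave_reply "${greeting%%[[:space:]]*}" "${reply%%[[:space:]]*}"
}

# Usage: probe_peer 127.0.0.1 50119    (prints enforced|open|no-transfer|unknown)
```

Run it once with the correct password configured and once after changing the password on one side only; the peer should report "enforced" both times, and "open" means the IHAVE path is reachable without credentials.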

Re: Usenet peering over Tor

<87zgjadhik.fsf@hope.eyrie.org>

https://www.novabbs.com/computers/article-flat.php?id=784&group=news.software.nntp#784
Path: i2pn2.org!i2pn.org!paganini.bofh.team!news.killfile.org!news.eyrie.org!.POSTED!not-for-mail
From: eag...@eyrie.org (Russ Allbery)
Newsgroups: news.software.nntp
Subject: Re: Usenet peering over Tor
Date: Sat, 21 May 2022 08:36:51 -0700
Organization: The Eyrie
Message-ID: <87zgjadhik.fsf@hope.eyrie.org>
References: <t60624$94k$1@dont-email.me>
<04d569cad213f99655ed8364caeb11b7@news.novabbs.org>
<t699eg$ko8$1@tncsrv09.home.tnetconsulting.net>
<d4486ae4a0726e951ed7f46be3004d01@news.novabbs.org>
<t69tpm$fk2$1@tncsrv09.home.tnetconsulting.net>
<slrnt8hlir.2d6.mnalis-news@leia.home.lan>
Mime-Version: 1.0
Content-Type: text/plain
Injection-Info: hope.eyrie.org;
logging-data="29766"; mail-complaints-to="news@eyrie.org"
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
Cancel-Lock: sha1:GYLkpKEGj3nnuZ4C1vwC08SzYTI=
 by: Russ Allbery - Sat, 21 May 2022 15:36 UTC

Matija Nalis <mnalis-news@voyager.hr> writes:

> TLS itself (which hopefully one who cares about privacy uses on their
> NNTP servers!) allows authentication via client-side certificates too.

> I do not think inn implements that possibility directly (at least it did
> not when I last looked at it in more detail - which was admittedly long
> ago).

INN does not. Client certificate authentication is in general kind of a
pain in the ass and is very rarely implemented by clients (and when it is,
the UI is normally horrible, such as in web browsers), so there was never
enough demand for this feature.

The code is probably straightforward enough (although I haven't looked at
the OpenSSL API in detail). The protocol would presumably just use SASL
EXTERNAL, which I think is also reasonably straightforward. The hard part
is the configuration and attempting to explain in even vaguely coherent
English how to set up the validation chain, CA, and so forth, without
generating a flurry of confused people and support questions.

I've done this multiple times for other services and, honestly, automating
the whole thing end-to-end was always easier than trying to explain to
someone else what to do. (But alas INN can't do that.)

> Although AUTHINFO password is probably just fine for most use cases (if
> it is of reasonable complexity).

Particularly if you're only doing it over TLS. Then you can just use a
long random password and while there are some remaining drawbacks compared
to mutual TLS, they're relatively unimportant most of the time.

--
Russ Allbery (eagle@eyrie.org) <https://www.eyrie.org/~eagle/>

Please post questions rather than mailing me directly.
<https://www.eyrie.org/~eagle/faqs/questions.html> explains why.

Re: Usenet peering over Tor

<t6bc0u$e3d$1@txtcon.i2p>

https://www.novabbs.com/computers/article-flat.php?id=785&group=news.software.nntp#785
Path: i2pn2.org!rocksolid2!txtcon.i2p!.POSTED.127.163.152.53!not-for-mail
From: inva...@invalid.invalid (Miner)
Newsgroups: news.software.nntp
Subject: Re: Usenet peering over Tor
Date: Sat, 21 May 2022 18:45:51 -0000 (UTC)
Organization: TxtCon.I2P
Message-ID: <t6bc0u$e3d$1@txtcon.i2p>
References: <t60624$94k$1@dont-email.me> <04d569cad213f99655ed8364caeb11b7@news.novabbs.org> <t699eg$ko8$1@tncsrv09.home.tnetconsulting.net> <d4486ae4a0726e951ed7f46be3004d01@news.novabbs.org> <t69tpm$fk2$1@tncsrv09.home.tnetconsulting.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
Injection-Date: Sat, 21 May 2022 18:45:51 -0000 (UTC)
Injection-Info: txtcon.i2p; posting-account="miner"; posting-host="127.163.152.53";
logging-data="14445"; mail-complaints-to="txtcon@i2pmail.org"
 by: Miner - Sat, 21 May 2022 18:45 UTC

Grant Taylor wrote:

> I know /of/ I2P, but very little about it. Most of that is
> that the client is written in Java, which is a bad thing IMHO.

i2pd - a full-featured C++ implementation of the I2P router

--
Miner

Re: Usenet peering over Tor

<t6degv$18241$1@news.trigofacile.com>


https://www.novabbs.com/computers/article-flat.php?id=786&group=news.software.nntp#786

Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!news.trigofacile.com!.POSTED.176.143-2-105.abo.bbox.fr!not-for-mail
From: iul...@nom-de-mon-site.com.invalid (Julien ÉLIE)
Newsgroups: news.software.nntp
Subject: Re: Usenet peering over Tor
Date: Sun, 22 May 2022 15:40:47 +0200
Organization: Groupes francophones par TrigoFACILE
Message-ID: <t6degv$18241$1@news.trigofacile.com>
References: <t60624$94k$1@dont-email.me>
<04d569cad213f99655ed8364caeb11b7@news.novabbs.org>
<t699eg$ko8$1@tncsrv09.home.tnetconsulting.net>
<d4486ae4a0726e951ed7f46be3004d01@news.novabbs.org>
<t69tpm$fk2$1@tncsrv09.home.tnetconsulting.net>
<slrnt8hlir.2d6.mnalis-news@leia.home.lan>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Sun, 22 May 2022 13:40:47 -0000 (UTC)
Injection-Info: news.trigofacile.com; posting-account="julien"; posting-host="176.143-2-105.abo.bbox.fr:176.143.2.105";
logging-data="1312897"; mail-complaints-to="abuse@trigofacile.com"
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0)
Gecko/20100101 Thunderbird/91.9.0
Cancel-Lock: sha1:D6m0gbEpT+cJMSikwQmdF5lwfcg= sha256:4/2ELDwIHHhaw2ULg7J+xcG5Bli2HohWYbZOxcziya0=
sha1:Zrbf167LVd/QfogF93tco0b5C8o= sha256:pSw6mZ5E6CCf80dIbkwBjP6dyJZFng76qQfNrBDGg54=
In-Reply-To: <slrnt8hlir.2d6.mnalis-news@leia.home.lan>
 by: Julien ÉLIE - Sun, 22 May 2022 13:40 UTC

Hi Matija,

>>> While I'm not sure if using or understanding it correctly, I use a
>>> 'password' in innfeed and incoming.conf. While it seems to work
>>> ok, I'm not sure why you can set a username in innfeed, but not
>>> incoming.conf. It's been a while since I've spent much time on this.
[...]
> Although AUTHINFO password is probably just fine for most use cases (if it is
> of reasonable complexity).
> That is assuming that incoming.conf AUTHINFO feature actually works correctly :-)

Yes, I confirm AUTHINFO works fine in both innfeed and innd.
I thoroughly tested it when implementing NNTP v2.

The reason behind that behaviour is historical. Prior to INN 2.6.0,
released in 2015, a remote peer could just send "AUTHINFO PASS" (without
a previous "AUTHINFO USER" command), which is contrary to RFC 4643, to
be authenticated.
innd does not historically take into account a username, but only a
password.

(Note that a mere "AUTHINFO USER" is allowed by RFC 4643, but not a mere
"AUTHINFO PASS".)

From ChangeLog in 2.6.0:

%%%
The NNTP protocol requires a username to be sent before a password when
authentication is used. innd was wrongly allowing only a password to be
sent by authenticated peers.

Owing to the implementation of RFC 4643 (AUTHINFO USER/PASS) in innd, if
remote peers have to authenticate in order to feed articles, they now
have to send a username (which was previously wrongly optional), before
sending their password. The mandatory username, though currently unused
by innd, can be whatever the remote peer wishes. In previous versions
of INN, inncheck was already complaining when passwd.nntp contained an
empty username associated with a password.

A manual review of authenticated feeds should then be done so as to
ensure that they are properly working.
%%%

When doing that change (committed in 2009), I normally made sure other
major open source NNTP servers were sending AUTHINFO USER and therefore
this would not break badly existing interoperability.
Seems like it did not (nobody using other NNTP servers I did not look at
ever complained) :-)

--
Julien ÉLIE

« Every man should get married one day; after all, happiness isn't the
only thing in life. »

Re: Usenet peering over Tor

<303ef7c982836503c4aa470e8cd9afe0@news.novabbs.org>


https://www.novabbs.com/computers/article-flat.php?id=787&group=news.software.nntp#787

Path: i2pn2.org!.POSTED.novabbs-org!not-for-mail
From: retro....@rocksolidbbs.com (Retro Guy)
Newsgroups: news.software.nntp
Subject: Re: Usenet peering over Tor
Date: Sun, 22 May 2022 20:54:24 +0000
Organization: Rocksolid Light
Message-ID: <303ef7c982836503c4aa470e8cd9afe0@news.novabbs.org>
References: <t60624$94k$1@dont-email.me> <04d569cad213f99655ed8364caeb11b7@news.novabbs.org> <t699eg$ko8$1@tncsrv09.home.tnetconsulting.net> <d4486ae4a0726e951ed7f46be3004d01@news.novabbs.org> <t69tpm$fk2$1@tncsrv09.home.tnetconsulting.net> <slrnt8hlir.2d6.mnalis-news@leia.home.lan> <t6degv$18241$1@news.trigofacile.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Info: i2pn2.org; posting-account="novabbs.org"; posting-host="novabbs-org:10.136.143.187";
logging-data="18068"; mail-complaints-to="usenet@i2pn2.org"
User-Agent: Rocksolid Light (www.novabbs.com/getrslight)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on novabbs.org
X-Rslight-Site: $2y$10$wTNf.2iMajyx6PEF2RqSb.mB7rNcD3tYENKrX0v9.qFEktJS3DIX2
X-Rslight-Posting-User: 91053d4a47d51b416144568e5a1040f05e31ed1b
X-Face: .&YR-G(w(DZ$$,}%k=]*5*!p'=(anr"IT`wZG'2VWdfl\r)l[42u7JH`n(JUQ*e5*A|XCDf
?&\X&uwkl38"CYX3O8m}C8E4p'%N$2#kSTVzx{Ly|DjLT\Vk7NE}NQ(VC$Yq]i:7|z[.9iv^g>*8_B
H0=hZt'[%)4kG|
 by: Retro Guy - Sun, 22 May 2022 20:54 UTC

Julien ÉLIE wrote:

> Hi Matija,

>>>> While I'm not sure if using or understanding it correctly, I use a
>>>> 'password' in innfeed and incoming.conf. While it seems to work
>>>> ok, I'm not sure why you can set a username in innfeed, but not
>>>> incoming.conf. It's been a while since I've spent much time on this.
> [...]
>> Although AUTHINFO password is probably just fine for most use cases (if it is
>> of reasonable complexity).
>> That is assuming that incoming.conf AUTHINFO feature actually works correctly :-)

> Yes, I confirm AUTHINFO works fine in both innfeed and innd.
> I thoroughly tested it when implementing NNTP v2.

> The reason behind that behaviour is historical. Prior to INN 2.6.0,
> released in 2015, a remote peer could just send "AUTHINFO PASS" (without
> a previous "AUTHINFO USER" command), which is contrary to RFC 4643, to
> be authenticated.
> innd does not historically take into account a username, but only a
> password.

Thank you for the info and confirmation. It works for me also, but I just never
understood if I was using it correctly due to USER only being available on one
end.

--
Retro Guy

Re: Usenet peering over Tor

<t6eaa0$18g2o$1@news.trigofacile.com>


https://www.novabbs.com/computers/article-flat.php?id=788&group=news.software.nntp#788

Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!news.trigofacile.com!.POSTED.san13-h02-176-143-2-105.dsl.sta.abo.bbox.fr!not-for-mail
From: iul...@nom-de-mon-site.com.invalid (Julien ÉLIE)
Newsgroups: news.software.nntp
Subject: Re: Usenet peering over Tor
Date: Sun, 22 May 2022 23:34:56 +0200
Organization: Groupes francophones par TrigoFACILE
Message-ID: <t6eaa0$18g2o$1@news.trigofacile.com>
References: <t60624$94k$1@dont-email.me>
<04d569cad213f99655ed8364caeb11b7@news.novabbs.org>
<t699eg$ko8$1@tncsrv09.home.tnetconsulting.net>
<d4486ae4a0726e951ed7f46be3004d01@news.novabbs.org>
<t69tpm$fk2$1@tncsrv09.home.tnetconsulting.net>
<slrnt8hlir.2d6.mnalis-news@leia.home.lan>
<t6degv$18241$1@news.trigofacile.com>
<303ef7c982836503c4aa470e8cd9afe0@news.novabbs.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Sun, 22 May 2022 21:34:56 -0000 (UTC)
Injection-Info: news.trigofacile.com; posting-account="julien"; posting-host="san13-h02-176-143-2-105.dsl.sta.abo.bbox.fr:176.143.2.105";
logging-data="1327192"; mail-complaints-to="abuse@trigofacile.com"
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0)
Gecko/20100101 Thunderbird/91.9.0
Cancel-Lock: sha1:hVnV7TxMmBkoO/mnGeKLezcvBdo= sha256:kswFRkyoDCx7A3zTCSURadmK9lZtgWdbP4eKwdFnoMs=
sha1:Pjt5ii2ZqiquDtDdF5UxT72ZYIM= sha256:/u0LG5aV6TuC+yuoiqathxSb+RpvqMmR0zTCIuhAiz4=
In-Reply-To: <303ef7c982836503c4aa470e8cd9afe0@news.novabbs.org>
 by: Julien ÉLIE - Sun, 22 May 2022 21:34 UTC

Hi Retro Guy,
>> innd does not historically take into account a username, but only a
>> password.
>
> Thank you for the info and confirmation. It works for me also, but I
> just never understood if I was using it correctly due to USER only
> being available on one end.

This behaviour is worth documenting in incoming.conf; I'll add a
sentence for the "password" keyword saying that innd will accept any
username provided by the remote peer (mandatory in the authentication
protocol) as long as the password corresponds.

Thanks for recalling that point!

--
Julien ÉLIE

« – You talking?
– You bet! » (Astérix)
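The two posts above describe the AUTHINFO sequencing rule: RFC 4643 requires AUTHINFO USER before AUTHINFO PASS, innd keys access on the password alone and accepts whatever username the peer sends, and versions before INN 2.6.0 wrongly accepted a bare AUTHINFO PASS. The following is an added example of my own (not INN's code) that models that server-side state machine; the response codes and texts are RFC 4643's, while the choice to answer 502 after a successful login and to make the peer restart with USER after a wrong password are my own, and the password and peer names are constructed samples.

```python
import hmac

# Response codes and texts from RFC 4643 (NNTP AUTHINFO USER/PASS).
AUTH_ACCEPTED = "281 Authentication accepted"
PASSWORD_REQUIRED = "381 Password required"
AUTH_REJECTED = "481 Authentication failed/rejected"
OUT_OF_SEQUENCE = "482 Authentication commands issued out of sequence"
ALREADY_AUTHENTICATED = "502 Command unavailable"
SYNTAX_ERROR = "501 Syntax error"


class PeerAuth:
    """AUTHINFO handler for one incoming feed connection.

    Access is decided on the password alone, as the thread describes for
    innd's incoming.conf "password" keyword: any username is accepted, but
    since INN 2.6.0 one must still be sent before AUTHINFO PASS because
    RFC 4643 requires it.  legacy=True reproduces the pre-2.6.0 behaviour
    that accepted a bare AUTHINFO PASS.
    """

    def __init__(self, password, legacy=False):
        self._password = password.encode()
        self._legacy = legacy
        self.username = None
        self.authenticated = False

    def command(self, line):
        """Handle one AUTHINFO command line and return the response line."""
        # keyword, USER|PASS, argument (the argument may itself contain spaces)
        parts = line.split(None, 2)
        if len(parts) != 3 or parts[0].upper() != "AUTHINFO":
            return SYNTAX_ERROR
        sub, arg = parts[1].upper(), parts[2]
        if self.authenticated:
            # RFC 4643 lets a server refuse AUTHINFO once authentication succeeded.
            return ALREADY_AUTHENTICATED
        if sub == "USER":
            self.username = arg            # stored but never checked (innd behaviour)
            return PASSWORD_REQUIRED
        if sub == "PASS":
            if self.username is None and not self._legacy:
                return OUT_OF_SEQUENCE     # PASS before USER is a protocol error
            # Constant-time comparison so response timing does not leak a prefix match.
            if hmac.compare_digest(arg.encode(), self._password):
                self.authenticated = True
                return AUTH_ACCEPTED
            self.username = None           # design choice: peer must restart with USER
            return AUTH_REJECTED
        return SYNTAX_ERROR


def run_session(handler, lines):
    """Feed a sequence of command lines and collect the server responses."""
    return [handler.command(line) for line in lines]


# Constructed sample password, not a real feed credential.
FEED_PASSWORD = "constructed-sample-password-9f2c"

if __name__ == "__main__":
    session = ["AUTHINFO PASS " + FEED_PASSWORD,   # rejected: USER not sent yet
               "AUTHINFO USER anypeer",            # any username is fine
               "AUTHINFO PASS " + FEED_PASSWORD]   # accepted
    for cmd, reply in zip(session, run_session(PeerAuth(FEED_PASSWORD), session)):
        print("C:", cmd)
        print("S:", reply)
```

Running the block shows the exchange a post-2.6.0 innd expects: a bare AUTHINFO PASS draws 482, and the same password is accepted once any AUTHINFO USER has preceded it.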

Re: Usenet peering over Tor

<t6gp7d$shf$1@tncsrv09.home.tnetconsulting.net>


https://www.novabbs.com/computers/article-flat.php?id=792&group=news.software.nntp#792

Path: i2pn2.org!i2pn.org!usenet.blueworldhosting.com!feed1.usenet.blueworldhosting.com!tncsrv06.tnetconsulting.net!tncsrv09.home.tnetconsulting.net!.POSTED.alpha.home.tnetconsulting.net!not-for-mail
From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: news.software.nntp
Subject: Re: Usenet peering over Tor
Date: Mon, 23 May 2022 14:02:00 -0600
Organization: TNet Consulting
Message-ID: <t6gp7d$shf$1@tncsrv09.home.tnetconsulting.net>
References: <t60624$94k$1@dont-email.me>
<04d569cad213f99655ed8364caeb11b7@news.novabbs.org>
<t699eg$ko8$1@tncsrv09.home.tnetconsulting.net>
<d4486ae4a0726e951ed7f46be3004d01@news.novabbs.org>
<t69tpm$fk2$1@tncsrv09.home.tnetconsulting.net>
<de5ff5e2f742e0a9224dd1747a8bdbd4@news.novabbs.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Mon, 23 May 2022 20:01:49 -0000 (UTC)
Injection-Info: tncsrv09.home.tnetconsulting.net; posting-host="alpha.home.tnetconsulting.net:198.18.18.251";
logging-data="29231"; mail-complaints-to="newsmaster@tnetconsulting.net"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.13.0
In-Reply-To: <de5ff5e2f742e0a9224dd1747a8bdbd4@news.novabbs.org>
Content-Language: en-US
 by: Grant Taylor - Mon, 23 May 2022 20:02 UTC

On 5/21/22 12:00 AM, Retro Guy wrote:
> There are two features in I2P that help with this.

Both of the listed options; client key, and client IP, sound like they
would help considerably to make connections over I2P behave more like
connections over native IP.

> This is something I've considered. It shouldn't be too difficult,
> but I haven't felt the need to put time into it. Maybe in the future.

My concern with VPN is the make it work with SOCKS(Tor) thing. There
are ways to SOCKSify things; LD_PRELOAD tricks, routing tricks, but they
are -- let's go with -- non-clean / non-obvious and feel like they might
be making things harder than strictly necessary.

> The motivation is the same as why I run my own news servers instead of
> use someone else's. Why I run my own mail server. Why I develop a web
> interface for usenet newsgroups, and my own php news server. Because
> it's fun, a challenge, and keeps my brain busy.

Okay. I can get behind that. But where does the academic exercise end
and practicality take over? E.g. is establishing peers via I2P and / or
Tor something that people are interested in? Or is this truly an
academic exercise.

Aside: I can get behind purely academic exercises. I just want to know
if that's all this will be or if there is more to this.

> None of this will change the world, it's just a hobby that I enjoy.

ACK

I can get behind and support that.

--
Grant. . . .
unix || die

Re: Usenet peering over Tor

<t6gpkp$8qr$1@tncsrv09.home.tnetconsulting.net>


https://www.novabbs.com/computers/article-flat.php?id=793&group=news.software.nntp#793

Path: i2pn2.org!i2pn.org!usenet.blueworldhosting.com!feed1.usenet.blueworldhosting.com!tncsrv06.tnetconsulting.net!tncsrv09.home.tnetconsulting.net!.POSTED.alpha.home.tnetconsulting.net!not-for-mail
From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: news.software.nntp
Subject: Re: Usenet peering over Tor
Date: Mon, 23 May 2022 14:09:07 -0600
Organization: TNet Consulting
Message-ID: <t6gpkp$8qr$1@tncsrv09.home.tnetconsulting.net>
References: <t60624$94k$1@dont-email.me>
<04d569cad213f99655ed8364caeb11b7@news.novabbs.org>
<t699eg$ko8$1@tncsrv09.home.tnetconsulting.net>
<d4486ae4a0726e951ed7f46be3004d01@news.novabbs.org>
<t69tpm$fk2$1@tncsrv09.home.tnetconsulting.net>
<slrnt8hlir.2d6.mnalis-news@leia.home.lan>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Mon, 23 May 2022 20:08:57 -0000 (UTC)
Injection-Info: tncsrv09.home.tnetconsulting.net; posting-host="alpha.home.tnetconsulting.net:198.18.18.251";
logging-data="9051"; mail-complaints-to="newsmaster@tnetconsulting.net"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.13.0
In-Reply-To: <slrnt8hlir.2d6.mnalis-news@leia.home.lan>
Content-Language: en-US
 by: Grant Taylor - Mon, 23 May 2022 20:09 UTC

On 5/21/22 6:08 AM, Matija Nalis wrote:
> Sure - as are *all* username/password schemes (and even RSA keys,
> TLS etc)...

Eh ... now you're getting into why is fire hot territory.

> As long as an attacker can try a "key", and see if it worked, the system is
> susceptible to brute force attacks. It is all about a bigger haystack,
> to make bruteforcing non-viable.

ACK

> TLS itself ... allows authentication via client-side certificates too.

True! I use this very thing between email servers.

> I do not think inn implements that possibility directly (at least it
> did not when I last looked at it in more detail - which was admittedly
> long ago).

I don't recall reading about support for it either. But my ignorance
doesn't preclude such support from existing.

> Although if inn is in dedicated container (or other services do
> not mind), one could probably choose to trust only their local CA
> (i.e. remove all other CAs from /etc/ssl/certs), and sign only trusted
> peer certs with that local CA.

I don't think you want to /only/ rely on if a client certificate
validates or not. I believe you want some sort of sub-selection of
which certificate is allowed, assuming that it does validate.

E.g. Sendmail will happily conditionally look for the CN of a client
certificate /if/ the signer is trusted. Meaning that I can specify my
server's CNs from their Let's Encrypt certificates and only my servers
are allowed to relay, no other servers using Let's Encrypt certificates.

> Or one could use external TLS wrapper for inn (like stunnel)
> to accomplish that client certificate verification (i.e. stunnel
> "verifyPeer=yes").

Ya.... But then you have the issue of getting client information from
the external sub-system into INN for it to make decisions.

--
Grant. . . .
unix || die
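Grant's point above is that chain validation alone is not an access decision: with a public CA such as Let's Encrypt, every certificate it issued validates, so the server must also sub-select on the identity in the certificate, as Sendmail does with the CN. The following is an added example of my own (not INN's, stunnel's or Sendmail's code) that makes that second check on the dict Python's `ssl.SSLSocket.getpeercert()` returns; the certificate dicts and the peer allow-list are constructed samples, and the hostnames are placeholders.

```python
import ssl

# Constructed getpeercert()-style dicts, not real certificates.  getpeercert()
# returns this shape: 'subject' is a tuple of RDNs, each a tuple of (type, value)
# pairs; 'subjectAltName' is a tuple of (type, value) pairs.
PEER_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "news.peer.example"),)),
    "subjectAltName": (("DNS", "news.peer.example"), ("DNS", "feeder.peer.example")),
}
STRANGER_CERT = {
    "subject": ((("commonName", "mail.other.example"),),),
    "subjectAltName": (("DNS", "mail.other.example"),),
}
ALLOWED_PEERS = {"news.peer.example"}   # constructed allow-list of peer hostnames


def peer_names(cert):
    """Identities a validated client certificate claims: every CN plus every DNS SAN.

    Sendmail's check looks at the CN; modern certificates, Let's Encrypt ones
    included, carry the hostname in subjectAltName, so both are collected.
    """
    names = set()
    for rdn in cert.get("subject", ()):
        for attr_type, value in rdn:
            if attr_type == "commonName":
                names.add(value.lower())
    for san_type, value in cert.get("subjectAltName", ()):
        if san_type == "DNS":
            names.add(value.lower())
    return names


def peer_allowed(cert, allowed):
    """True only if the certificate was validated AND names a listed peer.

    getpeercert() returns an empty dict when no certificate was validated,
    so an empty dict must fail closed.
    """
    if not cert:
        return False
    return not peer_names(cert).isdisjoint(n.lower() for n in allowed)


def make_server_context(cafile, certfile, keyfile):
    """Server-side context that requires a client certificate chaining to cafile.

    Chain validation answers "was this signed by a CA I trust?"; the
    per-connection peer_allowed() check answers "is this one of *my* peers?".
    """
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_cert_chain(certfile, keyfile)
    return ctx


def accept_peer(tls_sock, allowed=ALLOWED_PEERS):
    """Post-handshake gate for a socket wrapped by make_server_context()."""
    return peer_allowed(tls_sock.getpeercert(), allowed)
```

With a private CA that signs only peer certificates, the allow-list is belt and braces; with a public CA it is the whole access decision, which is the distinction Grant draws above.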

Re: Usenet peering over Tor

<t6gpm8$8qr$2@tncsrv09.home.tnetconsulting.net>


https://www.novabbs.com/computers/article-flat.php?id=794&group=news.software.nntp#794

Path: i2pn2.org!i2pn.org!usenet.blueworldhosting.com!feed1.usenet.blueworldhosting.com!tncsrv06.tnetconsulting.net!tncsrv09.home.tnetconsulting.net!.POSTED.alpha.home.tnetconsulting.net!not-for-mail
From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: news.software.nntp
Subject: Re: Usenet peering over Tor
Date: Mon, 23 May 2022 14:09:55 -0600
Organization: TNet Consulting
Message-ID: <t6gpm8$8qr$2@tncsrv09.home.tnetconsulting.net>
References: <t60624$94k$1@dont-email.me>
<04d569cad213f99655ed8364caeb11b7@news.novabbs.org>
<t699eg$ko8$1@tncsrv09.home.tnetconsulting.net>
<d4486ae4a0726e951ed7f46be3004d01@news.novabbs.org>
<t69tpm$fk2$1@tncsrv09.home.tnetconsulting.net> <t6bc0u$e3d$1@txtcon.i2p>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Mon, 23 May 2022 20:09:44 -0000 (UTC)
Injection-Info: tncsrv09.home.tnetconsulting.net; posting-host="alpha.home.tnetconsulting.net:198.18.18.251";
logging-data="9051"; mail-complaints-to="newsmaster@tnetconsulting.net"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.13.0
In-Reply-To: <t6bc0u$e3d$1@txtcon.i2p>
Content-Language: en-US
 by: Grant Taylor - Mon, 23 May 2022 20:09 UTC

On 5/21/22 12:45 PM, Miner wrote:
> i2pd - a full-featured C++ implementation of the I2P router

Thank you for that information Miner.

I'll keep that in mind for the next time the need for I2P comes up.

--
Grant. . . .
unix || die

Re: Usenet peering over Tor

<b52a8cbc80121006c43934d1f5518414@news.novabbs.org>


https://www.novabbs.com/computers/article-flat.php?id=796&group=news.software.nntp#796

Path: i2pn2.org!.POSTED.novabbs-org!not-for-mail
From: retro....@rocksolidbbs.com (Retro Guy)
Newsgroups: news.software.nntp
Subject: Re: Usenet peering over Tor
Date: Wed, 25 May 2022 07:37:47 +0000
Organization: Rocksolid Light
Message-ID: <b52a8cbc80121006c43934d1f5518414@news.novabbs.org>
References: <t60624$94k$1@dont-email.me> <04d569cad213f99655ed8364caeb11b7@news.novabbs.org> <t699eg$ko8$1@tncsrv09.home.tnetconsulting.net> <d4486ae4a0726e951ed7f46be3004d01@news.novabbs.org> <t69tpm$fk2$1@tncsrv09.home.tnetconsulting.net> <de5ff5e2f742e0a9224dd1747a8bdbd4@news.novabbs.org> <t6gp7d$shf$1@tncsrv09.home.tnetconsulting.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Info: i2pn2.org; posting-account="novabbs.org"; posting-host="novabbs-org:10.136.143.187";
logging-data="21592"; mail-complaints-to="usenet@i2pn2.org"
User-Agent: Rocksolid Light (www.novabbs.com/getrslight)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on novabbs.org
X-Rslight-Site: $2y$10$H8WjAg2mQjmL3PvHmw1vKulUXkHUXhcQzausJ6Lo1wOlX3YhO3dgq
X-Rslight-Posting-User: 91053d4a47d51b416144568e5a1040f05e31ed1b
X-Face: .&YR-G(w(DZ$$,}%k=]*5*!p'=(anr"IT`wZG'2VWdfl\r)l[42u7JH`n(JUQ*e5*A|XCDf
?&\X&uwkl38"CYX3O8m}C8E4p'%N$2#kSTVzx{Ly|DjLT\Vk7NE}NQ(VC$Yq]i:7|z[.9iv^g>*8_B
H0=hZt'[%)4kG|
 by: Retro Guy - Wed, 25 May 2022 07:37 UTC

Grant Taylor wrote:

> On 5/21/22 12:00 AM, Retro Guy wrote:

>> The motivation is the same as why I run my own news servers instead of
>> use someone else's. Why I run my own mail server. Why I develop a web
>> interface for usenet newsgroups, and my own php news server. Because
>> it's fun, a challenge, and keeps my brain busy.

> Okay. I can get behind that. But where does the academic exercise end
> and practicality take over? E.g. is establishing peers via I2P and / or
> Tor something that people are interested in? Or is this truly an
> academic exercise.

I would assume that my peers in I2P, I have three, probably do so for the same
reasons that I do, because we can. You will find, for example, a poster in
this group that runs their own server and peers through mine via I2P. You
can't trace them, and they are making valid and useful posts, so there are
people in these networks that are valuable to the community, and enjoy the
exercise of trying something different.

> Aside: I can get behind purely academic exercises. I just want to know
> if that's all this will be or if there is more to this.

One reason for me is to stay in touch with alternative networks. It keeps
me up to date on I2P and Tor. These networks may get a bad reputation from
some bad players, but they are functioning networks, and there are plenty
of people using them for very valid purposes.

I'm old enough to remember (and I would guess many of us in this group
are), when using a BBS or the internet made you suspect.

In the early 90s, my wife at the time found me talking (voice) to someone
online using powwow and accused me of all sorts of stuff. It was new to me,
voice over internet, and I just had to mess with it. I still have that same
interest and excitement doing things online.

--
Retro Guy

Re: Usenet peering over Tor

<t6lju4$578$1@tncsrv09.home.tnetconsulting.net>


https://www.novabbs.com/computers/article-flat.php?id=797&group=news.software.nntp#797

Path: i2pn2.org!rocksolid2!i2pn.org!weretis.net!feeder6.news.weretis.net!tncsrv06.tnetconsulting.net!tncsrv09.home.tnetconsulting.net!.POSTED.alpha.home.tnetconsulting.net!not-for-mail
From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: news.software.nntp
Subject: Re: Usenet peering over Tor
Date: Wed, 25 May 2022 10:02:23 -0600
Organization: TNet Consulting
Message-ID: <t6lju4$578$1@tncsrv09.home.tnetconsulting.net>
References: <t60624$94k$1@dont-email.me>
<04d569cad213f99655ed8364caeb11b7@news.novabbs.org>
<t699eg$ko8$1@tncsrv09.home.tnetconsulting.net>
<d4486ae4a0726e951ed7f46be3004d01@news.novabbs.org>
<t69tpm$fk2$1@tncsrv09.home.tnetconsulting.net>
<de5ff5e2f742e0a9224dd1747a8bdbd4@news.novabbs.org>
<t6gp7d$shf$1@tncsrv09.home.tnetconsulting.net>
<b52a8cbc80121006c43934d1f5518414@news.novabbs.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Wed, 25 May 2022 16:02:12 -0000 (UTC)
Injection-Info: tncsrv09.home.tnetconsulting.net; posting-host="alpha.home.tnetconsulting.net:198.18.18.251";
logging-data="5352"; mail-complaints-to="newsmaster@tnetconsulting.net"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.13.0
In-Reply-To: <b52a8cbc80121006c43934d1f5518414@news.novabbs.org>
Content-Language: en-US
 by: Grant Taylor - Wed, 25 May 2022 16:02 UTC

On 5/25/22 1:37 AM, Retro Guy wrote:
> I would assume that my peers in I2P, I have three, probably do so for
> the same reasons that I do, because we can. You will find, for example,
> a poster in this group that runs their own server and peers through
> mine via I2P.

That's interesting enough that I'll add the C++ implementation of i2pd
that Miner mentioned to my list of things to check out so that I could
consider being an additional I2P news peer.

> You can't trace them, and they are making valid and useful posts, so
> there are people in these networks that are valuable to the community,
> and enjoy the exercise of trying something different.

I learned a long time ago that the communications medium is not a
reliable indicator of the validity / usefulness of the communications.

> One reason for me is to stay in touch with alternative networks. It
> keeps me up to date on I2P and Tor.

I get that. That's one of the reasons that I got my amateur radio
license. Knowledge of how to use something and being able to do so
completely above board.

> These networks may get a bad reputation from some bad players, but
> they are functioning networks, and there are plenty of people using
> them for very valid purposes.

Yep. See previous statement.

> I'm old enough to remember (and I would guess many of us in this
> group are), when using a BBS or the internet made you suspect.

I'm guessing that you probably started using computers 5-10 years before me.

> In the early 90s, my wife at the time found me talking (voice) to
> someone online using powwow and accused me of all sorts of stuff. It
> was new to me, voice over internet, and I just had to mess with it. I
> still have that same interest and excitement doing things online.

Chuckle.

--
Grant. . . .
unix || die

Re: Usenet peering over Tor

<slrntaia98.2b2d5.jgoerzen@slrnh.complete.org>


https://www.novabbs.com/computers/article-flat.php?id=846&group=news.software.nntp#846

Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!news.quux.org!alexnews.alexandria.complete.org!.POSTED!not-for-mail
From: jgoer...@complete.org (John Goerzen)
Newsgroups: news.software.nntp
Subject: Re: Usenet peering over Tor
Date: Wed, 15 Jun 2022 00:34:48 -0000 (UTC)
Organization: Alexandria NNCP news system
Message-ID: <slrntaia98.2b2d5.jgoerzen@slrnh.complete.org>
References: <t60624$94k$1@dont-email.me>
Injection-Date: Wed, 15 Jun 2022 00:34:48 -0000 (UTC)
Injection-Info: alexnews.alexandria.complete.org;
logging-data="352747"; mail-complaints-to="jgoerzen@complete.org"
User-Agent: slrn/1.0.3 (Linux)
 by: John Goerzen - Wed, 15 Jun 2022 00:34 UTC

On 2022-05-17, Jason Evans <jsevans@mailfence.com> wrote:
> From my experience with running Tor onion services, it's quite easy to set up a
> server that can receive traffic over Tor. However sending traffic over Tor is
> another issue. It requires either setting up system proxies for outgoing
> traffic or wrapping the INN binaries in the torsocks application.

Late to the party I know, but I thought I might mention Yggdrasil:

https://yggdrasil-network.github.io/

Yggdrasil is an IPv6 global mesh network. It is always end-to-end encrypted,
and each node's IPv6 address is derived from its public key. You can therefore
do IP-based auth in traditional ways (in INN's config or with firewalls).
Yggdrasil shows up as a tun-type interface on your system.

Yggdrasil's goals are somewhat different than Tor's; it doesn't aim to provide
the kind of strong anonymity that Tor does, but rather it aims to be a
performant first-class network with modern security and routing.

I run NNCP over it and therefore already offer Usenet via NNCP over Yggdrasil
for those interested in that kind of peering.

There is no reason that you couldn't run INN over Yggdrasil because it's just
another interface to the system. Yggdrasil's design nicely avoids a lot of
problems with traditional IP networks (giving you a "direct" unfiltered
connection to the network, the IP address follows the device wherever it goes,
etc.)

John

Re: Usenet peering over Tor

<td3jpt$ums$1@nyheter.lysator.liu.se>


https://www.novabbs.com/computers/article-flat.php?id=1105&group=news.software.nntp#1105

Path: i2pn2.org!i2pn.org!eternal-september.org!reader01.eternal-september.org!nyheter.lysator.liu.se!.POSTED!not-for-mail
From: kem...@lysator.liu.se (Andreas Kempe)
Newsgroups: news.software.nntp
Subject: Re: Usenet peering over Tor
Date: Thu, 11 Aug 2022 19:03:25 -0000 (UTC)
Organization: Lysator ACS
Message-ID: <td3jpt$ums$1@nyheter.lysator.liu.se>
References: <t60624$94k$1@dont-email.me>
<04d569cad213f99655ed8364caeb11b7@news.novabbs.org>
<t699eg$ko8$1@tncsrv09.home.tnetconsulting.net>
<d4486ae4a0726e951ed7f46be3004d01@news.novabbs.org>
<t69tpm$fk2$1@tncsrv09.home.tnetconsulting.net>
<de5ff5e2f742e0a9224dd1747a8bdbd4@news.novabbs.org>
Injection-Date: Thu, 11 Aug 2022 19:03:25 -0000 (UTC)
Injection-Info: nyheter.lysator.liu.se; posting-account="kempe";
logging-data="31452"; mail-complaints-to="newsmaster@lysator.liu.se"
User-Agent: slrn/1.0.3 (FreeBSD)
 by: Andreas Kempe - Thu, 11 Aug 2022 19:03 UTC

On 2022-05-21, Retro Guy <retro.guy@rocksolidbbs.com> wrote:
> Grant Taylor wrote:
>
>> On 5/20/22 9:50 PM, Retro Guy wrote:
>>> Yes, that's true. I2P makes it much easier.
>
>> Would you please elaborate on what I2P does that's different?
>
> There are two features in I2P that help with this. One is that you
> can tie a client key (generated by the client) to a server tunnel.
> You can whitelist key(s) for this tunnel, and only allow specific
> clients to connect.
>

Sorry for coming in so late, but I want to point out that Tor does
support client keys for onions. You can generate keys and
configure Tor to only allow connections from clients with specific
keys.

It is a useful feature that can definitely increase security should
your onion address leak for some reason so I thought it worth
mentioning.

There are instructions available from the Tor project at
https://community.torproject.org/onion-services/advanced/client-auth/.

Best regards,
Andreas Kempe
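The client authorization Andreas describes is configured through two small files, and getting their encoding wrong silently leaves the service open to anyone who knows the address. The following is an added example of my own (not the Tor project's tooling) that writes and checks those files in the format documented on the Tor page linked above: a `descriptor:x25519:<key>` line in `<HiddenServiceDir>/authorized_clients/<name>.auth` on the service, and an `<address>:descriptor:x25519:<key>` line in a `.auth_private` file under the client's `ClientOnionAuthDir`. The key bytes and the onion address are constructed placeholders; real keys come from an x25519 key generator (the linked page shows doing it with openssl), and the file names are assumptions.

```python
import base64
import re

KEY_LEN = 32                                    # x25519 keys are 32 bytes
V3_ADDRESS = re.compile(r"^[a-z2-7]{56}$")      # v3 onion address without ".onion"

# Constructed placeholders, NOT a real key pair or a real service.
SAMPLE_CLIENT_PUB = bytes(range(32))
SAMPLE_CLIENT_PRIV = bytes(range(32, 64))
SAMPLE_ONION = "a" * 56 + ".onion"


def tor_b32(raw):
    """Base32 as the auth files expect it: upper case, no '=' padding."""
    if len(raw) != KEY_LEN:
        raise ValueError("x25519 key must be %d bytes" % KEY_LEN)
    return base64.b32encode(raw).decode("ascii").rstrip("=")


def tor_b32_decode(text):
    """Inverse of tor_b32(): restore padding, accept either case."""
    pad = "=" * (-len(text) % 8)
    return base64.b32decode(text.upper() + pad)


def service_auth_entry(client_pub):
    """Line for <HiddenServiceDir>/authorized_clients/<client-name>.auth."""
    return "descriptor:x25519:" + tor_b32(client_pub)


def client_auth_private(onion_address, client_priv):
    """Line for <ClientOnionAuthDir>/<name>.auth_private on the connecting client."""
    suffix = ".onion"
    addr = onion_address[:-len(suffix)] if onion_address.endswith(suffix) else onion_address
    if not V3_ADDRESS.match(addr):
        raise ValueError("not a v3 onion address: %r" % onion_address)
    return "%s:descriptor:x25519:%s" % (addr, tor_b32(client_priv))


def parse_service_auth_entry(line):
    """Recover the client's public key from a .auth line; reject anything else."""
    prefix = "descriptor:x25519:"
    if not line.startswith(prefix):
        raise ValueError("unexpected auth entry format")
    key = tor_b32_decode(line[len(prefix):])
    if len(key) != KEY_LEN:
        raise ValueError("decoded key has wrong length")
    return key


if __name__ == "__main__":
    print("service side :", service_auth_entry(SAMPLE_CLIENT_PUB))
    print("client side  :", client_auth_private(SAMPLE_ONION, SAMPLE_CLIENT_PRIV))
```

Only the public key leaves the client; the service directory holds one `.auth` file per authorized peer, which makes revoking a peer a matter of deleting its file and reloading tor.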

Re: Usenet peering over Tor

<716b67d5c767e7c58e0d94872143acac@news.novabbs.org>


https://www.novabbs.com/computers/article-flat.php?id=1106&group=news.software.nntp#1106

Path: i2pn2.org!.POSTED.novabbs-org!not-for-mail
From: retro....@rocksolidbbs.com (Retro Guy)
Newsgroups: news.software.nntp
Subject: Re: Usenet peering over Tor
Date: Sat, 13 Aug 2022 10:15:44 +0000
Organization: Rocksolid Light
Message-ID: <716b67d5c767e7c58e0d94872143acac@news.novabbs.org>
References: <t60624$94k$1@dont-email.me> <04d569cad213f99655ed8364caeb11b7@news.novabbs.org> <t699eg$ko8$1@tncsrv09.home.tnetconsulting.net> <d4486ae4a0726e951ed7f46be3004d01@news.novabbs.org> <t69tpm$fk2$1@tncsrv09.home.tnetconsulting.net> <de5ff5e2f742e0a9224dd1747a8bdbd4@news.novabbs.org> <td3jpt$ums$1@nyheter.lysator.liu.se>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Info: i2pn2.org; posting-account="novabbs.org"; posting-host="novabbs-org:10.136.143.187";
logging-data="16580"; mail-complaints-to="usenet@i2pn2.org"
User-Agent: Rocksolid Light (www.novabbs.com/getrslight)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on novabbs.org
X-Rslight-Site: $2y$10$x4h6H9jdMFMe1a7LQOYcQufyWiie8LJNlpGN43ij6HnIW5NkaYsrS
X-Rslight-Posting-User: 91053d4a47d51b416144568e5a1040f05e31ed1b
X-Face: .&YR-G(w(DZ$$,}%k=]*5*!p'=(anr"IT`wZG'2VWdfl\r)l[42u7JH`n(JUQ*e5*A|XCDf
?&\X&uwkl38"CYX3O8m}C8E4p'%N$2#kSTVzx{Ly|DjLT\Vk7NE}NQ(VC$Yq]i:7|z[.9iv^g>*8_B
H0=hZt'[%)4kG|
 by: Retro Guy - Sat, 13 Aug 2022 10:15 UTC

Andreas Kempe wrote:

> On 2022-05-21, Retro Guy <retro.guy@rocksolidbbs.com> wrote:
>> Grant Taylor wrote:
>>
>>> On 5/20/22 9:50 PM, Retro Guy wrote:
>>>> Yes, that's true. I2P makes it much easier.
>>
>>> Would you please elaborate on what I2P does that's different?
>>
>> There are two features in I2P that help with this. One is that you
>> can tie a client key (generated by the client) to a server tunnel.
>> You can whitelist key(s) for this tunnel, and only allow specific
>> clients to connect.
>>

> Sorry for coming in so late, but I want to point out that Tor does
> support client keys for onions. You can generate keys and
> configure Tor to only allow connections from clients with specific
> keys.

> It is a useful feature that can definitely increase security should
> your onion address leak for some reason so I thought it worth
> mentioning.

> There are instructions available from the Tor project at
> https://community.torproject.org/onion-services/advanced/client-auth/.

Thank you for this info and link. I was not aware this is possible with tor.

--
Retro Guy

Re: Usenet peering over Tor

<nsn.20221017081652.1355@scatha.ancalagon.de>


https://www.novabbs.com/computers/article-flat.php?id=1296&group=news.software.nntp#1296

Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!news.szaf.org!thangorodrim.ancalagon.de!.POSTED.scatha.ancalagon.de!not-for-mail
From: thh...@thh.name (Thomas Hochstein)
Newsgroups: news.software.nntp
Subject: Re: Usenet peering over Tor
Date: Mon, 17 Oct 2022 08:16:59 +0200
Message-ID: <nsn.20221017081652.1355@scatha.ancalagon.de>
References: <t60624$94k$1@dont-email.me> <slrntaia98.2b2d5.jgoerzen@slrnh.complete.org> <t8d3md$hom$1@tncsrv09.home.tnetconsulting.net> <slrntakiu4.2tvuv.jgoerzen@slrnh.complete.org> <t8qma0$2si$1@tncsrv09.home.tnetconsulting.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Injection-Info: thangorodrim.ancalagon.de; posting-host="scatha.ancalagon.de:10.0.1.1";
logging-data="16419"; mail-complaints-to="abuse@th-h.de"
User-Agent: ForteAgent/8.00.32.1272
X-NNTP-Posting-Date: Mon, 17 Oct 2022 08:16:52 +0200
X-Clacks-Overhead: GNU Terry Pratchett
Cancel-Lock: sha1:r0815LWCQMXMiesWQshAa4g3zkA=
X-Face: *OX>R5kq$7DjZ`^-[<HL?'n9%\ZDfCz/_FfV0_tpx7w{Vv1*byr`TC\[hV:!SJosK'1gA>1t8&@'PZ-tSFT*=<}JJ0nXs{WP<@(=U!'bOMMOH&Q0}/(W_d(FTA62<r"l)J\)9ERQ9?6|_7T~ZV2Op*UH"2+1f9[va
 by: Thomas Hochstein - Mon, 17 Oct 2022 06:16 UTC

Grant Taylor wrote:

> What addresses does Yggdrasil Network use? It looked to me like they
> were using IPv6 addresses that aren't currently routed globally. I
> think I saw a few different /16 xx:xx::/xx networks listed in
> documentation. But I didn't see anything that actually clearly stated
> what Yggdrasil Network uses.

| Will Yggdrasil conflict with my network routing?
|
| Yggdrasil uses the 0200::/7 range, which is a range deprecated by the
| IETF. It has been deprecated since 2004, pending changes to an RFC which
| simply never materialised all these years later. It was decided to use
| this range instead of fc00::/7 (which is more typically allocated to
| private networks) in order to prevent conflicts with existing ULA ranges.
<https://yggdrasil-network.github.io/faq.html>

> I naively assume that standard destination based routing is used such
> that the kernel sends traffic for various destinations into the tun0 /
> ygg0 / etc. network interface and the Yggdrasil Network daemon handles
> the rest.

Looks like that.

> My opinion is that the Yggdrasil Network's website is lacking a
> significant amount of technical documentation.

Most probably that's "in the code", currently, and nobody wrote it down
yet. :)

-thh
