I2P_Developers/i2p.i2p
3
1
Fork 11
Code Issues 341 Pull Requests 6 Packages Projects Releases Wiki Activity

RAP/RAR flags interaction with subdbs #75

New Issue
Open
opened 2025-04-21 14:59:12 -04:00 by idk · 2 comments
idk commented 2025-04-21 14:59:12 -04:00
Owner
Copy Link

More questinos than answers, consider this a placeholder issue for now... Ripping out RAP/RAR would be another huge batch of changes, probably not the right time... anyway:

The goal of subdbs is to do a "better" job of isolation than the RAP/RAR flags do, right?

But the recent changes don't remove or deprecate the RAP/RAR flags, and actually add a couple setReceivedAsReply() calls in InboundMessageDistributor. Is this a temporary belt-and-suspenders plan, with RAP/RAR slated to be removed in some future release? If subdbs are "better", then could the RAP/RAR flags actually be interfering with the "correct" operation of the subdbs, and impairing whatever improvements subdbs are supposed to bring? Has this been tested? What's the plan?

Also, I have questions about the 2.3.0 change to KNDF.validate(ls), where the date comparison was changed to a deep equals, with a lot of TODO comments. I don't quite understand the point of that change but it's not clear that the author of the change does either. The code now only messes with the flags if the leasesets are (almost) completely identical, but if so, why mess with the flags at all? I think the change breaks some stuff, but not sure.

Anyway, now for 2.4.0, subnetdbs should impact what that 2.3.0 code is trying to do? Or not? But there's no further changes there...

More questinos than answers, consider this a placeholder issue for now... Ripping out RAP/RAR would be another huge batch of changes, probably not the right time... anyway: The goal of subdbs is to do a "better" job of isolation than the RAP/RAR flags do, right? But the recent changes don't remove or deprecate the RAP/RAR flags, and actually add a couple setReceivedAsReply() calls in InboundMessageDistributor. Is this a temporary belt-and-suspenders plan, with RAP/RAR slated to be removed in some future release? If subdbs are "better", then could the RAP/RAR flags actually be interfering with the "correct" operation of the subdbs, and impairing whatever improvements subdbs are supposed to bring? Has this been tested? What's the plan? Also, I have questions about the 2.3.0 change to KNDF.validate(ls), where the date comparison was changed to a deep equals, with a lot of TODO comments. I don't quite understand the point of that change but it's not clear that the author of the change does either. The code now only messes with the flags if the leasesets are (almost) completely identical, but if so, why mess with the flags at all? I think the change breaks some stuff, but not sure. Anyway, now for 2.4.0, subnetdbs should impact what that 2.3.0 code is trying to do? Or not? But there's no further changes there...
idk added the netdb label 2025-04-21 14:59:12 -04:00
idk self-assigned this 2025-04-21 14:59:12 -04:00
idk commented 2025-04-21 14:59:13 -04:00
Author
Owner
Copy Link

Agreed and thanks for the explanation. Yeah definitely definitely do not rip out RAP/RAR.

Point is that belt+suspenders is fine but if the belt disagrees with the suspenders, is that good or bad? Could be either. Or both. But there should be a long-term plan about it.

Agreed and thanks for the explanation. Yeah definitely definitely do not rip out RAP/RAR. Point is that belt+suspenders is fine but if the belt disagrees with the suspenders, is that good or bad? Could be either. Or both. But there should be a long-term plan about it.
idk commented 2025-04-21 14:59:13 -04:00
Author
Owner
Copy Link

But the recent changes don't remove or deprecate the RAP/RAR flags, and actually add a couple setReceivedAsReply() calls in InboundMessageDistributor. Is this a temporary belt-and-suspenders plan, with RAP/RAR slated to be removed in some future release? If subdbs are "better", then could the RAP/RAR flags actually be interfering with the "correct" operation of the subdbs, and impairing whatever improvements subdbs are supposed to bring? Has this been tested? What's the plan?

I didn't rip them out for at least 2 reasons

  1. I anticipate subDb's using more memory than the monolithic netDb with RAP/RAR flags, and have/am considering consider adding an option to disable subDb's on those devices. This is part of the reason we didn't catch the memory leak, it was just sort of assumed that we would want to keep the DB's around and that memory use would go up, but that was obviously an extremely inadequate analysis to be addressed in some of the other tickets.
  2. The general outline of the netDb deanonymization attacks is that the attacker sends a message containing a LeaseSet or RouterInfo to a client, then trying to obtain it back from a floodfill that it thinks is hosting that client in a way that it can prove happened. By preserving the RAP/RAR flags(possibily temporarily, possibly permanently), we can use them to analyze the subDb's for internal consistency and gain more insight into the path the attacks take. If they are working properly, client DB's should only have one set of flags, main DB's should only have another set of flags. So far this is true. 2.5. I want to see if I can use disagreements between the flags and the Client DB's to identify attempted attacks.

Response on validate() to come, I have to go through my email and chat logs to get the details but my basic recollection is that the attack relied on sending a crafted leaseSet belonging to the attacker to a floodfill, then the attacker sends a slightly altered version of it to a client that it thinks is hosted on the floodfill that it's talking to, then requests it back out of the floodfill that the client associated with. There were 2 or 3 attacks which followed this general form, which were the ultimate motivation for separating out the client DB's. If clients and floodfills were updating information owned by the other in a remotely discernible way then giving them separate DB's where dis-associated clients could not update information in eachother's subDb seemed like the long-term solution. This is also the reason the main DB was originally called the floodfill DB.

> But the recent changes don't remove or deprecate the RAP/RAR flags, and actually add a couple setReceivedAsReply() calls in InboundMessageDistributor. Is this a temporary belt-and-suspenders plan, with RAP/RAR slated to be removed in some future release? If subdbs are "better", then could the RAP/RAR flags actually be interfering with the "correct" operation of the subdbs, and impairing whatever improvements subdbs are supposed to bring? Has this been tested? What's the plan? I didn't rip them out for at least 2 reasons 1. I anticipate subDb's using more memory than the monolithic netDb with RAP/RAR flags, and have/am considering consider adding an option to disable subDb's on those devices. This is part of the reason we didn't catch the memory leak, it was just sort of assumed that we would want to keep the DB's around and that memory use would go up, but that was obviously an extremely inadequate analysis to be addressed in some of the other tickets. 2. The general outline of the netDb deanonymization attacks is that the attacker sends a message containing a LeaseSet or RouterInfo to a client, then trying to obtain it back from a floodfill that it thinks is hosting that client in a way that it can prove happened. By preserving the RAP/RAR flags(possibily temporarily, possibly permanently), we can use them to analyze the subDb's for internal consistency and gain more insight into the path the attacks take. If they are working properly, client DB's should only have one set of flags, main DB's should only have another set of flags. So far this is true. **2.5.** I want to see if I can use disagreements between the flags and the Client DB's to identify attempted attacks. Response on `validate()` to come, I have to go through my email and chat logs to get the details but my basic recollection is that the attack relied on sending a crafted leaseSet belonging to the attacker to a floodfill, then the attacker sends a slightly altered version of it to a client that it thinks is hosted on the floodfill that it's talking to, then requests it back out of the floodfill that the client associated with. There were 2 or 3 attacks which followed this general form, which were the ultimate motivation for separating out the client DB's. If clients and floodfills were updating information owned by the other in a remotely discernible way then giving them separate DB's where dis-associated clients could not update information in eachother's subDb seemed like the long-term solution. This is also the reason the `main` DB was originally called the `floodfill` DB.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
#1026
#1031
#1033
#1036
#1040
#1049
#1051
#1065
#1067
#1076
#1105
#1112
#1139
#1166
#1170
#1172
#1176
#1200
#1222
#1223
#1259
#1263
#1274
#1289
#1302
#1304
#1306
#1308
#1320
#1337
#1338
#1372
#1381
#1384
#1393
#1399
#1410
#1415
#1418
#1438
#1453
#1460
#1479
#1491
#1499
#1519
#1522
#1560
#1564
#1584
#1609
#1613
#1637
#1655
#1657
#1684
#1685
#1689
#1694
#1697
#1716
#1724
#1740
#1742
#1753
#1758
#1766
#1767
#1775
#1802
#1805
#1834
#1837
#1838
#1847
#1848
#1869
#1877
#1893
#1907
#1911
#1915
#1928
#1938
#1951
#1979
#1981
#1982
#1985
#1990
#1999
#2018
#2023
#2024
#2035
#2039
#2056
#2080
#2081
#2083
#2085
#2086
#2088
#2090
#2099
#2100
#2101
#2102
#2106
#2110
#2112
#2114
#2121
#2142
#2145
#2146
#2147
#2149
#2158
#2160
#2162
#2169
#2173
#2177
#2182
#2193
#2212
#2221
#2230
#2231
#2233
#2238
#2240
#2241
#2244
#2251
#2252
#2255
#2257
#2259
#2261
#2263
#2264
#2265
#2269
#2271
#2274
#2275
#2278
#2281
#2297
#23
#2302
#2303
#2304
#2305
#2306
#2309
#2319
#2323
#2324
#2325
#2336
#2337
#2340
#2341
#2346
#2350
#2363
#2371
#2374
#2375
#2376
#2381
#2386
#2393
#2396
#2402
#2411
#2420
#2421
#2426
#2428
#2429
#2431
#2433
#2434
#2446
#2459
#2467
#2472
#2475
#2496
#2497
#2506
#2509
#2512
#2540
#2562
#2572
#2608
#2609
#2613
#2619
#2620
#2625
#2640
#2641
#2642
#2643
#2646
#2647
#2650
#2653
#2655
#2656
#2658
#2660
#2664
#2670
#2672
#2675
#2680
#2681
#2682
#2689
#2690
#2691
#2695
#2700
#2701
#2703
#2704
#2705
#2707
#2711
#2721
#2729
#2730
#2733
#2734
#2735
#2736
#2737
#2738
#2750
#2751
#2754
#2763
#2764
#2766
#2771
#2772
#2773
#2774
#2775
#2780
#2782
#2792
#2793
#2795
#2796
#2799
#2801
#2802
#2803
#2805
#2807
#371
#374
#375
#376
#377
#378
#380
#381
#383
#384
#385
#386
#392
#44
#532
#629
#662
#666
#689
#691
#698
#699
#719
#725
#730
#731
#738
#745
#752
#774
#816
#818
#82
#829
#847
#857
#888
#933
#961
#971
#977
#981
0.9.18
0.9.20
0.9.21
0.9.23
0.9.24
0.9.25
0.9.27
0.9.28
0.9.29
0.9.30
0.9.31
0.9.32
0.9.33
0.9.35
0.9.36
0.9.37
0.9.38
0.9.39
0.9.42
0.9.43
0.9.45
0.9.46
0.9.47
0.9.48
0.9.49
0.9.50
0.9.9
BOB
I2CP
SAM
addressbook
api
apps
blocker
build
console
critical
crypto
data
debian
defect
docker
duplicate
easy-install bundle
enhancement
eventually
general
i2psnark
i2ptunnel
infrastructure
installer
jetty
maintenance
major
minor
misc
naming
netdb
not a bug
not our bug
package
profiles
research
router
soon
streaming
susidns
susimail
systray
task
tests
transport
trivial
tunnels
unconfirmed
undecided
update
utils
website
wontfix
works-for-me
wrapper
No Label netdb
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
echelon idk zzz
No Assignees idk
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: I2P_Developers/i2p.i2p#75
No description provided.
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?