Bienvenido! - Willkommen! - Welcome!

Bitácora Técnica de Tux&Cía., Santa Cruz de la Sierra, BO
Bitácora Central: Tux&Cía.
Bitácora de Información Avanzada: Tux&Cía.-Información
May the source be with you!

Wednesday, November 16, 2011

Anonymizing your network

I2P is an anonymizing network, offering a simple layer that identity-sensitive applications can use to securely communicate. All data is wrapped with several layers of encryption, and the network is both distributed and dynamic, with no trusted parties.
Many applications are available that interface with I2P, including mail, peer-peer, IRC chat, and others.
The I2P project was formed in 2003 to support the efforts of those trying to build a more free society by offering them an uncensorable, anonymous, and secure communication system. I2P is a development effort producing a low latency, fully distributed, autonomous, scalable, anonymous, resilient, and secure network. The goal is to operate successfully in hostile environments - even when an organization with substantial financial or political resources attacks it. All aspects of the network are open source and available without cost, as this should both assure the people using it that the software does what it claims, as well as enable others to contribute and improve upon it to defeat aggressive attempts to stifle free speech.
Anonymity is not a boolean - we are not trying to make something "perfectly anonymous", but instead are working at making attacks more and more expensive to mount. I2P is a low latency mix network, and there are limits to the anonymity offered by such a system, but the applications on top of I2P, such as Syndie, I2P mail, and I2PSnark extend it to offer both additional functionality and protection.
I2P is still a work in progress. It should not be relied upon for "guaranteed" anonymity at this time, due to the relatively small size of the network and the lack of extensive academic review. It is not immune to attacks from those with unlimited resources, and may never be, due to the inherent limitations of low-latency mix networks.
I2P works by routing traffic through other peers, as shown in the following picture. All traffic is encrypted end-to-end. For more information about how I2P works, see the Introduction
2011-11-08 - I2P 0.8.11 - Announcement - Download 
Java Runtime 1.5 or higher. (Oracle/Sun Java Version 6, OpenJDK 6, or IcedTea6 recommended)
Determine your installed Java version here or type java -version at your command prompt.
Clean installs 
Graphical installer: 
i2pinstall_0.8.11.exe (SHA256 fa3d566874f196e32e1d5987d3dedb956cfa0b2a93a0735e53d6dd9fa2b1769a sig)
Download that file and run it.If you're not on windows you can type java -jar i2pinstall_0.8.11.exe in a terminal to run the installer. Mac users can avoid going to the terminal by renaming the downloaded file to end with .jar and then double-clicking the installer. On other platforms you may be able to right-click and select "Open with Java".
Command line (headless) install:
Download the graphical installer file above and run  
java -jar i2pinstall_0.8.11.exe -console 
from the command line. This will work on windows. linux, and mac (yes really).
After running the installer on windows, simply click on the "Start I2P" button which will bring up the router console, which has further instructions

  • 1. Introduction
  • 2. Legal Disclaimer
  • 3. The Problem with Tor
  • 4. How it Works
    I2P uses bundeled encryption over a multi-proxy like Tor. The packets are bounced all over the globe with anyone using I2P. However, the packets are encrypted with ElGamal and AES encryption. Using bundled encryption like this allows a packet to only decrypt the next hop as it passes through various nodes on its path. I2P is end-to-end encryption. Nothing is else is decrypted along its path including the sender and recipient. Once inside the network ip addresses are not even used. Your node is assigned an address of garbled text to use as an identifier. I2P is also a decentralized network. Every client is also a server on the network. This allows no single point of failure and more anonymity. There are tons of documents in the I2P control panel explaining this more in depth. For now, that should give you a good overview on how I2P works.
  • 5. Beyond Web Surfing
  • 6. Installation
  • 7. How Strong is I2P?
  • 8. Where this can be improved
  • 9. Conclusion
6. InstallationBefore you begin, you should make sure you have Java 1.5 or greater installed. If not, install it now.
# apt-get install sun-java6-jre
Whether Debian or Ubuntu, the repos for this package are the same. Add the following lines repository sources.
# The actual repo for i2p on Debian, even though its ubuntu
deb natty main
deb-src natty main
Now we update our packages and use apt-get again to install I2P.
# apt-get update
# apt-get install i2p
Now that the package is installed, we still have one more thing to take care of. By default i2p runs on port 20,000. If you are using a NAT firewall you need to open that port in your router's settings. Depending on how iptables is configured in your OS, you may have to allow the port to be open there too. Here are some iptables commands that will allow traffic with TCP and UDP on that port.
iptables -I INPUT 1 -i wlan0 -p tcp --tcp-flags SYN,RST,ACK SYN 
--dport 20000 -m conntrack --ctstate NEW -j ACCEPT

iptables -I INPUT 1 -i wlan0 -p udp --dport 20000 -m conntrack --ctstate NEW -j ACCEPT
As you can see here, I am specifying wlan0 as the interface to apply this rule. You may need to supply a different interface or remove this and -i to make applicable to all interfaces. I will show you later how to change the port i2p is using. For now we need to get it running first.
The last thing we need to do is start our i2p router. This is what we will use each time to start and stop i2p on our machine.
$ sh /usr/bin/i2prouter start
Starting I2P Service...
Waiting for I2P Service.....
running: PID:26163
Since i2p is decentralized, you will need a few minutes to gather peers. While using kde, Konqueror will pop up shortly displaying the i2p router console. If not, you can navigate to in your browser after a few seconds. You should see something like the image below.
i2p router console
On the left panel, there is a section marked Peers. The i2p console suggests having at least ten peers before attempting to begin. However, depending on how much speed those peers are uploading, this may not be sufficent to connect to a web page. I've found fourty to sixty peers is usually a good place to start. This may the point you want to make a cup of coffee as the part can take a while.
When first starting, the console will be testing the network. The console will show this on the left panel under Network. In a few seconds you should either say Ok or Firewalled. Firewalled means i2p is not getting through your firewall. Under the Tunnels section you should see either Accepting or Rejecting Tunnels. These are self-explanitory. The i2p console states that both of these can show false positives for broken connections. But if you experience any problems this is a good place to start.
You can also click on Bandwidth In/Out to set up the upload and download speed you would like to handle. Keep in mind that this not only affects you, but the entire network. When too people don't upload the entire network may slow to a crawl. You can also set what port you want i2p to run on in this section. Using the default may aid an attacker in discovering what you're running should this protocol become vulerable.
Once we have enough peers, we just need to configure Firefox to use the proxy. Go to Firefox's edit tab and select Preferences. Select the network tab and click the button marked Settings. Fill up the next pop-up box with these settings to tunnel Firefox through i2p.
settings to tunnel Firefox through i2p
Now we can surf the Internet without fear of everyone and their mother looking over our shoulder.
7. How Strong is I2P?
I2P claims to be strong enough to stop your mom, your ISP, or you government from finding where you connect. While I question the last one, I decided to test it for myself. I opened up Wireshark to sniff my packets while I did some surfing the net. Not only could I not see the websites I connected to, I couldn't see myself connecting the the I2P network either. On top of that, there was no http traffic shown. Mostly TCP packets that were blank or UDP that were only full of garbled text.
I decided to visit a site to try to reveal my ip and user-agent. What came back was an ip address on the other side of the globe and a user-agent string that claimed I was using Windows. This adds another level of protection as determining an OS is usually one of the first steps in an attack.
8. Where this can be improved
While this protocol just began in 2003, it is still very young. Worse yet, it is still very under-utilized. This is bad because very few people upload as much as they download. The more users who get on this network, the faster it will become. Perhaps some kind souls will dedicate some bandwidth to help this along.
Surfing the web seemed easy once you had enough peers. The only speed bump was that i2p does not play well with SSL. No https traffic makes it through. One can use a tool like to rip the SSL out of your traffic. Perhaps this kind of thing could be done by the development team without sslstrip. Imagine that, using sslstrip to actually improve security! I'll take AES over SSL any day.

No comments: