I2P
Download Tails 0.23 March 19, 2014
  1. Rationale
  2. Versions
  3. Design
  4. Implementation
  5. Ports allowed through the firewall
  6. Features that require an administration password
  7. Package source and upgrading I2P
    1. Check the binary packages
    2. Import the packages
  8. Things to meditate upon

Rationale

I2P is yet another anonymizing network (load-balanced unspoofable packet switching network) that provides access to eepsites (.i2p TLD); eepsites are a bit like Tor hidden services. Some users would like to be able to access eepsites from Tails.

Versions

I2P[https:/geti2p.net] has been included since Tails v0.7 with Iceweasel preconfigured using FoxyProxy so that eepsites (.i2p TLD) are directed to I2P. All other traffic gets routed through Tor.

Design

I2P has seen increased growth over the last few years with around 30,000 active peers routing traffic but it is still not as well known as Tor. I2P is not started automatically. Some reasons behind this decision include:

  1. increased usage of the system CPU (lots of computationally heavy crypto is needed for relaying traffic) and RAM (Java based)

  2. the possible raised suspicion from adversaries by being associated with yet another anonymity network (especially severe if one uses Tor bridges)

  3. some level of system compromise through 0-day exploits in the I2P client

Users that want to use I2P must start it manually from the Applications menu. In the future one may be able to start I2P during boot (see the boot menu TODO page).

Implementation

The I2P project hosts an APT repository from which users can easily install I2P. It installs the application to /usr/share/i2p. Upon the first start template files are copied, with changes, to the data directory at /var/lib/i2p/i2p-config/. This separation is essential and was not possible some years ago. This package includes an initscript which is configured by default to start the I2P client as the i2psvc user.

The above package is installed but its init script is not automatically run during boot. Instead, an I2P shortcut has been added to the applications menu which the user can use to start the I2P init script manually. A side-effect of installing the actual I2P program into /usr is that automatic updates are disabled by the program since the installation directory is not writable by the i2psvc user.

For better performance an exception has been made in the firewall configuration that grants direct access to the network for the I2P user running the client so it can reach the I2P network directly, both through TCP and UDP. As per the standard I2P configuration, UPnP will try to set up port-forwarding with any present firewall so that full performance can be achieved.

The I2P router is configured to run in hidden mode: killing I2P ungracefully is bad for the I2P network, and this is most likely a prevalent behaviour among Tails users. For I2P to shutdown gracefully, it needs up to 11 minutes to let all its current participatory tunnels to expire. Killing I2P before that makes peers using these participatory tunnels experience timeouts and disconnects, which most definitely is bad for the network. Since Tails users are likely to shutdown Tails quickly without waiting these 11 minutes, this is a good reason to enable hidden mode, that is to disable participating in I2P traffic: config/chroot local-hooks/16-i2p config.

FoxyProxy has been installed system-wide, and the default iceweasel profile provides with a configuration handling the I2P integration. FoxyProxy's whitelist filter is used to make sure that the corresponding urls will be proxied appropriately.

Below are the patterns that each url handeled by iceweasel will be matched against. These patterns will be tried in order, from top to bottom, until the first match is found:

  1. The I2P router console: urls matching the http://127.0.0.1:7657/* wildcard pattern will get a direct connection to the local host so the I2P router console can be reached.

  2. The local eepsite: urls matching the http://127.0.0.1:7658/* wildcard pattern will get a direct connection to the local host so the locally hosted eepsite can be reached.

  3. I2P eepsites: urls matching the ^https?://[-a-zA-Z0-9.]+\.i2p(:[0-9]{1,5})?(/.*)?$ regexp will be proxied through the local eepsite HTTP proxy run by the I2P client. Implementation note: FoxyProxy encloses the regexps between ^ and $ itself since isMultiLine="false", that's why the regexp in foxyproxy.xml lacks these chars.

  4. Tor HTTP(s): urls matching one of the https://* and http://* wildcard patterns will be proxied through polipo (and then its parent proxy, Tor).

  5. The rest: all remaining urls will be SOCKS5-proxied through Tor.

Also, do note that Tails' netfilter-based blocking ensures that no Internet traffic can be escape both Tor or I2P (and thus be non-anonymous) even if something is wrong in the above filters (or a future revision).

Ports allowed through the firewall

Services on I2P are accessed through tunnels built by I2P. Services that a user hosts, such as an eepsite or IRC Server are accessed remotely via Server Tunnels. End users will access services using client tunnels. I2P is shipped with a few tunnels preconfigured and the ports that they use have exceptions added to ferm. These ports include:

  • 2727, BOB: BOB is an application bridge allowing non-Java clients to interact with I2P.
  • 4444, I2P HTTP Proxy: Used to access sites with the .i2p TLD
  • 4445 ,HTTPS Outproxy tunnel: Disabled in by default in Tails in I2PTunnel since all HTTPS traffic in Tails gets routed through Tor.
  • 6668, Tunnel to Irc2P: Used to connect to the main I2P-only IRC network
  • 7656, SAM: SAM is an application bridge allowing non-Java clients to use I2P. More information: SAMv1, SAMv2,
  • 7657, I2P router console: The router console is accessible in the web browser at http://127.0.0.1:7657
  • 7658, local 'eepsite': Each I2P installation is configured out of the box with the possibility to host one's own website (or eepsite) on the I2P network. The eepsite will not be acessible remotely unless its tunnel is started.
  • 7659, SMTP Proxy: Tunnel to smtp.postman.i2p. More information is available from within I2P at Postman's HQ
  • 7660, POP3 Proxy: Tunnel to pop3.postman.i2p. More information is available from within I2P at Postman's HQ
  • 8998, MTN Proxy: Tunnel to mtn.i2p2.i2p, a Monotone server.

Features that require an administration password

The amnesia user does not have access to /var/lib/i2p. In practice this will not be an issue unless one wants to

  • host content on an eepsite
  • use the integrated I2P-only bittorrent client, I2PSnark

In order to utilize these features users need to set an administration password.

Package source and upgrading I2P

Tails uses the I2P (and deps) Debian packages prepared by KillYourTV, the official I2P Linux package maintainer as listed on the I2P Team page. The I2P source package and its binaries are imported into to our own APT repository into the devel or stable suite. The suite will depend on whether a major- or point-release is being prepared.

Check the binary packages

Content

dpkg-deb --contents i2p-router_*.deb | awk '{print $6}' | \
   grep -v -E '^\./($|usr/(share/doc/i2p-router/|share/i2p/|share/$|share/doc/$|bin/eepget|bin/i2prouter-nowrapper|share/man/man1/eepget\.1\.gz$|share/man/$|share/man/man1/$|bin/$|$))'

dpkg-deb --contents i2p_*.deb | awk '{print $6}' | \
   grep -v -E '^\./($|etc/$|etc/i2p/|etc/init\.d/i2p$|etc/init\.d/$|usr/$|usr/share/$|usr/share/man/$|usr/share/man/man1/$|usr/share/man/man1/i2prouter\.1\.gz$|usr/share/doc/$|usr/share/doc/i2p$|usr/bin/$|usr/bin/i2prouter$)'

dpkg-deb --contents libjbigi-jni_*.deb | awk '{print $6}' | \
   grep -v -E '^\./($|usr/$|usr/lib/$|usr/lib/jni/|usr/share/$|usr/share/doc/$|usr/share/doc/libjbigi-jni$)'

Maintainer scripts

Have a look at *.{pre,post}{inst,rm}.

Import the packages

  1. scp the source and binary packages to incoming.deb.tails.boum.org
  2. move the uploaded files somewhere, and set permissions on it, so that the reprepro user can read it
  3. use reprepro includesrc to import the source package(s)
  4. use reprepro includedeb to import the binary package(s)

Things to meditate upon

  • Pattern 4 will catch ftp://.* and redirect them to Tor through SOCKS5. This effectively breaks FTP completely, so there's room for adding a pattern above number 4 which matches ftp connections (i.e. ^ftp://.*) and proxies them through some ftp proxy using Tor as its parent proxy. See FTP in Iceweasel. As an addition, at the moment (versions <=0.8) ftp does not work in I2P for technical reasons, so no pattern for that is needed.

  • Do we want to enable the "Hidden mode" which completely disables participating traffic?

  • Pros:

  • the IP address will not be published in I2P's distributed NetDB so any adversary trying to enumerate all I2P users can only find the user if he or she happens to use the adversary as an entry to the I2P network. Hence the reason not to enable I2P per default due to increased suspicion (3) is somewhat alleviated.

  • there will be no additional network traffic used for relaying other I2P peers traffic, so the network traffic reason (1) for not starting I2P per default is essentially completely eliminated, and the CPU/RAM reason (2) is made considerably less severe.

  • Cons:

  • there's no "cover-traffic", which may decrease the anonymity somewhat.

  • Are the patterns used above correct for their intended purposes? Does the FoxyProxy setup in any way open up for attacks? See iceweasel addon - FoxyProxy.