Why is I2P set as a server for I2P and shares traffic when Tails is set as client only for the TOR network ?

I2P is designed around the idea that every node should be "participating", i.e. relaying other I2P users traffic. After all, it is I2P's default setting to have it enabled. Assuming that very few I2P users deviate from this default, if we'd disable it, it'd make "non-participating I2P users" a way to identify Tails users with some probability.

How is the attention of bringing all that traffic to a PC helping with anonymity. ?

That's irrelevant. I2P makes no real effort to hide the fact that you're using it even if you use the Hidden mode (i.e. no participating traffic, and your IP address isn't published in the I2P NetDB). Essentially I2P in Hidden mode is the same as being a Tor client that's not using a bridge. Hence the adversary would just have to keep a list of all participating I2P nodes (trivial) and check whether you're connecting to any of them (trivial in Tails' threat model).

So, until I2P implements something like Tor bridges (they have a proposal for it called "fully restricted routes") the Hidden mode is irrelevant w.r.t. attracting attention. If anything it may attract more attention because an adversary may interpret it as suspicious (i.e. clueless users that want to be "extra anonymous" activate it).

@ good points:

I agree with the comment that i2p should be started in hidden mode for tails. I2P benifits greatly from i2prouters that are online for very long periods at a time, tails users imo wont fit in to this, and this can have the opposite effect at being helpful to the network

I'm amazed to see a (basically) good technical point after the thread has gone this wild. While this point isn't completely correct, it at least lead me to realize another reason to run I2P in hidden mode which I believe is valid.

It's true that short-lived participating I2P nodes that kill their I2P identity (due to lack of persistence in a live environment) after shutdown are of limited worth to the network since they won't earn enough reputation to relay with full capacity. They won't harm the network, though, just not achieve their full potential. They can improve their reputation somewhat by making the I2P identity persistent (see ?todo item).

As you can see, short-lived participating nodes, with or without persistent I2P identity, are not harmful. What is harmful is to kill I2P ungracefully, and I expect this to be a prevalent behaviour among Tails users. For I2P to shutdown gracefully, it needs up to 11 minutes to let all its current participatory tunnels to expire. Killing I2P before that makes peers using these participatory tunnels experience timeouts and disconnects, which most definitely is bad for the network. Since Tails users are likely to shutdown Tails quickly without waiting these 11 minutes, this is a good reason to enable hidden mode = disable participating traffic.

See the new todo item ?i2p hidden mode.

The level of confusion in this thread is astounding. Below I will try to tackle the worst of what I sampled (I don't have enough sanity to read all of this thread), and I will answer the same thing repeatedly in hope that that will make it sink in.

The short tl;dr is: I2P is safe in Tails' threat model, with or without "hidden mode".

The longer tl;dr is:

1. Running an I2P client is not worse in any meaningful way compared to running a Tor client, at least in Tails' threat model (which is the same as the one Tor assumes).
2. Actually I2P is worse than Tor in that it lacks something like Tor bridges. If you require Tor bridges to hide your Tor usage (not for censorship circumvention), and want the same for I2P, then you are out-of-luck. Don't use I2P in this particular case.
3. Running an I2P client which has its IP address published in the I2P netDB is equally anonymous as an I2P client in "hidden mode", at least in Tails' threat model, and by our definition of anonymity (which has to do with correlating activity (e.g. which web sites you visit) with origin (your IP address)).
4. For point 3 above to become invalid we need a threat model with a weaker adversary than what Tails currently has. Hence the things you are worrying about regarding I2P are pointless since assuming a weaker adversary than the one in Tails' threat model, which would allow us to do super insecure stuff that completely breaks anonymity in the real world.

So, here comes the Tails vs. I2P FAQ or something like that:

@ Confused:

i2p uses a different protocol from https and can be distinguished by a sophisticated adversary even when encrypted inside Tor circuits.

I2P uses a different protocol, yes. Even a sophisticated adversary most likely can't identify I2P traffic going through a Tor circuit. For the record, Tails doesn't pipe I2P through Tor. I2P conntects directly to the Internet, like it is intended.

However, what matters is this: When using I2P any adversary with the same capabilities as your ISP can easily see that you are connecting to the I2P network. It's equally simple for such an adversary to see that Tor client connects to the Tor network. This is what's relevant.

i2p does NOT start up when you boot tails but only if you call it from the menu (or from a shell).

Correct.

The fact that Tails users even have i2p installed at all distinguishes them from other Tor users.

Incorrect. You need to start I2P for it to make any difference. The difference it makes is that an adversary that can observe your traffic (e.g. you ISP) can see that you are using both Tor and I2P in parallel. If that is an uncommon combination it could serve as a way to identify Tails users that start I2P, but I suspect it is common enough to make such a classifier very inefficient.

i2p sharing involves passing encrypted data, which can be logged and which can possibly be decrypted by a sophisticated adversary who obtains by hook or crook SSL session keys, possibly sometimes revealing content with which the hapless Tails user would not wish to be associated, particularly not in the eyes of the law.

This is very unlikely, and it should be pointed out that Tor is no better in this respect (in fact I2P uses much stronger crypto than Tor currently does).

Even if an adversary cannot decrypt the data passed on by a particular IP participating in the i2p network, he can easily determine the IP addresses of participating computers, and probably correlate this with the IP addresses of Tails users. (Guilt by association happens in real courtrooms all the time, so I think this is valid cause for concern.)

I2P and Tor are completely equal in this regard.

The Tails developers feel that participating in i2p sharing provides some kind of "camouflage". Referring, I think, to potential issues like traffic analysis, or timing or Entry-Exit correlation attacks which might identify Tor users. But aren't there less dangerous forms of real or fake traffic which could help slow traffic analysis or timing/correlation attacks? Like occasionally requesting popular or random Wikipedia pages, or the landing pages of popular websites?

The camouflage/cover-traffic argument is pretty weak, I have to admit, but it never was the main argument in favour of participating in I2P. Doing cover traffic right is hard, and what you suggest isn't good enough. For it to do anything it has to be a constant cover flow, and even then it's arguable how efficient it is.

comment 85 So if i was using Comcast and i connected to a I2P user on Verizon then both ISPs would log our ip address connection and association with each other ???

Yes. So the situation is the same as with Tor; both ISPs can see that one of them is a Tor client since the other is a Tor relay, which is public knowledge.

@ Tails handles i2p and Tor traffic separately

someone seemed to express above a concern that i2p shared content might be stored in /tmp files in a persistent volume, but I assume until told otherwise that it lives only in RAM when a Tails user enables i2p.

I2P doesn't cache any traffic it relays, so that encrypted data only lives in RAM.

@ comment 109

This is a very good post which clearly outlines the differences (or rather the lack of) between I2P and Tor. I recommend everyone to read it.

@ comment 113:

1)Pervert wishes to look at a I2P site with bestiality and I2P site also runs a Tor-Hidden server. 2)pervert send request to relays (tails users inc ) to hide him and his request. 3)Relay (tails users inc ) connects to I2P bestiality site and sends data back to pervert. So Tails users are making direct connects to target machines such as tor-hidden server machines and are having their IP addresses logged.

The same applies to the Tor relay that makes the final direct connection to the Tor hidden service. If what you describe is an issue the Tor network is doomed, since all relay operators are in the same situation as the I2P users. Luckily it isn't the case since relays in both Tor and I2P has pretty good deniability in this situation.

@ comment 114

See this is why as people are saying that I2P should not even be included with Tails as the vast majority of users think they have the same anonymity and are as hidden as Tor without knowing that they are in fact sharing their IP address directly with thousands of computers and ISP hosts.

Please realize that "sharing your IP address" in this context only means that whoever you shared it to knows that you are using I2P, not your activities within I2P.

When you use Tor every eavesdropper between you and the Tor network will know it, and that includes you ISP, government, NSA, ECHELON etc. In other words real adversaries will still see that your IP address connects to the Tor network. The same goes for I2P with hidden mode. At least Tails' threat model assumes such an adversary, so additional vectors of learning this fact (e.g. through I2P's netDB) are redundant and harmless.

@ comment 115

Tails comment 110 is a complete contradiction of Tails comment 5 ?

I changed my mind about the "hidden mode" option. Prior to comment 110 I hadn't thought about the nasty implications of ungracefully shutting down I2P. Sorry for the confusion.

I still think the best would be if Tails users could be participating I2P nodes so they won't leech the network. Then we could advertise I2P as the service to use for file-sharing and other things which are bad for the Tor network. But with I2P in hidden mode it's just as for the I2P network as it is for the Tor network.

And I definitely still think that "hidden mode" is irrelevant w.r.t. anonymity.

@ comment 117:

When using Tails I2P you are no longer using Tor and Iceweasel connects directly into the I2P network giving out your IP address to all the computers connected to it.

For the record, when using Tor you are also connecting directly to the Tor network (well, your Entry Guards). That's unavoidable. It's equally unavoidable to "leak" your IP address to all eavesdroppers between you and the Tor network (e.g. your ISP) (see answer to comment 114 above). So while what you say is almost true, it has no adverse implications for anonymity.

Tor Hides the Users Ip Address. I2P uses the users Ip addresses and computers to hide the I2P sites. As I2P makes no attempt to hide users Ip address and is the complete opposite of Tor i myself agree with others that it should have never been included with Tails.

This is completely incorrect. Both the client and destination in I2P builds their own tunnels that "meet" at some other node, so in other words it works (essentially) the same as with TorHidden services. This grants anonymity to both the client and destination; neither will know the other's IP address.

@ comment 119:

doesn't that mean, that all i2p traffic gets routed through tor, too? No, that would be Liberté Linux, which also uses I2P in hidden mode when I2P is enabled. Seems they think about potential issues before adding stuff to the distro, not after.

Liberte Linux' does that for completely different reasons: it proxies I2P through Tor. The reason Liberte does this is to make I2P work better behind excessive firewalls that only allow e.g. HTTP(s) traffic, for which Tor works somewhat better on its own. If hidden mode wasn't set in such a setup, the Tor/I2P client's IP address may be leaked in the I2P traffic to the Tor exit node, which is quite unneccesary as it kills any potential extra anonymity that Torification of I2P provides.

@ comment 121:

All this time i thought i was connecting through Tor and being protected when using I2p. >:[

I2P has the same anonymity properties of Tor, so you are equally "protected" when using I2P on its own.

You can't be anonymous and give out your computer address and location at the same time.

I think you have got confused by the (many) incorrect posts by uninformed users above because this doesn't make any sense. Tor is an anonymity network. I2P is an anonymity network. Why is directly connecting to the I2P network worse than directly connecting to the Tor network? In order to communicate with a computer over the Internet your IP address will leak no matter what. That's what the IP address is for, so people can send you shit back. And that's required with both Tor and I2P to use their anonymity service.

@ Disclaimer: I am an I2P developer:

Thanks for a very enlightening post!

However, there are countries which would be happy enough to just block any I2P user regardless of what they might be doing (though to my knowledge there have been no such blocks), and so for users in those countries (or more wary users elsewhere) "hidden mode" disables publishing of the router's IP:port in the network database.

Sure, but you have to admit (well you do in the next quote actually :)) that "hidden mode" is a very weak protection against censorship which is equivalent to detection that one is using I2P? In fact "hidden mode" is to me a sort of misnomer (router.participating=BOOL or similar would be more honest and less confusing, IMHO) as it gives the impression that it makes you hidden, akin to using bridges with Tor. What "hidden mode" in fact does is to put the I2P client in the exact same situation of a normal Tor client (not using bridges).

However, [Hidden mode] does not prevent your router from connecting to other routers in the network (as outlined above, this is necessary for I2P to function), and your IP could still be found via monitoring connections to other known I2P routers (or by an ISP monitoring connections) [added emphasis].

This is what I've been trying to say all along so please, other readers of this thread, make note of this: "hidden mode" is not a solution to hide the fact that you are using I2P. At least when dealing with the adversary in Tails' threat model.

@ comment 128:

A computer is running I2P , a hidden-tor server and a webpage. this computer get taken down through a raid. Every computer on the I2P network that has connected to it will show in the ISP logs as passing traffic for that computer regardless if the content is encrypted.

Say that the computer runs a Tor relay instead of a participating I2P node. Then every other Tor relay that connected to the computer (and every Tor client if the computer's Tor relay got the Guard flag) is in the same position. I'd find it much more likely that an operator of a Tor hidden service also runs a Tor relay compared to a participating I2P node. I expect either to be very uncommon, though.

Hence your example doesn't show that anything particular to I2P is broken. Rather it says that a responsible Tor hidden service operator shouldn't run other services on the same host (except other Tor hidden services, of course).