Cloud-based Censorship Resistant I2P Reseeding

From early March until April, 2019, we conducted measurements from 1.7K network locations located in 164 countries to examine the accessibility of four different I2P services: the official homepage, its mirror site, reseed servers, and active relays in the network. We could identify blocking attempts in five countries. China consistently hinders access to I2P by poisoning DNS resolutions of the I2P homepage and reseed servers; SNI-based blocking was detected in Oman and Qatar when accessing the I2P homepage over HTTPS; TCP packet injection was detected in Iran, Oman, Qatar, and Kuwait when visiting the mirror site via HTTP; and explicit block pages were discovered when visiting the mirror site from Oman, Qatar, and Kuwait. Our findings were presented at the 9th USENIX Workshop on Free and Open Communications on the Internet.

To remedy the SNI-based blocking problem, we recently set up an I2P reseed server over Cloudflare since this is the only provider currently supporting Encrypted SNI. To cope with the problem of several censors preventing users from using I2P by blocking access to the download homepage and reseed severs, we opt to mirror the latest I2P installation packages and reseed bundle on major cloud providers as this is one of the ways to hinder network filtering by making the cost of collateral damage as high as possible. The installation packages will be updated as soon as new version is released, while the reseed bundle will be updated periodically to provide censored users with currently active relays in the network. To that end, the censors will have to bare high collateral damage to block access to all of the aforementioned cloud service providers to prevent I2P users from manually reseeding. While the censors can also block access to active I2P relays contained in the reseed bundle, we did not notice such a blocking case in the wild.

To that end, censored users can download the installation packages and the latest reseed bundle from these cloud storage providers:

With the reseed bundle fetched from one of the above cloud storages, censored users can manually reseed from the I2P router console http://localhost:7657/configreseed (or http://localhost:7647/configreseed if the client is an I2P Browser bundle on MacOS) by clicking Browse to point to the reseed bundle under Reseed from File.

In addition to hosting on cloud storages, we also distribute the installation packages and the reseed bundle on the InterPlanetary File System (IPFS), which is an emerging technology that powers the Distributed Web. Moreover, contents on IPFS are harder to block because content on IPFS is stored on several IPFS nodes distributed across the globe. Files stored on IPFS can be located by Content Identifiers (CID). In order to fetch files from IPFS, users can install IPFS on their machine, or use one of the public IPFS gateways, which can be found here.

To download a file or a directory, users can simply append the CID of that file/directory to the URL of the above public IPFS gateways. The CID of the directory, where the current I2Pv0.9.42 installation packages are stored, is QmU1HJvxvzpizLHm84zg3yEYvaRvfPJWabj5ZGfWtejw2B, and the CID of the I2P browser for MacOS QmdNJ1zA7P6VSDmMZ8YhicgHKzzU8KhLaRTaNfQcnuzbHr. Users can visit these URL to download installation packages:

For the reseed bundle, its CID can be obtained by querying the DNS TXT record of the domain _dnslink.reseed.np-tokumei.net. This TXT record is changed periodically as the content of the reseed bundle is also changed frequently. In Unix environment, users can use dig command to get the CID of the latest reseed bundle. For instance, at the time of composing this post, the TXT record was returned as follow.

dig +short _dnslink.reseed.np-tokumei.net TXT

output: "dnslink=/ipfs/QmTdoTuxdThXjDvDpQ5ihByXAaLxMQw1h3JNg3Lr16QDC3"

Users can simply take the above CID (i.e., QmTd...) and append it to any of the public IPFS gateways to download the reseed bundle. Then, from the I2P router console, the reseed bundle can be used for manual reseeding as shown above.

It is worth noting that censors can always interfere with the DNS resolution process above. Thus, it is desirable that the DNS resolution of _dnslink.reseed.np-tokumei.net should be conducted using DNS over HTTPS/TLS techniques. Alternatively, any online DNS lookup tool can also be used to obtain the most current CID of the reseed bundle, e.g., https://dnschecker.org/#TXT/_dnslink.reseed.np-tokumei.net.

If you run into problems accessing any URL provided above, feel free to contact me at [email protected] or DM me on Twitter @NP_tokumei, I will try my best to help as much as possible.

Avatar
Nguyen Phong Hoang
Postdoctoral Researcher

Related