I2P

from Wikipedia, the free encyclopedia

I2P - The Anonymous Network

Basic data

Year of publication: 2003
Current version: 0.9.46 (May 25, 2020)
Operating system: Microsoft Windows, Linux, macOS, OpenBSD, FreeBSD, Android
Programming language: Java
Category: Overlay network, security software
License: BSD License, GNU General Public License, MIT License, Public Domain
German-language: Yes
Website: geti2p.net

I2P (Invisible Internet Project; German: "Projekt Unsichtbares Internet") is an anonymous, pseudonymous and distributed computer network that works without servers.

I2P is based on free software and aims to provide a simple transmission layer that offers anonymity and privacy, security against attacks and resistance to censorship to a wide range of application software.

The I2P network itself is message-based (like IP), but also offers a library that enables data transfer and streaming, similar to TCP. Each data transmission is encrypted several times: a total of four layers of encryption are applied per data packet, and in addition the traffic is routed via constantly changing participants and different tunnels (chains of routers). One's own I2P router is therefore constantly involved in forwarding encrypted data packets for other I2P users. The endpoints (recipients) of the data packets are in turn protected by the cryptographic scheme; for the most part they are identified by a pair of public keys.

I2P provides an anonymous, encrypted and decentralized communication layer distributed peer-to-peer, designed to carry any conventional protocol such as BitTorrent, eDonkey2000, Kademlia, Usenet, Gnutella, e-mail, IRC, HTTP, HTTPS, Telnet and XMPP, to support IPv4 and IPv6, and to run traditional distributed applications (e.g. Squid or DNS).

Functionality

A program running over I2P sends its data to the I2P router provided for this purpose. The I2P router first ensures that the data is encrypted and anonymized for forwarding. A route is then determined via several external I2P routers to a currently valid transfer point of the destination router. From there, the data is passed on via several further I2P routers to the actual destination. The routers used for this forwarding are called hops. For security reasons, however, only the sender's own hops up to the transfer point are counted; the sender has no influence on the number of hops chosen by the destination router.

So that no data is lost on the way, which can happen as soon as one I2P router in a chain fails, the data is also sent again via a different route. Each such route corresponds to a tunnel. If the data reached its destination via a route, that tunnel was successfully established.

The acknowledgment of receipt is in turn sent by the destination router via a new series of hops through new tunnels in the aforementioned manner.

To determine the respective transfer points and to announce tunnel assignments, a request is made to the distributed I2P network database, which maintains a structured distributed hash table (DHT) based on the Kademlia algorithm. Every eleven minutes, the tunnels are discarded and replaced by new ones.
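As an added illustration of the tunnel mechanics described above (not code from the I2P project), the following Python model builds unidirectional tunnels with one encryption layer per hop: the sender pre-wraps the message for its own outbound hops, each hop removes its layer, the message then travels through the destination's separately chosen inbound tunnel, and the reply takes a different path back. The router names, keys, the nonce and the hash-based toy stream cipher are constructed for the example; real I2P tunnel cryptography and tunnel building are not reproduced.

```python
"""Toy model of I2P-style unidirectional tunnels with one encryption layer per
hop.  Added illustration, not I2P code: real I2P tunnel cryptography, tunnel
build messages and the netDB lookups that choose hops are not reproduced.
Router names, keys, the nonce and the toy cipher are constructed."""
import hashlib

TUNNEL_LIFETIME_S = 11 * 60   # the text: tunnels are discarded and rebuilt every eleven minutes


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream from SHA-256; illustrative only, not a real cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def layer_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """One encryption layer: XOR with a hop's keystream.  Applying the same
    layer twice removes it again, which is what a hop does when it 'peels' its layer."""
    return bytes(d ^ k for d, k in zip(data, _keystream(key, nonce, len(data))))


class Tunnel:
    """A unidirectional tunnel: ordered (hop_name, layer_key) pairs.  Only the
    router that built the tunnel knows all hop keys; each hop knows only its own."""

    def __init__(self, hops, created_at):
        self.hops = hops
        self.created_at = created_at

    def hop_names(self):
        return [name for name, _ in self.hops]

    def expired(self, now):
        return now - self.created_at >= TUNNEL_LIFETIME_S


def send_outbound(tunnel, nonce, payload):
    """The creator pre-applies one layer per hop (outermost for the first hop);
    each hop then removes exactly its own layer, so plaintext appears only at the
    far end, the transfer point (the destination's inbound gateway).  Returns the
    final data and what each hop saw after processing it."""
    data = payload
    for _, key in reversed(tunnel.hops):
        data = layer_crypt(key, nonce, data)
    seen = []
    for _, key in tunnel.hops:
        data = layer_crypt(key, nonce, data)
        seen.append(data)
    return data, seen


def receive_inbound(tunnel, nonce, data):
    """The inbound gateway and every later hop add their layer; the tunnel's
    creator at the endpoint strips them all, since it alone holds every key."""
    for _, key in tunnel.hops:
        data = layer_crypt(key, nonce, data)
    for _, key in reversed(tunnel.hops):
        data = layer_crypt(key, nonce, data)
    return data


def make_tunnel(owner, hop_names, created_at):
    # Constructed hop keys derived from names so that the example is deterministic.
    hops = [(h, hashlib.sha256(f"{owner}:{h}".encode()).digest()) for h in hop_names]
    return Tunnel(hops, created_at)


def exchange(now=0):
    """Alice sends a request to Bob and receives a reply.  Request: Alice's
    outbound tunnel -> Bob's inbound tunnel.  Reply: Bob's outbound tunnel ->
    Alice's inbound tunnel, i.e. a different path, as the text describes."""
    alice_out = make_tunnel("alice", ["r1", "r2", "r3"], now)
    alice_in = make_tunnel("alice", ["r7", "r8", "r9"], now)
    bob_in = make_tunnel("bob", ["r4", "r5"], now)      # Bob alone decides his hop count
    bob_out = make_tunnel("bob", ["r6"], now)
    nonce = b"msg-0001"                                 # constructed per-message value
    at_transfer_point, seen = send_outbound(alice_out, nonce, b"GET /index.html")
    request_at_bob = receive_inbound(bob_in, nonce, at_transfer_point)
    reply_at_tp, _ = send_outbound(bob_out, nonce, b"200 OK")
    reply_at_alice = receive_inbound(alice_in, nonce, reply_at_tp)
    return {
        "request_seen_by_bob": request_at_bob,
        "seen_by_first_hop": seen[0],                    # still ciphertext at r1
        "reply_seen_by_alice": reply_at_alice,
        "hops_chosen_by_alice": alice_out.hop_names(),   # the only request hops she controls
        "request_path": alice_out.hop_names() + bob_in.hop_names(),
        "reply_path": bob_out.hop_names() + alice_in.hop_names(),
        "expired_now": alice_out.expired(now),
        "expired_after_lifetime": alice_out.expired(now + TUNNEL_LIFETIME_S),
    }
```

Because the toy layers are XOR-based they commute, so the cipher itself does not enforce the order in which hops strip them; what the model shows is who holds which keys. Alice knows only the keys of the tunnels she built, so the first hop r1 sees ciphertext, plaintext first appears at Bob's transfer point r4, and Bob's inbound hop count is his decision alone, matching the hop-counting rule in the text. The expired() check models the eleven-minute tunnel lifetime.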

Implementation

The core of I2P is written in Java, so a Java runtime environment must be installed. There is also a complete implementation in C++, as well as other projects, some of which are at an early stage of development.

Some services are integrated as web applications and are accessed via the browser. The "router console" serves as the central entry page.

Other services are implemented in such a way that the I2P software acts as a proxy (e.g. for HTTP, IRC, mail, CVS), in which case it partly behaves like a normal server towards the respective client. In this way the usual client programs, such as Firefox, can be used; they only need to be reconfigured to use the local I2P proxy. Different four-digit port numbers are usually used for this.

There are also special additional programs in the I2P network that are listed under Applications .

Interfaces

  • I2PTunnel is an application embedded in I2P that allows any TCP / IP services to be made available via I2P.
  • SAM is a protocol that allows I2P-based programs to be developed in a wide variety of programming languages.
  • BOB is another interface that allows I2P-based programs to be developed in a wider range of programming languages.

Applications

I2PSnark

I2PSnark is an anonymous BitTorrent client integrated into I2P as a web application. It allows I2P-internal torrents to be downloaded or created using the I2P layer.

I2PSnark also supports magnet links. It is thus possible to publish files by exchanging only magnet links within the torrent network.

I2P-Bote

I2P-Bote is an end-to-end encrypted, network-internal and completely decentralized, serverless e-mail system. It supports the creation and use of several identities and filters the mail headers so that only the strictly necessary, non-identifying header fields are used (and these are encrypted as well). The application is still in the alpha stage but under active development. Currently it is used via the web interface, but POP3 support is planned so that it can be used with every common e-mail program. I2P-Bote also offers a high-latency transport similar to Mixmaster or Mixminion, which is intended to provide even greater anonymity; I2P-Bote can therefore also be described as a remailer. The original sender of a Bote mail may long since be offline again by the time the mail arrives at the node that stores it. For those who prefer to send their Bote mails quickly, the fast, undelayed sending method, which is not forwarded via many other computers (apart from I2P itself, of course), continues to exist. Each user can decide for themselves how much anonymity and how much speed they want.

Since all Bote mails are automatically encrypted end-to-end, the content of a mail cannot be read in plain text at any point except by the sender and recipient themselves. This removes the need, present with normal e-mail systems (and thus also with Susimail), to take care of the encryption and authentication of e-mails separately if one does not want, for example, the operator of the mail server to be able to read their content.

Because I2P-Bote is completely decentralized, there is no mail server that could link different anonymous identities with one another (keyword: profiling): even the forwarding and storing computers know neither the real sender nor their pseudonymous e-mail address, and only the last node of the high-latency mail route and the storing computers even know the anonymous recipient address. Even for them, the subject, date, etc. are not visible.

I2P-Messenger

An instant messaging program has existed since the beginning of 2008. It was initially based on .NET technology, but was then completely rewritten and is now available as a Qt-based I2P-Messenger. I2P-Messenger connects directly (i.e. without the help of a central server) to the conversation partner via the local I2P router. Both communication partners can therefore remain completely anonymous to one another. I2P-Messenger can, however, also be used to circumvent data retention and for eavesdropping-proof, untraceable communication with friends, acquaintances, colleagues or business partners. Since all communication goes via I2P, not even the Internet service provider can determine with whom one has actually communicated. The content is encrypted end to end and, as mentioned above, there is no server that handles all communication and could collect statistical data. Development is still in the beta phase, but the program is already suitable for everyday use; there are, however, no offline messages. Starting with the upcoming version, I2P-Messenger will also support searching for user names or interests.

IRC

There are several IRC servers in I2P. They can be reached at the address localhost:6668 (or localhost/6668 in some IRC programs), provided I2P is running on the same computer. Otherwise the IP address of the computer on which the I2P router runs must be used. Channels are #i2p-de, #i2p-help, #i2p-chat and #i2p. Anyone who does not want to, or cannot, join these rooms anonymously via I2P can still access them via Freenode. The room names are the same there, and the rooms are linked by channel gates.

MuWire

MuWire is a program for searching for and exchanging files. It makes it possible to share entire directories or drives anonymously. The user can decide, and change at any time, whether to share files with all MuWire users or only with certain users.

The use of MuWire requires the creation of a nickname, which is combined with a cryptographically strong I2P address and forms an identity for MuWire on an anonymous level. With this function it is possible for MuWire users to chat anonymously and encrypted with one another, to publish released files in a personal RSS (web feed) or to subscribe to the RSS of other users.

MuWire can be started and operated directly with I2P via the web browser or as a separate desktop application.

Susimail

I2P has a free, pseudonymous e-mail service hosted by Postman. Susimail was developed to avoid the security gaps of traditional e-mail clients, which, for example, reveal information about the real identity of the user and thus endanger anonymity.

Syndiemedia

Syndiemedia, or Syndie for short, is an attempt to create a user-friendly and secure blogging tool that builds on the techniques of anonymous and secure systems such as I2P, Tor, Freenet, MNet and others. Content distribution is decoupled from the transport system used; Syndie can be used over the web with all common anonymizers. Syndie allows users to form communities spanning several networks instead of concentrating on one specific network, which makes them less vulnerable.

Syndie's approach is to combine the security, anonymity and cryptography worlds with the simplicity and user focus of the blogging world. From the user's point of view, Syndie can be seen as a secure distributed LiveJournal, while technically it is much simpler. In March 2007 Syndie was released as an independent project under the umbrella of I2P with version number 1.005a. The current version (as of June 2013) is 1.103b.

Tahoe-LAFS

Tahoe-LAFS (Tahoe Least-Authority File Store) is a free and open, secure, decentralized, fault-tolerant, distributed data store and distributed encrypted file system. Tahoe-LAFS can be used as an online backup system or as a file or web host, depending on the front end used to insert and access files on the Tahoe system.

With Tahoe-LAFS, files are split into individual data blocks when uploaded, and these are encoded, encrypted and stored at random across several computers of the participating users. Data stored with Tahoe-LAFS therefore remains confidential and accessible even if some of the computers acting as storage servers fail, are taken over by an attacker, or are no longer available. When a file is requested (downloaded), its distributed data blocks are located, reassembled and decrypted again on the user's own storage medium.

The random and encrypted storage of the individual distributed data blocks ensures that the operators of Tahoe-LAFS storage do not know which content is stored on the shared storage they provide. Even if someone breaks the encryption and can prove that certain data is stored on a PC, it cannot be proven that the PC's operator knew about it (deniability through migration). When used via I2P, anonymous distributed networks can also be formed. The source code is available under both the GPL and the Transitive Grace Period Public License.

BiglyBT

The open-source tool BiglyBT makes all functions of the BitTorrent network available via the I2P network through a plug-in and brings some additional features. For example, a "swarm" function can be activated to accelerate ongoing downloads, and files can be tagged and thus better organized.

I2PRufus

I2PRufus is an anonymous, Rufus-based BitTorrent client. It allows I2P-internal torrents to be downloaded or created using the I2P layer. It has to be installed additionally.

Robert

Robert is a further development of I2PRufus. Instead of SAM, it uses BOB. Robert has to be installed additionally.

i2p-bt

i2p-bt is a command-line BitTorrent client for I2P.

Transmission for I2P

Transmission for I2P is a port of the BitTorrent client Transmission to the I2P network.

I2Phex

I2Phex is a P2P program based on the open-source program Phex. It forms an anonymous Gnutella network within the I2P network. It has to be installed additionally. Discussion and coordination on I2Phex take place in the project's forums.

iMule

iMule is a program based on aMule for anonymous file sharing via I2P.

Nachtblitz

Based on iMule, with active further development, among other things in terms of ease of use.

Outproxy

The I2P community operates an outproxy. Such an outproxy allows users to access approved websites outside the I2P network.

Difference to Tor

While Tor mainly offers anonymous proxy servers for various Internet services such as IRC, e-mail or HTTP, with I2P everything primarily takes place within the network. This has the advantage that user data is end-to-end encrypted. The same is true of Tor hidden services, but not when normal, publicly accessible web services are used via Tor.

The same applies to e-mails routed via an I2P-internal server (Susimail): these are encrypted only from the sender to the server and from the server to the recipient. I2P-Bote is not affected, because it is serverless.

In contrast to Tor, I2P manages without a central node database (directory server) and is therefore completely decentralized. In I2P the node list is instead kept as a distributed database by the highest-performing nodes (so-called floodfill peers) using the Kademlia algorithm. Since there is no central instance holding the node list, the address of at least one other I2P participant must be known when I2P is started in order to join the network; information on further I2P nodes is then obtained from that participant. To get around this start-up problem, some I2P participants regularly publish node lists on various websites, which the I2P client tries to fetch automatically on startup in order to obtain addresses of I2P nodes.
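To make the floodfill lookup concrete, here is an added Python model (not I2P code) of a Kademlia-style netDB query: peers are ranked by the XOR distance between the SHA-256 of their name and the SHA-256 of the lookup key, and a router that starts out knowing only one reseed peer learns the remaining floodfills iteratively. The peer names, the value of K and who-knows-whom are constructed; the real netDB derives a daily-rotating routing key from the lookup key and uses its own parameters, which this model omits.

```python
"""Toy model of the I2P netDB lookup: floodfill peers ranked by Kademlia XOR
distance, with iterative discovery starting from a single known peer.  Added
illustration, not I2P code; the real netDB's routing-key derivation and its
k/alpha parameters are not reproduced.  Peer names and peer tables are constructed."""
import hashlib

K = 3   # constructed: how many closest floodfills a lookup returns / queries per round


def key_hash(name: str) -> int:
    """Map a name (peer or lookup key) into the 256-bit Kademlia id space."""
    return int.from_bytes(hashlib.sha256(name.encode()).digest(), "big")


def xor_distance(a: int, b: int) -> int:
    """Kademlia metric: a smaller XOR means 'closer' in the id space."""
    return a ^ b


def closest(peers, target: int, k: int = K):
    """The k peers whose hashes are XOR-closest to the target."""
    return sorted(peers, key=lambda p: xor_distance(key_hash(p), target))[:k]


def iterative_lookup(reseed_peers, peer_tables, target_name: str, k: int = K):
    """Kademlia-style lookup.  peer_tables maps a floodfill name to the set of
    peers it returns when asked.  Starting from the reseed list, the router
    repeatedly queries the closest not-yet-queried peers and merges what it
    learns; it stops once all k closest known peers have been queried."""
    if not reseed_peers:
        # The start-up problem from the text: without one known peer there is
        # no one to ask for the node list.
        raise ValueError("no bootstrap peer known: cannot join the network")
    target = key_hash(target_name)
    known, queried = set(reseed_peers), set()
    while True:
        candidates = [p for p in closest(known, target, k) if p not in queried]
        if not candidates:
            return closest(known, target, k)
        for p in candidates:
            queried.add(p)
            known |= set(peer_tables.get(p, ()))


def demo():
    """Twelve constructed floodfills that all know each other; the local router
    initially knows only ff03 (the address obtained from a published node list)."""
    floodfills = [f"ff{i:02d}" for i in range(12)]
    peer_tables = {p: set(floodfills) for p in floodfills}
    found = iterative_lookup(["ff03"], peer_tables, "example.i2p")
    # Ground truth: the k closest over the full peer set, which the lookup never saw at once.
    return {"found": found, "ground_truth": closest(floodfills, key_hash("example.i2p"))}
```

The lookup converges because each round only asks peers that are closer to the target than anything already queried; in a real deployment the peer tables would be partial and changing, and an attacker-controlled floodfill could return misleading peers, which is why the text's remark about an attacker's chances of sitting on the path matters for the database as well as for tunnels.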

Since I2P, unlike Tor, uses no dedicated entry nodes, it is also not possible to see what the I2P user is sending himself, since this is lost in the noise of the traffic forwarded for other I2P users.

I2P also uses only unidirectional tunnels, which helps to defend against timing attacks, because a request and its response do not take the same path. However, this also doubles the number of tunnels established, which in turn increases the likelihood of building a tunnel through nodes under the control of an attacker. Under certain circumstances this could allow such an attacker to de-anonymize the traffic relationship between sender and recipient.

In addition to onion routing, I2P also uses garlic messages. These implement end-to-end encryption within the I2P network and bundle one or more messages that are decrypted together by the recipient. The individual messages need not all be intended for the recipient itself; some may instead carry forwarding and delay instructions. This is of particular interest for services that are not time-critical, since the temporal decoupling of message forwarding achieved by the delay further strengthens anonymity.

In principle, I2P could also be used anonymously entirely without tunnel setup, that is, solely by using the forwarding function within the garlic messages: the message to be forwarded is itself a garlic message for the next node on the route, and so on. However, this form of message forwarding is not used by default.
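The garlic bundling and the tunnel-less forwarding described in the last two paragraphs, as an added Python illustration (not I2P's own code or message format): several cloves are encrypted together for one recipient, each carrying a LOCAL or FORWARD instruction with an optional delay, and a forwarded clove's payload is itself a garlic message for the next node. Router names, keys, the JSON framing and the toy XOR cipher are constructed.

```python
"""Toy model of I2P-style garlic messages: several cloves bundled into one
encrypted message, each with its own delivery instruction.  Added illustration,
not I2P's own code; the real garlic format (session tags, instruction flags,
expirations) is not reproduced.  Names, keys and framing are constructed."""
import hashlib
import itertools
import json


def toy_crypt(key: bytes, data: bytes) -> bytes:
    # Repeating-key XOR with a hash of the key: symmetric and involutive, NOT a real cipher.
    stream = itertools.cycle(hashlib.sha256(key).digest())
    return bytes(b ^ s for b, s in zip(data, stream))


def make_clove(instruction: str, payload: bytes, target=None, delay_s: int = 0) -> dict:
    """instruction: 'LOCAL' = meant for the decrypting router itself;
    'FORWARD' = hand the payload on to `target` after `delay_s` seconds."""
    if instruction not in ("LOCAL", "FORWARD"):
        raise ValueError(f"unknown instruction {instruction!r}")
    return {"instruction": instruction, "target": target, "delay_s": delay_s,
            "payload": payload.hex()}


def build_garlic(recipient_key: bytes, cloves: list) -> bytes:
    """Bundle the cloves and encrypt them once for the recipient, so that all
    cloves are decrypted together, as the text describes."""
    return toy_crypt(recipient_key, json.dumps(cloves).encode())


def process_garlic(router_key: bytes, blob: bytes, now: float):
    """Decrypt a garlic message at its recipient and apply each clove's
    instruction.  Returns (delivered_payloads, forwards), where forwards holds
    (deliver_at, target, payload) entries for a scheduler to send on later."""
    cloves = json.loads(toy_crypt(router_key, blob).decode())
    delivered, forwards = [], []
    for c in cloves:
        payload = bytes.fromhex(c["payload"])
        if c["instruction"] == "LOCAL":
            delivered.append(payload)
        else:
            forwards.append((now + c["delay_s"], c["target"], payload))
    return delivered, forwards


def demo():
    """Alice sends Bob one garlic with a local clove plus a delayed FORWARD clove
    whose payload is itself a garlic for Carol: forwarding without a tunnel,
    with Bob unable to read Carol's clove."""
    key_bob = hashlib.sha256(b"bob-key").digest()        # constructed keys
    key_carol = hashlib.sha256(b"carol-key").digest()
    inner = build_garlic(key_carol, [make_clove("LOCAL", b"hello carol, via bob")])
    outer = build_garlic(key_bob, [
        make_clove("LOCAL", b"hello bob"),
        make_clove("FORWARD", inner, target="carol", delay_s=300),
    ])
    bob_local, bob_forwards = process_garlic(key_bob, outer, now=1000.0)
    deliver_at, target, payload = bob_forwards[0]
    carol_local, carol_forwards = process_garlic(key_carol, payload, now=deliver_at)
    return {"bob": bob_local, "forward_at": deliver_at, "forward_to": target,
            "carol": carol_local, "carol_forwards": carol_forwards}
```

Bob sees only his own clove and an opaque payload to hand to Carol after the delay; the delay is what decouples the forwarding in time. A scheduler that actually holds forwards until deliver_at is left out, since the point here is the structure of the bundle.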

Attack Procedure

In 2011 an attack on the I2P network was documented which showed that an attacker with moderate resources could determine the identity of an HTTP service (an "eepsite"). According to the I2P developers, this attack is no longer possible because of further security improvements (among other things, tunnels are now routed via three routers), especially since the I2P network has since grown significantly in terms of users.
