90% on target. 10% possibly off target.

I forget what it is called, but AMD has their own version as well.

it probably could, to me that along with traffic analysis are things that fall more into state sponsored level attack. guess avoiding those chipsets is the way or disabling it, but only 3 people are going to do that. like i'd think that at least with intel it's basically a backdoor, probably would take a fair amount of effort for someone outside of them to exploit it. but i guess that doesn't stop intel from gathering intel, lol

there's a surprising amount of low-lying fruit that can be way easier to do for non state actors. Best to assume your ip address is known to be running i2p as public knowledge, and like just poking around the netdb will give info that can sometimes lead to deanon if not careful

I wonder how the intel management engine and AMD PSP could be used to track I2P users. They make up the majority of the nodes on this network. We really don't have a way to fight that unless we all jump to RISC-V right? Also, that article is interesting but incredibly outdated. It's from 2010. Id imagine the security posture of i2p has improved dramatically since then.

you should be able to set the port like z3d said and it'll only use that, dangerous to share obviously because port scanning could be done to identify from suspected ips

i think in theory this is probably true to an extent, we're getting into the realm of traffic analysis. There's some info on this on http://i2p-projekt.i2p/en/docs/how/threat-model

As not_bob mentioned, it's useful.

I2P+ comes with feature rich console interface, one that also happens to be a great place for beginners to start out - doesn't mean users would need to keep the outproxy.

Some otherwise might not have opportunity to try outproxy (some lazy, some unsure how).

And having access to browse clearnet also means a user is more likely to keep an i2p browser (in turn, i2prouter) set up - this means more traffic for all of us. And that's good for all.

In this way, I'd say it's a win win, to have built in (by default, not required to keep).

The management engine cannot be completely disabled in intel chips that ship with it because some of the things it handles are required for the chip to actually work. Really, you are better served by getting a chip without a management engine. Most AMD chips have their own version of the intel management engine, so they aren't safe. ARM boards are usually a little safer but not all. All of the Apple chips have a technology very similar to management engine built in. I don't know about the RISC-V boards but they are borderline trash so far anyway so they aren't a great escape route either.

incorrect. The port the relay uses to the outside world is random and not to be disclosed, and certainly never a fixed port posted on a ramble post. Also, this fails to address my question. products like the firewalla purple can phone home and keep track of all the connections made on the port I granted a firewall exception to. My question was whats stopping the companies behind these products (or even just he ISPs themselves) from linking all the connections people are making on I2P? They wouldn't know the content of the data being sent but they would be able to piece together the paths it took potentially leading to deanon.

i gave tuckit a "force_outbound_quantity = x" to get around it, that would be even better :)

I can fix the display so if it's over the limit it still shows correctly.

There's no way to create an exception for i2p as the destinations vary.

Allow all inbound and outbound traffic on your configured TCP and UDP port indicated on http://127.0.0.1:7657/confignet#udpconfig in I2P+. You should expect that traffic to only be handled by your Java runtime. No other ports on I2P need to exposed publicly (in your firewall).

Just if anyone finds this, the outproxy is disabled by default in i2pd.

good doggy

i'm not completely sure but i'd hazard a guess that it could have something to do with i2p+ being more selective in it's peer profiling compared to i2pd and that java routers use different bids for NTCP2 and SSU2

emissary is super exciting, just kinda showed up out of nowhere

It's very useful to have a working outproxy. You will find many sites that are banned when you use Tor, but work just fine though an I2P outproxy.

But, remember to use one browser just for I2P. Never let it touch the normal clearnet. Going through an outproxy is fine though.

found it. theres an outproxy in i2p+ by default. Why would that be there? I thought the entire point was to keep traffic internal to the i2p network

I wonder why i2pd has a lower rate than i2p+. Does it just have a different way of evaluating that metric?

I'm continuing to experiment with this and torrents. I migrated it back to my server and tried taking it out of the container since I was running the container rootless when I first tried it there. rootless podman containers supposedly have issues with UDP connections. The torrenting speed in qbittorrent and snark are a little better, but still topping out at only about 200k so there's still more room for tweaking here.

Right now, things seem more stable with I2P+ than I2PD, but I'm blaming that squarely on my own ignorance in how to properly tune this setup.

I'm really excited to see how that emissary project grows too, but I'm not sure I trust it just yet. I'm going to wait for others who actually know what they are doing to vet the project as well as SSU2 support to finish before I give it a try.

i assumed which is why i brought up the i2cp thing earlier, but wasn't sure if you had it in some other container or something in the other machine that'd be blocking connections, must've had something going on with the firewall somewhere

weird about the wrapper, never tried it on alpine linux so maybe there's a workaround or the i2prouter script could be modified. jbigi i've had to compile to get it to work right at least with i2p+ sometimes. if you don't see libjbigi.so in your /i2p directory then you'd just need to compile it

the devs are around here, quickest answer to get the wrapper to work right would be to pop in to irc2p

pretty good breakdown, if you end up messing around in both you'll find they can be good for different things. i2p+ is more selective and wants to put resources to things like service tunnels, it happens to be very good for hosting things in i2p and if you want to do other stuff on top of torrents/eepsites. i2pd is bare bones and uses little resources, usually very fast if tunnel build success is good, good for torrenting. it has its own trade offs. i watch the memory usage on that one closely. I like i2pd a lot for certain things but i've learned you do need to be careful with it at times and set conservative limits

i2p+ will usually see build success +70%, i2pd should hang somewhere around 30-50, lower with floodfill. In practice though i2pd should be running great at 30-50, but if it drops under 10 you get problems.

I decided to try running i2p+ on the same equipment as a comparison to see if it works better for me than i2pd. I have some issues with it.

First, I can't get it to use the wrapper. I'm running it in alpine linux aarch64. Looking at the i2prouter script, it doesn't seem to have any way to handle aarch64, though interestingly it does still have the older ARM architectures in the script. I suspect this is why it doesn't want to use the wrapper, even though the wrapper itself does support aarch64. I was able to work around this temporarily with runplain.sh but it's not quite ideal as I'd like to allocate more ram to i2p+. I also want to get jbigi loaded in, but I suspect the wrapper might be needed for that to work anyway.

Anyway, my findings so far in comparing the two on this aarch64 relay:

• i2pd is way faster to bring up and tear down, though we expected that
• i2pd uses next to no ram.
• i2pd is rocket fast but then seems to eventually stop responding to http after being used for a while
• i2p+ is heavy, but not as bad as I thought it would be. A diskless alpine system is running quite happily at less than 1G of ram used. Seeing as this board has 4GB on it, I still have some room to test further after I can allocate more to the JVM after fixing the wrapper.
• i2p+ is pretty! :)
• i2p+ definitely has a higher tunnel success rate the i2pd but it also takes a lot longer to get that high. It's camping out at 83% now. I never got that high with i2pd.
• i2p+ creates significantly fewer tunnels than i2pd. i2pd would have over 6600 tunnels created at times, just giving away all the bandwidth I had to offer it and coming nowhere near taxing the CPU or memory available on the host. i2p+ seems much more conservative in how it participates with the network. Whereas i2pd would build fast, it would also shed a lot of its tunnels whereas i2p+ can maintain connections better. I suspect I could improve that behavior in i2pd by assigning limits but I'm still feeling this thing out, trying to find where the limits are.

Its actually running on a separate physical device. I wanted to put in the media server itself, but my container network skills aren't great and that server get taken down from time to time for me to mess with. Uptime matters here, so it made sense to keep i2p separated from the server.

i don't know what you did as far as containerizing/vm but i'd expect it's got something to do with that assuming there isn't something upstream blocking it. i2p routers will work best opening the TCP/UDP port so it will allow incoming connections

I better isolated the i2pd machine on my network just in case something goes wrong with it and I don't notice right away. While doing so, I noticed roughly half the connections to the i2p relay port are being blocked by my firewall. Strangely, the firewall is set to allow all on that port. It says it's blocking based on ingress firewall's IP filtering rules.

What rules? I didn't give it any rules. If it's unsolicited, it's blocked, but the i2p relay is requesting those connections so the firewall shouldn't be blocking them, right?

i'm not sure about SAM since this is qbit, but with I2CP running either biglybt or snark can be glitchy on separate machines especially with i2pd, java seems to handle random disconnects better where i2pd might not recover, possibly due to latency. As far as i know I2CP is intended to be used on the same machine. you can do this but it runs much better with java routers from what i've found where i think i2pd is best if you keep it on the same machine.

possibly things to check - trackers are working since no dht, in a good swarm, tunnel quantity/number of hops. like are peers available or is it a throughput issue

I got it working. qbittorrent in a rootless podman container on a media server and the relay elsewhere on the network. Unfortunately, the performance is quite poor. I'm aware this is going to be slower than clearnet torrenting, but I'm only getting around 5KiB/s. That seems off to me.

It has been in development for 9 months. If you decide to test it out, please let me know if you run into any issues.