How an I2P router works without a dedicated IP address. The magic of directly connecting two subscribers behind NAT

Most Internet users do not have a dedicated address. This is due to the limited range of addresses in the fourth version of Internet Protocol (IPv4) – 4.2 billion. Considering that there are twice as many people on the planet, and some of them have several gadgets, you can’t get enough addresses. The problem is solved in the IPv6 protocol, which has an unimaginably large range where there will be enough addresses for the entire solar system, even when all the planets are inhabited. However, the catch is that IPv6 is being introduced very slowly and reluctantly into the modern network. Therefore, we have what we have: Internet providers release hundreds and thousands of people into the global network under one IPv4 address (via NAT-server).

The model of accessing the network through NAT works only in one direction - from the user behind the Internet to the web resource. When a connection is established by the user, the web server can respond to him, but if there is no established session, the user cannot be reached from the outside, because thousands of other subscribers of the provider access the network under the same IP address, which in fact does not belong to any of them.

In an I2P key, the complexity of the situation lies in the fact that the hidden network is completely decentralized and all participants communicate directly with their neighbors. The question this article will answer: how does interaction occur with users whose I2P routers are not directly accessible for establishing a connection?.

UDP Hole punch

To understand the next part of the article, you need to look at the UDP communication protocol. UDP does not control the integrity of packets, but it can transmit them very quickly. A clear example of the use of UDP is video and audio calls over the Internet, where irretrievable loss of information is preferable to listening to irrelevant words five seconds ago after a freeze, or NTP - time synchronization protocol, where a minimum delay is needed.

In the TCP protocol, information is transmitted within an established session with packet integrity monitoring. In UDP, information simply flies to the given address without any control.

In UDP, there is the concept of “hole punch,” which means a short-term reservation of a port on a NAT server, which is assigned to the subscriber. All information coming to this port will be transferred to a specific subscriber. In order for the created window to remain assigned to the subscriber, he needs to regularly send some information through it.

From all that has been said, the main thing to understand is that as long as a UDP window (hole punch) exists, anyone can send information to it, and the user to whom the window is assigned will receive it. No pre-established sessions are required like in TCP.

A little about I2P transport protocols

I2P uses crypto wrappers of the TCP and UDP protocols - these are NTCP2 and SSU, respectively. These are the lowest-level I2P protocols through which all information transfer between nodes is carried out. Sometimes these protocols are called crypto analogues of TCP and UDP, but in fact they are crypto wrappers that work on top of TCP and UDP.

NTCP2 uses TCP as transport, so it is directly dependent on the allocated IP address. If there is no direct reach, NTCP2 cannot work. It is logical that SSU works on top of UDP and has its feature in the form of a window. This allows you to use SSU to work without a white address, for example, when using cellular communications.

The screenshot shows the web interface of the router running on a USB modem. Two columns are highlighted: network status with unavailable status and a list of external addresses. The SSU column displays the address of the provider's NAT server and the port that is currently assigned to the subscriber, that is, it is a window (hole punch). NTCP2 shows no signs of life, all connections with the outside world go through SSU, and for the provider this is encrypted UDP traffic.

It should be noted that user application traffic and the I2P transport protocol are two independent planes, i.e. in fact, user TCP traffic can be sent through the SSU.

Conductor flag

IN article about floodphiles describes the mechanics of routers publishing information about themselves (Router Info, abbreviated as “RI”), which contains public encryption keys and flags (Router Caps) indicating the router’s throughput and other important parameters. Based on this information, network participants select routers to participate in their tunnels.

In addition to the general router flags, there are flags for each address specified in the RI. For example, IPv4 may be behind the scenes, while IPv6 may be available globally. Agree that it is at least not reasonable to designate two addresses with completely different statuses with one common flag.

Special flags there are not many addresses:

We are interested in the flag C, which signals that the router can act as an introducer. In the modern implementation of i2pd, this flag is assigned automatically if there is direct accessibility via SSU, that is, the I2P router has a dedicated IP address and an open port for receiving external calls without breaking the window.

Conductors (introducers))

An I2P router that communicates with the outside world exclusively through SSU through window hole punching cannot publish a temporary address and port from the current window to Router Info.

When working behind NAT, the router searches its database for RI, which can be a conductor. When asking a router for a guide service, consent is expected. If consent is received, the poorly accessible router acquires a conductor and from that moment on it can accept connections initiated from outside.

When a router works through an explorer, it enters its address and expiration time into its Router Info. The agreement between the router and the conductor lasts an hour, after which the router selects a new conductor, or re-applies to the previous one, resetting the hour counter. The new Router Info is communicated to all current interlocutors, and is also published on floodfills. As a rule, the router simultaneously uses the services of three conductors, publishing the address of each in RI.

The conductor's task is to mediate in establishing a session between his ward router and the third node.

The external router (Alice in the screenshot) sends a request to the conductor (Bob), which passes information about the new connection to the router behind it (Charlie). The message (RelayIntro) reports the IP address and port of the person who wants to establish a connection. The router then sends an empty UDP packet to this address, thereby forming a window (hole punch). Then, through this window, the SSU connection is fully initialized.

In this way, a connection can be established between two routers, each of which is located behind the network: the first, when accessing the conductor, forms a window, and the second router, when accessing the interlocutor’s window, forms its own window. After this, two I2P routers without dedicated IP addresses communicate directly with each other. Gracefully!

For a more detailed introduction to the SSU mechanisms, see documentation.

Off-label use

Using the feature with conductors (introducers) is also possible in the case of a dedicated IP address. This may be necessary to hide the IP address from the Router Info file. In this case, even a detailed analysis of well-known I2P routers will not give attackers the IP address of our router, because it is not published in clear text, but is transmitted personally to everyone who establishes a connection with us.

It is important to understand that we are talking about a direct connection to the router, and not directly to some of our hidden resources. Connecting to hidden resources almost always occurs through a chain of transit routers, where only the closest neighbor in the tunnel will connect to our router through a conductor.

To i2pd with a dedicated IP address worked through conductors, publishing only their addresses, it is necessary to prohibit incoming connections to the working port of the I2P router (that is, close the working port specified on the main page in the web console).

For iptables firewall rules will look like this:

iptables -A INPUT -p tcp --dport <i2pd_port> -j DROP
iptables -A INPUT -p udp --dport <i2pd_port> -j DROP

If you have an IPv6 interface, perform similar operations with it through the utility ip6tables.

The output will be a router with the network status "Firewalled" and operating mode exclusively through conductors. However, we must take into account that this may insignificantly damage the speed.