gulli: I2P: an anonymous network interrogated

9 March 2009

I2P: an anonymous network interrogated

It's quite surprising that the free software project I2P isn't more popular. On the one hand it's easy to install and it's said to be secure, and last but not least it's way quicker than, for example, TOR has ever been.

Unlike the Anomos project, I2P is not a single service. It's a package of services such as anonymous browsing, anonymous use of IRC, news readers, email, blogs, different ways of filesharing, etc.

Lately we spoke with zzz, one of the current organizers of this project. They became aware of us after gulli published the Anomos interview a few weeks ago. And as they're soon going to present themselves to the public at the Chemnitzer Linux Tage, we wanted to launch this interview before this event takes place. But don't be confused: I2P also works perfectly with Windows XP and Vista. Click the link for the German version of this interview.

Lars Sobiraj aka Ghandy: Hi zzz!

zzz: Hi ghandy, and thank you very much for the opportunity to discuss I2P. I read your excellent interview with the Anomos developer, and I'm quite happy to share our project with your readers. We recently released version 0.7 of I2P, so this is a perfect time.

Ghandy: For the start: Would you like to introduce yourself to our dear readers?

zzz: No, I work on an anonymous network, and I wish to remain anonymous, sorry.

Ghandy: No problem at all, I perfectly understand your reasons. The original creator "JRandom" gave up the project in November 2007 and took a longer break. You and the developer "complication" took it over in order to continue it. How did you get in touch with this project? And generally: What's so interesting for you speaking about that topic? How do you share the work?

zzz: I2P was started by jrandom in 2003, and like Tor has a strong focus on cryptography and anonymity, using techniques such as tunnels and onion routing, but with a number of different design choices.

I was looking for anonymous networking software in early 2005, and I first tried Freenet, but it did not work well for me at all. Next I tried I2P, and while it didn't work that great at the time either, I saw that the potential was there.

I started my first "eepsites" (internal i2p websites) not too long after (accessible through the i2p "inproxy" as go.gulli.com/gulli/url/http://zzz.i2p.to/ and go.gulli.com/gulli/url/http://stats.i2p.to/ but these links will be slow). Late in 2005 I started submitting patches for the code.

While jrandom left in late '07 (read the full story here), even by early 2007 his attention had shifted to Syndie, an anonymous, encrypted, high-security blogging and communication platform. Complication and I increased our involvement over that year, and of course after jrandom left there have been a number of changes and shifts in responsibilities.

In addition to coding, there are a number of key components to running a project, including hosting of key services within the network (IRC, email, version control system, blogs, forums, download sites), code review, release building, press announcements, translations, user support, and so on.

There are probably a dozen people involved. How do we share the work and stay organized while communicating solely over our anonymous network? I don't know exactly, but it works.

Ghandy: I2P is a collection of different services. How did it come about that you split it up, and what were the reasons for doing so? What is I2P offering in detail?

zzz: I2P is composed of the core router, and I2P-enabled applications, some of which are bundled in our packages and some are available separately. There is a very strong architectural dividing line between the router and the applications, to ensure security.

The core router creates tunnels for local applications, and routes data for others through their tunnels.

The bundled applications include an http proxy, an IRC proxy, an "addressbook" for naming resolution, a web-based "router console" to administer the router, a bittorrent client "i2psnark", a web-based email client, and others. Applications not bundled with I2P include a port of Phex (filesharing based on the Gnutella network), a port of eMule, and several more bittorrent clients.

Several types of standard applications can be used unchanged with I2P - web browsers, IRC clients, news readers, email clients, and others. For further reading, an introduction to I2P is here.

Ghandy: What are the pros and cons to surf incognito if you compare I2P with other options such as TOR, a proxy or a VPN?

zzz: First of all I want to say that I have a tremendous amount of respect for Tor, Roger Dingledine and the other Tor developers, and what they have accomplished. I2P and Tor started at about the same time and have a lot of similarities.

Tor has benefitted greatly from funding, academic analysis, and a large user base. We are exchanging ideas with Tor and I expect that both projects will benefit from that as well.

The fundamental difference is that Tor is designed for "exit traffic" to the regular internet. I2P is designed for in-network traffic - what Tor calls "hidden services". Tor has 1000 "exit nodes". I2P has only one. Exiting from an anonymous network to the regular internet has serious potential vulnerabilities.

As Roger Dingledine said in his talk at 25C3 (Dec. 29 2008), "Tor does not magically encrypt the internet". Neither does I2P. Accessing standard services through exit nodes can be done safely, but it takes great care. Snooping or worse by exit nodes, and blocking of exit nodes is problematic. That said, if your primary goal is anonymous access to the regular internet, Tor is the better solution.

I2P was designed from the beginning for anonymity and security of internal network traffic and services, and we've spent several years making it fast and reliable.

If you desire anonymous, encrypted communication primarily within an overlay network, I2P is a good choice. I2P is peer-to-peer friendly, we welcome p2p traffic.

Over 95% of I2P users also route traffic for others, unlike in Tor where the percentage is very small. In other words, almost everyone contributes to the capacity of the network, rather than just using the resources of a few large nodes.

I2P uses high-security, custom-designed interfaces for applications.

Tor is much better at circumventing blocking by ISPs and state-level adversaries. As the I2P user base grows, that will become a priority for us as well.

In comparison with Anomos, in many ways, what they are working on (turnkey, anonymous, encrypted bittorrent) is what we already have with i2psnark. But we don't advertise I2P as such, and we have a lot of complexity and other stuff visible to a user that only cares about bittorrent. One possibility is creating an I2P package that hides some of that. We met the Anomos guys at 25C3 and wish them the best. I'm excited about their design and I look forward to their product, and I hope we get to work with them further.

Ghandy: I2P wasn't originally created for anonymous filesharing. What do you expect, how many people are using it anyway? How attractive is it to do it that way? Which speed do you reach?

zzz: We have just under 1000 users at any point in time, and over 3000 unique users per month. By that measure we are perhaps 100x smaller than Tor. But if you look at our "hidden service" count of perhaps 600 at a time (which includes bittorrent clients), maybe that is similar to Tor hidden services... I don't know.

I2P was designed as an overlay network for anonymous, encrypted communication. It's therefore ideal for peer-to-peer applications. Those applications push a tremendous amount of traffic, as you know - so they generate "cover traffic" for other applications. Trying to make p2p apps go faster helps us make the whole network better. So we don't discourage p2p at all:

All I2P p2p applications are in-network only, there is no access to "regular internet" torrents, for example. All p2p clients are modified to work with the I2P network and ensure security, you cannot use a standard client. As the network is small, so is the selection of available content. Typical bittorrent download speeds are 5 KByte/sec to 20 KBps, which is enough to get a 700MB movie in about a day. The network is much much faster than it used to be, and we continue to make improvements. Whether our anonymity and security, combined with these speeds and restrictions, is "attractive" is for each potential user to assess. As we like to say, "anonymity isn't free" - the encryption and routing add significant overhead.

Ghandy: Some analysts say that privacy doesn't exist in the USA. Do you think this might change since Obama is president? What's your assessment speaking of European countries?

zzz: I think privacy is under severe and increasing threat throughout the world. I don't think that Obama will have much effect on the global trend.

Ghandy: How easy or hard is it to install I2P?

zzz: It's a cross-platform product, and the installation goes smoothly for most people on Linux or Windows, including Vista.

(Hint from Ghandy: In case you're using a German distribution of Vista, create the directory for the software directly at C:/ and nowhere else and then it will work for sure!)

Ghandy: How safe is your service nowadays? I heard that you can't assure safety until version 1.0 is out. When can we expect the first official version?

zzz: I don't know if we can ever "assure" safety for a particular use. "Safety" is relative and depends on your "threat model", in other words the goals, resources and abilities of your adversaries.

To elaborate, the two areas of concern are that the network is relatively small, and the design and implementation have not received any independent review. However we haven't yet attracted the attention of determined adversaries, as far as I know. The basic architecture and cryptography of I2P have not changed in many years.

We also are working on several advanced features in I2P that will enhance anonymity and security. As a package, I think of it as "super-secret" mode, or an overlay on the overlay network.

When we find bugs or anonymity holes in the design or implementation, we fix them. When will it be "perfect" or "official" or "1.0"? Not very soon. Users of any anonymous network should do their own research and think carefully about what they want to use it for, and how to use it safely.

Ghandy: Did you ever think about working together with The Pirate Bay or MiniNova to create a common service?

zzz: The proposals posted last year at tfr.org or newteevee.com generated a lot of discussion within I2P. We are working closely with Onioncat, this may or may not be one piece of the puzzle. The path from here to there is not clear to me at this time.

Ghandy: Speaking of I2P: What are your plans, what can we expect during the next weeks, months and years?

zzz: #1 priority is to grow the network. We can do that through more press like this interview; by working more closely with other projects such as Tor, Anomos, and Onioncat; and by making our website and software better, faster, easier to understand and use, and available in more languages. So we're looking for more users and more contributors.

Thanks again for the opportunity and the great questions. If any of your readers have questions they can try our website, our forum, including a German section, or IRC irc.freenode.net #i2p.

Ghandy: Thank you for filling out such long and in-depth answers! And generally spoken: Of course for providing us this service.

source of some pics: Florian Kuhlmann @ flickr, thx!

  • By the way, "interrogate" means "verhören" (to question a suspect), not "interviewen" (to interview)...

  • To question or quiz someone - that's not entirely unfitting in this context... ;-)
