Call for volunteers: IPv6 DHT

jch
Posts: 175
Joined: Wed May 13, 2009 12:08 am

Re: Call for volunteers: IPv6 DHT

Post by jch »

x190 wrote: I feel like a proud father. My first IPv6 peer!!!
Congratulations! What you're seeing is an address generated by the Windows implementation of 6to4 (which duplicates the IPv4 address at both bit 16 and bit 96).
x190 wrote: I see I'm blocking quite a few incoming IPv6 connection attempts,
Why not open just the Transmission port? It shouldn't be any more risky than just running Transmission in the first place.

--Juliusz
x190
Posts: 5094
Joined: Sun Nov 30, 2008 4:59 am

Post by x190 »

jch wrote: Why not open just the Transmission port? It shouldn't be any more risky than just running Transmission in the first place.

--Juliusz
It seems Transmission makes almost no attempt to make connections to peers it gets from DHT. e.g. Learned 69 peers from DHT, but I'm only connected to the grand total of 1.

I assume I'm only looking at my OS X firewall as connection attempts are logged by the console. I may give it a try. Can you take a look at the trac ticket below and tell me if Transmission can use its loaded blocklists against IPv6 addresses?

http://trac.transmissionbt.com/ticket/252
http://trac.transmissionbt.com/attachme ... -test.diff
Attachments
Screen shot 2010-04-28 at 1.45.32 AM.png
jch

Post by jch »

x190 wrote: It seems Transmission makes almost no attempt to make connections to peers it gets from DHT. e.g. Learned 69 peers from DHT, but I'm only connected to the grand total of 1.
There are multiple factors at play here. First, Transmission deliberately prefers peers obtained from trackers to peers obtained from the DHT -- an arbitrary choice, but one that makes sense considering that the user can control the set of trackers, but not the set of DHT nodes. Second, the DHT is much slower than either trackers or PEX, so by the time Transmission has obtained any peers from the DHT, it usually already has plenty of tracker and PEX peers (note that if a peer can be obtained both from the tracker and the DHT, it will be marked as whatever place it was first learnt about).

Finally, the DHT has no mechanism to discard unreachable hosts. According to some estimates, up to 2/3 of DHT peers are unreachable.

I'd suggest the following test: choose a torrent, and in its inspector pane, manually remove all of the trackers. Then stop Transmission, remove this particular torrent's resume file, and restart Transmission. You'll see how fast the torrent is able to get up to speed from the DHT and PEX only.
x190 wrote: Can you [...] tell me if Transmission can use its loaded blocklists against IPv6 addresses?
A quick glance at the code in r10539 seems to indicate it's IPv4-only. I could be wrong, I've only looked in the most obvious place.

I'm not going to implement IPv6 support in the blacklist, since (1) I happen to think that manually maintained blocklists are a silly idea, and (2) in the rare cases when I do want to blacklist a range, I prefer to do it at the lowest layer possible -- in a host specific firewall, or, better yet, in my router's firewall.

(Before anyone accuses me of being a "rotten apple" again -- the above does not mean I'm opposed to the feature, just that *I* am not going to implement it. I'll be happy to review patches if somebody else writes them.)

--Juliusz
x190

Post by x190 »

Again, thanks for taking an interest in this issue, jch. Regarding the connections issue, I should have stated that I was running this torrent for many hours sans trackers. Although the DHT count at times went well over 69, my total connections were PEX 1, DHT 1. I will do more testing.

I was under the impression that by using a Teredo tunnel, I was bypassing my router firewall. Is this incorrect? I must respectfully disagree with your position vis-a-vis blocklists and P2P. I personally have seen connection attempts while torrenting from companies such as Hali***ton (34.x.x.x) and it gives me the creeps to know that outfits like that are trying to snoop around on my computer.

If you can point me to info on how to implement an ip6fw where I can define certain address ranges to block I would be grateful. Admittedly, I'm probably getting a little ahead of the curve here as I don't think anyone maintains a blocklist for IPv6 addresses yet. I assume that Transmission's IPv4 blocklist capabilities will be unaffected by my use of the Teredo tunnel.
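Added example, not part of any post in this thread and not Transmission code: a Python illustration of why an IPv4 range list does not see tunnelled peers, recovering the IPv4 address that 6to4 stores at bit 16 (as jch describes earlier in the thread) and that Teredo stores bit-inverted in its low 32 bits (RFC 4380). The function names and sample addresses are constructed for illustration and use documentation ranges.

```python
import ipaddress

SIXTOFOUR = ipaddress.ip_network("2002::/16")   # 6to4 prefix (RFC 3056)
TEREDO = ipaddress.ip_network("2001::/32")      # Teredo prefix (RFC 4380)

def embedded_ipv4(peer):
    """Return (kind, IPv4Address or None) for a peer address string."""
    addr = ipaddress.ip_address(peer)
    if addr.version == 4:
        return "ipv4", addr
    raw = addr.packed                            # 16 bytes, network order
    if addr in SIXTOFOUR:
        # 6to4: the host's public IPv4 address occupies bits 16..47.
        return "6to4", ipaddress.IPv4Address(raw[2:6])
    if addr in TEREDO:
        # Teredo: bits 96..127 hold the client's public IPv4 address
        # with every bit inverted.
        client = bytes(b ^ 0xFF for b in raw[12:16])
        return "teredo", ipaddress.IPv4Address(client)
    return "native", None

def repeats_ipv4_in_low_bits(peer):
    """True for the 6to4 form jch describes: IPv4 at bit 16 and again at bit 96."""
    addr = ipaddress.IPv6Address(peer)
    return addr in SIXTOFOUR and addr.packed[2:6] == addr.packed[12:16]

def blocked(peer, ipv4_ranges):
    """Check a peer against IPv4 CIDR ranges, looking through 6to4/Teredo."""
    _, v4 = embedded_ipv4(peer)
    return v4 is not None and any(v4 in ipaddress.ip_network(r) for r in ipv4_ranges)

# Constructed sample peers (documentation ranges, not taken from the thread).
SAMPLES = [
    "2002:c000:221::c000:221",                  # 6to4 for 192.0.2.33, IPv4 repeated
    "2001:0:c633:6401:8000:63bf:3fff:fdd2",     # Teredo, client 192.0.2.45
    "2001:db8::1",                              # native IPv6, nothing embedded
]

if __name__ == "__main__":
    for peer in SAMPLES:
        kind, v4 = embedded_ipv4(peer)
        hit = blocked(peer, ["192.0.2.0/24"])
        print(f"{peer:40} {kind:7} {v4} blocked={hit}")
```

Native IPv6 peers carry no IPv4 address, so they can only be matched by IPv6 ranges.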
x190

Post by x190 »

If anyone else out there using IPv6 DHT has an interest in using blocklists with IPv6, please take a look at the following and add your comments which I'm sure will be a lot more enlightened than mine. :)

http://trac.transmissionbt.com/ticket/3180
x190

Post by x190 »

x190 wrote: If anyone else out there using IPv6 DHT has an interest in using blocklists with IPv6, please take a look at the following and add your comments which I'm sure will be a lot more enlightened than mine. :)

http://trac.transmissionbt.com/ticket/3180
Recommended reading: Security in an IPv6 Environment by Minoli and Kouns

See below for a short quote. Substitute Miredo for Teredo and OS X for Windows if that applies to you. Seems the only piece of the puzzle missing is good IPv6 blocklist support by Transmission. :wink:
Attachments
Screen shot 2010-04-30 at 12.15.31 PM.png
x190

Post by x190 »

Well I'll be, jch, Phoenix Labs blocks Teredo tunnels! Oh well, they don't block proxies. :)

Links and comments added:

http://trac.transmissionbt.com/ticket/3180
x190

Post by x190 »

jch, has IPv6 DHT worked for you recently? (Transmission v1.93)

Code:

Last login: Mon May  3 10:31:55 on console
$ traceroute6 -m 10 -p 6881 router.utorrent.com
traceroute6: nodename nor servname provided, or not known
$ traceroute6 -m 10 -p 6881 router.bittorrent.com
traceroute6: nodename nor servname provided, or not known
$ traceroute6 -m 10 -p 6881 dht.transmissionbt.com
traceroute6 to dht.transmissionbt.com (2a01:e0b:1:20:240:63ff:fee5:cb37) from 2001::xxxx:xxxx:0:xxxx:xxxx:xxxx, 10 hops max, 12 byte packets
 1  teredo.bit.nl  794.116 ms  206.135 ms  206.861 ms
 2  teredo-gw.jun1.bit-1.network.bit.nl  401.034 ms  221.881 ms  206.635 ms
 3  amsterdam-6k-1.routers.proxad.net  405.736 ms *  174.984 ms
 4  * * *
 5  bzn-crs16-1-be1102.intf.routers.proxad.net  471.563 ms  225.567 ms *
 6  * * *
 7  2a01:e0b:1:20:240:63ff:fee5:cb37  222.956 ms  224.521 ms *
Attachments
Screen shot 2010-05-03 at 10.50.17 AM.png
x190

Post by x190 »

Back in business. Was dht.transmissionbt.com down on the IPv6 side?
jch

Post by jch »

x190 wrote: Was dht.transmissionbt.com down on the IPv6 side?
Something has changed on the server side -- dht.transmissionbt.com used to be a pool of two addresses, it is now just a single address. I'll try to get it sorted out.

Temporary outages like that are not too worrying, though. Transmission implements four different techniques for bootstrapping a DHT, and using dht.transmissionbt.com is just a last-resort technique for when the DHT hasn't reached critical mass yet (and the IPv6 DHT hasn't).

(FWIW, Skype had their DHT collapse a couple of years ago. It took three days for the DHT to recover, three days during which every node was hitting the Skype servers for bootstrapping.)

--jch
x190

Post by x190 »

IPv6 DHT rocks! Unfortunately, the same can't be said for my *art*work. :lol: Sorry, just had to post this-- a bit of success after days of fighting with Miredo/Teredo, PG2, and Growl. :D
Attachments
Screen shot 2010-05-05 at 12.07.53 AM.png
x190

Post by x190 »

jch,

Do you get this DHT (I assume) network node from China using IANA reserved and internal IP addresses? Can't seem to block these addresses. Not sure if that's a UDP6 issue or because these addresses are most likely spoofed somehow. Any insights?

Code:

Allw- 180.97.107.22:49718 -> 254.245.190.156:51413 udp6 'Transmission (584)'
Allw- 254.245.190.156:51413 -> 180.97.107.22:49718 udp6 'Transmission (584)
Allw- 254.121.25.53:51413 -> 180.97.107.22:49718 udp6 'Transmission (584)'
Allw- 180.97.107.22:49718 -> 254.1.135.16:51413 udp6 'Transmission (584)'
-Allw- 180.97.107.22:49718 -> 254.161.110.214:41414 udp6 'Transmission (584)'
Allw- 180.97.107.22:49718 -> 254.146.224.6:9090 udp6 'Transmission (584)'
-Allw- local:49718 -> 190.160.209.182:9090 (http) udp4 'Transmission (584)
'Allw- 254.245.190.156:51413 -> 180.97.107.22:49718 udp6 'Transmission (584)'
Allw- 180.97.107.22:49718 -> 254.209.53.240:51349 udp6 'Transmission (584)'
Allw- 180.97.107.22:49718 -> ]0.0.0.4:9090
Fri May  7 2010 08:17:16.99  MDT 
-Allw- 180.97.107.22:49718 -> 254.243.48.5:58744 udp6 'Transmission (584)'
jch

Post by jch »

x190 wrote: Allw- 254.245.190.156:51413 -> 180.97.107.22:49718 udp6 'Transmission (584)
Something's definitely fishy -- there shouldn't be any traffic from class E addresses. I suspect that it's simply the logging software that's buggy, and mis-printing IPv6 addresses.
x190 wrote: Can't seem to block these addresses.
X190, if you think that by manually blocking addresses you're increasing your anonymity, you're mistaken. BitTorrent is intrinsically a noisy protocol -- please assume that your wife, your neighbour and your friendly local law enforcement agency know exactly what it is that you are downloading.
x190

Post by x190 »

jch wrote:
x190 wrote: Allw- 254.245.190.156:51413 -> 180.97.107.22:49718 udp6 'Transmission (584)
Something's definitely fishy -- there shouldn't be any traffic from class E addresses. I suspect that it's simply the logging software that's buggy, and mis-printing IPv6 addresses.
I figured that. Strange also that this China net is the only one that logs as udp6 even tho' I seem to have a healthy IPv6 DHT network. All the thousands of other T related connections are logged as udp4. Guess the Chinese have their own way of doing things and perhaps aren't very concerned about our protocols. :)
jch wrote: X190, if you think that by manually blocking addresses you're increasing your anonymity, you're mistaken. BitTorrent is intrinsically a noisy protocol -- please assume that your wife, your neighbour and your friendly local law enforcement agency know exactly what it is that you are downloading.
I think you misinterpret my purpose. Mainly I am trying to learn new things. I follow the laws of my country, but I still value my privacy. Uninvited guests with nefarious intentions are unwelcome.
jch

Post by jch »

x190 wrote: Guess the Chinese have their own way of doing things and perhaps aren't very concerned about our protocols.
Nonsense. There is no evidence whatsoever of China not obeying Internet standards (except for the Great Firewall playing weird tricks with DNS). I actually trust the Chinese to do things right much more than Verizon.

What your log shows is packets exchanged between China and Class E space. First, there is no such thing as Class E -- a packet to Class E space should be shot on sight by any half-competent ISP. Second, even if your ISP did let such packets through, there's no reason why they should go through your machine.

I'm fairly confident that your log is incorrect. Please file a bug with whoever produced whatever software you're using for logging.

--jch