15:58:59 #startmeeting tor anti-censorship meeting
15:58:59 Meeting started Thu Sep 29 15:58:59 2022 UTC. The chair is meskio. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:58:59 Useful Commands: #action #agreed #help #info #idea #link #topic.
15:59:03 hello everybody
15:59:05 here is our meeting pad: https://pad.riseup.net/p/tor-anti-censorship-keep
15:59:07 hello
15:59:14 please add what you've been working on
15:59:15 hi~
15:59:18 and points for the agenda
15:59:43 I haven't touched the list in the discussion section, not sure how many items are from last week and don't need discussion
16:00:42 but let's start with the first one, 'snowflake-01 bridge resources'
16:00:49 dcf1, ln5?
16:01:08 the snowflake-01 bridge continues to see a lot of traffic, mostly from Iran
16:01:22 it's up around 2.5 Gbps constantly
16:01:38 wow, that is impressive
16:01:54 but from the performance graphs it is clear we have hit a bottleneck, after removing some other bottlenecks that are summarized in the pad
16:02:53 current thinking is that we are running into CPU limits with kernel resources
16:03:41 the immediate plan is to disable TCP connection tracking, as evidence indicates it may be one of the limits we are facing; and anyway the conntrack table is getting close to filling up
16:03:45 https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40189
16:04:31 and we also plan to do some experimentation with tuning the network interface driver
16:05:01 those changes necessitate some preparation (e.g. tpo/anti-censorship/pluggable-transports/snowflake#40186) and a reboot (tpo/anti-censorship/pluggable-transports/snowflake#40188), which are expected to happen in a few hours
16:05:29 that's the news about the bridge
16:05:32 I guess we should consider enabling the multi-bridge support soon; it was the last point in the agenda, but let me push it up to be next
16:05:36 whew
16:05:46 that is a lot of tuning
16:06:11 yeah, amazing work there, it is impressive how much you are managing to get out of that machine
16:06:22 and they talk about 'web scale'...
16:06:24 yeah, thanks dcf...
16:06:25 snow-scale
16:06:28 it is quite a good machine too, don't get me wrong
16:07:34 gbps is a really cool word....
16:07:58 especially on a single device
16:08:04 ln5's post about conntrack and ethtool: https://lists.torproject.org/pipermail/anti-censorship-team/2022-September/000262.html
16:08:49 o/
16:09:24 should we move on to discussing how we enable multi-bridge support? anything else on tuning the server/bridge?
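[Editor's note: the "conntrack table getting close to filling up" concern above can be watched from the kernel's own counters. A minimal sketch in Go, not the team's actual tooling; the /proc paths are the standard netfilter counters, and the 90% warning threshold is an arbitrary example.]

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

// utilization returns how full the conntrack table is, given the raw
// contents of nf_conntrack_count and nf_conntrack_max.
func utilization(countRaw, maxRaw string) (float64, error) {
	count, err := strconv.Atoi(strings.TrimSpace(countRaw))
	if err != nil {
		return 0, err
	}
	max, err := strconv.Atoi(strings.TrimSpace(maxRaw))
	if err != nil {
		return 0, err
	}
	return float64(count) / float64(max), nil
}

func readProc(path string) string {
	b, err := os.ReadFile(path)
	if err != nil {
		return "" // missing counters become a parse error below
	}
	return string(b)
}

func main() {
	count := readProc("/proc/sys/net/netfilter/nf_conntrack_count")
	max := readProc("/proc/sys/net/netfilter/nf_conntrack_max")
	u, err := utilization(count, max)
	if err != nil {
		fmt.Println("conntrack counters not available on this host")
		return
	}
	fmt.Printf("conntrack table %.0f%% full\n", u*100)
	if u > 0.9 {
		fmt.Println("warning: conntrack table close to filling up")
	}
}
```

Disabling conntrack entirely (the plan in issue #40189) makes these counters moot; until then, a check like this can feed an alert.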
16:09:40 i'm done on the snowflake-01 topic
16:09:47 o/
16:10:10 context: https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/95
16:10:32 the thing that is currently blocking us from enabling this distributed snowflake support is that
16:10:56 once we enable this, all proxies that have not updated to the version supporting it will be rejected
16:11:46 currently, there are some standalone proxies that are not updated
16:12:23 and webextension proxies have mostly finished updating
16:12:41 thanks for this investigation shelikhoo, good work
16:13:26 28% of unrestricted proxy polls don't support the distributed snowflake server
16:13:26 we should enable this before next year, since we will see a drop in webext proxies when chrome disables our extension soon
16:13:33 my interpretation is that it's fine to start rejecting these proxies
16:14:01 to be clear, i'm hoping we don't see a drop in the web-based proxies
16:14:02 yes, we are considering setting a deadline and announcing it
16:14:03 cohosh has a good observation in https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/95#note_2837409
16:14:13 +1
16:14:37 the ones that don't update are standalone ones that people operate themselves and haven't upgraded recently
16:14:53 we care more about absolute numbers than relative numbers, I think
16:15:10 if you want to smooth the transition, you can do an intermediate step before fully deploying the new feature
16:15:41 e.g., when a proxy without relay URL support does a poll, reject it with 10% probability and return a response that will appear in the log
16:16:02 operators who are watching their logs will see it and upgrade, the ones who are not watching will not
16:17:31 it looks like we are hitting the limits of the bridge, I'm wondering how long we can wait to do the final switch
16:17:59 dcf1: I like your proposal, but it depends how soon we want to do the change
16:18:00 yes, I'm thinking of a timeline for multi-bridge rollout on the order of 1 month, if that's possible
16:19:00 if the concern is what will happen if we lose a large chunk of proxies all at once, you can dial that rejection probability parameter from 0% to 100% over a week, slowly, and see if things remain stable. it doesn't have to be a sudden loss of 100% of old proxies.
16:19:26 then, if things prove to keep working well with 100% of old proxies excluded, turn on the new feature
16:19:42 technically, could we do the roll-out where if the proxy supports the new url format, we assign it to other snowflakes, and if it doesn't, we only match it with people who wanted to use the snowflake it knows how to use?
16:20:02 i'm not saying we necessarily want to add that complexity, but, is it an option technically or am i misunderstanding some piece
16:20:03 no, the issue is that we are just rejecting x% of the polls, not x% of the proxies
16:20:30 unless we determine whether to reject based on a hash of the ip address rather than at random
16:20:45 otherwise the same proxy will just try again
16:20:48 arma2: I think that's correct. clients that want to use the snowflake-01 bridge (implicitly or explicitly) could use an old proxy
16:21:03 shelikhoo: I am not making myself clear. There are 2 different things:
16:21:15 1. there is a relay URL feature that is incompatible with old proxies
16:21:29 2. there is concern about what will happen if all the old proxies are suddenly lost
16:21:57 my point is that there is no reason for 1 and 2 to be coupled. you don't have to suddenly lose all old proxies on the same day you activate the relay URL feature
16:22:02 arma2: we could do that, but the current code doesn't support it, and it would take a while to implement multi-pool support
16:22:26 you can remove all the old proxies (suddenly or gradually) first; then, if things remain working well, activate the relay URL feature
16:23:00 it doesn't matter if old proxies continue to poll after getting probabilistically rejected, because you haven't yet activated the new feature that they are incompatible with
16:23:24 yes, dcf1. We can remove them first and see what happens. Right now I don't think tor browser ships with distributed snowflake proxy support yet
16:23:55 ohhh, that is something we need to change...
16:24:48 it's backward compatible with old clients, right?
16:25:03 yes. the client is backward compatible
16:25:06 if i were doing this, which i am not, i would be thinking of (a) change the broker to only pair old style proxies with clients whose requests are compatible with them, then (b) make tor browser clients do the new thing
16:25:08 the proxy is; the broker is not
16:25:43 cohosh: yes, it's supposed to be. the client upgrade can happen at any time, before or after the broker change, it's just that the second bridge won't be used at all until clients have upgraded
16:25:47 o/
16:26:11 arma2: I hear shelikhoo saying that your proposal would require some work
16:27:00 the first proposal would require additional work, which is the reason we are not doing it in the first place
16:27:34 right. is it five lines of code, if you know the right place and the right five lines? :)
16:28:20 the benefit would be that we could make dcf's two topics even more unrelated
16:28:57 no... I estimate it would be about 40-80 hours on this task... which converts to 1-2 months wall clock time...
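[Editor's note: the rejection dial dcf1 describes, combined with the hash-of-IP idea from 16:20:30, can be sketched in a few lines of Go. This is an illustration, not the broker's actual code; the function name and the use of FNV-1a are the editor's choices.]

```go
package main

import (
	"fmt"
	"hash/fnv"
)

// rejectOldProxy decides whether to reject a poll from a proxy that
// lacks relay URL support. rejectFraction is the dial from the
// discussion: raise it from 0.0 to 1.0 over a week rather than cutting
// off all old proxies at once. Hashing the proxy's IP, instead of
// rolling a die per poll, makes the decision sticky: at a given
// fraction, a given proxy is either always rejected or always
// accepted, so simply polling again doesn't help it.
func rejectOldProxy(proxyIP string, rejectFraction float64) bool {
	h := fnv.New32a()
	h.Write([]byte(proxyIP))
	// Map the 32-bit hash to [0, 1) and compare against the fraction.
	return float64(h.Sum32())/float64(1<<32) < rejectFraction
}

func main() {
	// Example IPs from the documentation ranges (RFC 5737).
	for _, ip := range []string{"203.0.113.5", "198.51.100.7", "192.0.2.33"} {
		fmt.Printf("%s rejected at 30%%: %v\n", ip, rejectOldProxy(ip, 0.3))
	}
}
```

A rejected poll would also carry a response that shows up in the proxy's log, so attentive operators upgrade; that part is omitted here.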
16:29:07 but I could be wrong
16:29:40 we can just do the switch and see what happens
16:29:47 since the client is not currently using this
16:29:53 we can revert it if we wish
16:30:17 that is probably not worth it. how much effort do you think it would take to do what dcf proposes, to have the option to configure a percentage of old proxies to be rejected?
16:30:30 yeah, I also feel that even a sudden loss of that proxy capacity likely will not be a problem
16:31:17 we'll see, as we are hitting a limitation on unrestricted NAT proxies...
16:31:19 in other words it does not make me feel uncomfortable if you decide to yolo it. as you say, it's easy to revert if there's a problem.
16:31:41 dcf's reject should take 16 hours, or 1-2 weeks wall clock time
16:31:48 yeah i think we'll be ok
16:31:50 maybe we can reject old proxies
16:31:57 and see what happens
16:32:13 if something goes wrong we can revert it
16:32:40 on the compatibility problem, it may look bad to see a lot of rejections, but we don't have metrics on how long clients are actually waiting, and there are other fixes in the works to alleviate this stress
16:33:34 sounds good to me. the original proposal AFAIK is to decide on a date when we do the switch, and make a call for proxies to update before that date as a last opportunity
16:33:58 should we do something like Oct 19th (in 3 weeks)?
16:34:05 yes.. but if we want to be able to revert it, then we can't set a deadline
16:34:23 we can say we are going to reject them in 3 weeks
16:34:39 really appreciate what you are doing shelikhoo, it is good that most of the work is already in place at the time it is needed
16:34:50 and next monday, try to start rejecting old proxies for a while
16:34:57 and collect some user feedback
16:35:08 I will write a guide on how to revert the rejection
16:35:13 ahh, I see
16:35:21 that is a good idea
16:35:23 so that everyone in the team can revert it
16:35:27 shelikhoo: awesome
16:35:41 and I'll do the rejection setting on monday
16:35:45 and see what happens
16:35:46 +1
16:36:14 if things go wrong, anyone can revert it, even if I am off hours
16:36:21 I think we should mention that we are rejecting them on tor-relays and the forum, maybe we get some people to update
16:36:28 yes
16:36:32 +1
16:36:58 and if it goes well, next week we should start looking into how to get it into TB
16:37:21 yes!
16:40:03 great, we have a plan
16:40:07 anything else on this topic?
16:40:14 nothing from me
16:40:22 let's move to 'snowflake proxy resources'
16:40:49 I added the discussion item, though I have not been working on it
16:40:58 I posted some links with the information I know about
16:41:18 the discussion subthread starts at https://lists.torproject.org/pipermail/anti-censorship-team/2022-September/000249.html
16:41:35 heh, you worked on it a bit, your suggestions are good
16:41:39 merge request to have existing unrestricted NAT proxies do more work: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake-webext/-/merge_requests/47
16:42:40 I don't have any specific points to discuss, it looks like meskio is already reviewing !47
16:42:58 yes, it looks trivial, but my knowledge of the webextension is not so great
16:43:20 the only thing i'll add is that we had some people in universities reach out and offer to run some standalone proxies on un-NAT'd servers
16:43:50 nice
16:43:57 there were also a few concerning instances on the forum where people were talking about turning off the firewalls of their home networks to improve their proxy compatibility
16:44:26 i learned how to haxxor my verizon router to make the standalone snowflake on this laptop be unrestricted, and it makes a huge difference in how many clients i see
16:44:40 I wonder if we should work on a callout and/or documentation around how to configure unrestricted proxies, but we can wait to see if next week the problem is still there...
16:44:42 (haxxor = log in to router, find the section named 'static nat', click on some stuff)
16:45:12 meskio: there is a ticket on exactly that,
16:45:14 https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40128
16:45:19 i'm hesitant to encourage this in general
16:45:32 but the question cohosh raises is a good one, around whether we should be instructing eager naive people to shoot their network in the foot
16:45:37 arma2: ohhh, static nat, I didn't know about that, I just redirect a big chunk of UDP ports to my snowflake
16:45:54 meskio: i imagine the crappy web interface varies widely from one router to the next
16:46:26 I have an openwrt, and I failed to modify the nat to allow an unrestricted proxy...
16:46:37 meskio: i also had to tell it to map my laptop to the external ip address, manually, so if the external ip address changes, my laptop won't be able to send any packets until i remember i did that and go fix it on the router. not best for normal users.
16:46:44 anyway, I see cohosh's concerns, makes sense, let's see if our other approaches work
16:47:34 i think that's all from me on this
16:47:48 cool
16:47:50 meskio: linux by default doesn't support full cone masquerading
16:47:51 https://github.com/Chion82/netfilter-full-cone-nat
16:47:58 you might wish to look into this
16:48:15 thanks
16:48:24 that is everything from me
16:48:28 wow, kernel modules...
16:48:38 anyway, 'gettor telegram bot down'
16:48:51 I see a fix was deployed last week
16:49:07 anything to talk about here? or is it a leftover from last week?
16:49:16 leftover from last week
16:49:28 cool, maybe the same with moat being down?
16:49:40 no, that's new
16:49:47 ahh, cool
16:49:52 but meskio might wish to chat with the developer about this
16:50:04 but i don't have much to say, i just brought it up because we don't know how long it was down for
16:50:26 shelikhoo: you mean about gettor telegram? yes, I've been talking with them :)
16:50:27 I only deployed the change to get it working, but the developer has since pushed additional commits
16:50:32 some people have suggested it's the reason snowflake grew so popular, but idk how to verify that
16:50:38 yes, gettor telegram
16:50:55 cool, I'll check on the changes
16:51:00 sorry, cohosh, continue
16:51:08 that's it, heh
16:51:22 so having moat back reduces the load on snowflake?
16:51:37 we'll see, as we have a next topic on how iran is blocking obfs4...
16:51:50 oh, i don't think that was the case
16:52:14 there was an enormous spike in moat requests on the bridgedb server recently, if i remember that graph correctly
16:52:24 enormous to the point that it seems unlikely they are mostly humans
16:52:45 ufff
16:52:51 yeah, moat shouldn't get that many requests, because you can only really use it once
16:53:07 I wonder if they go over the domain front...
16:53:08 within like a 3 hour time span
16:53:28 might be a good idea to regenerate the moat captchas as a precaution, I think meskio did it the last time
16:53:58 dcf1: yes, we don't rely on those so much anymore, as most people get bridges from circumvention settings, which doesn't use captchas
16:54:07 but I can regenerate them just in case
16:55:42 thanks meskio!
16:55:55 we have detected some blocking of obfs4 bridges in Iran, when we connect to the bridge inside iran from outside
16:55:58 ok, let's keep an eye on that, I'll try to investigate the stats to see what they are looking into
16:56:34 shelikhoo: re the obfs4 bridge blocking from outside, do we know if the tcp connection worked?
16:56:39 yes, the obfs4 bridge was a fresh private bridge, so they must block it by protocol or something else
16:56:55 yes, I tested before with netcat
16:57:03 with content like "11" "wwww"
16:57:15 so we could connect, and then we did an obfs4 handshake, and then we couldn't connect?
16:57:20 was the bridge given out?
16:57:38 "well that's not good" :)
16:57:39 cohosh: no, it hasn't been given to anybody, it was just configured
16:57:43 TCP's SYN SYN_ACK ACK is working
16:57:46 oof
16:57:58 and then the payload packets get dropped
16:58:06 after the first one
16:58:08 they might be blocking random-looking traffic
16:58:17 in the past, iran did http whitelisting, i.e. they did dpi to guess the protocol and then they squeezed everything that didn't classify as a protocol they liked
16:58:28 BTW, the bridge was not running the latest obfs4proxy
16:59:02 i would be surprised if they are basing their decision on entropy. but, i have been surprised before. but, rarely by that censoring approach.
16:59:24 and, connecting via obfs4 to bridges in iran, from inside iran, still works?
16:59:34 yes
16:59:40 (for a while)
17:00:04 sounds like the next steps are either (a) keep listening for more info in case somebody learns more, or (b) try to do a more concrete and more controlled experiment
17:00:07 then we received the report that it was blocked after we started distributing it
17:00:08 but maybe our bridge got too public, or our traffic too 1:1 upload/download, and they blocked it
17:01:12 or they are blocking traffic for services created recently by accounts outside the country
17:01:18 also, if it doesn't get blocked with obfs4proxy-0.0.14 on both ends, that would be awesome. I think that's unlikely to be the issue though
17:02:19 yes, we should test that
17:02:39 eth0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
17:02:39 RX: bytes packets errors dropped overrun mcast
17:02:39 25579021098 70409889 0 1555 0 0
17:02:39 TX: bytes packets errors dropped carrier collsns
17:02:39 16187808560 17206989 0 0 0 0
17:02:50 I don't think it is blocked by traffic ratio
17:03:34 mmm, good point
17:03:45 while we have the machine, we could try webtunnel to see if it works
17:03:58 even if it's not rolled out in tor browser yet
17:04:08 so, either the bridgeline was leaked, or they just block unknown/random/obfs4 traffic
17:04:13 also inside the country
17:04:21 * arma2 runs to next meeting, will read backlog after, thanks!
17:04:38 yes, we can try it
17:04:54 I think iran is blocking TLS based on Go's fingerprint
17:05:10 so we need to get uTLS into webtunnel
17:05:14 cohosh, dcf1: if you want access to the machine feel free to ask
17:05:18 doesn't snowflake use Go's fingerprint for broker connections though?
17:05:19 before being sure it works
17:05:37 utls support in snowflake also hasn't shipped in tor browser yet, from what i can tell
17:05:41 cohosh: it depends on the platform, the fingerprint is different
17:06:04 the one blocked, arm based system's fingerprint
17:06:08 I think...
17:06:23 the one blocked is the arm-based systems' fingerprint
17:06:28 like android phones
17:07:00 mmmm
17:07:17 ah i see, and we wouldn't get snowflake traffic from mobile networks anyway
17:07:30 there is only one way to find out... so we should try it
17:07:46 :)
17:08:19 I think in iran people usually just use LTE, not a lot of people have a fiber connection...
17:08:46 based on user feedback
17:09:27 maybe they are tethering the LTE connection to their desktop device?
17:10:35 I will test whether obfs4proxy-0.0.14 makes any difference to the connection
17:10:45 yes, let's test it
17:11:55 anything else on this topic?
17:12:05 or maybe we can close the meeting
17:12:16 nothing from me
17:13:09 #endmeeting