16:01:19 <Shelikhoo[mds]> #startmeeting tor anti-censorship meeting
16:01:19 <MeetBot> Meeting started Thu Mar 26 16:01:19 2026 UTC.  The chair is Shelikhoo[mds]. Information about MeetBot at https://wiki.debian.org/MeetBot.
16:01:19 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
16:01:19 <Shelikhoo[mds]> here is our meeting pad: https://pad.riseup.net/p/r.9574e996bb9c0266213d38b91b56c469
16:01:19 <Shelikhoo[mds]> editable link available on request
16:01:19 <cohosh> hi
16:01:22 <onyinyang> hihi
16:01:56 <meskio[mds]> hello
16:03:34 <Shelikhoo[mds]> while everyone is updating their status, one update from a topic from last week:
16:03:47 <Shelikhoo[mds]> about Release schedule planning for containers
16:04:06 <Shelikhoo[mds]> the link to the issue is here: https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/181
16:04:29 <Shelikhoo[mds]> anyway, that is it for the update
16:04:53 <Shelikhoo[mds]> I will wait 1 min before starting with the discussion topics
16:05:25 <Shelikhoo[mds]> 3 Bucket NAT Type Testing Proposal:
16:05:35 <Shelikhoo[mds]> https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40077#note_3382448
16:05:46 <Shelikhoo[mds]> instead of having one single test, we run 2 webrtc connect test in parallel... (full message at <https://matrix.debian.social/ircbridge/media/v1/media/download/ATgtE8_E4-SsDmJpzK9Ra2Wkrmbe9qs_Yy1_4js1UCs8gumkuWAXHKgale75mIX8wwLaZjU6BvWxA6JUv2TeaJxCedTvGNKgAG1hdHJpeC5kZWJpYW4uc29jaWFsL1BCbElTVEZiR2ZIZWdhZVJkZVBic1pnTg>)
16:06:10 <Shelikhoo[mds]> sorry for the bad format, I will try again
16:06:17 <Shelikhoo[mds]> instead of having one single test, we run 2 webrtc connect tests in parallel
16:06:26 <Shelikhoo[mds]> one of them has a "no server reflective candidate, Endpoint+Port Dependent (Pinned) Filter, Endpoint+Port Dependent Mapping" network environment on server side's webrtc to test if the proxy is of type "open", it is open if the client can connect
16:06:58 <Shelikhoo[mds]> one of them has an "Endpoint+Port Dependent Filter, Independent Mapping" to test if the proxy is of type "moderate", if it connects then it is
16:07:00 <Shelikhoo[mds]> the nat type test assist server gets these network environments by modifying the sdp info (which we already do to remove some host candidates); connecting via socks5 proxy, the socks5 proxy simulates these network types by intentionally sabotaging the relayed connection
16:07:13 <Shelikhoo[mds]> This design would reduce the amount of logic changes we need to make on the proxy, however, it would result in an increase of server load.
16:07:58 <cohosh> modifying the sdp info is a nice trick
16:07:58 <Shelikhoo[mds]> About this design
16:08:00 <Shelikhoo[mds]> Are there any missing points/miscategorizations that are not discussed?
16:08:16 <Shelikhoo[mds]> Are there any unintended side effects that are not discussed?
16:08:20 <meskio[mds]> I assume the server load is only while doing the NAT type test, that should only happen once in a long while, isn't it?
16:08:39 <cohosh> would this remove the need for the network namespace and iptables setup on the probetest server?
16:09:31 <Shelikhoo[mds]> yes, about the server load, it will require twice the amount of connection tests
16:09:35 <meskio[mds]> ahh, I'm slow, you mean the snowflake server, not the proxy, I see
16:09:52 <cohosh> i think the probetest server?
16:10:13 <meskio[mds]> yes
16:10:30 <Shelikhoo[mds]> yes, the probetest server gets twice the amount of connection tests
16:10:57 <cohosh> this is co-hosted with the broker
16:10:58 <Shelikhoo[mds]> cohosh: yes, with sdp modify and socks5, this would remove the need for the namespace and iptables setup
16:11:30 <Shelikhoo[mds]> so it will not require any more special root-required setup that is risky to make updates to
16:12:12 <cohosh> Shelikhoo[mds]: this is a really nice proposal. i'll take a look at the proposal after the meeting, i won't be able to give it a detailed review of the categorization in the time here if that's what you're looking for
16:12:21 <Shelikhoo[mds]> the server load will increase as the socks5 udp proxy will require more system resource than linux netfilter
16:13:04 <cohosh> ah i see, the proxy is running in front of the probetest
16:13:11 <Shelikhoo[mds]> yes! I was trying to avoid making mistakes that might be costly to fix later
16:13:43 <cohosh> we were already having some load and accuracy problems with the probetest service as it is, that is worth thinking about
16:14:00 <Shelikhoo[mds]> yes, the probetest will connect to proxy(that wants its nat type tested) via a socks5 proxy that is restricting the connectivity
16:14:04 <cohosh> i suppose we should see where we're at with that now
16:15:08 <Shelikhoo[mds]> cohosh: the snowflake client already supports connecting via socks5 proxy
16:15:59 <Shelikhoo[mds]> so we just need to copy and paste the code from snowflake client about connecting via socks5 proxy to the nat type test server
16:16:10 <cohosh> right, i mean if we're going to require more resources for the probetest service we should do some work to see how overloaded it currently is
16:16:26 <cohosh> and the broker machine
16:16:59 <Shelikhoo[mds]> yes... I will have a look at it, and update the server load info on the ticket
16:17:29 <Shelikhoo[mds]> at least it should not be too hard for us to run this nat type testing on another machine
16:18:59 <cohosh> well, it depends on how expensive it is and who is paying for it
16:19:29 <Shelikhoo[mds]> yes... that is true for sure
16:20:07 <cohosh> the last probetest performance discussion seems to be in https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40071
16:21:07 <cohosh> thanks for working on this issue Shelikhoo[mds]
16:21:09 <Shelikhoo[mds]> I mean from a technological point of view, it will not take a lot of engineering to get it to run on another machine
16:21:39 <dcf1> Tell me more about the socks5 UDP proxy part. I don't understand whether the socks5 proxy is part of a scaffolding/testing plan, or whether it is the intended end-user deployment (i.e. we include the socks5 UDP proxy with Tor Browser and Orbot, it runs as long as snowflake is running).
16:22:14 <Shelikhoo[mds]> thanks cohosh for the valuable feedback as well!
16:22:53 <Shelikhoo[mds]> dcf1: no, this socks5 udp proxy will be run at nat type server to restrict the connectivity of the server's webrtc connection
16:23:01 <dcf1> I may be misunderstanding some details, but for an end-user deployment, I wonder if a fully-fledged proxy is needed. Could it be a program that doesn't use a proxy interface to decide what packets to send, but just a program that already knows what packets to send to report "moderate" or "strict"?
16:23:14 <dcf1> Shelikhoo[mds]: oh, indeed I completely misunderstood.
16:23:26 <Shelikhoo[mds]> so it will be deployed on the server side(at broker machine or nat type assist service machine), but not on end user's machine
16:23:34 <dcf1> thanks
16:24:24 <Shelikhoo[mds]> for the proxy side, it will be the exact same as now, with the exception of attempt to connect to 2 instead of 1 nat type test assist url
16:24:49 <cohosh> Shelikhoo[mds]: do we need the socks proxy? what if the probetest service modifies its own sdp? similar to how we scrub out local addresses?
16:25:51 <cohosh> oh it also implements the restrictions
16:26:32 <cohosh> ok that's as much review as i can give immediately :)
16:28:51 <Shelikhoo[mds]> I would be more than happy to know....
16:28:51 <Shelikhoo[mds]> s/would/will/
16:28:51 <Shelikhoo[mds]> cohosh: I didn't think a way to accurately simulate the filtering and mapping restriction with sdp modification alone, but if you think up such a nice plan please do share it
16:28:51 <Shelikhoo[mds]> that is everything I have about this topic for now as well
16:28:55 <Shelikhoo[mds]> anything more we want to discuss in this meeting?
16:29:11 <Shelikhoo[mds]> * didn't think up a way
16:30:19 <Shelikhoo[mds]> #endmeeting