etched has quit [Remote host closed the connection]
etched has joined #ipfs
trqx has quit [Remote host closed the connection]
trqx has joined #ipfs
aeftimia has joined #ipfs
leeola has quit [Quit: Connection closed for inactivity]
aeftimia has quit [Remote host closed the connection]
dhruvbaldawa has joined #ipfs
harlantwood has quit [Ping timeout: 248 seconds]
sorboside has joined #ipfs
etched has quit [Quit: etched]
etched has joined #ipfs
Oatmeal has joined #ipfs
dhruvbaldawa has quit [Remote host closed the connection]
guideline has quit [Ping timeout: 252 seconds]
Blustone has quit [Quit: Blustone]
kuroshi has quit [Quit: ZNC 1.6.3+deb1 - http://znc.in]
guideline has joined #ipfs
kode54 has joined #ipfs
Alpha64_ has joined #ipfs
Alpha64 has quit [Ping timeout: 240 seconds]
kode54 is now known as kuroshi
Caterpillar has quit [Excess Flood]
Caterpillar has joined #ipfs
apiarian has joined #ipfs
Alpha64 has joined #ipfs
Alpha64_ has quit [Ping timeout: 260 seconds]
warner has quit [Quit: ERC (IRC client for Emacs 25.2.1)]
dPow has quit [Remote host closed the connection]
dPow has joined #ipfs
etched has quit [Quit: etched]
warner has joined #ipfs
rcat has quit [Ping timeout: 240 seconds]
vivus has quit [Quit: Leaving]
<Li[m]>
musicmatze: I'm basically using Matrix to do (eventually) all that you're describing.
<Li[m]>
I'm not sure what you mean by distributed
<Li[m]>
I run a server, you run yours. DNS seems to be your problem, not matrix
<Li[m]>
lgierth: That's a very warped quote of what I said
<Li[m]>
If you said 'HIP deals with the problem of encrypting *all connections on the network* once and for all' then, yes, that's what I explained
<Li[m]>
It would spell the end of unencrypted traffic
<Li[m]>
HIP uses ipsec which is the only way to encrypt IP
<Kythyria[m]>
It's impossible to put datagrams inside DTLS -- Li
<Kythyria[m]>
And no, the sole thing HIP deals with, afaict, is mapping a pubkey to an IP address.
<Li[m]>
HIP splits the identifier role of IP address into an actual secure identifier
<Li[m]>
it fixes a problem, which is caused by using the IP address to do 2 different things, which it obviously can't do
<Li[m]>
not sure what you're saying about DTLS
<Kythyria[m]>
It doesn't provide a way to determine if that key belongs to a host you're actually intending to talk to, a way to deal with network upsets besides address changes, or, afaik, actually do an encrypted conversation.
<Kythyria[m]>
For HIP to be the only way to encrypt IP would require it be impossible to put packets in anything else. Such as DTLS.
<Li[m]>
kythyria: so what? it doesn't provide you with all-knowledge of the universe, and nothing ever will
<Li[m]>
if you have no trusted key, you have no trusted key. out of luck you are
<Li[m]>
nothing can solve that
<Li[m]>
you mean ipsec ... you can put packets into an encrypted stream made at the transport layer, but that isn't encrypting IP itself
<Kythyria[m]>
Why isn't it?
<Li[m]>
ipsec is how you encrypt IP itself
<Li[m]>
IP is below the transport layer
<Kythyria[m]>
So? It's also below IPSec.
<Li[m]>
ipsec encrypts the packet at the network layer, it encrypts IP itself
<Li[m]>
cmon man
<Li[m]>
you know this
<Kythyria[m]>
So how do routers deal with these packets where the IP header is encrypted?
<Kythyria[m]>
You _can't_ encrypt the real network layer, unless you have a very strange protocol which IP isn't.
<Vaelatern>
Look at it on the wire.
<Vaelatern>
The protocol is quite clear as to how it works.
<Kythyria[m]>
IPSec has to sit where TCP does.
* Vaelatern
sighs and pulls up 4301
<Kythyria[m]>
There's nowhere else for it to go. You can't encrypt the IP header because intermediate nodes need to see it to deliver the packet, and it's not inside any transport.
<Li[m]>
thanks Vaelatern ... so from 4301
<Li[m]>
> It describes how to provide a set of security services for
<Li[m]>
traffic at the IP layer
<Li[m]>
there, black on white, my friend
<Li[m]>
or whatever your theme is
<Vaelatern>
green on black, 'cuz l33t or whatever
<Kythyria[m]>
Which it necessarily does by providing something that looks a lot like the interface IP itself provides, while being encapsulated in cleartext IP.
<Kythyria[m]>
"Encrypts IP itself" is a very strange way of wording that.
aeftimia has joined #ipfs
<Kythyria[m]>
By that standard, TLS "encrypts TCP itself"
<Kythyria[m]>
(before you say anything, yes, I know you can make a VPN out of IPsec, presumably by using GRE. But that's not the point here.)
aeftimia has quit [Ping timeout: 240 seconds]
lacour has joined #ipfs
r3dfish has joined #ipfs
r3dfish is now known as redfish
<Li[m]>
IPsec being a part of the IP spec, that is; here's an improvement: encrypt IP using the IP specification
robattila256 has quit [Quit: WeeChat 1.9.1]
<Li[m]>
DTLS doesn't use IP's authentication header
<Kythyria[m]>
IP doesn't have an authentication header.
<Li[m]>
I think we're done
<Kythyria[m]>
IPsec defines an authentication header which is placed in the packet body.
<Li[m]>
in the extension headers
<Li[m]>
header*
<Kythyria[m]>
The only field in the IP header that it makes any kind of sense to apply encryption to is the protocol number... and that's taken up with the "this packet is encrypted" value!
<Kythyria[m]>
Certainly RFC791 doesn't mention an "authentication header"
rcat has joined #ipfs
<Kythyria[m]>
You can possibly say that the IPv6 extension header counts. Possibly.
<Kythyria[m]>
And in any case, that's still not encrypting "IP itself".
<Kythyria[m]>
Unless you're using VPN mode.
TheGuyWho has quit [Ping timeout: 260 seconds]
TheGuyWho has joined #ipfs
aeftimia has joined #ipfs
aeftimia has quit [Ping timeout: 240 seconds]
<Li[m]>
> RFC791 doesn't mention an "authentication header"
<Li[m]>
You should look up the meaning of 'RFC' and count how many there have been since 791
<Li[m]>
or check out 4302
<Li[m]>
time to walk out of the nineties
ianopolous has joined #ipfs
<Li[m]>
I really fail to see what you're trying to advance
<Li[m]>
the forced and impossible dual role of IP addresses has been recognized since DARPA net
dhruvbaldawa has joined #ipfs
<Li[m]>
I'm not pulling this out of thin air. The problems related to it will only be solved by using a second namespace to allow locator values to act as locators, and identifiers to identify
<Kythyria[m]>
It's clearly not impossible, seeing as it works.
<Kythyria[m]>
It nonetheless stands that IPv4 does not have an "authentication header"
robattila256 has joined #ipfs
<Kythyria[m]>
It's rather difficult to call it a header to IP when it's contained entirely within the payload.
<Kythyria[m]>
And you can use the rest of IPsec perfectly fine without HIP, I suspect.
<Li[m]>
Yakov Rekhter once stated: ”Addressing follows topology or topology follows Addressing. Choose one.”
<Li[m]>
I don't give a flying f*** about IPv4 ... sorry, I really have a thing for it
<Kythyria[m]>
Also, the original point of DNS is to be a namespace for identifying things and mapping those identifiers to where they currently are on the network.
<Li[m]>
there's an argument to be made that you can ditch TCP, use UDP or something that builds on it like QUIC and you could still get mobility, but you still miss a lot of the benefits of HIP
<Li[m]>
a domain name doesn't identify a host
<Li[m]>
it maps a meaningful name to an IP address which is de facto acting as your identifier
<Li[m]>
your TCP doesn't call a domain name
<Li[m]>
domain names address a human-machine ease of use problem, they do nothing to secure the network
<Li[m]>
I can use SSL certificates without DNS
<Kythyria[m]>
Most of the time you don't want to talk to one specific host.
joocain2_ has joined #ipfs
<Li[m]>
you always want to talk to a host
<Li[m]>
lol
aeftimia has joined #ipfs
<Kythyria[m]>
Sure, so there's always one specific host I want to communicate with?
<Kythyria[m]>
Normally you want to connect to any of the hosts providing a particular service.
<Li[m]>
yes, the one closest to you
<Kythyria[m]>
HIP doesn't help with that.
<Li[m]>
sure it does
<Kythyria[m]>
How?
<Li[m]>
HIP gives you multihoming. now you can keep testing for the best host for a given service
<Li[m]>
or use more than one
<Kythyria[m]>
You have to give every host a different key, though.
<Kythyria[m]>
Otherwise packets go to the wrong place when you jump to a different place in the network.
<Li[m]>
HIP means host identity protocol, of course every host has a different hid
joocain2 has quit [Ping timeout: 248 seconds]
<Kythyria[m]>
So now you're doing the same thing you could have done with a bunch of A records.
<Li[m]>
you're doing a hell of a lot more, you solve the dual-role problem of IP addresses
<Li[m]>
you end up with mobility, multi-homing, identity based firewalls
<Kythyria[m]>
In the case of a HTTP client communicating with servers which are located in many points around the network, you want to drop the connection when your IP address changes, because it quite likely changed because you moved! So you want to reconnect to whichever server is now near you!
<Kythyria[m]>
And that does require the application layer to notice. Heck, it requires the transport layer notice.
aeftimia has quit [Ping timeout: 240 seconds]
<Li[m]>
HIP does that way better, you don't need to drop the connection and it reconnects you to a new location
<Kythyria[m]>
How is that better?
<Kythyria[m]>
Now your packets are going to a different server that has no idea what to do with them?
<Li[m]>
why is losing the connection good?
<Kythyria[m]>
It is if you want to switch to a different peer.
<Li[m]>
what?
<Kythyria[m]>
You're going to have to disconnect from the old one and start talking to the new one.
<Li[m]>
I think you really don't know what HIP does
dhruvbaldawa has quit [Remote host closed the connection]
<Kythyria[m]>
It provides ways to map a public key fingerprint to the current addresses of the machine with the corresponding private key.
<Li[m]>
with HIP your 'IP addresses' are called locator values. you can keep changing location all day
<Li[m]>
the HID is the 'IP address' that your transport layer uses
<Li[m]>
not the locator
<Li[m]>
the locator is used to route the package
<Kythyria[m]>
I'm aware of that.
<Li[m]>
so you can keep your connection up and switch location all day
<Kythyria[m]>
And it has to keep going to the same machine.
<Li[m]>
and you can get rid of TLS
<Kythyria[m]>
Except for the bit where TLS is aware of domain names.
<Kythyria[m]>
I hope you already have a mechanism to determine your nameserver is trustworthy.
<Li[m]>
and you can have an opaque network in terms of which applications are used
<Li[m]>
How the fuck is that now solved but made a problem with HIP
<Li[m]>
why do you trust your name server now?
<Li[m]>
whats different?
<Li[m]>
you don't even need domain names with HIP to have secure connections
<Li[m]>
you can just use your buddies' HIDs, just like when you use a Tox messenger like thing
<Li[m]>
then MITM is impossible
<Li[m]>
so you can keep your friends' HIDs handy
<Kythyria[m]>
Well, except for that you have no way of telling if the thing with a given pubkey is the thing you want to talk to.
<Kythyria[m]>
Which is why TLS cares about domain names in the first place!
<Li[m]>
you're really pointing to something that isn't a problem that HIP is solving
<Kythyria[m]>
You're the one claiming that HIP solves it.
<Li[m]>
how to trust name servers
<Li[m]>
no I said you don't need TLS
<Kythyria[m]>
And TLS includes consideration of names.
<Li[m]>
the HID that the nameserver gives you is already a public key
<Kythyria[m]>
So if you don't need TLS that implies you don't need that feature either.
<Li[m]>
there's nothing HIP keeps name servers from doing
<Li[m]>
the root key can sign the HIDs and upload them to the root DNS
<Li[m]>
I mean the domain root key
<Li[m]>
you can use HID pubkeys instead of making certificates for your hosts
<Li[m]>
it's easier and also hides your transport layer
<Kythyria[m]>
How does hiding the transport layer help with name authentication?
<Li[m]>
its a bonus feature
<Li[m]>
then Tor can be nowhere and everywhere, for example
<Li[m]>
and the great firewall crumbles
<Kythyria[m]>
Or gets configured to stomp on or extremely throttle anything not going to an approved address.
<Li[m]>
you're talking about name authentication which has nothing to do with HIP
<Kythyria[m]>
TLS does name authentication and you're claiming HIP makes TLS unnecessary.
<Li[m]>
sure you can completely shut out China from the world, so what
<Li[m]>
tls uses a certificate obtained from the name server to encrypt the wire
<Li[m]>
I'm saying you can use the HID just as well (better)
<Kythyria[m]>
TLS doesn't obtain a certificate from a name server.
dangduong[m] has left #ipfs ["User left"]
<Li[m]>
just swap the certificates with HIDs
<Li[m]>
you get more security and less work
<Kythyria[m]>
You lose name authentication.
<Li[m]>
no
<Li[m]>
you can use your domain root certificate to sign HIDs
<Kythyria[m]>
"domain root certificate"
<Kythyria[m]>
I have never encountered this term in any context to do with TLS.
<Li[m]>
you use signatures to create your tls certificates
<Kythyria[m]>
Does HIP actually have a way to communicate the name you're expecting to talk to?
<Li[m]>
it doesn't care about that
<Li[m]>
I'm saying DNS can use those keys instead of SSL keys
<Kythyria[m]>
DNS doesn't use those keys!
<Li[m]>
I'm completely aware of that
<Kythyria[m]>
It doesn't use TLS keys either!
<Li[m]>
well then you're in plain text, HTTP without SSL is kind of stupid
<Li[m]>
plain text networking should only be seen in history books
<Li[m]>
I'm including TLS in DNS because I wouldn't think of using it without
aeftimia has joined #ipfs
<Li[m]>
thanks for testing the theory, but I really think you'd like to look into it
<Kythyria[m]>
Except that DNS is used without TLS.
aeftimia has quit [Ping timeout: 240 seconds]
tombusby has quit [Remote host closed the connection]
<Kythyria[m]>
TLS is then used to talk to whatever it is you were looking up the address of.
<Kythyria[m]>
And you include the name you looked it up by.
<Li[m]>
To enable scalability of routing systems, Rekhter's law states that "Addressing can follow topology or topology can follow addressing. Choose one." However, in today's IP-based networks this does not hold as the semantics of IP addresses are overloaded as identifier and as locator. An identifier describes the identity of a device, while a locator describes its location and attachment in the network, i.e. the locator encodes
<Li[m]>
topological information. The identifier is mainly used by the application, the locator mainly used for routing. "As a result, it is difficult (if not impossible) to make a single number space serve both purposes efficiently".
<Li[m]>
that's all of it there
<Kythyria[m]>
How does an IP address define the "identity" of a device in the first place?
<Li[m]>
lol
<Li[m]>
but it does
<Kythyria[m]>
My phone has three IP addresses. Which one is its identity?
<Kythyria[m]>
And very few applications use IP addresses directly except as an implementation detail.
tombusby has joined #ipfs
<Kythyria[m]>
I suspect the reason nobody's much interested in HIP is because designing it that way mostly helps with handover in mobility scenarios. The rest of the time you want something that goes from name to locator rather than machine identity to locator.
<Kythyria[m]>
So Matrix handles mobility well enough, because if the connection hiccups for any reason you can retry the request. The server isn't moving much, after all.
Alpha64 has quit [Ping timeout: 246 seconds]
Alpha64 has joined #ipfs
Alpha64 has quit [Changing host]
Alpha64 has joined #ipfs
aeftimia has joined #ipfs
aeftimia has quit [Ping timeout: 248 seconds]
tiroliro has quit [Ping timeout: 246 seconds]
cwahlers_ has quit [Ping timeout: 240 seconds]
<Li[m]>
Let's talk again after we have an implementation
<Li[m]>
basically you said that the benefits aren't worth the cost
<Li[m]>
and I'm saying the costs are already incurred by the flawed naming/TLS system
<Kythyria[m]>
You're also omitting the cost of retrofitting everything. Again.
<Kythyria[m]>
And HIP doesn't have a naming system at all, so you still need to fix that bit somehow.
<Li[m]>
there's no retrofitting, it's a shim, the application doesn't need to be aware of it, and the routers don't need to be aware of it
TheGuyWho has quit [Ping timeout: 240 seconds]
<Li[m]>
again, I didn't say HIP fixes the naming system
<Li[m]>
I said and I repeat, again, that the naming system is already incurring the cost that HIP would have
<Li[m]>
so there's negligible overhead
<Kythyria[m]>
And so if you started using HIP you would have the cost of the naming system and of HIP.
<Li[m]>
your secure naming system already uses public key value tables
_slackbridge has joined #ipfs
<Li[m]>
and you're already having to dynamically update it
<Kythyria[m]>
And HIP doesn't help there. You still have to update the naming system when a machine disappears or appears.
slackbridge has quit [Read error: Connection reset by peer]
_slackbridge is now known as slackbridge
<Li[m]>
so now you move some of the overloading of the transport layer and overloading of network layer to a shim between them
<Kythyria[m]>
How is the transport layer overloaded?
<Kythyria[m]>
TCP is entirely unaware of all this naming and encryption stuff.
<Li[m]>
it's trying to compensate for the IP namespace (not) functioning as an identifying namespace
<Kythyria[m]>
... no it's not?
<Li[m]>
sure it is, you just said the server has to be in the middle for the connection to be reestablished, but the hosts can handle locator switching themselves
<Kythyria[m]>
I said nothing about a server in the middle?
<Li[m]>
> So Matrix handles mobility well enough, because if the connection hiccups for any reason you can retry the request. The server isn't moving much, after all.
<Kythyria[m]>
And it's the server you're talking to.
<Li[m]>
this is unnecessary and hacky
<Kythyria[m]>
How?
<Li[m]>
dropping the connection isn't necessary
<Li[m]>
and moving locator value can be handled by the peers themselves
<Kythyria[m]>
Why isn't it? It'll get dropped if the underlying network fails.
<Kythyria[m]>
One of the peers being the server, and the other peer being the client.
<Li[m]>
it'll just wait for a response until you reconnect
<Li[m]>
and since it's the same HID, the TCP connection doesn't have to change value
<Li[m]>
it just resumes
<Kythyria[m]>
And how long can I vanish from the network for before the server times out or a buffer fills up, anyway?
_slackbridge has joined #ipfs
lacour has quit [Quit: Leaving]
<Kythyria[m]>
Hint: it's almost certainly a lot less time than the application layer can recover from cleanly.
slackbridge has quit [Remote host closed the connection]
_slackbridge is now known as slackbridge
BronzeEagle has left #ipfs ["Leaving"]
<Li[m]>
why would it preclude the application doing it in that case?
TheGuyWho has joined #ipfs
<Li[m]>
the way you explain things, HIP will force everything else to stop working
<Kythyria[m]>
What?
<Kythyria[m]>
No.
<Kythyria[m]>
HIP is just redundant.
<Li[m]>
nameservers all of a sudden won't be trusted (are they now??) and the application won't be able to help reconnect
<Kythyria[m]>
HIP doesn't help with trusting nameservers. TLS already contains provisions for deceitful nameservers.
<Li[m]>
HIP gives multihoming and allows TCP to survive mobility
<Li[m]>
so it's not just redundant
<Kythyria[m]>
And if your application can already deal with a flaky connection it has most of the pieces it needs to deal with mobility.
<Li[m]>
it also makes VPN redundant
dhruvbaldawa has joined #ipfs
<Li[m]>
and TLS
<Li[m]>
if we have a system that maps names to hids
<Kythyria[m]>
It doesn't make TLS redundant unless it comes with some other way to determine if you're talking to a host that is legitimately hosting a particular name.
<Li[m]>
TLS doesn't tell you if the host is legitimate
<Li[m]>
you have to trust your table, no matter what
<Li[m]>
is the current SSL certificate you have legitimate?
Sacmanxman2 has joined #ipfs
<Li[m]>
thats a different problem, of key distribution
<Li[m]>
you keep switching the conversation around to theoretically unsolved problems (well now the blockchain is challenging that though)
<Kythyria[m]>
TLS tells you if the host is legitimate with respect to a particular name.
<Kythyria[m]>
It doesn't care about your locator or machine identity.
<Li[m]>
how does reading 'google.com' tell me anything about which public key to trust for it?
<Li[m]>
hint:nothing
<Li[m]>
so that problem is unsolved
Sacmanxman2 has quit [Client Quit]
<Kythyria[m]>
TLS uses certificate authorities to solve that.
<Kythyria[m]>
Possibly badly, but it at least makes the effort.
<Li[m]>
you don't see that I'm saying we can use the exact same mechanism but replace SSL keys with HIDs
<Kythyria[m]>
No you can't!
<Li[m]>
why not
<Kythyria[m]>
Because the keys are for one single machine.
<Kythyria[m]>
Er, the HIDs are.
<Kythyria[m]>
One HID, one machine.
<Li[m]>
so what, you get multiple values back
<Kythyria[m]>
From where?
<Li[m]>
you can already use multiple ssl certs
<Li[m]>
from the CA
<Kythyria[m]>
The certificate?
<Kythyria[m]>
I have to issue a new certificate every time I add or remove a machine from the cluster?
<Li[m]>
google.com -> [ HID1 HID2 HID3 ]
<Li[m]>
why, no, you modify the entries with your root key
<Kythyria[m]>
Okay, does HIP have anything at all that can tell me that that's correct.
<Kythyria[m]>
Remember, the CA is not a DNS server.
<Li[m]>
it's just like the SSL cert, you're trusting from somewhere
<Kythyria[m]>
So you're blindly trusting the DNS server instead of trusting the CA?
<Li[m]>
yea sure, I'm just being broad here
<Kythyria[m]>
Or trusting the CA and the DNS server.
<Li[m]>
nonon use the same infrastructure as you use now
<Li[m]>
same model
<Li[m]>
just swap an SSL key for an hid
<Kythyria[m]>
What?
<Kythyria[m]>
So the keypair in the certificate is now a machine ID?
<Kythyria[m]>
So I have to have one certificate per machine.
<Li[m]>
thankfully they're automatically created for the machine to connect to anyone
<Li[m]>
you can even get rid of ssh keys
<Li[m]>
connect to an HID
<Kythyria[m]>
How?
<Li[m]>
if you don't want passwords
<Kythyria[m]>
So I can only log in to an SSH server with one user per machine?
<Kythyria[m]>
*client machine
<Li[m]>
you could use HIP to control access to anything
<Li[m]>
matrix login, ssh, wifi access, you name it
<Li[m]>
now hosts have an identity
<Kythyria[m]>
How?
<Li[m]>
lol
<Li[m]>
public key encryption
<Kythyria[m]>
How does that help for matrix or SSH?
<Kythyria[m]>
I don't care what host the user is connecting from, I care about the user's credentials.
<Li[m]>
HIDs are only provable with a priv/pub key authentication
<Kythyria[m]>
You're proposing using IP addresses as user identifiers albeit in a world where IP addresses are unforgeable.
<Li[m]>
yea I understand, I'm just saying it's possible
<Kythyria[m]>
And pointless!
<Li[m]>
I'm just adding chocolate on the cake
<Li[m]>
sure, don't use it
<Li[m]>
but now you can
<Kythyria[m]>
Why would I want to?
<Li[m]>
or you can restrict your sshd to only allow ssh access from known HIDs
<Kythyria[m]>
You'd never configure it to not require authentication from particular HIDs though. That would be silly.
<Li[m]>
then stealing your ssh key wouldn't be enough to ssh into your server, and you would get rid of all the ssh crawling
<Li[m]>
why not? some ppl don't use passwords
<Li[m]>
nobody could connect without your HID privkey
<Kythyria[m]>
I doubt they use nothing but IP whitelisting for authentication though.
<Li[m]>
I'm just showing you how mindblowing this thing is
<Li[m]>
not suggesting we should do that
<Kythyria[m]>
Then why are you proposing it as interesting?
<Li[m]>
because it is interesting to consider an identity based network and what it makes possible
<Kythyria[m]>
A machine identity based network.
<Li[m]>
all of the sudden there is no more 'public-facing' part of the network, everybody is a peer in a mesh
<Li[m]>
well the network is a network of machines, if you didn't know that
<Kythyria[m]>
Which is true today.
<Kythyria[m]>
You'd still have a "public facing" part, it's the part that doesn't have HID whitelisting enabled.
<Li[m]>
I mean it in the sense govts mean when they force 'public-facing' servers to register somehow
<Li[m]>
in very strict countries that's a big problem
<Li[m]>
it also means the dark web would just explode into full activity
<Li[m]>
which I consider the greatest thing that can happen to us right now
<Kythyria[m]>
They'd probably switch to requiring you register anything that can receive packets from the public internet at all.
<Kythyria[m]>
And HIP doesn't hide your location at all.
<Li[m]>
yea that means they've lost
<Li[m]>
at that point the govt simply loses control
<Li[m]>
if they want to cripple the network that bad
<Kythyria[m]>
How is that losing?
<Li[m]>
govt relies on public support
<Li[m]>
the public will choose the internet over govt
<Li[m]>
but this is getting into social theory, I'm not that interested really, just mentioning it
<Li[m]>
just look at india when they banned banknotes, imagine that but way more chaotic
<Kythyria[m]>
Plus you'd get that part with any system of distribution for keys that can be used for IPSec.
Aranjedeath has quit [Quit: Three sheets to the wind]
<Li[m]>
just go all the way and secure every god damn packet everywhere
<Li[m]>
thats HIP
<Kythyria[m]>
That's IPSec. HIP is just a means of key distribution.
<Li[m]>
it's like saying 'fuck it, just encrypt everything, ever'
<Kythyria[m]>
Or... not even key distribution, it expects you to already know the key.
<Li[m]>
mandatory ipsec
<Li[m]>
that's simply not true
dimitarvp has quit [Quit: Bye]
<Kythyria[m]>
You have to know the fingerprint, at least.
<Li[m]>
thats the HID
<Li[m]>
itself
<Li[m]>
is the fingerprint
<Kythyria[m]>
Yes.
<Li[m]>
it certifies itself, like Tor addresses and IPFS hashes
<Kythyria[m]>
So HIP requires you already know the fingerprint of the individual machine you want to connect to.
<Kythyria[m]>
And know on other grounds that that is the fingerprint you want.
<Li[m]>
sure, how is that different from now, having to know the IP address you want to connect to?
<Li[m]>
and then connecting to anything since there is no way to verify ownership of that address
<Kythyria[m]>
You don't need HIP for IPsec everywhere. Stick the pubkeys in DNS.
<Li[m]>
ok good luck, I'm going to leave this here
<Kythyria[m]>
And with TLS you don't verify ownership of the address, you verify ownership of a domain name.
<Kythyria[m]>
The domain name probably being what the user entered or the application otherwise cares about.
<Li[m]>
yea I said I got it. thanks for the debate, good luck
Adbray has quit [Remote host closed the connection]
<Li[m]>
at least we agree on matrix
<Kythyria[m]>
That said, apparently you can design a multi-box load balancer so that the whole cluster has one IP address, but adapting that to HIP would result in the cluster sharing a keypair.
<Kythyria[m]>
I'm not sure if the workers or balancers would be the ones terminating the encryption though. Google has the workers terminate TLS IIRC.
aeftimia has joined #ipfs
TheGuyWho has quit [Ping timeout: 248 seconds]
aeftimia has quit [Ping timeout: 248 seconds]
girrrrrrr2 has joined #ipfs
infinity0_ has joined #ipfs
infinity0 is now known as Guest79735
infinity0 has joined #ipfs
infinity0_ is now known as infinity0
infinity0 has quit [Changing host]
Guest79735 has quit [Ping timeout: 258 seconds]
TheGuyWho has joined #ipfs
ygrek_ has joined #ipfs
tombusby has quit [Remote host closed the connection]
tombusby has joined #ipfs
Alpha64 has quit [Read error: Connection reset by peer]
aeftimia has joined #ipfs
espadrine has quit [Ping timeout: 248 seconds]
TheGuyWho has quit [Ping timeout: 248 seconds]
aeftimia has quit [Ping timeout: 248 seconds]
TheGuyWho has joined #ipfs
whenisnever has joined #ipfs
aeftimia has joined #ipfs
aeftimia has quit [Ping timeout: 260 seconds]
rendar has joined #ipfs
kirby__ has joined #ipfs
kuroshi is now known as kode54
girrrrrrr3 has joined #ipfs
girrrrrrr3 has quit [Changing host]
girrrrrrr3 has joined #ipfs
sim590 has quit [Ping timeout: 248 seconds]
sim590 has joined #ipfs
girrrrrrr2 has quit [Ping timeout: 248 seconds]
redfish has quit [Ping timeout: 240 seconds]
graffen has quit [Quit: leaving]
girrrrrrr2 has joined #ipfs
girrrrrrr3 has quit [Ping timeout: 240 seconds]
graffen has joined #ipfs
sorboside has quit [K-Lined]
girrrrrrr3 has joined #ipfs
aeftimia has joined #ipfs
girrrrrrr2 has quit [Ping timeout: 248 seconds]
aeftimia has quit [Ping timeout: 240 seconds]
jokoon has joined #ipfs
girrrrrrr3 has quit [Ping timeout: 240 seconds]
girrrrrrr2 has joined #ipfs
pat36 has joined #ipfs
aeftimia has joined #ipfs
talonz has joined #ipfs
aeftimia has quit [Ping timeout: 240 seconds]
pvh has quit [Quit: Connection closed for inactivity]
whenisnever has quit [Ping timeout: 248 seconds]
whenisnever has joined #ipfs
aeftimia has joined #ipfs
aeftimia has quit [Ping timeout: 248 seconds]
jonnycrunch has quit [Ping timeout: 240 seconds]
jonnycrunch has joined #ipfs
ianopolous has quit [Ping timeout: 248 seconds]
synthmeat has quit [Quit: WeeChat 1.9.1]
SL__ has joined #ipfs
maxlath has joined #ipfs
SL__ has quit [Client Quit]
synthmeat has joined #ipfs
jokoon has quit [Read error: Connection reset by peer]
TheGuyWho has quit [Ping timeout: 248 seconds]
TheGuyWho has joined #ipfs
dhruvbaldawa has quit [Remote host closed the connection]
TheGuyWho has quit [Ping timeout: 255 seconds]
<musicmatze[m]>
Li: "I run a server, you run yours" <<< Exactly that! With my idea, there would be _no servers_! There _could_ be federated caching server, but the network would be alive without them! And why should DNS be my problem? IPFS lives completely without DNS, doesn't it?
<musicmatze[m]>
I just noticed that my IRC bouncer does not bounce as nice as it should do... the messages I wrote yesterday evening via matrix are not in my IRC log -.-'
<Kubuxu>
nicolagreco: nothing to worry, it was fixed in 99% this week, there is about 1% of cases left but they aren't huge issues.
<Kubuxu>
nicolagreco: join #ipfs-pinbot
<Kubuxu>
you are still on pinbot's friends list
<pjz>
is there a python library somewhere that I can use to precompute the hash address of a binary file?
<Kubuxu>
pjz: not really
Jesin has quit [Quit: Leaving]
<pjz>
to do so it would have to 1. chunk the file 2. hash the chunks 3. build the glue 4. hash the glue correct?
kaotisk-irc has quit [Quit: Leaving]
kaotisk has joined #ipfs
mog has joined #ipfs
whenisnever has quit [Ping timeout: 240 seconds]
<pjz>
Hmm. But a small file wouldn't require chunking
<pjz>
where 'small' is 'less than chunksize' obviously
plutey has joined #ipfs
<Icefoz_>
pjz: I would gladly help build such a thing if possible.
<Kubuxu>
pjz: in case of small files (<256kiB) and `ipfs add` with --raw-leaves, as the result you will get a CID with a straight multihash of the data wrapped in multibase
<Icefoz_>
Being able to precompute the hash of a file would be very useful.
plutey has left #ipfs ["Ex-Chat"]
<Kubuxu>
as part of new ipld-unixfs I would love to draw out "canonical" hashing/chunking/tree-building algorithms
<Kubuxu>
and then building tool like this would be much cleaner cut
plut has joined #ipfs
<Kubuxu>
IDK how many modules are for python there but multibase, multihash and CID en/decoders are necessary
plut_ has joined #ipfs
ygrek_ has joined #ipfs
plut has quit [Client Quit]
plut_ has quit [Read error: Connection reset by peer]
plut has joined #ipfs
leeola has joined #ipfs
<pjz>
There's a pymultihash and a py-cid
plut has quit [Client Quit]
<pjz>
python projects on github now
<pjz>
I just can't get them to spit out the same results as go-ipfs, even on small files
<Kubuxu>
pjz: are you using `--raw-leaves` option with `ipfs add`?
<pjz>
yeah, I have a little test program, so I just tried that
<Kubuxu>
normally the binary chunks are wrapped in cbor which is hard to explain
<pjz>
though the raw-leaves version doesn't start with Qm ?
plut has joined #ipfs
<pjz>
doesn't start with Qm.. which I thought it would
<Kubuxu>
yeah, they start with `z` which is the multibase prefix for base58
<Kubuxu>
and then the CID encoded in base58 follows
<Kubuxu>
Qm.. is CIDv0 (CID concept didn't exist when we created it).
plut has quit [Client Quit]
aeftimia has joined #ipfs
jungly has joined #ipfs
dhruvbaldawa has joined #ipfs
girrrrrrr2 has quit [Ping timeout: 248 seconds]
<pjz>
Kubuxu: am I correct that a CID is a multihash+encoding ?
<voker57>
Kubuxu: you mean, use exactly this version? I'm using 0.4.12-rc1+ from git
<Kubuxu>
this or higher
<Kubuxu>
so rc1+ is ok
ligi has quit [Ping timeout: 248 seconds]
bwerthma1n has joined #ipfs
bwerthmann has quit [Ping timeout: 258 seconds]
ligi has joined #ipfs
ligi has quit [Changing host]
ligi has joined #ipfs
pat36 has quit [Read error: Connection reset by peer]
pat36 has joined #ipfs
pcctw has joined #ipfs
whenisnever has joined #ipfs
ligi has quit [Ping timeout: 246 seconds]
ccii1 has joined #ipfs
whenisnever has quit [Ping timeout: 246 seconds]
ccii has quit [Ping timeout: 248 seconds]
dorsatum_ has joined #ipfs
pat36 has quit [Read error: Connection reset by peer]
pat36 has joined #ipfs
<ehmry>
is there an IPFS mirror of the IETF RFCs yet? :)
<Icefoz_>
Ooh, that's a good idea.
<ehmry>
I'm about to go offline so I'm dumping the rsync mirror right now
xnbya has quit [Ping timeout: 255 seconds]
xnbya has joined #ipfs
pat36 has quit [Read error: Connection reset by peer]
pat36 has joined #ipfs
lacour has joined #ipfs
TheGuyWho has quit [Ping timeout: 240 seconds]
dorsatum__ has joined #ipfs
dorsatum_ has quit [Ping timeout: 260 seconds]
Jesin has quit [Quit: Leaving]
TheGuyWho has joined #ipfs
Jesin has joined #ipfs
etched has quit [Quit: etched]
maxlath has quit [Ping timeout: 264 seconds]
Jesin has quit [Quit: Leaving]
etched has joined #ipfs
pat36 has quit [Read error: Connection reset by peer]
pat36 has joined #ipfs
Jesin has joined #ipfs
Encrypt has joined #ipfs
jaboja has joined #ipfs
ygrek_ has quit [Ping timeout: 264 seconds]
dhruvbaldawa has quit [Remote host closed the connection]
pat36 has quit [Read error: Connection reset by peer]
pat36 has joined #ipfs
etched has quit [Quit: etched]
pat36 has quit [Read error: Connection reset by peer]
pat36 has joined #ipfs
tec__ has quit [Remote host closed the connection]
tec__ has joined #ipfs
<victorbjelkholm>
ehmry: there is! Check out archives.ipfs.io
aeftimia has quit [Remote host closed the connection]
aeftimia has joined #ipfs
caladrius has joined #ipfs
aeftimia has quit [Ping timeout: 248 seconds]
tec__ has quit [Remote host closed the connection]
rendar has quit [Quit: std::lower_bound + std::less_equal *works* with a vector without duplicates!]
Jesin has quit [Quit: Leaving]
tec__ has joined #ipfs
esph has quit [Ping timeout: 240 seconds]
Alpha64 has quit [Ping timeout: 248 seconds]
Alpha64_ has joined #ipfs
esph has joined #ipfs
erictapen has quit [Ping timeout: 240 seconds]
tec__ has quit [Ping timeout: 246 seconds]
tec__ has joined #ipfs
Caterpillar has quit [Quit: You were not made to live as brutes, but to follow virtue and knowledge.]
dsc_ has quit [Ping timeout: 240 seconds]
aeftimia has joined #ipfs
treora has quit [Ping timeout: 248 seconds]
eater has quit [Ping timeout: 252 seconds]
erictapen has joined #ipfs
aeftimia has quit [Remote host closed the connection]
aeftimia has joined #ipfs
eater has joined #ipfs
aeftimia has quit [Remote host closed the connection]
treora has joined #ipfs
aeftimia has joined #ipfs
dorsatum__ has quit [Quit: This computer has gone to sleep]
dsc_ has joined #ipfs
aeftimia has quit [Remote host closed the connection]
Jesin has joined #ipfs
aeftimia has joined #ipfs
Milijus has quit [Ping timeout: 246 seconds]
bwerthmann has joined #ipfs
pvh has joined #ipfs
aeftimia has quit [Ping timeout: 260 seconds]
dorsatum__ has joined #ipfs
bwerthma1n has quit [Ping timeout: 258 seconds]
<pvh>
thanks whyrusleeping.
whenisnever has joined #ipfs
aeftimia has joined #ipfs
ianopolous has joined #ipfs
pat36 has quit [Read error: Connection reset by peer]
erictapen has quit [Ping timeout: 255 seconds]
pat36 has joined #ipfs
aeftimia has quit [Remote host closed the connection]
aeftimia has joined #ipfs
dorsatum__ has quit [Quit: This computer has gone to sleep]
aeftimia has quit [Ping timeout: 248 seconds]
aeftimia has joined #ipfs
pat36 has quit [Read error: Connection reset by peer]
pat36 has joined #ipfs
dorsatum__ has joined #ipfs
Alpha64_ has quit [Ping timeout: 252 seconds]
Alpha64 has joined #ipfs
pat36 has quit [Read error: Connection reset by peer]
pat36 has joined #ipfs
erictapen has joined #ipfs
erictapen has quit [Remote host closed the connection]
erictapen has joined #ipfs
jungly has quit [Remote host closed the connection]
dhruvbaldawa has joined #ipfs
Encrypt has quit [Ping timeout: 264 seconds]
Xe has quit [Ping timeout: 246 seconds]
whenisnever has quit [Ping timeout: 240 seconds]
trn has quit [Quit: quit]
Encrypt has joined #ipfs
dorsatum__ has quit [Ping timeout: 260 seconds]
pat36 has quit [Read error: Connection reset by peer]
pat36 has joined #ipfs
Encrypt has quit [Quit: Quit]
Xe has joined #ipfs
trn has joined #ipfs
aeftimia_ has joined #ipfs
aeftimia has quit [Remote host closed the connection]
whenisnever has joined #ipfs
maxlath has joined #ipfs
aeftimia_ has quit [Remote host closed the connection]
aeftimia has joined #ipfs
rsynnest has joined #ipfs
jaboja has quit [Ping timeout: 246 seconds]
dhruvbaldawa has quit [Remote host closed the connection]
erictapen has quit [Ping timeout: 240 seconds]
ilyaigpetrov has joined #ipfs
whenisnever has quit [Ping timeout: 240 seconds]
caladrius has quit [Quit: shutdown -h now]
jaboja has joined #ipfs
Alpha64 has quit [Quit: Alpha64]
Milijus has joined #ipfs
Encrypt has joined #ipfs
maxlath has quit [Ping timeout: 252 seconds]
maxlath has joined #ipfs
girrrrrrr2 has joined #ipfs
kus_ubuntui686 has joined #ipfs
kus_ubuntui686 has quit [Max SendQ exceeded]
harlantwood has joined #ipfs
dorsatum_ has joined #ipfs
cblgh has quit [Quit: Lost terminal]
cblgh has joined #ipfs
cblgh has quit [Changing host]
cblgh has joined #ipfs
<teej>
Hello. I'm reading the IPFS Docs, but I'm not sure how to get a file from one system to another. I have IPFS installed on both systems. I've then added a file using `ipfs add` and it gave me a file hash. I tried using `ipfs get /ipfs/FILEHASH` but it would return `Error: merkledag: not found`. I'm assuming merkledag is a missing binary?
<teej>
I have used `pacman -Ss merkledag` but did not obtain any binaries of that name.
<Icefoz_>
teej: Nope, 'merkledag' is the name of the data structure that represents a file in IPFS, more or less
<Icefoz_>
So I believe it's just saying that it can't find any node that has the given file.
<Icefoz_>
s/file/hash/
<teej>
Oh.
<teej>
Hmm... Let me look up how to connect the nodes.
<Icefoz_>
Ideally they should find each other without intervention, but it can take a few minutes.
<teej>
Icefoz_: The two systems are on the same machine.
<Icefoz_>
You can do `ipfs swarm peers` and `ipfs swarm addrs` to see what peers it knows about.
<Icefoz_>
Huh, two VM's then?
pat36 has quit [Read error: Connection reset by peer]
pat36 has joined #ipfs
<Icefoz_>
teej: When I have two machines on the same network then IPFS generally figures out that they can talk to each other within a few minutes. Never tried with two VM's on the same machine; I don't know enough to say whether firewall or NAT settings might have to be messed with to let them communicate with each other.
<teej>
Icefoz_: Do I have to have the `ipfs daemon` running on both?
dhruvbaldawa has joined #ipfs
<Icefoz_>
Yes, the daemon is what actually does the communication, though if the daemon isn't running I'd expect the command line client to say `api not found` or something like that.
<teej>
Icefoz_: Oh after making the daemon run, it starts to work.
<Icefoz_>
Huzzah!
<Icefoz_>
For reference, you can add a node's IP address and crypto key to the "Bootstrap" section in the ~/.ipfs/config file which will basically tell that IPFS node "always try to connect to this particular node if you can"
<teej>
Icefoz_: It didn't give a message about the daemon not running though. I think this should be added.
<Icefoz_>
That's strange. What version are you using?
<teej>
The latest 0.4.11.
<Icefoz_>
Hmm.
<Icefoz_>
Ahhhh, I get the same error when it's not running now, yes.
<Icefoz_>
It just means that the go-ipfs program is trying to do seven different things at once and there's non-obvious overlap between them. :-P
<Icefoz_>
Which is still a problem.
whenisnever has joined #ipfs
<teej>
Um... I think if I was confused about what the error message meant, I'm sure that many other users would be as well.
<Icefoz_>
Exactly. "manipulate local repository" and "talk to daemon" are different things and it should be obvious which commands do which.
<Icefoz_>
"ipfs get" apparently means "search local repository, then if you don't find something and a daemon is around, ask the daemon to try to get it"
<teej>
Icefoz_: Then the error message should be something like "unable to find HASH in local repository, try using `ipfs daemon`"
<Icefoz_>
Yep.
<Icefoz_>
It should.
<Icefoz_>
I agree 100%.
<Icefoz_>
I'm not a developer but my impression is that IPFS has done a lot of experimentation and development in the last few years and, as a result, is a bit of a clutter.
<teej>
Icefoz_: Maybe the person was sleepy when he made his argument?
<teej>
Icefoz_: Or maybe things have changed in 2 years.
pat36 has quit [Read error: Connection reset by peer]
<Icefoz_>
Maybe. :-)
pat36 has joined #ipfs
<teej>
Icefoz_: I'm not sure why "copying" a file takes a long time.
<teej>
Well it's taking a while.
<teej>
It's about 7.8 GB.
<Icefoz_>
Couldn't say for sure, though it breaks the file into chunks and has to checksum each chunk, so that might be fairly CPU-intensive.
<teej>
And it's stuck at around 1.03 GB.
<Icefoz_>
That is odd.
<teej>
Oh, CPU intensive... Hmm...
<teej>
I'm going to try to make the command more verbose.
}ls{ has joined #ipfs
maxlath has quit [Ping timeout: 240 seconds]
Taoki has joined #ipfs
<teej>
Okay. Apparently there are no `--verbose` flags/options.
<teej>
Icefoz_: I'm actually using my host and a Docker container.
Mateon1 has quit [Ping timeout: 240 seconds]
<Icefoz_>
Aha.
Mateon1 has joined #ipfs
jaboja has quit [Quit: Leaving]
<teej>
Icefoz_: If I want to add a bootstrap peer, I would use the command `ipfs bootstrap add` but how do I find my peer name?
ianopolous has quit [Ping timeout: 240 seconds]
<teej>
Is it the ID in `ipfs id`?
<Icefoz_>
Not sure but I think so...
<Icefoz_>
Yeah, looks like it. You can also list the keys it knows about with `ipfs key list -l`
maxlath has joined #ipfs
dorsatum_ has quit [Quit: This computer has gone to sleep]
<teej>
Icefoz_: It says the peer address should start with `/`. So I'll use the "Addresses" section in `ipfs id`.
dorsatum_ has joined #ipfs
<teej>
It worked.
<teej>
So it's the whole thing.
<Icefoz_>
Good!
Alpha64 has joined #ipfs
maxlath has quit [Ping timeout: 248 seconds]
pvh has quit [Quit: Connection closed for inactivity]
dorsatum_ has quit [Quit: This computer has gone to sleep]
<teej>
I think it would be better if I made the blocksize smaller.
<Icefoz_>
Couldn't tell you that. I thought the default was 256k or such.