Undraft blog post

svg fixup courtesy drzed, used with permission

.dockerignore

@@ -1 +0,0 @@
-.git

design/image_design/protocol_stack.svg

@@ -1,190 +1,16 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="362pt" height="422pt" viewBox="0 0 362 422" version="1.1">
-<defs>
-<g>
-<symbol overflow="visible" id="glyph0-0">
-<path style="stroke:none;" d="M 0.84375 3 L 0.84375 -11.984375 L 9.34375 -11.984375 L 9.34375 3 L 0.84375 3 Z M 1.796875 2.0625 L 8.40625 2.0625 L 8.40625 -11.03125 L 1.796875 -11.03125 L 1.796875 2.0625 Z M 1.796875 2.0625 "/>
-</symbol>
-<symbol overflow="visible" id="glyph0-1">
-<path style="stroke:none;" d="M 1.671875 -12.390625 L 3.34375 -12.390625 L 3.34375 0 L 1.671875 0 L 1.671875 -12.390625 Z M 1.671875 -12.390625 "/>
-</symbol>
-<symbol overflow="visible" id="glyph0-2">
-<path style="stroke:none;" d="M 3.34375 -11.015625 L 3.34375 -6.359375 L 5.453125 -6.359375 C 6.234375 -6.359375 6.835938 -6.5625 7.265625 -6.96875 C 7.691406 -7.375 7.90625 -7.945312 7.90625 -8.6875 C 7.90625 -9.425781 7.691406 -10 7.265625 -10.40625 C 6.835938 -10.8125 6.234375 -11.015625 5.453125 -11.015625 L 3.34375 -11.015625 Z M 1.671875 -12.390625 L 5.453125 -12.390625 C 6.835938 -12.390625 7.882812 -12.078125 8.59375 -11.453125 C 9.3125 -10.828125 9.671875 -9.90625 9.671875 -8.6875 C 9.671875 -7.46875 9.3125 -6.546875 8.59375 -5.921875 C 7.882812 -5.296875 6.835938 -4.984375 5.453125 -4.984375 L 3.34375 -4.984375 L 3.34375 0 L 1.671875 0 L 1.671875 -12.390625 Z M 1.671875 -12.390625 "/>
-</symbol>
-<symbol overflow="visible" id="glyph0-3">
-<path style="stroke:none;" d="M -0.046875 -12.390625 L 10.4375 -12.390625 L 10.4375 -10.984375 L 6.03125 -10.984375 L 6.03125 0 L 4.34375 0 L 4.34375 -10.984375 L -0.046875 -10.984375 L -0.046875 -12.390625 Z M -0.046875 -12.390625 "/>
-</symbol>
-<symbol overflow="visible" id="glyph0-4">
-<path style="stroke:none;" d="M 10.953125 -11.4375 L 10.953125 -9.671875 C 10.390625 -10.191406 9.785156 -10.582031 9.140625 -10.84375 C 8.503906 -11.101562 7.828125 -11.234375 7.109375 -11.234375 C 5.691406 -11.234375 4.601562 -10.800781 3.84375 -9.9375 C 3.09375 -9.070312 2.71875 -7.820312 2.71875 -6.1875 C 2.71875 -4.550781 3.09375 -3.300781 3.84375 -2.4375 C 4.601562 -1.570312 5.691406 -1.140625 7.109375 -1.140625 C 7.828125 -1.140625 8.503906 -1.269531 9.140625 -1.53125 C 9.785156 -1.789062 10.390625 -2.179688 10.953125 -2.703125 L 10.953125 -0.953125 C 10.359375 -0.554688 9.734375 -0.257812 9.078125 -0.0625 C 8.429688 0.132812 7.738281 0.234375 7 0.234375 C 5.125 0.234375 3.644531 -0.335938 2.5625 -1.484375 C 1.488281 -2.628906 0.953125 -4.195312 0.953125 -6.1875 C 0.953125 -8.175781 1.488281 -9.742188 2.5625 -10.890625 C 3.644531 -12.046875 5.125 -12.625 7 -12.625 C 7.75 -12.625 8.445312 -12.523438 9.09375 -12.328125 C 9.75 -12.128906 10.367188 -11.832031 10.953125 -11.4375 Z M 10.953125 -11.4375 "/>
-</symbol>
-<symbol overflow="visible" id="glyph0-5">
-<path style="stroke:none;" d="M 1.484375 -12.390625 L 3.15625 -12.390625 L 3.15625 -4.859375 C 3.15625 -3.535156 3.394531 -2.582031 3.875 -2 C 4.363281 -1.414062 5.144531 -1.125 6.21875 -1.125 C 7.300781 -1.125 8.082031 -1.414062 8.5625 -2 C 9.039062 -2.582031 9.28125 -3.535156 9.28125 -4.859375 L 9.28125 -12.390625 L 10.96875 -12.390625 L 10.96875 -4.65625 C 10.96875 -3.039062 10.566406 -1.820312 9.765625 -1 C 8.960938 -0.175781 7.78125 0.234375 6.21875 0.234375 C 4.65625 0.234375 3.472656 -0.175781 2.671875 -1 C 1.878906 -1.820312 1.484375 -3.039062 1.484375 -4.65625 L 1.484375 -12.390625 Z M 1.484375 -12.390625 "/>
-</symbol>
-<symbol overflow="visible" id="glyph0-6">
-<path style="stroke:none;" d="M 3.34375 -11.015625 L 3.34375 -1.375 L 5.375 -1.375 C 7.082031 -1.375 8.332031 -1.757812 9.125 -2.53125 C 9.914062 -3.3125 10.3125 -4.535156 10.3125 -6.203125 C 10.3125 -7.867188 9.914062 -9.085938 9.125 -9.859375 C 8.332031 -10.628906 7.082031 -11.015625 5.375 -11.015625 L 3.34375 -11.015625 Z M 1.671875 -12.390625 L 5.109375 -12.390625 C 7.515625 -12.390625 9.28125 -11.890625 10.40625 -10.890625 C 11.53125 -9.890625 12.09375 -8.328125 12.09375 -6.203125 C 12.09375 -4.066406 11.523438 -2.5 10.390625 -1.5 C 9.265625 -0.5 7.503906 0 5.109375 0 L 1.671875 0 L 1.671875 -12.390625 Z M 1.671875 -12.390625 "/>
-</symbol>
-<symbol overflow="visible" id="glyph0-7">
-<path style="stroke:none;" d="M 1.671875 -12.390625 L 3.921875 -12.390625 L 9.421875 -2.03125 L 9.421875 -12.390625 L 11.046875 -12.390625 L 11.046875 0 L 8.796875 0 L 3.296875 -10.375 L 3.296875 0 L 1.671875 0 L 1.671875 -12.390625 Z M 1.671875 -12.390625 "/>
-</symbol>
-<symbol overflow="visible" id="glyph0-8">
-<path style="stroke:none;" d="M 9.09375 -11.984375 L 9.09375 -10.34375 C 8.457031 -10.65625 7.859375 -10.882812 7.296875 -11.03125 C 6.734375 -11.175781 6.1875 -11.25 5.65625 -11.25 C 4.75 -11.25 4.046875 -11.070312 3.546875 -10.71875 C 3.054688 -10.363281 2.8125 -9.863281 2.8125 -9.21875 C 2.8125 -8.664062 2.972656 -8.25 3.296875 -7.96875 C 3.628906 -7.6875 4.253906 -7.460938 5.171875 -7.296875 L 6.1875 -7.09375 C 7.4375 -6.851562 8.359375 -6.429688 8.953125 -5.828125 C 9.546875 -5.234375 9.84375 -4.429688 9.84375 -3.421875 C 9.84375 -2.222656 9.4375 -1.3125 8.625 -0.6875 C 7.820312 -0.0703125 6.644531 0.234375 5.09375 0.234375 C 4.507812 0.234375 3.882812 0.164062 3.21875 0.03125 C 2.5625 -0.09375 1.878906 -0.285156 1.171875 -0.546875 L 1.171875 -2.28125 C 1.847656 -1.894531 2.515625 -1.601562 3.171875 -1.40625 C 3.828125 -1.21875 4.46875 -1.125 5.09375 -1.125 C 6.050781 -1.125 6.789062 -1.3125 7.3125 -1.6875 C 7.832031 -2.0625 8.09375 -2.597656 8.09375 -3.296875 C 8.09375 -3.898438 7.90625 -4.375 7.53125 -4.71875 C 7.15625 -5.0625 6.539062 -5.320312 5.6875 -5.5 L 4.671875 -5.6875 C 3.421875 -5.9375 2.515625 -6.328125 1.953125 -6.859375 C 1.398438 -7.390625 1.125 -8.128906 1.125 -9.078125 C 1.125 -10.171875 1.507812 -11.035156 2.28125 -11.671875 C 3.050781 -12.304688 4.113281 -12.625 5.46875 -12.625 C 6.050781 -12.625 6.644531 -12.566406 7.25 -12.453125 C 7.851562 -12.347656 8.46875 -12.191406 9.09375 -11.984375 Z M 9.09375 -11.984375 "/>
-</symbol>
-<symbol overflow="visible" id="glyph0-9">
-<path style="stroke:none;" d="M 1.4375 -3.671875 L 1.4375 -9.296875 L 2.96875 -9.296875 L 2.96875 -3.734375 C 2.96875 -2.847656 3.140625 -2.1875 3.484375 -1.75 C 3.828125 -1.3125 4.34375 -1.09375 5.03125 -1.09375 C 5.851562 -1.09375 6.503906 -1.351562 6.984375 -1.875 C 7.460938 -2.40625 7.703125 -3.125 7.703125 -4.03125 L 7.703125 -9.296875 L 9.234375 -9.296875 L 9.234375 0 L 7.703125 0 L 7.703125 -1.421875 C 7.328125 -0.859375 6.894531 -0.441406 6.40625 -0.171875 C 5.914062 0.0976562 5.347656 0.234375 4.703125 0.234375 C 3.640625 0.234375 2.828125 -0.09375 2.265625 -0.75 C 1.710938 -1.414062 1.4375 -2.390625 1.4375 -3.671875 Z M 5.28125 -9.515625 L 5.28125 -9.515625 Z M 5.28125 -9.515625 "/>
-</symbol>
-<symbol overflow="visible" id="glyph0-10">
-<path style="stroke:none;" d="M 9.328125 -5.609375 L 9.328125 0 L 7.796875 0 L 7.796875 -5.5625 C 7.796875 -6.4375 7.625 -7.09375 7.28125 -7.53125 C 6.945312 -7.96875 6.4375 -8.1875 5.75 -8.1875 C 4.914062 -8.1875 4.257812 -7.921875 3.78125 -7.390625 C 3.3125 -6.867188 3.078125 -6.15625 3.078125 -5.25 L 3.078125 0 L 1.546875 0 L 1.546875 -9.296875 L 3.078125 -9.296875 L 3.078125 -7.859375 C 3.441406 -8.410156 3.867188 -8.820312 4.359375 -9.09375 C 4.859375 -9.375 5.429688 -9.515625 6.078125 -9.515625 C 7.148438 -9.515625 7.957031 -9.179688 8.5 -8.515625 C 9.050781 -7.859375 9.328125 -6.890625 9.328125 -5.609375 Z M 9.328125 -5.609375 "/>
-</symbol>
-<symbol overflow="visible" id="glyph0-11">
-<path style="stroke:none;" d="M 9.546875 -5.03125 L 9.546875 -4.28125 L 2.53125 -4.28125 C 2.59375 -3.226562 2.90625 -2.425781 3.46875 -1.875 C 4.039062 -1.320312 4.835938 -1.046875 5.859375 -1.046875 C 6.441406 -1.046875 7.007812 -1.117188 7.5625 -1.265625 C 8.113281 -1.410156 8.660156 -1.628906 9.203125 -1.921875 L 9.203125 -0.46875 C 8.648438 -0.238281 8.085938 -0.0664062 7.515625 0.046875 C 6.941406 0.171875 6.359375 0.234375 5.765625 0.234375 C 4.273438 0.234375 3.097656 -0.191406 2.234375 -1.046875 C 1.367188 -1.910156 0.9375 -3.082031 0.9375 -4.5625 C 0.9375 -6.082031 1.347656 -7.285156 2.171875 -8.171875 C 2.992188 -9.066406 4.101562 -9.515625 5.5 -9.515625 C 6.75 -9.515625 7.734375 -9.113281 8.453125 -8.3125 C 9.179688 -7.507812 9.546875 -6.414062 9.546875 -5.03125 Z M 8.03125 -5.484375 C 8.019531 -6.316406 7.785156 -6.976562 7.328125 -7.46875 C 6.867188 -7.96875 6.265625 -8.21875 5.515625 -8.21875 C 4.660156 -8.21875 3.976562 -7.976562 3.46875 -7.5 C 2.957031 -7.019531 2.660156 -6.34375 2.578125 -5.46875 L 8.03125 -5.484375 Z M 8.03125 -5.484375 "/>
-</symbol>
-<symbol overflow="visible" id="glyph0-12">
-<path style="stroke:none;" d="M 1.609375 -12.921875 L 3.125 -12.921875 L 3.125 0 L 1.609375 0 L 1.609375 -12.921875 Z M 1.609375 -12.921875 "/>
-</symbol>
-<symbol overflow="visible" id="glyph0-13">
-<path style="stroke:none;" d=""/>
-</symbol>
-<symbol overflow="visible" id="glyph0-14">
-<path style="stroke:none;" d="M 8.84375 -7.515625 C 9.21875 -8.203125 9.671875 -8.707031 10.203125 -9.03125 C 10.734375 -9.351562 11.363281 -9.515625 12.09375 -9.515625 C 13.050781 -9.515625 13.789062 -9.175781 14.3125 -8.5 C 14.84375 -7.820312 15.109375 -6.859375 15.109375 -5.609375 L 15.109375 0 L 13.578125 0 L 13.578125 -5.5625 C 13.578125 -6.445312 13.421875 -7.101562 13.109375 -7.53125 C 12.796875 -7.96875 12.3125 -8.1875 11.65625 -8.1875 C 10.863281 -8.1875 10.238281 -7.921875 9.78125 -7.390625 C 9.320312 -6.867188 9.09375 -6.15625 9.09375 -5.25 L 9.09375 0 L 7.5625 0 L 7.5625 -5.5625 C 7.5625 -6.457031 7.398438 -7.117188 7.078125 -7.546875 C 6.765625 -7.972656 6.28125 -8.1875 5.625 -8.1875 C 4.84375 -8.1875 4.222656 -7.921875 3.765625 -7.390625 C 3.304688 -6.867188 3.078125 -6.15625 3.078125 -5.25 L 3.078125 0 L 1.546875 0 L 1.546875 -9.296875 L 3.078125 -9.296875 L 3.078125 -7.859375 C 3.429688 -8.421875 3.847656 -8.835938 4.328125 -9.109375 C 4.816406 -9.378906 5.394531 -9.515625 6.0625 -9.515625 C 6.738281 -9.515625 7.3125 -9.34375 7.78125 -9 C 8.257812 -8.65625 8.613281 -8.160156 8.84375 -7.515625 Z M 8.84375 -7.515625 "/>
-</symbol>
-<symbol overflow="visible" id="glyph0-15">
-<path style="stroke:none;" d="M 7.53125 -9.015625 L 7.53125 -7.578125 C 7.09375 -7.796875 6.640625 -7.960938 6.171875 -8.078125 C 5.710938 -8.191406 5.234375 -8.25 4.734375 -8.25 C 3.984375 -8.25 3.414062 -8.128906 3.03125 -7.890625 C 2.65625 -7.660156 2.46875 -7.3125 2.46875 -6.84375 C 2.46875 -6.488281 2.601562 -6.210938 2.875 -6.015625 C 3.144531 -5.816406 3.6875 -5.625 4.5 -5.4375 L 5.03125 -5.328125 C 6.113281 -5.085938 6.882812 -4.753906 7.34375 -4.328125 C 7.800781 -3.910156 8.03125 -3.320312 8.03125 -2.5625 C 8.03125 -1.695312 7.6875 -1.015625 7 -0.515625 C 6.320312 -0.015625 5.382812 0.234375 4.1875 0.234375 C 3.6875 0.234375 3.164062 0.1875 2.625 0.09375 C 2.082031 0 1.515625 -0.144531 0.921875 -0.34375 L 0.921875 -1.921875 C 1.484375 -1.628906 2.035156 -1.40625 2.578125 -1.25 C 3.128906 -1.101562 3.675781 -1.03125 4.21875 -1.03125 C 4.9375 -1.03125 5.488281 -1.15625 5.875 -1.40625 C 6.257812 -1.65625 6.453125 -2.003906 6.453125 -2.453125 C 6.453125 -2.867188 6.3125 -3.1875 6.03125 -3.40625 C 5.757812 -3.625 5.148438 -3.835938 4.203125 -4.046875 L 3.671875 -4.171875 C 2.722656 -4.367188 2.035156 -4.671875 1.609375 -5.078125 C 1.191406 -5.492188 0.984375 -6.0625 0.984375 -6.78125 C 0.984375 -7.65625 1.289062 -8.328125 1.90625 -8.796875 C 2.53125 -9.273438 3.414062 -9.515625 4.5625 -9.515625 C 5.125 -9.515625 5.648438 -9.472656 6.140625 -9.390625 C 6.640625 -9.304688 7.101562 -9.179688 7.53125 -9.015625 Z M 7.53125 -9.015625 "/>
-</symbol>
-<symbol overflow="visible" id="glyph0-16">
-<path style="stroke:none;" d="M 5.828125 -4.671875 C 4.585938 -4.671875 3.726562 -4.53125 3.25 -4.25 C 2.78125 -3.96875 2.546875 -3.488281 2.546875 -2.8125 C 2.546875 -2.269531 2.722656 -1.835938 3.078125 -1.515625 C 3.441406 -1.191406 3.929688 -1.03125 4.546875 -1.03125 C 5.390625 -1.03125 6.066406 -1.332031 6.578125 -1.9375 C 7.085938 -2.539062 7.34375 -3.335938 7.34375 -4.328125 L 7.34375 -4.671875 L 5.828125 -4.671875 Z M 8.875 -5.296875 L 8.875 0 L 7.34375 0 L 7.34375 -1.40625 C 7 -0.84375 6.566406 -0.425781 6.046875 -0.15625 C 5.523438 0.101562 4.890625 0.234375 4.140625 0.234375 C 3.179688 0.234375 2.421875 -0.03125 1.859375 -0.5625 C 1.296875 -1.09375 1.015625 -1.804688 1.015625 -2.703125 C 1.015625 -3.753906 1.363281 -4.546875 2.0625 -5.078125 C 2.769531 -5.609375 3.816406 -5.875 5.203125 -5.875 L 7.34375 -5.875 L 7.34375 -6.015625 C 7.34375 -6.722656 7.109375 -7.265625 6.640625 -7.640625 C 6.179688 -8.023438 5.535156 -8.21875 4.703125 -8.21875 C 4.171875 -8.21875 3.65625 -8.15625 3.15625 -8.03125 C 2.65625 -7.90625 2.171875 -7.71875 1.703125 -7.46875 L 1.703125 -8.875 C 2.265625 -9.09375 2.804688 -9.253906 3.328125 -9.359375 C 3.859375 -9.460938 4.367188 -9.515625 4.859375 -9.515625 C 6.203125 -9.515625 7.207031 -9.164062 7.875 -8.46875 C 8.539062 -7.769531 8.875 -6.710938 8.875 -5.296875 Z M 8.875 -5.296875 "/>
-</symbol>
-<symbol overflow="visible" id="glyph0-17">
-<path style="stroke:none;" d="M 7.71875 -4.75 C 7.71875 -5.863281 7.488281 -6.722656 7.03125 -7.328125 C 6.570312 -7.941406 5.929688 -8.25 5.109375 -8.25 C 4.296875 -8.25 3.660156 -7.941406 3.203125 -7.328125 C 2.742188 -6.722656 2.515625 -5.863281 2.515625 -4.75 C 2.515625 -3.65625 2.742188 -2.800781 3.203125 -2.1875 C 3.660156 -1.582031 4.296875 -1.28125 5.109375 -1.28125 C 5.929688 -1.28125 6.570312 -1.582031 7.03125 -2.1875 C 7.488281 -2.800781 7.71875 -3.65625 7.71875 -4.75 Z M 9.25 -1.15625 C 9.25 0.425781 8.894531 1.601562 8.1875 2.375 C 7.488281 3.144531 6.414062 3.53125 4.96875 3.53125 C 4.425781 3.53125 3.914062 3.488281 3.4375 3.40625 C 2.96875 3.332031 2.507812 3.210938 2.0625 3.046875 L 2.0625 1.5625 C 2.507812 1.800781 2.953125 1.976562 3.390625 2.09375 C 3.828125 2.21875 4.269531 2.28125 4.71875 2.28125 C 5.71875 2.28125 6.46875 2.015625 6.96875 1.484375 C 7.46875 0.960938 7.71875 0.175781 7.71875 -0.875 L 7.71875 -1.640625 C 7.40625 -1.085938 7 -0.675781 6.5 -0.40625 C 6.007812 -0.132812 5.421875 0 4.734375 0 C 3.597656 0 2.679688 -0.429688 1.984375 -1.296875 C 1.285156 -2.171875 0.9375 -3.320312 0.9375 -4.75 C 0.9375 -6.195312 1.285156 -7.351562 1.984375 -8.21875 C 2.679688 -9.082031 3.597656 -9.515625 4.734375 -9.515625 C 5.421875 -9.515625 6.007812 -9.378906 6.5 -9.109375 C 7 -8.835938 7.40625 -8.429688 7.71875 -7.890625 L 7.71875 -9.296875 L 9.25 -9.296875 L 9.25 -1.15625 Z M 9.25 -1.15625 "/>
-</symbol>
-<symbol overflow="visible" id="glyph0-18">
-<path style="stroke:none;" d="M 10.125 -1.765625 L 10.125 -5.09375 L 7.375 -5.09375 L 7.375 -6.46875 L 11.78125 -6.46875 L 11.78125 -1.15625 C 11.132812 -0.695312 10.421875 -0.347656 9.640625 -0.109375 C 8.859375 0.117188 8.023438 0.234375 7.140625 0.234375 C 5.203125 0.234375 3.6875 -0.328125 2.59375 -1.453125 C 1.5 -2.585938 0.953125 -4.164062 0.953125 -6.1875 C 0.953125 -8.207031 1.5 -9.785156 2.59375 -10.921875 C 3.6875 -12.054688 5.203125 -12.625 7.140625 -12.625 C 7.941406 -12.625 8.707031 -12.519531 9.4375 -12.3125 C 10.164062 -12.113281 10.835938 -11.820312 11.453125 -11.4375 L 11.453125 -9.65625 C 10.835938 -10.175781 10.179688 -10.566406 9.484375 -10.828125 C 8.785156 -11.097656 8.050781 -11.234375 7.28125 -11.234375 C 5.757812 -11.234375 4.617188 -10.8125 3.859375 -9.96875 C 3.097656 -9.125 2.71875 -7.863281 2.71875 -6.1875 C 2.71875 -4.507812 3.097656 -3.25 3.859375 -2.40625 C 4.617188 -1.5625 5.757812 -1.140625 7.28125 -1.140625 C 7.875 -1.140625 8.398438 -1.1875 8.859375 -1.28125 C 9.328125 -1.382812 9.75 -1.546875 10.125 -1.765625 Z M 10.125 -1.765625 "/>
-</symbol>
-<symbol overflow="visible" id="glyph0-19">
-<path style="stroke:none;" d="M 6.984375 -7.875 C 6.816406 -7.96875 6.628906 -8.035156 6.421875 -8.078125 C 6.222656 -8.128906 6.003906 -8.15625 5.765625 -8.15625 C 4.898438 -8.15625 4.234375 -7.875 3.765625 -7.3125 C 3.304688 -6.75 3.078125 -5.941406 3.078125 -4.890625 L 3.078125 0 L 1.546875 0 L 1.546875 -9.296875 L 3.078125 -9.296875 L 3.078125 -7.859375 C 3.398438 -8.421875 3.816406 -8.835938 4.328125 -9.109375 C 4.847656 -9.378906 5.472656 -9.515625 6.203125 -9.515625 C 6.304688 -9.515625 6.421875 -9.507812 6.546875 -9.5 C 6.679688 -9.488281 6.828125 -9.46875 6.984375 -9.4375 L 6.984375 -7.875 Z M 6.984375 -7.875 "/>
-</symbol>
-<symbol overflow="visible" id="glyph0-20">
-<path style="stroke:none;" d="M 1.609375 -9.296875 L 3.125 -9.296875 L 3.125 0 L 1.609375 0 L 1.609375 -9.296875 Z M 1.609375 -12.921875 L 3.125 -12.921875 L 3.125 -10.984375 L 1.609375 -10.984375 L 1.609375 -12.921875 Z M 1.609375 -12.921875 "/>
-</symbol>
-<symbol overflow="visible" id="glyph0-21">
-<path style="stroke:none;" d="M 8.296875 -8.9375 L 8.296875 -7.515625 C 7.859375 -7.753906 7.421875 -7.929688 6.984375 -8.046875 C 6.554688 -8.160156 6.117188 -8.21875 5.671875 -8.21875 C 4.679688 -8.21875 3.910156 -7.90625 3.359375 -7.28125 C 2.816406 -6.65625 2.546875 -5.773438 2.546875 -4.640625 C 2.546875 -3.503906 2.816406 -2.617188 3.359375 -1.984375 C 3.910156 -1.359375 4.679688 -1.046875 5.671875 -1.046875 C 6.117188 -1.046875 6.554688 -1.101562 6.984375 -1.21875 C 7.421875 -1.34375 7.859375 -1.523438 8.296875 -1.765625 L 8.296875 -0.359375 C 7.867188 -0.160156 7.425781 -0.015625 6.96875 0.078125 C 6.507812 0.179688 6.023438 0.234375 5.515625 0.234375 C 4.109375 0.234375 2.992188 -0.203125 2.171875 -1.078125 C 1.347656 -1.960938 0.9375 -3.148438 0.9375 -4.640625 C 0.9375 -6.160156 1.351562 -7.351562 2.1875 -8.21875 C 3.019531 -9.082031 4.160156 -9.515625 5.609375 -9.515625 C 6.078125 -9.515625 6.535156 -9.46875 6.984375 -9.375 C 7.429688 -9.28125 7.867188 -9.132812 8.296875 -8.9375 Z M 8.296875 -8.9375 "/>
-</symbol>
-<symbol overflow="visible" id="glyph0-22">
-<path style="stroke:none;" d="M 5.46875 0.859375 C 5.039062 1.972656 4.617188 2.695312 4.203125 3.03125 C 3.796875 3.363281 3.25 3.53125 2.5625 3.53125 L 1.34375 3.53125 L 1.34375 2.265625 L 2.234375 2.265625 C 2.660156 2.265625 2.988281 2.160156 3.21875 1.953125 C 3.445312 1.753906 3.707031 1.285156 4 0.546875 L 4.265625 -0.15625 L 0.5 -9.296875 L 2.125 -9.296875 L 5.03125 -2.03125 L 7.9375 -9.296875 L 9.546875 -9.296875 L 5.46875 0.859375 Z M 5.46875 0.859375 "/>
-</symbol>
-<symbol overflow="visible" id="glyph0-23">
-<path style="stroke:none;" d="M 3.078125 -1.390625 L 3.078125 3.53125 L 1.546875 3.53125 L 1.546875 -9.296875 L 3.078125 -9.296875 L 3.078125 -7.890625 C 3.398438 -8.441406 3.804688 -8.847656 4.296875 -9.109375 C 4.785156 -9.378906 5.367188 -9.515625 6.046875 -9.515625 C 7.179688 -9.515625 8.097656 -9.066406 8.796875 -8.171875 C 9.503906 -7.273438 9.859375 -6.097656 9.859375 -4.640625 C 9.859375 -3.179688 9.503906 -2.003906 8.796875 -1.109375 C 8.097656 -0.210938 7.179688 0.234375 6.046875 0.234375 C 5.367188 0.234375 4.785156 0.101562 4.296875 -0.15625 C 3.804688 -0.425781 3.398438 -0.835938 3.078125 -1.390625 Z M 8.28125 -4.640625 C 8.28125 -5.765625 8.046875 -6.644531 7.578125 -7.28125 C 7.117188 -7.925781 6.484375 -8.25 5.671875 -8.25 C 4.867188 -8.25 4.234375 -7.925781 3.765625 -7.28125 C 3.304688 -6.644531 3.078125 -5.765625 3.078125 -4.640625 C 3.078125 -3.515625 3.304688 -2.628906 3.765625 -1.984375 C 4.234375 -1.347656 4.867188 -1.03125 5.671875 -1.03125 C 6.484375 -1.03125 7.117188 -1.347656 7.578125 -1.984375 C 8.046875 -2.628906 8.28125 -3.515625 8.28125 -4.640625 Z M 8.28125 -4.640625 "/>
-</symbol>
-<symbol overflow="visible" id="glyph0-24">
-<path style="stroke:none;" d="M 3.109375 -11.9375 L 3.109375 -9.296875 L 6.265625 -9.296875 L 6.265625 -8.109375 L 3.109375 -8.109375 L 3.109375 -3.0625 C 3.109375 -2.300781 3.210938 -1.8125 3.421875 -1.59375 C 3.628906 -1.382812 4.050781 -1.28125 4.6875 -1.28125 L 6.265625 -1.28125 L 6.265625 0 L 4.6875 0 C 3.507812 0 2.695312 -0.21875 2.25 -0.65625 C 1.800781 -1.09375 1.578125 -1.894531 1.578125 -3.0625 L 1.578125 -8.109375 L 0.453125 -8.109375 L 0.453125 -9.296875 L 1.578125 -9.296875 L 1.578125 -11.9375 L 3.109375 -11.9375 Z M 3.109375 -11.9375 "/>
-</symbol>
-<symbol overflow="visible" id="glyph0-25">
-<path style="stroke:none;" d="M 5.203125 -8.21875 C 4.378906 -8.21875 3.726562 -7.898438 3.25 -7.265625 C 2.78125 -6.628906 2.546875 -5.753906 2.546875 -4.640625 C 2.546875 -3.523438 2.78125 -2.644531 3.25 -2 C 3.726562 -1.363281 4.378906 -1.046875 5.203125 -1.046875 C 6.015625 -1.046875 6.660156 -1.367188 7.140625 -2.015625 C 7.617188 -2.660156 7.859375 -3.535156 7.859375 -4.640625 C 7.859375 -5.742188 7.617188 -6.613281 7.140625 -7.25 C 6.660156 -7.894531 6.015625 -8.21875 5.203125 -8.21875 Z M 5.203125 -9.515625 C 6.535156 -9.515625 7.578125 -9.082031 8.328125 -8.21875 C 9.085938 -7.363281 9.46875 -6.171875 9.46875 -4.640625 C 9.46875 -3.117188 9.085938 -1.925781 8.328125 -1.0625 C 7.578125 -0.195312 6.535156 0.234375 5.203125 0.234375 C 3.867188 0.234375 2.820312 -0.195312 2.0625 -1.0625 C 1.3125 -1.925781 0.9375 -3.117188 0.9375 -4.640625 C 0.9375 -6.171875 1.3125 -7.363281 2.0625 -8.21875 C 2.820312 -9.082031 3.867188 -9.515625 5.203125 -9.515625 Z M 5.203125 -9.515625 "/>
-</symbol>
-<symbol overflow="visible" id="glyph0-26">
-<path style="stroke:none;" d="M 3.265625 -1.40625 L 9.109375 -1.40625 L 9.109375 0 L 1.25 0 L 1.25 -1.40625 C 1.882812 -2.070312 2.75 -2.957031 3.84375 -4.0625 C 4.945312 -5.175781 5.640625 -5.890625 5.921875 -6.203125 C 6.453125 -6.804688 6.820312 -7.316406 7.03125 -7.734375 C 7.25 -8.160156 7.359375 -8.570312 7.359375 -8.96875 C 7.359375 -9.632812 7.128906 -10.171875 6.671875 -10.578125 C 6.210938 -10.992188 5.609375 -11.203125 4.859375 -11.203125 C 4.335938 -11.203125 3.785156 -11.109375 3.203125 -10.921875 C 2.617188 -10.742188 1.992188 -10.472656 1.328125 -10.109375 L 1.328125 -11.796875 C 2.003906 -12.066406 2.632812 -12.269531 3.21875 -12.40625 C 3.800781 -12.550781 4.335938 -12.625 4.828125 -12.625 C 6.109375 -12.625 7.128906 -12.300781 7.890625 -11.65625 C 8.660156 -11.007812 9.046875 -10.148438 9.046875 -9.078125 C 9.046875 -8.566406 8.945312 -8.082031 8.75 -7.625 C 8.5625 -7.175781 8.21875 -6.640625 7.71875 -6.015625 C 7.582031 -5.859375 7.140625 -5.394531 6.390625 -4.625 C 5.648438 -3.863281 4.609375 -2.789062 3.265625 -1.40625 Z M 3.265625 -1.40625 "/>
-</symbol>
-</g>
-</defs>
-<g id="surface0">
-<path style=" stroke:none;fill-rule:nonzero;fill:rgb(100%,100%,100%);fill-opacity:1;" d="M 0 0 L 661 0 L 661 401 L 0 401 Z M 0 0 "/>
-<path style="fill-rule:evenodd;fill:rgb(100%,100%,100%);fill-opacity:1;stroke-width:0.1;stroke-linecap:butt;stroke-linejoin:miter;stroke:rgb(0%,0%,0%);stroke-opacity:1;stroke-miterlimit:10;" d="M 15 17 L 33 17 L 33 20 L 15 20 Z M 15 17 " transform="matrix(20,0,0,20,-299,21)"/>
-<g style="fill:rgb(0%,0%,0%);fill-opacity:1;">
-  <use xlink:href="#glyph0-1" x="173.402344" y="396.875"/>
-  <use xlink:href="#glyph0-2" x="178.402344" y="396.875"/>
-</g>
-<path style="fill-rule:evenodd;fill:rgb(100%,100%,100%);fill-opacity:1;stroke-width:0.1;stroke-linecap:butt;stroke-linejoin:miter;stroke:rgb(0%,0%,0%);stroke-opacity:1;stroke-miterlimit:10;" d="M 15 14 L 24 14 L 24 17 L 15 17 Z M 15 14 " transform="matrix(20,0,0,20,-299,21)"/>
-<path style="fill-rule:evenodd;fill:rgb(100%,100%,100%);fill-opacity:1;stroke-width:0.1;stroke-linecap:butt;stroke-linejoin:miter;stroke:rgb(0%,0%,0%);stroke-opacity:1;stroke-miterlimit:10;" d="M 24 14 L 33 14 L 33 17 L 24 17 Z M 24 14 " transform="matrix(20,0,0,20,-299,21)"/>
-<g style="fill:rgb(0%,0%,0%);fill-opacity:1;">
-  <use xlink:href="#glyph0-3" x="84.671875" y="336.875"/>
-  <use xlink:href="#glyph0-4" x="84.671875" y="336.875"/>
-  <use xlink:href="#glyph0-2" x="96.488281" y="336.875"/>
-</g>
-<g style="fill:rgb(0%,0%,0%);fill-opacity:1;">
-  <use xlink:href="#glyph0-5" x="253.207031" y="336.875"/>
-  <use xlink:href="#glyph0-6" x="265.589844" y="336.875"/>
-  <use xlink:href="#glyph0-2" x="278.617188" y="336.875"/>
-</g>
-<path style="fill-rule:evenodd;fill:rgb(100%,100%,100%);fill-opacity:1;stroke-width:0.1;stroke-linecap:butt;stroke-linejoin:miter;stroke:rgb(0%,0%,0%);stroke-opacity:1;stroke-miterlimit:10;" d="M 15 11 L 24 11 L 24 14 L 15 14 Z M 15 11 " transform="matrix(20,0,0,20,-299,21)"/>
-<path style="fill-rule:evenodd;fill:rgb(100%,100%,100%);fill-opacity:1;stroke-width:0.1;stroke-linecap:butt;stroke-linejoin:miter;stroke:rgb(0%,0%,0%);stroke-opacity:1;stroke-miterlimit:10;" d="M 24 11 L 33 11 L 33 14 L 24 14 Z M 24 11 " transform="matrix(20,0,0,20,-299,21)"/>
-<g style="fill:rgb(0%,0%,0%);fill-opacity:1;">
-  <use xlink:href="#glyph0-7" x="68.988281" y="276.875"/>
-  <use xlink:href="#glyph0-3" x="91" y="276.875"/>
-  <use xlink:href="#glyph0-4" x="91" y="276.875"/>
-  <use xlink:href="#glyph0-2" x="102.816406" y="276.875"/>
-</g>
-<g style="fill:rgb(0%,0%,0%);fill-opacity:1;">
-  <use xlink:href="#glyph0-8" x="254.066406" y="276.875"/>
-  <use xlink:href="#glyph0-8" x="264.808594" y="276.875"/>
-  <use xlink:href="#glyph0-5" x="275.550781" y="276.875"/>
-</g>
-<path style="fill-rule:evenodd;fill:rgb(100%,100%,100%);fill-opacity:1;stroke-width:0.1;stroke-linecap:butt;stroke-linejoin:miter;stroke:rgb(0%,0%,0%);stroke-opacity:1;stroke-miterlimit:10;" d="M 15 8 L 33 8 L 33 11 L 15 11 Z M 15 8 " transform="matrix(20,0,0,20,-299,21)"/>
-<g style="fill:rgb(0%,0%,0%);fill-opacity:1;">
-  <use xlink:href="#glyph0-3" x="132.71875" y="216.875"/>
-  <use xlink:href="#glyph0-9" x="132.71875" y="216.875"/>
-  <use xlink:href="#glyph0-10" x="143.441406" y="216.875"/>
-  <use xlink:href="#glyph0-10" x="154.164062" y="216.875"/>
-  <use xlink:href="#glyph0-11" x="164.886719" y="216.875"/>
-  <use xlink:href="#glyph0-12" x="175.296875" y="216.875"/>
-  <use xlink:href="#glyph0-13" x="180.003906" y="216.875"/>
-  <use xlink:href="#glyph0-14" x="185.375" y="216.875"/>
-  <use xlink:href="#glyph0-11" x="201.859375" y="216.875"/>
-  <use xlink:href="#glyph0-15" x="212.269531" y="216.875"/>
-  <use xlink:href="#glyph0-15" x="221.078125" y="216.875"/>
-  <use xlink:href="#glyph0-16" x="229.886719" y="216.875"/>
-  <use xlink:href="#glyph0-17" x="240.257812" y="216.875"/>
-  <use xlink:href="#glyph0-11" x="251" y="216.875"/>
-  <use xlink:href="#glyph0-15" x="261.410156" y="216.875"/>
-</g>
-<path style="fill-rule:evenodd;fill:rgb(100%,100%,100%);fill-opacity:1;stroke-width:0.1;stroke-linecap:butt;stroke-linejoin:miter;stroke:rgb(0%,0%,0%);stroke-opacity:1;stroke-miterlimit:10;" d="M 15 5 L 33 5 L 33 8 L 15 8 Z M 15 5 " transform="matrix(20,0,0,20,-299,21)"/>
-<g style="fill:rgb(0%,0%,0%);fill-opacity:1;">
-  <use xlink:href="#glyph0-18" x="108.460938" y="156.875"/>
-  <use xlink:href="#glyph0-16" x="121.566406" y="156.875"/>
-  <use xlink:href="#glyph0-19" x="131.9375" y="156.875"/>
-  <use xlink:href="#glyph0-12" x="138.890625" y="156.875"/>
-  <use xlink:href="#glyph0-20" x="143.597656" y="156.875"/>
-  <use xlink:href="#glyph0-21" x="148.304688" y="156.875"/>
-  <use xlink:href="#glyph0-13" x="157.601562" y="156.875"/>
-  <use xlink:href="#glyph0-11" x="162.972656" y="156.875"/>
-  <use xlink:href="#glyph0-10" x="173.382812" y="156.875"/>
-  <use xlink:href="#glyph0-21" x="184.105469" y="156.875"/>
-  <use xlink:href="#glyph0-19" x="193.402344" y="156.875"/>
-  <use xlink:href="#glyph0-22" x="200.355469" y="156.875"/>
-  <use xlink:href="#glyph0-23" x="210.375" y="156.875"/>
-  <use xlink:href="#glyph0-24" x="221.117188" y="156.875"/>
-  <use xlink:href="#glyph0-20" x="227.757812" y="156.875"/>
-  <use xlink:href="#glyph0-25" x="232.464844" y="156.875"/>
-  <use xlink:href="#glyph0-10" x="242.816406" y="156.875"/>
-</g>
-<path style="fill-rule:evenodd;fill:rgb(100%,100%,100%);fill-opacity:1;stroke-width:0.1;stroke-linecap:butt;stroke-linejoin:miter;stroke:rgb(0%,0%,0%);stroke-opacity:1;stroke-miterlimit:10;" d="M 15 2 L 33 2 L 33 5 L 15 5 Z M 15 2 " transform="matrix(20,0,0,20,-299,21)"/>
-<g style="fill:rgb(0%,0%,0%);fill-opacity:1;">
-  <use xlink:href="#glyph0-1" x="162.113281" y="96.875"/>
-  <use xlink:href="#glyph0-26" x="167.113281" y="96.875"/>
-  <use xlink:href="#glyph0-4" x="177.875" y="96.875"/>
-  <use xlink:href="#glyph0-2" x="189.691406" y="96.875"/>
-</g>
-<path style="fill-rule:evenodd;fill:rgb(100%,100%,100%);fill-opacity:1;stroke-width:0.1;stroke-linecap:butt;stroke-linejoin:miter;stroke:rgb(0%,0%,0%);stroke-opacity:1;stroke-miterlimit:10;" d="M 15 -1 L 24 -1 L 24 2 L 15 2 Z M 15 -1 " transform="matrix(20,0,0,20,-299,21)"/>
-<path style="fill-rule:evenodd;fill:rgb(100%,100%,100%);fill-opacity:1;stroke-width:0.1;stroke-linecap:butt;stroke-linejoin:miter;stroke:rgb(0%,0%,0%);stroke-opacity:1;stroke-miterlimit:10;" d="M 24 -1 L 33 -1 L 33 2 L 24 2 Z M 24 -1 " transform="matrix(20,0,0,20,-299,21)"/>
-<g style="fill:rgb(0%,0%,0%);fill-opacity:1;">
-  <use xlink:href="#glyph0-8" x="50.472656" y="36.875"/>
-  <use xlink:href="#glyph0-24" x="61.214844" y="36.875"/>
-  <use xlink:href="#glyph0-19" x="68.089844" y="36.875"/>
-  <use xlink:href="#glyph0-11" x="68.089844" y="36.875"/>
-  <use xlink:href="#glyph0-16" x="78.5" y="36.875"/>
-  <use xlink:href="#glyph0-14" x="88.871094" y="36.875"/>
-  <use xlink:href="#glyph0-20" x="105.355469" y="36.875"/>
-  <use xlink:href="#glyph0-10" x="110.0625" y="36.875"/>
-  <use xlink:href="#glyph0-17" x="120.785156" y="36.875"/>
-</g>
-<g style="fill:rgb(0%,0%,0%);fill-opacity:1;">
-  <use xlink:href="#glyph0-6" x="224.125" y="36.875"/>
-  <use xlink:href="#glyph0-16" x="237.152344" y="36.875"/>
-  <use xlink:href="#glyph0-24" x="247.523438" y="36.875"/>
-  <use xlink:href="#glyph0-16" x="254.164062" y="36.875"/>
-  <use xlink:href="#glyph0-17" x="264.535156" y="36.875"/>
-  <use xlink:href="#glyph0-19" x="275.277344" y="36.875"/>
-  <use xlink:href="#glyph0-16" x="282.230469" y="36.875"/>
-  <use xlink:href="#glyph0-14" x="292.601562" y="36.875"/>
-  <use xlink:href="#glyph0-15" x="309.085938" y="36.875"/>
-</g>
-</g>
-</svg>
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 486 560">
+<style><![CDATA[.B{font-family:Arial}.C{font-size:24px}]]></style>
+<g fill="#fff" stroke="#000" stroke-width="2">
+<path d="M23.4 383.8h360v60h-360zm0-60h180v60h-180zm180 0h180v60h-180zm-180-60h180v60h-180zm180 0h180v60h-180zm-180-60h360v60h-360zm0 0"/>
+<path d="M23.4 143.8h360v60h-360zm0 0"/>
+<path d="M23.4 83.8h360v60h-360zm0-60h180v60h-180zm180 0h180v60h-180zm0 0"/></g>
+<text xml:space="preserve" x="36.6" y="37.2" class="B C"><tspan x="59" y="60">Streaming</tspan></text>
+<text xml:space="preserve" x="211.8" y="37.1" class="B C"><tspan x="234.2" y="59.9">Datagrams</tspan></text>
+<text xml:space="preserve" x="153.7" y="99.6" class="B C"><tspan x="176.1" y="122.4">I2CP</tspan></text>
+<text xml:space="preserve" x="89.8" y="157.2" class="B C"><tspan x="112.2" y="180">Garlic Encryption</tspan></text>
+<text xml:space="preserve" x="51.4" y="279.6" class="B C"><tspan x="73.8" y="302.4">NTCP2</tspan></text><text xml:space="preserve" x="239.7" y="279.6" class="B C"><tspan x="262.1" y="302.4">SSU2</tspan></text>
+<text xml:space="preserve" x="67.2" y="339.6" class="B C"><tspan x="89.6" y="362.4">TCP</tspan></text>
+<text xml:space="preserve" x="245.2" y="339.4" class="B C"><tspan x="267.6" y="362.2">UDP</tspan></text>
+<text xml:space="preserve" x="169.1" y="399.6" class="B C"><tspan x="191.5" y="422.4">IP</tspan></text>
+<text xml:space="preserve" x="86.9" y="217.1" class="B C"><tspan x="109.3" y="239.9">Tunnel Messages</tspan></text>
+</svg>

i2p2www/__init__.py

@@ -22,8 +22,8 @@ except ImportError:
 ###########
 # Constants
 
-CURRENT_I2P_VERSION = '2.3.0'
-CURRENT_I2P_FIREFOX_PROFILE_VERSION = '2.3.0'
+CURRENT_I2P_VERSION = '2.5.2'
+CURRENT_I2P_FIREFOX_PROFILE_VERSION = '2.5.2'
 CURRENT_I2P_OSX_VERSION = '1.9.0'
 
 CANONICAL_DOMAIN = 'geti2p.net'

i2p2www/blog/2023/12/18/i2p-release-2.4.0.rst

@@ -0,0 +1,103 @@
+{% trans -%}
+=================================================================
+I2P 2.4.0 Release with Congestion and NetDB Security improvements
+=================================================================
+{%- endtrans %}
+.. meta::
+    :author: idk
+    :date: 2023-12-18
+    :category: release
+    :excerpt: {% trans %}{% endtrans %}
+
+{% trans -%}
+Update details
+{%- endtrans %}
+============================================
+
+{% trans -%}
+This release, I2P 2.4.0, continues our effort to improve the security and stability of the I2P network.
+It contains significant improvements to the Network Database, an essential structure within the I2P network used for disovering your peers.
+{%- endtrans %}
+
+{% trans -%}
+The congestion handling changes will improve network stability by giving routers the ability to relieve congested peers by avoiding them.
+This will help the network limit the effect of tunnel spam.
+It will also help the network heal during and after DDoS attacks.
+{%- endtrans %}
+
+{% trans -%}
+The NetDb changes also help secure individual routers and the applications that use them. 
+Routers can now defend against attackers by separating the NetDB into multiple "Sub-DB's" which we use to prevent information leaks between applications and the router.
+This also improves the information available to Java routers about their NetDB activity and simplifies our support for multihoming applications.
+{%- endtrans %}
+
+{% trans -%}
+Also included are a number of bug fixes and enhancements across the I2PSnark and SusiMail applications.
+{%- endtrans %}
+
+{% trans -%}
+As usual, we recommend that you update to this release.
+The best way to maintain security and help the network is to run the latest release.
+{%- endtrans %}
+
+
+**{% trans %}RELEASE DETAILS{% endtrans %}**
+
+**{% trans %}Changes{% endtrans %}**
+
+- {% trans %}i2psnark: Uncomment and fix local torrent file picker{% endtrans %}
+- {% trans %}NetDB: Lookup handler/throttler fixes{% endtrans %}
+- {% trans %}Router: Restructure netDb to isolate data recieved as a client from data recieved as a router{% endtrans %}
+- {% trans %}Router: Implement handling and penalties for congestion caps{% endtrans %}
+- {% trans %}Router: Temporarily ban routers publishing in the future{% endtrans %}
+- {% trans %}Transports: Disable SSU 1{% endtrans %}
+
+**{% trans %}Bug Fixes{% endtrans %}**
+
+- {% trans %}Addressbook: Workaround for i2p-projekt.i2p etag bug (Gitlab #454){% endtrans %}
+- {% trans %}Console: Clear out "proxy must be running" status after success{% endtrans %}
+- {% trans %}Console: Don't lose tabs in log messages{% endtrans %}
+- {% trans %}Console: Fix sidebar not immediately showing results of manual update check{% endtrans %}
+- {% trans %}Console: Fix visibility of radio/checkboxes (light theme){% endtrans %}
+- {% trans %}Console: Prevent overflow of sidebar status{% endtrans %}
+- {% trans %}Debian: Change JRE dependency order (Gitlab #443, Debian #1024461){% endtrans %}
+- {% trans %}i2psnark: Increase comment bucket size to reduce duplicates{% endtrans %}
+- {% trans %}i2psnark: Prevent start-all from within search results erroring (Gitlab #445){% endtrans %}
+- {% trans %}i2ptunnel: Exempt tunnel name from XSS filter (Gitlab #467){% endtrans %}
+- {% trans %}i2ptunnel: Fix gzip footer check in GunzipOutputStream (Gitlab #458){% endtrans %}
+- {% trans %}i2ptunnel: Remove nonstandard Proxy-Connection headers (Gitlab #452){% endtrans %}
+- {% trans %}NTCP2: Fix updating address on transition to firewalled (Gitlab #435){% endtrans %}
+- {% trans %}SAM: Fix accept after soft restart (Gitlab #399){% endtrans %}
+- {% trans %}SAM: Reset incoming socket if no subsession is matched (Gitlab #456){% endtrans %}
+- {% trans %}SSU2: Fix uncaught IAE caused by itags with zero values (Gitlab #415){% endtrans %}
+- {% trans %}SSU2: Prevent rare IAE in peer test timer (Gitlab #433){% endtrans %}
+- {% trans %}Susimail: Dark theme fixes{% endtrans %}
+- {% trans %}Susimail: Fix binary content-encoding{% endtrans %}
+- {% trans %}Susimail: Fix incorrect "previous" icons{% endtrans %}
+- {% trans %}Susimail: Fix setting encoding for attachments{% endtrans %}
+- {% trans %}Susimail: Flush output to fix truncated mails{% endtrans %}
+- {% trans %}Sybil: Don't ban NAT64 addresses{% endtrans %}
+- {% trans %}Transport: Fix NPE during soft restart (Gitlab #437){% endtrans %}
+- {% trans %}UPnP: Fix handing of multiple IGDs{% endtrans %}
+- {% trans %}UPnP: Fix missing port in Host header causing failures on libupnp-based devices{% endtrans %}
+
+**{% trans %}Other{% endtrans %}**
+
+- API 0.9.61
+- {% trans %}Translation updates{% endtrans %}
+
+`{% trans %}Full list of fixed bugs{% endtrans %}`__
+
+__ http://{{ i2pconv('git.idk.i2p') }}/i2p-hackers/i2p.i2p/-/issues?scope=all&state=closed&milestone_title=2.4.0
+
+
+**{% trans %}SHA256 Checksums:{% endtrans %}**
+
+::
+
+      d08db62457d4106ca0e36df3487bdf6731cbb81045b824a003cde38c7e1dfa27  i2pinstall_2.4.0_windows.exe
+      ef5f3d0629fec292aae15d027f1ecb3cc7f2432a99a5f7738803b453eaad9cad  i2pinstall_2.4.0.jar
+      30ef8afcad0fffafd94d30ac307f86b5a6b318e2c1f44a023005841a1fcd077c  i2psource_2.4.0.tar.bz2
+      97be217bf07319a50b6496f932700c3f3c0cceeaf1e0643260d38c9e6e139b53  i2pupdate_2.4.0.zip
+      8f4a17a8cbadb2eabeb527a36389fd266a4bbcfd9d634fa4f20281f48c486e11  i2pupdate.su3
+

i2p2www/blog/2024/03/29/many-masks-one-mind.rst

@@ -0,0 +1,84 @@
+{% trans -%}
+========================================
+Many Masks, One Mind: Securing the NetDB
+========================================
+{%- endtrans %}
+.. meta::
+    :author: idk
+    :date: 2024-03-29
+    :category: development
+    :excerpt: {% trans %}Many Masks, One Mind: Securing the NetDB{% endtrans %}
+
+{% trans -%}
+Author's note: the attacks referred to in this article are not possible against current versions of I2P.
+{%- endtrans %}
+
+{% trans -%}
+As a self-organizing peer-to-peer network, I2P relies on the routers participating in the network to have a way to share information about what is on the network and how to reach it.
+I2P routers achieve this information sharing using the NetDB, a DHT based on Kademlia but modified to work for I2P.
+The NetDB needs to share two main kinds of entries, "RouterInfos" which peers will use to communicate with other routers directly, and "LeaseSets" which other peers will use to communicate with I2P clients through anonymous tunnels.
+Routers are frequently commmunicating NetDB entries with eachother, either by sending the information to a router or client, or requesting information from a router or client.
+This means that the entries can arrive directly or indirectly, anonymously or non-anonymously, depending on the needs of the network and the capabilities of the client.
+However, as an anonymizing network, it is also important that it remain impossible for information sent anonymously to be requested back non-anonymously.
+It is also important and for information sent non-anonymously to be impossible to request back anonymously.
+If it becomes possible for either of those situations to occur, then a linking attack may be carried out which allows an attacker to determine if a clients and routers are sharing a common view of the NetDB.
+If it can be reliably determined that the 2 targets share a common view of the NetDB, then there's a very good chance they are on the same router, weakening the target's anonymity drastically.
+Because there are so few anonymizing networks, and I2P is the only one where the routing table is shared via the operation of a DHT, this class of attack is all but unique to I2P and its resolution is important to I2P's success.
+{%- endtrans %}
+
+{% trans -%}
+Consider the following scenario: There is an I2P router hosting an I2P client.
+The router publishes a RouterInfo, and the I2P client publishes its LeaseSet.
+Because they are both published in the NetDB, other I2P routers can query the NetDB to discover how to communicate with them.
+This is normal and essential to the operation of an overlay network of the type implemented by I2P.
+An attacker runs an I2P router and queries the NetDB for the target RouterInfo and the target LeaseSet.
+It then crafts a new LeaseSet which is unique and and potentially even fake, and sends it down a tunnel to the LeaseSet for the client it is targeting for attack.
+The client processes the crafted LeaseSet and adds it to its own NetDB.
+The attacker then requests the crafted LeaseSet back directly, from the router, using the RouterInfo it got from the NetDB.
+If the crafted LeaseSet is received back as a reply, then the attacker can conclude that the target client and the target router share a common view of the NetDB.
+{%- endtrans %}
+
+{% trans -%}
+That is a simple example of a NetDB deanonymization attack class which relies on adding an entry into another person's NetDB with one identity, and then requesting it back out with another identity.
+In this case, the identities in question are the "router" and the "client" identity.
+However, client-to-client linking, which is less damaging, is also possible in some designs.
+Designing a defense against this class of attack requires giving the router a way of determining whether or not it is safe to communicate a piece of information with a potential identity.
+{%- endtrans %}
+
+{% trans -%}
+So how should we think about this problem?
+What we're dealing with here, really, has to do with the linkability of different "identities" on the network.
+The possibility of linking is created because all these identities share a common datastructure which "remembers" who it has communicated with, and who has communicated with it.
+It also "remembers" how that communication occurred.
+{%- endtrans %}
+
+{% trans -%}
+For a moment, we should imagine ourselves as an attacker.
+Imagine if you were trying to discover the identity of a master of disguise.
+You know for sure you have seen his real face, and you know for sure that you regularly communicate with one of his disguises.
+How would you go about establishing that the disguise identity and the real identity belong to the same person?
+I might tell the disguised person a secret.
+If the non-disguised person responds by using the secret information, then I can determine that the non-disguised person knows the secret.
+Under the assumption that the disguised person did not communicate the secret to anyone else, then I can assume that the non-disguised person and the disguised person are in fact, the same person.
+No matter how many masks the master of disguise wears, he has but one mind.
+{%- endtrans %}
+
+{% trans -%}
+In order to successfully protect the identities of I2P clients, I2P needs to be able to perform as a better master of disguise than the one described above.
+It needs to be able to "remember" several important pieces of information about how it has participated in the NetDB and respond appropriately based on those details.
+It must be able to recall:
+{%- endtrans %}
+
+* {% trans -%}Whether a NetDB Entry was received directly, or received down a client tunnel{%- endtrans %}
+* {% trans -%}Whether a NetDB Entry was sent by a peer in response to our lookup, or sent unsolicited{%- endtrans %}
+* {% trans -%}Which NetDB Entry was received down Which client Tunnel{%- endtrans %}
+* {% trans -%}Multiple versions of the same entry for different client tunnels{%- endtrans %}
+
+{% trans -%}
+Structurally, the most understandable and reliable way to handle this pattern is to use "Sub-DBs."
+Sub-DB's are miniature NetDB's which serve to help the NetDB organize entries without losing track.
+Every client gets a Sub-DB for its own use, and the router itself gets a fully-fledged NetDB.
+Using Sub-DB's, we give our master of disguise a rolodex of secrets organized by who shared those secrets with him.
+When a request is sent to a client, it only looks for entries which have been communicated to the client, and when a request is sent to a router, only the router-wide NetDB is used.
+By doing things this way, we resolve not only the simplest form of the attack, but also undermine the potency of the entire attack class.
+{%- endtrans %}

i2p2www/blog/2024/04/08/new_release_i2p_2.5.0.rst

@@ -0,0 +1,93 @@
+{% trans -%}
+=====================
+New Release I2P 2.5.0
+=====================
+{%- endtrans %}
+.. meta::
+    :author: idk
+    :date: 2024-04-08
+    :category: release
+    :excerpt: {% trans %}I2P 2.5.0 release{% endtrans %}
+
+{% trans -%}
+This release, I2P 2.5.0, provides more user-facing improvements than the 2.4.0 release, which was focused on implementing the NetDB isolation strategy.
+{%- endtrans %}
+
+{% trans -%}
+New features have been added to I2PSnark like the ability to search through torrents.
+Bugs have been fixed to improve compatibility with other I2P torrent clients like BiglyBT and qBittorrent.
+We would like to thank all of the developers who have worked with libtorrent and qBittorrent to enable and improve their I2P support.
+New features have also been added to SusiMail including support for Markdown formatting in emails and the ability to drag-and-drop attachments into emails.
+Tunnels created with the Hidden Services manager now support "Keepalive" which improves performance and compatibility with web technologies, enabling more sophisticated I2P sites.
+{%- endtrans %}
+
+{% trans -%}
+During this release we also made several tweaks to the NetDB to improve its resilience to spam and to improve the router's ability to reject suspicious messages.
+This was part of an effort to "audit" the implementation of "Sub-DB isolation" defenses from the 2.4.0 release.
+This investigation uncovered one minor isolation-piercing event which we repaired.
+This issue was discovered and fixed internally by the I2P team.
+{%- endtrans %}
+
+{% trans -%}
+During this release several improvements were made to the process of releasing our downstream distributions for Android and Windows.
+This should result in improved delivery and availability for these downstream products.
+{%- endtrans %}
+
+{% trans -%}
+As usual, we recommend that you update to this release.
+The best way to maintain security and help the network is to run the latest release.
+{%- endtrans %}
+
+**{% trans %}RELEASE DETAILS{% endtrans %}**
+
+**{% trans %}Changes{% endtrans %}**
+
+- {% trans %}I2PTunnel: Implement support for Keepalive/Server-side Persistence{% endtrans %}
+- {% trans %}Susimail: Add markdown support for formatted plain-text content{% endtrans %}
+- {% trans %}Susimail: Add HTML Email support{% endtrans %}
+- {% trans %}I2PSnark: Add search capability{% endtrans %}
+- {% trans %}I2PSnark: Preserve private=0 in torrent files{% endtrans %}
+- {% trans %}Data: Store compressed RI and LS{% endtrans %}
+
+**{% trans %}Bug Fixes{% endtrans %}**
+
+- {% trans %}Susimail: Fix handling of forwarded mail with attachments{% endtrans %}
+- {% trans %}Susimail: Fix handling of forwarded mail with unspecified encoding{% endtrans %}
+- {% trans %}Susimail: Fix forwarding of HTML-only email{% endtrans %}
+- {% trans %}Susimail: Bugfixes in presentation of encoded attachmments, mail body{% endtrans %}
+- {% trans %}I2PSnark: Handle data directory changes{% endtrans %}
+- {% trans %}SSU2: Cancel peer test if Charlie does not have B cap{% endtrans %}
+- {% trans %}SSU2: Treat peer test result as unknown if Charlie is unreachable{% endtrans %}
+- {% trans %}Router: Filter additional garlic-wrapped messages{% endtrans %}
+- {% trans %}I2CP: Prevent loopback messages to same session{% endtrans %}
+- {% trans %}NetDB: Resolve Exploratory/Router isolation-piercing event{% endtrans %}
+
+**{% trans %}Other{% endtrans %}**
+
+- API 0.9.62
+- {% trans %}Translation updates{% endtrans %}
+
+`{% trans %}Full list of fixed bugs{% endtrans %}`__
+
+__ http://{{ i2pconv('git.idk.i2p') }}/i2p-hackers/i2p.i2p/-/issues?scope=all&state=closed&milestone_title=2.5.0
+
+
+**{% trans %}SHA256 Checksums:{% endtrans %}**
+
+::
+      
+    i2pinstall_2.5.0-0.jar - 61d3720accc6935f255611680b08ba1a414d32daa00d052017630c2424c30069
+    i2pinstall_2.5.0-0_windows.exe - a0d84c519f3c35874a9f661b9f40220e5a1d29716166c682e2bd1ee15ff83f33
+    i2pinstall_2.5.0.jar - 61d3720accc6935f255611680b08ba1a414d32daa00d052017630c2424c30069
+    i2pinstall_2.5.0.jar.sig - c8a6d79909d06ac6bca23d8e890765c6e6ed21a535f7529e0708797fdaf9fc1b
+    i2pinstall_2.5.0_windows.exe - 762b9d672dfff0baccd46f970deb5a2621358d1e2dfc0dd85a78aecda3623ac6
+    i2pinstall_2.5.0_windows.exe.sig - 103a1bd155110514fe9ae075243cc66e2fef866353165b2c806248e15925e957
+    i2psource_2.5.0.tar.bz2 - 6bda9aff7daa468cbf6ddf141c670140de4d1db145329645a90c22c1e5c7bc01
+    i2psource_2.5.0.tar.bz2.sig - a1d0ea6f2051ed0643bc2c0207a2cf594f2b2bc4303ac49cd6a43baaf0558f62
+    i2pupdate-2.5.0.su3 - 7bcfc3df3a14a0b9313b9a0fe20e56db75267d5afcfd8a3203fbfcfac46deae4
+    i2pupdate-2.5.0.su3.torrent - a7dd76348bf404d84a67bda8b009d54cc08748c036988dbe78bff6ca6928950c
+    i2pupdate.su3 - 7bcfc3df3a14a0b9313b9a0fe20e56db75267d5afcfd8a3203fbfcfac46deae4
+    i2pupdate.zip - d0a4cfe6cb587e0ffabcfb6012682f400a38ee87f23fa90f8a18f25e77b742d8
+    i2pupdate_2.5.0.zip - d0a4cfe6cb587e0ffabcfb6012682f400a38ee87f23fa90f8a18f25e77b742d8
+    i2pupdate_2.5.0.zip.sig - 411eb4ca31e2984dae4c943136411e8ee85435f59749391edefec07509cfd5af 
+

i2p2www/blog/2024/04/25/stormy_weather.rst

@@ -0,0 +1,21 @@
+{% trans -%}
+==============
+Stormy Weather
+==============
+{%- endtrans %}
+.. meta::
+    :author: idk
+    :date: 2024-04-25
+    :category: release
+    :excerpt: {% trans %}Stormy Weather{% endtrans %}
+
+{% trans -%}
+The I2P network is currently under a Denial-of-Service attack.
+This attack affects I2P and i2pd but in different ways and is having a serious effect on network health.
+Reachability of I2P sites is badly degraded.
+{%- endtrans %}
+
+{% trans -%}
+If you are hosting a service inside I2P and it is hosted on a Floodfill router, you should consider multihoming the service on a Floodfill-disabled router to improve reachability.
+Other mitigations are being discussed but a long-term, backward-compatible solution is still being worked on.
+{%- endtrans %}

i2p2www/blog/2024/05/06/i2p_2.5.1_released.rst

@@ -0,0 +1,60 @@
+{% trans -%}
+=====================
+New Release I2P 2.5.1
+=====================
+{%- endtrans %}
+.. meta::
+    :author: idk
+    :date: 2024-05-06
+    :category: release
+    :excerpt: {% trans %}I2P 2.5.1 Release{% endtrans %}
+
+{% trans -%}
+I2P 2.5.1 is being released to address Denial-of-Service Attacks affecting the I2P network and services.
+With this release we disable the IP-based parts of the Sybil attack detection tool which were targeted to amplify the effect and duration of the attack.
+This should help the network return to normal operation.
+Those of you who have disabled the Sybil attack detection tool may safely re-enable it.
+Adjustments to other subsystems to improve RouterInfo validation and peer selection have also been made.
+{%- endtrans %}
+
+{% trans -%}
+As usual, we recommend that you update to this release.
+The best way to maintain security and help the network is to run the latest release.
+{%- endtrans %}
+
+**{% trans %}RELEASE DETAILS{% endtrans %}**
+
+**{% trans %}Changes{% endtrans %}**
+
+- {% trans %}Susimail: Add search box{% endtrans %}
+- {% trans %}Susimail: UI Improvements{% endtrans %}
+- {% trans %}NetDB: Don't lookup RI if on banlist{% endtrans %}
+- {% trans %}Tomcat: update to 9.0.88{% endtrans %}
+
+**{% trans %}Bug Fixes{% endtrans %}**
+
+- {% trans %}Sybil: Disable IP-Closeness Checks in Sybil Attack Analysis Tool{% endtrans %}
+- {% trans %}Profiles: Don't update last heard from if tunnel fails{% endtrans %}
+- {% trans %}NetDB: Improve validation of RI's before storing, sending RI's{% endtrans %}
+
+`{% trans %}Full list of fixed bugs{% endtrans %}`__
+
+__ http://{{ i2pconv('git.idk.i2p') }}/i2p-hackers/i2p.i2p/-/issues?scope=all&state=closed&milestone_title=2.5.1
+
+**{% trans %}SHA256 Checksums:{% endtrans %}**
+
+::
+      
+    1b0c1a12e64bd6dabd894a297b7bfd60ebe218a9177086f27367b8d4f1e30ab9  i2pinstall_2.5.1-0.jar
+    f9b2038cc6376a7b67a7cbc6ff07046b0a5f6146658dfb910ca4532c81263177  i2pinstall_2.5.1-0_windows.exe
+    1b0c1a12e64bd6dabd894a297b7bfd60ebe218a9177086f27367b8d4f1e30ab9  i2pinstall_2.5.1.jar
+    d0150a4f7abcdc85cddae277fa951c2ee76ccc7403d98cd255791ac752a7e36b  i2pinstall_2.5.1.jar.sig
+    f9b2038cc6376a7b67a7cbc6ff07046b0a5f6146658dfb910ca4532c81263177  i2pinstall_2.5.1_windows.exe
+    4bc7e59ee0036389a0f76fc76b2303eeae62bf6eaaf608c9939226febf9ddeae  i2psource_2.5.1.tar.bz2
+    251293c39c333bd7d8ad01235ef15bccf15df1b72dd18917de06cdb212b7801f  i2psource_2.5.1.tar.bz2.sig
+    163b7fe3e9941bd412bad1b80f34e2a8cd1ade2e77cbe4cfb58eca42f3ca4b62  i2pupdate-2.5.1.su3
+    461b5fe51d2d953ba798eee867e434b4bf234911418c0dd5560b558f755f6657  i2pupdate-2.5.1.su3.torrent
+    a4db0e6a9ee56df2d9bb2b12d9eb3a04501aeeac83773817f62565e632d88228  i2pupdate_2.5.1.zip
+    c592bc6d1ffcc988f021bbd30ea6e5063f31bb5175846be96c5c2724294bd99b  i2pupdate_2.5.1.zip.sig
+    163b7fe3e9941bd412bad1b80f34e2a8cd1ade2e77cbe4cfb58eca42f3ca4b62  i2pupdate.su3
+    a4db0e6a9ee56df2d9bb2b12d9eb3a04501aeeac83773817f62565e632d88228  i2pupdate.zip

i2p2www/blog/2024/05/15/2.5.2-Release.rst

@@ -0,0 +1,50 @@
+===========================================
+{% trans -%}2.5.2 Release{%- endtrans %}
+===========================================
+
+.. meta::
+    :author: zzz
+    :date: 2024-05-15
+    :category: release
+    :excerpt: {% trans %}2.5.2 Release with HTTP fix{% endtrans %}
+
+{% trans -%}
+I2P 2.5.2 is released to fix a bug introduced in 2.5.0 causing truncation of some HTTP content.
+{%- endtrans %}
+
+{% trans -%}
+As usual, we recommend that you update to this release.
+The best way to maintain security and help the network is to run the latest release.
+{%- endtrans %}
+
+**{% trans %}RELEASE DETAILS{% endtrans %}**
+
+**{% trans %}Changes{% endtrans %}**
+
+- {% trans %}Console: Update rrd4j to 3.9.1-preview{% endtrans %}
+- {% trans %}Router: Publish G cap if symmetric natted{% endtrans %}
+
+**{% trans %}Bug Fixes{% endtrans %}**
+
+- {% trans %}i2ptunnel: Fix bug causing truncation of some HTTP content{% endtrans %}
+- {% trans %}i2ptunnel: Fix custom option form width (light theme){% endtrans %}
+- {% trans %}Tunnels: Fix selection of peers with expired RIs{% endtrans %}
+
+**{% trans %}Other{% endtrans %}**
+
+- {% trans %}Translation updates{% endtrans %}
+
+
+`{% trans %}Full list of fixed bugs{% endtrans %}`__
+
+__ http://{{ i2pconv('git.idk.i2p') }}/i2p-hackers/i2p.i2p/-/issues?scope=all&state=closed&milestone_title=2.5.2
+
+**{% trans %}SHA256 Checksums:{% endtrans %}**
+
+::
+      
+     1aa1ac29620886a7d744424318287c67dc9ead488e6ab434848597ee9db7ce18  i2pinstall_2.5.2_windows.exe
+     751f48cfb380c8796bd645621b149114d55f32cd4330784cb287be9413b02569  i2pinstall_2.5.2.jar
+     f23d0746d72a55cccbd17f40762e491ae1b42cdf55d7e73404d213a84985ca73  i2psource_2.5.2.tar.bz2
+     adba8b7512d27a44ed876ec4beb39a82ebb34dc243ec024aff289e91823fc0c7  i2pupdate_2.5.2.zip
+     0d1d09d3d8199ea1a2ea983f5023125449ea55e93e20f5fbf1b7ad9e466bb6fc  i2pupdate.su3

i2p2www/pages/downloads/browser-content.html

@@ -33,7 +33,7 @@
 <img src="{{ url_for('static',
 filename='images/firefox57.connectionsettings.png') }}" alt="{{ _('Firefox57
 Connection Settings') }}" title="{{ _('Firefox57 Connection Settings') }}">
-<p>{% trans -%} Finally, go to the address <em>about:config</em> and find the property media.peerConnection.ice.proxy_only. Ensure that this setting is True. {%- endtrans %}</p>
+<p>{% trans -%} Finally, go to the address <em>about:config</em> and find the property media.peerConnection.ice.proxy_only. Ensure that this setting is True. Now find the property keyword.enabled, and set it to False.{%- endtrans %}</p>
 <img src="{{ url_for('static',
 filename='images/firefox.webrtc.png') }}" alt="{{ _('Firefox57
 PeerConnection Settings') }}" title="{{ _('Firefox57 PeerConnection Settings') }}">

i2p2www/pages/downloads/debian.html

@@ -86,13 +86,11 @@ part of <a href="#Post-install_work">starting I2P</a> and configuring it for you
 
 <h2 id="debian">{{ _('Instructions for Debian') }}</h2>
 
-<p><b>WARNING:</b>
-Our Debian repos <a href="https://deb.i2p2.de/">deb.i2p2.de</a> and
-<a href="http://deb.i2p2.no/">deb.i2p2.no</a> are currently down, and probably will not be back soon.
-Please follow <a href="https://i2pforum.net/viewtopic.php?p=2855">these instructions</a>
-to use the Ubuntu PPA as a workaround.
-We will announce any updates here and on <a href="https://i2pforum.net/">i2pforum.net</a>.
-We apologize for the inconvenience.
+<p><b>NOTICE:</b>
+Our old Debian repos <a href="https://deb.i2p2.de/">deb.i2p2.de</a> and
+<a href="http://deb.i2p2.no/">deb.i2p2.no</a> are EOL.
+Please follow <a href="https://deb.i2p.net">these instructions</a>
+to update to the new repository, <code>deb.i2p.net</code>.
 </p>
 
 <em>{% trans -%}Currently supported architectures{%- endtrans %}: amd64, i386, armhf, arm64, powerpc, ppc64el, s390x</em>
@@ -116,7 +114,7 @@ user to root with <code>su</code> or by prefixing each command with <code>sudo</
     <pre>
     <code>
     # Use this command on Debian Bullseye or newer only.
-  echo "deb [signed-by=/usr/share/keyrings/i2p-archive-keyring.gpg] https://deb.i2p2.de/ $(lsb_release -sc) main" \
+  echo "deb [signed-by=/usr/share/keyrings/i2p-archive-keyring.gpg] https://deb.i2p.net/ $(lsb_release -sc) main" \
   | sudo tee /etc/apt/sources.list.d/i2p.list
     </code>
     </pre>
@@ -124,7 +122,7 @@ user to root with <code>su</code> or by prefixing each command with <code>sudo</
     <pre>
     <code>
     # Use this command on Debian Downstreams like LMDE or ParrotOS only.
-  echo "deb [signed-by=/usr/share/keyrings/i2p-archive-keyring.gpg] https://deb.i2p2.de/ $(dpkg --status tzdata | grep Provides | cut -f2 -d'-') main" \
+  echo "deb [signed-by=/usr/share/keyrings/i2p-archive-keyring.gpg] https://deb.i2p.net/ $(dpkg --status tzdata | grep Provides | cut -f2 -d'-') main" \
   | sudo tee /etc/apt/sources.list.d/i2p.list
     </code>
     </pre>
@@ -132,7 +130,7 @@ user to root with <code>su</code> or by prefixing each command with <code>sudo</
     <pre>
     <code>
     # Use this command on Debian Buster or older only.
-  echo "deb https://deb.i2p2.de/ $(lsb_release -sc) main" \
+  echo "deb https://deb.i2p.net/ $(lsb_release -sc) main" \
   | sudo tee /etc/apt/sources.list.d/i2p.list
     </code>
     </pre>
@@ -140,7 +138,7 @@ user to root with <code>su</code> or by prefixing each command with <code>sudo</
     <pre>
     <code>
     # Use this command on Debian Buster or older only.
-  echo "deb https://deb.i2p2.de/ $(dpkg --status tzdata | grep Provides | cut -f2 -d'-') main" \
+  echo "deb https://deb.i2p.net/ $(dpkg --status tzdata | grep Provides | cut -f2 -d'-') main" \
   | sudo tee /etc/apt/sources.list.d/i2p.list
     </code>
     </pre>

i2p2www/pages/downloads/easyinstall.html

@@ -60,7 +60,7 @@ special configuration. You don't even need to close existing Firefox windows.
 {%- set name     = 'Windows' -%}
 {%- set icon     = 'images/download/windows.png' -%}
 {%- set filename = 'I2P-Easy-Install-Bundle-%s.exe' -%}
-{%- set hash     = 'def95180e5783686f68dcf2958cfa693f17a91da53a97f8ae75c98529c4e23a8' -%}
+{%- set hash     = '183874f5f60e9ae68e7ec06de66a244125e74ca211cec134952022a22d5514aa' -%}
 
 {% call package_outer('windows', name, icon) %}
     <div class = "file">

i2p2www/pages/downloads/firefox.html

@@ -45,7 +45,7 @@ start an installer, "double-click" the downloaded .exe file.
 {%- set name     = 'Windows' -%}
 {%- set icon     = 'images/download/windows.png' -%}
 {%- set filename = 'I2P-Easy-Install-Bundle-%s.exe' -%}
-{%- set hash     = 'def95180e5783686f68dcf2958cfa693f17a91da53a97f8ae75c98529c4e23a8' -%}
+{%- set hash     = '183874f5f60e9ae68e7ec06de66a244125e74ca211cec134952022a22d5514aa' -%}
 
 {% call package_outer('windows', name, icon) %}
     <div class = "file">

i2p2www/pages/downloads/list.html

@@ -57,7 +57,7 @@ If you would like to try the latest experimental I2P projects, visit the <a href
         {%- endtrans %}</p>
     <div class="file">
         <p></p>
-        <a class="default" href="{{ get_url('downloads_mac') }}">{% trans %}Here is a helpful guide to installing I2P for Mac OS using a separate Java installation and the classic installer.{% endtrans %}</a>
+        <a class="default" href="{{ get_url('downloads_macos') }}">{% trans %}Here is a helpful guide to installing I2P for Mac OS using a separate Java installation and the classic installer.{% endtrans %}</a>
     </div>
     {% endcall %}
 

i2p2www/pages/downloads/macros

@@ -1,14 +1,14 @@
-{% set i2pinstall_windows_hash = '2081f8415013c80daa6b69b6f16f2ebf10aa20ee3cace20936e0268b2e816a3f' %}
-{% set i2pinstall_jar_hash     = '977ebce33001345731de6fe0b623f59a867de6fa6a6c46d8ad686e306310b28d' %}
-{% set i2psource_hash          = 'a0a8fb08e9c72eaef22f155b9c9aa0ea90fb331d2bbcf76f82649f0b9efe5f5b' %}
-{% set i2pupdate_hash          = '59b569dc17fad0e30e246048a3c275e403b308024eb88fda29ae83294bdbe8e6' %}
+{% set i2pinstall_windows_hash = '1aa1ac29620886a7d744424318287c67dc9ead488e6ab434848597ee9db7ce18' %}
+{% set i2pinstall_jar_hash     = '751f48cfb380c8796bd645621b149114d55f32cd4330784cb287be9413b02569' %}
+{% set i2psource_hash          = 'f23d0746d72a55cccbd17f40762e491ae1b42cdf55d7e73404d213a84985ca73' %}
+{% set i2pupdate_hash          = 'adba8b7512d27a44ed876ec4beb39a82ebb34dc243ec024aff289e91823fc0c7' %}
 {% set i2p_android_hash        = '272acf543c4489dc3775c07c42eb91710b4ed377c78aff605e3d44e73fad5110' %}
 {% set i2p_macnative_hash      = '18cb22cfcc3cbe0cec150e89a394d1a35703cb508ed627ef48084b7ba7c90dde' %}
 
 {% set i2p_windows_subver = '' %}
 {% set i2p_macosx_launcher_version = '1.9.0' %}
 
-{% set i2p_android_version = '2.2.1' %}
+{% set i2p_android_version = '2.5.2' %}
 {% set i2p_android_version_kytv = '0.9.22' %}
 {% set i2p_android_version_fdroid = '2.2.1' %}
 

i2p2www/pages/papers/anonbib.bib

@@ -31,6 +31,16 @@
 #
 # Proposed new sections: application privacy, data anonymization, ...
 #
+@inproceedings {abdo,
+  author = {Jacques Bou Abdo and Liaquat Hossain},
+  title = {Modeling the Invisible Internet},
+  booktitle = {Complex Networks and their Applications XII},
+  year = {2024},
+  url = {https://link.springer.com/chapter/10.1007/978-3-031-53472-0_30},
+  publisher = {Springer},
+  month = {February},
+  www_section = traffic,
+}
 
 @article {qu2020,
   author = {QU Yun-xuan and WANG Yi-jun and XUE Zhi},

i2p2www/pages/site/docs/api/samv3.html

@@ -1,7 +1,7 @@
 {% extends "global/layout.html" %}
 {% block title %}SAM V3{% endblock %}
-{% block lastupdated %}2023-11{% endblock %}
-{% block accuratefor %}API 0.9.59{% endblock %}
+{% block lastupdated %}2024-01{% endblock %}
+{% block accuratefor %}API 0.9.61{% endblock %}
 {% block content %}
 <p>SAM is a simple client protocol for interacting with I2P.
 SAM is the recommended protocol for non-Java applications to connect to the I2P network,
@@ -252,7 +252,7 @@ To implement a basic TCP-only, peer-to-peer application, the client must support
 <li> HELLO VERSION MIN=3.1 MAX=3.1 <br> Needed for all of the remaining ones
 <li> DEST GENERATE SIGNATURE_TYPE=7 <br> To generate our private key and destination
 <li> NAMING LOOKUP NAME=... <br> To convert .i2p addresses to destinations
-<li> SESSION CREATE STYLE=STREAM ID=... DESTINATION=... <br> Needed for STREAM CONNECT and STREAM ACCEPT
+<li> SESSION CREATE STYLE=STREAM ID=... DESTINATION=... i2cp.leaseSetEncType=4,0<br> Needed for STREAM CONNECT and STREAM ACCEPT
 <li> STREAM CONNECT ID=... DESTINATION=... <br> To make outgoing connections
 <li> STREAM ACCEPT ID=... <br> To accept incoming connections
 </ul>
@@ -260,6 +260,7 @@ To implement a basic TCP-only, peer-to-peer application, the client must support
 
 
 <h2>General Guidance for Developers</h2>
+<h3>Application Design</h3>
 <p>
 SAM sessions (or inside I2P, tunnel pools or sets of tunnels) are designed to be long-lived.
 Most applications will only need one session, created at startup and closed on exit.
@@ -273,7 +274,9 @@ Also, please ensure your application settings
 will result in your users contributing more resources to the network than they consume.
 I2P is a peer-to-peer network, and the network cannot survive if a popular application
 drives the network into permanent congestion.
-</p><p>
+</p>
+<h3>Compatibility and Testing</h3>
+<p>
 The Java I2P and i2pd router implementations are independent and have minor differences
 in behavior, feature support, and defaults.
 Please test your application with the latest version of both routers.
@@ -294,8 +297,20 @@ See below.
 For more guidance to developers on ensuring your application uses only the resources it needs, please see
 <a href="{{ site_url('docs/applications/embedding') }}">our guide to bundling I2P with your application</a>.
 </p>
-
-
+<h3>Signature and Encryption Types</h3>
+<p>
+I2P supports multiple signature and encryption types.
+For backward compatibility, SAM defaults to old and inefficient types, so all clients should
+specify newer types.
+</p><p>
+The signature type is specified in the DEST GENERATE and SESSION CREATE (for transient) commands.
+All clients should set SIGNATURE_TYPE=7 (Ed25519).
+</p><p>
+The encryption type is specified in the SESSION CREATE command.
+Multiple encryption types are allowed.
+Clients should set either i2cp.leaseSetEncType=4 (for ECIES-X25519 only)
+or i2cp.leaseSetEncType=4,0 (for ECIES-X25519 and ElGamal, if compatibility is required).
+</p>
 
 
 <h2>Version 3 Changes</h2>
@@ -1808,6 +1823,22 @@ their meaning:
  TIMEOUT         Timeout while waiting for an event (e.g. peer answer)
 </pre>
 
+<p>
+Different implementations may not be consistent in which RESULT is returned
+in various scenarios.
+
+<p>
+Most responses with a RESULT, other than OK, will also include a MESSAGE with additional information.
+The MESSAGE will generally be helpful in debugging problems.
+However, MESSAGE strings are implementation-dependent,
+may or may not be translated by the SAM server to the current locale,
+may contain internal implementation-specific information such as exceptions,
+and are subject to change without notice.
+While SAM clients may choose to expose MESSAGE strings to users,
+they should not make programmatic decisions based on those strings,
+as that will be fragile.
+
+
 
 <h3 id="options">Tunnel, I2CP, and Streaming Options</h3>
 <p>

i2p2www/pages/site/docs/applications/bittorrent.html

@@ -1,7 +1,7 @@
 {% extends "global/layout.html" %}
 {% block title %}{% trans %}Bittorrent over I2P{% endtrans %}{% endblock %}
-{% block lastupdated %}2023-01{% endblock %}
-{% block accuratefor %}0.9.57{% endblock %}
+{% block lastupdated %}2024-01{% endblock %}
+{% block accuratefor %}0.9.61{% endblock %}
 {% block content %}
 
 <p>{% trans -%}
@@ -58,6 +58,19 @@ For most low- to medium-bandwidth and low- to medium-connection counts, 3 is suf
 Please specify the tunnel quantity in the SESSION CREATE message
 to get consistent performance with the Java I2P and i2pd routers.
 </p><p>
+I2P supports multiple signature and encryption types.
+For compatibility, I2P defaults to old and inefficient types, so all clients should
+specify newer types.
+</p><p>
+If using SAM, the signature type is specified in the DEST GENERATE and SESSION CREATE (for transient) commands.
+All clients should set SIGNATURE_TYPE=7 (Ed25519).
+</p><p>
+The encryption type is specified in the SAM SESSION CREATE command or in i2cp options.
+Multiple encryption types are allowed.
+Some trackers support ECIES-X25519, some support ElGamal, and some support both.
+Clients should set i2cp.leaseSetEncType=4,0 (for ECIES-X25519 and ElGamal)
+so that they may connect to both.
+</p><p>
 DHT support requires SAM v3.3 PRIMARY and SUBSESSIONS for TCP and UDP over the same session.
 This will require substantial development effort on the client side, unless the client is written in Java.
 i2pd does not currently support SAM v3.3.

i2p2www/pages/site/docs/how/network-database.html

@@ -1,7 +1,7 @@
 {% extends "global/layout.html" %}
 {% block title %}{% trans %}The Network Database{% endtrans %}{% endblock %}
-{% block lastupdated %}2023-11{% endblock %}
-{% block accuratefor %}0.9.59{% endblock %}
+{% block lastupdated %}2024-04{% endblock %}
+{% block accuratefor %}0.9.62{% endblock %}
 {% block content %}
 <h2>{% trans %}Overview{% endtrans %}</h2>
 
@@ -529,7 +529,34 @@ Routing keys are never sent on-the-wire in any I2NP message, they are only used
 determination of distance.
 {%- endtrans %}</p>
 
-
+<h2 id="segmentation">{% trans %}Network Database Segmentation - Sub-Databases{% endtrans %}</h2>
+<p>{% trans -%}Traditionally Kademlia-style DHT's are not concerned with preserving the unlinkability of information stored on any particular node in the DHT.
+For example, a piece of information may be stored to one node in the DHT, then requested back from that node unconditionally.
+Within I2P and using the netDb, this is not the case, information stored in the DHT may only be shared under certain known circumstances where it is "safe" to do so.
+This is to prevent a class of attacks where a malicious actor can try to associate a client tunnel with a router by sending a store to a client tunnel, then requesting it back directly from the suspected "Host" of the client tunnel.
+{%- endtrans %}</p>
+<h3>{% trans %}Segmentation Structure{% endtrans %}</h3>
+<p>{% trans -%}I2P routers can implement effective defenses against the attack class provided a few conditions are met.
+A network database implementation should be able to keep track of whether a database entry was recieved down a client tunnel or directly.
+If it was recieved down a client tunnel, then it should also keep track of which client tunnel it was recieved through, using the client's local destination.
+If the entry was recieved down multiple client tunnels, then the netDb should keep track of all destinations where the entry was observed.
+It should also keep track of whether an entry was recieved as a reply to a lookup, or as a store.
+{%- endtrans %}</p>
+<p>{% trans -%}In both the Java and C++ implementations, this achieved by using a single "Main" netDb for direct lookups and floodfill operations first.
+This main netDb exists in the router context.
+Then, each client is given it's own version of the netDb, which is used to capture database entries sent to client tunnels and respond to lookups sent down client tunnels.
+We call these "Client Network Databases" or "Sub-Databases" and they exist in the client context.
+The netDb operated by the client exists for the lifetime of the client only and contains only entries that are communicated with the client's tunnels.
+This makes it impossible for entries sent down client tunnels to overlap with entries sent directly to the router.
+{%- endtrans %}</p>
+<p>{% trans -%}Additionally, each netDb needs to be able to remember if a database entry was recieved because it was sent to one of our destinations, or because it was requested by us as part of a lookup.
+If a database entry it was recieved as a store, as in some other router sent it to us, then a netDb should respond to requests for the entry when another router looks up the key.
+However, if it was recieved as a reply to a query, then the netDb should only reply to a query for the entry if the entry had already been stored to the same destination.
+A client should never answer queries with an entry from the main netDb, only it's own client network database.
+{%- endtrans %}</p>
+<p>{% trans -%}These strategies should be taken and used combined so that both are applied.
+In combination, they "Segment" the netDb and secure it against attacks.
+{%- endtrans %}</p>
 
 <h2 id="delivery">{% trans %}Storage, Verification, and Lookup Mechanics{% endtrans %}</h2>
 
@@ -584,7 +611,13 @@ The floodfill router replies with a
 with the Message ID set to the value of the Reply Token.
 {%- endtrans %}</p>
 
-
+<p>In some circumstances, a router may also send the RouterInfo DatabaseStoreMessage out
+an exploratory tunnel; for example, due to connection limits, connection incompatibility,
+or a desire to hide the actual IP from the floodfill.
+The floodfill may not accept such a store in times of overload or based
+on other criteria; whether to explicitly declare non-direct store of a RouterInfo illegal is a topic
+for further study.
+</p>
 
 
 <h3>{% trans %}LeaseSet Storage to Floodfills{% endtrans %}</h3>
@@ -607,6 +640,13 @@ This message is sent back to one of the client's inbound tunnels.
 
 
 <h3>{% trans %}Flooding{% endtrans %}</h3>
+<p>
+Like any router, a floodfill uses various criteria to validate the LeaseSet or RouterInfo before storing it locally.
+These criteria may be adaptive and dependent on current conditions including current load, netdb size,
+and other factors.
+All validation must be done before flooding.
+</p>
+
 <p>{% trans floodsize=3 -%}
 After a floodfill router receives a DatabaseStoreMessage containing a
 valid RouterInfo or LeaseSet which is newer than that previously stored in its
@@ -627,6 +667,14 @@ as this is a direct connection, so there are no intervening routers
 The other routers do not reply or re-flood, as the Reply Token is zero.
 {%- endtrans %}</p>
 
+<p>
+Floodfills must not flood via tunnels; the DatabaseStoreMessage must be sent over a direct connection.
+</p>
+
+<p>
+Floodfills must never flood an expired LeaseSet or a RouterInfo published more than one hour ago. 
+</p>
+
 
 <h3 id="lookup">{% trans %}RouterInfo and LeaseSet Lookup{% endtrans %}</h3>
 <p>{% trans i2np=site_url('docs/protocol/i2np') -%}

i2p2www/pages/site/docs/how/peer-selection.html

@@ -1,8 +1,16 @@
 {% extends "global/layout.html" %}
 {% block title %}{% trans %}Peer Profiling and Selection{% endtrans %}{% endblock %}
-{% block lastupdated %}{% trans %}July 2010{% endtrans %}{% endblock %}
-{% block accuratefor %}0.8{% endblock %}
+{% block lastupdated %}2024-02{% endblock %}
+{% block accuratefor %}0.9.62{% endblock %}
 {% block content %}
+<h2>NOTE</h2>
+This page describes the Java I2P implementation of peer profiling and selection as of 2010.
+While still broadly accurate, some details may no longer be correct.
+We continue to evolve banning, blocking, and selection strategies to address newer threats, attacks, and network conditions.
+The current network has multiple router implementations with various versions.
+Other I2P implementations may have completely different profiling and selection strategies,
+or may not use profiling at all.
+
 <h2>{% trans %}Overview{% endtrans %}</h2>
 
 <h3>{% trans %}Peer Profiling{% endtrans %}</h3>

i2p2www/pages/site/docs/naming.html

@@ -168,18 +168,39 @@ Otherwise, it forwards the request to a configured HTTP outproxy.
 Thus, in practice, all HTTP (I2P Site) hostnames must end in the pseudo-Top Level Domain '.i2p'.
 {%- endtrans %}</p>
 
-<p>{% trans i2ptld='https://datatracker.ietf.org/doc/draft-grothoff-iesg-special-use-p2p-names/',
-rfc6761='http://tools.ietf.org/html/rfc6761' -%}
-We have <a href="{{ i2ptld }}">applied to reserve the .i2p TLD</a>
-following the procedures specified in <a href="{{ rfc6761 }}">RFC 6761</a>.
-{%- endtrans %}</p>
-
 <p>{% trans -%}
 If the router fails to resolve the hostname, the HTTP proxy returns
 an error page to the user with links to several "jump" services.
 See below for details.
 {%- endtrans %}</p>
 
+
+<h2 id="alt">.i2p.alt Domain</h2>
+We previously <a href="https://datatracker.ietf.org/doc/draft-grothoff-iesg-special-use-p2p-names/">applied to reserve the .i2p TLD</a>
+following the procedures specified in <a href="https://www.rfc-editor.org/rfc/rfc6761.html">RFC 6761</a>.
+However, this application and all others were rejected, and RFC 6761 was declared a "mistake".
+</p>
+<p>
+After many years of work by the GNUnet team and others, the .alt domain was reserved as a special-use TLD
+in <a href="https://www.rfc-editor.org/rfc/rfc9476.html">RFC 9476</a> as of late 2023.
+While there are no official registrars sanctioned by IANA, we have registered the .i2p.alt domain
+with the primary unofficial registrar <a href="https://gana.gnunet.org/dot-alt/dot_alt.html">GANA</a>.
+This does not prevent others from using the domain, but it should help discourage it.
+</p>
+<p>
+One benefit to the .alt domain is that, in theory, DNS resolvers will not forward .alt requests
+once they update to comply with RFC 9476, and that will prevent DNS leaks.
+For compatibility with .i2p.alt hostnames, I2P software and services should be updated to handle
+these hostnames by stripping off the .alt TLD.
+These updates are scheduled for the first half of 2024.
+</p>
+<p>
+At this time, there are no plans to make .i2p.alt the preferred form for display and interchange of I2P hostnames.
+This is a topic for further research and discussion.
+</p>
+
+
+
 <h2 id="addressbook">{% trans %}Address Book{% endtrans %}</h2>
 <h3>{% trans %}Incoming Subscriptions and Merging{% endtrans %}</h3>
 

i2p2www/pages/site/docs/ports.html

@@ -1,7 +1,7 @@
 {% extends "global/layout.html" %}
 {% block title %}{% trans %}Ports Used by I2P{% endtrans %}{% endblock %}
-{% block lastupdated %}2022-08{% endblock %}
-{% block accuratefor %}0.9.55{% endblock %}
+{% block lastupdated %}2024-02{% endblock %}
+{% block accuratefor %}0.9.62{% endblock %}
 {% block content %}
 
 <p>{% trans -%}
@@ -11,7 +11,7 @@ and some typical related applications.
 {%- endtrans %}</p>
 
 <p>{% trans faq=site_url('faq') -%}
-Note that many of these are not enabled by default.
+Note that many of these are not installed or enabled by default.
 There is more information in <a href="{{ faq }}#ports">the FAQ</a>.
 See also the documentation for individual plugins.
 Plugin authors please add any ports you use here.
@@ -22,7 +22,8 @@ in the 767x range.
 <table>
 <tr><th>Port</th><th>Usage</th></tr>
 <tr><td>123</td><td>SNTP</td></tr>
-<tr><td>1488</td><td>XD client web UI</td>
+<tr><td>1488</td><td>XD client web UI (old)</td>
+<tr><td>1776</td><td>XD client web UI (new)</td>
 <tr><td>1900</td><td>UPnP SSDP UDP multicast listener</td>
 <tr><td>2827</td><td>BOB Bridge</td></tr>
 <tr><td>3456</td><td>Tahoe-LAFS-Controller Plugin</td></tr>
@@ -44,7 +45,7 @@ in the 767x range.
 <tr><td>7655</td><td>SAM Bridge (UDP)</td></tr>
 <tr><td>7656</td><td>SAM Bridge (TCP)</td></tr>
 <tr><td>7657</td><td>Router Console</td></tr>
-<tr><td>7658</td><td>I2P Site</td></tr>
+<tr><td>7658</td><td>I2P Site (Jetty)</td></tr>
 <tr><td>7659</td><td>SMTP Proxy</td></tr>
 <tr><td>7660</td><td>POP3 Proxy</td></tr>
 <tr><td>7661</td><td>Pebble Plugin</td></tr>
@@ -57,6 +58,7 @@ in the 767x range.
 <tr><td>7668</td><td>I2P Site SSL</td></tr>
 <tr><td>7669</td><td>Garlic Farm</td></tr>
 <tr><td>7670</td><td>Git SSH</td></tr>
+<tr><td>7672</td><td>Railroad Plugin</td></tr>
 <tr><td></td><td><i>{% trans %}recommended spot for new plugins/applications{% endtrans %}</i></td></tr>
 <tr><td>7680</td><td>don't use - Windows Delivery Optimization</td></tr>
 <tr><td>8002</td><td>I2PSnark (standalone install only)</td></tr>

i2p2www/pages/site/docs/protocol/index.html

@@ -1,7 +1,7 @@
 {% extends "global/layout.html" %}
 {% block title %}{% trans %}Protocol Stack{% endtrans %}{% endblock %}
-{% block lastupdated %}2021-12{% endblock %}
-{% block accuratefor %}0.9.52{% endblock %}
+{% block lastupdated %}2024-01{% endblock %}
+{% block accuratefor %}0.9.61{% endblock %}
 {% block content %}
 
 <p>{% trans docs=site_url('docs') -%}
@@ -86,8 +86,7 @@ However, each of these layers adds additional functionality, to allow applicatio
         <br />
         <a href="{{ site_url('docs/api/i2ptunnel') }}">I2PTunnel</a>
         <br />
-        <a href="{{ site_url('docs/api/sam') }}">SAM</a>/<a href="{{ site_url('docs/api/samv2') }}">SAMv2</a>/<a href="{{ site_url('docs/api/samv3') }}">SAMv3</a>(*),
-        <a href="{{ site_url('docs/api/bob') }}">BOB</a>        
+        <a href="{{ site_url('docs/api/samv3') }}">SAMv3</a>
     </li>
     <li>
         {% trans %}<b>I2P Application Proxy Layer:</b> proxy systems.{% endtrans %}

i2p2www/pages/site/docs/transport/ssu.html

@@ -1,9 +1,15 @@
 {% extends "global/layout.html" %}
 {% block title %}{% trans %}Secure Semireliable UDP{% endtrans %} (SSU){% endblock %}
-{% block lastupdated %}2022-07{% endblock %}
-{% block accuratefor %}0.9.54{% endblock %}
+{% block lastupdated %}2024-01{% endblock %}
+{% block accuratefor %}0.9.61{% endblock %}
 {% block content %}
 
+<p>
+<b>DEPRECATED</b> - SSU has been replaced by SSU2.
+SSU support was removed from i2pd in release 2.44.0 (API 0.9.56) 2022-11.
+SSU support was removed from Java I2P in release 2.4.0 (API 0.9.61) 2023-12.
+</p>
+
 <p>{% trans transports=site_url('docs/transport'), ntcp=site_url('docs/transport/ntcp'), ntcp2=site_url('docs/spec/ntcp2') -%}
 SSU (also called "UDP" in much of the I2P documentation and user interfaces)
 is one of two <a href="{{ transports }}">transports</a> currently implemented in I2P.

i2p2www/pages/site/get-involved/guides/reseed-policy.html

@@ -26,16 +26,6 @@ Optional:
 <li>IPv6</li>
 </ul>
 
-<p>{% trans -%}
-When your setup is complete and ready for testing, we will need the HTTPS URL,
-the SSL public key certificate (only if selfsigned), and the su3 public key certificate.
-After testing is complete, these will be added to the hardcoded entries in the Java and C++ routers in the next release,
-and you will start seeing traffic.
-We also will need your email address so we may continue to contact you about reseed administration issues.
-The email will not be made public but will be known to the other reseed operators.
-You should expect that your nick or name and its association with that URL or IP will become public.
-{%- endtrans %}</p>
-
 <h3>{% trans %}Information Required{% endtrans %}</h3>
 
 <p>{% trans -%}

i2p2www/pages/site/get-involved/roadmap.html

@@ -1,6 +1,6 @@
 {% extends "global/layout.html" %} 
 {% block title %} {{ _('Roadmap') }}{% endblock %}
-{% block lastupdated %}2022-11{% endblock %} {% block content %}
+{% block lastupdated %}2024-04{% endblock %} {% block content %}
 
 <p>
     This is the official project roadmap for the desktop and Android Java I2P releases only. Some related tasks for resources such as the website and plugins may be included.
@@ -9,40 +9,156 @@
     For details and discussion on specific items, search on gitlab or zzz.i2p. For contents of past releases, see the release notes. For other project goals, see the meeting notes.
 </p>
 <p>
-    We do not maintain separate unstable and stable branches or releases. We have a single, stable release path. Our normal release cycle is 13 weeks, with releases in February, May, August, and November.
+    We do not maintain separate unstable and stable branches or releases. We have a single, stable release path. Our typical release cycle is about 13 weeks.
 </p>
 <p>
     Older releases are at the bottom of the page.
 </p>
 
-<h2 id="2.4.0">2.4.0 (API 0.9.60)</h2>
-<p><b>Target release: September 2023</b></p>
+
+<h2 id="2.6.0">2.6.0 (API 0.9.63)</h2>
+<p><b>Target release: Late June 2024</b></p>
 <ul>
     <li>
-        NetDB context management
+        "Install Plugin from File" command-line option
     </li>
     <li>
-        Streaming replay fix
+        Generic UDP Tunnels in I2PTunnel
+    </li>
+    <li>
+        Browser Proxy in I2PTunnel
+    </li>
+    <li>
+        Torrent update sources for Plugins
+    </li>
+    <li>
+        Website Migration
+    </li>
+    <li>
+        Reduce memory usage for netdb
+    </li>
+    <li>
+        Continue removing SSU1 code
+    </li>
+    <li>
+        i2ptunnel HTTP server reduce thread usage
+    </li>
+</ul>
+
+
+
+<h2 id="2.5.1">2.5.1 (API 0.9.62)</h2>
+<p><b>Released: May 6, 2024</b></p>
+<ul>
+    <li>
+        NetDB DDoS mitigations
+    </li>
+    <li>
+        Add Tor blocklist
+    </li>
+    <li>
+        susimail fixes
+    </li>
+    <li>
+        susimail search
+    </li>
+    <li>
+        Continue removing SSU1 code
+    </li>
+    <li>
+        Tomcat 9.0.88
+    </li>
+</ul>
+
+
+
+<h2 id="2.5.0">2.5.0 (API 0.9.62)</h2>
+<p><b>Released: April 8, 2024</b></p>
+<ul>
+    <li>
+        Console iframe improvements
+    </li>
+    <li>
+        Redesign i2psnark bandwidth limiter
+    </li>
+    <li>
+        Javascript drag-and-drop for i2psnark and susimail
+    </li>
+    <li>
+        i2ptunnel SSL error handling improvements
+    </li>
+    <li>
+        i2ptunnel persistent HTTP connection support
+    </li>
+    <li>
+        Start removing SSU1 code
+    </li>
+    <li>
+        SSU2 relay tag request handling improvements
+    </li>
+    <li>
+        SSU2 peer test fixes
+    </li>
+    <li>
+        susimail initial loading speedup
+    </li>
+    <li>
+        susimail javascript markdown for plain text emails
+    </li>
+    <li>
+        susimail HTML email support
+    </li>
+    <li>
+        susimail fixes and improvements
+    </li>
+    <li>
+        tunnnel peer selection adjustments
+    </li>
+    <li>
+        Update RRD4J to 3.9
+    </li>
+    <li>
+        Update gradlew to 8.5
+    </li>
+</ul>
+
+<h2 id="2.4.0">2.4.0 (API 0.9.61)</h2>
+<p><b>Released: December 18, 2023</b></p>
+<ul>
+    <li>
+        NetDB context management/Segmented NetDB
     </li>
     <li>
         Handle congestion capabilities by deprioritizing overloaded routers
     </li>
-    <li>
-        "Install Plugin from File" command-line option
-    </li>
-    <li>
-        Generic UDP Tunnels in HSM
-    </li>
     <li>
         Revive Android helper library
     </li>
     <li>
-        Website Migration
+        i2psnark local torrent file selector
+    </li>
+    <li>
+        NetDB lookup handler fixes
+    </li>
+    <li>
+        Disable SSU1
+    </li>
+    <li>
+        Ban routers publishing in the future
+    </li>
+    <li>
+        SAM fixes
+    </li>
+    <li>
+        susimail fixes
+    </li>
+    <li>
+        UPnP fixes
     </li>
 </ul>
 
 <h2 id="2.3.0">2.3.0 (API 0.9.59)</h2>
-<p><b>Target release: June 2023</b></p>
+<p><b>Released: June 28, 2023</b></p>
 <ul>
     <li>
         Tunnel peer selection improvements
@@ -64,8 +180,16 @@
     </li>
 </ul>
 
+<h2 id="2.2.1">2.2.1 (API 0.9.58)</h2>
+<p><b>Released: April 12, 2023</b></p>
+<ul>
+    <li>
+        Packaging fixes
+    </li>
+</ul>
+
 <h2 id="2.2.0">2.2.0 (API 0.9.58)</h2>
-<p><b>Target release: April 2023</b></p>
+<p><b>Released: March 13, 2023</b></p>
 <ul>
     <li>
         Tunnel peer selection improvements

i2p2www/spec/common-structures.rst

@@ -3,8 +3,8 @@ Common structures Specification
 ===============================
 .. meta::
     :category: Design
-    :lastupdated: 2023-01
-    :accuratefor: 0.9.57
+    :lastupdated: 2024-01
+    :accuratefor: 0.9.61
 
 .. contents::
 
@@ -623,11 +623,10 @@ A PublicKey_ followed by a SigningPublicKey_ and then a Certificate_.
 
   padding :: random data
              length -> 0 bytes or as specified in key certificate
-             padding length + signing_key length == 128 bytes
+             public_key length + padding length + signing_key length == 384 bytes
 
   signing__key :: `SigningPublicKey` (partial or full)
                   length -> 128 bytes or as specified in key certificate
-                  padding length + signing_key length == 128 bytes
 
   certificate :: `Certificate`
                  length -> >= 3 bytes

i2p2www/spec/datagrams.rst

@@ -104,7 +104,7 @@ Format
                The signature may be verified by the signing public key of $from
 
   payload ::  The data
-              Length: 0 to ~31.5 KB (see notes)
+              Length: 0 to about 31.5 KB (see notes)
 
   Total length: Payload length + 427+
 {% endhighlight %}

i2p2www/spec/i2cp.rst

@@ -3,8 +3,8 @@ I2CP Specification
 ==================
 .. meta::
     :category: Protocols
-    :lastupdated: 2023-10
-    :accuratefor: 0.9.59
+    :lastupdated: 2024-01
+    :accuratefor: 0.9.62
 
 .. contents::
 
@@ -235,6 +235,8 @@ below.
 ==============  ======================
    Version      Required I2CP Features
 ==============  ======================
+   0.9.62       MessageStatus message Loopback error code
+
    0.9.43       BlindingInfo message supported
 
                 Additional HostReply message failure codes
@@ -1095,6 +1097,11 @@ Status Code  As Of Release           Name           Description
 
                                                     This is a guaranteed failure.
 
+    23          0.9.62      Loopback Denied         The message was attempted to be sent from and to
+                                                    the same destination or session.
+
+                                                    This is a guaranteed failure.
+
 ===========  =============  ======================  ==========================================================
 
 When status = 1 (accepted), the nonce matches the nonce in the

i2p2www/spec/i2np.rst

@@ -3,8 +3,8 @@ I2NP Specification
 ==================
 .. meta::
     :category: Protocols
-    :lastupdated: 2023-10
-    :accuratefor: 0.9.59
+    :lastupdated: 2024-05
+    :accuratefor: 0.9.62
 
 .. contents::
 
@@ -45,6 +45,8 @@ below.
 ==============  ================================================================
  API Version    Required I2NP Features
 ==============  ================================================================
+   0.9.58       Minimum peers will build tunnels through, as of 0.9.62
+
    0.9.55       SSU2 transport support (if published in router info)
 
    0.9.51       Short tunnel build messages for ECIES-X25519 routers
@@ -1196,9 +1198,21 @@ Notes
 
 * The returned peer hashes are not necessarily closer to the key than the
   router being queried.
+  For replies to regular lookups, this facilitates discovery of new floodfills
+  and "backwards" searching (further-from-the-key) for robustness.
 
+* The key for an exploration lookup is usually generated randomly.
+  Therefore, the response's non-floodfill peer_hashes may be selected using an
+  optimized algorithm, such as providing peers that are close to the key but not
+  necessarily the closest in the entire local network database, to avoid an
+  inefficient sort or search of the entire local database.
+  Other strategies such as caching may also be appropriate.
+  This is implementation-dependent.
+	
 * Typical number of hashes returned: 3
 
+* Recommended maximum number of hashes to return: 16
+
 * The lookup key, peer hashes, and from hash are "real" hashes, NOT routing
   keys.
 

i2p2www/spec/ntcp2.rst

@@ -3,8 +3,8 @@ NTCP 2
 ======
 .. meta::
     :category: Transports
-    :lastupdated: 2022-12
-    :accuratefor: 0.9.56
+    :lastupdated: 2024-01
+    :accuratefor: 0.9.61
 
 .. contents::
 
@@ -1383,6 +1383,14 @@ Raw contents
 
 {% endhighlight %}
 
+Notes
+`````
+- As the receiver must get the entire frame to check the MAC,
+  it is recommended that the sender limit frames to a few KB
+  rather than maximizing the frame size.
+  This will minimize latency at the receiver.
+
+
 
 Unencrypted data
 ````````````````

i2p2www/spec/proposals/159-ssu2.rst

@@ -5,8 +5,8 @@ SSU2
     :author: eyedeekay, orignal, zlatinb, zzz
     :created: 2021-09-12
     :thread: http://zzz.i2p/topics/2612
-    :lastupdated: 2022-12-19
-    :status: Open
+    :lastupdated: 2024-01-05
+    :status: Closed
     :target: 0.9.56
 
 .. contents::
@@ -39,7 +39,7 @@ Connection Migration            0.9.55+ dev            0.9.56  2022-11
 Immediate ACK flag              0.9.55+ dev            0.9.56  2022-11
 Key Rotation                    0.9.57  2023-02        0.9.58  2023-05
 Disable SSU 1 (i2pd)            0.9.56  2022-11
-Disable SSU 1 (Java I2P)        0.9.58  2023-05        0.9.59  2023-08
+Disable SSU 1 (Java I2P)        0.9.58  2023-05        0.9.61  2023-12
 ==========================      =====================  ====================
 
 Basic Session includes the handshake and data phase.

i2p2www/spec/proposals/163-datagram2.rst

@@ -5,9 +5,9 @@ Datagram2 Protocol
     :author: zzz
     :created: 2023-01-24
     :thread: http://zzz.i2p/topics/3540
-    :lastupdated: 2023-01-24
+    :lastupdated: 2024-04-14
     :status: Open
-    :target: 0.9.60
+    :target: 0.9.64
 
 .. contents::
 
@@ -16,12 +16,12 @@ Datagram2 Protocol
 Overview
 ========
 
-Pulled out from [Prop123]_ as a separate proposal. Copied from [Prop123]_:
+Pulled out from [Prop123]_ as a separate proposal.
 
 Offline signatures cannot be verified in the repliable datagram processing.
 Needs a flag to indicate offline signed but there's no place to put a flag.
 
-Will require a completely new protocol number and format.
+Will require a completely new I2CP protocol number and format,
 to be added to the [DATAGRAMS]_ specification.
 Let's call it "Datagram2".
 
@@ -31,106 +31,271 @@ Motivation
 
 Left over from LS2 work otherwise completed in 2019.
 
+The first application to use Datagram2 is expected to be
+bittorrent UDP announces, as implemented in i2psnark and zzzot,
+see [Prop160]_.
+
+
+Repliable Datagram Spec
+========================
+
+For reference,
+following is a review of the specification for repliable datagrams,
+copied from [Datagrams]_.
+The standard I2CP protocol number for repliable datagrams is PROTO_DATAGRAM (17).
+
+.. raw:: html
+
+  {% highlight lang='dataspec' -%}
++----+----+----+----+----+----+----+----+
+  | from                                  |
+  +                                       +
+  |                                       |
+  ~                                       ~
+  ~                                       ~
+  |                                       |
+  +                                       +
+  |                                       |
+  |                                       |
+  +----+----+----+----+----+----+----+----+
+  | signature                             |
+  +                                       +
+  |                                       |
+  +                                       +
+  |                                       |
+  +                                       +
+  |                                       |
+  +                                       +
+  |                                       |
+  +----+----+----+----+----+----+----+----+
+  | payload...
+  +----+----+----+----//
+
+
+  from :: a `Destination`
+          length: 387+ bytes
+          The originator and signer of the datagram
+
+  signature :: a `Signature`
+               Signature type must match the signing public key type of $from
+               length: 40+ bytes, as implied by the Signature type.
+               For the default DSA_SHA1 key type:
+                  The DSA `Signature` of the SHA-256 hash of the payload.
+               For other key types:
+                  The `Signature` of the payload.
+               The signature may be verified by the signing public key of $from
+
+  payload ::  The data
+              Length: 0 to about 31.5 KB (see notes)
+
+  Total length: Payload length + 427+
+{% endhighlight %}
+
 
 
 Design
 ======
 
-Define new protocol 19 - Repliable datagram with options.
-
-New signature specification.
-
+- Define new protocol 19 - Repliable datagram with options.
+- Add flags field for offline signatures and future expansion
+- Move signature after the payload for easier processing
+- New signature specification different from repliable datagram or streaming, so that
+  signature verification will fail if interpreted as repliable datagram or streaming.
+  This is accomplished by moving the signature after the payload,
+  and by adding a prelude to the signature function.
+- Add replay prevention as in [Prop164]_ for streaming.
+- Offline signature section must be before the variable-length
+  payload and signature sections, as it specifies the length
+  of the signature.
 
 
 Specification
 =============
 
-Add Datagram2 to [DATAGRAMS]_ as follows:
+Protocol
+--------
+
+The new I2CP protocol number for Datagram2 is 19.
+Add it as PROTO_DATAGRAM2 to [I2CP]_.
 
 
 Format
 -------
 
-Preliminary, copied from [Prop123]_:
+Add Datagram2 to [DATAGRAMS]_ as follows:
 
 .. raw:: html
 
-  {% highlight %}
-From (387+ bytes)
+  {% highlight lang='dataspec' -%}
++----+----+----+----+----+----+----+----+
+  |                                       |
+  ~            from                       ~
+  ~                                       ~
+  |                                       |
+  +----+----+----+----+----+----+----+----+
+  |  flags  |       tohash      |         |
+  +----+----+----+----+----+----+         +
+  |                                       |
+  ~     offline_signature (optional)      ~
+  ~   expires, sigtype, pubkey, offsig    ~
+  |                                       |
+  +----+----+----+----+----+----+----+----+
+  |                                       |
+  ~            payload                    ~
+  ~                                       ~
+  |                                       |
+  +----+----+----+----+----+----+----+----+
+  |                                       |
+  ~            signature                  ~
+  ~                                       ~
+  |                                       |
+  +----+----+----+----+----+----+----+----+
 
-  Flags (2 bytes)
-  Bit order: 15 14 ... 3 2 1 0
-  Bit 0: If 0, no offline keys; if 1, offline keys
-  Bits 1-15: set to 0 for compatibility with future uses
-  If flag indicates offline keys, the offline signature section:
+  from :: a `Destination`
+          length: 387+ bytes
+          The originator and (unless offline signed) signer of the datagram
 
-  Expires timestamp
-  (4 bytes, big endian, seconds since epoch, rolls over in 2106)
+  flags :: (2 bytes)
+           Bit order: 15 14 ... 3 2 1 0
+           Bits 3-0: Version: 0x02 (0 0 1 0)
+           Bit 4: If 0, no offline sig; if 1, offline signed
+           Bits 15-5: unused, set to 0 for compatibility with future uses
 
-  Transient sig type (2 bytes, big endian)
+  tohash :: (4 bytes)
+            The first 4 bytes of the target destination, for replay prevention
 
-  Transient signing public key (length as implied by sig type)
+  offline_signature ::
+               If flag indicates offline keys, the offline signature section,
+               with the following 4 fields. Length: varies by online and offline
+               sig types, typically 102 bytes for Ed25519
+               This section can, and should, be generated offline.
 
-  Signature of expires timestamp, transient sig type,
-  and public key, by the destination public key,
-  length as implied by destination public key sig type.
-  This section can, and should, be generated offline.
+  expires :: Expires timestamp
+             (4 bytes, big endian, seconds since epoch, rolls over in 2106)
 
-  Payload
+  sigtype :: Transient sig type (2 bytes, big endian)
+
+  pubkey :: Transient signing public key (length as implied by sig type),
+            typically 32 bytes for Ed25519 sig type.
+
+  offsig :: a `Signature`
+            Signature of expires timestamp, transient sig type,
+            and public key, by the destination public key,
+            length: 40+ bytes, as implied by the Signature type, typically
+            64 bytes for Ed25519 sig type.
+
+  payload ::  The data
+              Length: 0 to about 61 KB (see notes)
+
+  signature :: a `Signature`
+               Signature type must match the signing public key type of $from
+               (if no offline signature) or the transient sigtype
+               (if offline signed)
+               length: 40+ bytes, as implied by the Signature type, typically
+               64 bytes for Ed25519 sig type.
+               The `Signature` of the payload and other fields as specified below.
+               The signature is verified by the signing public key of $from
+               (if no offline signature) or the transient pubkey
+               (if offline signed)
 
-  Signature
 {% endhighlight %}
 
+Total length: minimum 433 + payload length;
+typical length for X25519 senders and without offline signatures:
+461 + payload length.
+Note that the message will typically be compressed with gzip at the I2CP layer,
+which will result in significant savings if the from destination is compressible.
 
 
 Signatures
 ----------
 
-TBD
+The signature is over the following fields.
 
-Prelude: "DatagramProtocol" ?
+- Prelude: "DatagramProtocol" ? (not included in the datagram)
+- flags
+- tohash
+- offline_signature (if present)
+- payload
+
+In repliable datagram, for the DSA_SHA1 key type, the signature was over the
+SHA-256 hash of the payload, not the payload itself; here, the signature is
+always over the fields above (NOT the hash), regardless of key type.
 
 
+ToHash Verification
+-------------------
+
+Receivers must verify that the tohash field matches the first four bytes
+of their destination hash, and discard on mismatch, for replay prevention.
 
 
 SAM
 ---
 
-Add STYLE=DATAGRAM2
+Add STYLE=DATAGRAM2 to the SAMv3 specification.
+Update the information on offline signatures.
+
+
+Overhead
+--------
+
+This design adds 6 bytes of overhead to repliable datagrams; 2 for flags and 4 for replay prevention.
+This is acceptable.
 
 
 
 Security Analysis
 =================
 
+Four bytes for the hash prefix should be sufficient?
 
 
 
 Notes
 =====
 
+- The practical length is limited by lower layers of protocols - the tunnel
+  message spec [TUNMSG]_ limits messages to about 61.2 KB and the transports
+  [TRANSPORT]_ currently limit messages to about 64 KB, so the data length here
+  is limited to about 61 KB.
+- See important notes about the reliability of large datagrams [API]_. For
+  best results, limit the payload to about 10 KB or less.
+
+
 
 
 Compatibility
 ===============
 
-None
+None. Applications must be rewritten to route Datagram2 I2CP messages
+based on protocol and/or port.
+Datagram2 messages that are misrouted and interpreted as
+Repliable datagram or streaming messages will fail based on signature, format, or both.
+
 
 
 Migration
 =========
 
 Each UDP application must separately detect support and migrate.
+The most prominent UDP application is bittorrent.
+
+Bittorrent
+----------
 
 Bittorrent DHT: Needs extension flag probably,
 e.g. i2p_dg2, coordinate with BiglyBT
 
-Bittorrent UDP Announces [Prop160]_: Design in from the beginning?
-Coorindate with BiglyBT, i2psnark, zzzot
+Bittorrent UDP Announces [Prop160]_: Design in from the beginning.
+Coordindate with BiglyBT, i2psnark, zzzot
 
-Bote: Unlikely
+Others
+------
 
-Streamr: Just switch, nobody's using it
+Bote: Unlikely to migrate, not actively maintained
+
+Streamr: Nobody's using it, no migration planned
 
 SAM UDP apps: None known
 
@@ -138,11 +303,17 @@ SAM UDP apps: None known
 References
 ==========
 
+.. [API]
+    {{ site_url('docs/api/datagrams', True) }}
+
+.. [BT-SPEC]
+    {{ site_url('docs/applications/bittorrent', True) }}
+
 .. [DATAGRAMS]
     {{ spec_url('datagrams') }}
 
 .. [I2CP]
-    {{ spec_url('i2cp') }}
+    {{ site_url('docs/protocol/i2cp', True) }}
 
 .. [Prop123]
     {{ proposal_url('123') }}
@@ -150,5 +321,12 @@ References
 .. [Prop160]
     {{ proposal_url('160') }}
 
-.. [BT-SPEC]
-    {{ site_url('docs/applications/bittorrent', True) }}
+.. [Prop164]
+    {{ proposal_url('164') }}
+
+.. [TRANSPORT]
+    {{ site_url('docs/transport', True) }}
+
+.. [TUNMSG]
+    {{ spec_url('tunnel-message') }}#notes
+

i2p2www/spec/proposals/165-ssu2-fix.rst

@@ -0,0 +1,169 @@
+===========================
+I2P proposal #165: SSU2 fix
+===========================
+.. meta::
+    :author: weko, orignal, the Anonymous, zzz
+    :created: 2024-01-19
+    :thread: http://i2pforum.i2p/viewforum.php?f=13
+    :lastupdated: 2024-01-19
+    :status: Open
+    :target: 0.9.62
+
+.. contents::
+
+
+
+Proposal by weko, orignal, the Anonymous and zzz.
+
+
+Overview
+--------
+
+Suggesting changes in SSU2 after the attack on I2P that used SSU2’s
+problem.
+
+
+Threat model
+------------
+
+An attacker creates new fake RIs (router doesn’t exist): is regular RI,
+but he puts address, port, s and i keys from real Bob’s router, then he
+floods the network. When we are trying to connect to this (as we think
+real) router, we, as Alice can connect to this address, but we can’t be
+sure what done it with real Bob’s RI. This is possible and was used for
+a Distributed Denial of Service attack (make big amount of such RIs and
+flood the network), also this can make de-anon attacks easier by framing
+good routers and do not framing attacker’s routers, if we ban IP with
+many RIs (instead better distrubute tunnel building to this RIs as to
+one router).
+
+
+Potential fixes
+---------------
+
+1. Fix with support for old (before the change) routers
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. _overview-1:
+
+Overview
+^^^^^^^^
+
+A workaround to support SSU2 connections with old routers.
+
+Behavivor
+^^^^^^^^^
+
+Bob’s router profile should have ‘verified’ flag, it’s false by default
+for all new routers (with no profile yet). When ‘verified’ flag is
+false, we never do connections with SSU2 as Alice to Bob - we can’t be
+sure in RI. If Bob connected to us (Alice) with NTCP2 or SSU2 or we
+(Alice) connected to Bob with NTCP2 once (we can verify Bob’s
+RouterIdent in these cases) - flag is set to true.
+
+Problems
+^^^^^^^^
+
+So, there is a problem with fake SSU2-only RI flood: we can’t verify it
+by ourselves and are forced to wait when the real router will make
+connections with us.
+
+2. Verify RouterIdent during connection creation
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. _overview-2:
+
+Overview
+^^^^^^^^
+
+Add “RouterIdent” block for SessionRequest and SessionCreated.
+
+Possible format of RouterIdent block
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+1 byte flags, 32 bytes RouterIdent. Flag_0: 0 if receiver’s RouterIdent;
+1 if sender’s RouterIdent
+
+Behavior
+^^^^^^^^
+
+Alice (should(1), can(2)) send in payload RouterIdent block Flag_0 = 0
+and Bob’s RouterIdent. Bob (should(3), can(4)) check if is it his
+RouterIdent, and if not: terminate the session with “Wrong RouterIdent”
+reason, if it is his RouterIdent: send RI block with 1 in Flag_0 and
+Bob’s RouterIdent.
+
+With (1) Bob does not support old routers. With (2) Bob supports old
+routers, but can be a victim of DDoS from routers that are trying to
+make connection with fake RIs. With (3) Alice does not support old
+routers. With (4) Alice supports old routers and is using a hybrid
+scheme: Fix 1 for old routers and Fix 2 for new routers. If RI says new
+version, but while in the connection we didnt’s recieve the RouterIdent
+block - terminate and remove RI.
+
+.. _problems-1:
+
+Problems
+^^^^^^^^
+
+An attacker can mask his fake routers as old, and with (4) we are
+waiting for ‘verified’ as in fix 1 anyways.
+
+Notes
+^^^^^
+
+Instead of 32 byte RouterIdent, we can probably use 4 byte
+siphash-of-the-hash, some HKDF or something else, which must be
+sufficient.
+
+3. Bob sets i = RouterIdent
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. _overview-3:
+
+Overview
+^^^^^^^^
+
+Bob uses his RouterIdent as i key.
+
+.. _behavior-1:
+
+Behavior
+^^^^^^^^
+
+Bob (should(1), can(2)) uses his own RouterIdent as i key for SSU2.
+
+Alice with (1) connects only if i = Bob’s RouterIdent. Alice with (2)
+uses the hybrid scheme (fix 3 and 1): if i = Bob’s RouterIdent, we can
+make the connection, otherwise we should verify it first (see fix 1).
+
+With (1) Alice does not support old routers. With (2) Alice supports old
+routers.
+
+.. _problems-2:
+
+Problems
+^^^^^^^^
+
+An attacker can mask his fake routers as old, and with (2) we are
+waiting for ‘verified’ as in fix 1 anyways.
+
+.. _notes-1:
+
+Notes
+^^^^^
+
+To save on RI size, better add handling if i key isn’t specified. If it
+is, then i = RouterIdent. In that case, Bob does not support old
+routers.
+
+Backward compability
+--------------------
+
+Described in fixes.
+
+
+Current status
+--------------
+
+i2pd: Fix 1.

i2p2www/spec/ssu.rst

@@ -3,8 +3,8 @@ SSU Protocol Specification
 ==========================
 .. meta::
     :category: Transports
-    :lastupdated: 2022-06
-    :accuratefor: 0.9.54
+    :lastupdated: 2024-01
+    :accuratefor: 0.9.61
 
 .. contents::
 
@@ -12,6 +12,10 @@ SSU Protocol Specification
 Overview
 ========
 
+DEPRECATED - SSU has been replaced by SSU2.
+SSU support was removed from i2pd in release 2.44.0 (API 0.9.56) 2022-11.
+SSU support was removed from Java I2P in release 2.4.0 (API 0.9.61) 2023-12.
+
 See [SSU]_ for an overview of the SSU transport.
 
 

i2p2www/spec/ssu2.rst

@@ -3,8 +3,8 @@ SSU2
 ======
 .. meta::
     :category: Transports
-    :lastupdated: 2023-01
-    :accuratefor: 0.9.57
+    :lastupdated: 2024-02
+    :accuratefor: 0.9.61
 
 .. contents::
 
@@ -40,7 +40,7 @@ Connection Migration            0.9.55+ dev            0.9.56  2022-11
 Immediate ACK flag              0.9.55+ dev            0.9.56  2022-11
 Key Rotation                    0.9.57  2023-02        0.9.58  2023-05
 Disable SSU 1 (i2pd)            0.9.56  2022-11
-Disable SSU 1 (Java I2P)        0.9.58  2023-05        0.9.59  2023-08
+Disable SSU 1 (Java I2P)        0.9.58  2023-05        0.9.61  2023-12
 ==========================      =====================  ====================
 
 Basic Session includes the handshake and data phase.
@@ -4768,9 +4768,9 @@ Message Contents
 The Data messages should contain the following blocks.
 Order is not specified except that Padding must be last:
 
-- Path Validation or Path Response block.
-  Path Validation contains opaque data, recommended 8 bytes minimum.
-  Path Response contains the data from the Path Validation.
+- Path Challenge or Path Response block.
+  Path Challenge contains opaque data, recommended 8 bytes minimum.
+  Path Response contains the data from the Path Challenge.
 - Address block containing the recipient's apparent IP
 - DateTime block
 - ACK block
@@ -4779,7 +4779,7 @@ Order is not specified except that Padding must be last:
 It is not recommended to include any other blocks
 (for example, I2NP) in the message.
 
-It is allowed to include a Path Validation block in the message
+It is allowed to include a Path Challenge block in the message
 containing the Path Response, to initiate a validation
 in the other direction.
 
@@ -4917,8 +4917,8 @@ the other peer should initiate a path challenge in the other direction.
 
 Use as Ping/Pong
 -----------------
-Path Validation and Path Response blocks may be used at any time as Ping/Pong packets.
-Reception of a Path Validation block does not change any state at the receiver,
+Path Challenge and Path Response blocks may be used at any time as Ping/Pong packets.
+Reception of a Path Challenge block does not change any state at the receiver,
 unless received from a different IP/port.
 
 

i2p2www/static/hosts.txt

@@ -61,3 +61,7 @@ wiki.i2p-projekt.i2p=Y2t37BDz4~Th--CvXrSTw03ty7hKdLqi4TV3~GDzcaJwKZ7dHY21w4dVP0H
 stormycloud.i2p=ZvTcy3AWfaqfF1ilXT7v7Q9ljT8MR1kbPsqRP3X8rin7DPORIhhfhveOHlZerUy~kSpJxnXHoFSvKzW7MhPVrLNs~aeiFobEEJ06NqTVARCMEL194VOhi7jkNehkvvg07FM3cpT0acA7OSUyx8g7xNATiXyYWjWWvfGc~I1uhdzNLapNksrT5LJdHPNMpjP~QXifz9hLYPf0WM8wrg2uTZ0k3An5YZFt1D4hxOONqiLevOFhnauQlKAFjpJ-h~f1PH3L6-qnwaPJmR0WXeMs3Cm38cIS4QKkjUZfYE66Gn7fnS2uo5mo3VDpufP8jU2fzxwylok4MsHPYQfVloF9SbS5PxCNaHzgyIchOaI4aQ0VEz6YymRrwTGqd515PXvgBxZwFmP8h-aFCWPl~zRK9W0beoBi~Hryf3wLSShjgJyotWEwjn05HV~jzkfd6r8zSev8IErdjqQoL7fwn6BKgp1CMvcsZHROmBpGWHu~pumFZCm2P-iM5U~YvFIEhLXBBQAEAAcAAA==#!date=1653318605#sig=7hrZC5ntQcLteUrJTptovOCMBtsze2WwxrqG-l77AfBJGe9jJFdh7zSvnncsDe9EOwJWFsq~zJwdWPAsL6PSDA==
 exit.stormycloud.i2p=Ms6qmq4ZpttjEZK8r7ev38BL8dyT~-ENUK~j74G-nN-WIN7-rUJWbbYAyagQOyerJ31Bf52vtJeXPVHGQdUnbOgBmNkN-Hoo6LkDle1Su7eKYlOrbE2RNihOCh-U0Yq7vDYDBnKI8ldE7s24RY4Nmk1ZlVq8nQwT~RrNf0nbBKBjgGKJkmsfBq6i0G6eZN9Cy2Ip6uGbG70jHzzyAqW9hLUxLArVZKNMAh-fzgGUQkj3llOMqJ5NQqZn2sMrcKkO~c2nn65KNYp2zAGUnbzz3y5M~BOBj9egGYzoakDpGTEpErNj8PiO3oDeKrlgsFFsfmfcMyTKrv82FhBiwxi-izX~P7vo7wcOqhmfic5jqgzY5J-8hEpg0LerjcrW0GjOzHra20GclknvtY5M9m9eUJnRDt43n5IwBrO6-C3VJJLvWvi1gabEP2wuKvAcgHcLn6vU1reqS7QwT~Y-bteoUEw1gZ-GCPkRhGKmr6d2NyxLzEEJispBLoCoTWKPZCHkBQAEAAcAAA==#!action=addsubdomain#date=1654125792#olddest=ZvTcy3AWfaqfF1ilXT7v7Q9ljT8MR1kbPsqRP3X8rin7DPORIhhfhveOHlZerUy~kSpJxnXHoFSvKzW7MhPVrLNs~aeiFobEEJ06NqTVARCMEL194VOhi7jkNehkvvg07FM3cpT0acA7OSUyx8g7xNATiXyYWjWWvfGc~I1uhdzNLapNksrT5LJdHPNMpjP~QXifz9hLYPf0WM8wrg2uTZ0k3An5YZFt1D4hxOONqiLevOFhnauQlKAFjpJ-h~f1PH3L6-qnwaPJmR0WXeMs3Cm38cIS4QKkjUZfYE66Gn7fnS2uo5mo3VDpufP8jU2fzxwylok4MsHPYQfVloF9SbS5PxCNaHzgyIchOaI4aQ0VEz6YymRrwTGqd515PXvgBxZwFmP8h-aFCWPl~zRK9W0beoBi~Hryf3wLSShjgJyotWEwjn05HV~jzkfd6r8zSev8IErdjqQoL7fwn6BKgp1CMvcsZHROmBpGWHu~pumFZCm2P-iM5U~YvFIEhLXBBQAEAAcAAA==#oldname=stormycloud.i2p#oldsig=N1FSIv1OYX~CDdJiGNPtmVvvNQG7LFzGZzyWH9g0d~HMLc-igxUwsp6mWO9oIFePr~-D-eZ-wewUYmaKBm89Bg==#sig=bLFzyq9ubUO0dvuAnKCiz02EI4xj4Fb6l1C0Z~c-gZPYiWo7VWoMBUdib2L5kBNCRyj7Mx--zKHfGOOuWoGOBw==
 ramble.i2p=xyOqhmjnO6Sc-t~2aeSW31bNkYTmhfHdQ7lYV-ENZ2AtkzMm4EsuNZLBQ9pMLV5ADc7lB1~l0q6jB~qstXL~vkIyPjfLWFSma0bCawCLgQrnC4RB3cbYxCF4CrD~-6Vb2GvV4jhrEnBLixtTqXMtW00otmuuzwWS80Pus4laOy066PuPPZR9QebY18W5Ae7-Hgaz92KNjtkkFe3IjPi05vM0g3rLiXpL-69hgyEy-1plJikdGD4wtiPmHr6utB5GVXvU4pBI0g-0CW9-OXDjAZLwBK33hVIGgDudYOmxiw-mAi227AIZBS~t-uQJHsyRZ0FWs0Kmj2mGupqz2fThuUW-UNOJL3FyvgTJawZ5Y4y0-76szgc~o6s33fnTQTwD1UdGXAy1TcRsUh16wyR-3lS8Ig6foTlzTD-LO0PF7WSWZzatwk6aQdTgjNW72a33DISA7Ry6G5M9J321XHyA52SpkbyqPxSj-BjqZX-vGozShBe1Q3fgkFzUPTnax-QNBQAEAAcAAA==#!date=1607587030#sig=Oq-xYrbUQkBqVU39e8-KX5-uSyemy3iStol-CU3lu2KBkmeDDL0KeuETM-kKat2cR4q3B4DpGFRlRlZq~rYaCA==
+r4sas.i2p=ABQFq3xLCaQ4wCOuL2rMdwPyQwVz1xrktkLMLShZJo2L7VZJgfTBWbfUWHCzWXKcIzxmzjcnvRfp5Y5udL1HmU5CVZ2bp1jis3FPgjcJoGqcsM7w~Lad5aYkf7If8IcH7DIpavJt3ch~yxt8571CVmv2F9R4TorSOnc04kHkOrqjIyHGHCN7TsyZ23FtADGM7uaRdEk8Cbtx6905ZW4mrc1AW6F6YqiLCnSC8vLEH80ELTR3FTTkveGenKg-9ITGW3X-99qcCvp-Br1QlUAyV-XorUym2dkpWPWDV2WXUZEX6WdQMBOvU0gQ6ig6WsNBvrKXop6R4Q333gsT7XkXSg5~I74c9ntFVuewZYbfuwu-ws-4Gb2ZyRVkccUpt1AYgruXwqyxLkx4GFVN4EYX0N~JYKPaU1yb7Xw~nnCVXH5uAbeIv3glAleK4huUfqK-1ZJRy0h81ualE--XLEsOEKNGFW8bleltl~6MxGSOiEaMawHHICW2FdCEmebG6JJHBQAEAAEAAA==
+opentracker.r4sas.i2p=P8CBg89WyA17SFPZJSQn9do~iCo2j8i-c8YmaByQS3TgY92or5-z7uml-5v6aV63LmO5epPptCN1pCzPyKg6aAa0mFuAG0jsV0GyjOqsQ57I~PomGZDYWnK3-Oj-ZDg128BwdXfNEa2YKxTTQGu2h5n141ObTm~NRGJBNeb0E4MGnRqvA24kI75LTtacq8M75ACW7CfhpBoWDCRTnrV0nHbH0yR4NiYRHs8WllUcP2oe2H~sNJYOuGkHxxaSTvD0wPTLL-Wx0weWV6v~QPkFA6ZkEaIAJbQjOCP4u0WJ1auaaljjnxTs-pSpd2UMV5uIN~4RIWEf6D2Q1RZg3IW9ulmP6FV2-UgZTsZ9UU3leQ2Qdt7ZOo49Nws5bKr9Lg4PeAeIa3Xx86yemDmzDO8YPjEEErcspz-SSrglnJP~PuGLJtN0v6uBZlGyKbBO7Z4tQc-nA2oHWGX9TVwQkWpcAGiZmDcoHqNhDj1OzsQ87WzkLt9X9fx4NsJUSch0Qm61BQAEAAcAAA==#!action=addsubdomain#date=1640739404#olddest=ABQFq3xLCaQ4wCOuL2rMdwPyQwVz1xrktkLMLShZJo2L7VZJgfTBWbfUWHCzWXKcIzxmzjcnvRfp5Y5udL1HmU5CVZ2bp1jis3FPgjcJoGqcsM7w~Lad5aYkf7If8IcH7DIpavJt3ch~yxt8571CVmv2F9R4TorSOnc04kHkOrqjIyHGHCN7TsyZ23FtADGM7uaRdEk8Cbtx6905ZW4mrc1AW6F6YqiLCnSC8vLEH80ELTR3FTTkveGenKg-9ITGW3X-99qcCvp-Br1QlUAyV-XorUym2dkpWPWDV2WXUZEX6WdQMBOvU0gQ6ig6WsNBvrKXop6R4Q333gsT7XkXSg5~I74c9ntFVuewZYbfuwu-ws-4Gb2ZyRVkccUpt1AYgruXwqyxLkx4GFVN4EYX0N~JYKPaU1yb7Xw~nnCVXH5uAbeIv3glAleK4huUfqK-1ZJRy0h81ualE--XLEsOEKNGFW8bleltl~6MxGSOiEaMawHHICW2FdCEmebG6JJHBQAEAAEAAA==#oldname=r4sas.i2p#oldsig=qtQ2nLeD87nD4oqCQvv8YMrcBtpLgYa3eDWQi5MDyNT8npG2yuxRwtYcU5zukyaod6MqoXNLNh9oAORVOU25~Q==#sig=ORrgekcqTYUnrxM5NZHl7I19x5lX~oVmOJsROufRkJ4fG1JaCjhh1zi1mRa4Y8k4XO6hQYr9N6sWN0na5hMKBw==
+skank.i2p=kagASzrpRCxoEzpKoGiA1KBTl-8-VAoDqaqq-iheMu5jmOt69pVIzsKJ571klT30zUCPJkW~6eTY3Kt4HhUoCcBxQOOdTc2yrW7wHmHjt~q~Ci92Cmz8xd~NwiZzdjONpA6AD~fQkl7oN4pKjmk58ZrOHNEXJYjZzceCtlCnoOgXMCUigTFr45nvTeloDOgCnU5vdjNbv-28Cwfy0hXEAHrPcEJdOdguD9HNiTeexjb0hxrl8ugwRaNBMFpMMhQgKwR1NJuvqol87XXvv2DE9mp2Gs~hdaHuJL2DGXitoq-OT3Si~~axGUyKKpo~unfwy9JSAA0aNkzRJ6SPBFNnsqZDzsMMnhupT3YDVeEzMjQSb08kYaHeBWM-hz7IUGI7tGNcb2g3kZlUKYAB9~QHF7m6kS0xbvwx8L~nDRpLpX~UURCsvy5LxoQkebvn7UGa1r6AAbDbaJoqPWeY98RU5m3V-cbG-1D4iSB8OvRUELjlE3vL7y7JCyMdJhAJxGCzBQAEAAcAAA==#!date=1507614292#sig=5INCXrtvcn9Q7YlouY4qEPghL6OD5ZQDN30GYKdcNli9PrTUfpYYAFvcBLx5R4KwJSIUoJMe5Uh37t2FyQ3KBw==
+opentracker.skank.i2p=5tSb-9kujvxfA9v-pgRPe4Fxv6FtLU~lykVKYRCPfwXS8Uizy-Ljn~yE9vGCf3KBeUudLUfRGTYBflJE04kYInZf28lLeG5xkLI29Hwz4lbUX~13BFZrPc-lnCVA6gyr4dAtcVf0b9YJSX2idOPiuZXkasa02SQb6k5yT5~4UvHHsTchO-XDkf38hsx~xjumfhg9DHI2CWrsuRFNR8K0CN9Z6H608jxWfizqsMH0EE6bohfmC42HVkZWXInAmtH1mSyC5t0RZiIVKcT8SvSoRr6QQpwBWsoUi6SyoWTRKT8LD9pT-3LNxabR60S28eiAgX1khDkIZEQvDXcie6TDIihZc0HhaYs2T67WlOKUovHQ4CqtfGDsD9Fpud3SyxXsq-A40NNlXTYStIW2JnwetTot8of5~PF1uv1XPMbfItvqDlMBz9TBtI5BJujD3SinHkcaWDVgr6bddsTJrjBZVojZurfeSMbEB~Y6NScr1O8V4BR2fpr6fFxWiqE5lTDDBQAEAAcAAA==#!action=addsubdomain#date=1711375599#olddest=kagASzrpRCxoEzpKoGiA1KBTl-8-VAoDqaqq-iheMu5jmOt69pVIzsKJ571klT30zUCPJkW~6eTY3Kt4HhUoCcBxQOOdTc2yrW7wHmHjt~q~Ci92Cmz8xd~NwiZzdjONpA6AD~fQkl7oN4pKjmk58ZrOHNEXJYjZzceCtlCnoOgXMCUigTFr45nvTeloDOgCnU5vdjNbv-28Cwfy0hXEAHrPcEJdOdguD9HNiTeexjb0hxrl8ugwRaNBMFpMMhQgKwR1NJuvqol87XXvv2DE9mp2Gs~hdaHuJL2DGXitoq-OT3Si~~axGUyKKpo~unfwy9JSAA0aNkzRJ6SPBFNnsqZDzsMMnhupT3YDVeEzMjQSb08kYaHeBWM-hz7IUGI7tGNcb2g3kZlUKYAB9~QHF7m6kS0xbvwx8L~nDRpLpX~UURCsvy5LxoQkebvn7UGa1r6AAbDbaJoqPWeY98RU5m3V-cbG-1D4iSB8OvRUELjlE3vL7y7JCyMdJhAJxGCzBQAEAAcAAA==#oldname=skank.i2p#oldsig=1qmKeCQ93tGCmP9oQuH-AgTwnyEqGuK58A6aIYAzb9qmUS37K6xJPzQH7okbexmPzhADMzDUojRuJSEaDn~QBQ==#sig=OZKaH6LbB5Ff-ErNWAA5vK8EIUC6Sjjy-uOHZISasxlPQcPezAW3cNx4yxgMTMyA40RzDaw1H2pDidZgw8OXAg==

i2p2www/static/styles/duck/desktop.css

@@ -321,7 +321,7 @@ div#content .inner .sidebar, div#content .inner .sidebar > nav {
 }
 
 div#content .content-inner {
-    margin-left: 252px;
+    margin-left: 22%;
     padding-right: 4em;
 }
 

i2p2www/templatevars.py

@@ -25,7 +25,7 @@ I2P_TO_CLEAR = {
     'mail.i2p': 'i2pmail.org',
     'lists.i2p': 'lists.i2p.email',
     'i2p-javadocs.i2p': 'docs.i2p-projekt.de/javadoc', # Hacky to include the path, but it works!
-    'idk.i2p/javadoc': 'docs.i2p-projekt.de/javadoc', # Hacky to include the path, but it works!
+    'idk.i2p/javadoc-i2p': 'docs.i2p-projekt.de/javadoc', # Hacky to include the path, but it works!
     "idk.i2p": "eyedeekay.github.io",
     'stats.i2p': 'stats.i2p', # Inproxy disabled at request of site owner
     'zzz.i2p': 'zzz.i2p',     # Inproxy disabled at request of site owner
@@ -139,7 +139,8 @@ def utility_processor():
 
     # Convert an I2P url to an equivalent clearnet one
     def convert_url_to_clearnet(value):
-        if not value.endswith('.i2p'):
+        parts = value.split("/")
+        if not parts[0].endswith('.i2p'):
             # The url being passed in isn't an I2P url, so just return it
             return value
         if request.headers.get('X-I2P-Desthash') and not request.headers.get('X-Forwarded-Server'):