Censorship resistance, especially in China #424

Closed
blurHY opened this issue Jul 12, 2019 · 38 comments

@blurHY

blurHY commented Jul 12, 2019

In China, IPFS is unusable because of the GFW.
What does GFW do:

  • Block all default bootstrap nodes
  • Set up a node and start collecting IPs to ban

What can we do to make it censorship-resistant?

@blurHY
Author

blurHY commented Aug 1, 2019

Location: Shanghai
Port not opened

image

I think the traffic is limited by GFW, it used to be 7MB/s.

@Stebalien
Member

Stebalien commented Aug 1, 2019

The bootstrapping issue can be solved with some domain fronting (maybe). It will take some work but not an insurmountable amount of work.

However, the more general problem is currently very hard to solve due to the peer to peer nature of IPFS. At the end of the day, the best solution to this issue is to make the underlying libp2p protocols indispensable so that they can't be blocked without harming commerce (like, e.g., HTTPS).

An alternative is to use domain fronting + relays for everything but that's not sustainable as it requires routing all traffic through these relays.

@blurHY
Author

blurHY commented Aug 4, 2019

I have used v2ray and https to bypass GFW for about one year, because GFW cannot distinguish whether the traffic is legal or not.
There's a better example, Resilio Sync, and its Chinese competitor (I forgot the name). It has an enterprise version, so GFW cannot block it, though it has some illegal usage.

It seems there's a company working on IPFS and i2p, hopefully it may make IPFS irreplaceable.

Microsoft is probably using p2p to accelerate updating, and it works.

@LeafarDev

LeafarDev commented Aug 7, 2019

@blurHY which company?

@blurHY
Author

blurHY commented Aug 8, 2019

http://www.verysync.com/

It's for enterprise file syncing, and then GFW won't ban it. So we can use it to download movies, etc.

@Ayms

Ayms commented Oct 27, 2019

As a coincidence I posted yesterday ipfs/ipfs#439

See also Ayms/node-Tor#2 (comment)

node-Tor was not blocked by the GFW despite the fact that the nodes were in the consensus. In fact we don't know exactly why, maybe because it implements some variants of the protocol compared to usual Tor nodes (see the node-Tor repo).

But for sure http://peersm.com/peersm2 is not blocked (you can try it; it transports the Tor protocol over WebSockets connected to our server for the demo), or if it is now, it is because our server is blacklisted (because recognized as a Tor node). It's easy to bypass by setting up an unknown server not registered in the consensus.

Maybe we will implement WebRTC. We think that for p2p projects such as ipfs two hops are enough (because the guards concept does not apply).

@blurHY
Author

blurHY commented Oct 27, 2019

@Ayms centralization?

@Ayms

Ayms commented Oct 28, 2019

@blurHY what do you mean? That's the contrary... decentralization

@blurHY
Author

blurHY commented Oct 28, 2019

Do you mean Tor or what?

That's centralized and there are no other ways than DHT against censorship. DHT can also be blocked by GFW.

@Ayms

Ayms commented Oct 28, 2019

Of course the Tor network is (very) centralized and DHTs are great (but can be dangerous if implemented à la bittorrent, see https://github.com/Ayms/torrent-live). I don't mean the Tor network, I mean the Tor protocol that could apply to projects such as IPFS (and DHT...)

Did you try peersm2 (this one is using the Tor network, that's just a demo app)? Does it pass the GFW?

@blurHY
Author

blurHY commented Oct 28, 2019

Not yet.

But as I said, it definitely can't avoid being collected and banned

> Set up a node and start collecting ips to ban

@Ayms

Ayms commented Oct 28, 2019

What? The GFW collecting browsers? Sorry, no, the next step is probably to implement WebRTC because here the target node to which the browser connects via ws can indeed be banned

@blurHY
Author

blurHY commented Oct 28, 2019

Yes, they can.
Don't forget the network connectivity is terrible in China. They would ban anything as long as it won't affect the economy.

@Ayms

Ayms commented Oct 28, 2019

No they can't, except blocking everything (that's what you mean?), like ws, webrtc, or fingerprinting tor over it

Can you try the link :-) ? That's a 5mn test, circuits created=success. It was easily bypassing the GFW years ago (as well as node-Tor nodes), some folks from China did try it at that time

@blurHY
Author

blurHY commented Oct 28, 2019

> No they can't, except blocking everything (that's what you mean?), like ws, webrtc, or fingerprinting tor over it
>
> Can you try the link :-) ? That's a 5mn test, circuits created=success. It was bypassing easily the GFW years ago (as well as node-Tor nodes), some folks from China did try it at that time

Uh, I will try it tomorrow.
But why can't they block it?
They can block all IPs of users, i.e. all p2p connections, with a whitelist for enterprises.
It seems all p2p connections are blocked, here, in Shanghai.

@Ayms

Ayms commented Oct 28, 2019

The question is more "why they should block it". Of course they can block whatever they like, easy, collect whatever p2p IPs, etc, block, easy again, block ws, webrtc, easy too, then finally block everything (I don't know what they consider commerce related or not)? Years ago it was not blocked, would be interesting to see what happens now (I don't know how things work in China but change your IP before the test if you can)

@TheZ4ro

TheZ4ro commented Mar 26, 2020

The only way to anti-censor is to build an in-place bootstrap node function, which can:
1. work based on a DHT- or KAD-like protocol, and obfs like STP/KCP.
2. build in GFW bootstrap node, or totally distributed, no center node.
3. if someone wants to become a gateway, then he needs to register a public IP or port. This is at his own risk.

@blurHY
Author

blurHY commented Mar 26, 2020

I wonder if normal nodes with public IPs can be bootstrap nodes.
If yes, keeping discovered nodes after shutdown must be enough, like i2p.

I met a friend recently, who said the characteristics of p2p protocols are very obvious, obfs or whatever can be the solution.

However the ultimate question is what China would think about IPFS and the decentralized web.

Will they simply block all the p2p by a whitelist, or do nothing? (The background is I will be working on some zeronet-like stuff based on multiple protocols including ipfs.)
btw, it won't be 'I', but a new identity.
I'm not very sure if commerce is really an important thing to China when p2p is out of their control, as the polity differs.
Hopefully, applied blockchains, like filecoin, may be irreplaceable.

Here I can get about 200 to 800 peers (China Mobile, with relay enabled or using ipv6). Is this too few or just normal?

@Ayms

Ayms commented Mar 26, 2020

China will for sure not be a fan of decentralized p2p. Another concept that I proposed here is that peers can introduce themselves outside of a DHT/registration system (i.e. you connect to a known peer that can introduce unknown peers connected to it; this works also for WebRTC where you don't have to ask a central point for peers introduction), but as we can see this is not a priority for now for IPFS

@blurHY
Author

blurHY commented Mar 26, 2020

Yeah, p2p makes it too hard to censor.

But I don't think it's that easy to ban p2p, although most Chinese p2p users are restricted by NAT.

  • There are massive IPs outside of GFW
  • China cares about normal international commerce outside of GFW, so they don't use a whitelist.
  • We can break through the GFW by some obfuscating protocols, like v2ray

Now the only problem is just bootstrapping

  • Use GitHub, which is absolutely irreplaceable, to provide nodes.
  • Steganography, can be encoded by AI against detection (data can be transferred by meme pics, lol)

@bertrandfalguiere

bertrandfalguiere commented Mar 26, 2020

Some other leads on bootstrapping: ipfs/kubo#3908 (comment)

@jessicaschilling

jessicaschilling commented Mar 26, 2020

Note: Discussions on applications of IPFS are happening over in the IPFS Forums now ... please continue the discussion there!

This issue is being moved over to the archived repo https://github.com/ipfs/apps/ for reference.

@blurHY
Author

blurHY commented Mar 27, 2020

Is this about applications?

@jessicaschilling

jessicaschilling commented Mar 27, 2020

Applications as in "uses", not applications as in "apps" ... but in any case, we're trying to move discussion of this sort over to the forums. See you there 😊

@jessicaschilling jessicaschilling transferred this issue from ipfs/ipfs Mar 27, 2020
@Ayms

Ayms commented Mar 27, 2020

@blurHY
Author

blurHY commented Mar 28, 2020

So, is there any progress made on this?

@Stebalien Stebalien transferred this issue from ipfs/apps Mar 28, 2020
@Stebalien
Member

Stebalien commented Mar 28, 2020

(moved to ipfs/notes as this is a discussion about the IPFS protocol itself)

@blurHY bootstrapping without relying on the default bootstrappers is slated for go-ipfs 0.6.0 (May-ish). However, that won't fix the problem of collecting IP addresses.

Unfortunately, it's prohibitively difficult to completely hide the fact that a computer is running an IPFS node without, e.g., tunneling all the traffic out of the country. I believe the best we can do is gain enough adoption of the underlying protocols such that blocking the entire protocol is infeasible.

@blurHY blurHY changed the title Censorship resistance Censorship resistance, especially in China Mar 28, 2020
@Ayms

Ayms commented Mar 28, 2020

@blurHY if the question is for me, no, this is on hold, see the previous link

@blurHY
Author

blurHY commented Mar 28, 2020

Yeah, partly.
To make ipfs resistant in China, we need obfuscating protocols, like v2ray, to break through GFW.
I don't know if your protocols can be resistant to GFW.

btw, I'm not working on this these months, and I won't use this identity in the future

@RubenKelevra

RubenKelevra commented Apr 1, 2020

This ticket is somewhat related...

ipfs/kubo#7066

@RubenKelevra

RubenKelevra commented Apr 1, 2020

This one is too, those nodes with a lot of connection points ARE probably the GFW.

ipfs/kubo#7040

@jhonalino

jhonalino commented May 29, 2021

What's the point of calling this decentralization if it doesn't work in China?

@grepsuzette

grepsuzette commented Oct 3, 2021

"Inter-planetary", save for China...

@chompomonim

chompomonim commented Nov 15, 2021

> whats the point of calling this decentralization if it doesn't work in china?

Decentralised is not equal to censorship resistant.

@anonmate

anonmate commented Nov 24, 2021

I suggest anybody interested could look at using something like https://www.masq.ai – a decentralised multi-hop routing protocol that's shown to work through the GFW

@bertrandfalguiere

bertrandfalguiere commented Nov 24, 2021

> I suggest anybody interested could look at using something like https://www.masq.ai – a decentralised multi-hop routing protocol that's shown to work through the GFW

How is it better than Tor with a bridge?

@blurHY blurHY closed this as completed Mar 15, 2022
@olanod

olanod commented Mar 15, 2022

Is it solved? If not, why not keep it open?

@TheRook

TheRook commented Nov 23, 2022

IPFS can be accessed over Tor and the Tor project is clearly taking this issue more seriously than IPFS:
https://support.torproject.org/censorship/connecting-from-china/

It would be good to see IPFS adopt similar infrastructure to keep the network from being censored. It seems IPFS has done the opposite with having IPFS censorship as a feature: (https://twitter.com/peterktodd/status/653784515874299904)
