Closed sergstesh closed 3 years ago
IP addresses are valid in matrix IDs today. You just need to get hold of a TLS cert for that IP address (and avoid all of the rooms that have banned users on IP-address-only servers due to the potential for ban evasion).
I tried to log in to Matrix using my actual user ID and the matrix.org IP address. I failed. Is the syntax the same?
And regarding "You just need to get hold of a TLS cert for that IP address": how in particular do I get the matrix.org TLS certificate?
The issue is `@user:104.20.20.236` is different to `@user:matrix.org` as they could be different services; `:matrix.org` includes looking at DNS for the delegation of where to connect to for client/federation. IP cannot do that due to lack of DNS, so would end up going to a different box potentially. Just because they point in the same place now doesn't mean they will do tomorrow, and that sort of divergence cannot happen.
Regarding "IP cannot do that due to lack of DNS": I do not understand why. When a user specifies @username:matrix.org, for the whole query of whether such a user exists at the given server (in this case the server is matrix.org), matrix.org first has to be converted into an IP address. The Internet works with IP addresses, not server names; i.e. the TCP/IP and UDP protocols have source and destination IP addresses in packets. See, for example, https://en.wikipedia.org/wiki/IPv4#Packet_structure .
In other words, what I'm saying is that in the example of @username:matrix.org, information simply cannot reach the matrix.org server unless/until the matrix.org server name is converted into the corresponding IP address. When a client initiates communications with, in this example, the matrix.org server, the matrix.org server's IP address will be the destination IP address.
What I am suggesting is that the end user can himself provide the destination (home server) IP address. For example, I may decide to run a home server at my physical residence, and I would not want to use any DNS service at all, and I would tell my friends using other means what server they should log in to. I.e. each of my friends wishing to participate in the chat would try to log in using the @FriendUserIDProper:MyHomeServerIPAddress ID.
For that matter, also have a look at https://i2pd.website/ -> https://geti2p.net/en/about/intro ->
> I see IP addresses of all other I2P nodes in the router console. Does that mean my IP address is visible by others?
>
> Yes, this is how a fully distributed peer-to-peer network works. Every node participates in routing packets for others, so your IP address must be known to establish connections. While the fact that your computer runs I2P is public, nobody can see your activities in it. You can't say if a user behind this IP address is sharing files, hosting a website, doing research or just running a node to contribute bandwidth to the project.
On a side note it would be nice to have matrix on I2P, but it's a separate issue.
The point I'm trying to make is that physical reality is IP addresses, not server names, and I would like the end user to be able to specify IP addresses directly.
I understand that the same IP address can run hosts with several names, but it should be the user's problem. For example, using https://www.yougetsignal.com/tools/web-sites-on-web-server/ one can see that the 104.20.20.236 IP address hosts five domains. Maybe the port should optionally be specified if the user wants to run something else along with the Matrix homeserver on his IP address.
> I do not understand why

IP addresses cannot have SRV records.

> When a user specifies @username:matrix.org, for the whole query of whether such a user exists at the given server (in this case the server is matrix.org), matrix.org first has to be converted into an IP address. The Internet works with IP addresses, not server names.

But then you lose the possibilities of delegation.
Take email as an example: you might want your users to be foo@emaildomain.com but your server to be smtp1.emaildomain.com.
The same happens in Matrix with delegation, and it includes DNS SRV records. (In email it uses DNS MX records.)
The other issue is that the servers won't have TLS certificates for their IP addresses, so if you try to go to https://$IP you will have no way to trust the certificate and prevent MITM attacks based on an IP alone.
> For example, I may decide to run a home server at my physical residence, and I would not want to use any DNS service at all

Yup, you can do this. Just specify your Synapse `server_name` as your IP address.
For federation to work you will need to have a TLS certificate issued for your server name (IP address).
Keep in mind also that a LOT of rooms have a Server ACL rule to disallow users joining from server_names of IP addresses, as VDH said earlier:

> (and avoid all of the rooms that have banned users on IP-address-only servers due to the potential for ban evasion)
> The Internet works with IP addresses, not server names; i.e. the TCP/IP and UDP protocols have source and destination IP addresses in packets. See, for example, https://en.wikipedia.org/wiki/IPv4#Packet_structure .

So you also don't use domains anywhere? How do you even reach github.com?

> each of my friends wishing to participate in the chat would try to log in using the @FriendUserIDProper:MyHomeServerIPAddress ID.

You can do this too; if you enter that in Element it'll use https://MyHomeServerIPAddress. Your issue will be the https://: you'll once again need a valid certificate.

`@FriendUserIDProper:104.20.20.236`

As you can see, the request was rejected due to a TLS error by the browser.
> The Internet works with IP addresses, not server names; i.e. the TCP/IP and UDP protocols have source and destination IP addresses in packets. See, for example, https://en.wikipedia.org/wiki/IPv4#Packet_structure .
>
> So you also don't use domains anywhere? How do you even reach github.com?
As I wrote in my initial post: "The rationale for this proposal is that DNS service might be disabled by natural disaster and/or evildoers, so the proposal improves resilience/decreases fragility of the whole ecosystem." Again, I want a solution that depends as little as possible on external service providers. For example, my home IP address has been de facto constant for years. So I can notify my friends what it is even using snail mail. Or a phone call. Or an insecure messenger which still works and is otherwise evil.
Besides that, at https://geti2p.net/en/about/intro one can read:

> About Decentralization and I2P
>
> The I2P network is almost completely decentralized, with exception to what are called "Reseed Servers," which is how you first join the network. This is to deal with the DHT ( Distributed Hash Table ) bootstrap problem. Basically, there's not a good and reliable way to get out of running at least one permanent bootstrap node that non-network users can find to get started. Once you're connected to the network, you only discover peers by building "exploratory" tunnels, but to make your initial connection, you need to get a peer set from somewhere. The reseed servers, which you can see listed on http://127.0.0.1:7657/configreseed in the Java I2P router, provide you with those peers. You then connect to them with the I2P router until you find one who you can reach and build exploratory tunnels through. Reseed servers can tell that you bootstrapped from them, but nothing else about your traffic on the I2P network.

By the way, how about reopening this issue? Reopening it does not mean the developers will implement the proposal, but anyway, we are having a lively discussion.
The issue is closed because Matrix user IDs can contain IP addresses. It is solved; your issue for why it isn't working is a TLS one.
At the moment matrix user ID has the following syntax: @: , for example: @username:matrix.org .
In the example 'matrix.org' should ultimately be resolved to point to actual IP address. At the moment of writing we have:
. I think it should also be possible to specify user ID as @: , for example: @username:104.20.20.236 .
The rationale for this proposal is that DNS service might be disabled by natural disaster and/or evildoers, so the proposal improves resilience/decreases fragility of the whole ecosystem.
The proposal should be trivial to implement: simple additional parsing of the user ID, and in case the proposed form with an IP address is detected, host name resolution is bypassed and the user-supplied IP address is used instead.
Instead of the proposed syntax (though IMO it's unambiguous even for IPv6 addresses) a somewhat different syntax may be used, e.g. @username:::104.20.20.236 . It doesn't really matter.
If the proposal is accepted, the home server should store user IDs without the home server name; probably it's the way things are now, but I don't know.
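The thread's point about why `@user:104.20.20.236` and `@user:matrix.org` are handled differently can be made concrete with a small parser. This is an added example, not Synapse or Matrix project code; `parse_user_id`, `parse_server_name` and `ServerName` are names assumed here. It splits a user ID into localpart and server_name, classifies the server_name as an IPv4 literal, a bracketed IPv6 literal or a DNS name (each optionally with a port), and reports whether DNS delegation can apply: an IP literal has no name to look up, so a peer connects to exactly that address and the certificate it is shown must be valid for the IP itself.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Hypothetical helper (added example, not Synapse code). A Matrix server_name
# is "hostname [:port]": an IPv4 literal, a bracketed IPv6 literal or a DNS
# name; only a DNS name can be delegated via .well-known / SRV lookups.
_DNS_NAME_RE = re.compile(r"^[A-Za-z0-9.\-]{1,255}$")

@dataclass
class ServerName:
    host: str
    port: Optional[int]  # None: default federation port 8448
    kind: str  # "ipv4", "ipv6" or "dns"

    @property
    def delegation_possible(self) -> bool:
        # An IP literal has no name to look up: peers connect to exactly that
        # address, and the TLS certificate must be valid for the IP itself.
        return self.kind == "dns"

def parse_server_name(name: str) -> ServerName:
    if name.startswith("["):  # IPv6 literal, e.g. [2001:db8::1]:8448
        end = name.find("]")
        if end < 0:
            raise ValueError("unterminated IPv6 literal")
        host, rest, kind = name[1:end], name[end + 1:], "ipv6"
        ipaddress.IPv6Address(host)  # raises ValueError on a bad literal
    else:
        host, sep, port_str = name.partition(":")
        rest = sep + port_str
        try:
            ipaddress.IPv4Address(host)
            kind = "ipv4"
        except ValueError:
            if not _DNS_NAME_RE.match(host):
                raise ValueError(f"invalid server_name host: {host!r}")
            kind = "dns"
    if rest and not (rest.startswith(":") and rest[1:].isdigit()):
        raise ValueError(f"invalid port in server_name: {name!r}")
    return ServerName(host, int(rest[1:]) if rest else None, kind)

def parse_user_id(user_id: str) -> Tuple[str, ServerName]:
    # "@localpart:server_name": split on the first ':' only, because the
    # server_name may itself contain colons (a port or an IPv6 literal).
    localpart, sep, server = user_id[1:].partition(":")
    if not user_id.startswith("@") or not localpart or not sep:
        raise ValueError("user ID must look like @localpart:server_name")
    return localpart, parse_server_name(server)
```

The alternative `@username:::104.20.20.236` spelling from the proposal is rejected by this grammar, since after the first colon the host part is empty.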