What is I2P?
I2P, short for “Invisible Internet Project,” is open-source software designed to create a highly resilient, anonymous, encrypted overlay network. It is used for anonymous web browsing, hosting (such as creating anonymous websites, forums, chats, and file-sharing servers), instant messaging, blogging, file sharing (including P2P protocols like Torrent, eDonkey, Kad, Gnutella, etc.), email, VoIP, and much more. Sites inside the I2P network use addresses in the pseudo top-level domain .i2p.
Overview of I2P
I2P is an anonymous, self-organizing, distributed network built on a modified Kademlia DHT. Unlike a traditional network directory, its network database stores hashed node identifiers, AES-encrypted IP addresses, and public encryption keys, and every connection to the network database is itself encrypted. The network gives applications a transport for anonymous, secure message delivery. I2P’s core function is deciding how packets are routed; its Streaming library then guarantees that packets arrive in order without errors, loss, or duplication, which is what allows IP telephony, internet radio, IPTV, video conferencing, and other streaming protocols and services to run over I2P.
Inside the I2P network, there are its own site directories, electronic libraries, and torrent trackers. There are also gateways that allow access to I2P from the regular internet, designed for users who cannot install the I2P software on their computers.
Network Features
I2P stands out for its use of encryption mechanisms, P2P architecture, and a variable number of intermediaries (hops). This makes deanonymization and man-in-the-middle attacks harder and rules out substituting packets without the user noticing.
The network currently has its own naming system, which differs from traditional DNS in several ways:
- The recipient’s hash is determined using a local address book.
- The address book is periodically updated from name servers, unlike traditional DNS which resolves addresses on request (though some OS and browsers cache addresses).
- Subdomains are not tied to parent domains, but address subscription providers can restrict subdomain registration based on the parent domain’s permission.
- Multiple name servers can be used. In the official router implementation, conflicts are resolved on a “first come, first served” basis, but recipient hashes specified by the user in “privatehosts” and “userhosts” take precedence over subscriptions.
- Since the network is peer-to-peer, addresses are hashes that the sender’s hops use to route to the recipient’s intermediaries.
- Name servers are inside the peer-to-peer network, though technically the database can be updated from outside.
- Most name servers, unlike external domain registrars, currently do not charge for domain registration. The main criterion is the server’s availability by the recipient’s hash.
- After a data tunnel is created, its lifetime does not exceed 10 minutes.
- Each data tunnel is built with a unique sequence of nodes every time.
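The address-book rules above (local resolution, “first come, first served” between subscriptions, and user-maintained entries overriding subscriptions) can be modelled in a few dozen lines. The following is an added example written for this page, not code from the I2P router. It assumes the real I2P hosts-file line format `name.i2p=<destination>` and I2P’s Base64 alphabet (`-` and `~` in place of `+` and `/`), and derives the self-certifying `.b32.i2p` name as the SHA-256 hash of the destination, Base32-encoded; the destinations themselves are constructed placeholder bytes, not real router identities.

```python
"""Toy model of I2P-style address-book resolution (added example, not I2P code)."""
import base64
import hashlib

# I2P's Base64 variant swaps '+' and '/' for '-' and '~' so destinations are URL-safe
I2P_TO_STD = str.maketrans("-~", "+/")
STD_TO_I2P = str.maketrans("+/", "-~")


def encode_destination(dest_bytes: bytes) -> str:
    """Encode raw destination bytes in I2P Base64 (used here only to build sample files)."""
    return base64.b64encode(dest_bytes).decode().translate(STD_TO_I2P)


def decode_destination(b64_dest: str) -> bytes:
    """Decode an I2P-Base64 destination into raw bytes, tolerating missing padding."""
    std = b64_dest.translate(I2P_TO_STD)
    std += "=" * (-len(std) % 4)
    return base64.b64decode(std)


def b32_address(dest_bytes: bytes) -> str:
    """Self-certifying name: SHA-256 of the destination, lower-case unpadded Base32 + '.b32.i2p'."""
    digest = hashlib.sha256(dest_bytes).digest()
    return base64.b32encode(digest).decode().rstrip("=").lower() + ".b32.i2p"


def parse_hosts(text: str) -> dict:
    """Parse one hosts file; within a file the first entry for a name wins."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, dest = line.split("=", 1)
        name = name.strip().lower()
        if name not in entries:          # first come, first served
            entries[name] = dest.strip()
    return entries


class AddressBook:
    """Resolve names with the precedence the page describes:
    privatehosts, then userhosts, then subscriptions in the order they were added."""

    def __init__(self, privatehosts: str, userhosts: str, subscriptions: list):
        self.layers = [parse_hosts(privatehosts), parse_hosts(userhosts)]
        self.layers += [parse_hosts(sub) for sub in subscriptions]

    def resolve(self, name: str):
        name = name.strip().lower()
        if name.endswith(".b32.i2p"):
            return name                   # the hash is the address; no lookup needed
        for layer in self.layers:
            if name in layer:
                return b32_address(decode_destination(layer[name]))
        return None                       # unknown name: no fallback to any external DNS


# --- constructed sample data (placeholders, not real destinations) ---
DEST_A = bytes(range(0, 48))
DEST_B = bytes(range(48, 96))
DEST_C = bytes(range(96, 144))

PRIVATEHOSTS = "forum.i2p=" + encode_destination(DEST_A)          # user pin for forum.i2p
USERHOSTS = ""
SUBSCRIPTION_1 = ("# constructed subscription 1\n"
                  "forum.i2p=" + encode_destination(DEST_B) + "\n"  # loses to privatehosts
                  "wiki.i2p=" + encode_destination(DEST_C))
SUBSCRIPTION_2 = "wiki.i2p=" + encode_destination(DEST_A)          # later conflicting claim, ignored


def demo() -> dict:
    """Resolve three names and return the .b32.i2p result (or None) for each."""
    book = AddressBook(PRIVATEHOSTS, USERHOSTS, [SUBSCRIPTION_1, SUBSCRIPTION_2])
    return {n: book.resolve(n) for n in ("forum.i2p", "wiki.i2p", "missing.i2p")}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12s} -> {result}")
```

The defensive point is the precedence order: a user-pinned entry in privatehosts cannot be displaced by a subscription that later claims the same name, and a conflicting claim in a second subscription silently loses rather than overwriting the earlier one, so the local address book behaves like a pinning store rather than a live directory.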
Because the network is peer-to-peer and decentralized, its speed and reliability directly depend on users participating in relaying others’ traffic.
To access I2P, you need to install a router program on your computer, which encrypts, decrypts, compresses, and decompresses traffic, then routes it into I2P. To browse internal I2P sites, you must configure your browser to direct HTTP packets to the router listening on a specific port. To access the external internet through I2P, you need to use outproxies from within I2P, though these are currently limited. Internal I2P sites can also be accessed from the regular internet via proxy servers.
Encryption in I2P
The network was designed from the start with the assumption that all intermediate nodes could be compromised or malicious, so several active countermeasures were implemented.
All traffic in the network is encrypted from sender to recipient. In total, four layers of encryption are used when sending messages (end-to-end, garlic, tunnel, and transport-layer encryption). Before encryption, a small, randomly chosen number of random bytes is added to each network packet to further anonymize the data and make content analysis and packet blocking more difficult. Network addresses are cryptographic identifiers (public keys). IP addresses are never used in I2P, making it impossible to determine the true address of any node. Each network application on your computer builds its own separate encrypted, anonymous tunnels. Tunnels are mostly one-way (outgoing traffic uses one set of tunnels, incoming uses another), and it is extremely difficult to determine their direction or length, or which application or service created them. All network packets can be routed through multiple different tunnels, making it pointless to try to sniff and analyze the data stream. Tunnels are also replaced periodically (every 10 minutes) with new digital signatures and encryption keys, unique to each tunnel.
For these reasons, there is no need for applications to provide their own traffic encryption. If you do not trust the encryption of closed-source programs (like Skype), you can use open-source VoIP programs (like Ekiga) that transmit traffic in plain text. In any case, I2P will apply four layers of encryption to all packets, securing all data transmission and reception.
In I2P, all packets are encrypted on the sender’s side and decrypted only on the recipient’s side. None of the intermediate nodes can intercept decrypted data, nor do they know who the sender or recipient is. The node forwarding the packet could be the sender or just another intermediary, and the next node could be the recipient or another intermediary. It is impossible for an intermediate node to determine the endpoints or what happened to the packet after forwarding it.
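The property described above, that a forwarding node can peel only its own layer and learns nothing beyond the next hop, is easiest to see with a small layered-encryption model. The block below is an added example written for this page; it is not I2P’s tunnel code or wire format. It uses a toy keystream cipher (SHA-256 in counter mode, XORed into the data, with an HMAC tag) in place of I2P’s AES-256/CBC and asymmetric key exchange, assumes the sender already shares a symmetric key with every hop, and models only the tunnel layer: the “payload” stands in for data that I2P would already have protected end-to-end. Hop identifiers, keys, and the payload are constructed sample values.

```python
"""Conceptual model of layered tunnel encryption with random padding (added example, not I2P code)."""
import hashlib
import hmac
import secrets

HOP_ID_LEN = 8
DELIVER = b"\x00" * HOP_ID_LEN      # sentinel "next hop" meaning: deliver locally
NONCE_LEN, TAG_LEN = 16, 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 over key || nonce || counter. Illustration only, not a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || HMAC tag, so a hop detects modification of its layer."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))


def pad(payload: bytes) -> bytes:
    """Length prefix plus a random number (0..15) of random bytes, as the page describes."""
    return len(payload).to_bytes(2, "big") + payload + secrets.token_bytes(secrets.randbelow(16))


def unpad(padded: bytes) -> bytes:
    return padded[2:2 + int.from_bytes(padded[:2], "big")]


def build_onion(hops: list, payload: bytes) -> bytes:
    """Sender wraps the padded payload once per hop, innermost layer for the last hop.
    hops: list of (hop_id, shared_key) in path order."""
    inner = pad(payload)
    next_id = DELIVER
    for hop_id, key in reversed(hops):
        inner = toy_encrypt(key, next_id + inner)
        next_id = hop_id
    return inner


def hop_process(key: bytes, blob: bytes):
    """Everything one hop can do: peel its layer, read the next hop id, forward the remainder."""
    plain = toy_decrypt(key, blob)
    return plain[:HOP_ID_LEN], plain[HOP_ID_LEN:]


def run_tunnel(hops: list, payload: bytes):
    """Simulate the path; return the delivered payload and what each hop observed."""
    blob = build_onion(hops, payload)
    observations = []
    for hop_id, key in hops:
        next_id, blob = hop_process(key, blob)
        observations.append({
            "hop": hop_id,
            "next": next_id,
            "saw_payload": payload in blob,   # True only once the final layer is removed
        })
    return unpad(blob), observations


# --- constructed sample tunnel: three hops with per-hop keys derived from labels ---
HOPS = [(b"hopA".ljust(HOP_ID_LEN, b"\x00"), hashlib.sha256(b"constructed key A").digest()),
        (b"hopB".ljust(HOP_ID_LEN, b"\x00"), hashlib.sha256(b"constructed key B").digest()),
        (b"hopC".ljust(HOP_ID_LEN, b"\x00"), hashlib.sha256(b"constructed key C").digest())]
PAYLOAD = b"constructed end-to-end protected message body"


def demo():
    return run_tunnel(HOPS, PAYLOAD)


def tamper_detected() -> bool:
    """Flip one ciphertext byte of the outer layer and confirm the first hop rejects it."""
    blob = build_onion(HOPS, PAYLOAD)
    tampered = blob[:20] + bytes([blob[20] ^ 1]) + blob[21:]
    try:
        hop_process(HOPS[0][1], tampered)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    delivered, seen = demo()
    for o in seen:
        print(o["hop"].rstrip(b"\x00").decode(), "-> next:", o["next"].hex(), "payload visible:", o["saw_payload"])
    print("delivered intact:", delivered == PAYLOAD, "| tamper detected:", tamper_detected())
```

Two things the run makes concrete: every intermediate hop reports `saw_payload` False and learns only the identifier of the next hop, and the onion’s total length varies from run to run because of the random padding, which is what blunts size-based traffic analysis. The integrity tag on each layer is the reason an intermediary cannot silently rewrite a packet without the next hop noticing.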
I2P uses the following encryption and signature systems for different levels and protocols:
- 256-bit AES in CBC mode with PKCS#5 padding
- 2048-bit ElGamal scheme
- 2048-bit Diffie–Hellman algorithm
- 1024-bit DSA
- 256-bit HMAC for strengthening other crypto algorithms
- 256-bit SHA256 hashing
History of the I2P Network
The I2P project began in 2003 to support those interested in a new, uncensorable, anonymous means of communication and information sharing. I2P aims to create a secure, decentralized, anonymous network with low latency, autonomy, fault tolerance, and scalability. The ultimate goal is to function even under pressure from organizations with significant financial or political resources. All aspects of the network are open source and free, allowing users to verify the software’s claims and enabling third-party developers to improve the network’s defenses against attempts to restrict free communication.
Many I2P developers previously worked on the IIP and Freenet projects. Unlike those, the Invisible Internet Project is an anonymous, peer-to-peer, distributed communication environment that supports both traditional network services and protocols (like email, IRC, HTTP, Telnet) and distributed applications (such as databases, Squid, and DNS).