github.com/geph-official/geph2@v0.22.6-0.20210211030601-f527cb59b0df/libs/niaucchi4/README.md

github.com/geph-official/geph2@v0.22.6-0.20210211030601-f527cb59b0df/libs/niaucchi4/README.md (about)

     1  # niaucchi4: the 3rd generation Geph obfuscation protocol
     2  
     3  ## Architecture
     4  
     5  Unlike previous iterations, `niaucchi4` presents an unreliable transport to upper layers. This allows it to work around environments where TCP sessions are unreliable (mobile network switching etc), letting hours-long upper-layer sessions become practical. It can also use multiple UDP sessions, automatically converging on the best path.
     6  
     7  ```
     8  [Authentication, encryption]
     9  [        niaucchi4         ]
    10  [  UDP  ][  UDP   ][  UDP  ]
    11  ```
    12  
    13  Like previous versions, though, intermediate hosts are still identified by `host:port` and `cookie`.
    14  
    15  ## Opening a tunnel
    16  
    17  To open a new tunnel the client sends the intermediary a packet like the following from a fresh source port:
    18  
    19  ```
    20  [32-byte nonce][encrypted pubkey || rhost:rport][arbitrary garbage]
    21  ```
    22  
    23  The ed25519 pubkey can either be encrypted with chacha20-poly1305 or aes256-gcm. In either case the encryption nonce is null, the tag precedes the ciphertext, and the key is `HMAC-SHA256(cookie, nonce)`.
    24  
    25  The server should respond with a similar message. A shared secret `sharedsec` is derived.
    26  
    27  ## Tunnel wire format
    28  
    29  The tunnel wire format is simply RLP:
    30  
    31  ```
    32  [body padding]
    33  ```
    34  
    35  encrypted with `HMAC-SHA256(sharedsec, "up")` or `"down"` depending on the direction. Undecodeable packets should be silently discarded and can be used as padding.
    36  
    37  An empty-padding packet is to be considered a ping packet, and should be returned to the sender unchanged. This allows measuring latency. Ping packets should be created at a randomly sampled size.
    38  
    39  ## Rekeying
    40  
    41  Every `2^16` packets we send, we rekey by setting `sharedsec = SHA256(sharedsec)` and recompute the sending key. This ensures that we can safely use AEADs with short nonces. When receivers get an undecryptable packet, they try to decode it with the "next" key too.
    42  
    43  ## What does the intermediary do
    44  
    45  The intermediary keeps a NAT-like table of incoming tunnels by `host:port` of the client, mapping them to tunnel state structures and outgoing UDP sockets. The tunnels are cleared only under memory pressure and should not be timed out unless absolutely necessary.
    46  
    47  ## End-to-end wire format
    48  
    49  The end-to-end format is simply a 64-bit sessid and then the body.