mzumsande
commented at 8:32 pm on January 26, 2022:
contributor
This implements the suggestion from #23763 to introduce an option to establish block-relay-connections manually with the -addnode RPC.
Adding these can make sense for a node operator that wants to be connected to a anonymity networks like Tor or I2P, but also wants to have additional protection against eclipse attacks: Following the best chain can be more of an issue on anonymity networks because these are smaller and it can be easier to create a lot of sybil nodes there.
In that situation, manual block-relay-only connections to peers on clearnet networks can help us staying connected to the best chain, but in contrast to normal manual connections, transactions and addresses aren’t transmitted on these links - in particular not our own address or transaction from our wallet. This increases privacy and will also make it harder to perform fingerprinting attacks (connecting our identities over different networks).
Manual Block-Relay connections:
can be specified with -addnode RPC, both with the add and onetry command
can be specified with the -addnode bitcoind arg (or in bitcoin.conf) with <IP>=manual-block-relay
don’t participate in transaction and address relay
don’t get discouraged / punished for misbehavior (but will still get disconnected for sending TX/tx-INV as automatic block-relay-only peers do)
are not subject to outbound eviction logic (unlike automatic block-relay-only-peers)
mzumsande marked this as a draft
on Jan 26, 2022
mzumsande force-pushed
on Jan 26, 2022
DrahtBot added the label
GUI
on Jan 26, 2022
DrahtBot added the label
P2P
on Jan 26, 2022
DrahtBot added the label
RPC/REST/ZMQ
on Jan 26, 2022
DrahtBot
commented at 11:08 pm on January 26, 2022:
contributor
The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.
Reviews
See the guideline for information on the review process.
If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.
Conflicts
Reviewers, this pull request conflicts with the following ones:
#27509 (Relay own transactions only via short-lived Tor or I2P connections by vasild)
#27467 (p2p: skip netgroup diversity follow-up by jonatack)
#27385 (net, refactor: extract Network and BIP155Network logic to node/network by jonatack)
#26621 (refactor: Continue moving application data from CNode to Peer by dergoegge)
#26366 (p2p, rpc, test: addnode improv + add test coverage for invalid command by brunoerg)
#25572 (refactor: Introduce EvictionManager and use it for the inbound eviction logic by dergoegge)
#25268 (refactor: Introduce EvictionManager by dergoegge)
If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.
in
src/net_processing.cpp:1276
in
f2fc01fd5eoutdated
IsBlockOnlyConn and IsManualConn (below) should just return true for MANUAL_BLOCK_RELAY rather than additional checks every place
mzumsande
commented at 2:15 pm on January 31, 2022:
I didn’t do that because IsBlockOnlyConn() is used in several places (e.g. PeerManagerImpl::EvictExtraOutboundPeers, CConnman::GetExtraBlockRelayCount(), GetCurrentBlockRelayOnlyConns()) which would not apply to manual block-relay-only connections.
in
src/rpc/net.cpp:281
in
f2fc01fd5eoutdated
277@@ -278,6 +278,7 @@ static RPCHelpMan addnode()
278 {
279 {"node", RPCArg::Type::STR, RPCArg::Optional::NO, "The node (see getpeerinfo for nodes)"},
280 {"command", RPCArg::Type::STR, RPCArg::Optional::NO, "'add' to add a node to the list, 'remove' to remove a node from the list, 'onetry' to try a connection to the node once"},
281+ {"block_relay_only", RPCArg::Type::BOOL, RPCArg::Default{false}, "If set, treat as block-relay-only connection (deactivating transaction and addr relay on this connection)."},
This should be a connection_type String param, not a Boolean (see also #20551).
(Throw an exception if an unsupported value is passed, for this PR)
mzumsande
commented at 10:53 pm on April 13, 2022:
Done with the latest push.
in
src/net.h:906
in
f2fc01fd5eoutdated
902@@ -877,7 +903,7 @@ class CConnman
903 // Count the number of block-relay-only peers we have over our limit.
904 int GetExtraBlockRelayCount() const;
905906- bool AddNode(const std::string& node);
907+ bool AddNode(const std::string& node, bool block_relay_only);
mzumsande
commented at 10:54 pm on April 13, 2022:
done
luke-jr changes_requested
mzumsande
commented at 2:17 pm on January 31, 2022:
contributor
I’d be really interested in opinions whether the use case (as outlined in OP and linked issue) is important enough to justify the added complexity of adding another connection type (and also adding more complexity to -addnode).
DrahtBot added the label
Needs rebase
on Feb 4, 2022
mzumsande force-pushed
on Apr 13, 2022
mzumsande
commented at 10:55 pm on April 13, 2022:
contributor
Rebased and addressed feedback.
mzumsande force-pushed
on Apr 13, 2022
DrahtBot removed the label
Needs rebase
on Apr 14, 2022
mzumsande force-pushed
on Apr 17, 2022
mzumsande marked this as ready for review
on Apr 17, 2022
Hmm, I’m a bit undecided about that: I think avoiding a struct is not really a good argument for switching form vector to map: We would need to switch to a pair or struct if we’d ever need to add another member, plus there is a case for introducing a struct even if we’d switch to a map, as was recently done in PruneLocks example.
Performance-wise, this doesn’t seem important at all since the container cannot have more than 8 entries (MAX_ADDNODE_CONNECTIONS).
in
src/net_processing.cpp:1233
in
99154c5c31outdated
See #24170 (review) - there are several placed that use IsBlockOnlyConn() with logic specific to automatic block-relay-only connections that have logic that does not apply to manual ones. So if I did that, we’d need additional logic in these places to distinguish between manual and automatic connections.
I have changed the logic now such that IsBlockRelayConn is used when both connection types are meant, where as IsManualBlockRelayConn and IsAutomaticBlockRelayConn are used in spots where only one is meant.
Since you’re adding IsManualBlockRelayConn(), consider renaming IsBlockOnlyConn() to IsAutomaticBlockRelayConn(), otherwise that function name is misleading (it returns false for connections that are block relay only connections but were created manually).
I know that this is maybe a bit of a stretch for this PR, but I really don’t like the addnode/addednode terminology, and would much prefer this to be named something like ManualConnectionEntry, which much more precisely describes the nature of these connections.
The downside of ManualConnectionEntry is that it is not a connection, just a name of a node we’ll try to connect to (which may succeed or not). I didn’t really like the name AddedNodeEntry either though, but couldn’t think of anything better. Maybe ManualNodeEntry?
Be consistent with the m_ prefix (either m_node_address and m_conn_type or node_address and conn_type). I prefer naming all members of structs with the m_ prefix, but opinions vary.
Good idea! Used ConnectionTypeAsString() here and in the last commit (also rearranged the rpc processing code a bit).
jnewbery
commented at 8:54 am on April 29, 2022:
contributor
Concept ACK. This seems like a reasonable feature request.
I’ve left a few comments, mostly around naming.
I wonder if in future, we could change the net/net_processing responsibilities such that net_processing is unaware of whether a connection is manual or not. The only places that net_processing uses that information are in MaybeDiscourageAndDisconnect() (before this PR), and EvictExtraOutboundPeers() (in this PR). If disconnection and eviction logic is moved out of net_processing (cc @cfields), then net_processing won’t need to be aware of the difference between manual and automatic connections.
in
src/init.cpp:469
in
99154c5c31outdated
439@@ -440,7 +440,7 @@ void SetupServerArgs(ArgsManager& argsman)
440 " If <type> is not supplied or if <type> = 1, indexes for all known types are enabled.",
441 ArgsManager::ALLOW_ANY, OptionsCategory::OPTIONS);
442443- argsman.AddArg("-addnode=<ip>", strprintf("Add a node to connect to and attempt to keep the connection open (see the addnode RPC help for more info). This option can be specified multiple times to add multiple nodes; connections are limited to %u at a time and are counted separately from the -maxconnections limit.", MAX_ADDNODE_CONNECTIONS), ArgsManager::ALLOW_ANY | ArgsManager::NETWORK_ONLY, OptionsCategory::CONNECTION);
444+ argsman.AddArg("-addnode=<ip>[=manual-block-relay]", strprintf("Add a node to connect to and attempt to keep the connection open (see the addnode RPC help for more info). This option can be specified multiple times to add multiple nodes; connections are limited to %u at a time and are counted separately from the -maxconnections limit. Append =manual-block-relay to disable transaction and address relay.", MAX_ADDNODE_CONNECTIONS), ArgsManager::ALLOW_ANY | ArgsManager::NETWORK_ONLY, OptionsCategory::CONNECTION);
-blocksonly is a global startup option (applying to all connections) -block-relay-only is connection-specific
A node in -blocksonly mode participates in address relay, we never send out addresses on -block-relay-only connections (and ignore incoming ones).
A node in -blocksonly signals not to receive any transactions (fRelay) and will disconnect if that is breached, but it may in special cases send out transactions itself (if submitted via RPC). We’ll never send a tx over a block-relay-only connection.
A node in -blocksonly mode still has two of their outbound connections as -block-relay-only (for which then the block-relay-only rules apply).
luke-jr changes_requested
in
src/net.cpp:2585
in
99154c5c31outdated
2821 {
2822 LOCK(m_added_nodes_mutex);
2823- for (const std::string& it : m_added_nodes) {
2824- if (strNode == it) return false;
2825+ for (const auto& it : m_added_nodes) {
2826+ if (strNode == it.m_node_address) return false;
www222fff
commented at 10:14 pm on April 29, 2022:
Supposed option modify case need not be handled?
If add node firstly with setting manual and then setting manual block relay.
No, a modify option is not supported, especially since it is not possible to change the connection connection type of an existing connection. A user could instead use the ‘remove’ option and then re-add with another connection type (which would not change existing connections though).
willcl-ark
commented at 1:29 pm on January 16, 2023:
It might be an option to use std::any_of here if using standard library algorithms is preferable, but personally I think it might end up a little less readable.
in
src/net.cpp:1082
in
99154c5c31outdated
1259@@ -1258,6 +1260,7 @@ bool CConnman::AddConnection(const std::string& address, ConnectionType conn_typ
1260 switch (conn_type) {
1261 case ConnectionType::INBOUND:
1262 case ConnectionType::MANUAL:
1263+ case ConnectionType::MANUAL_BLOCK_RELAY:
www222fff
commented at 10:16 pm on April 29, 2022:
Addconnection rpc should not support manual block relay, so seems here need not check?
It’s true that it doesn’t support this, just as it doesn’t support INBOUND or MANUAL. But leaving it out her would result in a compiler warning for the switch, see comment below:
// no default case, so the compiler can warn about missing cases
mzumsande force-pushed
on May 1, 2022
mzumsande force-pushed
on May 2, 2022
mzumsande
commented at 5:24 pm on May 2, 2022:
contributor
I wonder if in future, we could change the net/net_processing responsibilities such that net_processing is unaware of whether a connection is manual or not. The only places that net_processing uses that information are in MaybeDiscourageAndDisconnect() (before this PR), and EvictExtraOutboundPeers() (in this PR). If disconnection and eviction logic is moved out of net_processing (cc @cfields), then net_processing won’t need to be aware of the difference between manual and automatic connections.
Yes, that sounds like a nice side-effect of moving the eviction logic out of net_processing.
Should this assert or return false if conn_type != ConnectionType::MANUAL && conn_type != ConnectionType::MANUAL_BLOCK_RELAY? What would it mean to have a non-manual connection type in the m_added_nodes container?
If this is changed to an assert you’d need to also update the test in fuzz/connman.
jnewbery
commented at 5:30 pm on May 4, 2022:
contributor
Code review ACK6d75df749d
jonatack
commented at 5:59 am on May 9, 2022:
contributor
It seems to me the linked issue would be solved in the general case by #24545 (or alternatively since v22 by adding manual connections to other non-clearnet networks).
In that situation, manual block-relay-only connections to peers on clearnet networks can help us staying connected to the best chain, but in contrast to normal manual connections, transactions and addresses aren’t transmitted on these links - in particular not our own address or transaction from our wallet. This increases privacy and will also make it harder to perform fingerprinting attacks (connecting our identities over different networks).
Manual connections are to trusted peers, so if I understand correctly, the specific threat model here is that of a trusted peer fingerprinting us?
vasild
commented at 9:02 am on May 10, 2022:
contributor
Manual connections are to trusted peers, so if I understand correctly, the specific threat model here is that of a trusted peer fingerprinting us?
My understanding is that the problem being addressed here is a passive MITM observing that a particular transaction originated from our node when we send it to our trusted peer, added with -addnode (over clearnet).
jonatack
commented at 9:50 am on May 10, 2022:
contributor
Manual connections are to trusted peers, so if I understand correctly, the specific threat model here is that of a trusted peer fingerprinting us?
My understanding is that the problem being addressed here is a passive MITM observing that a particular transaction originated from our node when we send it to our trusted peer, added with -addnode (over clearnet).
Overall I think this is a useful addition, if it ends up being used. I’m a bit concerned it’s too obscure for people to decide to configure links like this. Weak concept ACK.
@mzumsande / @dhruv It seems both this PR and #24545 add a way to associate flags with manually configured connections. Perhaps it’s worth seeing if the interfaces can be made the same?
@vasild Maybe just a terminology note, but a MitM is by definition an active attacker that inserts themselves in the connection. I think perhaps you mean more something like an eavesdropper / large scale surveillance (which just observes without interfering)?
@jonatack Even BIP324, and even when combined with some mechanism of authentication, cannot fully prevent information about transaction origin to a global surveillant due to traffic patterns. We do intend to include affordances for dummy traffic / traffic shaping in BIP324, but actually making use of that to hide transaction propagation patterns is out of scope.
vasild
commented at 6:33 am on May 11, 2022:
contributor
@sipa, yes, by passive man in the middle, I mean eavesdropping or spying. Btw, wikipedia MITM reads “… attacker secretly relays and possibly alters the communications between two parties …”
mzumsande
commented at 12:39 pm on May 11, 2022:
contributor
Manual connections are to trusted peers, so if I understand correctly, the specific threat model here is that of a trusted peer fingerprinting us?
There are different levels of trust and I think that it is quite typical that users would just choose a peer with a good uptime and no past misbehaviour as a “trusted” addnode peer without actually being able to vouch for its operator completely.
But even if the peer is indeed good, there is still the possibility of indirect attempts to infer this connection, where a third party would connect to us (on the privacy network where we accept connections) and also to our suspected addnode peer (via clearnet). In this situation, I think it would be possible to infer the existence of this connection with a reasonable degree of confidence using addr relay probing, and probably some tricks exist within tx relay as well. I think that there is a much larger attack surface if you participate in addr and tx relay, and part of the reason block-relay-only connections were introduced is to just disable these attack vectors completely on these connections instead of trying to solve all relevant issues with addr and tx relay.
It seems both this PR and #24545 add a way to associate flags with manually configured connections. Perhaps it’s worth seeing if the interfaces can be made the same?
Yes, this should be easily possible. I had a look at an older version of this (#23900), and I think that the changes in net are quite similar already. I will soon take a closer look and possibly change some nomenclature/details here to make them more compatible.
I’m a bit concerned it’s too obscure for people to decide to configure links like this.
Yes, that’s definitely a valid point, I was unsure about this myself. It seems really hard to gauge what features users will actually use.
DrahtBot added the label
Needs rebase
on May 16, 2022
mzumsande force-pushed
on May 18, 2022
mzumsande
commented at 3:19 pm on May 18, 2022:
contributor
6d75df7 to c348172:
Rebased and made the approach analogous to the one by @dhruv in #24545 by renaming AddedNodeEntry to AddedNodeParams and and making it a member of AddedNodeInfo.
DrahtBot removed the label
Needs rebase
on May 18, 2022
DrahtBot added the label
Needs rebase
on May 19, 2022
mzumsande force-pushed
on May 19, 2022
mzumsande
commented at 2:44 pm on May 19, 2022:
contributor
Rebased after the merge of #22778 - this meant adding a couple more calls to IsBlockRelayConn(), that used to be m_tx_relay == nullptr checks before #22778 and therefore apply for both manual and automatic block-relay-only connections.
DrahtBot removed the label
Needs rebase
on May 19, 2022
jnewbery
commented at 7:37 am on May 20, 2022:
contributor
reACK8af5283992
maflcko removed the label
GUI
on May 20, 2022
jonatack
commented at 2:21 pm on May 20, 2022:
contributor
LarryRuane
commented at 0:07 am on June 15, 2022:
contributor
6d75df7 to c348172: Rebased and made the approach analogous to the one by @dhruv in #24545 by renaming AddedNodeEntry to AddedNodeParams and and making it a member of AddedNodeInfo.
Suggestion, if possible do the rebase and PR changes in separate force-pushes, to make it easier for reviewers to see just the PR changes. I think I’ve seen GitHub combine the two force-pushes if they’re close in time, so it may be advisable to wait a bit between the force-pushes.
DrahtBot added the label
Needs rebase
on Jun 15, 2022
mzumsande force-pushed
on Jun 15, 2022
mzumsande
commented at 2:22 pm on June 15, 2022:
contributor
Suggestion, if possible do the rebase and PR changes in separate force-pushes, to make it easier for reviewers to see just the PR changes.
Ok, I’ll try to think of that next time!
DrahtBot removed the label
Needs rebase
on Jun 15, 2022
in
src/rpc/net.cpp:291
in
629a6f4040outdated
277@@ -278,6 +278,7 @@ static RPCHelpMan addnode()
278 {
279 {"node", RPCArg::Type::STR, RPCArg::Optional::NO, "The node (see getpeerinfo for nodes)"},
280 {"command", RPCArg::Type::STR, RPCArg::Optional::NO, "'add' to add a node to the list, 'remove' to remove a node from the list, 'onetry' to try a connection to the node once"},
281+ {"connection_type", RPCArg::Type::STR, RPCArg::Default{"manual"}, "Type of connection to open ('manual' or 'manual-block-relay')"},
LarryRuane
commented at 11:28 pm on June 21, 2022:
We’re not checking that the connection type string is valid here, as we are in the addnode rpc handler. It’s understandable because it’s actually too late to check it here. I recommend checking it in AppInitMain() where many other config / arg parameters are checked. If it’s not one of the valid types, call InitError(). You may want to refactor the connection type string checking logic out of the rpc handler into a separate function (probably should be a static CConnman method), and then call it from there and from AppInitMain().
I added a check to init - in doing so, I realized that if I check for invalid connection types anyway, I might as well do therest of the parsing of the string there as well - so I changed it to pass a vector of AddedNodeParams structs already in CConnman::Options and removed the CConnman::GetAddedNodeParams function. Let me know if that makes sense to you!
Addressed feedback to validate the connection type when passing via bitcoind arg. Note that the node name is not being validated, like before.
Added a commit with a relase note.
I also extended the test coverage of the RPC -addnode to cover manual-block-relay connections (rpc_net.py).
DrahtBot added the label
Needs rebase
on Jul 7, 2022
in
src/net.h:188
in
20b6e75ddcoutdated
179@@ -188,6 +180,30 @@ enum class ConnectionType {
180 * AddrMan is empty.
181 */
182 ADDR_FETCH,
183+
184+ /**
185+ * Manual-block-relay connections are manually added nodes (via -addnode)
186+ * that behave like BLOCK_RELAY connections in that they don't participate in
187+ * transaction and address relay, and also share the properties of MANUAL
188+ * connections. When connected to a privacy network such as
0 * connections. When the node is connected to a privacy network such as
Otherwise, the “connected to…” clause seems like it’s attached to the “manual block-relay-only connection” (equivalent to “when the manual block-relay-only connections are connected to a privacy network…)
in
src/net_processing.cpp:421
in
20b6e75ddcoutdated
412@@ -413,7 +413,7 @@ struct CNodeState {
413 * Both are only in effect for outbound, non-manual, non-protected connections.
414 * Any peer protected (m_protect = true) is not chosen for eviction. A peer is
415 * marked as protected if all of these are true:
416- * - its connection type is IsBlockOnlyConn() == false
417+ * - its connection type is IsAutomaticBlockRelayConn() == false
I think it’s very strange to say “connection type is IsAutomaticBlockRelayConn() == false”, when the logic for setting m_protect is pfrom.IsFullOutboundConn(). I know this line is only touched by the scripted diff, but since it’s being touched perhaps updated to say “its connection type is OUTBOUND_FULL_RELAY.
(in general I don’t think it’s useful to have comments that simply restate the programming logic in english so would prefer to see this removed, but that’s out of scope for this PR).
Good point, I changed this in the commit where the manual-block-relay connections are introduced.
in
doc/release-notes.md:114
in
20b6e75ddcoutdated
103@@ -104,6 +104,11 @@ Low-level changes
104 RPC
105 ---
106107+- The RPC `addnode` and the `-addnode` bitcoind startup option now
108+optionally support adding manual peers that are block-relay-only.
109+On these connections, the node doesn't participate in transaction or
110+address relay. (#24170)
DrahtBot removed the label
Needs rebase
on Sep 19, 2022
DrahtBot added the label
Needs rebase
on Oct 13, 2022
mzumsande force-pushed
on Oct 18, 2022
DrahtBot removed the label
Needs rebase
on Oct 18, 2022
brunoerg
commented at 6:25 pm on October 18, 2022:
contributor
Concept ACK
Should we consider the manual block-relay-only connections as anchors? E.g I added 2 manual block-relay-only connections in addition to the 2 outbound block-relay-only ones and I’d like to consider the manual ones as my anchors. so, when my node starts it would connect to that 2 peers. Could it make sense?
DrahtBot added the label
Needs rebase
on Oct 21, 2022
mzumsande force-pushed
on Oct 21, 2022
mzumsande
commented at 6:43 pm on October 21, 2022:
contributor
Rebased
Should we consider the manual block-relay-only connections as anchors? E.g I added 2 manual block-relay-only connections in addition to the 2 outbound block-relay-only ones and I’d like to consider the manual ones as my anchors. so, when my node starts it would connect to that 2 peers. Could it make sense?
This PR allows to add the manual block-relay-only connections as addnode peers to bitcoin.conf - I think if we do this, it’s essentially the same behavior as if it was an anchor, we’ll connect to them with each new restart.
DrahtBot removed the label
Needs rebase
on Oct 21, 2022
DrahtBot added the label
Needs rebase
on Nov 2, 2022
mzumsande force-pushed
on Nov 21, 2022
DrahtBot removed the label
Needs rebase
on Nov 21, 2022
willcl-ark approved
willcl-ark
commented at 2:07 pm on January 16, 2023:
member
ACK3eb8c42368a6e059b1842cbcec478815d947a341
If you touch again (to kick the CI.) you might consider also amending this comment to clarify that that manual-block-relay peers are not excluded from the protection, only automatic-block-relay peers are?
mzumsande
commented at 10:00 pm on February 17, 2023:
Not sure about this: Currently, the help for “addnode” states that only =manual-block-relay is possible (manual is the default). Adding this to the help might only complicate things for the user, because there would be no difference between =manual and no argument at all?
I prefer not having =manual, it would add more stuff to the code and I believe it might complicate for the user, it’s the default behavior, not sure why someone would want to specify it.
aureleoules approved
aureleoules
commented at 4:08 pm on January 16, 2023:
member
Light ACK3eb8c42368a6e059b1842cbcec478815d947a341
The code looks good and I verified that the tests correctly test the new behavior.
Be wary I am not familiar with net processing.
brunoerg
commented at 4:28 pm on January 16, 2023:
contributor
This PR allows to add the manual block-relay-only connections as addnode peers to bitcoin.conf - I think if we do this, it’s essentially the same behavior as if it was an anchor, we’ll connect to them with each new restart.
Not sure if I was clear, just to clarify. If I use -addnode=ip=manual-block-relay in CLI, not putting it in bitcoin.conf, when I shutdown my node, this peer is not gonna be dump into anchors.dat, right?
in
src/net.h:989
in
3eb8c42368outdated
987@@ -972,7 +988,7 @@ class CConnman
988 /**
989 * Return vector of current BLOCK_RELAY peers.
rajarshimaitra
commented at 1:11 pm on January 19, 2023:
If we are changing the name of the functions to AutomaticBlockRelayConns would it make sense to call the connection BLOCK_RELAY type also to AUTOMATIC_BLOCK_RELAY?
Then comments like this and the connection type returned would be consistent and could be less confusing for future readers.
For example this call only returns automatic block relays, not all block relays..
LarryRuane
commented at 7:13 pm on February 10, 2023:
If we are changing the name of the functions to AutomaticBlockRelayConns would it make sense to call the connection BLOCK_RELAY type also to AUTOMATIC_BLOCK_RELAY?
Doing this rename would touch 20 lines of code in 8 files, but could be done with a scripted diff. I agree it would be more consistent, so personally, I’m in favor, but I’d also understand not wanting to increase the diff that much.
mzumsande
commented at 10:01 pm on February 17, 2023:
I agree that it would be more consistent and added a commit to do this - I’ll check how many additional conflicts this introduces…
in
src/net.h:457
in
3eb8c42368outdated
427@@ -424,6 +428,7 @@ class CNode
428 case ConnectionType::MANUAL:
429 case ConnectionType::ADDR_FETCH:
430 case ConnectionType::FEELER:
431+ case ConnectionType::MANUAL_BLOCK_RELAY:
432 return false;
rajarshimaitra
commented at 1:35 pm on January 19, 2023:
I might be confused, but why don’t we wanna consider MANUAL_BLOCK_RELAY as Outbound and BlockRelay?
mzumsande
commented at 10:03 pm on February 17, 2023:
It’s used in net_processing in places suchas ConsiderEviction() where we wouldn’t want to consider manual connections.
I think the name “IsOutboundOrBlockRelayConn” isn’t ideal (even before this PR, because manual connections are also outbound connections), maybe the name “IsAutomaticOutboundOrBlockRelayConn” would be better. I added a commit to do that.
in
test/functional/rpc_net.py:236
in
3eb8c42368outdated
rajarshimaitra
commented at 4:26 pm on January 19, 2023:
We had this question in our review club:
along with testing addnode, does it also makes sense to connect with self.nodes[1] in manual-blocks-only mode and assert that only block data is received and not other types of data?
If that makes sense, maybe it could be a nice follow-up after adding the new category. perhaps can be done in p2p_add_connections.py?
mzumsande
commented at 10:05 pm on February 17, 2023:
Yes, I think it makes sense as a follow-up! Though, if I’m not missing something we don’t even support regular MANUAL connections there, so adding support for these would make sense as well?
rajarshimaitra
commented at 5:02 pm on January 19, 2023:
contributor
I think this is a reasonable addition, though share the concern about how much it would actually be used in public. Mostly seems to be not hurting much, modulo the code complexity added due to a new type.
Below are a few nonblocking comments and questions.
achow101
commented at 5:18 pm on January 31, 2023:
member
Any net people want to take a look here?
jonatack
commented at 5:46 pm on January 31, 2023:
contributor
As mentioned in the issue #23763, perhaps I’m missing something but this seems somewhat redundant with
using a VPN, and/or
running bitcoind over multiple encrypted networks (Tor, I2P, CJDNS), and/or
BIP324 v2 encrypted p2p in the future
achow101
commented at 6:03 pm on January 31, 2023:
member
As mentioned in the issue #23763, perhaps I’m missing something but this seems somewhat redundant with
using a VPN, and/or
running bitcoind over multiple encrypted networks (Tor, I2P, CJDNS), and/or
I don’t see how any of those are relevant. Privacy networks and VPNs are generally bandwidth constrained and have a much smaller pool of nodes to connect to, therefore making it easier for an attacker to eclipse you. Being able to add manual blocksonly connections allows nodes to add connections to clearnet nodes for public data that they are unlikely to originate - blocks. Any transactions would still be relayed through connections made on the privacy networks so their origins are masked.
BIP324 v2 encrypted p2p in the future
Since we’re talking about active attackers rather than passive listening, BIP 324 doesn’t help.
jonatack
commented at 6:56 pm on January 31, 2023:
contributor
Privacy networks and VPNs are generally bandwidth constrained
I’ve been running bitcoind over VPNs and all of our encrypted networks since years without bandwidth issues, and currently since 3 months from rural Central America on slow/flakey connections. Even when GitHub takes a long time to load a page, bitcoind thankfully runs well in making peer connections under adverse conditions from what I can see between the debug log and a live -netinfo 4 dashboard. Most of the time it’s running onlynet=tor/i2p/cjdns, e.g. all three without clearnet.
and have a much smaller pool of nodes to connect to, therefore making it easier for an attacker to eclipse you
This may have evolved with a significant increase in Tor and I2P nodes. As one example, my little dev node on my laptop out here currently knows 14k Tor peers and 1100 I2P peers after the IsTerrible filter. 15k seems like a pretty decent amount of peers to connect to – there are significantly more of them nowadays relative to a year ago; for I2P in particular the number seems to have grown quite a lot recently.
mzumsande
commented at 10:06 pm on February 17, 2023:
I think I prefer the more concise version here, especially when most of the args are just defaults that are set to their actual values in the following lines. Also see below.
in
src/net.cpp:2588
in
3eb8c42368outdated
2535+ for (const auto& it : m_added_nodes) {
2536+ if (strNode == it.m_node_address) return false;
2537 }
25382539- m_added_nodes.push_back(strNode);
2540+ m_added_nodes.push_back({strNode, conn_type});
LarryRuane
commented at 7:02 pm on February 10, 2023:
LarryRuane
commented at 7:21 pm on February 10, 2023:
clang-format says (also below)
0 } else if (connection_type_name == manual_name) {
mzumsande
commented at 10:06 pm on February 17, 2023:
done
LarryRuane
commented at 7:24 pm on February 10, 2023:
contributor
re-ACK9e953f1134fe4b752868f519f12d8dee5c1cef52
Code suggestions are advisory.
Suggestion for PR description, maybe include an RPC (or config) example so reviewers can try it out manually quickly without having to look at the code or help to figure out the syntax, something like
DrahtBot requested review from jnewbery
on Feb 10, 2023
DrahtBot requested review from LarryRuane
on Feb 10, 2023
mzumsande
commented at 7:18 pm on February 13, 2023:
contributor
I was busy with other things in the last weeks, but I will get back to address feedback later this week!
mzumsande force-pushed
on Feb 17, 2023
mzumsande
commented at 10:13 pm on February 17, 2023:
contributor
Sorry for the delay
I addressed the outstanding comments, rebased and pushed an update.
Major changes are two scripted-diff commits renaming the function.
IsOutboundOrBlockRelayConn to IsAutomaticOutboundOrBlockRelayConn
and the connection type
BLOCK_RELAY to AUTOMATIC_BLOCK_RELAY
If you touch again (to kick the CI.) you might consider also amending this comment to clarify that that manual-block-relay peers are not excluded from the protection, only automatic-block-relay peers are?
Since the protection only applies to Full Outbound connections (and nothing else), manual block-relay peers are also excluded from it (just like all other manual peers). It just makes most sense naming (automatic) block-relay-only peers here.
Not sure if I was clear, just to clarify. If I use -addnode=ip=manual-block-relay in CLI, not putting it in bitcoin.conf, when I shutdown my node, this peer is not gonna be dump into anchors.dat, right?
yes, that is correct, anchors are only chosen from automatic block-relay-only connections. I think it makes sense not to mix automatic and manual connections that way:
If the node operator wants to be permanently connected to a given manual connection, they can add this to their permanent config.
mzumsande force-pushed
on Feb 17, 2023
mzumsande force-pushed
on Feb 17, 2023
mzumsande
commented at 10:50 pm on February 17, 2023:
contributor
As mentioned in the issue #23763, perhaps I’m missing something but this seems somewhat redundant with
using a VPN, and/or
running bitcoind over multiple encrypted networks (Tor, I2P, CJDNS), and/or
BIP324 v2 encrypted p2p in the future
I’m not only thinking about a third party monitoring your connections, but also about about the information you’d give the clearnet outbound peers you connect to.
I think there are good reasons to have a connection to clearnet (getting blocks quickly, eclipse attack resistance), and a way to do that which ensures you don’t send your wallet transactions over these connections makes sense to me
(especially since rebroadcast still has privacy issues).
For me, the critical question is still if this opt-in feature will find enough users to justify the added complexity in net - I honestly don’t know that, and I wouldn’t have a problem closing this for now if people think there isn’t enough demand for this use case currently.
stratospher
commented at 10:02 am on February 22, 2023:
contributor
For me, the critical question is still if this opt-in feature will find enough users to justify the added complexity in net - I honestly don’t know that, and I wouldn’t have a problem closing this for now if people think there isn’t enough demand for this use case currently.
if it helps, i found some related issues: (but i don’t know this either)
there’s an issue in raspiblitz where they talk about wanting to connect their tor node to clearnet to speed up IBD and and not lose privacy. they ended up using i2p peers.
in the very unlikely scenario that everyone likes this connection and all bitcoin nodes on tor connect with clearnet only using this option - that wouldn’t be good for the network right? (assuming an average tor user wouldn’t want their addresses/transactions relayed to their clearnet peers)
mzumsande
commented at 9:23 pm on February 23, 2023:
contributor
in the very unlikely scenario that everyone likes this connection and all bitcoin nodes on tor connect with clearnet only using this option - that wouldn’t be good for the network right? (assuming an average tor user wouldn’t want their addresses/transactions relayed to their clearnet peers)
We’d need enough inbound capacity on clearnet to accomodate the additional manual connections to it, and also some users relaying transactions on both networks, otherwise txns submitted through tor wouldn’t make it into clearnet and vice versa. I think that there are many nodes with a lesser need for privacy (e.g. because they don’t submit transactions regularly) that don’t have the need for something like and would be fine having full connections to both networks.
Yes, thanks, that’s a bit simpler and should be equivalent, so I took your suggestion!
DrahtBot added the label
Needs rebase
on Mar 19, 2023
scripted-diff: Rename IsBlockOnlyConn to IsAutomaticBlockRelayConn
This is in preparation for the addition of manual block-relay-only
connections.
-BEGIN VERIFY SCRIPT-
ren() { sed -i "s:\<$1\>:$2:g" $(git grep -l "\<$1\>" ./src ./test); }
ren IsBlockOnlyConn IsAutomaticBlockRelayConn
ren GetCurrentBlockRelayOnlyConns GetCurrentAutomaticBlockRelayConns
-END VERIFY SCRIPT-
2fc6e2c9ef
p2p: add MANUAL_BLOCK_RELAY Connection type
This commit implements the p2p behaviour, but the new
connection type is not used yet.
53be444ffd
mzumsande force-pushed
on Apr 26, 2023
mzumsande
commented at 11:53 am on April 26, 2023:
contributor
b36db717b50de318e22461141f5c0135263beee4 to c13c986: rebased (will address the oustanding review comments soon!)
DrahtBot removed the label
Needs rebase
on Apr 26, 2023
net, rpc: add block-relay-only option to addnode rpc
This applies to both add mode and onetry mode
Co-authored-by: dhruv <856960+dhruv@users.noreply.github.com>
Co-authored-by: brunoerg <brunoely.gc@gmail.com>
e1aec804fb
net, init: Add manual-block-relay option to bitcoind addnode
This allows to specify manual-block-relay peers per
command arg or bitcoin.conf
7de6f89e50
scripted-diff: Rename IsOutboundOrBlockRelayConn to IsAutomaticOutboundOrBlockRelayConn
to make it clearer that manual connections are not included
-BEGIN VERIFY SCRIPT-
ren() { sed -i "s:\<$1\>:$2:g" $(git grep -l "\<$1\>" ./src ./test); }
ren IsOutboundOrBlockRelayConn IsAutomaticOutboundOrBlockRelayConn
-END VERIFY SCRIPT-
826643287b
scripted-diff: rename BLOCK_RELAY to AUTOMATIC_BLOCK_RELAY
to better distinguish from MANUAL_BLOCK_RELAY
-BEGIN VERIFY SCRIPT-
ren() { sed -i "s:\<$1\>:$2:g" $(git grep -l "\<$1\>" ./src ./test); }
ren BLOCK_RELAY AUTOMATIC_BLOCK_RELAY
-END VERIFY SCRIPT-
bbd047b69b
doc: add release note for manual block-relay connections41ce31289f
mzumsande force-pushed
on May 15, 2023
mzumsande
commented at 8:48 pm on May 15, 2023:
contributor
DrahtBot added the label
CI failed
on May 31, 2023
DrahtBot removed the label
CI failed
on May 31, 2023
mzumsande
commented at 7:11 pm on June 4, 2023:
contributor
Seems like other proposals such as #27213 and #27509 that rely on improving automatic behavior have more support compared to this one (which needs manual setup by the node operator). Closing for now.
This is a metadata mirror of the GitHub repository
bitcoin/bitcoin.
This site is not affiliated with GitHub.
Content is generated from a GitHub metadata backup.
generated: 2024-12-19 09:12 UTC
This site is hosted by @0xB10C More mirrored repositories can be found on mirror.b10c.me