Reject p2p message #3185

pull gavinandresen wants to merge 5 commits into bitcoin:master from gavinandresen:reject changing 9 files +172 −70
  1. gavinandresen commented at 7:50 am on October 30, 2013: contributor

    Send “reject” messages to peers if their transactions or blocks are rejected.

    See https://gist.github.com/gavinandresen/7079034 and the discussion on the bitcoin-development mailing list.

    Tested by running three -regtest -debug=net -printtoconsole nodes, one of which was running with -fuzzmessagestest=11 to generate garbled blocks/transactions, and verified that reject messages were sent and reported correctly as new blocks were generated and transactions sent between them.

  2. petertodd commented at 2:06 pm on October 31, 2013: contributor
    Can you explain what actions you expect implementations to take in response to a block rejection message?
  3. gavinandresen commented at 9:22 pm on October 31, 2013: contributor

    @petertodd: once an implementation is mature, I expect it would do nothing in response to a block rejection message, because false-positives (attackers being annoying) will be more common than true positives.

    While an implementation is being developed, I expect the developers will investigate every rejection message.

    I thought I was pretty clear in the gist that is the purpose of this message:

    “In short, giving peers feedback about why their blocks or transactions are dropped or why they are being banned should help interoperability between different implementations”

  4. mikehearn commented at 2:25 pm on November 1, 2013: contributor
    Looks good to me. Thanks for doing this.
  5. jgarzik commented at 2:28 pm on November 1, 2013: contributor
    Looks easy to fill up the disk with a stream of remote ‘reject’ messages.
  6. mikehearn commented at 2:40 pm on November 1, 2013: contributor
    If you’re thinking of logs, they’re rotated anyway, I thought (or could be). Anyway making log rotation work nicely is an unrelated change.
  7. jgarzik commented at 3:03 pm on November 1, 2013: contributor
    That’s a dodge. There’s no rate limiting, you’re still streaming from remote -> local disk.
  8. petertodd commented at 3:07 pm on November 1, 2013: contributor

    @gavinandresen Right, so you’re basically saying block rejection messages could be useful for an alt-implementation that’s being used for mining. We know that the state of computer science isn’t close to the point where we can do that safely; I personally a half-dozen forking bugs across a few alt-implementations the other week after an hour or two of work spent auditing them. We don’t want to encourage that, and giving them handy rejection messages does.

    When it comes to blocks, the only useful feedback you can give them is “stop doing that”. We don’t need rejection messages for that; blocks get orphaned says that just fine already.

  9. petertodd commented at 3:09 pm on November 1, 2013: contributor
    @jgarzik Looks to me like you could dump a 32MiB rejection message into your remotes logs, and what’s worse is that I don’t see anything stopping you from making fake logs by putting newlines in that rejection message. Ugh.
  10. mikehearn commented at 3:11 pm on November 1, 2013: contributor

    @jgarzik It’s not a dodge. You can fill up the logs just by connecting repeatedly as well, or sending messages that cause a Misbehaving(0) to be hit, or lots of other things. That’s just not something that’s currently in our threat model. If you want to strengthen the bitcoind threat model to include “attacker filling up logs” then go ahead and do that on a new set of changes. It’s just irrelevant to this change. But I’d suggest working on the more problematic DoS attacks first.

    Being able to make fake logs is perhaps more of an issue, but that can be resolved just by forbidding newline characters (or heck, spaces) in the messages.

  11. petertodd commented at 3:21 pm on November 1, 2013: contributor
    @mikehearn @gavinandresen Should be forbidding anything non-ascii-standard, newline and carriage return, and limit messages to, say, 256 characters. (we did something similar with alert messages right?)
  12. gavinandresen commented at 6:34 pm on November 1, 2013: contributor

    @jgarzik @petertodd : Reject messages are only logged if you are running -debug=net (or -debug which means “everything”). I am assuming that you will only run -debug=net when you are, you know, debugging, and probably controlling who you are connecting to.

    I’ll add a “print out only the first 111 bytes”, that should be sufficient belt-and-suspenders.

  13. petertodd commented at 6:47 pm on November 1, 2013: contributor

    @gavinandresen I run all my nodes with -debug=net all the time so that if something odd happens with the network (e.g. the chain fork) I can debug it; I’ve got stacks of disk space and io bandwidth. Filtering out garbage, especially newlines, is an absolute must.

    Also, still NACK on block messages.

  14. gavinandresen commented at 6:53 pm on November 1, 2013: contributor

    @petertodd: duly noted.

    Everybody else: any objections? If pull tester is happy, I’m going to pull.

  15. gmaxwell commented at 7:12 pm on November 1, 2013: contributor

    We probably shouldn’t allow control characters in printfs from the network. I don’t believe we do anywhere else (and I’d looked some back when the OSX unicode crasher happened). Beyond log entry emulation free access lets you trash peoples’ terminals.

    Running the text through a URL encode would probably be a trivial way to avoid trouble.

  16. gavinandresen commented at 7:35 pm on November 1, 2013: contributor

    @gmaxwell : good point RE: -printtoconsole.

    Two commits now– the first refactors the code we have in alert for sanitizing a string into a util.h SanitizeString method. Please don’t suggest super-optimizing it with a lookup table, this is not performance-critical code.

    The second limits the text printed to debug.log if -debug or -debug=net to 111 safe characters. @petertodd : I’d get less annoyed if you made helpful observations like “don’t we do something like that processing alerts…” up front. Maybe it is just me, but I constantly get the feeling you are trying to torpedo other people’s ideas instead of trying to work together to be helpful.

  17. petertodd commented at 7:38 pm on November 1, 2013: contributor

    @gavinandresen I hadn’t read the code until today.

    Also, limit the string to 111 characters first, then sanitize it.

  18. in src/main.h: in 6e5fe78b09 outdated 
    69+static const unsigned char REJECT_OBSOLETE = 0x11;
70+static const unsigned char REJECT_DUPLICATE = 0x12;
71+static const unsigned char REJECT_NONSTANDARD = 0x40;
72+static const unsigned char REJECT_DUST = 0x41;
73+static const unsigned char REJECT_INSUFFICIENTFEE = 0x42;
74+static const unsigned char REJECT_CHECKPOINT = 0x43;
    sipa commented at 7:47 pm on November 1, 2013:
    I dislike having codes in the protocol that correspond to implementation-specific details (nonstandard, dust, insufficient fee, and checkpoint). I’d prefer just encoding the class of problem (p2p protocol violatiom, network rule violation, local client policy) in the code, and use the message to further describe as necessary. Otherwise we’ll end up with many extensions over time, and obsolete codes.
    sipa commented at 7:54 pm on November 1, 2013:
    It seems REJECT_OBSOLETE can both be used for an obsolete P2P protocol number, and an obsolete block version.
    gavinandresen commented at 8:01 pm on November 1, 2013:
    Yes, REJECT_OBSOLETE can be used for both. You get “reject” “block” OBSOLETE or “reject” “version” OBSOLETE.
    gavinandresen commented at 8:05 pm on November 1, 2013:

    RE: encoding class and letting the string encode the detail:

    Meh. Either we’ll get obsolete codes or we’ll have peers trying to parse strings to figure out if their transactions are rejected because they don’t have enough fees or because they have a dusty output.

    I vote for obsolete codes as the lesser of the two evils.

    sipa commented at 8:05 pm on November 1, 2013:
    I would certainly not confuse a protocol problem with a consensus rule violation.
  19. in src/main.cpp: in 6e5fe78b09 outdated 
    3771@@ -3723,8 +3772,12 @@ bool static ProcessMessage(CNode* pfrom, string strCommand, CDataStream& vRecv)
3772             mapAlreadyAskedFor.erase(inv);
3773         int nDoS = 0;
3774         if (state.IsInvalid(nDoS))
3775+        {
3776+            pfrom->PushMessage("reject", strCommand, state.GetRejectCode(),
3777+                               state.GetRejectReason(), inv.hash);
    sipa commented at 7:47 pm on November 1, 2013:
    Why just the inv.hash, and not the whole actual inv?
    gavinandresen commented at 7:59 pm on November 1, 2013:
    Because the only thing serializing a CInv would add would be the MSG_TX byte, and strCommand already encodes that information.
    sipa commented at 8:08 pm on November 1, 2013:
    But it can come as a response to both a transaction or a block, and we identify relayed objects by their CInv.
    sipa commented at 8:15 pm on November 1, 2013:
    Sorry, I completely missed the strCommand. Ignore my comment.
  20. in src/main.cpp: in 6e5fe78b09 outdated 
    3970@@ -3918,6 +3971,29 @@ bool static ProcessMessage(CNode* pfrom, string strCommand, CDataStream& vRecv)
3971     }
3972 
3973 
3974+    else if (strCommand == "reject")
    sipa commented at 7:49 pm on November 1, 2013:
    Adding a new P2P message certainly warrants a PROTOCOL_VERSION bump and a corresponding BIP.
    gavinandresen commented at 7:54 pm on November 1, 2013:

    Happy to write a BIP after we’re sure we’re happy with how it is working.

    PROTOCOL_VERSION bump: disagree:

    “Sending “reject” messages to old nodes does no harm– unknown commands are ignored for extensibility (in the reference implementation, at least– other implementations should do the same). So there is no need to bump the protocol version.”

    … but don’t really care and will sway to consensus.

    sipa commented at 8:09 pm on November 1, 2013:
    Increasing the protocol version is easy and cheap, and it allows discovery of nodes with certain features.
    petertodd commented at 8:15 pm on November 1, 2013:
    @mikehearn Do you see bitcoinj actually trying to find nodes that support rejection messages and connect to them preferentially?
    mikehearn commented at 4:18 pm on November 2, 2013:
    Seeking them out, not right now. Preferring them for tx broadcast vs monitoring, yes. But I vote for a bump anyway - if you know you can expect a reject message in case of a problem, then you can use that to improve the user experience by eliminating arbitrary timeouts and giving the user instant feedback if there was a problem. So we can plumb it through to the UI layers.
    petertodd commented at 0:35 am on November 3, 2013:

    @mikehearn Sounds pretty reasonable to me.

    I vote for a bump too - use 70002 and I’ll update the NODE_BLOOM patch to 70003.

  21. gavinandresen commented at 8:16 pm on November 1, 2013: contributor
    @jgarzik @sipa : I think I’ve addressed all your concerns, I’d really like to move on to bigger and better things (almost have a relay-first-doublespend pull ready), can I get “good enough to pull” ACKs ?
  22. gavinandresen commented at 4:21 am on November 4, 2013: contributor

    Rebased to fix conflicts with mempool refactor.

    Fixed the alert unit tests so bumping protocol version doesn’t make them break any more, and bumped the protocol version to 70002.

  23. laanwj commented at 10:06 am on November 4, 2013: member

    ACK

    Implementation nit: in all call sites the reject reason message is kind of duplicated in the logged error message, the the point of both simply being reworded versions of each other. It may make sense to reuse the same message except where two different messages are really needed (ie for privacy/security concerns).

  24. mikehearn commented at 10:18 am on November 4, 2013: contributor
    Looks good to me
  25. Diapolo commented at 11:39 am on November 4, 2013: none
    @laanwj I thought the same, many strings seem just to be small modifications and tend to be dups even in some cases.
  26. Improve logging of failed connections 0f90613cbe
  27. Refactor: pull alert string sanitization into util 17faf56262
  28. New reject p2p message 358ce2664d
  29. Test alerts high at high PROTOCOL_VERSIONs 
    I regenerated the alert test data; now alerts are tested
against a protocol version way above the current protocol
version.

So we won't have to regenerate them every time we bump
PROTOCOL_VERSION in the future.
    feaec80cb0
  30. Bump protocol version to 70002 69aada346f
  31. gavinandresen commented at 0:36 am on November 11, 2013: contributor

    Rebased.

    RE: duplicating strings for debug.log and the reject message: I decided a fix would be worth than the disease.

    Can’t resist: “A foolish consistency is the hobgoblin of little minds, adored by little statesmen and philosophers and divines.” – Ralph Waldo Emerson

  32. BitcoinPullTester commented at 0:54 am on November 11, 2013: none
    Automatic sanity-testing: PASSED, see http://jenkins.bluematt.me/pull-tester/69aada346f74c978b5d8be59a5d7c79be966ef8c for binaries and test log. This test script verifies pulls every time they are updated. It, however, dies sometimes and fails to test properly. If you are waiting on a test, please check timestamps to verify that the test.log is moving at http://jenkins.bluematt.me/pull-tester/current/ Contact BlueMatt on freenode if something looks broken.
  33. gavinandresen referenced this in commit 16d5f2c5e0 on Nov 11, 2013
  34. gavinandresen merged this on Nov 11, 2013
  35. gavinandresen closed this on Nov 11, 2013
  36. laanwj commented at 6:58 am on November 11, 2013: member
    @gavinandresen right, if it were translated messages it’d be different
  37. gavinandresen deleted the branch on Nov 12, 2013
  38. DrahtBot locked this on Sep 8, 2021


gavinandresen petertodd mikehearn jgarzik gmaxwell sipa laanwj Diapolo BitcoinPullTester

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-09-28 22:12 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me