Security: stop gossiping failure and attempt times as last_seen times #2273
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Previously, Zebra had a single time field for peer addresses, which was updated every time a peer was attempted, sent a message, or failed. This is a security issue, because the `last_seen` time should be "the last time [a peer] connected to that node", so that "nodes can use the time field to avoid relaying old 'addr' messages". So Zebra was sending incorrect peer information to other nodes. As part of this change, we split the `last_seen` time into the following fields: - untrusted_last_seen: gossiped from other peers - last_response: time we got a response from a directly connected peer - last_attempt: time we attempted to connect to a peer - last_failure: time a connection with a peer failed
teor2345
added
C-bug
|
I still need to write proptests to ensure:
|
3 tasks
Also replace the MetaAddr Arbitrary impl with a derive.
MetaAddr: - the only times that get included in serialized MetaAddrs are the untrusted last seen and responded times MetaAddrChange: - the untrusted last seen time is never updated - the services are only updated if there has been a handshake
jvff
reviewed
Jun 11, 2021
|
I updated the PR description, changing |
7 tasks
Thanks for catching that! |
jvff
previously approved these changes
Jun 14, 2021
- make ready_outbound_strategy generate changes - update existing strategies based on the refactor - update newly added proptests based on the refactor
dconnolly
pushed a commit
that referenced
this pull request
Jun 15, 2021
…#2273) * Security: stop gossiping failure and attempt times as last_seen times Previously, Zebra had a single time field for peer addresses, which was updated every time a peer was attempted, sent a message, or failed. This is a security issue, because the `last_seen` time should be "the last time [a peer] connected to that node", so that "nodes can use the time field to avoid relaying old 'addr' messages". So Zebra was sending incorrect peer information to other nodes. As part of this change, we split the `last_seen` time into the following fields: - untrusted_last_seen: gossiped from other peers - last_response: time we got a response from a directly connected peer - last_attempt: time we attempted to connect to a peer - last_failure: time a connection with a peer failed * Implement Arbitrary and strategies for MetaAddrChange Also replace the MetaAddr Arbitrary impl with a derive. * Write proptests for MetaAddr and MetaAddrChange MetaAddr: - the only times that get included in serialized MetaAddrs are the untrusted last seen and responded times MetaAddrChange: - the untrusted last seen time is never updated - the services are only updated if there has been a handshake
dconnolly
pushed a commit
that referenced
this pull request
Jun 16, 2021
…#2273) * Security: stop gossiping failure and attempt times as last_seen times Previously, Zebra had a single time field for peer addresses, which was updated every time a peer was attempted, sent a message, or failed. This is a security issue, because the `last_seen` time should be "the last time [a peer] connected to that node", so that "nodes can use the time field to avoid relaying old 'addr' messages". So Zebra was sending incorrect peer information to other nodes. As part of this change, we split the `last_seen` time into the following fields: - untrusted_last_seen: gossiped from other peers - last_response: time we got a response from a directly connected peer - last_attempt: time we attempted to connect to a peer - last_failure: time a connection with a peer failed * Implement Arbitrary and strategies for MetaAddrChange Also replace the MetaAddr Arbitrary impl with a derive. * Write proptests for MetaAddr and MetaAddrChange MetaAddr: - the only times that get included in serialized MetaAddrs are the untrusted last seen and responded times MetaAddrChange: - the untrusted last seen time is never updated - the services are only updated if there has been a handshake
This was referenced Jun 16, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation
Previously, Zebra had a single time field for each peer, which was updated every time a peer was attempted, sent a message, or failed.
This is a security issue, because the
last_seentime should be "the last time [a peer] connected to that node", so that"nodes can use the time field to avoid relaying old 'addr' messages".
So Zebra was sending incorrect peer times to other nodes, which is malicious behaviour.
Specifications
addr.time field description:
https://developer.bitcoin.org/reference/p2p_networking.html#addr
Designs
This PR uses the
DateTime32type introduced in PR #2210, see ticket #2171 for more details.Solution
Security Changes
Other Required Changes
Split the
last_seentime into the following fields:DateTime32DateTime32InstantInstantSend peer changes using a new
MetaAddrChangetype, so that senders don't accidentally overwrite peer fields with outdated data. (Due to concurrency, changes can be applied to the address book out of order.)Review
@jvff can review this PR. It's an important security fix, but it's not particularly urgent.
This PR should close #1868.
Reviewer Checklist
Follow Up Work
This PR is part of a series of MetaAddr refactors.
After #1867 is fixed, the network will be able to remove the unreachable addresses introduced by #2120.