Security: Use canonical SocketAddrs to avoid duplicate peer connections, Feature: Send local listener to peers #2276
Merged
teor2345 force-pushed the limit-addr-reconnection-rate branch 2 times, most recently from 2954ba3 to 318a495 (June 15, 2021 03:34)
teor2345 force-pushed the local-listener-fix branch from cc7bb3b to 5fe6efe (June 16, 2021 02:37)
teor2345 force-pushed the local-listener-fix branch from af18c98 to 6fcf788 (June 16, 2021 10:47)
teor2345 force-pushed the local-listener-fix branch 2 times, most recently from 80b68d5 to 1313f10 (June 18, 2021 09:23)
teor2345 force-pushed the local-listener-fix branch from 1313f10 to 87bfff9 (June 20, 2021 23:14)
teor2345 force-pushed the local-listener-fix branch from 87bfff9 to a3950e1 (June 21, 2021 03:11)
Previously, whenever there was an inbound request for peers, we would clone the address book and update it with the local listener.

This had two impacts:
- the listener could conflict with an existing entry, rather than unconditionally replacing it, and
- the listener was briefly included in the address book metrics.

As a side-effect, this change also makes sanitization slightly faster, because it avoids some useless peer filtering and sorting.
If we allow multiple variants for each peer address, we can make multiple connections to that peer. Also make sure sanitized MetaAddrs are valid for outbound connections.
teor2345 force-pushed the local-listener-fix branch from c644df2 to 4aa6b00 (June 21, 2021 03:39)
teor2345 changed the title from "Always send our local listener with the latest time" to "Security: Use canonical SocketAddrs to avoid duplicate peer connections, Feature: send local listener to peers" (Jun 21, 2021)
teor2345 added the C-security (Category: Security issues), I-invalid-data (Zebra relies on invalid or untrusted data, or sends invalid data), and I-remote-node-overload (Zebra can overload other nodes on the network) labels (Jun 21, 2021)
teor2345 changed the title from "Security: Use canonical SocketAddrs to avoid duplicate peer connections, Feature: send local listener to peers" to "Security: Use canonical SocketAddrs to avoid duplicate peer connections, Feature: Send local listener to peers" (Jun 21, 2021)
jvff previously approved these changes (Jun 21, 2021)
Looking good! I added some minor suggestions, but they're all optional.
Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
jvff approved these changes (Jun 22, 2021)
Labels
A-network: Area: Network protocol updates or fixes
A-rust: Area: Updates to Rust code
C-bug: Category: This is a bug
C-security: Category: Security issues
I-invalid-data: Zebra relies on invalid or untrusted data, or sends invalid data
I-privacy: Zebra discloses private information
I-remote-node-overload: Zebra can overload other nodes on the network
Motivation
Zebra's seed peers and local listener address can be non-canonical, leading to duplicate peer connections.
In PR Security: stop gossiping failure and attempt times as last_seen times #2273, Zebra stopped gossiping its local listener address to peers, because it didn't have a last seen time.
In PR Security: stop gossiping failure and attempt times as last_seen times #2273, Zebra applied its local listener to any existing entry for that address, which could skip the listener, or leak internal state.
Since the listener was added to the cloned AddressBook, it was briefly included in the address book metrics.
These changes help test PRs #2273 and #2275.
Specifications
addr.time:
https://developer.bitcoin.org/reference/p2p_networking.html#addr
Solution
MetaAddr, and MetaAddrChange
SocketAddrs
As a side-effect, this change also makes sanitization slightly faster, because it avoids some useless peer filtering and sorting.
Testing
Adds proptests for the following properties:
MetaAddr, a sanitized address book contains a copy of the local listener with the current time
Review
@jvff can review this change.
Reviewer Checklist
Follow Up
Make MetaAddr.addr a private field #2357, so the constructors can make sure it's canonical
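
An added example (not code from this pull request or from Zebra) of why non-canonical addresses produce duplicate peer entries, and of sending the local listener with the current time without touching the address book. The canonicalization rules, the simplified `AddressBook` type, and the sample addresses are assumptions made for illustration.

```rust
use std::collections::HashMap;
use std::net::{IpAddr, SocketAddr, SocketAddrV6};

/// Assumed canonical form: IPv4-mapped IPv6 becomes IPv4, and IPv6 flow info
/// and scope id are zeroed, so every spelling of a peer compares equal.
pub fn canonical_socket_addr(addr: SocketAddr) -> SocketAddr {
    match addr {
        SocketAddr::V4(_) => addr,
        SocketAddr::V6(v6) => match v6.ip().to_ipv4_mapped() {
            Some(v4) => SocketAddr::new(IpAddr::V4(v4), v6.port()),
            None => SocketAddr::V6(SocketAddrV6::new(*v6.ip(), v6.port(), 0, 0)),
        },
    }
}

/// Hypothetical, simplified address book: canonical address -> last seen time.
#[derive(Default)]
pub struct AddressBook {
    by_addr: HashMap<SocketAddr, u32>,
}

impl AddressBook {
    /// Record a peer under its canonical address, keeping the newest time.
    pub fn update(&mut self, addr: SocketAddr, last_seen: u32) {
        let time = self.by_addr.entry(canonical_socket_addr(addr)).or_insert(last_seen);
        *time = (*time).max(last_seen);
    }

    pub fn len(&self) -> usize {
        self.by_addr.len()
    }

    /// Peers to send in response to a request: the local listener always
    /// replaces any existing entry and carries the current time. The book
    /// itself is not modified, so its metrics never count the listener.
    pub fn sanitized(&self, local_listener: SocketAddr, now: u32) -> HashMap<SocketAddr, u32> {
        let mut peers = self.by_addr.clone();
        peers.insert(canonical_socket_addr(local_listener), now);
        peers
    }
}

fn main() {
    // Constructed sample: three spellings of one peer (documentation range).
    let mut book = AddressBook::default();
    for s in ["203.0.113.7:8233", "[::ffff:203.0.113.7]:8233", "[::ffff:cb00:7107]:8233"] {
        book.update(s.parse().unwrap(), 100);
    }
    println!("entries: {}", book.len());
}
```

Without the `canonical_socket_addr` call in `update`, the three constructed spellings would be stored as three separate peers, each eligible for its own outbound connection.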