Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security: Use canonical SocketAddrs to avoid duplicate peer connections, Feature: Send local listener to peers #2276

Merged
merged 17 commits into from
Jun 22, 2021

Conversation

teor2345
Copy link
Contributor

@teor2345 teor2345 commented Jun 10, 2021

Motivation

  1. Zebra's seed peers and local listener address can be non-canonical, leading to duplicate peer connections.

  2. In PR Security: stop gossiping failure and attempt times as last_seen times #2273, Zebra stopped gossiping its local listener address to peers, because it didn't have a last seen time.

  3. In PR Security: stop gossiping failure and attempt times as last_seen times #2273, Zebra applied its local listener to any existing entry for that address, which could skip the listener, or leak internal state.

  4. Since the listener was added to the cloned AddressBook, it was briefly included in the address book metrics.

These changes help test PRs #2273 and #2275.

Specifications

addr.time:

Nodes advertising their own IP address set this to the current time.

https://developer.bitcoin.org/reference/p2p_networking.html#addr

Solution

  1. Make Zebra always use canonical seed, listener, MetaAddr, and MetaAddrChange SocketAddrs
  2. Give the local listener address a last seen time
  3. Replace any existing address book entry for the local listener
  4. Get the peer list from the address book, rather than cloning it

As a side-effect, this change also makes sanitization slightly faster, because it avoids some useless peer filtering and sorting.

Testing

Adds proptests for the following properties:

  • regardless of any existing entry for a local listener MetaAddr, a sanitized address book contains a copy of the local listener with the current time
    • but listeners that are not valid for outbound connections should be skipped
  • Zebra doesn't share invalid listeners (IP addresses or client services) with its peers

Review

@jvff can review this change.

Reviewer Checklist

  • Code implements Specs and Designs
  • Tests for Expected Behaviour
  • Tests for Errors

Follow Up

Make MetaAddr.addr a private field #2357, so the constructors can make sure it's canonical

@teor2345 teor2345 added C-bug Category: This is a bug A-rust Area: Updates to Rust code P-Medium I-privacy Zebra discloses private information A-network Area: Network protocol updates or fixes labels Jun 10, 2021
@teor2345 teor2345 added this to the 2021 Sprint 11 - Zcon2 milestone Jun 10, 2021
@teor2345 teor2345 requested a review from jvff June 10, 2021 05:31
@teor2345 teor2345 self-assigned this Jun 10, 2021
@teor2345

This comment has been minimized.

@teor2345 teor2345 marked this pull request as ready for review June 10, 2021 05:38
@teor2345 teor2345 marked this pull request as draft June 10, 2021 05:38
@mpguerra mpguerra removed this from the 2021 Sprint 11 - Zcon2 milestone Jun 14, 2021
@teor2345 teor2345 force-pushed the limit-addr-reconnection-rate branch 2 times, most recently from 2954ba3 to 318a495 Compare June 15, 2021 03:34
@teor2345 teor2345 force-pushed the local-listener-fix branch from cc7bb3b to 5fe6efe Compare June 16, 2021 02:37
@teor2345 teor2345 force-pushed the local-listener-fix branch from af18c98 to 6fcf788 Compare June 16, 2021 10:47
@teor2345 teor2345 force-pushed the local-listener-fix branch 2 times, most recently from 80b68d5 to 1313f10 Compare June 18, 2021 09:23
Base automatically changed from limit-addr-reconnection-rate to main June 18, 2021 12:30
@teor2345 teor2345 force-pushed the local-listener-fix branch from 1313f10 to 87bfff9 Compare June 20, 2021 23:14
@teor2345 teor2345 mentioned this pull request Jun 21, 2021
2 tasks
@teor2345 teor2345 force-pushed the local-listener-fix branch from 87bfff9 to a3950e1 Compare June 21, 2021 03:11
Previously, whenever there was an inbound request for peers, we would
clone the address book and update it with the local listener.

This had two impacts:
- the listener could conflict with an existing entry,
  rather than unconditionally replacing it, and
- the listener was briefly included in the address book metrics.

As a side-effect, this change also makes sanitization slightly faster,
because it avoids some useless peer filtering and sorting.
teor2345 added 2 commits June 21, 2021 13:38
If we allow multiple variants for each peer address, we can make multiple
connections to that peer.

Also make sure sanitized MetaAddrs are valid for outbound connections.
@teor2345 teor2345 force-pushed the local-listener-fix branch from c644df2 to 4aa6b00 Compare June 21, 2021 03:39
@teor2345 teor2345 changed the title Always send our local listener with the latest time Security: Use canonical SocketAddrs to avoid duplicate peer connections, Feature: send local listener to peers Jun 21, 2021
@teor2345 teor2345 added C-security Category: Security issues I-invalid-data Zebra relies on invalid or untrusted data, or sends invalid data I-remote-node-overload Zebra can overload other nodes on the network labels Jun 21, 2021
@teor2345 teor2345 marked this pull request as ready for review June 21, 2021 03:59
@teor2345 teor2345 changed the title Security: Use canonical SocketAddrs to avoid duplicate peer connections, Feature: send local listener to peers Security: Use canonical SocketAddrs to avoid duplicate peer connections, Feature: Send local listener to peers Jun 21, 2021
jvff
jvff previously approved these changes Jun 21, 2021
Copy link
Contributor

@jvff jvff left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking good! I added some minor suggestions, but they're all optional.

zebra-chain/src/serialization/date_time.rs Outdated Show resolved Hide resolved
zebra-chain/src/serialization/date_time.rs Outdated Show resolved Hide resolved
zebra-chain/src/serialization/date_time.rs Outdated Show resolved Hide resolved
zebra-chain/src/serialization/date_time.rs Outdated Show resolved Hide resolved
zebra-chain/src/serialization/date_time.rs Outdated Show resolved Hide resolved
zebra-chain/src/serialization/date_time.rs Outdated Show resolved Hide resolved
zebra-chain/src/serialization/date_time.rs Outdated Show resolved Hide resolved
zebra-network/src/meta_addr.rs Show resolved Hide resolved
zebra-network/src/meta_addr.rs Show resolved Hide resolved
zebra-network/src/address_book.rs Outdated Show resolved Hide resolved
teor2345 and others added 5 commits June 22, 2021 11:16
Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
@teor2345 teor2345 requested a review from jvff June 22, 2021 01:37
zebra-network/src/address_book.rs Outdated Show resolved Hide resolved
zebra-network/src/meta_addr.rs Show resolved Hide resolved
@teor2345 teor2345 enabled auto-merge (squash) June 22, 2021 02:10
@teor2345 teor2345 merged commit 1a57023 into main Jun 22, 2021
@teor2345 teor2345 deleted the local-listener-fix branch June 22, 2021 02:17
@mpguerra mpguerra mentioned this pull request Apr 11, 2023
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
A-network Area: Network protocol updates or fixes A-rust Area: Updates to Rust code C-bug Category: This is a bug C-security Category: Security issues I-invalid-data Zebra relies on invalid or untrusted data, or sends invalid data I-privacy Zebra discloses private information I-remote-node-overload Zebra can overload other nodes on the network
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants