FrankSzendzielarz
commented
5 years ago Was thinking about this today.
Given the following....
-
Some types of light client want to be able to participate in the discovery protocol (even though it might be suboptimal) and to do so the discovery protocol will need to operate over different transports.
-
There are other full nodes under development that operate under unusual network constraints, eg: UDP is blocked, TOR etc.
-
Discv5 also recommends certain implementation strategies for mitigating risks around validation of node information. When a Kademlia 'find neighbours' request results in a Neighbours message containing new information, those new ENRs need validation, with the how and when of that validation being a tricky task (see link).
….we need to consider these impacts:
If nodes heterogeneously implemented/enabled discovery transports, we'd have a situation where some nodes were unable to validate node information (because the newly discovered peer would be available on an unsupported transport).
In order for the node to prevent attacks and protect its own 'reputation' (reputation in quotes because the recommendation in the spec is more about limits on nodeids per IP per learned from source) , the node would have to make sure that it only accepts nodes it can validate.
However, this would lead to network partitioning . Let's say we have TransportX and TransportY (eg: UDP and WebRTC). Some nodes can only communication over TransportX. Some nodes only over TransportY. Some nodes communicate over both. Over time the network would evolve to resemble a Venn diagram, where the smaller number of bridge nodes would be in between.
This immediately raises some questions:
- If the ENR is from a light client, should it be redistributed at all? For light clients, should the light ENR be omitted from the Kad DHT?
- What happens if an intersection node passes an ENR containing id information for TransportX and Y to a node that only supports TransportY, for example? Does the recipient declare that the endpoint information cannot be validated for TransportX and reject the ENR? In this case, the subnetworks cannot be bridged.
- If the recipient validates TransportX , cannot validate TransportY, but then redistributes the ENR back to a TransportY node, it is itself potentially involved in an attack where TransportX credibility is used to fake TransportY nodes to DoS a TransportY victim.
- How does an intersection node carry out a lookup from a TransportY node? The incoming FindNode would need to to filter results to only return neighbours with TransportY ability, which could lead to lookup process stalling if the numbers are insufficient. In effect, we would have multiple parallel DHTs, but with the k-bucket sizes being restricted to single k. It would be more appropriate perhaps to treat each transport as its own Kademlia network, and nodes would need to maintain a per-transport DHT.
So, it begins to look like that if heterogenous transports are implemented, there should probably be per transport DHTs, with ENRs being transport/DHT-specific. (By DHT I mean a Kademlia system instance or routing table)
In that case though, implementations that support multiple transports would need to populate multiple DHTs. Assuming a common discovery protocol, a mechanism for doing would be an optimal re-use of keys/handshake established over one transport, with a FindNeigbours request over a common (eg: UDP) transport resulting in Neighbours responses for multiple DHTs. i.e A total of 2k neighbours received over UDP, with k being for UDP and k for WebRTC, for example. This approach would perhaps be an added benefit compared to parallel bootstrapping as it would allow WebRTC nodes to be discovered indirectly via the UDP network
The alternative to all the above would be to guarantee that implementations agree to maintain a commonly available set of transports.
Thoughts?
dryajov
fjl
Browsers, have become powerful and full featured runtimes, but due to various security considerations, browsers don't allow direct access to low level networking primitives such as sockets. This restriction makes common operations involving UDP or TCP impossible,for example, programmatic domain name resolution is not possible, as well as NAT techniques involving UDP based interactions, such as hole punching or standard UDP based protocols such as PMP and UpNP. It also restricts listening for direct connections, with the only exception being WebRTC, but even then, a direct connection is not guaranteed.
Nevertheless, this should not prevent browser's direct access to the devp2p protocols such as eth/*, les, pip and possibly others, and should allow non-browser clients to communicate directly with browser clients, such that browser clients are first class citizens in the underlying p2p network.
In addition, enabling browser runtimes would lower the bar of entry for other less capable devices, such as IoT. In this regard, this issue isn't constrained to browsers only, but should be used as a good baseline to target other runtimes.
For more context please take a look at https://github.com/ethereum/devp2p/issues/71 and in particular to https://github.com/ethereum/devp2p/issues/71#issuecomment-482796738.
The high level requirements for such a stack would be:
Some additional considerations brought up by @FrankSzendzielarz: