Authenticate identities of TIER2 peers by implementing a 3-way handshake

[saketh-are]

Core team Q2'2023 initiative.

In TIER2 network there is no real authentication of peers, except for the Edge signature: to establish a connection both peers have to sign a (peer_a,peer_b,nonce) tuple. It easy to imagine a situation in which a malicious node C:

• C advertises to B the IP of C as an endpoint of peer A
• C waits for peer B to connect to C, and send (A,B,nonce) signed by B to C
• C connects to A, and sends the send (A,B,nonce) signed by B to A
• A mistakes C for B and a C<->A connection gets established

We can prevent offline attacks as above having some variation of a 3way handshake:

• A connects to B
• A sends a random nonce nA to B
• B sends a random nonce nB to A + signed nA
• A sends signed nB to B

[saketh-are]

Code pointers:

• PeerActor is responsible for managing connections. Every connection is maintained by two PeerActor instances sending messages back and forth, one instance running in each node: https://github.com/near/nearcore/blob/master/chain/network/src/peer/peer_actor.rs. The lifetime of the PeerActor is the same as the lifetime of the connection.
• You will want to understand the existing handshake process by looking into the send_handshake and process_handshake functions in PeerActor, and where those functions are called from.
• Also take a quick look at edge verification (checking signatures from both endpoints), and exactly where those signatures are collected to produce the signed edge: https://github.com/near/nearcore/blob/master/chain/network/src/network_protocol/edge.rs#L168

For this task we are only concerned with changing the handshake process. Edges will still be advertised to the rest of the network in the same way; that is, by sharing an (A, B, nonce) tuple signed by both nodes A and B. The goal of this task is to make the handshake process which produces those signatures more secure.

[ghost]

note that the details are in this internal only design doc that will be publicly shared later after all nodes have deployed the fix instead of now as it's security issue.

• https://docs.google.com/document/d/1LDvaA39XhJ26NwjQRxPA9p1UaWIddwzKE8xYdrtXSLQ

[ghost]

Code merged, thanks saketh@ for reviewing!

• https://github.com/near/nearcore/pull/9100

[ghost]

On hold as waiting to complete migration deployment for this task

[ghost]

From our internal testing, the existing design only works with private networks (e.g. unit tests, internal integration tests) where there is no notion of private / public ip address / VPC / NAT / VPN. Cloud providers such as GCP automatically enforces these separations of public/private ip. Hence, the code will have to be updated to work with these notions.

Reverting due to https://near.zulipchat.com/#narrow/stream/297663-pagoda.2Fnetwork/topic/network.20stall.20during.20mocknet.20test/near/365948241

• https://github.com/near/nearcore/pull/9191

Will have to re-implement to account for NAT

[walnut-the-cat]

Had to revert. Postmortem is scheduled on July 18th and will re-tackle afterward (in July and August)