network: connection deduplication

[AlgoAxel]

Summary

What

Introduces "Identity Challenge" exchange during peering. This is a process in which two peers exchange signed challenges to register one another with public keys that validate their identities. This validated identity is then used as the mechanism to prevent duplicate and bidirectional connections between peers on the network.

Why

Today, Algorand nodes connect outwardly to a number of peers on the network (default of 4). Peer selection strategies within the node will regularly drop the worst connection, and seek a random new peer. This means that over time, nodes will select highly performant connections. However, it also means the likelihood of peers connecting to one another bidirectionally is high, since highly performant connections would tend to be mutually preferred.

Why can't we simply deduplicate against addresses, Telemetry ID, or other basic node information? Because Algorand is distributed, nodes need a way to trust the identity being presented as secure. A bad faith actor could impersonate a node's identity, and "claim" connections to all relay peers, which is a denial of service vector. Instead, we need to be able to validate a connection against a secret identity on the node. A cryptographic solution is the obvious one, where peers exchange signed messages.

How

From the package comment:

// netidentity.go implements functionality to participate in an "Identity Challenge Exchange"
// with the purpose of identifying redundant connections between peers, and preventing them.
// The identity challenge exchange protocol is a 3 way handshake that exchanges signed messages.
//
// Message 1 (Identity Challenge): when a request is made to start a gossip connection, an
// identityChallengeSigned message is added to HTTP request headers, containing:
// - a 32 byte random challenge
// - the requester's "identity" PublicKey
// - the PublicAddress of the intended recipient
// - Signature on the above by the requester's PublicKey
//
// Message 2 (Identity Challenge Response): when responding to the gossip connection request,
// if the identity challenge is valid, an identityChallengeResponseSigned message is added
// to the HTTP response headers, containing:
// - the original 32 byte random challenge from Message 1
// - a new "response" 32 byte random challenge
// - the responder's "identity" PublicKey
// - Signature on the above by the responder's PublicKey
//
// Message 3 (Identity Verification): if the identityChallengeResponse is valid, the requester
// sends a NetIDVerificationTag message over websockets to verify it owns its PublicKey, with:
// - Signature on the response challenge from Message 2, using the requester's PublicKey
//
// Upon receipt of Message 2, the requester has enough data to consider the responder's identity "verified".
// Upon receipt of Message 3, the responder has enough data to consider the requester's identity "verified".
// At each of these steps, if the peer's identity was verified, wsNetwork will attempt to add it to the
// identityTracker, which maintains a single peer per identity PublicKey. If the identity is already in use
// by another connected peer, we know this connection is a duplicate, and can be closed.
//
// Protocol Enablement:
// This exchange is optional, and is enabled by setting the configuration value "PublicAddress" to match the
// node's public endpoint address stored in other peers' phonebooks (like "r-aa.algorand-mainnet.network:4160").
//
// Protocol Error Handling:
// Message 1
// - If the Message is not included, assume the peer does not use identity exchange, and peer without attaching an identityChallengeResponse
// - If the Address included in the challenge is not this node's PublicAddress, peering continues without identity exchange.
//   this is so that if an operator misconfigures PublicAddress, it does not decline well meaning peering attempts
// - If the Message is malformed or cannot be decoded, the peering attempt is stopped
// - If the Signature in the challenge does not verify to the included key, the peering attempt is stopped
//
// Message 2
// - If the Message is not included, assume the peer does not use identity exchange, and do not send Message 3
// - If the Message is malformed or cannot be decoded, the peering attempt is stopped
// - If the original 32 byte challenge does not match the one sent in Message 1, the peering attempt is stopped
// - If the Signature in the challenge does not verify to the included key, the peering attempt is stopped
//
// Message 3
// - If the Message is malformed or cannot be decoded, the peer is disconnected
// - If the Signature in the challenge does not verify peer's assumed PublicKey and assigned Challenge Bytes, the peer is disconnected
// - If the Message is not received, no action is taken to disconnect the peer.

Additional Testing Feature: Public Address: auto

Note: use only for local networks and performance tests.
Thank you very much @brianolson for this idea -- in order to enable IdentityExchange, nodes must have set their PublicAddress to what they expect the DNS knows them to be. This can be tricky in test scenarios (or even live scenarios) where the exact Public Address wouldn't be easily determined -- if "auto" is specified, the PublicAddress value is set once the listener is up. This allows for simpler tests, and could also have utility for node operators who maybe don't want to explicitly set Public Address.

Test Plan

Unit Tests:

Identity Challenges and Responses:

• Tests across Encode / Decode and Verify of Challenge Objects

Identity Tracker Tests:

• SetIdentity and RemoveIdentity positive and negative testing

wsNetwork

• "Happy Path" test where two networks connect with identity and we confirm that deduplication works as indended
• "Single Sided" tests where only the sender (or receiver) is set for identity, identity challenge participation stops and the peers connect normally
• "Incorrect Address" tests where two peers connect to one another, but the "Address" field is incorrect for one of them. Peers should be able to connect without identity.
• Protocol Error Handling: all of the above error handling above is tested via wsNetwork tests which use a mockedIdentityScheme which accepts overloaded behavior for one or more of the handshake steps. Confirms that for each type of incorrect behavior the correct outcome (in terms of number of peers for each node) is correct

Manual Testing

(last done Jan17)

• Confirmed that on a 3 node network, if no node has a ConnectionDeduplicationName set, nodes connect to one another as usual and no identity challenge exchange prevents connection.
• Confirmed that on a 3 node network, if one node does have a ConnectionDeduplicationName set, it will construct an ID Challenge when doing tryConnect. If the receiver does not have a ConectionDeduplicationName, the header payload is never even checked, and all peering continues without identity, as expected.
• Confirmed that on a 3 node network, if two nodes both have ConnectionDeduplicationName set, but the specified "Address" of the challenge is wrong, the ID challenge is inspected and the peer does not participate in identity challenge once this mismatch is discovered. peers connect as intended without identity.
• Overloaded the ConnectionDeduplicationName check (because the gossip names have random ports in local testing) and peered with both sides having ConnectionDeduplicationName set. Observed the whole exchange, including final WS verification from the initiating side. Peers were added to the maps as expected.
• Further Overloaded the setPeersByID method to return false (indicating the key is in use) and observed that the connection is disconnected at the point that the peer has a verified identity, as expected.

Potential outcomes:

1. Lower bandwidth from less duplicate messages
2. Better connected graph for less hops across the network (txn latency)

[brianolson]

I should re-read netidentity.go more carefully, but a couple early notes

[codecov]

Codecov Report

Merging #4695 (5d9c380) into master (7f7939d) will increase coverage by 0.19%.
The diff coverage is 95.93%.

@@            Coverage Diff             @@
##           master    #4695      +/-   ##
==========================================
+ Coverage   53.42%   53.62%   +0.19%     
==========================================
  Files         431      432       +1     
  Lines       54372    54541     +169     
==========================================
+ Hits        29050    29249     +199     
+ Misses      23062    23039      -23     
+ Partials     2260     2253       -7     

Impacted Files	Coverage Δ
config/localTemplate.go	63.26% <ø> (ø)
network/connPerfMon.go	84.13% <ø> (ø)
network/phonebook.go	83.49% <ø> (ø)
network/requestTracker.go	70.81% <ø> (ø)
network/topics.go	97.91% <ø> (ø)
network/wsNetwork.go	68.80% <88.52%> (+3.64%)	⬆️
network/netidentity.go	100.00% <100.00%> (ø)
network/wsPeer.go	71.26% <100.00%> (+3.44%)	⬆️
ledger/blockqueue.go	82.25% <0.00%> (-2.69%)	⬇️
crypto/merkletrie/trie.go	66.42% <0.00%> (-2.19%)	⬇️
... and 10 more

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

[brianolson]

LGTM. I think that got everything.

[iansuvak]

Looks good to me in general, my comments and questions are minor and not-blocking

[iansuvak]

nit, feel free to drop: I'd prefer the attach variable name to be something like attachTo or baseHeaders. To me attach is ambiguous and the first parse of it sounds like the attachment itself rather than the target.

[AlgoAxel]

Easy enough! consider it done.

[iansuvak]

Would it make sense to add a short named field for reason instead of having that information in the Message string itself?

It's a low cardinality value and it would make looking at the breakdown of reasons for identity related disconnects easier without breaking out the telemetry metric

[AlgoAxel]

When a wsNetwork disconnects a peer, it has either the exported Disconnect(peer) method, or the internal disconnect(peer, reason) method. Since we are using the internal, I added a reason "disconnectDuplicateConnection". So, the accounting should already be handled.

Plus, all non-connections (due to duplicate or error) trigger metric counter increments.

[cce]

that made me think, what do you think of changing all the Disconnect(peer) calls added in this file where we disconnect due to identity failures to use a new disconnectReason like disconnect(peer, disconnectBadIdentityData)?

[cce]

I did it: 5d9c380

[iansuvak]

That's partially what I was thinking but even more granular on the reason for what went wrong in the identity. It's findable right now though via the message field in Elastic Search though so that's good enough.

[iansuvak]

looks like it's not hurting but do we actually need to generate methods for this type or is it safe to msgp:ignore it?

[AlgoAxel]

No clue, my goal was to get msgp working for the networking package. As others start using msgp in networking, they'll need to make sure the generated files work as intended for them.

[iansuvak]

My guess is not if you are not using it and network didn't run msgp:generate prior to your commit. nbd but you can msgp:ignore it which will cut down a few tests and remove unnecessary interface implementation

[cce]

Agreed, disconnectReason should be internal only and can be ignored

[cce]

You're testing for ok || true here but I assume this really means require.True(t, ok)?

[cce]

Actually it means you don't need to call tryConnectReserveAddr at all, right? Since the A->B conn is already connected, ok will always be false

[AlgoAxel]

That's right. I wrote it like this for a couple reasons:

• All the tests I wrote that use tryConnect attempt a tryConnectReserveAddr because it's how tryConnect gets used in the wsNetwork. In this case I really don't care about the value, but I would rather explicitly overload it and demonstrate/explain the difference than simply not include it.

• At the original time of writing, I was unsure of the potential side effects that tryConnectReserveAddr would have on the upcoming tryConnect, so I wanted to make sure it matched the real-world code.

[cce]

In this case it seems like you would want to assert that ok is false to assert the behavior that tryConnectReserveAddr wouldn't let you connect twice to the same address, and that it didn't lose track of the first conn's address.

[cce]

nit: identityVerified is zero so it doesn't need to be listed here (and the other wsPeer struct you fill out an identity: peerID below doesn't have the zero value initialized)

[algorandskiy]

nit

Suggested change

	type identityChallengeValue [32]byte
	type identityChallengeValue crypto.Digest

[algorandskiy]

use named error created with errors.New(...)
we are trying to eliminate errors literals and new code should not add more

[algorandskiy]

named errors

[algorandskiy]

named errors

[algorandskiy]

why disconnecting right here instead of returning Action=Disconnect as other handler do?

[algorandskiy]

modifying config that has constant/read only semantic in random parts of codebase is not good at all. Why not a local var since all the usage of it is right here?