Disconnect outbound peers on invalid chains #11568
Alternate to #11446.
Disconnect outbound (non-manual) peers that serve us block headers that are already known to be invalid, but exempt compact block announcements from such disconnects.
We restrict disconnection to outbound peers that are using up an outbound connection slot, because we rely on those peers to give us connectivity to the honest network (our inbound peers are not chosen by us and hence could all be from an attacker/sybil). Maintaining connectivity to peers that serve us invalid headers is sometimes desirable, e.g. after a soft-fork, to protect unupgraded software from being partitioned off the honest network, so we prefer to only disconnect when necessary.
Compact block announcements are exempted from this logic to comply with BIP 152, which explicitly permits nodes to relay compact blocks before fully validating them.
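The disconnect rule described above, as an added illustrative model (not Bitcoin Core's own code): a peer is marked for disconnect only when it is outbound and not manual, the headers it sent include a block already known to be invalid, and the announcement did not arrive as a compact block. The `Peer` struct, the `kKnownInvalid` set and the hash strings are constructed for this example.

```cpp
#include <cassert>
#include <set>
#include <string>
#include <vector>

// Constructed peer state: which of our connection types this peer occupies.
struct Peer {
    bool inbound;            // connection the peer opened to us; not chosen by us
    bool manual;             // -addnode / -connect peer; never auto-disconnected
    bool disconnect = false; // set when the rule decides to drop the peer
};

// Constructed sample of block hashes already known to be invalid.
static const std::set<std::string> kKnownInvalid = {"bad-block-hash"};

// Apply the PR's rule to a batch of announced headers (identified here by hash).
// Returns true when the peer has been marked for disconnect.
bool HandleHeaders(Peer& peer, const std::vector<std::string>& headers,
                   bool via_compact_block)
{
    bool sent_invalid = false;
    for (const auto& h : headers) {
        if (kKnownInvalid.count(h)) { sent_invalid = true; break; }
    }
    if (!sent_invalid) return false;

    // BIP 152 permits relaying compact blocks before full validation,
    // so a compact block announcement must not cost the peer its connection.
    if (via_compact_block) return false;

    // Only outbound, automatically chosen peers occupy a slot we rely on for
    // connectivity to the honest network; inbound and manual peers are kept.
    if (!peer.inbound && !peer.manual) peer.disconnect = true;
    return peer.disconnect;
}

int main()
{
    Peer outbound{false, false};
    assert(HandleHeaders(outbound, {"good-block-hash", "bad-block-hash"}, false));
    Peer inbound{true, false};
    assert(!HandleHeaders(inbound, {"bad-block-hash"}, false));
    return 0;
}
```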
Referenced this pull request: Oct 27, 2017
ryanofsky left a comment
utACK 8ca0ffa. Confirmed moveonly commit and that the change does seem to "Only disconnect outbound (non-manual) peers that serve us invalid blocks, and exempt compact block announcements from such disconnects." I do think it would be nice if the reasoning was explained more or the logic simplified as other reviewers suggested. It would also be nice to have a unit test to make sure this doesn't break in the future, especially if there's going to be a refactoring like Matt mentioned.
Somewhat tested ACK 4cde638.
I have a test case that proves a peer gets kicked for sending an invalid header here: https://github.com/jnewbery/bitcoin/tree/pr11568.2 so I can verify that this PR works in the positive case (i.e. it disconnects when it's supposed to). I don't think that there are corner cases where this PR might cause other changes in existing behaviour, but I haven't been able to convince myself of that.
The test case in https://github.com/jnewbery/bitcoin/tree/pr11568.2 should be reviewed and merged separately and shouldn't hold up merging or backporting this PR. It builds on #10160 which isn't yet merged, and the test itself is potentially racy so could be improved.