exchange signed routing records in identify

[yusefnapora]

This is still in progress & gomod is pointing at these PR branches:

• Signed envelopes & routing records go-libp2p-core#73
• Certified addresses go-libp2p-peerstore#98

TODO:

• test
• land dependency PRs and update gomod

@vyzo this should be good enough to start hacking on

[vyzo]

thank you!

[vyzo]

looks good at first glance, just a couple of minor issues.

[yusefnapora]

@vyzo how do you feel about my last commit (028fe98)?

I added a config option to disable sending or parsing signed address records so that we could test the behavior where one peer supports them but the other doesn't. It kind of bugs me though, since the flag is only really useful for testing and it clutters up the code. I couldn't figure out a better way to test it though, short of spinning up both versions for real in something like testground.

[vyzo]

Hrm, it's not ideal but we do need to test somehow.
Perhaps give it a more explicit name that indicates it's only used for testing?

[yusefnapora]

@vyzo I updated this branch based on @raulk's design blueprint. It points to a new commit from the -core PR that defines some new event types, and I rebased this branch and the -core PR onto master, since there were a few dependency updates since I opened the PRs.

The gist is that now BasicHost emits a new EvtLocalAddressesUpdated event when it detects addresses have changed, instead of directly calling ids.Push().

There's also a new routingStateManager component in the identify service that listens for EvtLocalAddressesUpdated events and builds a new SignedRoutingState record. It emits a LocalPeerRoutingStateUpdated event, which the main identify service listens for. When the id service gets that event, it triggers the identify/push.

This adds a bit more indirection, but it should give you a way to grab new routing state record in other places outside the ID service (e.g. peer exchange).

Unfortunately, the mock network tests seem to have gotten flakier - I had to re-run them on Travis, and they seem to fail pretty often on my laptop. I'm not sure if I actually made it worse, or if there's just more spam in the error log - there's a ton of error messages from boguskey ("this better be a test!"), since it's using bogus testing keys to sign/verify the routing records.

Since the mock net tests have some assertions about timing (e.g. "expected to take ~2 seconds, took x"), it's possible that I made performance regress enough to fail the tests. It's odd that they'd fail with the bogus keys though, since they don't actually do any expensive crypto. But perhaps the event bus messes with the timing, or just the overhead of marshaling / unmarshaling the records? I've had these tests fail before, so maybe it's unrelated, but they definitely spew out a lot more errors now, thanks to the bogus key thing.

Anyway, hopefully this helps with the peer exchange stuff you're working on - you should be able to listen for EvtLocalRoutingStateUpdated from anywhere and get the latest records.

I'm off next week, but you can ping me if you're blocked on this. I'm going to switch this PR to "ready for review", but we'll need to merge the -core and -peerstore PRs first and update gomod here before we can merge this one, since it's pinned to specific commits from those branches at the moment.

[vyzo]

Is Push still called somehow? We need this to propagate our address changes to our peers.

[yusefnapora]

@raulk, @vyzo, etc

I realized that I may be aiming a gun at our foot with respect to LAN-local addresses.

As it is now in the PR, the default behavior is to filter LAN and loopback addresses out of PeerRecords before we send them out in identify, etc. There's a flag that can change this behavior so that you can include local addresses, but at the moment it's only on the IDService; I was about to bubble the option up to the libp2p.New options when I stopped to think a moment.

There are two behaviors that are problematic in tandem:

• The Peerstore will replace any existing addrs for a peer with the addrs from a PeerRecord
• There's currently nothing stopping us from sending out empty PeerRecords. A peer with only local addrs will still send out a record with an empty Addrs list after filtering the local addrs out. The receiver will then drop the existing local addrs it knows for the peer and replace with the empty set from the PeerRecord.

This effectively means that if you don't set the option to include LAN addresses in PeerRecords, anyone that happens to find your LAN address out-of-band will forget it as soon as they talk to you :(

I'd rather not make interacting with LAN peers worse by default, which I think this does. I still need to write a test case to confirm that this is happening, btw. But I started to suspect that this was a problem based on some odd behavior in earlier tests, so I don't think I'm chasing a ghost.

I'm going to write that test, but in the meantime if anyone has ideas for addressing this let me know.

The simplest option that I can think of is to change the default, so that you have to opt-out of including local addrs in PeerRecords. That has us putting a lot of irrelevant addresses on the public DHT though...

Alternatively, we could prevent you from sending signed PeerRecords in identify with no addrs in them, and change the peerstore so that it ignores records with no addrs instead of removing existing addrs. That should force everyone to fallback to the unsigned addrs that are still being sent in identify alongside the peer record, and which aren't filtered.

A more involved and annoying solution would be to have multiple kinds of PeerRecord, one with local addrs and one for public sharing on the DHT. But we'd have to revisit some assumptions to make that work.

Other ideas?

[yusefnapora]

hmm, looks like I may have introduced a race condition, and/or my tests are buggy. will investigate :)

[yusefnapora]

Regarding the problem with LAN addresses above, @raulk and I discussed in a sync chat just now and agreed that changing the default (so that LAN addresses are included in peer records) is the best option for now. This essentially gives us the status quo, but with signatures, since we're exchanging LAN addrs in identify now.

In the future, we can add specialized peer records with different scope (e.g. LAN-only, public DHT, etc), so that we can keep LAN addrs out of the records that get published globally.

[raulk]

My main request is to version the identify and identify push protocols.

[raulk]

LGTM barring the usage of a pointer in the EvtLocalPeerRecordUpdated event.

Already spoke to @yusefnapora and he's going to fix that upstream, then update this PR. Approving in anticipation!

Excellent work!

[raulk]

Reminder: we need to make a go-libp2p-core release and update the go.mod here, before we merge this. Let's:

• Fix the EvtLocalPeerRecordUpdated event.
• Obtain sign-off from @aschmahmann and/or @Stebalien that all this work, in the current shape and form, is indeed easily integratable into go-libp2p-kad-dht.

[aarshkshah1992]

ping @yusefnapora @raulk .

[yusefnapora]

@aarshkshah1992 thanks again for taking this over the line - it won't let me "approve" since I opened the PR, but I like this branch much better now!

This looks good to merge, pending @raulk's review :)

[raulk]

Some comments. Will do a second and final pass tomorrow.

[raulk]

This is fine because the channel is buffered. If the event loop is firing, we will queue the next trigger. If the channel is full, the next iteration of the event loop will pick up the update we were intending to communicate.

[raulk]

Negate the condition to short-circuit instead, and outdent the block.

[aarshkshah1992]

Done.

[raulk]

This is racy. Capture the addresses and use them when emitting the event and setting lastAddrs?

[aarshkshah1992]

@raulk Even though this code is executed in a single dedicated go-routine, have refactored this to make it easier to reason about.

[raulk]

Racy. Capture, emit and set.

[aarshkshah1992]

Done.

[raulk]

Import order.

[aarshkshah1992]

Done.

[raulk]

Import order.

[aarshkshah1992]

Done.

[raulk]

Do we need this bump?

[aarshkshah1992]

No, we do not. This was the remanent of a previous eventbus change I made that we do not need anymore.

This has been fixed.

[raulk]

host.ID()

[aarshkshah1992]

Done.

[raulk]

Fatal must be called from the main goroutine: https://golang.org/pkg/testing/#T

[aarshkshah1992]

This code is being executed on the main goroutine, not on a separate one.

[raulk]

Shouldn’t this be == -1?

[aarshkshah1992]

Completely got rid of this code as we don't really need it.

[aarshkshah1992]

@Stebalien Please can I get a review of this so we can merge it ?

[Stebalien]

I'm not sure if this should be stateful. Are we doing this to get around the fact that we don't have some form of GetPeerRecord() method as described in #747 (comment)? If so, we should just add that method.

[aarshkshah1992]

@Stebalien We have a GetPeerRecord(p peer.ID) on the peerstore now.

However, calling that when you get a EvtLocalAddressChanged event could be racy as the address you see on the event could be different fro the signed record you get from the peerstore.

This avoids that race.

[aarshkshah1992]

@Stebalien

Hmm.. we probably want to imitate this logic for the signed addresses ? Currently, we put all our addresses on the signed record which dosen't sound right.

[willscott]

it's probably also worth filtering manet.IsIPUnspecified() records in both cases.

[Stebalien]

Ideally, we'd have multiple records with different scopes. But we can tackle that later.

[aarshkshah1992]

@Stebalien Could you point me to an issue/discussion/PR to better understand the idea and scope of the address scoping work ?

[willscott]

@aarshkshah1992 I would imagine the intention would be to split record/addresses along the same policy distinction as in https://github.com/libp2p/go-libp2p-kad-dht/blob/master/dht_filters.go - a public scope for addresses the peer thinks might be valid for remote peers and is willing to drop on the public DHT, and separately the set of addresses valid for LAN peers.

[Stebalien]

#793

[aarshkshah1992]

ping @Stebalien .

[aarshkshah1992]

@Stebalien

I'm not sure if this should be stateful. Are we doing this to get around the fact that we don't have some form of GetPeerRecord() method as described in #747 (comment)? If so, we should just add that method.

Based on the new design we discussed, I think we can add /use this method because we plan to ignore the contents on the event for Identify now.

However, I'd like to merge this as is and do that change in the next PR if that's okay with you. Please can you give this one last review ?

[Stebalien]

My one concern is that we might want to change the protocol slightly when we add address scopes. I'm wondering if we should put this protocol behind a simple ExperimentSignedIdentify global variable flag so we can merge this and start testing it without accidentally deploying it on the network before we're ready.

[Stebalien]

That is, could we get this error because someone sent us a bad record? If so, we shouldn't log an error.

[Stebalien]

Ideally, we'd have multiple records with different scopes. But we can tackle that later.

[Stebalien]

Can we make this repeated? That way, we can have one record per scope (and we can add scope info to the signed peer record itself).

[Stebalien]

Note: we can also do this in a new protocol version.

[aarshkshah1992]

@Stebalien

If we do this in a new protocol version, will we make a "breaking" protocol change for it or add a new field for the multiple scoped records ?

[Stebalien]

I'd make a breaking protocol change.

[aarshkshah1992]

@Stebalien

I've addressed your comments. Just have some questions to better understand the address scoping work and the protocol changes we will need though they probably don't block this PR.

My one concern is that we might want to change the protocol slightly when we add address scopes. I'm wondering if we should put this protocol behind a simple ExperimentSignedIdentify global variable flag so we can merge this and start testing it without accidentally deploying it on the network before we're ready.

I'm not sure I understand what you mean. Do we want to block on the address scoping work before doing a full fledged release ?

[Stebalien]

I'm not sure I understand what you mean. Do we want to block on the address scoping work before doing a full fledged release ?

Eh, not really. I guess I just wanted a way to play around with this first before we made it the default.

But honestly, it's fine. If we find we don't like something, we can always introduce a new protocol version.

[Stebalien]

Naming:

ID1_1_0
ID1_0_0

?

[Stebalien]

Because we're going to add more in the future.

[Stebalien]

Nit: mutex-hat (lock goes above the record)

[aarshkshah1992]

@Stebalien We will anyways get rid of this once we have the GetRecord function in the next PR.

[Stebalien]

#793

[Stebalien]

Thank you for your patience! LGTM!

[raulk]

This does not compile, and master is broken:

⟩ go build ./...
go: downloading github.com/libp2p/go-libp2p-core v0.5.2
go: downloading github.com/miekg/dns v1.1.28
# github.com/libp2p/go-libp2p/p2p/protocol/identify
p2p/protocol/identify/id.go:207:14: cannot use &rec (type **record.Envelope) as type *record.Envelope in assignment