feat: rate limit for network messages

[Trisfald]

Implementation for rate limits of incoming network messages.
Original issue: #11617. Also supersedes #11618.

Note: rate limits are implemented but not defined with this PR; in practice, nothing should change for a node.

PR summary

This PR adds:

• A module to arbitrate rate limits using a token bucket algorithm (see token_bucket.rs)
• Convenience class to handle all rate limits of a network connection (see messages_limits.rs)
• Changes to peer_actor.rs to implement the rate limits on received messages
• Changes to the network configuration
• A new metric to count messages dropped due to rate limits
• Unit tests

Leftovers

• Make rate limits configurable, likely through config files with overrides done
• Use more accurate token allocation for some network messages, in particular the ones containing a dynamic number of elements. For reference: analysis to be done in a another PR

[Trisfald]

More boilerplate than I would like, but it make sure we don't forget to consider rate limits when adding new messages.

[codecov]

Codecov Report

Attention: Patch coverage is 97.26651% with 12 lines in your changes missing coverage. Please review.

Project coverage is 71.73%. Comparing base (af022d8) to head (f2a9246).

Files	Patch %	Lines
chain/network/src/rate_limits/messages_limits.rs	96.62%	7 Missing and 1 partial ⚠️
chain/network/src/config.rs	85.71%	1 Missing and 2 partials ⚠️
chain/network/src/rate_limits/token_bucket.rs	99.39%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #11646      +/-   ##
==========================================
+ Coverage   71.66%   71.73%   +0.07%     
==========================================
  Files         788      790       +2     
  Lines      161300   161740     +440     
  Branches   161300   161740     +440     
==========================================
+ Hits       115589   116020     +431     
- Misses      40674    40681       +7     
- Partials     5037     5039       +2     

Flag	Coverage Δ
backward-compatibility	0.23% <0.00%> (-0.01%)	⬇️
db-migration	0.23% <0.00%> (-0.01%)	⬇️
genesis-check	1.35% <0.00%> (-0.01%)	⬇️
integration-tests	37.79% <11.61%> (-0.06%)	⬇️
linux	69.11% <96.35%> (+0.06%)	⬆️
linux-nightly	71.22% <97.26%> (+0.06%)	⬆️
macos	52.60% <20.49%> (-0.06%)	⬇️
pytests	1.59% <0.00%> (-0.01%)	⬇️
sanity-checks	1.38% <0.00%> (-0.01%)	⬇️
unittests	66.32% <95.89%> (+0.08%)	⬆️
upgradability	0.28% <0.00%> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[Trisfald]

Added configuration of rate limits through overrides, in a fashion similar to existing network settings override.

[saketh-are]

Thanks Andrea, this looks great overall. I left one comment about the internals of TokenBucket for your thoughts.

[Trisfald]

I think this draft is now ready for review. IMO a good plan can be to merge this PR which has the rate limits implementation and then open another PR with the actual rate limits settings.

[saketh-are]

Looks great. The plan of adding the default limits in a separate PR sounds reasonable.

[saketh-are]

Food for thought, what purpose do you envision this log message serving?

I guess one thing it helps us to understand is which peer is sending the spam, something which the aggregate metrics (which are only labelled by variant) do not capture. Another way to check which peer is spamming us could be to look at the receive rate (in bytes) per connection, something which is reported via debug api and visible on debug pages. However, that would not be fine-grained by message variant.

Just trying to think through how this might be used and whether there might be a more efficient way to represent the same information.

[Trisfald]

Yes - the purpose would be to understanding which peer is spamming. As you said there are other ways to know know the source of the attack.

I think by default we ran at INFO level is that right? I don't think it hurts to have this debug but I don't think it brings a lot of value either

[saketh-are]

Nice

[saketh-are]

Props on thorough coverage

[saketh-are]

Maybe it would make sense to print some kind of warning if the override is lower than the default.

[Trisfald]

Changing this configuration is kinda tricky, I don't see many operators doing that - they need to know what they are doing. Is emitting warning for config changes a pattern we use in other places?

[saketh-are]

Oh hmm why do you say the configuration is tricky to change? If I want to bump up my receive rate for a certain message type, do I need to do more than adding a line to the config.json in the right place?

To answer your question, I didn't find an example of warns specifically but there are some examples here and here of checks on config values. Of course a bail! is impossible to miss (node won't start) while a warning may not even be seen, so if it's not super easy to add I wouldn't waste time on it.

[Trisfald]

Yes, it's easy once you know what to do, a simple addition to config.json.
It's just that if I put myself in the shoes of an average operator it might non-trivial to know what values to use. A knowledge problem rather than a technical one.

Personally, I think we can go without the warning and keep the bail! if validation fails, for now at least.

[tayfunelmas]

would it help to pass a Clock instance (clock.clone()) to RateLimits and call it for getting current time through different methods during the rate limiting?

[Trisfald]

I would prefer keeping the parameter an Instant which has less responsibility than a clock, because calling now() is all we do with the clock