15:00:18 #startmeeting 15:00:18 Meeting started Tue Sep 8 15:00:18 2020 UTC. The chair is jnewbery. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:00:18 Useful Commands: #action #agreed #help #info #idea #link #topic. 15:00:29 hello 15:00:31 hi 15:00:34 hi! 15:00:35 #bitcoin-core-dev P2P Meeting: wumpus sipa gmaxwell jonasschnelli morcos luke-jr sdaftuar jtimon cfields petertodd kanzure bluematt instagibbs phantomcircuit codeshark michagogo marcofalke paveljanik NicolasDorier jl2012 achow101 meshcollider jnewbery maaku fanquake promag provoostenator aj Chris_Stewart_5 dongcarl gwillen jamesob ken281221 ryanofsky gleb moneyball kvaciral ariard digi_james 15:00:36 hi 15:00:42 amiti fjahr jeremyrubin lightlike emilengler jonatack hebasto jb55 elichai2 15:00:48 hi folks 15:00:57 hi 15:00:57 topic suggestion: gleb's PR on netgroup diversity of outbound peers 15:01:22 sure :) 15:01:39 hi 15:01:44 hi 15:02:04 one proposed topic in https://github.com/bitcoin-core/bitcoin-devwiki/wiki/P2P-IRC-meetings: Follow-up on last meeting's "What would a good transaction propagation framework look like? See a first draw Transactions propagation design goals #19820 (ariard) 15:02:05 https://github.com/bitcoin/bitcoin/issues/19820 | Transactions propagation design goals · Issue #19820 · bitcoin/bitcoin · GitHub 15:02:10 hi 15:02:35 we can start by gleb's one np 15:02:51 ok, before we get started with those topics, does anyone have any general updates on what they're working on, or what they're prioritizing? Raise your hand if you want to give an update o/ 15:03:01 Over the last 10 days I opened 4 addr-related prs… I really think addr needs some attention, and my further work is blocked on this. I know addr is not the most well-known topic. I’m willing to provide any help to facilitate that review :) 15:03:08 hi 15:03:35 oh, sdaftuar said something other than hi! 15:03:40 holla 15:03:41 Some of them is refactoring, other have important implications and fix bugs 15:03:43 hi 15:03:51 aj: hi 15:04:02 sdaftuar: nack 15:04:30 ok, well if no-one else has any general updates, I'll just share one of mine, then we can go onto proposed topics? 15:04:39 jnewbery: ack 15:04:54 yes 15:04:58 I'd still encourage review of the remaining backport #19606 15:05:01 https://github.com/bitcoin/bitcoin/issues/19606 | Backport wtxid relay to v0.20 by jnewbery · Pull Request #19606 · bitcoin/bitcoin · GitHub 15:05:34 there was some confusion about Marco's comment a few weeks ago about merge order. Is MarcoFalke here? 15:06:13 Either way, I'd encourage review. It's not a totally clean backport, but it shouldn't be impossible to review 15:06:19 quick reminder to review the bip155 and bip324 implementation PRs 15:06:41 #topic netgroup diversity of outbound peers (gleb) 15:06:48 #19860 15:06:49 https://github.com/bitcoin/bitcoin/issues/19860 | Improve diversification of new connections: privacy and stability by naumenkogs · Pull Request #19860 · bitcoin/bitcoin · GitHub 15:07:17 i suggested that topic because some of the changes are non-obvious to me, and thought discussion would help 15:07:46 This PR has some obvious improvement: e.g. don't look at current feelers when make new persistent connection, because feelers are temporary so shold not affect I believe. 15:07:53 I guess there is one nuance that is not obvious. 15:08:30 I suggested to not look at the *existent* block-relay-only conns (2 conns we have) while making *new* full relay conns. 15:08:55 Because block-relay-conns should be more private (we rely on them for anti-eclipse). 15:09:36 And someone controlling our AddrMan (e.g. by occupying all our full relay slots) may deduce which netgroups are existent block-relay-o conns are taking. 15:10:10 The disadvantage of this change is that we will have a little less diversity as a whole 15:10:24 (new full-relay conns may be in same net group with existent block relay only conns) 15:10:49 That last point is the one that I thought should be the primary consideration, as that seems like it has the greatest effect on our partition-resistance -- more diversity seems better 15:10:51 So I guess it's questionable whether this privacy benefit worth sacrificing a bit of diversity. And whether this kind of privacy threat is real, in general. 15:10:58 if someone has taken over our addrman & we're trying to open block-relay-only conns, isn't the bigger concern that we would just be opening connections to the poisoned addresses? 15:11:39 amiti: I assume that at that time we still have 2 healthy block-relay-only conns, and I want to expose them as little as possible. 15:12:16 sdaftuar: does the design goal of block-relay-only connections was to mask better block-relay topology, thus masking netgroups of such peers should be in agreement? 15:12:57 sdaftuar: I was fine with sacrificing diversity here, because it has so little effect. The only difference will be that *just two* existing block-relay-only conns may overlap with new full relay conns. 15:13:11 whats the worst attack that could be carried out if an adversary knows the netgroups of the conns? 15:13:15 And if we have more than two in the future, we can make 2 of them private, and N-2 of them overlappable. 15:13:28 gleb: is it fair to say the effect is that we'll have the same level of diversity as we did prior to block-relay-only peers being introduced? 15:13:46 amiti: they can further deduce what are those peers in the network, and evict us from them. 15:13:56 gleb: how? 15:14:06 amiti: I think about looking among available public peers in this netgroup and open connection to them to try to evict inbound slot of your victim 15:14:07 jnewbery: Yes, I think it's fair. sdaftuar? 15:14:17 gleb: we do have keyed network groups, so i am curious what you have in mind there? 15:14:51 jnewbery: yes, i think that's likely true 15:14:59 ariard: thanks! 15:15:02 ariard: the goal of the connections is twofold: 15:15:30 - the main goal is to increase the difficulty/cost/power of an adversary required to carry out a network partitioning attack against a target node 15:16:09 and the specific motivation was that our existing full-relay connections leak topology information, and fixing that is sort of hopeless in the long run, though we certainly can and should make improvements where possible 15:16:27 the questions I'd ask are: was diversity a problem to block-relay-only peers being introduced? Did block-relay-only peers make it measurably better? I guess there aren't answers to those except "more is generally better" 15:16:51 - the second goal is a bit more nebulous, but my thinking is that it's easier to get the anti-DoS tradeoffs right if we focus on the different aspects of network traffic separately 15:17:06 so for instance i think the design goals around transaction relay may leads us to different peering strategies than the design goals around block relay 15:17:46 jnewbery: In my opinion, block-relay-only connections wasn't intended to improve diversity at all. I'd say it was a side-effect benefit we got for free. 15:18:27 gleb: i think i agree, but that benefit seems so substantial that i think taking it away for the sake of privacy is hard for me to imagine, without a concrete understanding of where the privacy would be lost 15:18:40 sdaftuar: an attacker just forces us to connect to a peer from some netgroup, sees that we refuses, and deduces that our block-relay-only is in that group. 15:18:42 sdaftuar: i think you're missing one point: block-only connections increase partition resistance without the bandwidth overhead that full connections have 15:18:51 sipa: yes, thank you 15:18:57 wrt to increase the difficulty/cost/power, I think you can achieve this by either more diversity and/or more non-observability of your peerings, what gleb's PR is underscoring IMO is a potential trade-off between them 15:19:20 gleb: how can they force us to connect somewhere? 15:20:01 sipa: have all our full relay slots, feed only selected addr records of their sybils, drop connections and see us connect to one of their sybils 15:20:25 gleb: 'just forces us to connect to a peer from some netgroup' sounds very difficult. If an attacker can already do that, I think we're in a lot of trouble already 15:20:41 gleb: that sounds like they've already succesfully pattitioned us? 15:20:52 I assume a scenario when we lost all our full relay slots, but still have 2 block-relay-only slots. 15:20:57 or are trivially able to do so as well 15:21:05 do we assume that our full-relay can be discovered through transaction relay in that way you can learn their netgroups and exclude block-relay-o to be there 15:21:10 b-r-o slots don't answer addr queries i believe, so they won't help to sanitize our addr man 15:21:28 correct, or rather we ignore addr messages from our block-relay peers 15:21:36 sipa: if we had (say) 10 blocks-only connectoins and 6 tx-relay connections, it might make sense to have separate netgroups for each blocks-only peer and separate netgroups for each tx-relay peer, but not worry about overlap between the two? 15:21:56 if you can learn the full-relay peers of your victim, you can try to influence peering of those full-relay by exploiting their inbound eviction logic 15:21:59 aj: isn't more diversity still better? 15:22:19 sdaftuar: separate design goals make sense to me as well given the very different characteristics of tx relay and block relay. for instance, from what i see, last tx is frequent, many/most peers, and often in seconds. last block is rare, comes from only a few peers, over minutes and hours. 15:22:53 my thinking (but i haven't thought/looked too much) is that you want to maximize diversity of (full+blockonly), and of (full) alone 15:23:08 sipa: that lines up with my intuition as well 15:23:16 aj: I agree with these logic, but as of today full-relay we have an overlap between connections types, that's more how we address this while moving in this direction 15:23:20 *this 15:23:41 the former for partition resistance, the second for actual short-term efficient connectivity 15:24:07 I just thought that the impact of dropping block-relay-only from the full relay diversity set would be fine. It's just 2 peers. And they still be diverse among themselves. 15:24:23 sdaftuar: i guess my gut feel is that once you have sufficient diversity, then having them be independent gets you more robustness as well since one network can't interfere with the other? 15:24:36 And block-relay-only will be diverse w.r.t existent full-relay conns. Just not vice versa :) 15:24:43 sdaftuar: (2 peers not being sufficiently diverse, 6-10 maybe being sufficiently diverse) 15:24:54 aj: that seems like a good end-goal. Totally separating logic for the connection types allows us to reason about each individually and prevents potentially privacy/exploitability by not allowing information to leak between the two. 15:25:01 gleb: that part of the logic is strange to me, because the peering logic is not symmetric depending on what order you connect in? 15:25:39 jnewbery: hmm, i see the appeal for that too 15:25:41 sdaftuar: I don't see symmetry as a good goal :) 15:26:37 aj: yeah so i guess there are two goals, one is how we minimize the likelihood of being partitioned, but then maybe once we're close enough on that point, we can choose other tradeoffs e.g. for robustness/design clarity as jnewbery suggested 15:26:39 Maybe we should keep this until more block-relay-only, and then make part of them private and part of them diverse? 15:27:18 I'm still trying to wrap my head around the attack vectors in the scenario (full-relay taken over, block-relay safe). I think ofc diversity is good, but the small decrease might be worthwhile if its offering protection. but I need to understand exactly what its protecting against in order to evaluate that tradeoff. 15:27:24 it does seem like we're a long way from truly separating connection types, as long as addrman is firmly in the middle here 15:27:25 sdaftuar: looking at full only when making a new full connection, and looking at both when making a blocksonly connection... isn't that how you'd implememt maximization of diversity for (blocksonly+full) and for (full) alone? 15:27:55 sdaftuar: non-observability of victim's connections likely minimizes the likelihood of being partitioned 15:28:14 sipa: this is my exact suggestion btw. 15:28:19 amiti: i'm not there is a concrete attack beyond "8 connections is easier to partition than 10" 15:28:25 sipa: i was going to point out that achieving maximum diversity for blocksonly+full is sufficient to achieve maximum diversity for full alone 15:28:53 sdaftuar: hmm! 15:29:04 of course 15:30:04 it seems like it's ok for information about full connections to leak into our blocksonly connection logic, since blocksonly are meant to be private? 15:30:34 i think this comes down to whether we think this attack -- can we observe keyed-netgroup collisions from observed outbound connections -- is practical for some kind of attacker we're concerned about? 15:30:45 jnewbery: yeah, I think so. Because there are probably better ways to learn full conns anyway 15:31:14 sdaftuar: do you accept the setting where we lost all our full conns, but 2 block-relay-only are still healthy? 15:31:25 or you think it's unrealistic 15:31:40 if our addrman starts off healthy, then i think we're probably ok in that scenario 15:32:00 if our addrman is already poisoned but for the two block-relay only connections, i think that's a very edge-case scenario to try to optimize for 15:32:17 (i think we're ok because of feelers, maybe that's wrong) 15:32:55 i see. 15:32:57 i have a hard time imagining how that's not a problem 15:33:10 gleb: when you assume addrman poisoning, do you scope knocking-out the feeler logic by an attacker? 15:33:26 does anchor connections make gleb's scenario more likely? 15:33:41 sipa: i guess one thing that goes wrong is that eventually nodes go offline, and so in the long run you lose all your honest peers? 15:33:43 because with all normal connections sybilled, the attacker can probably start poisoning addrman, and leave you no way to recover 15:33:54 jnewbery: was wondering that. I think so 15:33:57 jnewbery: I think it makes it easier to observe them as block-relay-o become more stable? 15:34:00 (#17428) 15:34:04 https://github.com/bitcoin/bitcoin/issues/17428 | p2p: Try to preserve outbound block-relay-only connections during restart by hebasto · Pull Request #17428 · bitcoin/bitcoin · GitHub 15:34:29 sipa: does this problem get solved if we introduce some level of rotation of tx-relay peers? 15:34:40 Yeah I don't have big faith in feelers once we lost all our full conns 15:34:54 We don't even send GETADDR to feelers iirc? 15:35:00 sorry, i don't mean feelers 15:35:07 what i mean is the tried-table-collision resolution algorithm 15:35:17 that's feelers, no? 15:35:26 oh, that's interesting. 15:35:28 that's done by feelers connection 15:35:29 no, feelers are for connecting to NEW table entries and trying to mive them to tried 15:35:32 Not sure how that thing is effective. 15:35:34 yes, we call them feelers too 15:35:36 but it's confusing 15:35:50 mive? 15:35:54 move* 15:35:56 I do like the concept of not allowing any information at all to leak from our blocksonly connections into our other connection logic. Even if this particular scenario is unlikely, it's still nice to be able to count out any such similar attacks. 15:35:56 ah, move 15:36:44 thinking ahout this, i wonder if we need addr-only connections too 15:36:56 The worst diversity degradation here btw: 2 newly selected full peers are from the same netgroup as 2 existent block-relay-only conns 15:37:03 sipa: working on that stuff. 15:37:05 sipa: yeah i was thinking about that a bit as well 15:37:15 it's blocked by my 4 addr-related prs :) 15:37:23 i'm not worried about information leakage of our selection of full/blockonly connections 15:37:49 but our partitition resistance gained (assuming blockonly is diverse wrt full) is only for block connectivity 15:37:53 not for addrmam health 15:38:04 which is valuable, but shorter term 15:38:15 sipa: maybe addr-only connections should mean occassionally requery dns-seeds too (once a day or once a week, poisson'ed eg) ? 15:38:31 maybe 15:38:37 sipa: you mean an attacker can't interfere with victim's blockonly connections if it learns their netgroups? 15:38:49 aj: that leaks different information that people are concerend about i think? 15:38:56 aj: this is a follow-up for #18421 15:38:59 https://github.com/bitcoin/bitcoin/issues/18421 | Periodically update DNS caches for better privacy of non-reachable nodes by naumenkogs · Pull Request #18421 · bitcoin/bitcoin · GitHub 15:39:07 I gave up on periodic DNS queries for now :) 15:39:30 ariard: i think that if all connections that convey addr informarion are sybilled, it's game over for addrman sanity 15:39:41 ariard: and blocksonly connections cannot help with that 15:39:55 sipa: but we're not eclipsed at least? 15:40:04 sipa: one alternate implementation idea i had for syncing our chain tip with more peers, was to couple that with addrman updates 15:40:13 gleb: not eclipsed wrt to block propagation 15:40:42 sipa: sure. 15:40:43 sipa: you might still be okay for a while more until your current block-relay-only are stable, and this is already a gain 15:40:47 gleb: but you are eclipsed wrt addr relay, which means addrman will (if the situation persists) become attacker controlled 15:40:48 sipa: so that we bump a peer's status (maybe just updating its times in the tried table) only if their tip was synced to something with as much work as ours, or something like that 15:42:13 so i think this means we want full connections, blockonly connections, addronly connections... and diversity of (full+blockonly) and of (full+addronly) ? 15:42:13 i think it would be helpful to run some simulations on that point 15:42:44 or just diversity of everything, really 15:42:49 sdaftuar: if you take this info for future peers selections, you might favor even more performant peers, and tight network topology ? 15:43:27 ariard: being more or less in sync isn't a very strong preference for.performamt peers 15:43:40 just an aversion for broken ones 15:44:03 right, we could put in a tolerance of being a block or two behind, that's very different from having no knowledge of their chain 15:44:13 sipa: aren't low-grades peers really likely to be late on tip view ? 15:44:15 [13bitcoin] 15ryanofsky opened pull request #19918: sync: Replace LockAssertion with WeaklyAssertLockHeld (06master...06pr/lockb) 02https://github.com/bitcoin/bitcoin/pull/19918 15:44:41 ariard: by a few seconds maybe 15:45:32 sipa: it seems a shame to not relay blocks on addronly links 15:45:37 (or at least headers) 15:45:47 sdaftuar: agree. 15:45:58 gleb: one of your concerns was about an attackers knowing about which netgroups you're connected to. Would it make sense for each node to have their own way of dividing the address space into netgroups (eg by clustering ASs differently) 15:46:12 jnewbery: we do that already, don't we? 15:46:19 jnewbery: we do! 15:46:25 oh! Good! 15:46:28 there is an addrman key for that 15:46:33 should we have a hierarchy of types of traffic, i.e it's okay to relay public informations like block on more private ones (tx/addr) but not the reverse ? 15:46:33 that's what i said before about keyed network groups 15:46:35 I should have reviewed the AS PRs 15:46:48 sdaftuar: got it. Thanks! 15:46:58 jnewbery: this was part of the original addrman :) 15:47:06 Yeah, this part makes it a bit less realistic. 15:47:17 question: how effective is -seednode/-addnode to trusted peers as an anti-eclipse tactic? 15:47:35 sipa: ah, ok. I guess I should just review more of the code in general then :) 15:47:43 jonatack: assuming no network-level attacker, addnode is great for that 15:47:57 well, hopefully your trusted peer is also not eclipsed :) 15:48:20 jonatack: really depends of the capabilites of your eclipse attacker 15:48:43 i see no reason why you wouldn't also send blocks over addr links, agree 15:48:58 sipa: so perhaps we should have two kinds of block-relay links then 15:48:59 thanks. i seem to recall matt tweeting about doing that a while back 15:49:21 sdaftuar: I'm lost. Which kinds? 15:49:51 gleb: blocksonly and addrplusblocksonly 15:50:01 is the idea that addr-relay nodes are long-lived or short-lived (like feelers) ? 15:50:21 long-lived, i'd say 15:50:25 aj: i think they could be long lived? they would be very low bandwidth 15:50:25 I have a branch with short-lived self-announcement addr links :) 15:50:35 even if they're short-lived you want to do headers-sync on them 15:50:40 But that's different from what was discussed. 15:51:22 hi - we probably can't rely much on our addr-links staying private, or can we? 15:51:28 so blocks-only is eclipse prevention, addr+blocks is low-bw extra diversity, tx-relay is tx relay? 15:51:39 i'm actually not sure if it's better to use a connection slot on a long-lived addr+block-relay peer, than it is to just rotate our full-relay peers some and get addrman updates from the getaddr message we send 15:51:43 We have 10 minutes left and one other topic (What would a good transaction propagation framework look like? See a first draw Transactions propagation design goals) 15:51:56 ariard: are you happy to punt that to the next meeting? 15:52:01 aj: being eclipsed at the tx-relay level is really bad for offchain stuff 15:52:12 jnewbery: I feel we need it better to end on this topics 15:52:27 ariard: not as bad as being eclipsed from the most-work chain though 15:52:38 lightlike: agreed, addr relay likely leaks topology 15:52:56 sipa: (what's the blocker for getting tx relay overhaul rebased/out-of-draft?) 15:53:15 sdaftuar: have you checked out caches yet? It's getting better! 15:53:26 ariard: parse error 15:53:28 ariard: does that mean punt to next meeting? 15:53:37 aj: in fact I think that's a bit more subtle, you can close your channels without knowing what the state chain is ? 15:53:41 gleb: no idea what you're referring to... 15:53:44 jnewbery: yes next meeting :) 15:54:02 sdaftuar: #18991 15:54:06 https://github.com/bitcoin/bitcoin/issues/18991 | Cache responses to GETADDR to prevent topology leaks by naumenkogs · Pull Request #18991 · bitcoin/bitcoin · GitHub 15:54:08 gleb: oh, addr-relay privacy leaks 15:54:10 great. Thanks. That'll also give people a bit more time to read your doc here: https://github.com/bitcoin/bitcoin/issues/19820 15:54:11 sipa: if a LN node can't broadcast its punishment transaction that's worthless to see a revoked commitment transaction on the most-valid PoW chain 15:55:09 ariard: you know my thinking on that 15:55:24 ariard: if you see the revoked commitment tx, you can aggressively try connecting to many peers to find one that relays honestly; if you don't see the commitment tx at all, your opportunity to do a punishment can time out 15:55:42 aj: i have a branch where it's half done, but i got preempted by bip340/taproot stuff 15:56:07 sipa: I know, I know that's the reason to talk about #19820 next time :) 15:56:07 https://github.com/bitcoin/bitcoin/issues/19820 | Transactions propagation design goals · Issue #19820 · bitcoin/bitcoin · GitHub 15:57:39 Alright, so I think i'll turn that PR into a harmless refactoring (don't diversify by current feeler or oneshot/addr_fetch), and keep the non-diverse/more-private idea for future. 15:57:57 gleb: that sounds good to me. thanks for the discussion! 15:58:01 gleb: sounds good 15:58:12 Thanks gleb! 15:58:13 aj: you can probalistically close your channel, if you don't see block for a hour, that's likely something is wrong (but more an open question how offchain stuff should react in case of block eclipse) 15:58:43 Any final topics before we end? Remember it's feature freeze in 5 weeks (https://github.com/bitcoin/bitcoin/issues/18947) so it's a great time to shill your PRs! 15:59:10 if we're shilling, i'd love review on #19858 15:59:13 https://github.com/bitcoin/bitcoin/issues/19858 | Periodically make block-relay connections and sync headers by sdaftuar · Pull Request #19858 · bitcoin/bitcoin · GitHub 15:59:24 sdaftuar: updated #19871 in the hope to clarify outbound eviction 15:59:25 https://github.com/bitcoin/bitcoin/issues/19871 | doc: Clarify scope of eviction protection of outbound block-relay peers by ariard · Pull Request #19871 · bitcoin/bitcoin · GitHub 15:59:37 ariard: thanks, i'll take a look 15:59:39 o/ 15:59:41 i have been succesfully shilled 15:59:43 any advances on one shilling? 15:59:46 going once 15:59:46 #17785 15:59:48 It would be great to have #19643 in master and it seems RFM 15:59:48 https://github.com/bitcoin/bitcoin/issues/17785 | p2p: Unify Send and Receive protocol versions by hebasto · Pull Request #17785 · bitcoin/bitcoin · GitHub 15:59:49 going twice 15:59:51 https://github.com/bitcoin/bitcoin/issues/19643 | Add -netinfo peer connections dashboard by jonatack · Pull Request #19643 · bitcoin/bitcoin · GitHub 15:59:54 super-easy little refactoring which will unlock my future work #19843 15:59:55 https://github.com/bitcoin/bitcoin/issues/19843 | Refactoring and minor improvement for self-advertisements by naumenkogs · Pull Request #19843 · bitcoin/bitcoin · GitHub 15:59:59 #endmeeting