Refactor network message deserialization (net processing)
- Today’s PR under review is part of on-going work by
on BIP 324: Version 2 Peer-to-Peer Message Transport Protocol. Here are some
resources to learn more about it, or as a refresher:
- BIP 324 draft proposal by Jonas Schnelli
- P2P Encryption presentation at CoreDev by Jonas Schnelli, transcript by Bryan Bishop (kanzure)
- BIP 324 keynote presentation at Breaking Bitcoin by Jonas Schnelli (43 slides)
- BIP 324 presentation at Chaincode Labs by Jon Atack (8 slides, a quick summary if you are short on time)
- BIP 324 PRs that have been merged:
- A short follow-up PR you can review after this one:
- PR 16562 Refactor message transport packaging — refactors packaging logic, versus deserialization in today’s PR
- If you add any tests, assertions or logs while reviewing today’s PR, please save the diff in a public gist! We can share links to see what we tested.
Did you review the PR? Concept ACK, approach ACK, tested ACK, or NACK?
Why was this PR written and considered high-priority?
Which roles and classes are being separated in the first commit?
Why is a unique_ptr used rather than a shared_ptr? What are the trade-offs? Is this mentioned in the Bitcoin Core developer notes?
Describe the Adapter pattern in 1-2 sentences. What is another frequent name for it? What are two general kinds of adapters? Which of the two kinds is more flexible, and what might be the trade-off? Which kind is used in this PR, and who are the participants (target, client, adaptee, adapter)?
Any other comments, feedback, or questions?
19:00 <jonatack> Hi all! Welcome to this week's episode of the Bitcoin Core PR Review club. 19:00 <fjahr> hi 19:00 <pinheadmz> hi 19:00 <sebastiavstaa> hi 19:00 <jonatack> We usually start Bitcoin Core IRC meetings with a 'hi' so it's clear who's at keyboard. Feel free to say hi here! 19:00 <gorazdko> hi 19:01 <michaelfolkson> Holla 19:01 <jonatack> This week, we're talking about PR16202 - "Refactor network message deserialization" by jonasschnelli. 19:01 <jonatack> The PR is part of on-going work by jonasschnelli on BIP 324: Version 2 Peer-to-Peer Message Transport Protocol. 19:01 <lightlike> hi 19:01 <zenogais> hi all 19:02 <sosthene> hi 19:02 <jonatack> jonasschnelli: By any chance, are you here? Would you like to say anything about this PR or the next steps for BIP 324? Feel free to jump in. 19:03 <jonatack> Let's get started. Did you review the PR? What are your thoughts... Concept ACK, approach ACK, tested ACK, NACK? 19:03 <fjahr> tested ACK although I did not have much time to look at the code 19:04 <zenogais> Tested ACK. I was able to review the whole PR as well as test it. 19:04 <lightlike> concept ack, haven't understood the code yet completely. 19:04 <jonatack> fjahr: Excellent. 19:04 <jonatack> etscrivner: jkczyz: Great to see your reviews of the PR on GitHub! 19:04 ⚡ zenogais is etscrivner btw 19:04 <jonatack> zenogais: thanks! 19:05 <jonatack> How did you all test the changes? 19:05 <sebastiavstaa> built and ran the tests. 19:05 <zenogais> I ran the unit and functional tests. Also used my own P2P library in C to run some manual tests and make sure things worked as I expected. 19:05 <jonatack> Did anyone add any tests, assertions, or custom logging to test the PR? 19:06 <pinheadmz> built and tested, broke the test and tested the test :-) 19:06 <pinheadmz> just the one test that was altered, the error message is changed 19:06 <pinheadmz> I assume because its a refactor, the existing tests cover and protect against regression. 19:06 <jonatack> On my end, I added some logging for sanity checks https://gist.github.com/jonatack/d6a228878e6ef5f582ff75c974f2d6c3 19:06 <jonatack> and would like to run the changes through gdb tomorrow for my review, since p2p can be a risky area. 19:06 <sosthene> I do have a question that is more about the whole BIP than this PR. I remember some time ago evoskuil criticizing the BIP on Twitter I think, but I couldn't find the thread again. So what could be controversial about it? 19:06 <sosthene> (if anyone knows what I'm talking about and can link to evoskuil arguments I would be very grateful) 19:07 <jonatack> sosthene: I wasn't aware of controversy regarding BIP 324. 19:08 <zenogais> Might be useful to have some sort of P2P fuzzing also (if it doesn't already exist). 19:08 <pinheadmz> jonatack: that's cool - these properties i.e. `msg.m_command` are new to this PR right? 19:08 <sosthene> jonatack: I guess that's evoskuil vs the rest of the world then 19:09 <jonatack> pinheadmz: yeah, I want to see the values as a sanity check 19:09 <jonatack> sosthene: if you have a link please share! 19:09 <michaelfolkson> Nor me, sorry sosthene. Perhaps contact him? 19:10 <jonatack> zenogais: Fuzzing is one area I think the maintainers would be very happy to see additional tests or data for. 19:10 <jonatack> MarcoFalke is the primary contact for that. See also doc/fuzzing.md. 19:10 <michaelfolkson> I didn't stumble on any conceptual downsides to this BIP 19:11 <zenogais> jonatack: Thanks, will give it a look. Have been thinking about P2P fuzzing specifically for a couple of weeks now. 19:12 <jonasschnelli> hi 19:12 <jkczyz> hi 19:12 ⚡ zenogais waves 19:12 <jonatack> jonasschnelli: Hi, thanks for coming by! 19:13 <jonasschnelli> Sorry for being late 19:13 <jonatack> jkczyz: Hi, and thank you for reviewing the PR. 19:13 ⚡ jonasschnelli is reading back 19:13 ⚡ next-defection thumbs up to fuzzing 19:13 <jonasschnelli> Should I explain why I did this PR (PR16202)? 19:13 <jonatack> jonasschnelli: Would you like to say anything about this PR, or the next steps for BIP 324? 19:13 <jonatack> jonasschnelli: Yes, please! 19:13 <lightlike> here is a link to the points by evoskuil: https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-March/016810.html 19:14 <sosthene> I found it https://twitter.com/evoskuil/status/825089930221064192 19:14 <jonasschnelli> PR16202 is just about adding flexibility for allowing multiple transport protocol 19:14 <jonatack> jkczyz: (we were discussing how people tested the PR, if you would like to share what you did to test it) 19:15 <sosthene> and this wrt BIP151 https://github.com/bitcoin/bips/wiki/Comments:BIP-0151 19:15 <jonasschnelli> It is necessary for any forms of protocol upgrades and also a nice refactor if nothing gets added (which we don't hope). 19:15 <jonasschnelli> evoskuil's points are valid,... not sure if the overall desire (or dislike) of encryption is something we should discuss here. 19:15 <jonasschnelli> But we can... 19:15 <jonatack> jonasschnelli: What are the next BIP324 PRs we should review after this one is hopefully in? 19:16 <jonatack> jonasschnelli: and after PR #16562: Refactor message transport packaging https://github.com/bitcoin/bitcoin/pull/16562 19:16 <jonasschnelli> Yes... that one is in alignment with the deserialization. 19:16 <jonasschnelli> I have a branch I'd like to open after those two PRs have been merged. 19:17 <jonasschnelli> Both PRs are pretty much straightforward with little to no impact. 19:18 <michaelfolkson> What was the thinking behind separating the serialization and deserialization into two PRs? Safety or just cleaner? 19:18 <pinheadmz> jonasschnelli: how often would a node generate a new key for DH? every new peer connection? every restart? just once? 19:18 <jonasschnelli> michaelfolkson: I always try to make PRs as small as possible if they allow to be splitted. 19:18 <jkczyz> jonatack: Wasn't able to test, only reviewied this morning. Busy last week on the job. :) 19:19 <jonatack> michaelfolkson: Not to speak for jonasschnelli but it's usually easier for smaller changes to get review and merged quickly. 19:19 <jonasschnelli> pinheadmz: it's described in the BIP. The DH key is generated once during the encryption handshake. 19:19 <jonasschnelli> But we do rekey every <1GB 19:19 <jonatack> michaelfolkson: it's generally good to keep PRs focused. 19:20 <michaelfolkson> Makes sense. The deserialization PR isn't much use without the serialization PR though, is it? 19:20 <jonasschnelli> large PRs in risky areas (like the p2p field) tend to loop forever in rebase limbo. :) 19:20 <jonatack> jkczyz: I understand :) 19:20 <jonasschnelli> michaelfolkson: They are independent. 19:20 <jonasschnelli> But for BIP324, we need both in the end 19:20 <jonasschnelli> But they are both refactors that are valid on their own 19:20 <michaelfolkson> Ok thanks 19:21 <jonatack> jonasschnelli: Is this PR still a prerequisite for https://github.com/bitcoin/bitcoin/pull/14032 19:22 <jonatack> "Add p2p layer encryption with ECDH/ChaCha20Poly1305 #14032" ... on the road to implementing BIP324? 19:22 <zenogais> One comment: Separating serialization from message data structure is I'm thinking cleaner overall, even if this wasn't in order to add V2 serialization I still think it's a good refactor. 19:22 <jonasschnelli> jonatack: yes. Somehow. But they need refactor once 16202 lands. 19:22 <jonatack> jonasschnelli: right. 19:23 <jonatack> As the review club improves over time, it would be great to see us tackle the high priority PRs more often. 19:23 <jonasschnelli> in general, the criticism about no need for encryption (voskuli) since it's all public anyways looks valid at first sight,... but 19:24 <jonasschnelli> BIP324 eliminates passive observing and adds detectability of a MITM 19:24 <jonasschnelli> its opportunistic encryption and therefore a building block 19:25 <zenogais> jonasschnelli: It sounds like MITM detection is optional and must be done manually by peers though via side-channel? 19:25 <sosthene> It seems Eric is arguing that MITM detection would hard in practice, since nodes would need to exchange session ID over safe channels. 19:26 <jonasschnelli> zenogais: yes. BIP324 has no MITM detectability next to manual comparison of session IDs... 19:26 <jonasschnelli> but.... 19:26 <jonasschnelli> An attacker needs to take the risk of being detected... which is a big difference to the current status quo. 19:26 <zenogais> Protection against passive observability is still probably a pretty big win for most users. 19:26 <jonasschnelli> he cannot know if an authentication happens after he has mitm-led the encryption 19:27 <jonasschnelli> usually detectable observing and tampering is much less valuable for an attacker 19:27 <next-defection> I disagree with the critiques brought up by evoskuli, P2P encryption increase observation costs (undeniable) 19:27 <zenogais> Yeah, and optional MITM detection is still better than V1. 19:28 <jonasschnelli> right now,... everyone on the network between two peers can delay a block... peers cannot detect that and the attacker can be sure of that. 19:28 <next-defection> even if "but MITM is still possible" "better is the enemy of good" situations are present 19:29 <jonasschnelli> Yes. And there are schemes (Pieter Wuille's for example) building on top of BIP324, that would broad scale detect MITMs. 19:29 <next-defection> the blockchain stores a limited set of information, it doesn't store the transport information which is highly valuable to well-funded attackers 19:30 <jonasschnelli> Yes. The p2p traffic is in general not considered public. 19:30 <jonasschnelli> But chain analysis will still be possible with BIP324. 19:31 <jonasschnelli> (since this is very likely active listening) 19:31 <sosthene> Does it still make sense to use Tor with this "native" encryption? 19:31 <sosthene> I mean, does it bring any extra security or is it negligible? 19:31 <jonasschnelli> Tor is an alternative,.. though a slightly different threat model (mostly censorship) 19:31 <jonasschnelli> But... the great thing is, we can run BIP324 through tor 19:31 <jonasschnelli> at no cost 19:31 <jonasschnelli> (faster, less bandwidth) 19:32 <jonatack> sosthene: IIRC, BIP 324 makes targeting more difficult for SPV nodes and those not using a VPN or Tor, but Tor is still valid with it. 19:32 <jonasschnelli> BIP324 is our own encryption with no dependencies. Simple and effective. 19:33 <jonasschnelli> Additionally, you can circumvent censorship or connectivity issues with tor. 19:34 <jonasschnelli> Right now,... there are a bunch of people connecting their mobile wallets (Green, BRD, Schildbach) to their nodes with a IPv4 19:34 <jonasschnelli> Which is _absolutely_ not secure. 19:34 <sosthene> jonatack: (I just finished running all the tests, finally! all passed :) 19:34 <jonasschnelli> (and those users assume to preserve privacy) 19:35 <jonasschnelli> however, to solve that non-tor connection, we need BIP150 19:35 <jonasschnelli> (which may follow after BIP324) 19:36 <jonatack> BIP150: https://github.com/bitcoin/bips/blob/master/bip-0150.mediawiki 19:36 <jonatack> "This BIP describes a way for peers to authenticate to other peers to guarantee node ownership and/or allow peers to access additional or limited node services, without the possibility of fingerprinting." 19:37 <jonasschnelli> But one thing after another. :) PR16202 is a baby step forwards. 19:38 <michaelfolkson> Re the new message structure. Variable size message is big win. You also got rid of the magic bytes? 19:38 <jonasschnelli> Yes. 19:39 <michaelfolkson> Why? Not needed? 19:40 <michaelfolkson> I suppose not. 19:40 <jonasschnelli> I don't think it's needed. We have port for specific network. And it would fail anyways quickly. 19:40 <jonatack> jonasschnelli: When working on changes to the p2p network, are there any particular ways you test that the changes are working as intended? 19:41 <jonatack> We don't really have a framework yet for p2p simulation. 19:41 <jonasschnelli> jonatack: I think the test framework covers a lot. Though, running such PRs for a while (couple of days) on a node may reveal more details. 19:41 <zenogais> So net magic isn't needed to avoid peering with wrong network peers? 19:41 <jonasschnelli> zenogais: yes... I think that was the intention. 19:42 <jonasschnelli> But the cost of 4 bytes per every message (and ~50% are less then 64 bytes) is quite high. 19:42 <zenogais> Right, I suppose it could just be part of the handshake. 19:43 <jonasschnelli> Yes. Maybe this is not a bad idea. 19:44 <jonatack> Shorter INVs are a win since they make up so many of the messages. 19:44 <jonasschnelli> Yes. 19:44 <zenogais> Without seeing the network magic bytes at least once, I could see scenarios where nodes incorrectly peer - especially if they're sync from scratch. 19:44 <jonasschnelli> The network magic could maybe be added to the HKDF 19:44 <jonasschnelli> https://gist.github.com/jonasschnelli/c530ea8421b8d0e80c51486325587c52#symmetric-encryption-cipher-keys 19:44 <jonasschnelli> instead of `PRK = HKDF_EXTRACT(hash=SHA256, salt="BitcoinSharedSecret||INITIATOR_32BYTES_PUBKEY||RESPONDER_32BYTES_PUBKEY", ikm=ECDH_KEY)` 19:44 <jonasschnelli> make `PRK = HKDF_EXTRACT(hash=SHA256, salt="NETWORK_MAGIC||BitcoinSharedSecret||INITIATOR_32BYTES_PUBKEY||RESPONDER_32BYTES_PUBKEY", ikm=ECDH_KEY)` 19:45 <jonasschnelli> A handshake on the wrong network would just fail. 19:45 <zenogais> Ah nice, yeah that would work perfectly. 19:45 <jonasschnelli> Good point zenogais. I'll add others for feedback on that idea. 19:45 <jkczyz> jonatack: High priority because it allows two separate transport implementations would be my educated guess. 19:46 <jonasschnelli> High priority is a per-developer thing. I consider it high-prio/blocker for my work. 19:46 <jonasschnelli> Since we have no central planning, every active developer can add stuff to the high-prio list 19:46 <jonasschnelli> (to avoid central planning) 19:46 <michaelfolkson> It is a blocker to other PRs yeah 19:47 <michaelfolkson> And for a direction that seems to have broad consensus, bar Eric. 19:48 <jonasschnelli> I think most people agree that it is a useful thing. 19:48 <jonasschnelli> We have also already merged the cryptographic primitives (chacha20, poly1305, hkdf) as well as the AEAD 19:48 <jonasschnelli> (which are less risky since they are only used in tests). 19:50 <jonatack> Improving privacy is so essential. A thousand thank you's, Jonas, for your work on this. 19:50 <jonasschnelli> Thanks for reviewing guys! 19:50 <zenogais> Yeah, this is great work, really looking forward to the V2 transport stuff. 19:50 <jonatack> The best way each of us can help jonasschnelli move BIP 324 forward, is to review these PRs. 19:50 <jonatack> Let's all get our review in tomorrow for those who haven't yet. 19:51 <sosthene> jonasschnelli: Thanks, it was great to have you here. 19:51 <jonatack> Ten minutes left. I'm glad we've been able to discuss these important issues. Any other comments, feedback, or questions? 19:51 <michaelfolkson> In terms of future work, jonatack you referred to 64 byte public keys and randomizing ports. Can you elaborate? 19:52 <michaelfolkson> Also found it interesting that there could be different authentication schemes. 19:52 <lightlike> do you think that v2 will take over completely, or do you think both v1 and v2 will coexist for a long time? 19:52 <jonasschnelli> I think so. 19:52 <jonatack> michaelfolkson: You mean in my slides? They were only a quick summary of jonasschnelli's complete slides. 19:52 <jonatack> michaelfolkson:, lightlike: Great questions. 19:53 <michaelfolkson> Ah ok. I'll look back at Jonas' slides. 19:53 <jonasschnelli> I think randomising ports would go into the direction of censorship resistance which is very complicated and I think this should be done on other layers like tor 19:54 <jonasschnelli> even with randomised ports, by looking at the package size and burst-characteristics, identifying bitcoin traffic is trivial. 19:55 <jonasschnelli> lightlike: back to the v1/v2 question. I think, when there are enough peers supporting v2, people may disable v1 19:55 <jonasschnelli> but sadly its a slow transition 19:56 <jonasschnelli> (unless v1 gets exploited which is unlikely). 19:57 <jonatack> jonasschnelli: Would you see v2 on by default in future releases? Or after a certain level of v2 adoption? 19:57 <jonasschnelli> I hope... I guess this is the plan. Though time will show and it needs enough people willing to run v2. 19:58 <jonatack> Privacy may turn out to be a good motivation. 19:58 <michaelfolkson> Less systemic risk if half the network is running v1 and half is running v2 rather than everyone running v2 :) 19:58 <jonatack> If anyone wants to continue with other questions after we wrap up, I'll hang around. 19:59 <jkczyz> jonasschnelli: I have a suggestion regarding TransportDeserializer's interface but will leave a new comment on the PR. 19:59 <jonasschnelli> thanks jkczyz 19:59 <jonasschnelli> I'll try to tackle the comments by tomorrow 20:00 <jonatack> Thanks, everyone, for participating this week! 20:00 <jonatack> Thanks jonasschnelli for coming by! 20:00 <michaelfolkson> Thanks both 20:00 <lightlike> thanks jonatack, jonasschnelli! 20:00 <jonasschnelli> thanks all 20:00 <zenogais> Thanks all, appreciate you fielding our questions jonasschnelli 20:00 <sebastiavstaa> thanks all
At 19:52 in the meeting log, I wrote that more information about the 64-byte public keys and port randomisation mentioned in my presentation could be found in Jonas Schnelli’s slides. More precisely, those discussions are from Jonas Schnelli’s P2P Encryption presentation at CoreDev in June 2019. I added a link to that resource to the notes above. Cheers - Jon Atack