Manual block-relay-only connections with addnode (rpc/rest/zmq, p2p)

https://github.com/bitcoin/bitcoin/pull/24170

Host: mzumsande  -  PR author: mzumsande

The PR branch HEAD was 629a6f4 at the time of this review club meeting.

Notes

  • Using Bitcoin Core on privacy networks such as Tor is good for enhancing the privacy of own transactions and not revealing identity in general. However, Tor-only mode is not without risks: Tor-only nodes may be susceptible to eclipse attacks, man-in-the-middle attacks and other types of attacks (see e.g. Biryukov, Pustogarov: Bitcoin over Tor isn’t a good idea (2015)).

  • To counter these downsides, some node operators might want to mainly be on a privacy network, but still have a few manually picked clearnet peers that help them stay on the best chain. Currently, this would lead to transactions and addresses being relayed over these connections and would also open up the possibility of fingerprinting attacks, e.g. connecting a node’s onion address to its clearnet IP.

  • Manual connections are additional outbound connections handpicked by the node operator. They are regarded as trusted, so that a misbehaving manual peer is not punished or disconnected in certain situations where an automatic peer would be.

  • After Issue #23763 was opened requesting this, PR #24170 introduces the option of specifying manual connections that are block-relay-only, i.e. don’t participate in transaction or address relay.

Questions

  1. Did you review the PR? Concept ACK, approach ACK, tested ACK, or NACK?

  2. Why could peers that are only active on privacy networks such as Tor be more susceptible to eclipse attacks compared to clearnet-only peers?

  3. What is the difference between the onetry and add modes in the addnode RPC?

  4. What are the different options of adding a manual-block-relay peer that this PR introduces? Did you try one out?

  5. The PR introduces a new connection type MANUAL_BLOCK_RELAY that combines the properties of MANUAL and BLOCK_RELAY peers. What are the advantages and disadvantages of having an extra connection type, as opposed to combining the logic of the existing ones?

  6. BIP324, encrypted p2p traffic, is another privacy-enhancing feature currently under development and review. What types of attacks that this PR tries to mitigate are fixed by BIP324? Which ones aren’t?

Meeting Log

  117:00 <lightlike> #startmeeting
  217:00 <lightlike> hi!
  317:00 <stickies-v> hi!
  417:00 <BlueMoon> Hello!!
  517:00 <svav> Hi
  617:00 <schmidty> hi
  717:01 <BlueMoon> Greetings from Mexico
  817:01 <lightlike> welcome to the review club!
  917:01 <brunoerg> hi!
 1017:01 <lightlike> anyone here for the first time?
 1117:02 <lightlike> seems not to be the case....
 1217:02 <lightlike> today's meeting is about #24170 - Manual block-relay-only connections with addnode
 1317:02 <larryruane> hi
 1417:03 <Bitcoin_Hodler> hello
 1517:03 <lightlike> who got the chance to look at this week's Pr (y/n)?
 1617:03 <Bitcoin_Hodler> n
 1717:03 <brunoerg> 0.7y
 1817:03 <schmidty> y
 1917:03 <stickies-v> mostly went over the notes
 2017:03 <svav> I read the notes
 2117:04 <BlueMoon> I did some reading
 2217:04 <lightlike> cool - and what was your impression?
 2317:04 <larryruane> y
 2417:04 <larryruane> 👍
 2517:04 <lightlike> I'm particularly interested in whether this is something people would actually consider using (since it's an optional feature)
 2617:06 <BlueMoon> Nodes using Tor may be susceptible to eclipse attacks.
 2717:06 <larryruane> I can't think that I would actually use it, because for one thing, I don't know what node IP I would add ... but I would think power users would find this useful
 2817:06 <brunoerg> larryruane: +1
 2917:06 <stickies-v> same as larryruane. I also think that as more of the people I know personally run full nodes, this may become really useful
 3017:07 <larryruane> I did have one quick question related to it being optional ... If a node is running Tor-enabled, would it be a good idea to automatically make one of the outbound block-relay-only nodes non-tor
 3117:07 <schmidty> lightlike: I had a similar question. Demand for such a feature and esp people that would use this and NOT use another privacy network per jonatack (https://github.com/bitcoin/bitcoin/issues/23763#issuecomment-1023500127)
 3217:07 <larryruane> (or i should say, by default, instead of automatically)
 3317:08 <lightlike> larryruane: that would be another option. however, it might not be what people expect who specify "onlynet=tor" (and maybe don't care that much about eclipse attacks)
 3417:09 <vnprc> lightlike: I like to run multiple nodes and bridge the various networks. I am definitely interested in this feature for improved privacy between these nodes.
 3517:10 <larryruane> "onlynet=tor" yes good point, I thought of that ... it may surprise people to see a non-tor connection if they've specified tor only
 3617:10 <lightlike> schmidty: I'm not sure about the state of bitcoin on additional privacy networks such as I2P or Tor. They seem to have a rather small userbase so far.
 3717:11 <lightlike> sorry, I meant i2P or CJDNS, not Tor, which has lots of nodes
 3817:12 <lightlike> vnprc: thanks, that's good to know!
 3917:12 <larryruane> at a very general level, I've noticed it's difficult for us to know how many users would use a new feature, or after it's released, how many are using it ... as compared to traditional corporate closed-source software (that i'm more used to), where the company has a customer list that they can just poll
 4017:12 <larryruane> (we don't have to talk about that, just an observation)
 4117:13 <lightlike> also, I think that there may be some inherent weaknesses that privacy network share as opposed to clearnet - which brings us to the first question:
 4217:13 <lightlike> Why could peers that are only active on privacy networks such as Tor be more susceptible to eclipse attacks compared to clearnet-only peers?
 4317:13 <larryruane> lightlike: With clearnet, a node can choose peers that it knows are "far apart" based on their IP addresses. With tor, we have no idea where our peers are, they could all be colocated and belong to an attacker.
 4417:14 <brunoerg> it's harder to identify the peers in Tor
 4517:15 <larryruane> (i put "far apart" in quotes because they may not be physically apart, but are likely owned by different orgs)
 4617:15 <lightlike> larryruane: yes, exactly. The connection making logic is based on the fact that we can establish some sort of "variety" by choosing peers from different netgroups. Onion addresses don't have that.
 4717:15 <larryruane> I was thinking this would be a great question for stackexchange!
 4817:15 <larryruane> (i looked there for this question or similar but didn't find anything)
 4917:16 <svav> Just the fact that there are fewer modes on Tor means there is increased vulnerability for an eclipse attack.
 5017:16 <lightlike> and while I'm not that knowledgable about I2P and CJDNS, I suspect it might be similar.
 5117:16 <svav> *nodes*
 5217:16 <larryruane> svav: +1
 5317:16 <stickies-v> I also read that it seems quite trivial to make a node blacklist non-attacker exit nodes, so that with sufficient iterations only/mostly attacker exit nodes remain - is that understanding correct?
 5417:16 <lightlike> svav: that is a good point about the smaller privacy networks, but I'm not sure it still applies to Tor:
 5517:17 <lightlike> svav: https://bitnodes.io/nodes/ tells me that of 15k reachable nodes, approximatle half of them are Tor nodes!
 5617:17 <larryruane> stickies-v: oh wow, that's subtle! (not sure how that would work)
 5717:17 <lightlike> I found this really surprising
 5817:18 <larryruane> yeah I'm running a RPi mynode, and have tor enabled ... (I tried to have tor enabled during IBD but it was super slow, so turned it off until it synced)
 5917:18 <stickies-v> larryruane it's explained in "D. Banning Tor Exit nodes" of the paper linked in the notes: https://www.ieee-security.org/TC/SP2015/papers-archived/6949a122.pdf
 6017:20 <lightlike> I don't know whether this still applies today (the paper is quite old, 2005)
 6117:20 <yashraj> That might be 2015
 6217:20 <lightlike> oops yes, of course :-)
 6317:20 <BlueMoon> I did the same as larryruane turned it off until it synced.
 6417:20 <BlueMoon> I thought the same thing is from 2015
 6517:21 <stickies-v> (was just submitting a PR to fix the 2005 typo haha)
 6617:23 <lightlike> larryruane: do you run tor-only? Or do you also have some connections via IPv4 or Ipv6?
 6717:23 <yashraj> stickies-v: beat me to it lol
 6817:23 <evanlinjin> How do we determine whether the paper is still relevant?
 6917:25 <yashraj> evanlinjin: agree, and/or that sipa etc haven't addressed the concerns already?
 7017:25 <lightlike> evanlinjin: we'd probably have to ask tor experts. Maybe asking on stackoverflow would be a good idea for this too.
 7117:26 <lightlike> Ok, let's move to the next question:
 7217:26 <lightlike> What is the difference between the onetry and add modes in the addnode RPC?
 7317:27 <stickies-v> lightlike would you agree that if the 2015 paper attack vector is not applicable anymore, the eclipse attack vector for tor-only connections seems quite limited, since it doesn't allow for a *targeted* attack?
 7417:27 <larryruane> lightlike: the mynode that I'm running is tor-only, but to test this PR, I added a manual block-relay-only, and it's clearnet (not tor), so the PR is working! (I'm running the PR branch on the RPi mynode)
 7517:28 <BlueMoon> I saw that with onetry you only use it to connect it once.
 7617:28 <lightlike> larryruane: That's great!
 7717:29 <lightlike> BlueMoon: Yes, correct!
 7817:29 <larryruane> onetry calls `connman.OpenNetworkConnection()` on the specified address https://github.com/bitcoin/bitcoin/pull/24170/files#diff-2ae094f9329ce9498e1b4a9cb7767945b54a33b4ee9fed4f0ba401a98e1683c1R322 which either works or it doesn't
 7917:30 <larryruane> addnode add calls `connman.AddNode()` which adds the node address to m_added_nodes. ... then there's a separate thread,
 8017:30 <larryruane> CConnman::ThreadOpenAddedConnections()`, repeatedly tries `OpenNetworkConnection()` on each item on this list. So it keeps retrying. https://github.com/bitcoin/bitcoin/pull/24170/files#diff-00021eed586a482abdb09d6cdada1d90115abe988a91421851960e26658bed02R2268
 8117:31 <lightlike> larryruane: Yes, great answer!
 8217:32 <lightlike> Next q: What are the different options of adding a manual-block-relay peer that this PR introduces?
 8317:32 <BlueMoon> Thanks!! very comprehensive response
 8417:33 <stickies-v> blatantly copying from your notes:
 8517:33 <stickies-v> - can be specified with -addnode RPC, both with the add and onetry command
 8617:33 <stickies-v> - can be specified with the -addnode bitcoind arg (or in bitcoin.conf) with <IP>=manual-block-relay
 8717:34 <larryruane> stickies-v: +1 ... and when you use the command line arg (or config file), `onetry` isn't an option
 8817:34 <larryruane> addnode: https://github.com/bitcoin/bitcoin/pull/24170/files#diff-2ae094f9329ce9498e1b4a9cb7767945b54a33b4ee9fed4f0ba401a98e1683c1R281
 8917:34 <larryruane> arg (or config): https://github.com/bitcoin/bitcoin/pull/24170/files#diff-b1e19192258d83199d8adaa5ac31f067af98f63554bfdd679bd8e8073815e69dR445
 9017:35 <lightlike> Right. It's a bit strange that "addnode" is both a RPC and a command line arg, because you can't just add additional parameters to it and need to do some string parsing instead...
 9117:36 <larryruane> (oops sorry I think that second link references the wrong line number.. but it's close to there)
 9217:36 <schmidty> That’s helpful, thanks larryruane
 9317:36 <lightlike> On the other hand, the startup option is probably more important than the RPC, because people might want to have a fixed list of manually added peers in their bitcoin.conf
 9417:38 <lightlike> larryruane: Yes, "onetry" probably doesn't make a lot of sense as a bitcoind arg.
 9517:39 <lightlike> Next question: The PR introduces a new connection type MANUAL_BLOCK_RELAY that combines the properties of MANUAL and BLOCK_RELAY peers. What are the advantages and disadvantages of having an extra connection type, as opposed to combining the logic of the existing ones?
 9617:40 <svav> You can give it specific properties for security purposes, e.g. does not broadcast addresses.
 9717:40 <lightlike> (I originally considered to not have an extra connection type)
 9817:41 <BlueMoon> <3
 9917:41 <yashraj> we don't want to punish MANUAL_BLOCK_RELAY peers for certain behaviour we would punish BLOCK_RELAY peers?
10017:42 <larryruane> I think an advantage of having a type, instead of just a bool (to enable block-relay) is that having a type makes it more extensible, in case we want to add more manual connection types in the future
10117:43 <lightlike> yashraj: Yes, that's correct. But that could have been coded in as well, without extending the ConnectionType Enum, just by combining the features of the existing MANUAL and BLOCK RELAY connection types.
10217:45 <lightlike> My reason was that this makes the code easier to read and argue about. The "flattened" enum of connection types was introduced in https://github.com/bitcoin/bitcoin/pull/19316 , which simplified the logic a lot (it was really convoluted before, if I remember correctly).
10317:46 <lightlike> I think one downside is that if we decide to combine more connection types over time, this enum could become too long (there are many combinatorial possibilities, even if most don't make sense).
10417:47 <sipa> I think the underlying theory behind that enum is exactly that we expect that newly added features in the connection logic will not result in combinatorial explosions in it.
10517:47 <stickies-v> I think John summarizes the essence of the problem quite well in #19316: "I think we definitely don't want a bitmask of different connection capabilities. That leads to an combinatorial explosion of connection types that you need to either test or explicitly disallow."
10617:47 <stickies-v> oh well it's been summarized here already too, sorry
10717:48 <larryruane> I think flatter is better in general! even if (I guess this is the disadvantage) you have to test for (for example) `MANUAL` _or_ `MANUAL_BLOCK_RELAY` in many places ... but you can hide that in a single function (which I think you did)
10817:49 <lightlike> larryruane: yes, that's correct, "IsBlockRelayConn()"
10917:49 <lightlike> ok, let's move on to the last question:
11017:49 <lightlike> BIP324, encrypted p2p traffic, is another privacy-enhancing feature currently under development and review. What types of attacks that this PR tries to mitigate are fixed by BIP324? Which ones aren’t?
11117:50 <lightlike> (there is some discussion in the PR on whether BIP324 makes this obsolete)
11217:51 <larryruane> just so I'm clear, the alternative would have been to _not_ add `MANUAL_BLOCK_RELAY` but instead store a "block-relay" boolean with the connection object (which is only meaningful if the type is `MANUAL`?
11317:51 <larryruane> (oh sorry I'm too late with that question, feel free to ignore)
11417:52 <lightlike> larryruane: yes, something like this was my first idea. But it seemed to go against the spirit of the #19316 refactoring, so I decided against it.
11517:54 <larryruane> not to provide too much of a cheat :) but did sipa: answer the last question here? https://github.com/bitcoin/bitcoin/pull/24170#issuecomment-1122470916
11617:55 <vnprc> I'm not very familiar with BIP324 but it looks like it might prevent an attacker from eavesdropping on ADDR messages, which can be used to draw a P2P connection graph. ADDR messages are not relayed over block-relay-only connections so this mitigation would be redundant over an encrypted block-relay-only connection.
11717:55 <larryruane> he explains what this PR (24170) fixes that BIP324 doesn't
11817:55 <lightlike> yes, I think so, to a great part :-)
11917:56 <lightlike> But I also think that there some things this PR helps with that are completely orthogonal to BIP324.
12017:56 <sipa> also just to make sure this isn't misunderstood: the advantage of encryption as such is very limited, as attackers can just spin up their own nodes
12117:56 <sipa> (in this context)
12217:57 <lightlike> While manual nodes are "trusted" I think that even if I trust a node not to DOS me or withhold blocks, I may still don't want them to send my transactions over clearnet.
12317:58 <BlueMoon> I am reading the documents, thank you, I have learned a lot, next time I will read everything in full, you are very kind.
12417:58 <lightlike> *may still not want them to know about my transactions, sry
12517:59 <larryruane> sipa: so I understand... with BIP324, an attacker who watches the traffic in and out of a node doesn't know what's being sent and received, but if the attacker connects to that node as a normal peer, then he gets a pretty good idea
12617:59 <lightlike> hopefully, there'll be some review clubs about BIP324 in the future, I'd be very interested!
12718:00 <sipa> right exactly; bip324 is opportunistic encryption with whomever you're connected to, preventing others from reading the traffic. It doesn't (by itself) have any means of ascertaining that who you're talking is (a) who you intend to talk to or (b) is honest
12818:00 <svav> Does BIP324 fix eclipse attacks?
12918:00 <lightlike> Time's up. Thanks everyone for participating!
13018:00 <stickies-v> thank you for hosting lightlike!
13118:00 <sipa> svav: no
13218:00 <larryruane> thank you lightlike: !! this was great
13318:01 <svav> Ok thanks sipa
13418:01 <Bitcoin_Hodler> thank you... till next time!
13518:01 <svav> Thanks all
13618:01 <evanlinjin> thank you! I will try to turn up consistenty
13718:01 <M4rcus> Thanks!!
13818:01 <BlueMoon> Thanks!! :]
13918:02 <vnprc> lightlike: ty for implementing this feature and hosting this meeting.
14018:07 <larryruane> #endmeeting