Don't help evil Nodes so much #819

@dnwiebe

Background:
In neighborhood::GossipProducer.produce(), there's a comment on some code around line 70 or so (at the time of this writing).

When Gossip is generated for sending to a target Node, the decision must be made, for each Node in the outgoing Gossip, whether to include the IP address for that Node (assuming we know that IP address).

Current policy (around line 70) is to check and see if the Node under consideration is a next-door neighbor (according to our neighborhood database) to the target Node, and if it is, to include its IP address in the Gossip we're generating. The idea is that in that case, the target Node must already know that IP address anyway, so it can't be a security issue to tell it: and it might have changed! Surely the target Node would want to know that.

Counterarguments: first, when a Node's IP address changes, it's that Node's responsibility, not ours, to notify its neighbors of the new IP. Second, what if we have been duped somehow into thinking that the target Node knows IP addresses it doesn't really know? If it's an evil Node, it can claim a half-neighborship to any Node it wants, and then every Node that knows the IP address of the false half-neighborship target will helpfully provide that address to the target Node.

Alternatives:
Here is a list of possible solutions to this problem. There may be others that we haven't thought of yet; those should be considered as well.

  • Don't ever send IP addresses in Gossip under any circumstances except Debut, Introduction, and Pass Gossip.
  • Change the half-neighborship requirement that's in the code now to a full-neighborship requirement. That way, the Node whose IP address is being transmitted has to agree with the target Node that the two are neighbors. However, this may disturb the processing of Debut, Introduction, and Pass Gossip, whose generation might have to be specialized, if it's not already.

Note: Theoretically, it's unnecessary to send IP addresses in Debut Gossip. Currently, one of the requirements for processing Debut Gossip is that the IP address of the Node in the Gossip is the same as the IP address from which the Gossip arrived. If the Gossip protocol were modified to remove the IP address from Debut Gossip, then the receiving Node could just use the IP address from which the Gossip arrived, rather than having to cross-check. However, making this change would require a migration in Gossip protocol, because it would break all existing Nodes.

Task:
Experiment and choose the best solution to this problem. Make sure all the tests pass and there aren't any unintended consequences. If you think of possible consequences that don't have tests, write tests for them.

Once you have a working best solution, decide whether it's production-ready or not (given that it started out as an experiment). If it is, then this card is complete. If it's not, and it can't easily be made production-ready, then this card is a spike: its output should be another card meticulously describing the solution you chose so that it can be implemented from scratch in a production-ready manner.
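
The difference between the current half-neighborship check and the full-neighborship alternative, as an added example that is not part of the original issue or the project's code. `NeighborhoodDb`, `IpPolicy`, `include_ip` and the Node names are hypothetical, and a half-neighborship is assumed to mean that only one side's record claims the link.

```rust
use std::collections::HashSet;

/// Hypothetical model of our neighborhood database: a set of
/// (claimer, claimed) pairs, one per neighbor entry in a Node's record.
pub struct NeighborhoodDb {
    claims: HashSet<(String, String)>,
}

#[derive(Clone, Copy)]
pub enum IpPolicy {
    HalfNeighbor, // policy described in the issue as current
    FullNeighbor, // second alternative listed in the issue
}

impl NeighborhoodDb {
    pub fn new(pairs: &[(&str, &str)]) -> Self {
        let claims = pairs.iter().map(|(a, b)| (a.to_string(), b.to_string())).collect();
        NeighborhoodDb { claims }
    }

    fn claims(&self, from: &str, to: &str) -> bool {
        self.claims.contains(&(from.to_string(), to.to_string()))
    }

    /// Should Gossip generated for `target` carry the IP address of `node`?
    /// (Assumes we know that IP address; Debut, Introduction and Pass Gossip
    /// are outside this model.)
    pub fn include_ip(&self, policy: IpPolicy, node: &str, target: &str) -> bool {
        let (fwd, back) = (self.claims(node, target), self.claims(target, node));
        match policy {
            IpPolicy::HalfNeighbor => fwd || back, // a one-sided claim is enough
            IpPolicy::FullNeighbor => fwd && back, // both records must agree
        }
    }
}

/// Constructed sample data: A and B claim each other; E claims A, A does not claim E.
pub fn sample_db() -> NeighborhoodDb {
    NeighborhoodDb::new(&[("A", "B"), ("B", "A"), ("E", "A")])
}

fn main() {
    let db = sample_db();
    for (name, p) in [("half", IpPolicy::HalfNeighbor), ("full", IpPolicy::FullNeighbor)] {
        println!("{name}: A's IP to B = {}, A's IP to E = {}",
                 db.include_ip(p, "A", "B"), db.include_ip(p, "A", "E"));
    }
}
```

Under the full-neighborship check, the unreciprocated claim from E no longer causes A's IP address to be included, while the mutual A and B link behaves as before.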

    Projects

    Status

    🔖 Ready
