mirror of https://github.com/vacp2p/rfc-index.git
Update and rename GOSSIPSUB-TOR-PUSH.md to gossipsub-tor-push.md
This commit is contained in:
parent
3a396b5fb1
commit
cd8c9f45f4
|
@ -9,7 +9,7 @@ editor: Daniel Kaiser <danielkaiser@status.im>
|
||||||
contributors:
|
contributors:
|
||||||
---
|
---
|
||||||
|
|
||||||
# Abstract
|
## Abstract
|
||||||
|
|
||||||
This document extends the [libp2p gossipsub specification](https://github.com/libp2p/specs/blob/master/pubsub/gossipsub/README.md)
|
This document extends the [libp2p gossipsub specification](https://github.com/libp2p/specs/blob/master/pubsub/gossipsub/README.md)
|
||||||
specifying gossipsub Tor Push,
|
specifying gossipsub Tor Push,
|
||||||
|
@ -22,7 +22,7 @@ Note: Gossipsub Tor Push does not have a dedicated protocol identifier.
|
||||||
It uses the same identifier as gossipsub and works with all [pubsub](https://github.com/libp2p/specs/tree/master/pubsub) based protocols.
|
It uses the same identifier as gossipsub and works with all [pubsub](https://github.com/libp2p/specs/tree/master/pubsub) based protocols.
|
||||||
This allows nodes that are oblivious to Tor Push to process messages received via Tor Push.
|
This allows nodes that are oblivious to Tor Push to process messages received via Tor Push.
|
||||||
|
|
||||||
# Background
|
## Background
|
||||||
|
|
||||||
Without extensions, [libp2p gossipsub](https://github.com/libp2p/specs/blob/master/pubsub/gossipsub/README.md)
|
Without extensions, [libp2p gossipsub](https://github.com/libp2p/specs/blob/master/pubsub/gossipsub/README.md)
|
||||||
does not protect sender identities.
|
does not protect sender identities.
|
||||||
|
@ -35,7 +35,7 @@ Basing our solution on Tor both inherits existing security research, as well as
|
||||||
Using the anonymization network approach, even the first gossipsub node that relays a given message cannot link the message to its sender (within a relatively strong adversarial model).
|
Using the anonymization network approach, even the first gossipsub node that relays a given message cannot link the message to its sender (within a relatively strong adversarial model).
|
||||||
Taking the low bandwidth overhead and the low latency overhead into consideration, Tor offers very good anonymity properties.
|
Taking the low bandwidth overhead and the low latency overhead into consideration, Tor offers very good anonymity properties.
|
||||||
|
|
||||||
# Functional Operation
|
## Functional Operation
|
||||||
|
|
||||||
Tor Push allows nodes to push messages over Tor into the gossipsub network.
|
Tor Push allows nodes to push messages over Tor into the gossipsub network.
|
||||||
The approach specified in this document is fully backwards compatible.
|
The approach specified in this document is fully backwards compatible.
|
||||||
|
@ -47,11 +47,11 @@ Tor Push uses a dedicated libp2p context to prevent information leakage.
|
||||||
To significantly increase resilience and mitigate circuit failures,
|
To significantly increase resilience and mitigate circuit failures,
|
||||||
Tor Push establishes several connections, each to a different randomly selected gossipsub node.
|
Tor Push establishes several connections, each to a different randomly selected gossipsub node.
|
||||||
|
|
||||||
# Specification
|
## Specification
|
||||||
|
|
||||||
This section specifies the format of Tor Push messages, as well as how Tor Push messages are received and sent, respectively.
|
This section specifies the format of Tor Push messages, as well as how Tor Push messages are received and sent, respectively.
|
||||||
|
|
||||||
## Wire Format
|
### Wire Format
|
||||||
|
|
||||||
The wire format of a Tor Push message corresponds verbatim to a typical [libp2p pubsub message](https://github.com/libp2p/specs/tree/master/pubsub#the-message).
|
The wire format of a Tor Push message corresponds verbatim to a typical [libp2p pubsub message](https://github.com/libp2p/specs/tree/master/pubsub#the-message).
|
||||||
|
|
||||||
|
@ -66,12 +66,12 @@ message Message {
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
## Receiving Tor Push Messages
|
### Receiving Tor Push Messages
|
||||||
|
|
||||||
Any node supporting a protocol with ID `/meshsub/1.1.0` (e.g. gossipsub), can receive Tor Push messages.
|
Any node supporting a protocol with ID `/meshsub/1.1.0` (e.g. gossipsub), can receive Tor Push messages.
|
||||||
Receiving nodes are oblivious to Tor Push and will process incoming messages according to the respective `meshsub/1.1.0` specification.
|
Receiving nodes are oblivious to Tor Push and will process incoming messages according to the respective `meshsub/1.1.0` specification.
|
||||||
|
|
||||||
## Sending Tor Push Messages
|
### Sending Tor Push Messages
|
||||||
|
|
||||||
In the following, we refer to nodes sending Tor Push messages as Tp-nodes (Tor Push nodes).
|
In the following, we refer to nodes sending Tor Push messages as Tp-nodes (Tor Push nodes).
|
||||||
|
|
||||||
|
@ -82,7 +82,7 @@ The Tp-context MUST NOT share any data, e.g. peer lists, with the default contex
|
||||||
|
|
||||||
Tp-peers are peers a Tp-node plans to send Tp-messages to.
|
Tp-peers are peers a Tp-node plans to send Tp-messages to.
|
||||||
Tp-peers MUST support `/meshsub/1.1.0`.
|
Tp-peers MUST support `/meshsub/1.1.0`.
|
||||||
For retrieving Tp-peers, Tp-nodes SHOULD use an ambient peer discovery method that retrieves a random peer sample (from the set of all peers), e.g. [33/WAKU2-DISCV5](/spec/33/).
|
For retrieving Tp-peers, Tp-nodes SHOULD use an ambient peer discovery method that retrieves a random peer sample (from the set of all peers), e.g. [33/WAKU2-DISCV5](../../waku/standards/core/33/discv5.md).
|
||||||
|
|
||||||
Tp-nodes MUST establish a connection as described in sub-section [Tor Push Connection Establishment](#connection-establishment) to at least one Tp-peer.
|
Tp-nodes MUST establish a connection as described in sub-section [Tor Push Connection Establishment](#connection-establishment) to at least one Tp-peer.
|
||||||
To significantly increase resilience, Tp-nodes SHOULD establish Tp-connections to `D` peers,
|
To significantly increase resilience, Tp-nodes SHOULD establish Tp-connections to `D` peers,
|
||||||
|
@ -94,13 +94,13 @@ To increase resilience, Tp-messages SHOULD be sent via the Tp-context over all a
|
||||||
|
|
||||||
Control messages of any kind, e.g. gossipsub graft, MUST NOT be sent via Tor Push.
|
Control messages of any kind, e.g. gossipsub graft, MUST NOT be sent via Tor Push.
|
||||||
|
|
||||||
### Connection Establishment
|
#### Connection Establishment
|
||||||
|
|
||||||
Tp-nodes establish a `/meshsub/1.1.0` connection to tp-peers via [SOCKS5](https://www.rfc-editor.org/rfc/rfc1928) over [Tor](https://www.torproject.org/).
|
Tp-nodes establish a `/meshsub/1.1.0` connection to tp-peers via [SOCKS5](https://www.rfc-editor.org/rfc/rfc1928) over [Tor](https://www.torproject.org/).
|
||||||
|
|
||||||
Establishing connections, which in turn establishes the respective Tor circuits, can be done ahead of time.
|
Establishing connections, which in turn establishes the respective Tor circuits, can be done ahead of time.
|
||||||
|
|
||||||
### Epochs
|
#### Epochs
|
||||||
|
|
||||||
Tor Push introduces epochs.
|
Tor Push introduces epochs.
|
||||||
The default epoch duration is 10 minutes.
|
The default epoch duration is 10 minutes.
|
||||||
|
@ -117,31 +117,31 @@ Both Tp-peer selection for the next epoch and establishing connections to the ne
|
||||||
and be completed before the new epoch starts.
|
and be completed before the new epoch starts.
|
||||||
This avoids adding latency to message transmission.
|
This avoids adding latency to message transmission.
|
||||||
|
|
||||||
# Security/Privacy Considerations
|
## Security/Privacy Considerations
|
||||||
|
|
||||||
## Fingerprinting Attacks
|
### Fingerprinting Attacks
|
||||||
|
|
||||||
Protocols that feature distinct patterns are prone to fingerprinting attacks when using them over Tor Push.
|
Protocols that feature distinct patterns are prone to fingerprinting attacks when using them over Tor Push.
|
||||||
Both malicious guards and exit nodes could detect these patterns
|
Both malicious guards and exit nodes could detect these patterns
|
||||||
and link the sender and receiver, respectively, to transmitted traffic.
|
and link the sender and receiver, respectively, to transmitted traffic.
|
||||||
As a mitigation, such protocols can introduce dummy messages and/or padding to hide patterns.
|
As a mitigation, such protocols can introduce dummy messages and/or padding to hide patterns.
|
||||||
|
|
||||||
## DoS
|
### DoS
|
||||||
|
|
||||||
### General DoS against Tor
|
#### General DoS against Tor
|
||||||
|
|
||||||
Using untargeted DoS to prevent Tor Push messages from entering the gossipsub network would cost vast resources,
|
Using untargeted DoS to prevent Tor Push messages from entering the gossipsub network would cost vast resources,
|
||||||
because Tor Push transmits messages over several circuits and the Tor network is well established.
|
because Tor Push transmits messages over several circuits and the Tor network is well established.
|
||||||
|
|
||||||
### Targeting the Guard
|
#### Targeting the Guard
|
||||||
|
|
||||||
Denying the service of a specific guard node blocks Tp-nodes using the respective guard.
|
Denying the service of a specific guard node blocks Tp-nodes using the respective guard.
|
||||||
Tor guard selection will replace this guard [TODO elaborate].
|
Tor guard selection will replace this guard [TODO elaborate].
|
||||||
Still, messages might be delayed during this window which might be critical to certain applications.
|
Still, messages might be delayed during this window which might be critical to certain applications.
|
||||||
|
|
||||||
### Targeting the Gossipsub Network
|
#### Targeting the Gossipsub Network
|
||||||
|
|
||||||
Without sophisticated rate limiting (for example using [17/WAKU2-RLN-RELAY](/spec/17)),
|
Without sophisticated rate limiting (for example using [17/WAKU2-RLN-RELAY](../../waku/standards/core/17/rln-relay.md)),
|
||||||
attackers can spam the gossipsub network.
|
attackers can spam the gossipsub network.
|
||||||
It is not enough to just block peers that send too many messages,
|
It is not enough to just block peers that send too many messages,
|
||||||
because these messages might actually come from a Tor exit node that many honest Tp-nodes use.
|
because these messages might actually come from a Tor exit node that many honest Tp-nodes use.
|
||||||
|
@ -149,7 +149,7 @@ Without Tor Push, protocols on top of gossipsub could block peers if they exceed
|
||||||
With Tor Push, this would allow the reputation-based DoS attack described in
|
With Tor Push, this would allow the reputation-based DoS attack described in
|
||||||
[Bitcoin over Tor isn't a Good Idea](https://ieeexplore.ieee.org/abstract/document/7163022).
|
[Bitcoin over Tor isn't a Good Idea](https://ieeexplore.ieee.org/abstract/document/7163022).
|
||||||
|
|
||||||
### Peer Discovery
|
#### Peer Discovery
|
||||||
|
|
||||||
The discovery mechanism could be abused to link requesting nodes to their Tor connections to discovered nodes.
|
The discovery mechanism could be abused to link requesting nodes to their Tor connections to discovered nodes.
|
||||||
An attacker that controls both the node that responds to a discovery query,
|
An attacker that controls both the node that responds to a discovery query,
|
||||||
|
@ -161,18 +161,18 @@ For instance if p% of the nodes in the network are malicious,
|
||||||
an attacker could manipulate the discovery to return malicious nodes with 2p% probability.
|
an attacker could manipulate the discovery to return malicious nodes with 2p% probability.
|
||||||
The discovery mechanism needs to be resilient against this attack.
|
The discovery mechanism needs to be resilient against this attack.
|
||||||
|
|
||||||
## Roll-out Phase
|
### Roll-out Phase
|
||||||
|
|
||||||
During the roll-out phase of Tor Push, during which only a few nodes use Tor Push,
|
During the roll-out phase of Tor Push, during which only a few nodes use Tor Push,
|
||||||
attackers can narrow down the senders of Tor messages to the set of gossipsub nodes that do not originate messages.
|
attackers can narrow down the senders of Tor messages to the set of gossipsub nodes that do not originate messages.
|
||||||
Nodes who want anonymity guarantees even during the roll-out phase can use separate network interfaces for their default context and Tp-context, respectively.
|
Nodes who want anonymity guarantees even during the roll-out phase can use separate network interfaces for their default context and Tp-context, respectively.
|
||||||
For the best protection, these contexts should run on separate physical machines.
|
For the best protection, these contexts should run on separate physical machines.
|
||||||
|
|
||||||
# Copyright
|
## Copyright
|
||||||
|
|
||||||
Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).
|
Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).
|
||||||
|
|
||||||
# References
|
## References
|
||||||
|
|
||||||
* [libp2p gossipsub](https://github.com/libp2p/specs/blob/master/pubsub/gossipsub/README.md)
|
* [libp2p gossipsub](https://github.com/libp2p/specs/blob/master/pubsub/gossipsub/README.md)
|
||||||
* [libp2p pubsub](https://github.com/libp2p/specs/tree/master/pubsub)
|
* [libp2p pubsub](https://github.com/libp2p/specs/tree/master/pubsub)
|
||||||
|
@ -180,6 +180,6 @@ Copyright and related rights waived via [CC0](https://creativecommons.org/public
|
||||||
* [libp2p switch](https://docs.libp2p.io/concepts/multiplex/switch)
|
* [libp2p switch](https://docs.libp2p.io/concepts/multiplex/switch)
|
||||||
* [SOCKS5](https://www.rfc-editor.org/rfc/rfc1928)
|
* [SOCKS5](https://www.rfc-editor.org/rfc/rfc1928)
|
||||||
* [Tor](https://www.torproject.org/)
|
* [Tor](https://www.torproject.org/)
|
||||||
* [33/WAKU2-DISCV5](/spec/33/)
|
* [33/WAKU2-DISCV5](../../waku/standards/core/33/discv5.md)
|
||||||
* [Bitcoin over Tor isn't a Good Idea](https://ieeexplore.ieee.org/abstract/document/7163022)
|
* [Bitcoin over Tor isn't a Good Idea](https://ieeexplore.ieee.org/abstract/document/7163022)
|
||||||
* [17/WAKU2-RLN-RELAY](/spec/17)
|
* [17/WAKU2-RLN-RELAY](../../waku/standards/core/17/rln-relay.md)
|
Loading…
Reference in New Issue