Update and rename GOSSIPSUB-TOR-PUSH.md to gossipsub-tor-push.md

This commit is contained in:
Jimmy Debe 2024-02-01 22:53:07 -05:00 committed by GitHub
parent 3a396b5fb1
commit cd8c9f45f4
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 23 additions and 23 deletions

View File

@ -9,7 +9,7 @@ editor: Daniel Kaiser <danielkaiser@status.im>
contributors: contributors:
--- ---
# Abstract ## Abstract
This document extends the [libp2p gossipsub specification](https://github.com/libp2p/specs/blob/master/pubsub/gossipsub/README.md) This document extends the [libp2p gossipsub specification](https://github.com/libp2p/specs/blob/master/pubsub/gossipsub/README.md)
specifying gossipsub Tor Push, specifying gossipsub Tor Push,
@ -22,7 +22,7 @@ Note: Gossipsub Tor Push does not have a dedicated protocol identifier.
It uses the same identifier as gossipsub and works with all [pubsub](https://github.com/libp2p/specs/tree/master/pubsub) based protocols. It uses the same identifier as gossipsub and works with all [pubsub](https://github.com/libp2p/specs/tree/master/pubsub) based protocols.
This allows nodes that are oblivious to Tor Push to process messages received via Tor Push. This allows nodes that are oblivious to Tor Push to process messages received via Tor Push.
# Background ## Background
Without extensions, [libp2p gossipsub](https://github.com/libp2p/specs/blob/master/pubsub/gossipsub/README.md) Without extensions, [libp2p gossipsub](https://github.com/libp2p/specs/blob/master/pubsub/gossipsub/README.md)
does not protect sender identities. does not protect sender identities.
@ -35,7 +35,7 @@ Basing our solution on Tor both inherits existing security research, as well as
Using the anonymization network approach, even the first gossipsub node that relays a given message cannot link the message to its sender (within a relatively strong adversarial model). Using the anonymization network approach, even the first gossipsub node that relays a given message cannot link the message to its sender (within a relatively strong adversarial model).
Taking the low bandwidth overhead and the low latency overhead into consideration, Tor offers very good anonymity properties. Taking the low bandwidth overhead and the low latency overhead into consideration, Tor offers very good anonymity properties.
# Functional Operation ## Functional Operation
Tor Push allows nodes to push messages over Tor into the gossipsub network. Tor Push allows nodes to push messages over Tor into the gossipsub network.
The approach specified in this document is fully backwards compatible. The approach specified in this document is fully backwards compatible.
@ -47,11 +47,11 @@ Tor Push uses a dedicated libp2p context to prevent information leakage.
To significantly increase resilience and mitigate circuit failures, To significantly increase resilience and mitigate circuit failures,
Tor Push establishes several connections, each to a different randomly selected gossipsub node. Tor Push establishes several connections, each to a different randomly selected gossipsub node.
# Specification ## Specification
This section specifies the format of Tor Push messages, as well as how Tor Push messages are received and sent, respectively. This section specifies the format of Tor Push messages, as well as how Tor Push messages are received and sent, respectively.
## Wire Format ### Wire Format
The wire format of a Tor Push message corresponds verbatim to a typical [libp2p pubsub message](https://github.com/libp2p/specs/tree/master/pubsub#the-message). The wire format of a Tor Push message corresponds verbatim to a typical [libp2p pubsub message](https://github.com/libp2p/specs/tree/master/pubsub#the-message).
@ -66,12 +66,12 @@ message Message {
} }
``` ```
## Receiving Tor Push Messages ### Receiving Tor Push Messages
Any node supporting a protocol with ID `/meshsub/1.1.0` (e.g. gossipsub), can receive Tor Push messages. Any node supporting a protocol with ID `/meshsub/1.1.0` (e.g. gossipsub), can receive Tor Push messages.
Receiving nodes are oblivious to Tor Push and will process incoming messages according to the respective `meshsub/1.1.0` specification. Receiving nodes are oblivious to Tor Push and will process incoming messages according to the respective `meshsub/1.1.0` specification.
## Sending Tor Push Messages ### Sending Tor Push Messages
In the following, we refer to nodes sending Tor Push messages as Tp-nodes (Tor Push nodes). In the following, we refer to nodes sending Tor Push messages as Tp-nodes (Tor Push nodes).
@ -82,7 +82,7 @@ The Tp-context MUST NOT share any data, e.g. peer lists, with the default contex
Tp-peers are peers a Tp-node plans to send Tp-messages to. Tp-peers are peers a Tp-node plans to send Tp-messages to.
Tp-peers MUST support `/meshsub/1.1.0`. Tp-peers MUST support `/meshsub/1.1.0`.
For retrieving Tp-peers, Tp-nodes SHOULD use an ambient peer discovery method that retrieves a random peer sample (from the set of all peers), e.g. [33/WAKU2-DISCV5](/spec/33/). For retrieving Tp-peers, Tp-nodes SHOULD use an ambient peer discovery method that retrieves a random peer sample (from the set of all peers), e.g. [33/WAKU2-DISCV5](../../waku/standards/core/33/discv5.md).
Tp-nodes MUST establish a connection as described in sub-section [Tor Push Connection Establishment](#connection-establishment) to at least one Tp-peer. Tp-nodes MUST establish a connection as described in sub-section [Tor Push Connection Establishment](#connection-establishment) to at least one Tp-peer.
To significantly increase resilience, Tp-nodes SHOULD establish Tp-connections to `D` peers, To significantly increase resilience, Tp-nodes SHOULD establish Tp-connections to `D` peers,
@ -94,13 +94,13 @@ To increase resilience, Tp-messages SHOULD be sent via the Tp-context over all a
Control messages of any kind, e.g. gossipsub graft, MUST NOT be sent via Tor Push. Control messages of any kind, e.g. gossipsub graft, MUST NOT be sent via Tor Push.
### Connection Establishment #### Connection Establishment
Tp-nodes establish a `/meshsub/1.1.0` connection to tp-peers via [SOCKS5](https://www.rfc-editor.org/rfc/rfc1928) over [Tor](https://www.torproject.org/). Tp-nodes establish a `/meshsub/1.1.0` connection to tp-peers via [SOCKS5](https://www.rfc-editor.org/rfc/rfc1928) over [Tor](https://www.torproject.org/).
Establishing connections, which in turn establishes the respective Tor circuits, can be done ahead of time. Establishing connections, which in turn establishes the respective Tor circuits, can be done ahead of time.
### Epochs #### Epochs
Tor Push introduces epochs. Tor Push introduces epochs.
The default epoch duration is 10 minutes. The default epoch duration is 10 minutes.
@ -117,31 +117,31 @@ Both Tp-peer selection for the next epoch and establishing connections to the ne
and be completed before the new epoch starts. and be completed before the new epoch starts.
This avoids adding latency to message transmission. This avoids adding latency to message transmission.
# Security/Privacy Considerations ## Security/Privacy Considerations
## Fingerprinting Attacks ### Fingerprinting Attacks
Protocols that feature distinct patterns are prone to fingerprinting attacks when using them over Tor Push. Protocols that feature distinct patterns are prone to fingerprinting attacks when using them over Tor Push.
Both malicious guards and exit nodes could detect these patterns Both malicious guards and exit nodes could detect these patterns
and link the sender and receiver, respectively, to transmitted traffic. and link the sender and receiver, respectively, to transmitted traffic.
As a mitigation, such protocols can introduce dummy messages and/or padding to hide patterns. As a mitigation, such protocols can introduce dummy messages and/or padding to hide patterns.
## DoS ### DoS
### General DoS against Tor #### General DoS against Tor
Using untargeted DoS to prevent Tor Push messages from entering the gossipsub network would cost vast resources, Using untargeted DoS to prevent Tor Push messages from entering the gossipsub network would cost vast resources,
because Tor Push transmits messages over several circuits and the Tor network is well established. because Tor Push transmits messages over several circuits and the Tor network is well established.
### Targeting the Guard #### Targeting the Guard
Denying the service of a specific guard node blocks Tp-nodes using the respective guard. Denying the service of a specific guard node blocks Tp-nodes using the respective guard.
Tor guard selection will replace this guard [TODO elaborate]. Tor guard selection will replace this guard [TODO elaborate].
Still, messages might be delayed during this window which might be critical to certain applications. Still, messages might be delayed during this window which might be critical to certain applications.
### Targeting the Gossipsub Network #### Targeting the Gossipsub Network
Without sophisticated rate limiting (for example using [17/WAKU2-RLN-RELAY](/spec/17)), Without sophisticated rate limiting (for example using [17/WAKU2-RLN-RELAY](../../waku/standards/core/17/rln-relay.md)),
attackers can spam the gossipsub network. attackers can spam the gossipsub network.
It is not enough to just block peers that send too many messages, It is not enough to just block peers that send too many messages,
because these messages might actually come from a Tor exit node that many honest Tp-nodes use. because these messages might actually come from a Tor exit node that many honest Tp-nodes use.
@ -149,7 +149,7 @@ Without Tor Push, protocols on top of gossipsub could block peers if they exceed
With Tor Push, this would allow the reputation-based DoS attack described in With Tor Push, this would allow the reputation-based DoS attack described in
[Bitcoin over Tor isn't a Good Idea](https://ieeexplore.ieee.org/abstract/document/7163022). [Bitcoin over Tor isn't a Good Idea](https://ieeexplore.ieee.org/abstract/document/7163022).
### Peer Discovery #### Peer Discovery
The discovery mechanism could be abused to link requesting nodes to their Tor connections to discovered nodes. The discovery mechanism could be abused to link requesting nodes to their Tor connections to discovered nodes.
An attacker that controls both the node that responds to a discovery query, An attacker that controls both the node that responds to a discovery query,
@ -161,18 +161,18 @@ For instance if p% of the nodes in the network are malicious,
an attacker could manipulate the discovery to return malicious nodes with 2p% probability. an attacker could manipulate the discovery to return malicious nodes with 2p% probability.
The discovery mechanism needs to be resilient against this attack. The discovery mechanism needs to be resilient against this attack.
## Roll-out Phase ### Roll-out Phase
During the roll-out phase of Tor Push, during which only a few nodes use Tor Push, During the roll-out phase of Tor Push, during which only a few nodes use Tor Push,
attackers can narrow down the senders of Tor messages to the set of gossipsub nodes that do not originate messages. attackers can narrow down the senders of Tor messages to the set of gossipsub nodes that do not originate messages.
Nodes who want anonymity guarantees even during the roll-out phase can use separate network interfaces for their default context and Tp-context, respectively. Nodes who want anonymity guarantees even during the roll-out phase can use separate network interfaces for their default context and Tp-context, respectively.
For the best protection, these contexts should run on separate physical machines. For the best protection, these contexts should run on separate physical machines.
# Copyright ## Copyright
Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/). Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).
# References ## References
* [libp2p gossipsub](https://github.com/libp2p/specs/blob/master/pubsub/gossipsub/README.md) * [libp2p gossipsub](https://github.com/libp2p/specs/blob/master/pubsub/gossipsub/README.md)
* [libp2p pubsub](https://github.com/libp2p/specs/tree/master/pubsub) * [libp2p pubsub](https://github.com/libp2p/specs/tree/master/pubsub)
@ -180,6 +180,6 @@ Copyright and related rights waived via [CC0](https://creativecommons.org/public
* [libp2p switch](https://docs.libp2p.io/concepts/multiplex/switch) * [libp2p switch](https://docs.libp2p.io/concepts/multiplex/switch)
* [SOCKS5](https://www.rfc-editor.org/rfc/rfc1928) * [SOCKS5](https://www.rfc-editor.org/rfc/rfc1928)
* [Tor](https://www.torproject.org/) * [Tor](https://www.torproject.org/)
* [33/WAKU2-DISCV5](/spec/33/) * [33/WAKU2-DISCV5](../../waku/standards/core/33/discv5.md)
* [Bitcoin over Tor isn't a Good Idea](https://ieeexplore.ieee.org/abstract/document/7163022) * [Bitcoin over Tor isn't a Good Idea](https://ieeexplore.ieee.org/abstract/document/7163022)
* [17/WAKU2-RLN-RELAY](/spec/17) * [17/WAKU2-RLN-RELAY](../../waku/standards/core/17/rln-relay.md)