</ul><p><code>WakuFilter</code> is a protocol that enables subscribing to messages that a peer receives. This is a more lightweight version of <code>WakuRelay</code> specifically designed for bandwidth restricted devices. This is due to the fact that light nodes subscribe to full-nodes and only receive the messages they desire.</p>
<p>Content filtering is a way to do <ahref="https://en.wikipedia.org/wiki/Publish%E2%80%93subscribe_pattern#Message_filtering">message-based
filtering</a>.
Currently the only content filter being applied is on <code>contentTopic</code>. This
corresponds to topics in Waku v1.</p>
<h2id="rationale">
Rationale
<aclass="anchor"href="#rationale">#</a>
</h2>
<p>Unlike the <code>store</code> protocol for historical messages, this protocol allows for
native lower latency scenarios such as instant messaging. It is thus
complementary to it.</p>
<p>Strictly speaking, it is not just doing basic request response, but performs
sender push based on receiver intent. While this can be seen as a form of light
pub/sub, it is only used between two nodes in a direct fashion. Unlike the
Gossip domain, this is meant for light nodes which put a premium on bandwidth.
No gossiping takes place.</p>
<p>It is worth noting that a light node could get by with only using the <code>store</code>
protocol to query for a recent time window, provided it is acceptable to do
frequent polling.</p>
<h1id="design-requirements">
Design Requirements
<aclass="anchor"href="#design-requirements">#</a>
</h1>
<p>The effectiveness and reliability of the content filtering service enabled by <code>WakuFilter</code> protocol rely on the <em>high availability</em> of the full nodes as the service providers. To this end, full nodes must feature <em>high uptime</em> (to persistently listen and capture the network messages) as well as <em>high Bandwidth</em> (to provide timely message delivery to the light nodes).</p>
<p>Note that while using <code>WakuFilter</code> allows light nodes to save bandwidth, it comes with a privacy cost in the sense that they need to disclose their liking topics to the full nodes to retrieve the relevant messages. Currently, anonymous subscription is not supported by the <code>WakuFilter</code>, however, potential solutions in this regard are sketched below in <ahref="#future-work">Future Work</a> section.</p>
<h2id="terminology">
Terminology
<aclass="anchor"href="#terminology">#</a>
</h2>
<p>The term Personally identifiable information (PII) refers to any piece of data that can be used to uniquely identify a user. For example, the signature verification key, and the hash of one’s static IP address are unique for each user and hence count as PII.</p>
<h1id="adversarial-model">
Adversarial Model
<aclass="anchor"href="#adversarial-model">#</a>
</h1>
<p>Any node running the <code>WakuFilter</code> protocol i.e., both the subscriber node and the queried node are considered as an adversary. Furthermore, we consider the adversary as a passive entity that attempts to collect information from other nodes to conduct an attack but it does so without violating protocol definitions and instructions. For example, under the passive adversarial model, no malicious node intentionally hides the messages matching to one’s subscribed content filter as it is against the description of the <code>WakuFilter</code> protocol.</p>
<p>The following are not considered as part of the adversarial model:</p>
<ul>
<li>An adversary with a global view of all the nodes and their connections.</li>
<li>An adversary that can eavesdrop on communication links between arbitrary pairs of nodes (unless the adversary is one end of the communication). In specific, the communication channels are assumed to be secure.</li>
<p>A node MUST send all Filter messages (<code>FilterRequest</code>, <code>MessagePush</code>) wrapped inside a
<code>FilterRPC</code> this allows the node handler to determine how to handle a message as the Waku
Filter protocol is not a request response based protocol but instead a push based system.</p>
<p>The <code>requestId</code> MUST be a uniquely generated string. When a <code>MessagePush</code> is sent
the <code>requestId</code> MUST match the <code>requestId</code> of the subscribing <code>FilterRequest</code> whose filters
matched the message causing it to be pushed.</p>
<h4id="filterrequest">
FilterRequest
<aclass="anchor"href="#filterrequest">#</a>
</h4>
<p>A <code>FilterRequest</code> contains an optional topic, zero or more content filters and
a boolean signifying whether to subscribe or unsubscribe to the given filters.
True signifies ‘subscribe’ and false signifies ‘unsubscribe’.</p>
<p>A node that sends the RPC with a filter request and <code>subscribe</code> set to ’true’
requests that the filter node SHOULD notify the light requesting node of messages
matching this filter.</p>
<p>A node that sends the RPC with a filter request and <code>subscribe</code> set to ‘false’
requests that the filter node SHOULD stop notifying the light requesting node
of messages matching this filter if it is currently doing so.</p>
<p>The filter matches when content filter and, optionally, a topic is matched.
Content filter is matched when a <code>WakuMessage</code><code>contentTopic</code> field is the same.</p>
<p>A filter node SHOULD honor this request, though it MAY choose not to do so. If
it chooses not to do so it MAY tell the light why. The mechanism for doing this
is currently not specified. For notifying the light node a filter node sends a
MessagePush message.</p>
<p>Since such a filter node is doing extra work for a light node, it MAY also
account for usage and be selective in how much service it provides. This
mechanism is currently planned but underspecified.</p>
<h4id="messagepush">
MessagePush
<aclass="anchor"href="#messagepush">#</a>
</h4>
<p>A filter node that has received a filter request SHOULD push all messages that
match this filter to a light node. These <ahref="./waku-message.md"><code>WakuMessage</code>’s</a> are likely to come from the
<code>relay</code> protocol and be kept at the Node, but there MAY be other sources or
protocols where this comes from. This is up to the consumer of the protocol.</p>
<p>A filter node MUST NOT send a push message for messages that have not been
requested via a FilterRequest.</p>
<p>If a specific light node isn’t connected to a filter node for some specific
period of time (e.g. a TTL), then the filter node MAY choose to not push these
messages to the node. This period is up to the consumer of the protocol and node
implementation, though a reasonable default is one minute.</p>
<hr>
<h1id="future-work">
Future Work
<aclass="anchor"href="#future-work">#</a>
</h1>
<!-- raw HTML omitted -->
<p><strong>Anonymous filter subscription</strong>: This feature guarantees that nodes can anonymously subscribe for a message filter (i.e., without revealing their exact content filter). As such, no adversary in the <code>WakuFilter</code> protocol would be able to link nodes to their subscribed content filers. The current version of the <code>WakuFilter</code> protocol does not provide anonymity as the subscribing node has a direct connection to the full node and explicitly submits its content filter to be notified about the matching messages. However, one can consider preserving anonymity through one of the following ways:</p>
<ul>
<li>By hiding the source of the subscription i.e., anonymous communication. That is the subscribing node shall hide all its PII in its filter request e.g., its IP address. This can happen by the utilization of a proxy server or by using Tor<!-- raw HTML omitted -->.
Note that the current structure of filter requests i.e., <code>FilterRPC</code> does not embody any piece of PII, otherwise, such data fields must be treated carefully to achieve anonymity.</li>
<li>By deploying secure 2-party computations in which the subscribing node obtains the messages matching a content filter whereas the full node learns nothing about the content filter as well as the messages pushed to the subscribing node. Examples of such 2PC protocols are <ahref="https://link.springer.com/referenceworkentry/10.1007%2F978-1-4419-5906-5_9#:~:text=Oblivious%20transfer%20%28OT%29%20is%20a,information%20the%20receiver%20actually%20obtains.">Oblivious Transfers</a> and one-way Private Set Intersections (PSI).</li>
<p>Initial draft version. Released <ahref="https://github.com/vacp2p/specs/commit/5ceeb88cee7b918bb58f38e7c4de5d581ff31e68">2020-10-28</a></p>
<ul>
<li>Fix: Ensure contentFilter is a repeated field, on implementation</li>
<li>Change: Add ability to unsubscribe from filters. Make <code>subscribe</code> an explicit boolean indication. Edit protobuf field order to be consistent with libp2p.</li>
<p>A filter client that sends a <code>FilterSubscribeRequest</code> with <code>filter_subscribe_type</code> set to <code>UNSUBSCRIBE_ALL</code>
requests that the service node SHOULD <em>stop</em> pushing messages matching <em>any</em> filter to the client.
The filter client SHOULD exclude any filter criteria from the request.
The filter service node SHOULD remove any existing subscriptions for this client.
It SHOULD respond with a success code if it successfully honored this request
or an error code if not.</p>
<h2id="filter-push">
Filter-Push
<aclass="anchor"href="#filter-push">#</a>
</h2>
<p>A filter client node MUST support the <em>filter-push</em> protocol
to allow filter service nodes to push messages matching registered subscriptions to this client.</p>
<p>A filter service node SHOULD push all messages
matching the filter criteria in a registered subscription
to the subscribed filter client.
These <ahref="./waku-message.md"><code>WakuMessage</code>s</a> are likely to come from <ahref="https://rfc.vac.dev/spec/11/"><code>11/WAKU2-RELAY</code></a>,
but there MAY be other sources or protocols where this comes from.
This is up to the consumer of the protocol.</p>
<p>If a message push fails,
the filter service node MAY consider the client node to be unreachable.
If a specific filter client node is not reachable from the service node for a period of time,
the filter service node MAY choose to stop pushing messages to the client and remove its subscription.
This period is up to the service node implementation.
We consider <code>1 minute</code> to be a reasonable default.</p>
<h3id="message-push">
Message Push
<aclass="anchor"href="#message-push">#</a>
</h3>
<p>Each message MUST be pushed in a <code>MessagePush</code> message.
Each <code>MessagePush</code> MUST contain one (and only one) <code>waku_message</code>.
If this message was received on a specific <code>pubsub_topic</code>,
it SHOULD be included in the <code>MessagePush</code>.
A filter client SHOULD NOT respond to a <code>MessagePush</code>.
Since the filter protocol does not include caching or fault-tolerance,
this is a best effort push service with no bundling
or guaranteed retransmission of messages.
A filter client SHOULD verify that each <code>MessagePush</code> it receives
originated from a service node where the client has an active subscription
and that it matches filter criteria belonging to that subscription.</p>
<p><strong>Anonymous filter subscription</strong>: This feature guarantees that nodes can anonymously subscribe for a message filter (i.e., without revealing their exact content filter). As such, no adversary in the <code>WakuFilter</code> protocol would be able to link nodes to their subscribed content filers. The current version of the <code>WakuFilter</code> protocol does not provide anonymity as the subscribing node has a direct connection to the full node and explicitly submits its content filter to be notified about the matching messages. However, one can consider preserving anonymity through one of the following ways:</p>
<ul>
<li>By hiding the source of the subscription i.e., anonymous communication. That is the subscribing node shall hide all its PII in its filter request e.g., its IP address. This can happen by the utilization of a proxy server or by using Tor<!-- raw HTML omitted -->.
Note that the current structure of filter requests i.e., <code>FilterRPC</code> does not embody any piece of PII, otherwise, such data fields must be treated carefully to achieve anonymity.</li>
<li>By deploying secure 2-party computations in which the subscribing node obtains the messages matching a content filter whereas the full node learns nothing about the content filter as well as the messages pushed to the subscribing node. Examples of such 2PC protocols are <ahref="https://link.springer.com/referenceworkentry/10.1007%2F978-1-4419-5906-5_9#:~:text=Oblivious%20transfer%20%28OT%29%20is%20a,information%20the%20receiver%20actually%20obtains.">Oblivious Transfers</a> and one-way Private Set Intersections (PSI).</li>
</ul>
<h1id="changelog">
Changelog
<aclass="anchor"href="#changelog">#</a>
</h1>
<h3id="next">
Next
<aclass="anchor"href="#next">#</a>
</h3>
<ul>
<li>Added initial threat model and security analysis.</li>
</ul>
<h3id="200-beta2">
2.0.0-beta2
<aclass="anchor"href="#200-beta2">#</a>
</h3>
<p>Initial draft version. Released <ahref="https://github.com/vacp2p/specs/commit/5ceeb88cee7b918bb58f38e7c4de5d581ff31e68">2020-10-28</a></p>
<ul>
<li>Fix: Ensure contentFilter is a repeated field, on implementation</li>
<li>Change: Add ability to unsubscribe from filters. Make <code>subscribe</code> an explicit boolean indication. Edit protobuf field order to be consistent with libp2p.</li>
</ul>
<h3id="200-beta1">
2.0.0-beta1
<aclass="anchor"href="#200-beta1">#</a>
</h3>
<p>Initial draft version. Released <ahref="https://github.com/vacp2p/specs/commit/31857c7434fa17efc00e3cd648d90448797d107b">2020-10-05</a></p>