net: option to disallow v1 connection on ipv4 and ipv6 peers #30951
Conversation
|
The following sections might be updated with supplementary metadata relevant to reviewers and maintainers. Code Coverage & BenchmarksFor details see: https://corecheck.dev/bitcoin/bitcoin/pulls/30951. ReviewsSee the guideline for information on the review process.
If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update. ConflictsReviewers, this pull request conflicts with the following ones:
If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first. |
cd4f811 to
0cfc9fc
Compare
7c9e5a1 to
ab5f875
Compare
|
In #29618 and here, I don't see the motivation to forbid v1 connections. In other words, what is the purpose of this? In addition to the concerns expressed in #29618, there is one more - if V2-only is widespread, it may be hard to eclipse V2-only node, but then it becomes easy to eclipse a V1 node which has a problem of finding peers to connect to, so an attacker starts a lot of nodes that do accept V1 connections. I see possible downsides and 0 benefit of a v2only option. |
|
Concept ACK
Well, to gain the benefits of BIP324. For example if you are concerned about someone inspecting the traffic to your node it really doesn't matter how many BIP324 peers you have if you have just one unencrypted connection. You could also run tor-only in this case, but that has its own disadvantages and
that would be a problem, but |
Our docs address this to an extent here and here. As those docs point out,
Agree. My node, for instance, runs over tor/i2p/cjdns and makes manual connections to trusted clearnet peers.
Agree. With this change, clearnet node operators may need to accept v2, whether they wish to or not. We generally try to avoid forcing users to do things. I suppose my concept ack on this would depend on that tradeoff. |
True. Lets dive a bit deeper - what are the reasons to be concerned about somebody inspecting the traffic to my node? |
src/init.cpp
Outdated
| @@ -550,6 +550,7 @@ void SetupServerArgs(ArgsManager& argsman, bool can_listen_ipc) | |||
| argsman.AddArg("-i2pacceptincoming", strprintf("Whether to accept inbound I2P connections (default: %i). Ignored if -i2psam is not set. Listening for inbound I2P connections is done through the SAM proxy, not by binding to a local address and port.", DEFAULT_I2P_ACCEPT_INCOMING), ArgsManager::ALLOW_ANY, OptionsCategory::CONNECTION); | |||
| argsman.AddArg("-onlynet=<net>", "Make automatic outbound connections only to network <net> (" + Join(GetNetworkNames(), ", ") + "). Inbound and manual connections are not affected by this option. It can be specified multiple times to allow multiple networks.", ArgsManager::ALLOW_ANY, OptionsCategory::CONNECTION); | |||
| argsman.AddArg("-v2transport", strprintf("Support v2 transport (default: %u)", DEFAULT_V2_TRANSPORT), ArgsManager::ALLOW_ANY, OptionsCategory::CONNECTION); | |||
| argsman.AddArg("-v2onlyclearnet", strprintf("Disallow v1 connections on IPV4/IPV6 (default: %u). Enabling this is not recommended unless absolutely necessary, as it may risk network partitions if all users enable it.", false), ArgsManager::ALLOW_ANY, OptionsCategory::CONNECTION); | |||
There was a problem hiding this comment.
Enabling this is not recommended unless absolutely necessary, as it may risk network partitions
This is unfortunately only one brigading campaign by one or more prominent bitcoiners on social media away from being potentially adopted by many nodes.
With -onlynet, the network partition risk is in practice opt-in, i.e. chosen by a minority subset for themselves. Whereas here, the network partitioning and the lack of peers risks could be imposed on a future minority of users that are running earlier versions of Bitcoin Core. This seems at odds with maintaining backward compatibility for that minority.
Some thoughts off the top my head:
In both of these cases, if you accept inbounds they could just connect to you as an alternative (but they would need to have a suspicion, whereas detection of bitcoin-related network data could be automated). So another alternative would be to only disallow v1 connections for outbound peers. In that case, if you don't want any v1 connections at all you'd have to run with |
This is what is worrying me - V2-only will not hide the fact that I am running a bitcoin node, but may give the false impression that it does. This is dangerous. My node will connect to publicly known bitcoin nodes and the mere fact that I have a TCP connection to an Another possible misunderstanding is that V2-only makes the traffic impossible to spy. I can imagine a blatant MITM, which is detectable because the session keys would differ, should somebody bother to check them. Once I detect this, whom am I going to complain to? My oppressive gov/ISP/whatever, same one that is doing the spying? Or the ISP can outright redirect my connections to
V2-only may give the false impression that it breaks the link between transaction origin and IP address / geolocation. Even with unspyable p2p encryption, I may have a connection to a spy bitcoin node which then sees my traffic. Like you said "it really doesn't matter how many BIP324 peers you have if you have just one unencrypted connection" I think this is the same as "it does not matter even if all your connections are encrypted, if you have just one (encrypted) connection to a spy node". |
|
@vasild V2 only doesn't protect against active attacks like the ones you've mentioned which require resources from the other party to run a node to spy the traffic. V2 only protects against a cheaper attack vectors possible because of passive inspection of network traffic flowing through different medium. They don't need the other party to run a node to spy.
Yes, for the same reason as wanting to encrypt network traffic in the first place and this just offers a stronger guarantee when running a node with v2 support that unencrypted clearnet bitcoin traffic is not being collected and sold by other parties. Deep packet inspection, keyword filtering are cheaper for ISPs/firewalls to pull off and v2 only would protect against this. |
|
A V2-only option will:
but it will give the false impression that it does those two things. Further, it will make it more difficult for old nodes to find peers to connect to. Concept NACK because of that. |
|
Concept ACK This option seems useful for users that want to:
Have you checked how diverse these ~60% of v2 supporting nodes are? An extreme example: if they are all on running on AWS then I don't think we should add the option at this time. |
How? Given that the spy does not need to inspect the traffic at all:
|
|
@vasild That assumes the attacker has sufficient monitoring infrastructure in place to maintain an accurate list of Bitcoin P2P ip:ports. That's obviously not impossible, but it is a significantly larger effort than stateless packet inspection looking for the string "\xf9\xbe\xb4\xd9version\x00\x00\x00\x00\x00". And yes, very little in BIP324 protects against an attacker deliberately targetting specific individuals - its goal is increasing costs for large-scale monitoring. From that perspective I agree there is a risk for a false sense of security when introducing options like these, but I think it's a stretch to say that that makes it pointless. I can very well imagine this makes it possible to run a node at all for some users. However, as I pointed out in the linked issue, I am somewhat concerned about a potential future where it becomes harder for other/older software to connect to the network if large swaths move to be v2-only. Because of that, I wonder if it isn't better to make this only apply to outbound connections, and advise people who want more private operation to not listen for inbound connections. |
Yes. I may be potentially concept/approach ack here if this proposal adopts the suggestion above / in #29618 (comment) or #29618 (comment). (Along with perhaps additional user documentation for node runners, maybe in the relevant config option helps and/or in |
This comment was marked as abuse.
This comment was marked as abuse.
|
A mutation testing report for this PR is available at: https://brunoerg.xyz/mutation-core-front |
i'm not advicating to send just transactions, v2 connections would have blocks+transactions, all of it. Not sending transactions over v1 makes sure that transactions aren't sent over the network in plaintext. In the long term, if the idea is to phase out P2P v1, i think demotiing it to a blocksonly-protocol makes sense. It holds the network together against eclipse attacks and accidental partitioning, but doesn't reveal anything privacy sensitive. Sure, passive attackers can still see packet sizes in the v2 connections, but that doesn't actually change if you refuse to accept and/or make v1 connections at all?
i still don't believe there is any hiding like that. There's so many tells for passive attackers: using the DNS seeds, connecting to certain nodes, using port 8333 (in and/or out), using P2P address gossip. Sure, if you manage to avoid all of those, it's less apparent, but that's so much work and easy to screw up with a small mistake. |
|
Before I could see the purpose of the full v2only option: 1. to hide the fact that a bitcoin node is running and 2. hide its own transactions. However I think it would achieve neither of those, but I could see how it looked like it would. Now it is changed:
Does it still have the same motivation: 1. and 2.? I think the idea in #29618 is that v1 connections are somehow harmful and we must not have any of them. Now with this PR we would allow v1 inbound connections? @iotamega, do you think this would resolve #29618? Once the node has e.g. 30 connections and some of them are v1 and some v2, I think it is irrelevant which are inbound and which are outbound. Consider outbound v1 connections to clearnet but via the Tor proxy (via the Tor network and Tor exit nodes), if |
b434583 to
4d4f809
Compare
4d4f809 to
5e3fa67
Compare
a boolean option `disable_v1conn_clearnet` is introduced in CConman which will (in a later commit) store if the user wishes to disable outbound v1 connections on IPV4 and IPV6 networks since they are unencrypted. this option is accessible outside CConman using `DisableV1OnClearnet()` function with the network we're trying to connect to passed as an argument. Github-Pull: bitcoin#30951 Rebased-From: 88ca9ac
if this option is set by the user, v1 connections on unencrypted networks like IPV4/IPV6 will be disallowed. Only users with real need are recommended to turn this on because it could risk network partitioning in the unlikely scenario that everyone turns it on. Github-Pull: bitcoin#30951 Rebased-From: 9d23891
if `-v2onlyclearnet` is turned on, - v1 addresses from addrman aren't selected and manual connections aren't attempted for outbound connections if it's from IPV4/IPV6 networks. - v1 downgrade mechainm is not attempted if v2 connection wasn't successful Github-Pull: bitcoin#30951 Rebased-From: 25eb4d0
when `-v2onlyclearnet` is turned on: - v1 connections to clearnet peers don't work - v2 connections to clearnet peers work - v1 conneections to tor/i2p/cjdns peer works a proxy is used because otherwise NET_UNROUTABLE is the default network in the tests. Github-Pull: bitcoin#30951 Rebased-From: 5e3fa67
a boolean option `disable_v1conn_clearnet` is introduced in CConman which will (in a later commit) store if the user wishes to disable outbound v1 connections on IPV4 and IPV6 networks since they are unencrypted. this option is accessible outside CConman using `DisableV1OnClearnet()` function with the network we're trying to connect to passed as an argument.
if this option is set by the user, v1 connections on unencrypted networks like IPV4/IPV6 will be disallowed. Only users with real need are recommended to turn this on because it could risk network partitioning in the unlikely scenario that everyone turns it on.
if `-v2onlyclearnet` is turned on, - v1 addresses from addrman aren't selected and manual connections aren't attempted for outbound connections if it's from IPV4/IPV6 networks. - v1 downgrade mechainm is not attempted if v2 connection wasn't successful
when `-v2onlyclearnet` is turned on: - v1 connections to clearnet peers don't work - v2 connections to clearnet peers work - v1 conneections to tor/i2p/cjdns peer works a proxy is used because otherwise NET_UNROUTABLE is the default network in the tests.
5e3fa67 to
27e9000
Compare
a boolean option `disable_v1conn_clearnet` is introduced in CConman which will (in a later commit) store if the user wishes to disable outbound v1 connections on IPV4 and IPV6 networks since they are unencrypted. this option is accessible outside CConman using `DisableV1OnClearnet()` function with the network we're trying to connect to passed as an argument. Github-Pull: bitcoin#30951 Rebased-From: 1d445c9
if this option is set by the user, v1 connections on unencrypted networks like IPV4/IPV6 will be disallowed. Only users with real need are recommended to turn this on because it could risk network partitioning in the unlikely scenario that everyone turns it on. Github-Pull: bitcoin#30951 Rebased-From: d166ed7
if `-v2onlyclearnet` is turned on, - v1 addresses from addrman aren't selected and manual connections aren't attempted for outbound connections if it's from IPV4/IPV6 networks. - v1 downgrade mechainm is not attempted if v2 connection wasn't successful Github-Pull: bitcoin#30951 Rebased-From: 19d1bc2
when `-v2onlyclearnet` is turned on: - v1 connections to clearnet peers don't work - v2 connections to clearnet peers work - v1 conneections to tor/i2p/cjdns peer works a proxy is used because otherwise NET_UNROUTABLE is the default network in the tests. Github-Pull: bitcoin#30951 Rebased-From: 27e9000
resolves #29618.
This PR adds a config flag option
-v2onlyclearnetwhich disallows outbound v1 connections on ipv4 and ipv6 networks since they're unencrypted. outbound v1 connections are still possible from tor/i2p/cjdns peers since they're encrypted networks.-v2onlyclearnetis switched on)Currently 35 - 39% of reachable nodes in network supporting v2 (according to https://21.ninja/reachable-nodes/node-service-share/ and https://bitnodes.io/nodes). Also found 41-45 % of addresses supporting v2 in the addrman of nodes I checked - personal node and the nodes in peer.observer. (You can use this branch to check the % of v2 addresses in a node's addrman.)