-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ensure that peers can't change IP of known nodes #5136
Conversation
👋 Thanks for creating a PR! Before we can merge this PR, please make sure that all the following items have been
Thank you for your contribution to Tendermint! 🚀 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
💯
Thanks for fixing this @ValarDragon!
What do you think about modifying addToNewBucket to return an error
tendermint/p2p/pex/addrbook.go
Line 520 in 8cdb53c
func (a *addrBook) addToNewBucket(ka *knownAddress, bucketIdx int) { |
Sure I can change that! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Dope!
⛩ 🎄 🎲 🍘
require.Nil(t, err) | ||
|
||
// Try changing ip but keeping the same node id. (change 1.1.1.1 to 2.2.2.2) | ||
// This should just be ignored, and not error. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe sending you peer's with the same ID but different IP should be deemed as malicious behaviour / worth lowering your peer score for?
Its tricky since you can't tell which peer sent you the correct IP. Maybe its worth a debug message at least? If so I can go ahead and add one
Figured I should flag this in case its worth further discussion
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This sounds more suited to be discussed outside of this PR, maybe open up an issue with the open question?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will do!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I feel like there may have been some initial motivation to allow the IP address associated with an ID to change. One could imaging rebooting a node eg on AWS or otherwise and keeping the same config data (ie. ID) but getting a new IP. Would such a case still be accounted for? Would such a peer now be treated as malicious?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is definitely tricky to handle correctly. (I've been having trouble writing the issue, due to me having unclear thoughts on any particular solution idea)
In the code as of this PR, AddAddress would ignore the new node with a different IP. I think this means it would only send messages to the old IP. However noone is marked malicious.
If we wanted to support this, we'd have to authenticate the incoming connection via secret connection before updating the IP, and maybe have an update methon on the address book.
Codecov Report
@@ Coverage Diff @@
## master #5136 +/- ##
==========================================
- Coverage 62.60% 62.59% -0.02%
==========================================
Files 256 256
Lines 27172 27175 +3
==========================================
- Hits 17012 17010 -2
- Misses 8665 8677 +12
+ Partials 1495 1488 -7
|
Co-authored-by: Anton Kaliaev <[email protected]>
Co-authored-by: Anton Kaliaev <[email protected]>
Closes #1581
This fixes the error in #1581, and also documents the purpose of this line. It ensures that if a peer tells us an address we know about, whose ID is the same as our current ID, we ignore it.
This removes the previous case where the ID's matched, but the IP's did not, which could yield a potential overwrite of the IP associated with the address later on. (This then would yield an eclipse attack)
This was not a vulnerability before though, thanks to a defensive check here https://github.com/tendermint/tendermint/blob/master/p2p/pex/addrbook.go#L522)
I did not include a test with this code, because the relevant defensive test did not return an error but instead logged an error.
The code which one can use to manually test this against the previous code is:
If you see a logged error after running
pex$ go test -run 1581 -v
a few times, the error is present.