zecfoundation
/
zebra
mirror of https://github.com/ZcashFoundation/zebra.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
zebra/zebra-network/src/address_book.rs

451 lines
15 KiB
Rust
Raw Normal View History

Security: stop gossiping temporary inbound remote addresses to peers - stop putting inbound addresses in the address book - drop address book entries that can't be used for outbound connections - distinguish between temporary inbound and permanent outbound peer addresses - also create variants to handle proxy connections (but don't use them yet) - avoid tracking connection state for isolated connections - document security constraints for the address book and peer set
2021-05-06 17:50:04 -07:00
//! The `AddressBook` manages information about what peers exist, when they were
Extract `TimestampData` to `AddressBook`. This allows us to hide the `TimestampCollector` and to expose only the address book data required by the inbound request service. It also lets us have a common data structure (the `AddressBook`) for collecting peer information that can be used to manage information that other peers report to us.
2019-10-17 15:42:19 -07:00
//! seen, and what services they provide.
use std::{
Rewrite AddressBook to use a BTreeSet. The previous implementation failed when timestamps were duplicated between peers, because there was not a 1-1 relationship between timestamps and peers.
2019-10-17 21:19:23 -07:00
collections::{BTreeSet, HashMap},
Implement Extend and Drain for AddressBook.
2019-10-17 17:54:08 -07:00
iter::Extend,
Extract `TimestampData` to `AddressBook`. This allows us to hide the `TimestampCollector` and to expose only the address book data required by the inbound request service. It also lets us have a common data structure (the `AddressBook`) for collecting peer information that can be used to manage information that other peers report to us.
2019-10-17 15:42:19 -07:00
net::SocketAddr,
Log address book metrics when peers aren't responding
2021-03-15 05:31:25 -07:00
time::Instant,
Extract `TimestampData` to `AddressBook`. This allows us to hide the `TimestampCollector` and to expose only the address book data required by the inbound request service. It also lets us have a common data structure (the `AddressBook`) for collecting peer information that can be used to manage information that other peers report to us.
2019-10-17 15:42:19 -07:00
};
Add an explicit tracing span to each address book. Co-authored-by: Deirdre Connolly <deirdre@zfnd.org>
2019-10-21 15:56:16 -07:00
use tracing::Span;
Extract `TimestampData` to `AddressBook`. This allows us to hide the `TimestampCollector` and to expose only the address book data required by the inbound request service. It also lets us have a common data structure (the `AddressBook`) for collecting peer information that can be used to manage information that other peers report to us.
2019-10-17 15:42:19 -07:00
Security: Use canonical SocketAddrs to avoid duplicate peer connections, Feature: Send local listener to peers (#2276) * Always send our local listener with the latest time Previously, whenever there was an inbound request for peers, we would clone the address book and update it with the local listener. This had two impacts: - the listener could conflict with an existing entry, rather than unconditionally replacing it, and - the listener was briefly included in the address book metrics. As a side-effect, this change also makes sanitization slightly faster, because it avoids some useless peer filtering and sorting. * Skip listeners that are not valid for outbound connections * Filter sanitized addresses Zebra based on address state This fix correctly prevents Zebra gossiping client addresses to peers, but still keeps the client in the address book to avoid reconnections. * Add a full set of DateTime32 and Duration32 calculation methods * Refactor sanitize to use the new DateTime32/Duration32 methods * Security: Use canonical SocketAddrs to avoid duplicate connections If we allow multiple variants for each peer address, we can make multiple connections to that peer. Also make sure sanitized MetaAddrs are valid for outbound connections. * Test that address books contain the local listener address Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
2021-06-21 19:16:59 -07:00
use zebra_chain::serialization::canonical_socket_addr;
Gossip dynamic local listener ports to peers (#2277) * Gossip dynamically allocated listener ports to peers Previously, Zebra would either gossip port `0`, which is invalid, or skip gossiping its own dynamically allocated listener port. * Improve "no configured peers" warning And downgrade from error to warning, because inbound-only nodes are a valid use case. * Move random_known_port to zebra-test * Add tests for dynamic local listener ports and the AddressBook Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
2021-06-22 14:59:06 -07:00
use crate::{meta_addr::MetaAddrChange, types::MetaAddr, PeerAddrState};
Extract `TimestampData` to `AddressBook`. This allows us to hide the `TimestampCollector` and to expose only the address book data required by the inbound request service. It also lets us have a common data structure (the `AddressBook`) for collecting peer information that can be used to manage information that other peers report to us.
2019-10-17 15:42:19 -07:00
Security: stop gossiping temporary inbound remote addresses to peers - stop putting inbound addresses in the address book - drop address book entries that can't be used for outbound connections - distinguish between temporary inbound and permanent outbound peer addresses - also create variants to handle proxy connections (but don't use them yet) - avoid tracking connection state for isolated connections - document security constraints for the address book and peer set
2021-05-06 17:50:04 -07:00
/// A database of peer listener addresses, their advertised services, and
/// information on when they were last seen.
///
/// # Security
///
/// Address book state must be based on outbound connections to peers.
///
/// If the address book is updated incorrectly:
/// - malicious peers can interfere with other peers' `AddressBook` state,
/// or
/// - Zebra can advertise unreachable addresses to its own peers.
///
/// ## Adding Addresses
///
/// The address book should only contain Zcash listener port addresses from peers
/// on the configured network. These addresses can come from:
/// - DNS seeders
/// - addresses gossiped by other peers
/// - the canonical address (`Version.address_from`) provided by each peer,
/// particularly peers on inbound connections.
///
/// The remote addresses of inbound connections must not be added to the address
/// book, because they contain ephemeral outbound ports, not listener ports.
///
/// Isolated connections must not add addresses or update the address book.
///
/// ## Updating Address State
///
/// Updates to address state must be based on outbound connections to peers.
///
/// Updates must not be based on:
/// - the remote addresses of inbound connections, or
/// - the canonical address of any connection.
Refactor and document correctness for std::sync::Mutex<AddressBook>
2021-04-18 23:04:24 -07:00
#[derive(Clone, Debug)]
Extract `TimestampData` to `AddressBook`. This allows us to hide the `TimestampCollector` and to expose only the address book data required by the inbound request service. It also lets us have a common data structure (the `AddressBook`) for collecting peer information that can be used to manage information that other peers report to us.
2019-10-17 15:42:19 -07:00
pub struct AddressBook {
Reliability: send local listener address to peers When peers ask for peer addresses, add our local listener address to the set of addresses, sanitize, then truncate. Sanitize shuffles addresses, so if there are lots of addresses in the address book, our address will only be sent to some peers.
2021-05-06 18:08:06 -07:00
/// Each known peer address has a matching `MetaAddr`.
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
by_addr: HashMap<SocketAddr, MetaAddr>,
Reliability: send local listener address to peers When peers ask for peer addresses, add our local listener address to the set of addresses, sanitize, then truncate. Sanitize shuffles addresses, so if there are lots of addresses in the address book, our address will only be sent to some peers.
2021-05-06 18:08:06 -07:00
/// The local listener address.
local_listener: SocketAddr,
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
/// The span for operations on this address book.
Add an explicit tracing span to each address book. Co-authored-by: Deirdre Connolly <deirdre@zfnd.org>
2019-10-21 15:56:16 -07:00
span: Span,
Log address book metrics when peers aren't responding
2021-03-15 05:31:25 -07:00
Reliability: send local listener address to peers When peers ask for peer addresses, add our local listener address to the set of addresses, sanitize, then truncate. Sanitize shuffles addresses, so if there are lots of addresses in the address book, our address will only be sent to some peers.
2021-05-06 18:08:06 -07:00
/// The last time we logged a message about the address metrics.
Log address book metrics when peers aren't responding
2021-03-15 05:31:25 -07:00
last_address_log: Option<Instant>,
Extract `TimestampData` to `AddressBook`. This allows us to hide the `TimestampCollector` and to expose only the address book data required by the inbound request service. It also lets us have a common data structure (the `AddressBook`) for collecting peer information that can be used to manage information that other peers report to us.
2019-10-17 15:42:19 -07:00
}
Refactor AddressBook metrics into their own struct And provide an accessor function for address book metrics.
2021-03-15 04:52:58 -07:00
/// Metrics about the states of the addresses in an [`AddressBook`].
#[derive(Debug)]
pub struct AddressMetrics {
/// The number of addresses in the `Responded` state.
responded: usize,
Security: stop gossiping temporary inbound remote addresses to peers - stop putting inbound addresses in the address book - drop address book entries that can't be used for outbound connections - distinguish between temporary inbound and permanent outbound peer addresses - also create variants to handle proxy connections (but don't use them yet) - avoid tracking connection state for isolated connections - document security constraints for the address book and peer set
2021-05-06 17:50:04 -07:00
/// The number of addresses in the `NeverAttemptedGossiped` state.
never_attempted_gossiped: usize,
/// The number of addresses in the `NeverAttemptedAlternate` state.
never_attempted_alternate: usize,
Refactor AddressBook metrics into their own struct And provide an accessor function for address book metrics.
2021-03-15 04:52:58 -07:00
/// The number of addresses in the `Failed` state.
failed: usize,
/// The number of addresses in the `AttemptPending` state.
attempt_pending: usize,
/// The number of `Responded` addresses within the liveness limit.
recently_live: usize,
/// The number of `Responded` addresses outside the liveness limit.
recently_stopped_responding: usize,
}
Apply clippy fixes
2020-02-04 22:53:24 -08:00
#[allow(clippy::len_without_is_empty)]
Extract `TimestampData` to `AddressBook`. This allows us to hide the `TimestampCollector` and to expose only the address book data required by the inbound request service. It also lets us have a common data structure (the `AddressBook`) for collecting peer information that can be used to manage information that other peers report to us.
2019-10-17 15:42:19 -07:00
impl AddressBook {
Gossip dynamic local listener ports to peers (#2277) * Gossip dynamically allocated listener ports to peers Previously, Zebra would either gossip port `0`, which is invalid, or skip gossiping its own dynamically allocated listener port. * Improve "no configured peers" warning And downgrade from error to warning, because inbound-only nodes are a valid use case. * Move random_known_port to zebra-test * Add tests for dynamic local listener ports and the AddressBook Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
2021-06-22 14:59:06 -07:00
/// Construct an [`AddressBook`] with the given `local_listener` and
/// [`tracing::Span`].
pub fn new(local_listener: SocketAddr, span: Span) -> AddressBook {
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
let constructor_span = span.clone();
let _guard = constructor_span.enter();
Log address book metrics when peers aren't responding
2021-03-15 05:31:25 -07:00
let mut new_book = AddressBook {
Add an explicit tracing span to each address book. Co-authored-by: Deirdre Connolly <deirdre@zfnd.org>
2019-10-21 15:56:16 -07:00
by_addr: HashMap::default(),
Gossip dynamic local listener ports to peers (#2277) * Gossip dynamically allocated listener ports to peers Previously, Zebra would either gossip port `0`, which is invalid, or skip gossiping its own dynamically allocated listener port. * Improve "no configured peers" warning And downgrade from error to warning, because inbound-only nodes are a valid use case. * Move random_known_port to zebra-test * Add tests for dynamic local listener ports and the AddressBook Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
2021-06-22 14:59:06 -07:00
local_listener: canonical_socket_addr(local_listener),
Add an explicit tracing span to each address book. Co-authored-by: Deirdre Connolly <deirdre@zfnd.org>
2019-10-21 15:56:16 -07:00
span,
Log address book metrics when peers aren't responding
2021-03-15 05:31:25 -07:00
last_address_log: None,
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
};
new_book.update_metrics();
new_book
Add an explicit tracing span to each address book. Co-authored-by: Deirdre Connolly <deirdre@zfnd.org>
2019-10-21 15:56:16 -07:00
}
Gossip dynamic local listener ports to peers (#2277) * Gossip dynamically allocated listener ports to peers Previously, Zebra would either gossip port `0`, which is invalid, or skip gossiping its own dynamically allocated listener port. * Improve "no configured peers" warning And downgrade from error to warning, because inbound-only nodes are a valid use case. * Move random_known_port to zebra-test * Add tests for dynamic local listener ports and the AddressBook Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
2021-06-22 14:59:06 -07:00
/// Construct an [`AddressBook`] with the given `local_listener`,
Security: Limit reconnection rate to individual peers (#2275) * Security: Limit reconnection rate to individual peers Reconnection Rate Limit the reconnection rate to each individual peer by applying the liveness cutoff to the attempt, responded, and failure time fields. If any field is recent, the peer is skipped. The new liveness cutoff skips any peers that have recently been attempted or failed. (Previously, the liveness check was only applied if the peer was in the `Responded` state, which could lead to repeated retries of `Failed` peers, particularly in small address books.) Reconnection Order Zebra prefers more useful peer states, then the earliest attempted, failed, and responded times, then the most recent gossiped last seen times. Before this change, Zebra took the most recent time in all the peer time fields, and used that time for liveness and ordering. This led to confusion between trusted and untrusted data, and success and failure times. Unlike the previous order, the new order: - tries all peers in each state, before re-trying any peer in that state, and - only checks the the gossiped untrusted last seen time if all other times are equal. * Preserve the later time if changes arrive out of order * Update CandidateSet::next documentation * Update CandidateSet state diagram * Fix variant names in comments * Explain why timestamps can be left out of MetaAddrChanges * Add a simple test for the individual peer retry limit * Only generate valid Arbitrary PeerServices values * Add an individual peer retry limit AddressBook and CandidateSet test * Stop deleting recently live addresses from the address book If we delete recently live addresses from the address book, we can get a new entry for them, and reconnect too rapidly. * Rename functions to match similar tokio API * Fix docs for service sorting * Clarify a comment * Cleanup a variable and comments * Remove blank lines in the CandidateSet state diagram * Add a multi-peer proptest that checks outbound attempt fairness * Fix a comment typo Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com> * Simplify time maths in MetaAddr * Create a Duration32 type to simplify calculations and comparisons * Rename variables for clarity * Split a string constant into multiple lines * Make constants match rustdoc order Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
2021-06-18 05:30:44 -07:00
/// [`tracing::Span`], and addresses.
///
/// This constructor can be used to break address book invariants,
/// so it should only be used in tests.
#[cfg(any(test, feature = "proptest-impl"))]
pub fn new_with_addrs(
Gossip dynamic local listener ports to peers (#2277) * Gossip dynamically allocated listener ports to peers Previously, Zebra would either gossip port `0`, which is invalid, or skip gossiping its own dynamically allocated listener port. * Improve "no configured peers" warning And downgrade from error to warning, because inbound-only nodes are a valid use case. * Move random_known_port to zebra-test * Add tests for dynamic local listener ports and the AddressBook Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
2021-06-22 14:59:06 -07:00
local_listener: SocketAddr,
Security: Limit reconnection rate to individual peers (#2275) * Security: Limit reconnection rate to individual peers Reconnection Rate Limit the reconnection rate to each individual peer by applying the liveness cutoff to the attempt, responded, and failure time fields. If any field is recent, the peer is skipped. The new liveness cutoff skips any peers that have recently been attempted or failed. (Previously, the liveness check was only applied if the peer was in the `Responded` state, which could lead to repeated retries of `Failed` peers, particularly in small address books.) Reconnection Order Zebra prefers more useful peer states, then the earliest attempted, failed, and responded times, then the most recent gossiped last seen times. Before this change, Zebra took the most recent time in all the peer time fields, and used that time for liveness and ordering. This led to confusion between trusted and untrusted data, and success and failure times. Unlike the previous order, the new order: - tries all peers in each state, before re-trying any peer in that state, and - only checks the the gossiped untrusted last seen time if all other times are equal. * Preserve the later time if changes arrive out of order * Update CandidateSet::next documentation * Update CandidateSet state diagram * Fix variant names in comments * Explain why timestamps can be left out of MetaAddrChanges * Add a simple test for the individual peer retry limit * Only generate valid Arbitrary PeerServices values * Add an individual peer retry limit AddressBook and CandidateSet test * Stop deleting recently live addresses from the address book If we delete recently live addresses from the address book, we can get a new entry for them, and reconnect too rapidly. * Rename functions to match similar tokio API * Fix docs for service sorting * Clarify a comment * Cleanup a variable and comments * Remove blank lines in the CandidateSet state diagram * Add a multi-peer proptest that checks outbound attempt fairness * Fix a comment typo Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com> * Simplify time maths in MetaAddr * Create a Duration32 type to simplify calculations and comparisons * Rename variables for clarity * Split a string constant into multiple lines * Make constants match rustdoc order Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
2021-06-18 05:30:44 -07:00
span: Span,
addrs: impl IntoIterator<Item = MetaAddr>,
) -> AddressBook {
Gossip dynamic local listener ports to peers (#2277) * Gossip dynamically allocated listener ports to peers Previously, Zebra would either gossip port `0`, which is invalid, or skip gossiping its own dynamically allocated listener port. * Improve "no configured peers" warning And downgrade from error to warning, because inbound-only nodes are a valid use case. * Move random_known_port to zebra-test * Add tests for dynamic local listener ports and the AddressBook Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
2021-06-22 14:59:06 -07:00
let mut new_book = AddressBook::new(local_listener, span);
Security: Limit reconnection rate to individual peers (#2275) * Security: Limit reconnection rate to individual peers Reconnection Rate Limit the reconnection rate to each individual peer by applying the liveness cutoff to the attempt, responded, and failure time fields. If any field is recent, the peer is skipped. The new liveness cutoff skips any peers that have recently been attempted or failed. (Previously, the liveness check was only applied if the peer was in the `Responded` state, which could lead to repeated retries of `Failed` peers, particularly in small address books.) Reconnection Order Zebra prefers more useful peer states, then the earliest attempted, failed, and responded times, then the most recent gossiped last seen times. Before this change, Zebra took the most recent time in all the peer time fields, and used that time for liveness and ordering. This led to confusion between trusted and untrusted data, and success and failure times. Unlike the previous order, the new order: - tries all peers in each state, before re-trying any peer in that state, and - only checks the the gossiped untrusted last seen time if all other times are equal. * Preserve the later time if changes arrive out of order * Update CandidateSet::next documentation * Update CandidateSet state diagram * Fix variant names in comments * Explain why timestamps can be left out of MetaAddrChanges * Add a simple test for the individual peer retry limit * Only generate valid Arbitrary PeerServices values * Add an individual peer retry limit AddressBook and CandidateSet test * Stop deleting recently live addresses from the address book If we delete recently live addresses from the address book, we can get a new entry for them, and reconnect too rapidly. * Rename functions to match similar tokio API * Fix docs for service sorting * Clarify a comment * Cleanup a variable and comments * Remove blank lines in the CandidateSet state diagram * Add a multi-peer proptest that checks outbound attempt fairness * Fix a comment typo Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com> * Simplify time maths in MetaAddr * Create a Duration32 type to simplify calculations and comparisons * Rename variables for clarity * Split a string constant into multiple lines * Make constants match rustdoc order Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
2021-06-18 05:30:44 -07:00
let addrs = addrs
.into_iter()
Security: Use canonical SocketAddrs to avoid duplicate peer connections, Feature: Send local listener to peers (#2276) * Always send our local listener with the latest time Previously, whenever there was an inbound request for peers, we would clone the address book and update it with the local listener. This had two impacts: - the listener could conflict with an existing entry, rather than unconditionally replacing it, and - the listener was briefly included in the address book metrics. As a side-effect, this change also makes sanitization slightly faster, because it avoids some useless peer filtering and sorting. * Skip listeners that are not valid for outbound connections * Filter sanitized addresses Zebra based on address state This fix correctly prevents Zebra gossiping client addresses to peers, but still keeps the client in the address book to avoid reconnections. * Add a full set of DateTime32 and Duration32 calculation methods * Refactor sanitize to use the new DateTime32/Duration32 methods * Security: Use canonical SocketAddrs to avoid duplicate connections If we allow multiple variants for each peer address, we can make multiple connections to that peer. Also make sure sanitized MetaAddrs are valid for outbound connections. * Test that address books contain the local listener address Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
2021-06-21 19:16:59 -07:00
.map(|mut meta_addr| {
meta_addr.addr = canonical_socket_addr(meta_addr.addr);
meta_addr
})
.filter(MetaAddr::address_is_valid_for_outbound)
Security: Limit reconnection rate to individual peers (#2275) * Security: Limit reconnection rate to individual peers Reconnection Rate Limit the reconnection rate to each individual peer by applying the liveness cutoff to the attempt, responded, and failure time fields. If any field is recent, the peer is skipped. The new liveness cutoff skips any peers that have recently been attempted or failed. (Previously, the liveness check was only applied if the peer was in the `Responded` state, which could lead to repeated retries of `Failed` peers, particularly in small address books.) Reconnection Order Zebra prefers more useful peer states, then the earliest attempted, failed, and responded times, then the most recent gossiped last seen times. Before this change, Zebra took the most recent time in all the peer time fields, and used that time for liveness and ordering. This led to confusion between trusted and untrusted data, and success and failure times. Unlike the previous order, the new order: - tries all peers in each state, before re-trying any peer in that state, and - only checks the the gossiped untrusted last seen time if all other times are equal. * Preserve the later time if changes arrive out of order * Update CandidateSet::next documentation * Update CandidateSet state diagram * Fix variant names in comments * Explain why timestamps can be left out of MetaAddrChanges * Add a simple test for the individual peer retry limit * Only generate valid Arbitrary PeerServices values * Add an individual peer retry limit AddressBook and CandidateSet test * Stop deleting recently live addresses from the address book If we delete recently live addresses from the address book, we can get a new entry for them, and reconnect too rapidly. * Rename functions to match similar tokio API * Fix docs for service sorting * Clarify a comment * Cleanup a variable and comments * Remove blank lines in the CandidateSet state diagram * Add a multi-peer proptest that checks outbound attempt fairness * Fix a comment typo Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com> * Simplify time maths in MetaAddr * Create a Duration32 type to simplify calculations and comparisons * Rename variables for clarity * Split a string constant into multiple lines * Make constants match rustdoc order Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
2021-06-18 05:30:44 -07:00
.map(|meta_addr| (meta_addr.addr, meta_addr));
new_book.by_addr.extend(addrs);
new_book.update_metrics();
new_book
}
Reliability: send local listener address to peers When peers ask for peer addresses, add our local listener address to the set of addresses, sanitize, then truncate. Sanitize shuffles addresses, so if there are lots of addresses in the address book, our address will only be sent to some peers.
2021-05-06 18:08:06 -07:00
/// Get the local listener address.
Security: Use canonical SocketAddrs to avoid duplicate peer connections, Feature: Send local listener to peers (#2276) * Always send our local listener with the latest time Previously, whenever there was an inbound request for peers, we would clone the address book and update it with the local listener. This had two impacts: - the listener could conflict with an existing entry, rather than unconditionally replacing it, and - the listener was briefly included in the address book metrics. As a side-effect, this change also makes sanitization slightly faster, because it avoids some useless peer filtering and sorting. * Skip listeners that are not valid for outbound connections * Filter sanitized addresses Zebra based on address state This fix correctly prevents Zebra gossiping client addresses to peers, but still keeps the client in the address book to avoid reconnections. * Add a full set of DateTime32 and Duration32 calculation methods * Refactor sanitize to use the new DateTime32/Duration32 methods * Security: Use canonical SocketAddrs to avoid duplicate connections If we allow multiple variants for each peer address, we can make multiple connections to that peer. Also make sure sanitized MetaAddrs are valid for outbound connections. * Test that address books contain the local listener address Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
2021-06-21 19:16:59 -07:00
///
/// This address contains minimal state, but it is not sanitized.
Gossip dynamic local listener ports to peers (#2277) * Gossip dynamically allocated listener ports to peers Previously, Zebra would either gossip port `0`, which is invalid, or skip gossiping its own dynamically allocated listener port. * Improve "no configured peers" warning And downgrade from error to warning, because inbound-only nodes are a valid use case. * Move random_known_port to zebra-test * Add tests for dynamic local listener ports and the AddressBook Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
2021-06-22 14:59:06 -07:00
pub fn local_listener_meta_addr(&self) -> MetaAddr {
Security: Use canonical SocketAddrs to avoid duplicate peer connections, Feature: Send local listener to peers (#2276) * Always send our local listener with the latest time Previously, whenever there was an inbound request for peers, we would clone the address book and update it with the local listener. This had two impacts: - the listener could conflict with an existing entry, rather than unconditionally replacing it, and - the listener was briefly included in the address book metrics. As a side-effect, this change also makes sanitization slightly faster, because it avoids some useless peer filtering and sorting. * Skip listeners that are not valid for outbound connections * Filter sanitized addresses Zebra based on address state This fix correctly prevents Zebra gossiping client addresses to peers, but still keeps the client in the address book to avoid reconnections. * Add a full set of DateTime32 and Duration32 calculation methods * Refactor sanitize to use the new DateTime32/Duration32 methods * Security: Use canonical SocketAddrs to avoid duplicate connections If we allow multiple variants for each peer address, we can make multiple connections to that peer. Also make sure sanitized MetaAddrs are valid for outbound connections. * Test that address books contain the local listener address Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
2021-06-21 19:16:59 -07:00
MetaAddr::new_local_listener_change(&self.local_listener)
.into_new_meta_addr()
.expect("unexpected invalid new local listener addr")
Reliability: send local listener address to peers When peers ask for peer addresses, add our local listener address to the set of addresses, sanitize, then truncate. Sanitize shuffles addresses, so if there are lots of addresses in the address book, our address will only be sent to some peers.
2021-05-06 18:08:06 -07:00
}
zebra-network tweaks. (#877) * network: move gossiped peer selection logic into address book. * network: return BoxService from init. * zebrad: add note on why we truncate thegossiped peer list Co-authored-by: Jane Lusby <jlusby42@gmail.com> * Remove unused .rustfmt.toml Many of these options are never actually loaded by our CI because of a channel mismatch, where they're not applied on stable but only on nightly (see the logs from a rustfmt job). This means that we can get different settings when running `cargo fmt` on the nightly and stable channels, which was causing a CI failure on this PR. Reverting back to the default rustfmt settings avoids this problem and keeps us in line with upstream rustfmt. There's no loss to us since we were using the defaults anyways. Co-authored-by: Jane Lusby <jlusby42@gmail.com>
2020-08-11 13:07:44 -07:00
/// Get the contents of `self` in random order with sanitized timestamps.
pub fn sanitized(&self) -> Vec<MetaAddr> {
use rand::seq::SliceRandom;
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
let _guard = self.span.enter();
Security: Use canonical SocketAddrs to avoid duplicate peer connections, Feature: Send local listener to peers (#2276) * Always send our local listener with the latest time Previously, whenever there was an inbound request for peers, we would clone the address book and update it with the local listener. This had two impacts: - the listener could conflict with an existing entry, rather than unconditionally replacing it, and - the listener was briefly included in the address book metrics. As a side-effect, this change also makes sanitization slightly faster, because it avoids some useless peer filtering and sorting. * Skip listeners that are not valid for outbound connections * Filter sanitized addresses Zebra based on address state This fix correctly prevents Zebra gossiping client addresses to peers, but still keeps the client in the address book to avoid reconnections. * Add a full set of DateTime32 and Duration32 calculation methods * Refactor sanitize to use the new DateTime32/Duration32 methods * Security: Use canonical SocketAddrs to avoid duplicate connections If we allow multiple variants for each peer address, we can make multiple connections to that peer. Also make sure sanitized MetaAddrs are valid for outbound connections. * Test that address books contain the local listener address Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
2021-06-21 19:16:59 -07:00
let mut peers = self.by_addr.clone();
// Unconditionally add our local listener address to the advertised peers,
// to replace any self-connection failures. The address book and change
// constructors make sure that the SocketAddr is canonical.
Gossip dynamic local listener ports to peers (#2277) * Gossip dynamically allocated listener ports to peers Previously, Zebra would either gossip port `0`, which is invalid, or skip gossiping its own dynamically allocated listener port. * Improve "no configured peers" warning And downgrade from error to warning, because inbound-only nodes are a valid use case. * Move random_known_port to zebra-test * Add tests for dynamic local listener ports and the AddressBook Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
2021-06-22 14:59:06 -07:00
let local_listener = self.local_listener_meta_addr();
Security: Use canonical SocketAddrs to avoid duplicate peer connections, Feature: Send local listener to peers (#2276) * Always send our local listener with the latest time Previously, whenever there was an inbound request for peers, we would clone the address book and update it with the local listener. This had two impacts: - the listener could conflict with an existing entry, rather than unconditionally replacing it, and - the listener was briefly included in the address book metrics. As a side-effect, this change also makes sanitization slightly faster, because it avoids some useless peer filtering and sorting. * Skip listeners that are not valid for outbound connections * Filter sanitized addresses Zebra based on address state This fix correctly prevents Zebra gossiping client addresses to peers, but still keeps the client in the address book to avoid reconnections. * Add a full set of DateTime32 and Duration32 calculation methods * Refactor sanitize to use the new DateTime32/Duration32 methods * Security: Use canonical SocketAddrs to avoid duplicate connections If we allow multiple variants for each peer address, we can make multiple connections to that peer. Also make sure sanitized MetaAddrs are valid for outbound connections. * Test that address books contain the local listener address Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
2021-06-21 19:16:59 -07:00
peers.insert(local_listener.addr, local_listener);
// Then sanitize and shuffle
let mut peers = peers
.values()
.filter_map(MetaAddr::sanitize)
Rewrite MetaAddr::sanitize so it's harder to misuse `sanitize` could be misused in two ways: * accidentally modifying the addresses in the address book itself * forgetting to sanitize new fields added to `MetaAddr` This change prevents accidental modification by taking `&self`, and explicitly creates a new sanitized `MetaAddr` with all fields listed.
2021-03-25 00:47:25 -07:00
.collect::<Vec<_>>();
zebra-network tweaks. (#877) * network: move gossiped peer selection logic into address book. * network: return BoxService from init. * zebrad: add note on why we truncate thegossiped peer list Co-authored-by: Jane Lusby <jlusby42@gmail.com> * Remove unused .rustfmt.toml Many of these options are never actually loaded by our CI because of a channel mismatch, where they're not applied on stable but only on nightly (see the logs from a rustfmt job). This means that we can get different settings when running `cargo fmt` on the nightly and stable channels, which was causing a CI failure on this PR. Reverting back to the default rustfmt settings avoids this problem and keeps us in line with upstream rustfmt. There's no loss to us since we were using the defaults anyways. Co-authored-by: Jane Lusby <jlusby42@gmail.com>
2020-08-11 13:07:44 -07:00
peers.shuffle(&mut rand::thread_rng());
peers
}
Security: stop gossiping failure and attempt times as last_seen times (#2273) * Security: stop gossiping failure and attempt times as last_seen times Previously, Zebra had a single time field for peer addresses, which was updated every time a peer was attempted, sent a message, or failed. This is a security issue, because the `last_seen` time should be "the last time [a peer] connected to that node", so that "nodes can use the time field to avoid relaying old 'addr' messages". So Zebra was sending incorrect peer information to other nodes. As part of this change, we split the `last_seen` time into the following fields: - untrusted_last_seen: gossiped from other peers - last_response: time we got a response from a directly connected peer - last_attempt: time we attempted to connect to a peer - last_failure: time a connection with a peer failed * Implement Arbitrary and strategies for MetaAddrChange Also replace the MetaAddr Arbitrary impl with a derive. * Write proptests for MetaAddr and MetaAddrChange MetaAddr: - the only times that get included in serialized MetaAddrs are the untrusted last seen and responded times MetaAddrChange: - the untrusted last seen time is never updated - the services are only updated if there has been a handshake
2021-06-14 20:31:16 -07:00
/// Apply `change` to the address book, returning the updated `MetaAddr`,
/// if the change was valid.
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
///
Security: stop gossiping temporary inbound remote addresses to peers - stop putting inbound addresses in the address book - drop address book entries that can't be used for outbound connections - distinguish between temporary inbound and permanent outbound peer addresses - also create variants to handle proxy connections (but don't use them yet) - avoid tracking connection state for isolated connections - document security constraints for the address book and peer set
2021-05-06 17:50:04 -07:00
/// # Correctness
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
///
Security: stop gossiping failure and attempt times as last_seen times (#2273) * Security: stop gossiping failure and attempt times as last_seen times Previously, Zebra had a single time field for peer addresses, which was updated every time a peer was attempted, sent a message, or failed. This is a security issue, because the `last_seen` time should be "the last time [a peer] connected to that node", so that "nodes can use the time field to avoid relaying old 'addr' messages". So Zebra was sending incorrect peer information to other nodes. As part of this change, we split the `last_seen` time into the following fields: - untrusted_last_seen: gossiped from other peers - last_response: time we got a response from a directly connected peer - last_attempt: time we attempted to connect to a peer - last_failure: time a connection with a peer failed * Implement Arbitrary and strategies for MetaAddrChange Also replace the MetaAddr Arbitrary impl with a derive. * Write proptests for MetaAddr and MetaAddrChange MetaAddr: - the only times that get included in serialized MetaAddrs are the untrusted last seen and responded times MetaAddrChange: - the untrusted last seen time is never updated - the services are only updated if there has been a handshake
2021-06-14 20:31:16 -07:00
/// All changes should go through `update`, so that the address book
Security: stop gossiping temporary inbound remote addresses to peers - stop putting inbound addresses in the address book - drop address book entries that can't be used for outbound connections - distinguish between temporary inbound and permanent outbound peer addresses - also create variants to handle proxy connections (but don't use them yet) - avoid tracking connection state for isolated connections - document security constraints for the address book and peer set
2021-05-06 17:50:04 -07:00
/// only contains valid outbound addresses.
Security: Limit reconnection rate to individual peers (#2275) * Security: Limit reconnection rate to individual peers Reconnection Rate Limit the reconnection rate to each individual peer by applying the liveness cutoff to the attempt, responded, and failure time fields. If any field is recent, the peer is skipped. The new liveness cutoff skips any peers that have recently been attempted or failed. (Previously, the liveness check was only applied if the peer was in the `Responded` state, which could lead to repeated retries of `Failed` peers, particularly in small address books.) Reconnection Order Zebra prefers more useful peer states, then the earliest attempted, failed, and responded times, then the most recent gossiped last seen times. Before this change, Zebra took the most recent time in all the peer time fields, and used that time for liveness and ordering. This led to confusion between trusted and untrusted data, and success and failure times. Unlike the previous order, the new order: - tries all peers in each state, before re-trying any peer in that state, and - only checks the the gossiped untrusted last seen time if all other times are equal. * Preserve the later time if changes arrive out of order * Update CandidateSet::next documentation * Update CandidateSet state diagram * Fix variant names in comments * Explain why timestamps can be left out of MetaAddrChanges * Add a simple test for the individual peer retry limit * Only generate valid Arbitrary PeerServices values * Add an individual peer retry limit AddressBook and CandidateSet test * Stop deleting recently live addresses from the address book If we delete recently live addresses from the address book, we can get a new entry for them, and reconnect too rapidly. * Rename functions to match similar tokio API * Fix docs for service sorting * Clarify a comment * Cleanup a variable and comments * Remove blank lines in the CandidateSet state diagram * Add a multi-peer proptest that checks outbound attempt fairness * Fix a comment typo Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com> * Simplify time maths in MetaAddr * Create a Duration32 type to simplify calculations and comparisons * Rename variables for clarity * Split a string constant into multiple lines * Make constants match rustdoc order Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
2021-06-18 05:30:44 -07:00
///
Security: Use canonical SocketAddrs to avoid duplicate peer connections, Feature: Send local listener to peers (#2276) * Always send our local listener with the latest time Previously, whenever there was an inbound request for peers, we would clone the address book and update it with the local listener. This had two impacts: - the listener could conflict with an existing entry, rather than unconditionally replacing it, and - the listener was briefly included in the address book metrics. As a side-effect, this change also makes sanitization slightly faster, because it avoids some useless peer filtering and sorting. * Skip listeners that are not valid for outbound connections * Filter sanitized addresses Zebra based on address state This fix correctly prevents Zebra gossiping client addresses to peers, but still keeps the client in the address book to avoid reconnections. * Add a full set of DateTime32 and Duration32 calculation methods * Refactor sanitize to use the new DateTime32/Duration32 methods * Security: Use canonical SocketAddrs to avoid duplicate connections If we allow multiple variants for each peer address, we can make multiple connections to that peer. Also make sure sanitized MetaAddrs are valid for outbound connections. * Test that address books contain the local listener address Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
2021-06-21 19:16:59 -07:00
/// Change addresses must be canonical `SocketAddr`s. This makes sure that
/// each address book entry has a unique IP address.
///
Security: Limit reconnection rate to individual peers (#2275) * Security: Limit reconnection rate to individual peers Reconnection Rate Limit the reconnection rate to each individual peer by applying the liveness cutoff to the attempt, responded, and failure time fields. If any field is recent, the peer is skipped. The new liveness cutoff skips any peers that have recently been attempted or failed. (Previously, the liveness check was only applied if the peer was in the `Responded` state, which could lead to repeated retries of `Failed` peers, particularly in small address books.) Reconnection Order Zebra prefers more useful peer states, then the earliest attempted, failed, and responded times, then the most recent gossiped last seen times. Before this change, Zebra took the most recent time in all the peer time fields, and used that time for liveness and ordering. This led to confusion between trusted and untrusted data, and success and failure times. Unlike the previous order, the new order: - tries all peers in each state, before re-trying any peer in that state, and - only checks the the gossiped untrusted last seen time if all other times are equal. * Preserve the later time if changes arrive out of order * Update CandidateSet::next documentation * Update CandidateSet state diagram * Fix variant names in comments * Explain why timestamps can be left out of MetaAddrChanges * Add a simple test for the individual peer retry limit * Only generate valid Arbitrary PeerServices values * Add an individual peer retry limit AddressBook and CandidateSet test * Stop deleting recently live addresses from the address book If we delete recently live addresses from the address book, we can get a new entry for them, and reconnect too rapidly. * Rename functions to match similar tokio API * Fix docs for service sorting * Clarify a comment * Cleanup a variable and comments * Remove blank lines in the CandidateSet state diagram * Add a multi-peer proptest that checks outbound attempt fairness * Fix a comment typo Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com> * Simplify time maths in MetaAddr * Create a Duration32 type to simplify calculations and comparisons * Rename variables for clarity * Split a string constant into multiple lines * Make constants match rustdoc order Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
2021-06-18 05:30:44 -07:00
/// # Security
///
/// This function must apply every attempted, responded, and failed change
/// to the address book. This prevents rapid reconnections to the same peer.
///
/// As an exception, this function can ignore all changes for specific
/// [`SocketAddr`]s. Ignored addresses will never be used to connect to
/// peers.
Security: stop gossiping failure and attempt times as last_seen times (#2273) * Security: stop gossiping failure and attempt times as last_seen times Previously, Zebra had a single time field for peer addresses, which was updated every time a peer was attempted, sent a message, or failed. This is a security issue, because the `last_seen` time should be "the last time [a peer] connected to that node", so that "nodes can use the time field to avoid relaying old 'addr' messages". So Zebra was sending incorrect peer information to other nodes. As part of this change, we split the `last_seen` time into the following fields: - untrusted_last_seen: gossiped from other peers - last_response: time we got a response from a directly connected peer - last_attempt: time we attempted to connect to a peer - last_failure: time a connection with a peer failed * Implement Arbitrary and strategies for MetaAddrChange Also replace the MetaAddr Arbitrary impl with a derive. * Write proptests for MetaAddr and MetaAddrChange MetaAddr: - the only times that get included in serialized MetaAddrs are the untrusted last seen and responded times MetaAddrChange: - the untrusted last seen time is never updated - the services are only updated if there has been a handshake
2021-06-14 20:31:16 -07:00
pub fn update(&mut self, change: MetaAddrChange) -> Option<MetaAddr> {
Add an explicit tracing span to each address book. Co-authored-by: Deirdre Connolly <deirdre@zfnd.org>
2019-10-21 15:56:16 -07:00
let _guard = self.span.enter();
Security: stop gossiping failure and attempt times as last_seen times (#2273) * Security: stop gossiping failure and attempt times as last_seen times Previously, Zebra had a single time field for peer addresses, which was updated every time a peer was attempted, sent a message, or failed. This is a security issue, because the `last_seen` time should be "the last time [a peer] connected to that node", so that "nodes can use the time field to avoid relaying old 'addr' messages". So Zebra was sending incorrect peer information to other nodes. As part of this change, we split the `last_seen` time into the following fields: - untrusted_last_seen: gossiped from other peers - last_response: time we got a response from a directly connected peer - last_attempt: time we attempted to connect to a peer - last_failure: time a connection with a peer failed * Implement Arbitrary and strategies for MetaAddrChange Also replace the MetaAddr Arbitrary impl with a derive. * Write proptests for MetaAddr and MetaAddrChange MetaAddr: - the only times that get included in serialized MetaAddrs are the untrusted last seen and responded times MetaAddrChange: - the untrusted last seen time is never updated - the services are only updated if there has been a handshake
2021-06-14 20:31:16 -07:00
let previous = self.by_addr.get(&change.addr()).cloned();
let updated = change.apply_to_meta_addr(previous);
Rewrite AddressBook to use a BTreeSet. The previous implementation failed when timestamps were duplicated between peers, because there was not a 1-1 relationship between timestamps and peers.
2019-10-17 21:19:23 -07:00
trace!(
Security: stop gossiping failure and attempt times as last_seen times (#2273) * Security: stop gossiping failure and attempt times as last_seen times Previously, Zebra had a single time field for peer addresses, which was updated every time a peer was attempted, sent a message, or failed. This is a security issue, because the `last_seen` time should be "the last time [a peer] connected to that node", so that "nodes can use the time field to avoid relaying old 'addr' messages". So Zebra was sending incorrect peer information to other nodes. As part of this change, we split the `last_seen` time into the following fields: - untrusted_last_seen: gossiped from other peers - last_response: time we got a response from a directly connected peer - last_attempt: time we attempted to connect to a peer - last_failure: time a connection with a peer failed * Implement Arbitrary and strategies for MetaAddrChange Also replace the MetaAddr Arbitrary impl with a derive. * Write proptests for MetaAddr and MetaAddrChange MetaAddr: - the only times that get included in serialized MetaAddrs are the untrusted last seen and responded times MetaAddrChange: - the untrusted last seen time is never updated - the services are only updated if there has been a handshake
2021-06-14 20:31:16 -07:00
?change,
?updated,
?previous,
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
total_peers = self.by_addr.len(),
recent_peers = self.recently_live_peers().count(),
Extract `TimestampData` to `AddressBook`. This allows us to hide the `TimestampCollector` and to expose only the address book data required by the inbound request service. It also lets us have a common data structure (the `AddressBook`) for collecting peer information that can be used to manage information that other peers report to us.
2019-10-17 15:42:19 -07:00
);
Security: stop gossiping failure and attempt times as last_seen times (#2273) * Security: stop gossiping failure and attempt times as last_seen times Previously, Zebra had a single time field for peer addresses, which was updated every time a peer was attempted, sent a message, or failed. This is a security issue, because the `last_seen` time should be "the last time [a peer] connected to that node", so that "nodes can use the time field to avoid relaying old 'addr' messages". So Zebra was sending incorrect peer information to other nodes. As part of this change, we split the `last_seen` time into the following fields: - untrusted_last_seen: gossiped from other peers - last_response: time we got a response from a directly connected peer - last_attempt: time we attempted to connect to a peer - last_failure: time a connection with a peer failed * Implement Arbitrary and strategies for MetaAddrChange Also replace the MetaAddr Arbitrary impl with a derive. * Write proptests for MetaAddr and MetaAddrChange MetaAddr: - the only times that get included in serialized MetaAddrs are the untrusted last seen and responded times MetaAddrChange: - the untrusted last seen time is never updated - the services are only updated if there has been a handshake
2021-06-14 20:31:16 -07:00
if let Some(updated) = updated {
Security: Limit reconnection rate to individual peers (#2275) * Security: Limit reconnection rate to individual peers Reconnection Rate Limit the reconnection rate to each individual peer by applying the liveness cutoff to the attempt, responded, and failure time fields. If any field is recent, the peer is skipped. The new liveness cutoff skips any peers that have recently been attempted or failed. (Previously, the liveness check was only applied if the peer was in the `Responded` state, which could lead to repeated retries of `Failed` peers, particularly in small address books.) Reconnection Order Zebra prefers more useful peer states, then the earliest attempted, failed, and responded times, then the most recent gossiped last seen times. Before this change, Zebra took the most recent time in all the peer time fields, and used that time for liveness and ordering. This led to confusion between trusted and untrusted data, and success and failure times. Unlike the previous order, the new order: - tries all peers in each state, before re-trying any peer in that state, and - only checks the the gossiped untrusted last seen time if all other times are equal. * Preserve the later time if changes arrive out of order * Update CandidateSet::next documentation * Update CandidateSet state diagram * Fix variant names in comments * Explain why timestamps can be left out of MetaAddrChanges * Add a simple test for the individual peer retry limit * Only generate valid Arbitrary PeerServices values * Add an individual peer retry limit AddressBook and CandidateSet test * Stop deleting recently live addresses from the address book If we delete recently live addresses from the address book, we can get a new entry for them, and reconnect too rapidly. * Rename functions to match similar tokio API * Fix docs for service sorting * Clarify a comment * Cleanup a variable and comments * Remove blank lines in the CandidateSet state diagram * Add a multi-peer proptest that checks outbound attempt fairness * Fix a comment typo Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com> * Simplify time maths in MetaAddr * Create a Duration32 type to simplify calculations and comparisons * Rename variables for clarity * Split a string constant into multiple lines * Make constants match rustdoc order Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
2021-06-18 05:30:44 -07:00
// Ignore invalid outbound addresses.
// (Inbound connections can be monitored via Zebra's metrics.)
if !updated.address_is_valid_for_outbound() {
Security: stop gossiping failure and attempt times as last_seen times (#2273) * Security: stop gossiping failure and attempt times as last_seen times Previously, Zebra had a single time field for peer addresses, which was updated every time a peer was attempted, sent a message, or failed. This is a security issue, because the `last_seen` time should be "the last time [a peer] connected to that node", so that "nodes can use the time field to avoid relaying old 'addr' messages". So Zebra was sending incorrect peer information to other nodes. As part of this change, we split the `last_seen` time into the following fields: - untrusted_last_seen: gossiped from other peers - last_response: time we got a response from a directly connected peer - last_attempt: time we attempted to connect to a peer - last_failure: time a connection with a peer failed * Implement Arbitrary and strategies for MetaAddrChange Also replace the MetaAddr Arbitrary impl with a derive. * Write proptests for MetaAddr and MetaAddrChange MetaAddr: - the only times that get included in serialized MetaAddrs are the untrusted last seen and responded times MetaAddrChange: - the untrusted last seen time is never updated - the services are only updated if there has been a handshake
2021-06-14 20:31:16 -07:00
return None;
}
Security: stop gossiping temporary inbound remote addresses to peers - stop putting inbound addresses in the address book - drop address book entries that can't be used for outbound connections - distinguish between temporary inbound and permanent outbound peer addresses - also create variants to handle proxy connections (but don't use them yet) - avoid tracking connection state for isolated connections - document security constraints for the address book and peer set
2021-05-06 17:50:04 -07:00
Security: Limit reconnection rate to individual peers (#2275) * Security: Limit reconnection rate to individual peers Reconnection Rate Limit the reconnection rate to each individual peer by applying the liveness cutoff to the attempt, responded, and failure time fields. If any field is recent, the peer is skipped. The new liveness cutoff skips any peers that have recently been attempted or failed. (Previously, the liveness check was only applied if the peer was in the `Responded` state, which could lead to repeated retries of `Failed` peers, particularly in small address books.) Reconnection Order Zebra prefers more useful peer states, then the earliest attempted, failed, and responded times, then the most recent gossiped last seen times. Before this change, Zebra took the most recent time in all the peer time fields, and used that time for liveness and ordering. This led to confusion between trusted and untrusted data, and success and failure times. Unlike the previous order, the new order: - tries all peers in each state, before re-trying any peer in that state, and - only checks the the gossiped untrusted last seen time if all other times are equal. * Preserve the later time if changes arrive out of order * Update CandidateSet::next documentation * Update CandidateSet state diagram * Fix variant names in comments * Explain why timestamps can be left out of MetaAddrChanges * Add a simple test for the individual peer retry limit * Only generate valid Arbitrary PeerServices values * Add an individual peer retry limit AddressBook and CandidateSet test * Stop deleting recently live addresses from the address book If we delete recently live addresses from the address book, we can get a new entry for them, and reconnect too rapidly. * Rename functions to match similar tokio API * Fix docs for service sorting * Clarify a comment * Cleanup a variable and comments * Remove blank lines in the CandidateSet state diagram * Add a multi-peer proptest that checks outbound attempt fairness * Fix a comment typo Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com> * Simplify time maths in MetaAddr * Create a Duration32 type to simplify calculations and comparisons * Rename variables for clarity * Split a string constant into multiple lines * Make constants match rustdoc order Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
2021-06-18 05:30:44 -07:00
// Ignore invalid outbound services and other info,
// but only if the peer has never been attempted.
Security: stop gossiping failure and attempt times as last_seen times (#2273) * Security: stop gossiping failure and attempt times as last_seen times Previously, Zebra had a single time field for peer addresses, which was updated every time a peer was attempted, sent a message, or failed. This is a security issue, because the `last_seen` time should be "the last time [a peer] connected to that node", so that "nodes can use the time field to avoid relaying old 'addr' messages". So Zebra was sending incorrect peer information to other nodes. As part of this change, we split the `last_seen` time into the following fields: - untrusted_last_seen: gossiped from other peers - last_response: time we got a response from a directly connected peer - last_attempt: time we attempted to connect to a peer - last_failure: time a connection with a peer failed * Implement Arbitrary and strategies for MetaAddrChange Also replace the MetaAddr Arbitrary impl with a derive. * Write proptests for MetaAddr and MetaAddrChange MetaAddr: - the only times that get included in serialized MetaAddrs are the untrusted last seen and responded times MetaAddrChange: - the untrusted last seen time is never updated - the services are only updated if there has been a handshake
2021-06-14 20:31:16 -07:00
//
Security: Limit reconnection rate to individual peers (#2275) * Security: Limit reconnection rate to individual peers Reconnection Rate Limit the reconnection rate to each individual peer by applying the liveness cutoff to the attempt, responded, and failure time fields. If any field is recent, the peer is skipped. The new liveness cutoff skips any peers that have recently been attempted or failed. (Previously, the liveness check was only applied if the peer was in the `Responded` state, which could lead to repeated retries of `Failed` peers, particularly in small address books.) Reconnection Order Zebra prefers more useful peer states, then the earliest attempted, failed, and responded times, then the most recent gossiped last seen times. Before this change, Zebra took the most recent time in all the peer time fields, and used that time for liveness and ordering. This led to confusion between trusted and untrusted data, and success and failure times. Unlike the previous order, the new order: - tries all peers in each state, before re-trying any peer in that state, and - only checks the the gossiped untrusted last seen time if all other times are equal. * Preserve the later time if changes arrive out of order * Update CandidateSet::next documentation * Update CandidateSet state diagram * Fix variant names in comments * Explain why timestamps can be left out of MetaAddrChanges * Add a simple test for the individual peer retry limit * Only generate valid Arbitrary PeerServices values * Add an individual peer retry limit AddressBook and CandidateSet test * Stop deleting recently live addresses from the address book If we delete recently live addresses from the address book, we can get a new entry for them, and reconnect too rapidly. * Rename functions to match similar tokio API * Fix docs for service sorting * Clarify a comment * Cleanup a variable and comments * Remove blank lines in the CandidateSet state diagram * Add a multi-peer proptest that checks outbound attempt fairness * Fix a comment typo Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com> * Simplify time maths in MetaAddr * Create a Duration32 type to simplify calculations and comparisons * Rename variables for clarity * Split a string constant into multiple lines * Make constants match rustdoc order Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
2021-06-18 05:30:44 -07:00
// Otherwise, if we got the info directly from the peer,
// store it in the address book, so we know not to reconnect.
//
// TODO: delete peers with invalid info when they get too old (#1873)
if !updated.last_known_info_is_valid_for_outbound()
&& updated.last_connection_state.is_never_attempted()
{
Security: stop gossiping failure and attempt times as last_seen times (#2273) * Security: stop gossiping failure and attempt times as last_seen times Previously, Zebra had a single time field for peer addresses, which was updated every time a peer was attempted, sent a message, or failed. This is a security issue, because the `last_seen` time should be "the last time [a peer] connected to that node", so that "nodes can use the time field to avoid relaying old 'addr' messages". So Zebra was sending incorrect peer information to other nodes. As part of this change, we split the `last_seen` time into the following fields: - untrusted_last_seen: gossiped from other peers - last_response: time we got a response from a directly connected peer - last_attempt: time we attempted to connect to a peer - last_failure: time a connection with a peer failed * Implement Arbitrary and strategies for MetaAddrChange Also replace the MetaAddr Arbitrary impl with a derive. * Write proptests for MetaAddr and MetaAddrChange MetaAddr: - the only times that get included in serialized MetaAddrs are the untrusted last seen and responded times MetaAddrChange: - the untrusted last seen time is never updated - the services are only updated if there has been a handshake
2021-06-14 20:31:16 -07:00
return None;
Extract `TimestampData` to `AddressBook`. This allows us to hide the `TimestampCollector` and to expose only the address book data required by the inbound request service. It also lets us have a common data structure (the `AddressBook`) for collecting peer information that can be used to manage information that other peers report to us.
2019-10-17 15:42:19 -07:00
}
Security: stop gossiping failure and attempt times as last_seen times (#2273) * Security: stop gossiping failure and attempt times as last_seen times Previously, Zebra had a single time field for peer addresses, which was updated every time a peer was attempted, sent a message, or failed. This is a security issue, because the `last_seen` time should be "the last time [a peer] connected to that node", so that "nodes can use the time field to avoid relaying old 'addr' messages". So Zebra was sending incorrect peer information to other nodes. As part of this change, we split the `last_seen` time into the following fields: - untrusted_last_seen: gossiped from other peers - last_response: time we got a response from a directly connected peer - last_attempt: time we attempted to connect to a peer - last_failure: time a connection with a peer failed * Implement Arbitrary and strategies for MetaAddrChange Also replace the MetaAddr Arbitrary impl with a derive. * Write proptests for MetaAddr and MetaAddrChange MetaAddr: - the only times that get included in serialized MetaAddrs are the untrusted last seen and responded times MetaAddrChange: - the untrusted last seen time is never updated - the services are only updated if there has been a handshake
2021-06-14 20:31:16 -07:00
self.by_addr.insert(updated.addr, updated);
std::mem::drop(_guard);
self.update_metrics();
Extract `TimestampData` to `AddressBook`. This allows us to hide the `TimestampCollector` and to expose only the address book data required by the inbound request service. It also lets us have a common data structure (the `AddressBook`) for collecting peer information that can be used to manage information that other peers report to us.
2019-10-17 15:42:19 -07:00
}
Refactor AddressBook::update, add contains, get. This also makes the quadratic `assert_consistency` check run only in test configs.
2019-10-18 11:04:38 -07:00
Security: stop gossiping failure and attempt times as last_seen times (#2273) * Security: stop gossiping failure and attempt times as last_seen times Previously, Zebra had a single time field for peer addresses, which was updated every time a peer was attempted, sent a message, or failed. This is a security issue, because the `last_seen` time should be "the last time [a peer] connected to that node", so that "nodes can use the time field to avoid relaying old 'addr' messages". So Zebra was sending incorrect peer information to other nodes. As part of this change, we split the `last_seen` time into the following fields: - untrusted_last_seen: gossiped from other peers - last_response: time we got a response from a directly connected peer - last_attempt: time we attempted to connect to a peer - last_failure: time a connection with a peer failed * Implement Arbitrary and strategies for MetaAddrChange Also replace the MetaAddr Arbitrary impl with a derive. * Write proptests for MetaAddr and MetaAddrChange MetaAddr: - the only times that get included in serialized MetaAddrs are the untrusted last seen and responded times MetaAddrChange: - the untrusted last seen time is never updated - the services are only updated if there has been a handshake
2021-06-14 20:31:16 -07:00
updated
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
}
/// Removes the entry with `addr`, returning it if it exists
///
Security: stop gossiping temporary inbound remote addresses to peers - stop putting inbound addresses in the address book - drop address book entries that can't be used for outbound connections - distinguish between temporary inbound and permanent outbound peer addresses - also create variants to handle proxy connections (but don't use them yet) - avoid tracking connection state for isolated connections - document security constraints for the address book and peer set
2021-05-06 17:50:04 -07:00
/// # Note
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
///
Security: stop gossiping temporary inbound remote addresses to peers - stop putting inbound addresses in the address book - drop address book entries that can't be used for outbound connections - distinguish between temporary inbound and permanent outbound peer addresses - also create variants to handle proxy connections (but don't use them yet) - avoid tracking connection state for isolated connections - document security constraints for the address book and peer set
2021-05-06 17:50:04 -07:00
/// All address removals should go through `take`, so that the address
/// book metrics are accurate.
Security: Use canonical SocketAddrs to avoid duplicate peer connections, Feature: Send local listener to peers (#2276) * Always send our local listener with the latest time Previously, whenever there was an inbound request for peers, we would clone the address book and update it with the local listener. This had two impacts: - the listener could conflict with an existing entry, rather than unconditionally replacing it, and - the listener was briefly included in the address book metrics. As a side-effect, this change also makes sanitization slightly faster, because it avoids some useless peer filtering and sorting. * Skip listeners that are not valid for outbound connections * Filter sanitized addresses Zebra based on address state This fix correctly prevents Zebra gossiping client addresses to peers, but still keeps the client in the address book to avoid reconnections. * Add a full set of DateTime32 and Duration32 calculation methods * Refactor sanitize to use the new DateTime32/Duration32 methods * Security: Use canonical SocketAddrs to avoid duplicate connections If we allow multiple variants for each peer address, we can make multiple connections to that peer. Also make sure sanitized MetaAddrs are valid for outbound connections. * Test that address books contain the local listener address Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
2021-06-21 19:16:59 -07:00
#[allow(dead_code)]
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
fn take(&mut self, removed_addr: SocketAddr) -> Option<MetaAddr> {
let _guard = self.span.enter();
trace!(
?removed_addr,
total_peers = self.by_addr.len(),
recent_peers = self.recently_live_peers().count(),
);
if let Some(entry) = self.by_addr.remove(&removed_addr) {
Log address book metrics when peers aren't responding
2021-03-15 05:31:25 -07:00
std::mem::drop(_guard);
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
self.update_metrics();
Some(entry)
} else {
None
}
Extract `TimestampData` to `AddressBook`. This allows us to hide the `TimestampCollector` and to expose only the address book data required by the inbound request service. It also lets us have a common data structure (the `AddressBook`) for collecting peer information that can be used to manage information that other peers report to us.
2019-10-17 15:42:19 -07:00
}
Add iteration functions to `AddressBook`. The disconnected_peers() function allows us to prevent duplicate connections without maintaining shared state between the peerset and the dial-additional-peers task.
2019-10-17 16:25:24 -07:00
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
/// Returns true if the given [`SocketAddr`] has recently sent us a message.
pub fn recently_live_addr(&self, addr: &SocketAddr) -> bool {
let _guard = self.span.enter();
match self.by_addr.get(addr) {
None => false,
// NeverAttempted, Failed, and AttemptPending peers should never be live
Some(peer) => {
Security: Limit reconnection rate to individual peers (#2275) * Security: Limit reconnection rate to individual peers Reconnection Rate Limit the reconnection rate to each individual peer by applying the liveness cutoff to the attempt, responded, and failure time fields. If any field is recent, the peer is skipped. The new liveness cutoff skips any peers that have recently been attempted or failed. (Previously, the liveness check was only applied if the peer was in the `Responded` state, which could lead to repeated retries of `Failed` peers, particularly in small address books.) Reconnection Order Zebra prefers more useful peer states, then the earliest attempted, failed, and responded times, then the most recent gossiped last seen times. Before this change, Zebra took the most recent time in all the peer time fields, and used that time for liveness and ordering. This led to confusion between trusted and untrusted data, and success and failure times. Unlike the previous order, the new order: - tries all peers in each state, before re-trying any peer in that state, and - only checks the the gossiped untrusted last seen time if all other times are equal. * Preserve the later time if changes arrive out of order * Update CandidateSet::next documentation * Update CandidateSet state diagram * Fix variant names in comments * Explain why timestamps can be left out of MetaAddrChanges * Add a simple test for the individual peer retry limit * Only generate valid Arbitrary PeerServices values * Add an individual peer retry limit AddressBook and CandidateSet test * Stop deleting recently live addresses from the address book If we delete recently live addresses from the address book, we can get a new entry for them, and reconnect too rapidly. * Rename functions to match similar tokio API * Fix docs for service sorting * Clarify a comment * Cleanup a variable and comments * Remove blank lines in the CandidateSet state diagram * Add a multi-peer proptest that checks outbound attempt fairness * Fix a comment typo Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com> * Simplify time maths in MetaAddr * Create a Duration32 type to simplify calculations and comparisons * Rename variables for clarity * Split a string constant into multiple lines * Make constants match rustdoc order Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
2021-06-18 05:30:44 -07:00
peer.last_connection_state == PeerAddrState::Responded && peer.was_recently_live()
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
}
network: add AddressBook::potentially_connected_peers().
2020-09-03 10:09:25 -07:00
}
}
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
/// Returns true if the given [`SocketAddr`] is pending a reconnection
/// attempt.
pub fn pending_reconnection_addr(&self, addr: &SocketAddr) -> bool {
Add an explicit tracing span to each address book. Co-authored-by: Deirdre Connolly <deirdre@zfnd.org>
2019-10-21 15:56:16 -07:00
let _guard = self.span.enter();
Add AddressBook::is_potentially_connected() This allows checking whether a SocketAddr could potentially be connected, based on the contents of the address book.
2019-10-18 09:54:34 -07:00
match self.by_addr.get(addr) {
Apply clippy fixes
2020-02-04 22:53:24 -08:00
None => false,
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
Some(peer) => peer.last_connection_state == PeerAddrState::AttemptPending,
Add AddressBook::is_potentially_connected() This allows checking whether a SocketAddr could potentially be connected, based on the contents of the address book.
2019-10-18 09:54:34 -07:00
}
}
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
/// Return an iterator over all peers.
///
/// Returns peers in reconnection attempt order, then recently live peers in
/// an arbitrary order.
Fix some "needless lifetime" clippy lints These lints seem to be new in clippy nightly.
2020-10-11 15:32:05 -07:00
pub fn peers(&'_ self) -> impl Iterator<Item = MetaAddr> + '_ {
Add an explicit tracing span to each address book. Co-authored-by: Deirdre Connolly <deirdre@zfnd.org>
2019-10-21 15:56:16 -07:00
let _guard = self.span.enter();
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
self.reconnection_peers()
.chain(self.maybe_connected_peers())
Add iteration functions to `AddressBook`. The disconnected_peers() function allows us to prevent duplicate connections without maintaining shared state between the peerset and the dial-additional-peers task.
2019-10-17 16:25:24 -07:00
}
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
/// Return an iterator over peers that are due for a reconnection attempt,
/// in reconnection attempt order.
pub fn reconnection_peers(&'_ self) -> impl Iterator<Item = MetaAddr> + '_ {
Add an explicit tracing span to each address book. Co-authored-by: Deirdre Connolly <deirdre@zfnd.org>
2019-10-21 15:56:16 -07:00
let _guard = self.span.enter();
Add iteration functions to `AddressBook`. The disconnected_peers() function allows us to prevent duplicate connections without maintaining shared state between the peerset and the dial-additional-peers task.
2019-10-17 16:25:24 -07:00
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
// TODO: optimise, if needed, or get rid of older peers
// Skip live peers, and peers pending a reconnect attempt, then sort using BTreeSet
self.by_addr
.values()
Security: Limit reconnection rate to individual peers (#2275) * Security: Limit reconnection rate to individual peers Reconnection Rate Limit the reconnection rate to each individual peer by applying the liveness cutoff to the attempt, responded, and failure time fields. If any field is recent, the peer is skipped. The new liveness cutoff skips any peers that have recently been attempted or failed. (Previously, the liveness check was only applied if the peer was in the `Responded` state, which could lead to repeated retries of `Failed` peers, particularly in small address books.) Reconnection Order Zebra prefers more useful peer states, then the earliest attempted, failed, and responded times, then the most recent gossiped last seen times. Before this change, Zebra took the most recent time in all the peer time fields, and used that time for liveness and ordering. This led to confusion between trusted and untrusted data, and success and failure times. Unlike the previous order, the new order: - tries all peers in each state, before re-trying any peer in that state, and - only checks the the gossiped untrusted last seen time if all other times are equal. * Preserve the later time if changes arrive out of order * Update CandidateSet::next documentation * Update CandidateSet state diagram * Fix variant names in comments * Explain why timestamps can be left out of MetaAddrChanges * Add a simple test for the individual peer retry limit * Only generate valid Arbitrary PeerServices values * Add an individual peer retry limit AddressBook and CandidateSet test * Stop deleting recently live addresses from the address book If we delete recently live addresses from the address book, we can get a new entry for them, and reconnect too rapidly. * Rename functions to match similar tokio API * Fix docs for service sorting * Clarify a comment * Cleanup a variable and comments * Remove blank lines in the CandidateSet state diagram * Add a multi-peer proptest that checks outbound attempt fairness * Fix a comment typo Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com> * Simplify time maths in MetaAddr * Create a Duration32 type to simplify calculations and comparisons * Rename variables for clarity * Split a string constant into multiple lines * Make constants match rustdoc order Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
2021-06-18 05:30:44 -07:00
.filter(|peer| peer.is_ready_for_attempt())
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
.collect::<BTreeSet<_>>()
.into_iter()
network: add AddressBook::potentially_connected_peers().
2020-09-03 10:09:25 -07:00
.cloned()
}
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
/// Return an iterator over all the peers in `state`, in arbitrary order.
pub fn state_peers(&'_ self, state: PeerAddrState) -> impl Iterator<Item = MetaAddr> + '_ {
network: add AddressBook::potentially_connected_peers().
2020-09-03 10:09:25 -07:00
let _guard = self.span.enter();
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
self.by_addr
.values()
.filter(move |peer| peer.last_connection_state == state)
Rewrite AddressBook to use a BTreeSet. The previous implementation failed when timestamps were duplicated between peers, because there was not a 1-1 relationship between timestamps and peers.
2019-10-17 21:19:23 -07:00
.cloned()
Add iteration functions to `AddressBook`. The disconnected_peers() function allows us to prevent duplicate connections without maintaining shared state between the peerset and the dial-additional-peers task.
2019-10-17 16:25:24 -07:00
}
Implement Extend and Drain for AddressBook.
2019-10-17 17:54:08 -07:00
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
/// Return an iterator over peers that might be connected, in arbitrary
/// order.
pub fn maybe_connected_peers(&'_ self) -> impl Iterator<Item = MetaAddr> + '_ {
let _guard = self.span.enter();
self.by_addr
.values()
Security: Limit reconnection rate to individual peers (#2275) * Security: Limit reconnection rate to individual peers Reconnection Rate Limit the reconnection rate to each individual peer by applying the liveness cutoff to the attempt, responded, and failure time fields. If any field is recent, the peer is skipped. The new liveness cutoff skips any peers that have recently been attempted or failed. (Previously, the liveness check was only applied if the peer was in the `Responded` state, which could lead to repeated retries of `Failed` peers, particularly in small address books.) Reconnection Order Zebra prefers more useful peer states, then the earliest attempted, failed, and responded times, then the most recent gossiped last seen times. Before this change, Zebra took the most recent time in all the peer time fields, and used that time for liveness and ordering. This led to confusion between trusted and untrusted data, and success and failure times. Unlike the previous order, the new order: - tries all peers in each state, before re-trying any peer in that state, and - only checks the the gossiped untrusted last seen time if all other times are equal. * Preserve the later time if changes arrive out of order * Update CandidateSet::next documentation * Update CandidateSet state diagram * Fix variant names in comments * Explain why timestamps can be left out of MetaAddrChanges * Add a simple test for the individual peer retry limit * Only generate valid Arbitrary PeerServices values * Add an individual peer retry limit AddressBook and CandidateSet test * Stop deleting recently live addresses from the address book If we delete recently live addresses from the address book, we can get a new entry for them, and reconnect too rapidly. * Rename functions to match similar tokio API * Fix docs for service sorting * Clarify a comment * Cleanup a variable and comments * Remove blank lines in the CandidateSet state diagram * Add a multi-peer proptest that checks outbound attempt fairness * Fix a comment typo Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com> * Simplify time maths in MetaAddr * Create a Duration32 type to simplify calculations and comparisons * Rename variables for clarity * Split a string constant into multiple lines * Make constants match rustdoc order Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
2021-06-18 05:30:44 -07:00
.filter(|peer| !peer.is_ready_for_attempt())
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
.cloned()
Allow draining AddressBook entries oldest-first.
2019-10-18 09:27:28 -07:00
}
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
/// Return an iterator over peers we've seen recently, in arbitrary order.
pub fn recently_live_peers(&'_ self) -> impl Iterator<Item = MetaAddr> + '_ {
let _guard = self.span.enter();
self.by_addr
.values()
.filter(move |peer| self.recently_live_addr(&peer.addr))
.cloned()
}
Initial work to add a crawl-and-dial task. This responds to peerset demand by connecting to additional peers. Co-authored-by: Deirdre Connolly <deirdre@zfnd.org>
2019-10-21 15:24:17 -07:00
/// Returns the number of entries in this address book.
pub fn len(&self) -> usize {
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
self.by_addr.len()
}
Refactor AddressBook metrics into their own struct And provide an accessor function for address book metrics.
2021-03-15 04:52:58 -07:00
/// Returns metrics for the addresses in this address book.
pub fn address_metrics(&self) -> AddressMetrics {
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
let responded = self.state_peers(PeerAddrState::Responded).count();
Security: stop gossiping temporary inbound remote addresses to peers - stop putting inbound addresses in the address book - drop address book entries that can't be used for outbound connections - distinguish between temporary inbound and permanent outbound peer addresses - also create variants to handle proxy connections (but don't use them yet) - avoid tracking connection state for isolated connections - document security constraints for the address book and peer set
2021-05-06 17:50:04 -07:00
let never_attempted_gossiped = self
.state_peers(PeerAddrState::NeverAttemptedGossiped)
.count();
let never_attempted_alternate = self
.state_peers(PeerAddrState::NeverAttemptedAlternate)
.count();
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
let failed = self.state_peers(PeerAddrState::Failed).count();
Refactor AddressBook metrics into their own struct And provide an accessor function for address book metrics.
2021-03-15 04:52:58 -07:00
let attempt_pending = self.state_peers(PeerAddrState::AttemptPending).count();
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
let recently_live = self.recently_live_peers().count();
let recently_stopped_responding = responded
.checked_sub(recently_live)
.expect("all recently live peers must have responded");
Refactor AddressBook metrics into their own struct And provide an accessor function for address book metrics.
2021-03-15 04:52:58 -07:00
AddressMetrics {
responded,
Security: stop gossiping temporary inbound remote addresses to peers - stop putting inbound addresses in the address book - drop address book entries that can't be used for outbound connections - distinguish between temporary inbound and permanent outbound peer addresses - also create variants to handle proxy connections (but don't use them yet) - avoid tracking connection state for isolated connections - document security constraints for the address book and peer set
2021-05-06 17:50:04 -07:00
never_attempted_gossiped,
never_attempted_alternate,
Refactor AddressBook metrics into their own struct And provide an accessor function for address book metrics.
2021-03-15 04:52:58 -07:00
failed,
attempt_pending,
recently_live,
recently_stopped_responding,
}
}
/// Update the metrics for this address book.
Log address book metrics when peers aren't responding
2021-03-15 05:31:25 -07:00
fn update_metrics(&mut self) {
Refactor AddressBook metrics into their own struct And provide an accessor function for address book metrics.
2021-03-15 04:52:58 -07:00
let _guard = self.span.enter();
let m = self.address_metrics();
// TODO: rename to address_book.[state_name]
metrics::gauge!("candidate_set.responded", m.responded as f64);
Security: stop gossiping temporary inbound remote addresses to peers - stop putting inbound addresses in the address book - drop address book entries that can't be used for outbound connections - distinguish between temporary inbound and permanent outbound peer addresses - also create variants to handle proxy connections (but don't use them yet) - avoid tracking connection state for isolated connections - document security constraints for the address book and peer set
2021-05-06 17:50:04 -07:00
metrics::gauge!("candidate_set.gossiped", m.never_attempted_gossiped as f64);
metrics::gauge!(
"candidate_set.alternate",
m.never_attempted_alternate as f64
);
Refactor AddressBook metrics into their own struct And provide an accessor function for address book metrics.
2021-03-15 04:52:58 -07:00
metrics::gauge!("candidate_set.failed", m.failed as f64);
metrics::gauge!("candidate_set.pending", m.attempt_pending as f64);
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
// TODO: rename to address_book.responded.recently_live
Refactor AddressBook metrics into their own struct And provide an accessor function for address book metrics.
2021-03-15 04:52:58 -07:00
metrics::gauge!("candidate_set.recently_live", m.recently_live as f64);
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
// TODO: rename to address_book.responded.stopped_responding
metrics::gauge!(
"candidate_set.disconnected",
Refactor AddressBook metrics into their own struct And provide an accessor function for address book metrics.
2021-03-15 04:52:58 -07:00
m.recently_stopped_responding as f64
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
);
Log address book metrics when peers aren't responding
2021-03-15 05:31:25 -07:00
std::mem::drop(_guard);
self.log_metrics(&m);
}
/// Log metrics for this address book
fn log_metrics(&mut self, m: &AddressMetrics) {
let _guard = self.span.enter();
trace!(
Refactor AddressBook metrics into their own struct And provide an accessor function for address book metrics.
2021-03-15 04:52:58 -07:00
address_metrics = ?m,
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
);
Log address book metrics when peers aren't responding
2021-03-15 05:31:25 -07:00
if m.responded > 0 {
return;
}
// These logs are designed to be human-readable in a terminal, at the
// default Zebra log level. If you need to know address states for
// every request, use the trace-level logs, or the metrics exporter.
if let Some(last_address_log) = self.last_address_log {
// Avoid duplicate address logs
if Instant::now().duration_since(last_address_log).as_secs() < 60 {
return;
}
} else {
// Suppress initial logs until the peer set has started up.
// There can be multiple address changes before the first peer has
// responded.
self.last_address_log = Some(Instant::now());
return;
}
self.last_address_log = Some(Instant::now());
// if all peers have failed
Security: stop gossiping temporary inbound remote addresses to peers - stop putting inbound addresses in the address book - drop address book entries that can't be used for outbound connections - distinguish between temporary inbound and permanent outbound peer addresses - also create variants to handle proxy connections (but don't use them yet) - avoid tracking connection state for isolated connections - document security constraints for the address book and peer set
2021-05-06 17:50:04 -07:00
if m.responded
+ m.attempt_pending
+ m.never_attempted_gossiped
+ m.never_attempted_alternate
== 0
{
Log address book metrics when peers aren't responding
2021-03-15 05:31:25 -07:00
warn!(
address_metrics = ?m,
"all peer addresses have failed. Hint: check your network connection"
);
} else {
info!(
address_metrics = ?m,
"no active peer connections: trying gossiped addresses"
);
}
Initial work to add a crawl-and-dial task. This responds to peerset demand by connecting to additional peers. Co-authored-by: Deirdre Connolly <deirdre@zfnd.org>
2019-10-21 15:24:17 -07:00
}
Add iteration functions to `AddressBook`. The disconnected_peers() function allows us to prevent duplicate connections without maintaining shared state between the peerset and the dial-additional-peers task.
2019-10-17 16:25:24 -07:00
}
Security: stop gossiping failure and attempt times as last_seen times (#2273) * Security: stop gossiping failure and attempt times as last_seen times Previously, Zebra had a single time field for peer addresses, which was updated every time a peer was attempted, sent a message, or failed. This is a security issue, because the `last_seen` time should be "the last time [a peer] connected to that node", so that "nodes can use the time field to avoid relaying old 'addr' messages". So Zebra was sending incorrect peer information to other nodes. As part of this change, we split the `last_seen` time into the following fields: - untrusted_last_seen: gossiped from other peers - last_response: time we got a response from a directly connected peer - last_attempt: time we attempted to connect to a peer - last_failure: time a connection with a peer failed * Implement Arbitrary and strategies for MetaAddrChange Also replace the MetaAddr Arbitrary impl with a derive. * Write proptests for MetaAddr and MetaAddrChange MetaAddr: - the only times that get included in serialized MetaAddrs are the untrusted last seen and responded times MetaAddrChange: - the untrusted last seen time is never updated - the services are only updated if there has been a handshake
2021-06-14 20:31:16 -07:00
impl Extend<MetaAddrChange> for AddressBook {
Implement Extend and Drain for AddressBook.
2019-10-17 17:54:08 -07:00
fn extend<T>(&mut self, iter: T)
where
Security: stop gossiping failure and attempt times as last_seen times (#2273) * Security: stop gossiping failure and attempt times as last_seen times Previously, Zebra had a single time field for peer addresses, which was updated every time a peer was attempted, sent a message, or failed. This is a security issue, because the `last_seen` time should be "the last time [a peer] connected to that node", so that "nodes can use the time field to avoid relaying old 'addr' messages". So Zebra was sending incorrect peer information to other nodes. As part of this change, we split the `last_seen` time into the following fields: - untrusted_last_seen: gossiped from other peers - last_response: time we got a response from a directly connected peer - last_attempt: time we attempted to connect to a peer - last_failure: time a connection with a peer failed * Implement Arbitrary and strategies for MetaAddrChange Also replace the MetaAddr Arbitrary impl with a derive. * Write proptests for MetaAddr and MetaAddrChange MetaAddr: - the only times that get included in serialized MetaAddrs are the untrusted last seen and responded times MetaAddrChange: - the untrusted last seen time is never updated - the services are only updated if there has been a handshake
2021-06-14 20:31:16 -07:00
T: IntoIterator<Item = MetaAddrChange>,
Implement Extend and Drain for AddressBook.
2019-10-17 17:54:08 -07:00
{
Security: stop gossiping failure and attempt times as last_seen times (#2273) * Security: stop gossiping failure and attempt times as last_seen times Previously, Zebra had a single time field for peer addresses, which was updated every time a peer was attempted, sent a message, or failed. This is a security issue, because the `last_seen` time should be "the last time [a peer] connected to that node", so that "nodes can use the time field to avoid relaying old 'addr' messages". So Zebra was sending incorrect peer information to other nodes. As part of this change, we split the `last_seen` time into the following fields: - untrusted_last_seen: gossiped from other peers - last_response: time we got a response from a directly connected peer - last_attempt: time we attempted to connect to a peer - last_failure: time a connection with a peer failed * Implement Arbitrary and strategies for MetaAddrChange Also replace the MetaAddr Arbitrary impl with a derive. * Write proptests for MetaAddr and MetaAddrChange MetaAddr: - the only times that get included in serialized MetaAddrs are the untrusted last seen and responded times MetaAddrChange: - the untrusted last seen time is never updated - the services are only updated if there has been a handshake
2021-06-14 20:31:16 -07:00
for change in iter.into_iter() {
self.update(change);
Implement Extend and Drain for AddressBook.
2019-10-17 17:54:08 -07:00
}
}
}