zecfoundation
/
zebra
mirror of https://github.com/ZcashFoundation/zebra.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
zebra/zebra-network/src/address_book.rs

505 lines
17 KiB
Rust
Raw Normal View History

Security: stop gossiping temporary inbound remote addresses to peers - stop putting inbound addresses in the address book - drop address book entries that can't be used for outbound connections - distinguish between temporary inbound and permanent outbound peer addresses - also create variants to handle proxy connections (but don't use them yet) - avoid tracking connection state for isolated connections - document security constraints for the address book and peer set
2021-05-06 17:50:04 -07:00
//! The `AddressBook` manages information about what peers exist, when they were
Extract `TimestampData` to `AddressBook`. This allows us to hide the `TimestampCollector` and to expose only the address book data required by the inbound request service. It also lets us have a common data structure (the `AddressBook`) for collecting peer information that can be used to manage information that other peers report to us.
2019-10-17 15:42:19 -07:00
//! seen, and what services they provide.
Stop doing thousands of time checks each time we connect to a peer (#3106) * Stop checking the entire AddressBook for each connection attempt * Stop redundant peer time checks within the address book * Stop calling `Instant::now` 3 times for each address book update * Only get the time once each time an address book method is called * Update outdated comment * Use an OrderedMap to efficiently store address book peers * Add address book order tests
2021-12-03 10:09:43 -08:00
use std::{cmp::Reverse, iter::Extend, net::SocketAddr, time::Instant};
Extract `TimestampData` to `AddressBook`. This allows us to hide the `TimestampCollector` and to expose only the address book data required by the inbound request service. It also lets us have a common data structure (the `AddressBook`) for collecting peer information that can be used to manage information that other peers report to us.
2019-10-17 15:42:19 -07:00
Stop doing thousands of time checks each time we connect to a peer (#3106) * Stop checking the entire AddressBook for each connection attempt * Stop redundant peer time checks within the address book * Stop calling `Instant::now` 3 times for each address book update * Only get the time once each time an address book method is called * Update outdated comment * Use an OrderedMap to efficiently store address book peers * Add address book order tests
2021-12-03 10:09:43 -08:00
use chrono::Utc;
use ordered_map::OrderedMap;
Add an explicit tracing span to each address book. Co-authored-by: Deirdre Connolly <deirdre@zfnd.org>
2019-10-21 15:56:16 -07:00
use tracing::Span;
Extract `TimestampData` to `AddressBook`. This allows us to hide the `TimestampCollector` and to expose only the address book data required by the inbound request service. It also lets us have a common data structure (the `AddressBook`) for collecting peer information that can be used to manage information that other peers report to us.
2019-10-17 15:42:19 -07:00
Refactor addr v1 serialization using a separate AddrV1 type (#3021) * Implement addr v1 serialization using a separate AddrV1 type * Remove commented-out code * Split the address serialization code into modules * Reorder v1 and in_version fields in serialization order * Fix a missed search-and-replace * Explain conversion to MetaAddr Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com> Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
2021-11-09 12:47:50 -08:00
use crate::{
meta_addr::MetaAddrChange, protocol::external::canonical_socket_addr, types::MetaAddr,
PeerAddrState,
};
Extract `TimestampData` to `AddressBook`. This allows us to hide the `TimestampCollector` and to expose only the address book data required by the inbound request service. It also lets us have a common data structure (the `AddressBook`) for collecting peer information that can be used to manage information that other peers report to us.
2019-10-17 15:42:19 -07:00
Security: Zebra should stop gossiping unreachable addresses to other nodes, Action: re-deploy all nodes (#2392) * Rename some methods and constants for clarity Using the following commands: ``` fastmod '\bis_ready_for_attempt\b' is_ready_for_connection_attempt # One instance required a tweak, because of the ASCII diagram. fastmod '\bwas_recently_live\b' has_connection_recently_responded fastmod '\bwas_recently_attempted\b' was_connection_recently_attempted fastmod '\bwas_recently_failed\b' has_connection_recently_failed fastmod '\bLIVE_PEER_DURATION\b' MIN_PEER_RECONNECTION_DELAY ``` * Use `Instant::elapsed` for conciseness Instead of `Instant::now().saturating_duration_since`. They're both equivalent, and `elapsed` only panics if the `Instant` is somehow synthetically generated. * Allow `Duration32` to be created in other crates Export the `Duration32` from the `zebra_chain::serialization` module. * Add some new `Duration32` constructors Create some helper `const` constructors to make it easy to create constant durations. Add methods to create a `Duration32` from seconds, minutes and hours. * Avoid gossiping unreachable peers When sanitizing the list of peers to gossip, remove those that we haven't seen in more than three hours. * Test if unreachable addresses aren't gossiped Create a property test with random addreses inserted into an `AddressBook`, and verify that the sanitized list of addresses does not contain any addresses considered unreachable. * Test if new alternate address isn't gossipable Create a new alternate peer, because that type of `MetaAddr` does not have `last_response` or `untrusted_last_seen` times. Verify that the peer is not considered gossipable. * Test if local listener is gossipable The `MetaAddr` representing the local peer's listening address should always be considered gossipable. * Test if gossiped peer recently seen is gossipable Create a `MetaAddr` representing a gossiped peer that was reported to be seen recently. Check that the peer is considered gossipable. * Test peer reportedly last seen in the future Create a `MetaAddr` representing a peer gossiped and reported to have been last seen in a time that's in the future. Check that the peer is considered gossipable, to check that the fallback calculation is working as intended. * Test gossiped peer reportedly seen long ago Create a `MetaAddr` representing a gossiped peer that was reported to last have been seen a long time ago. Check that the peer is not considered gossipable. * Test if just responded peer is gossipable Create a `MetaAddr` representing a peer that has just responded and check that it is considered gossipable. * Test if recently responded peer is gossipable Create a `MetaAddr` representing a peer that last responded within the duration a peer is considered reachable. Verify that the peer is considered gossipable. * Test peer that responded long ago isn't gossipable Create a `MetaAddr` representing a peer that last responded outside the duration a peer is considered reachable. Verify that the peer is not considered gossipable.
2021-06-28 22:12:27 -07:00
#[cfg(test)]
mod tests;
Security: stop gossiping temporary inbound remote addresses to peers - stop putting inbound addresses in the address book - drop address book entries that can't be used for outbound connections - distinguish between temporary inbound and permanent outbound peer addresses - also create variants to handle proxy connections (but don't use them yet) - avoid tracking connection state for isolated connections - document security constraints for the address book and peer set
2021-05-06 17:50:04 -07:00
/// A database of peer listener addresses, their advertised services, and
/// information on when they were last seen.
///
/// # Security
///
/// Address book state must be based on outbound connections to peers.
///
/// If the address book is updated incorrectly:
/// - malicious peers can interfere with other peers' `AddressBook` state,
/// or
/// - Zebra can advertise unreachable addresses to its own peers.
///
/// ## Adding Addresses
///
/// The address book should only contain Zcash listener port addresses from peers
/// on the configured network. These addresses can come from:
/// - DNS seeders
/// - addresses gossiped by other peers
/// - the canonical address (`Version.address_from`) provided by each peer,
/// particularly peers on inbound connections.
///
/// The remote addresses of inbound connections must not be added to the address
/// book, because they contain ephemeral outbound ports, not listener ports.
///
/// Isolated connections must not add addresses or update the address book.
///
/// ## Updating Address State
///
/// Updates to address state must be based on outbound connections to peers.
///
/// Updates must not be based on:
/// - the remote addresses of inbound connections, or
/// - the canonical address of any connection.
Refactor and document correctness for std::sync::Mutex<AddressBook>
2021-04-18 23:04:24 -07:00
#[derive(Clone, Debug)]
Extract `TimestampData` to `AddressBook`. This allows us to hide the `TimestampCollector` and to expose only the address book data required by the inbound request service. It also lets us have a common data structure (the `AddressBook`) for collecting peer information that can be used to manage information that other peers report to us.
2019-10-17 15:42:19 -07:00
pub struct AddressBook {
Stop doing thousands of time checks each time we connect to a peer (#3106) * Stop checking the entire AddressBook for each connection attempt * Stop redundant peer time checks within the address book * Stop calling `Instant::now` 3 times for each address book update * Only get the time once each time an address book method is called * Update outdated comment * Use an OrderedMap to efficiently store address book peers * Add address book order tests
2021-12-03 10:09:43 -08:00
/// Peer listener addresses, suitable for outbound connections,
/// in connection attempt order.
///
/// Some peers in this list might have open outbound or inbound connections.
///
/// We reverse the comparison order, because the standard library ([`BTreeMap`])
/// sorts in ascending order, but [`OrderedMap`] sorts in descending order.
by_addr: OrderedMap<SocketAddr, MetaAddr, Reverse<MetaAddr>>,
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
Reliability: send local listener address to peers When peers ask for peer addresses, add our local listener address to the set of addresses, sanitize, then truncate. Sanitize shuffles addresses, so if there are lots of addresses in the address book, our address will only be sent to some peers.
2021-05-06 18:08:06 -07:00
/// The local listener address.
local_listener: SocketAddr,
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
/// The span for operations on this address book.
Add an explicit tracing span to each address book. Co-authored-by: Deirdre Connolly <deirdre@zfnd.org>
2019-10-21 15:56:16 -07:00
span: Span,
Log address book metrics when peers aren't responding
2021-03-15 05:31:25 -07:00
Reliability: send local listener address to peers When peers ask for peer addresses, add our local listener address to the set of addresses, sanitize, then truncate. Sanitize shuffles addresses, so if there are lots of addresses in the address book, our address will only be sent to some peers.
2021-05-06 18:08:06 -07:00
/// The last time we logged a message about the address metrics.
Log address book metrics when peers aren't responding
2021-03-15 05:31:25 -07:00
last_address_log: Option<Instant>,
Extract `TimestampData` to `AddressBook`. This allows us to hide the `TimestampCollector` and to expose only the address book data required by the inbound request service. It also lets us have a common data structure (the `AddressBook`) for collecting peer information that can be used to manage information that other peers report to us.
2019-10-17 15:42:19 -07:00
}
Refactor AddressBook metrics into their own struct And provide an accessor function for address book metrics.
2021-03-15 04:52:58 -07:00
/// Metrics about the states of the addresses in an [`AddressBook`].
#[derive(Debug)]
pub struct AddressMetrics {
/// The number of addresses in the `Responded` state.
responded: usize,
Security: stop gossiping temporary inbound remote addresses to peers - stop putting inbound addresses in the address book - drop address book entries that can't be used for outbound connections - distinguish between temporary inbound and permanent outbound peer addresses - also create variants to handle proxy connections (but don't use them yet) - avoid tracking connection state for isolated connections - document security constraints for the address book and peer set
2021-05-06 17:50:04 -07:00
/// The number of addresses in the `NeverAttemptedGossiped` state.
never_attempted_gossiped: usize,
/// The number of addresses in the `NeverAttemptedAlternate` state.
never_attempted_alternate: usize,
Refactor AddressBook metrics into their own struct And provide an accessor function for address book metrics.
2021-03-15 04:52:58 -07:00
/// The number of addresses in the `Failed` state.
failed: usize,
/// The number of addresses in the `AttemptPending` state.
attempt_pending: usize,
/// The number of `Responded` addresses within the liveness limit.
recently_live: usize,
/// The number of `Responded` addresses outside the liveness limit.
recently_stopped_responding: usize,
}
Apply clippy fixes
2020-02-04 22:53:24 -08:00
#[allow(clippy::len_without_is_empty)]
Extract `TimestampData` to `AddressBook`. This allows us to hide the `TimestampCollector` and to expose only the address book data required by the inbound request service. It also lets us have a common data structure (the `AddressBook`) for collecting peer information that can be used to manage information that other peers report to us.
2019-10-17 15:42:19 -07:00
impl AddressBook {
Gossip dynamic local listener ports to peers (#2277) * Gossip dynamically allocated listener ports to peers Previously, Zebra would either gossip port `0`, which is invalid, or skip gossiping its own dynamically allocated listener port. * Improve "no configured peers" warning And downgrade from error to warning, because inbound-only nodes are a valid use case. * Move random_known_port to zebra-test * Add tests for dynamic local listener ports and the AddressBook Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
2021-06-22 14:59:06 -07:00
/// Construct an [`AddressBook`] with the given `local_listener` and
/// [`tracing::Span`].
pub fn new(local_listener: SocketAddr, span: Span) -> AddressBook {
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
let constructor_span = span.clone();
let _guard = constructor_span.enter();
Stop doing thousands of time checks each time we connect to a peer (#3106) * Stop checking the entire AddressBook for each connection attempt * Stop redundant peer time checks within the address book * Stop calling `Instant::now` 3 times for each address book update * Only get the time once each time an address book method is called * Update outdated comment * Use an OrderedMap to efficiently store address book peers * Add address book order tests
2021-12-03 10:09:43 -08:00
let instant_now = Instant::now();
let chrono_now = Utc::now();
Log address book metrics when peers aren't responding
2021-03-15 05:31:25 -07:00
let mut new_book = AddressBook {
Stop doing thousands of time checks each time we connect to a peer (#3106) * Stop checking the entire AddressBook for each connection attempt * Stop redundant peer time checks within the address book * Stop calling `Instant::now` 3 times for each address book update * Only get the time once each time an address book method is called * Update outdated comment * Use an OrderedMap to efficiently store address book peers * Add address book order tests
2021-12-03 10:09:43 -08:00
by_addr: OrderedMap::new(|meta_addr| Reverse(*meta_addr)),
Gossip dynamic local listener ports to peers (#2277) * Gossip dynamically allocated listener ports to peers Previously, Zebra would either gossip port `0`, which is invalid, or skip gossiping its own dynamically allocated listener port. * Improve "no configured peers" warning And downgrade from error to warning, because inbound-only nodes are a valid use case. * Move random_known_port to zebra-test * Add tests for dynamic local listener ports and the AddressBook Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
2021-06-22 14:59:06 -07:00
local_listener: canonical_socket_addr(local_listener),
Add an explicit tracing span to each address book. Co-authored-by: Deirdre Connolly <deirdre@zfnd.org>
2019-10-21 15:56:16 -07:00
span,
Log address book metrics when peers aren't responding
2021-03-15 05:31:25 -07:00
last_address_log: None,
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
};
Stop doing thousands of time checks each time we connect to a peer (#3106) * Stop checking the entire AddressBook for each connection attempt * Stop redundant peer time checks within the address book * Stop calling `Instant::now` 3 times for each address book update * Only get the time once each time an address book method is called * Update outdated comment * Use an OrderedMap to efficiently store address book peers * Add address book order tests
2021-12-03 10:09:43 -08:00
new_book.update_metrics(instant_now, chrono_now);
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
new_book
Add an explicit tracing span to each address book. Co-authored-by: Deirdre Connolly <deirdre@zfnd.org>
2019-10-21 15:56:16 -07:00
}
Gossip dynamic local listener ports to peers (#2277) * Gossip dynamically allocated listener ports to peers Previously, Zebra would either gossip port `0`, which is invalid, or skip gossiping its own dynamically allocated listener port. * Improve "no configured peers" warning And downgrade from error to warning, because inbound-only nodes are a valid use case. * Move random_known_port to zebra-test * Add tests for dynamic local listener ports and the AddressBook Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
2021-06-22 14:59:06 -07:00
/// Construct an [`AddressBook`] with the given `local_listener`,
Security: Limit reconnection rate to individual peers (#2275) * Security: Limit reconnection rate to individual peers Reconnection Rate Limit the reconnection rate to each individual peer by applying the liveness cutoff to the attempt, responded, and failure time fields. If any field is recent, the peer is skipped. The new liveness cutoff skips any peers that have recently been attempted or failed. (Previously, the liveness check was only applied if the peer was in the `Responded` state, which could lead to repeated retries of `Failed` peers, particularly in small address books.) Reconnection Order Zebra prefers more useful peer states, then the earliest attempted, failed, and responded times, then the most recent gossiped last seen times. Before this change, Zebra took the most recent time in all the peer time fields, and used that time for liveness and ordering. This led to confusion between trusted and untrusted data, and success and failure times. Unlike the previous order, the new order: - tries all peers in each state, before re-trying any peer in that state, and - only checks the the gossiped untrusted last seen time if all other times are equal. * Preserve the later time if changes arrive out of order * Update CandidateSet::next documentation * Update CandidateSet state diagram * Fix variant names in comments * Explain why timestamps can be left out of MetaAddrChanges * Add a simple test for the individual peer retry limit * Only generate valid Arbitrary PeerServices values * Add an individual peer retry limit AddressBook and CandidateSet test * Stop deleting recently live addresses from the address book If we delete recently live addresses from the address book, we can get a new entry for them, and reconnect too rapidly. * Rename functions to match similar tokio API * Fix docs for service sorting * Clarify a comment * Cleanup a variable and comments * Remove blank lines in the CandidateSet state diagram * Add a multi-peer proptest that checks outbound attempt fairness * Fix a comment typo Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com> * Simplify time maths in MetaAddr * Create a Duration32 type to simplify calculations and comparisons * Rename variables for clarity * Split a string constant into multiple lines * Make constants match rustdoc order Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
2021-06-18 05:30:44 -07:00
/// [`tracing::Span`], and addresses.
///
Stop doing thousands of time checks each time we connect to a peer (#3106) * Stop checking the entire AddressBook for each connection attempt * Stop redundant peer time checks within the address book * Stop calling `Instant::now` 3 times for each address book update * Only get the time once each time an address book method is called * Update outdated comment * Use an OrderedMap to efficiently store address book peers * Add address book order tests
2021-12-03 10:09:43 -08:00
/// If there are multiple [`MetaAddr`]s with the same address,
/// an arbitrary address is inserted into the address book,
/// and the rest are dropped.
///
Security: Limit reconnection rate to individual peers (#2275) * Security: Limit reconnection rate to individual peers Reconnection Rate Limit the reconnection rate to each individual peer by applying the liveness cutoff to the attempt, responded, and failure time fields. If any field is recent, the peer is skipped. The new liveness cutoff skips any peers that have recently been attempted or failed. (Previously, the liveness check was only applied if the peer was in the `Responded` state, which could lead to repeated retries of `Failed` peers, particularly in small address books.) Reconnection Order Zebra prefers more useful peer states, then the earliest attempted, failed, and responded times, then the most recent gossiped last seen times. Before this change, Zebra took the most recent time in all the peer time fields, and used that time for liveness and ordering. This led to confusion between trusted and untrusted data, and success and failure times. Unlike the previous order, the new order: - tries all peers in each state, before re-trying any peer in that state, and - only checks the the gossiped untrusted last seen time if all other times are equal. * Preserve the later time if changes arrive out of order * Update CandidateSet::next documentation * Update CandidateSet state diagram * Fix variant names in comments * Explain why timestamps can be left out of MetaAddrChanges * Add a simple test for the individual peer retry limit * Only generate valid Arbitrary PeerServices values * Add an individual peer retry limit AddressBook and CandidateSet test * Stop deleting recently live addresses from the address book If we delete recently live addresses from the address book, we can get a new entry for them, and reconnect too rapidly. * Rename functions to match similar tokio API * Fix docs for service sorting * Clarify a comment * Cleanup a variable and comments * Remove blank lines in the CandidateSet state diagram * Add a multi-peer proptest that checks outbound attempt fairness * Fix a comment typo Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com> * Simplify time maths in MetaAddr * Create a Duration32 type to simplify calculations and comparisons * Rename variables for clarity * Split a string constant into multiple lines * Make constants match rustdoc order Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
2021-06-18 05:30:44 -07:00
/// This constructor can be used to break address book invariants,
/// so it should only be used in tests.
#[cfg(any(test, feature = "proptest-impl"))]
pub fn new_with_addrs(
Gossip dynamic local listener ports to peers (#2277) * Gossip dynamically allocated listener ports to peers Previously, Zebra would either gossip port `0`, which is invalid, or skip gossiping its own dynamically allocated listener port. * Improve "no configured peers" warning And downgrade from error to warning, because inbound-only nodes are a valid use case. * Move random_known_port to zebra-test * Add tests for dynamic local listener ports and the AddressBook Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
2021-06-22 14:59:06 -07:00
local_listener: SocketAddr,
Security: Limit reconnection rate to individual peers (#2275) * Security: Limit reconnection rate to individual peers Reconnection Rate Limit the reconnection rate to each individual peer by applying the liveness cutoff to the attempt, responded, and failure time fields. If any field is recent, the peer is skipped. The new liveness cutoff skips any peers that have recently been attempted or failed. (Previously, the liveness check was only applied if the peer was in the `Responded` state, which could lead to repeated retries of `Failed` peers, particularly in small address books.) Reconnection Order Zebra prefers more useful peer states, then the earliest attempted, failed, and responded times, then the most recent gossiped last seen times. Before this change, Zebra took the most recent time in all the peer time fields, and used that time for liveness and ordering. This led to confusion between trusted and untrusted data, and success and failure times. Unlike the previous order, the new order: - tries all peers in each state, before re-trying any peer in that state, and - only checks the the gossiped untrusted last seen time if all other times are equal. * Preserve the later time if changes arrive out of order * Update CandidateSet::next documentation * Update CandidateSet state diagram * Fix variant names in comments * Explain why timestamps can be left out of MetaAddrChanges * Add a simple test for the individual peer retry limit * Only generate valid Arbitrary PeerServices values * Add an individual peer retry limit AddressBook and CandidateSet test * Stop deleting recently live addresses from the address book If we delete recently live addresses from the address book, we can get a new entry for them, and reconnect too rapidly. * Rename functions to match similar tokio API * Fix docs for service sorting * Clarify a comment * Cleanup a variable and comments * Remove blank lines in the CandidateSet state diagram * Add a multi-peer proptest that checks outbound attempt fairness * Fix a comment typo Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com> * Simplify time maths in MetaAddr * Create a Duration32 type to simplify calculations and comparisons * Rename variables for clarity * Split a string constant into multiple lines * Make constants match rustdoc order Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
2021-06-18 05:30:44 -07:00
span: Span,
addrs: impl IntoIterator<Item = MetaAddr>,
) -> AddressBook {
Stop doing thousands of time checks each time we connect to a peer (#3106) * Stop checking the entire AddressBook for each connection attempt * Stop redundant peer time checks within the address book * Stop calling `Instant::now` 3 times for each address book update * Only get the time once each time an address book method is called * Update outdated comment * Use an OrderedMap to efficiently store address book peers * Add address book order tests
2021-12-03 10:09:43 -08:00
let constructor_span = span.clone();
let _guard = constructor_span.enter();
let instant_now = Instant::now();
let chrono_now = Utc::now();
Gossip dynamic local listener ports to peers (#2277) * Gossip dynamically allocated listener ports to peers Previously, Zebra would either gossip port `0`, which is invalid, or skip gossiping its own dynamically allocated listener port. * Improve "no configured peers" warning And downgrade from error to warning, because inbound-only nodes are a valid use case. * Move random_known_port to zebra-test * Add tests for dynamic local listener ports and the AddressBook Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
2021-06-22 14:59:06 -07:00
let mut new_book = AddressBook::new(local_listener, span);
Security: Limit reconnection rate to individual peers (#2275) * Security: Limit reconnection rate to individual peers Reconnection Rate Limit the reconnection rate to each individual peer by applying the liveness cutoff to the attempt, responded, and failure time fields. If any field is recent, the peer is skipped. The new liveness cutoff skips any peers that have recently been attempted or failed. (Previously, the liveness check was only applied if the peer was in the `Responded` state, which could lead to repeated retries of `Failed` peers, particularly in small address books.) Reconnection Order Zebra prefers more useful peer states, then the earliest attempted, failed, and responded times, then the most recent gossiped last seen times. Before this change, Zebra took the most recent time in all the peer time fields, and used that time for liveness and ordering. This led to confusion between trusted and untrusted data, and success and failure times. Unlike the previous order, the new order: - tries all peers in each state, before re-trying any peer in that state, and - only checks the the gossiped untrusted last seen time if all other times are equal. * Preserve the later time if changes arrive out of order * Update CandidateSet::next documentation * Update CandidateSet state diagram * Fix variant names in comments * Explain why timestamps can be left out of MetaAddrChanges * Add a simple test for the individual peer retry limit * Only generate valid Arbitrary PeerServices values * Add an individual peer retry limit AddressBook and CandidateSet test * Stop deleting recently live addresses from the address book If we delete recently live addresses from the address book, we can get a new entry for them, and reconnect too rapidly. * Rename functions to match similar tokio API * Fix docs for service sorting * Clarify a comment * Cleanup a variable and comments * Remove blank lines in the CandidateSet state diagram * Add a multi-peer proptest that checks outbound attempt fairness * Fix a comment typo Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com> * Simplify time maths in MetaAddr * Create a Duration32 type to simplify calculations and comparisons * Rename variables for clarity * Split a string constant into multiple lines * Make constants match rustdoc order Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
2021-06-18 05:30:44 -07:00
let addrs = addrs
.into_iter()
Security: Use canonical SocketAddrs to avoid duplicate peer connections, Feature: Send local listener to peers (#2276) * Always send our local listener with the latest time Previously, whenever there was an inbound request for peers, we would clone the address book and update it with the local listener. This had two impacts: - the listener could conflict with an existing entry, rather than unconditionally replacing it, and - the listener was briefly included in the address book metrics. As a side-effect, this change also makes sanitization slightly faster, because it avoids some useless peer filtering and sorting. * Skip listeners that are not valid for outbound connections * Filter sanitized addresses Zebra based on address state This fix correctly prevents Zebra gossiping client addresses to peers, but still keeps the client in the address book to avoid reconnections. * Add a full set of DateTime32 and Duration32 calculation methods * Refactor sanitize to use the new DateTime32/Duration32 methods * Security: Use canonical SocketAddrs to avoid duplicate connections If we allow multiple variants for each peer address, we can make multiple connections to that peer. Also make sure sanitized MetaAddrs are valid for outbound connections. * Test that address books contain the local listener address Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
2021-06-21 19:16:59 -07:00
.map(|mut meta_addr| {
meta_addr.addr = canonical_socket_addr(meta_addr.addr);
meta_addr
})
.filter(MetaAddr::address_is_valid_for_outbound)
Security: Limit reconnection rate to individual peers (#2275) * Security: Limit reconnection rate to individual peers Reconnection Rate Limit the reconnection rate to each individual peer by applying the liveness cutoff to the attempt, responded, and failure time fields. If any field is recent, the peer is skipped. The new liveness cutoff skips any peers that have recently been attempted or failed. (Previously, the liveness check was only applied if the peer was in the `Responded` state, which could lead to repeated retries of `Failed` peers, particularly in small address books.) Reconnection Order Zebra prefers more useful peer states, then the earliest attempted, failed, and responded times, then the most recent gossiped last seen times. Before this change, Zebra took the most recent time in all the peer time fields, and used that time for liveness and ordering. This led to confusion between trusted and untrusted data, and success and failure times. Unlike the previous order, the new order: - tries all peers in each state, before re-trying any peer in that state, and - only checks the the gossiped untrusted last seen time if all other times are equal. * Preserve the later time if changes arrive out of order * Update CandidateSet::next documentation * Update CandidateSet state diagram * Fix variant names in comments * Explain why timestamps can be left out of MetaAddrChanges * Add a simple test for the individual peer retry limit * Only generate valid Arbitrary PeerServices values * Add an individual peer retry limit AddressBook and CandidateSet test * Stop deleting recently live addresses from the address book If we delete recently live addresses from the address book, we can get a new entry for them, and reconnect too rapidly. * Rename functions to match similar tokio API * Fix docs for service sorting * Clarify a comment * Cleanup a variable and comments * Remove blank lines in the CandidateSet state diagram * Add a multi-peer proptest that checks outbound attempt fairness * Fix a comment typo Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com> * Simplify time maths in MetaAddr * Create a Duration32 type to simplify calculations and comparisons * Rename variables for clarity * Split a string constant into multiple lines * Make constants match rustdoc order Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
2021-06-18 05:30:44 -07:00
.map(|meta_addr| (meta_addr.addr, meta_addr));
Stop doing thousands of time checks each time we connect to a peer (#3106) * Stop checking the entire AddressBook for each connection attempt * Stop redundant peer time checks within the address book * Stop calling `Instant::now` 3 times for each address book update * Only get the time once each time an address book method is called * Update outdated comment * Use an OrderedMap to efficiently store address book peers * Add address book order tests
2021-12-03 10:09:43 -08:00
for (socket_addr, meta_addr) in addrs {
// overwrite any duplicate addresses
new_book.by_addr.insert(socket_addr, meta_addr);
}
new_book.update_metrics(instant_now, chrono_now);
Security: Limit reconnection rate to individual peers (#2275) * Security: Limit reconnection rate to individual peers Reconnection Rate Limit the reconnection rate to each individual peer by applying the liveness cutoff to the attempt, responded, and failure time fields. If any field is recent, the peer is skipped. The new liveness cutoff skips any peers that have recently been attempted or failed. (Previously, the liveness check was only applied if the peer was in the `Responded` state, which could lead to repeated retries of `Failed` peers, particularly in small address books.) Reconnection Order Zebra prefers more useful peer states, then the earliest attempted, failed, and responded times, then the most recent gossiped last seen times. Before this change, Zebra took the most recent time in all the peer time fields, and used that time for liveness and ordering. This led to confusion between trusted and untrusted data, and success and failure times. Unlike the previous order, the new order: - tries all peers in each state, before re-trying any peer in that state, and - only checks the the gossiped untrusted last seen time if all other times are equal. * Preserve the later time if changes arrive out of order * Update CandidateSet::next documentation * Update CandidateSet state diagram * Fix variant names in comments * Explain why timestamps can be left out of MetaAddrChanges * Add a simple test for the individual peer retry limit * Only generate valid Arbitrary PeerServices values * Add an individual peer retry limit AddressBook and CandidateSet test * Stop deleting recently live addresses from the address book If we delete recently live addresses from the address book, we can get a new entry for them, and reconnect too rapidly. * Rename functions to match similar tokio API * Fix docs for service sorting * Clarify a comment * Cleanup a variable and comments * Remove blank lines in the CandidateSet state diagram * Add a multi-peer proptest that checks outbound attempt fairness * Fix a comment typo Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com> * Simplify time maths in MetaAddr * Create a Duration32 type to simplify calculations and comparisons * Rename variables for clarity * Split a string constant into multiple lines * Make constants match rustdoc order Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
2021-06-18 05:30:44 -07:00
new_book
}
Reliability: send local listener address to peers When peers ask for peer addresses, add our local listener address to the set of addresses, sanitize, then truncate. Sanitize shuffles addresses, so if there are lots of addresses in the address book, our address will only be sent to some peers.
2021-05-06 18:08:06 -07:00
/// Get the local listener address.
Security: Use canonical SocketAddrs to avoid duplicate peer connections, Feature: Send local listener to peers (#2276) * Always send our local listener with the latest time Previously, whenever there was an inbound request for peers, we would clone the address book and update it with the local listener. This had two impacts: - the listener could conflict with an existing entry, rather than unconditionally replacing it, and - the listener was briefly included in the address book metrics. As a side-effect, this change also makes sanitization slightly faster, because it avoids some useless peer filtering and sorting. * Skip listeners that are not valid for outbound connections * Filter sanitized addresses Zebra based on address state This fix correctly prevents Zebra gossiping client addresses to peers, but still keeps the client in the address book to avoid reconnections. * Add a full set of DateTime32 and Duration32 calculation methods * Refactor sanitize to use the new DateTime32/Duration32 methods * Security: Use canonical SocketAddrs to avoid duplicate connections If we allow multiple variants for each peer address, we can make multiple connections to that peer. Also make sure sanitized MetaAddrs are valid for outbound connections. * Test that address books contain the local listener address Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
2021-06-21 19:16:59 -07:00
///
/// This address contains minimal state, but it is not sanitized.
Gossip dynamic local listener ports to peers (#2277) * Gossip dynamically allocated listener ports to peers Previously, Zebra would either gossip port `0`, which is invalid, or skip gossiping its own dynamically allocated listener port. * Improve "no configured peers" warning And downgrade from error to warning, because inbound-only nodes are a valid use case. * Move random_known_port to zebra-test * Add tests for dynamic local listener ports and the AddressBook Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
2021-06-22 14:59:06 -07:00
pub fn local_listener_meta_addr(&self) -> MetaAddr {
Security: Use canonical SocketAddrs to avoid duplicate peer connections, Feature: Send local listener to peers (#2276) * Always send our local listener with the latest time Previously, whenever there was an inbound request for peers, we would clone the address book and update it with the local listener. This had two impacts: - the listener could conflict with an existing entry, rather than unconditionally replacing it, and - the listener was briefly included in the address book metrics. As a side-effect, this change also makes sanitization slightly faster, because it avoids some useless peer filtering and sorting. * Skip listeners that are not valid for outbound connections * Filter sanitized addresses Zebra based on address state This fix correctly prevents Zebra gossiping client addresses to peers, but still keeps the client in the address book to avoid reconnections. * Add a full set of DateTime32 and Duration32 calculation methods * Refactor sanitize to use the new DateTime32/Duration32 methods * Security: Use canonical SocketAddrs to avoid duplicate connections If we allow multiple variants for each peer address, we can make multiple connections to that peer. Also make sure sanitized MetaAddrs are valid for outbound connections. * Test that address books contain the local listener address Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
2021-06-21 19:16:59 -07:00
MetaAddr::new_local_listener_change(&self.local_listener)
.into_new_meta_addr()
.expect("unexpected invalid new local listener addr")
Reliability: send local listener address to peers When peers ask for peer addresses, add our local listener address to the set of addresses, sanitize, then truncate. Sanitize shuffles addresses, so if there are lots of addresses in the address book, our address will only be sent to some peers.
2021-05-06 18:08:06 -07:00
}
zebra-network tweaks. (#877) * network: move gossiped peer selection logic into address book. * network: return BoxService from init. * zebrad: add note on why we truncate thegossiped peer list Co-authored-by: Jane Lusby <jlusby42@gmail.com> * Remove unused .rustfmt.toml Many of these options are never actually loaded by our CI because of a channel mismatch, where they're not applied on stable but only on nightly (see the logs from a rustfmt job). This means that we can get different settings when running `cargo fmt` on the nightly and stable channels, which was causing a CI failure on this PR. Reverting back to the default rustfmt settings avoids this problem and keeps us in line with upstream rustfmt. There's no loss to us since we were using the defaults anyways. Co-authored-by: Jane Lusby <jlusby42@gmail.com>
2020-08-11 13:07:44 -07:00
/// Get the contents of `self` in random order with sanitized timestamps.
Stop doing thousands of time checks each time we connect to a peer (#3106) * Stop checking the entire AddressBook for each connection attempt * Stop redundant peer time checks within the address book * Stop calling `Instant::now` 3 times for each address book update * Only get the time once each time an address book method is called * Update outdated comment * Use an OrderedMap to efficiently store address book peers * Add address book order tests
2021-12-03 10:09:43 -08:00
pub fn sanitized(&self, now: chrono::DateTime<Utc>) -> Vec<MetaAddr> {
zebra-network tweaks. (#877) * network: move gossiped peer selection logic into address book. * network: return BoxService from init. * zebrad: add note on why we truncate thegossiped peer list Co-authored-by: Jane Lusby <jlusby42@gmail.com> * Remove unused .rustfmt.toml Many of these options are never actually loaded by our CI because of a channel mismatch, where they're not applied on stable but only on nightly (see the logs from a rustfmt job). This means that we can get different settings when running `cargo fmt` on the nightly and stable channels, which was causing a CI failure on this PR. Reverting back to the default rustfmt settings avoids this problem and keeps us in line with upstream rustfmt. There's no loss to us since we were using the defaults anyways. Co-authored-by: Jane Lusby <jlusby42@gmail.com>
2020-08-11 13:07:44 -07:00
use rand::seq::SliceRandom;
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
let _guard = self.span.enter();
Security: Use canonical SocketAddrs to avoid duplicate peer connections, Feature: Send local listener to peers (#2276) * Always send our local listener with the latest time Previously, whenever there was an inbound request for peers, we would clone the address book and update it with the local listener. This had two impacts: - the listener could conflict with an existing entry, rather than unconditionally replacing it, and - the listener was briefly included in the address book metrics. As a side-effect, this change also makes sanitization slightly faster, because it avoids some useless peer filtering and sorting. * Skip listeners that are not valid for outbound connections * Filter sanitized addresses Zebra based on address state This fix correctly prevents Zebra gossiping client addresses to peers, but still keeps the client in the address book to avoid reconnections. * Add a full set of DateTime32 and Duration32 calculation methods * Refactor sanitize to use the new DateTime32/Duration32 methods * Security: Use canonical SocketAddrs to avoid duplicate connections If we allow multiple variants for each peer address, we can make multiple connections to that peer. Also make sure sanitized MetaAddrs are valid for outbound connections. * Test that address books contain the local listener address Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
2021-06-21 19:16:59 -07:00
let mut peers = self.by_addr.clone();
// Unconditionally add our local listener address to the advertised peers,
// to replace any self-connection failures. The address book and change
// constructors make sure that the SocketAddr is canonical.
Gossip dynamic local listener ports to peers (#2277) * Gossip dynamically allocated listener ports to peers Previously, Zebra would either gossip port `0`, which is invalid, or skip gossiping its own dynamically allocated listener port. * Improve "no configured peers" warning And downgrade from error to warning, because inbound-only nodes are a valid use case. * Move random_known_port to zebra-test * Add tests for dynamic local listener ports and the AddressBook Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
2021-06-22 14:59:06 -07:00
let local_listener = self.local_listener_meta_addr();
Security: Use canonical SocketAddrs to avoid duplicate peer connections, Feature: Send local listener to peers (#2276) * Always send our local listener with the latest time Previously, whenever there was an inbound request for peers, we would clone the address book and update it with the local listener. This had two impacts: - the listener could conflict with an existing entry, rather than unconditionally replacing it, and - the listener was briefly included in the address book metrics. As a side-effect, this change also makes sanitization slightly faster, because it avoids some useless peer filtering and sorting. * Skip listeners that are not valid for outbound connections * Filter sanitized addresses Zebra based on address state This fix correctly prevents Zebra gossiping client addresses to peers, but still keeps the client in the address book to avoid reconnections. * Add a full set of DateTime32 and Duration32 calculation methods * Refactor sanitize to use the new DateTime32/Duration32 methods * Security: Use canonical SocketAddrs to avoid duplicate connections If we allow multiple variants for each peer address, we can make multiple connections to that peer. Also make sure sanitized MetaAddrs are valid for outbound connections. * Test that address books contain the local listener address Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
2021-06-21 19:16:59 -07:00
peers.insert(local_listener.addr, local_listener);
// Then sanitize and shuffle
let mut peers = peers
Stop doing thousands of time checks each time we connect to a peer (#3106) * Stop checking the entire AddressBook for each connection attempt * Stop redundant peer time checks within the address book * Stop calling `Instant::now` 3 times for each address book update * Only get the time once each time an address book method is called * Update outdated comment * Use an OrderedMap to efficiently store address book peers * Add address book order tests
2021-12-03 10:09:43 -08:00
.descending_values()
Security: Use canonical SocketAddrs to avoid duplicate peer connections, Feature: Send local listener to peers (#2276) * Always send our local listener with the latest time Previously, whenever there was an inbound request for peers, we would clone the address book and update it with the local listener. This had two impacts: - the listener could conflict with an existing entry, rather than unconditionally replacing it, and - the listener was briefly included in the address book metrics. As a side-effect, this change also makes sanitization slightly faster, because it avoids some useless peer filtering and sorting. * Skip listeners that are not valid for outbound connections * Filter sanitized addresses Zebra based on address state This fix correctly prevents Zebra gossiping client addresses to peers, but still keeps the client in the address book to avoid reconnections. * Add a full set of DateTime32 and Duration32 calculation methods * Refactor sanitize to use the new DateTime32/Duration32 methods * Security: Use canonical SocketAddrs to avoid duplicate connections If we allow multiple variants for each peer address, we can make multiple connections to that peer. Also make sure sanitized MetaAddrs are valid for outbound connections. * Test that address books contain the local listener address Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
2021-06-21 19:16:59 -07:00
.filter_map(MetaAddr::sanitize)
Security: Zebra should stop gossiping unreachable addresses to other nodes, Action: re-deploy all nodes (#2392) * Rename some methods and constants for clarity Using the following commands: ``` fastmod '\bis_ready_for_attempt\b' is_ready_for_connection_attempt # One instance required a tweak, because of the ASCII diagram. fastmod '\bwas_recently_live\b' has_connection_recently_responded fastmod '\bwas_recently_attempted\b' was_connection_recently_attempted fastmod '\bwas_recently_failed\b' has_connection_recently_failed fastmod '\bLIVE_PEER_DURATION\b' MIN_PEER_RECONNECTION_DELAY ``` * Use `Instant::elapsed` for conciseness Instead of `Instant::now().saturating_duration_since`. They're both equivalent, and `elapsed` only panics if the `Instant` is somehow synthetically generated. * Allow `Duration32` to be created in other crates Export the `Duration32` from the `zebra_chain::serialization` module. * Add some new `Duration32` constructors Create some helper `const` constructors to make it easy to create constant durations. Add methods to create a `Duration32` from seconds, minutes and hours. * Avoid gossiping unreachable peers When sanitizing the list of peers to gossip, remove those that we haven't seen in more than three hours. * Test if unreachable addresses aren't gossiped Create a property test with random addreses inserted into an `AddressBook`, and verify that the sanitized list of addresses does not contain any addresses considered unreachable. * Test if new alternate address isn't gossipable Create a new alternate peer, because that type of `MetaAddr` does not have `last_response` or `untrusted_last_seen` times. Verify that the peer is not considered gossipable. * Test if local listener is gossipable The `MetaAddr` representing the local peer's listening address should always be considered gossipable. * Test if gossiped peer recently seen is gossipable Create a `MetaAddr` representing a gossiped peer that was reported to be seen recently. Check that the peer is considered gossipable. * Test peer reportedly last seen in the future Create a `MetaAddr` representing a peer gossiped and reported to have been last seen in a time that's in the future. Check that the peer is considered gossipable, to check that the fallback calculation is working as intended. * Test gossiped peer reportedly seen long ago Create a `MetaAddr` representing a gossiped peer that was reported to last have been seen a long time ago. Check that the peer is not considered gossipable. * Test if just responded peer is gossipable Create a `MetaAddr` representing a peer that has just responded and check that it is considered gossipable. * Test if recently responded peer is gossipable Create a `MetaAddr` representing a peer that last responded within the duration a peer is considered reachable. Verify that the peer is considered gossipable. * Test peer that responded long ago isn't gossipable Create a `MetaAddr` representing a peer that last responded outside the duration a peer is considered reachable. Verify that the peer is not considered gossipable.
2021-06-28 22:12:27 -07:00
// Security: remove peers that:
// - last responded more than three hours ago, or
// - haven't responded yet but were reported last seen more than three hours ago
//
// This prevents Zebra from gossiping nodes that are likely unreachable. Gossiping such
// nodes impacts the network health, because connection attempts end up being wasted on
// peers that are less likely to respond.
Stop doing thousands of time checks each time we connect to a peer (#3106) * Stop checking the entire AddressBook for each connection attempt * Stop redundant peer time checks within the address book * Stop calling `Instant::now` 3 times for each address book update * Only get the time once each time an address book method is called * Update outdated comment * Use an OrderedMap to efficiently store address book peers * Add address book order tests
2021-12-03 10:09:43 -08:00
.filter(|addr| addr.is_active_for_gossip(now))
Rewrite MetaAddr::sanitize so it's harder to misuse `sanitize` could be misused in two ways: * accidentally modifying the addresses in the address book itself * forgetting to sanitize new fields added to `MetaAddr` This change prevents accidental modification by taking `&self`, and explicitly creates a new sanitized `MetaAddr` with all fields listed.
2021-03-25 00:47:25 -07:00
.collect::<Vec<_>>();
zebra-network tweaks. (#877) * network: move gossiped peer selection logic into address book. * network: return BoxService from init. * zebrad: add note on why we truncate thegossiped peer list Co-authored-by: Jane Lusby <jlusby42@gmail.com> * Remove unused .rustfmt.toml Many of these options are never actually loaded by our CI because of a channel mismatch, where they're not applied on stable but only on nightly (see the logs from a rustfmt job). This means that we can get different settings when running `cargo fmt` on the nightly and stable channels, which was causing a CI failure on this PR. Reverting back to the default rustfmt settings avoids this problem and keeps us in line with upstream rustfmt. There's no loss to us since we were using the defaults anyways. Co-authored-by: Jane Lusby <jlusby42@gmail.com>
2020-08-11 13:07:44 -07:00
peers.shuffle(&mut rand::thread_rng());
peers
}
Stop doing thousands of time checks each time we connect to a peer (#3106) * Stop checking the entire AddressBook for each connection attempt * Stop redundant peer time checks within the address book * Stop calling `Instant::now` 3 times for each address book update * Only get the time once each time an address book method is called * Update outdated comment * Use an OrderedMap to efficiently store address book peers * Add address book order tests
2021-12-03 10:09:43 -08:00
/// Look up `addr` in the address book, and return its [`MetaAddr`].
///
/// Converts `addr` to a canonical address before looking it up.
pub fn get(&mut self, addr: &SocketAddr) -> Option<MetaAddr> {
let addr = canonical_socket_addr(*addr);
// Unfortunately, `OrderedMap` doesn't implement `get`.
let meta_addr = self.by_addr.remove(&addr);
if let Some(meta_addr) = meta_addr {
self.by_addr.insert(addr, meta_addr);
}
meta_addr
}
Security: stop gossiping failure and attempt times as last_seen times (#2273) * Security: stop gossiping failure and attempt times as last_seen times Previously, Zebra had a single time field for peer addresses, which was updated every time a peer was attempted, sent a message, or failed. This is a security issue, because the `last_seen` time should be "the last time [a peer] connected to that node", so that "nodes can use the time field to avoid relaying old 'addr' messages". So Zebra was sending incorrect peer information to other nodes. As part of this change, we split the `last_seen` time into the following fields: - untrusted_last_seen: gossiped from other peers - last_response: time we got a response from a directly connected peer - last_attempt: time we attempted to connect to a peer - last_failure: time a connection with a peer failed * Implement Arbitrary and strategies for MetaAddrChange Also replace the MetaAddr Arbitrary impl with a derive. * Write proptests for MetaAddr and MetaAddrChange MetaAddr: - the only times that get included in serialized MetaAddrs are the untrusted last seen and responded times MetaAddrChange: - the untrusted last seen time is never updated - the services are only updated if there has been a handshake
2021-06-14 20:31:16 -07:00
/// Apply `change` to the address book, returning the updated `MetaAddr`,
/// if the change was valid.
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
///
Security: stop gossiping temporary inbound remote addresses to peers - stop putting inbound addresses in the address book - drop address book entries that can't be used for outbound connections - distinguish between temporary inbound and permanent outbound peer addresses - also create variants to handle proxy connections (but don't use them yet) - avoid tracking connection state for isolated connections - document security constraints for the address book and peer set
2021-05-06 17:50:04 -07:00
/// # Correctness
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
///
Security: stop gossiping failure and attempt times as last_seen times (#2273) * Security: stop gossiping failure and attempt times as last_seen times Previously, Zebra had a single time field for peer addresses, which was updated every time a peer was attempted, sent a message, or failed. This is a security issue, because the `last_seen` time should be "the last time [a peer] connected to that node", so that "nodes can use the time field to avoid relaying old 'addr' messages". So Zebra was sending incorrect peer information to other nodes. As part of this change, we split the `last_seen` time into the following fields: - untrusted_last_seen: gossiped from other peers - last_response: time we got a response from a directly connected peer - last_attempt: time we attempted to connect to a peer - last_failure: time a connection with a peer failed * Implement Arbitrary and strategies for MetaAddrChange Also replace the MetaAddr Arbitrary impl with a derive. * Write proptests for MetaAddr and MetaAddrChange MetaAddr: - the only times that get included in serialized MetaAddrs are the untrusted last seen and responded times MetaAddrChange: - the untrusted last seen time is never updated - the services are only updated if there has been a handshake
2021-06-14 20:31:16 -07:00
/// All changes should go through `update`, so that the address book
Security: stop gossiping temporary inbound remote addresses to peers - stop putting inbound addresses in the address book - drop address book entries that can't be used for outbound connections - distinguish between temporary inbound and permanent outbound peer addresses - also create variants to handle proxy connections (but don't use them yet) - avoid tracking connection state for isolated connections - document security constraints for the address book and peer set
2021-05-06 17:50:04 -07:00
/// only contains valid outbound addresses.
Security: Limit reconnection rate to individual peers (#2275) * Security: Limit reconnection rate to individual peers Reconnection Rate Limit the reconnection rate to each individual peer by applying the liveness cutoff to the attempt, responded, and failure time fields. If any field is recent, the peer is skipped. The new liveness cutoff skips any peers that have recently been attempted or failed. (Previously, the liveness check was only applied if the peer was in the `Responded` state, which could lead to repeated retries of `Failed` peers, particularly in small address books.) Reconnection Order Zebra prefers more useful peer states, then the earliest attempted, failed, and responded times, then the most recent gossiped last seen times. Before this change, Zebra took the most recent time in all the peer time fields, and used that time for liveness and ordering. This led to confusion between trusted and untrusted data, and success and failure times. Unlike the previous order, the new order: - tries all peers in each state, before re-trying any peer in that state, and - only checks the the gossiped untrusted last seen time if all other times are equal. * Preserve the later time if changes arrive out of order * Update CandidateSet::next documentation * Update CandidateSet state diagram * Fix variant names in comments * Explain why timestamps can be left out of MetaAddrChanges * Add a simple test for the individual peer retry limit * Only generate valid Arbitrary PeerServices values * Add an individual peer retry limit AddressBook and CandidateSet test * Stop deleting recently live addresses from the address book If we delete recently live addresses from the address book, we can get a new entry for them, and reconnect too rapidly. * Rename functions to match similar tokio API * Fix docs for service sorting * Clarify a comment * Cleanup a variable and comments * Remove blank lines in the CandidateSet state diagram * Add a multi-peer proptest that checks outbound attempt fairness * Fix a comment typo Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com> * Simplify time maths in MetaAddr * Create a Duration32 type to simplify calculations and comparisons * Rename variables for clarity * Split a string constant into multiple lines * Make constants match rustdoc order Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
2021-06-18 05:30:44 -07:00
///
Security: Use canonical SocketAddrs to avoid duplicate peer connections, Feature: Send local listener to peers (#2276) * Always send our local listener with the latest time Previously, whenever there was an inbound request for peers, we would clone the address book and update it with the local listener. This had two impacts: - the listener could conflict with an existing entry, rather than unconditionally replacing it, and - the listener was briefly included in the address book metrics. As a side-effect, this change also makes sanitization slightly faster, because it avoids some useless peer filtering and sorting. * Skip listeners that are not valid for outbound connections * Filter sanitized addresses Zebra based on address state This fix correctly prevents Zebra gossiping client addresses to peers, but still keeps the client in the address book to avoid reconnections. * Add a full set of DateTime32 and Duration32 calculation methods * Refactor sanitize to use the new DateTime32/Duration32 methods * Security: Use canonical SocketAddrs to avoid duplicate connections If we allow multiple variants for each peer address, we can make multiple connections to that peer. Also make sure sanitized MetaAddrs are valid for outbound connections. * Test that address books contain the local listener address Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
2021-06-21 19:16:59 -07:00
/// Change addresses must be canonical `SocketAddr`s. This makes sure that
/// each address book entry has a unique IP address.
///
Security: Limit reconnection rate to individual peers (#2275) * Security: Limit reconnection rate to individual peers Reconnection Rate Limit the reconnection rate to each individual peer by applying the liveness cutoff to the attempt, responded, and failure time fields. If any field is recent, the peer is skipped. The new liveness cutoff skips any peers that have recently been attempted or failed. (Previously, the liveness check was only applied if the peer was in the `Responded` state, which could lead to repeated retries of `Failed` peers, particularly in small address books.) Reconnection Order Zebra prefers more useful peer states, then the earliest attempted, failed, and responded times, then the most recent gossiped last seen times. Before this change, Zebra took the most recent time in all the peer time fields, and used that time for liveness and ordering. This led to confusion between trusted and untrusted data, and success and failure times. Unlike the previous order, the new order: - tries all peers in each state, before re-trying any peer in that state, and - only checks the the gossiped untrusted last seen time if all other times are equal. * Preserve the later time if changes arrive out of order * Update CandidateSet::next documentation * Update CandidateSet state diagram * Fix variant names in comments * Explain why timestamps can be left out of MetaAddrChanges * Add a simple test for the individual peer retry limit * Only generate valid Arbitrary PeerServices values * Add an individual peer retry limit AddressBook and CandidateSet test * Stop deleting recently live addresses from the address book If we delete recently live addresses from the address book, we can get a new entry for them, and reconnect too rapidly. * Rename functions to match similar tokio API * Fix docs for service sorting * Clarify a comment * Cleanup a variable and comments * Remove blank lines in the CandidateSet state diagram * Add a multi-peer proptest that checks outbound attempt fairness * Fix a comment typo Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com> * Simplify time maths in MetaAddr * Create a Duration32 type to simplify calculations and comparisons * Rename variables for clarity * Split a string constant into multiple lines * Make constants match rustdoc order Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
2021-06-18 05:30:44 -07:00
/// # Security
///
/// This function must apply every attempted, responded, and failed change
/// to the address book. This prevents rapid reconnections to the same peer.
///
/// As an exception, this function can ignore all changes for specific
/// [`SocketAddr`]s. Ignored addresses will never be used to connect to
/// peers.
Security: stop gossiping failure and attempt times as last_seen times (#2273) * Security: stop gossiping failure and attempt times as last_seen times Previously, Zebra had a single time field for peer addresses, which was updated every time a peer was attempted, sent a message, or failed. This is a security issue, because the `last_seen` time should be "the last time [a peer] connected to that node", so that "nodes can use the time field to avoid relaying old 'addr' messages". So Zebra was sending incorrect peer information to other nodes. As part of this change, we split the `last_seen` time into the following fields: - untrusted_last_seen: gossiped from other peers - last_response: time we got a response from a directly connected peer - last_attempt: time we attempted to connect to a peer - last_failure: time a connection with a peer failed * Implement Arbitrary and strategies for MetaAddrChange Also replace the MetaAddr Arbitrary impl with a derive. * Write proptests for MetaAddr and MetaAddrChange MetaAddr: - the only times that get included in serialized MetaAddrs are the untrusted last seen and responded times MetaAddrChange: - the untrusted last seen time is never updated - the services are only updated if there has been a handshake
2021-06-14 20:31:16 -07:00
pub fn update(&mut self, change: MetaAddrChange) -> Option<MetaAddr> {
Stop doing thousands of time checks each time we connect to a peer (#3106) * Stop checking the entire AddressBook for each connection attempt * Stop redundant peer time checks within the address book * Stop calling `Instant::now` 3 times for each address book update * Only get the time once each time an address book method is called * Update outdated comment * Use an OrderedMap to efficiently store address book peers * Add address book order tests
2021-12-03 10:09:43 -08:00
let previous = self.get(&change.addr());
Add an explicit tracing span to each address book. Co-authored-by: Deirdre Connolly <deirdre@zfnd.org>
2019-10-21 15:56:16 -07:00
let _guard = self.span.enter();
Security: stop gossiping failure and attempt times as last_seen times (#2273) * Security: stop gossiping failure and attempt times as last_seen times Previously, Zebra had a single time field for peer addresses, which was updated every time a peer was attempted, sent a message, or failed. This is a security issue, because the `last_seen` time should be "the last time [a peer] connected to that node", so that "nodes can use the time field to avoid relaying old 'addr' messages". So Zebra was sending incorrect peer information to other nodes. As part of this change, we split the `last_seen` time into the following fields: - untrusted_last_seen: gossiped from other peers - last_response: time we got a response from a directly connected peer - last_attempt: time we attempted to connect to a peer - last_failure: time a connection with a peer failed * Implement Arbitrary and strategies for MetaAddrChange Also replace the MetaAddr Arbitrary impl with a derive. * Write proptests for MetaAddr and MetaAddrChange MetaAddr: - the only times that get included in serialized MetaAddrs are the untrusted last seen and responded times MetaAddrChange: - the untrusted last seen time is never updated - the services are only updated if there has been a handshake
2021-06-14 20:31:16 -07:00
Stop doing thousands of time checks each time we connect to a peer (#3106) * Stop checking the entire AddressBook for each connection attempt * Stop redundant peer time checks within the address book * Stop calling `Instant::now` 3 times for each address book update * Only get the time once each time an address book method is called * Update outdated comment * Use an OrderedMap to efficiently store address book peers * Add address book order tests
2021-12-03 10:09:43 -08:00
let instant_now = Instant::now();
let chrono_now = Utc::now();
Security: stop gossiping failure and attempt times as last_seen times (#2273) * Security: stop gossiping failure and attempt times as last_seen times Previously, Zebra had a single time field for peer addresses, which was updated every time a peer was attempted, sent a message, or failed. This is a security issue, because the `last_seen` time should be "the last time [a peer] connected to that node", so that "nodes can use the time field to avoid relaying old 'addr' messages". So Zebra was sending incorrect peer information to other nodes. As part of this change, we split the `last_seen` time into the following fields: - untrusted_last_seen: gossiped from other peers - last_response: time we got a response from a directly connected peer - last_attempt: time we attempted to connect to a peer - last_failure: time a connection with a peer failed * Implement Arbitrary and strategies for MetaAddrChange Also replace the MetaAddr Arbitrary impl with a derive. * Write proptests for MetaAddr and MetaAddrChange MetaAddr: - the only times that get included in serialized MetaAddrs are the untrusted last seen and responded times MetaAddrChange: - the untrusted last seen time is never updated - the services are only updated if there has been a handshake
2021-06-14 20:31:16 -07:00
let updated = change.apply_to_meta_addr(previous);
Rewrite AddressBook to use a BTreeSet. The previous implementation failed when timestamps were duplicated between peers, because there was not a 1-1 relationship between timestamps and peers.
2019-10-17 21:19:23 -07:00
trace!(
Security: stop gossiping failure and attempt times as last_seen times (#2273) * Security: stop gossiping failure and attempt times as last_seen times Previously, Zebra had a single time field for peer addresses, which was updated every time a peer was attempted, sent a message, or failed. This is a security issue, because the `last_seen` time should be "the last time [a peer] connected to that node", so that "nodes can use the time field to avoid relaying old 'addr' messages". So Zebra was sending incorrect peer information to other nodes. As part of this change, we split the `last_seen` time into the following fields: - untrusted_last_seen: gossiped from other peers - last_response: time we got a response from a directly connected peer - last_attempt: time we attempted to connect to a peer - last_failure: time a connection with a peer failed * Implement Arbitrary and strategies for MetaAddrChange Also replace the MetaAddr Arbitrary impl with a derive. * Write proptests for MetaAddr and MetaAddrChange MetaAddr: - the only times that get included in serialized MetaAddrs are the untrusted last seen and responded times MetaAddrChange: - the untrusted last seen time is never updated - the services are only updated if there has been a handshake
2021-06-14 20:31:16 -07:00
?change,
?updated,
?previous,
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
total_peers = self.by_addr.len(),
Stop doing thousands of time checks each time we connect to a peer (#3106) * Stop checking the entire AddressBook for each connection attempt * Stop redundant peer time checks within the address book * Stop calling `Instant::now` 3 times for each address book update * Only get the time once each time an address book method is called * Update outdated comment * Use an OrderedMap to efficiently store address book peers * Add address book order tests
2021-12-03 10:09:43 -08:00
recent_peers = self.recently_live_peers(chrono_now).count(),
Extract `TimestampData` to `AddressBook`. This allows us to hide the `TimestampCollector` and to expose only the address book data required by the inbound request service. It also lets us have a common data structure (the `AddressBook`) for collecting peer information that can be used to manage information that other peers report to us.
2019-10-17 15:42:19 -07:00
);
Security: stop gossiping failure and attempt times as last_seen times (#2273) * Security: stop gossiping failure and attempt times as last_seen times Previously, Zebra had a single time field for peer addresses, which was updated every time a peer was attempted, sent a message, or failed. This is a security issue, because the `last_seen` time should be "the last time [a peer] connected to that node", so that "nodes can use the time field to avoid relaying old 'addr' messages". So Zebra was sending incorrect peer information to other nodes. As part of this change, we split the `last_seen` time into the following fields: - untrusted_last_seen: gossiped from other peers - last_response: time we got a response from a directly connected peer - last_attempt: time we attempted to connect to a peer - last_failure: time a connection with a peer failed * Implement Arbitrary and strategies for MetaAddrChange Also replace the MetaAddr Arbitrary impl with a derive. * Write proptests for MetaAddr and MetaAddrChange MetaAddr: - the only times that get included in serialized MetaAddrs are the untrusted last seen and responded times MetaAddrChange: - the untrusted last seen time is never updated - the services are only updated if there has been a handshake
2021-06-14 20:31:16 -07:00
if let Some(updated) = updated {
Security: Limit reconnection rate to individual peers (#2275) * Security: Limit reconnection rate to individual peers Reconnection Rate Limit the reconnection rate to each individual peer by applying the liveness cutoff to the attempt, responded, and failure time fields. If any field is recent, the peer is skipped. The new liveness cutoff skips any peers that have recently been attempted or failed. (Previously, the liveness check was only applied if the peer was in the `Responded` state, which could lead to repeated retries of `Failed` peers, particularly in small address books.) Reconnection Order Zebra prefers more useful peer states, then the earliest attempted, failed, and responded times, then the most recent gossiped last seen times. Before this change, Zebra took the most recent time in all the peer time fields, and used that time for liveness and ordering. This led to confusion between trusted and untrusted data, and success and failure times. Unlike the previous order, the new order: - tries all peers in each state, before re-trying any peer in that state, and - only checks the the gossiped untrusted last seen time if all other times are equal. * Preserve the later time if changes arrive out of order * Update CandidateSet::next documentation * Update CandidateSet state diagram * Fix variant names in comments * Explain why timestamps can be left out of MetaAddrChanges * Add a simple test for the individual peer retry limit * Only generate valid Arbitrary PeerServices values * Add an individual peer retry limit AddressBook and CandidateSet test * Stop deleting recently live addresses from the address book If we delete recently live addresses from the address book, we can get a new entry for them, and reconnect too rapidly. * Rename functions to match similar tokio API * Fix docs for service sorting * Clarify a comment * Cleanup a variable and comments * Remove blank lines in the CandidateSet state diagram * Add a multi-peer proptest that checks outbound attempt fairness * Fix a comment typo Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com> * Simplify time maths in MetaAddr * Create a Duration32 type to simplify calculations and comparisons * Rename variables for clarity * Split a string constant into multiple lines * Make constants match rustdoc order Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
2021-06-18 05:30:44 -07:00
// Ignore invalid outbound addresses.
// (Inbound connections can be monitored via Zebra's metrics.)
if !updated.address_is_valid_for_outbound() {
Security: stop gossiping failure and attempt times as last_seen times (#2273) * Security: stop gossiping failure and attempt times as last_seen times Previously, Zebra had a single time field for peer addresses, which was updated every time a peer was attempted, sent a message, or failed. This is a security issue, because the `last_seen` time should be "the last time [a peer] connected to that node", so that "nodes can use the time field to avoid relaying old 'addr' messages". So Zebra was sending incorrect peer information to other nodes. As part of this change, we split the `last_seen` time into the following fields: - untrusted_last_seen: gossiped from other peers - last_response: time we got a response from a directly connected peer - last_attempt: time we attempted to connect to a peer - last_failure: time a connection with a peer failed * Implement Arbitrary and strategies for MetaAddrChange Also replace the MetaAddr Arbitrary impl with a derive. * Write proptests for MetaAddr and MetaAddrChange MetaAddr: - the only times that get included in serialized MetaAddrs are the untrusted last seen and responded times MetaAddrChange: - the untrusted last seen time is never updated - the services are only updated if there has been a handshake
2021-06-14 20:31:16 -07:00
return None;
}
Security: stop gossiping temporary inbound remote addresses to peers - stop putting inbound addresses in the address book - drop address book entries that can't be used for outbound connections - distinguish between temporary inbound and permanent outbound peer addresses - also create variants to handle proxy connections (but don't use them yet) - avoid tracking connection state for isolated connections - document security constraints for the address book and peer set
2021-05-06 17:50:04 -07:00
Security: Limit reconnection rate to individual peers (#2275) * Security: Limit reconnection rate to individual peers Reconnection Rate Limit the reconnection rate to each individual peer by applying the liveness cutoff to the attempt, responded, and failure time fields. If any field is recent, the peer is skipped. The new liveness cutoff skips any peers that have recently been attempted or failed. (Previously, the liveness check was only applied if the peer was in the `Responded` state, which could lead to repeated retries of `Failed` peers, particularly in small address books.) Reconnection Order Zebra prefers more useful peer states, then the earliest attempted, failed, and responded times, then the most recent gossiped last seen times. Before this change, Zebra took the most recent time in all the peer time fields, and used that time for liveness and ordering. This led to confusion between trusted and untrusted data, and success and failure times. Unlike the previous order, the new order: - tries all peers in each state, before re-trying any peer in that state, and - only checks the the gossiped untrusted last seen time if all other times are equal. * Preserve the later time if changes arrive out of order * Update CandidateSet::next documentation * Update CandidateSet state diagram * Fix variant names in comments * Explain why timestamps can be left out of MetaAddrChanges * Add a simple test for the individual peer retry limit * Only generate valid Arbitrary PeerServices values * Add an individual peer retry limit AddressBook and CandidateSet test * Stop deleting recently live addresses from the address book If we delete recently live addresses from the address book, we can get a new entry for them, and reconnect too rapidly. * Rename functions to match similar tokio API * Fix docs for service sorting * Clarify a comment * Cleanup a variable and comments * Remove blank lines in the CandidateSet state diagram * Add a multi-peer proptest that checks outbound attempt fairness * Fix a comment typo Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com> * Simplify time maths in MetaAddr * Create a Duration32 type to simplify calculations and comparisons * Rename variables for clarity * Split a string constant into multiple lines * Make constants match rustdoc order Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
2021-06-18 05:30:44 -07:00
// Ignore invalid outbound services and other info,
// but only if the peer has never been attempted.
Security: stop gossiping failure and attempt times as last_seen times (#2273) * Security: stop gossiping failure and attempt times as last_seen times Previously, Zebra had a single time field for peer addresses, which was updated every time a peer was attempted, sent a message, or failed. This is a security issue, because the `last_seen` time should be "the last time [a peer] connected to that node", so that "nodes can use the time field to avoid relaying old 'addr' messages". So Zebra was sending incorrect peer information to other nodes. As part of this change, we split the `last_seen` time into the following fields: - untrusted_last_seen: gossiped from other peers - last_response: time we got a response from a directly connected peer - last_attempt: time we attempted to connect to a peer - last_failure: time a connection with a peer failed * Implement Arbitrary and strategies for MetaAddrChange Also replace the MetaAddr Arbitrary impl with a derive. * Write proptests for MetaAddr and MetaAddrChange MetaAddr: - the only times that get included in serialized MetaAddrs are the untrusted last seen and responded times MetaAddrChange: - the untrusted last seen time is never updated - the services are only updated if there has been a handshake
2021-06-14 20:31:16 -07:00
//
Security: Limit reconnection rate to individual peers (#2275) * Security: Limit reconnection rate to individual peers Reconnection Rate Limit the reconnection rate to each individual peer by applying the liveness cutoff to the attempt, responded, and failure time fields. If any field is recent, the peer is skipped. The new liveness cutoff skips any peers that have recently been attempted or failed. (Previously, the liveness check was only applied if the peer was in the `Responded` state, which could lead to repeated retries of `Failed` peers, particularly in small address books.) Reconnection Order Zebra prefers more useful peer states, then the earliest attempted, failed, and responded times, then the most recent gossiped last seen times. Before this change, Zebra took the most recent time in all the peer time fields, and used that time for liveness and ordering. This led to confusion between trusted and untrusted data, and success and failure times. Unlike the previous order, the new order: - tries all peers in each state, before re-trying any peer in that state, and - only checks the the gossiped untrusted last seen time if all other times are equal. * Preserve the later time if changes arrive out of order * Update CandidateSet::next documentation * Update CandidateSet state diagram * Fix variant names in comments * Explain why timestamps can be left out of MetaAddrChanges * Add a simple test for the individual peer retry limit * Only generate valid Arbitrary PeerServices values * Add an individual peer retry limit AddressBook and CandidateSet test * Stop deleting recently live addresses from the address book If we delete recently live addresses from the address book, we can get a new entry for them, and reconnect too rapidly. * Rename functions to match similar tokio API * Fix docs for service sorting * Clarify a comment * Cleanup a variable and comments * Remove blank lines in the CandidateSet state diagram * Add a multi-peer proptest that checks outbound attempt fairness * Fix a comment typo Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com> * Simplify time maths in MetaAddr * Create a Duration32 type to simplify calculations and comparisons * Rename variables for clarity * Split a string constant into multiple lines * Make constants match rustdoc order Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
2021-06-18 05:30:44 -07:00
// Otherwise, if we got the info directly from the peer,
// store it in the address book, so we know not to reconnect.
//
// TODO: delete peers with invalid info when they get too old (#1873)
if !updated.last_known_info_is_valid_for_outbound()
&& updated.last_connection_state.is_never_attempted()
{
Security: stop gossiping failure and attempt times as last_seen times (#2273) * Security: stop gossiping failure and attempt times as last_seen times Previously, Zebra had a single time field for peer addresses, which was updated every time a peer was attempted, sent a message, or failed. This is a security issue, because the `last_seen` time should be "the last time [a peer] connected to that node", so that "nodes can use the time field to avoid relaying old 'addr' messages". So Zebra was sending incorrect peer information to other nodes. As part of this change, we split the `last_seen` time into the following fields: - untrusted_last_seen: gossiped from other peers - last_response: time we got a response from a directly connected peer - last_attempt: time we attempted to connect to a peer - last_failure: time a connection with a peer failed * Implement Arbitrary and strategies for MetaAddrChange Also replace the MetaAddr Arbitrary impl with a derive. * Write proptests for MetaAddr and MetaAddrChange MetaAddr: - the only times that get included in serialized MetaAddrs are the untrusted last seen and responded times MetaAddrChange: - the untrusted last seen time is never updated - the services are only updated if there has been a handshake
2021-06-14 20:31:16 -07:00
return None;
Extract `TimestampData` to `AddressBook`. This allows us to hide the `TimestampCollector` and to expose only the address book data required by the inbound request service. It also lets us have a common data structure (the `AddressBook`) for collecting peer information that can be used to manage information that other peers report to us.
2019-10-17 15:42:19 -07:00
}
Security: stop gossiping failure and attempt times as last_seen times (#2273) * Security: stop gossiping failure and attempt times as last_seen times Previously, Zebra had a single time field for peer addresses, which was updated every time a peer was attempted, sent a message, or failed. This is a security issue, because the `last_seen` time should be "the last time [a peer] connected to that node", so that "nodes can use the time field to avoid relaying old 'addr' messages". So Zebra was sending incorrect peer information to other nodes. As part of this change, we split the `last_seen` time into the following fields: - untrusted_last_seen: gossiped from other peers - last_response: time we got a response from a directly connected peer - last_attempt: time we attempted to connect to a peer - last_failure: time a connection with a peer failed * Implement Arbitrary and strategies for MetaAddrChange Also replace the MetaAddr Arbitrary impl with a derive. * Write proptests for MetaAddr and MetaAddrChange MetaAddr: - the only times that get included in serialized MetaAddrs are the untrusted last seen and responded times MetaAddrChange: - the untrusted last seen time is never updated - the services are only updated if there has been a handshake
2021-06-14 20:31:16 -07:00
self.by_addr.insert(updated.addr, updated);
std::mem::drop(_guard);
Stop doing thousands of time checks each time we connect to a peer (#3106) * Stop checking the entire AddressBook for each connection attempt * Stop redundant peer time checks within the address book * Stop calling `Instant::now` 3 times for each address book update * Only get the time once each time an address book method is called * Update outdated comment * Use an OrderedMap to efficiently store address book peers * Add address book order tests
2021-12-03 10:09:43 -08:00
self.update_metrics(instant_now, chrono_now);
Extract `TimestampData` to `AddressBook`. This allows us to hide the `TimestampCollector` and to expose only the address book data required by the inbound request service. It also lets us have a common data structure (the `AddressBook`) for collecting peer information that can be used to manage information that other peers report to us.
2019-10-17 15:42:19 -07:00
}
Refactor AddressBook::update, add contains, get. This also makes the quadratic `assert_consistency` check run only in test configs.
2019-10-18 11:04:38 -07:00
Security: stop gossiping failure and attempt times as last_seen times (#2273) * Security: stop gossiping failure and attempt times as last_seen times Previously, Zebra had a single time field for peer addresses, which was updated every time a peer was attempted, sent a message, or failed. This is a security issue, because the `last_seen` time should be "the last time [a peer] connected to that node", so that "nodes can use the time field to avoid relaying old 'addr' messages". So Zebra was sending incorrect peer information to other nodes. As part of this change, we split the `last_seen` time into the following fields: - untrusted_last_seen: gossiped from other peers - last_response: time we got a response from a directly connected peer - last_attempt: time we attempted to connect to a peer - last_failure: time a connection with a peer failed * Implement Arbitrary and strategies for MetaAddrChange Also replace the MetaAddr Arbitrary impl with a derive. * Write proptests for MetaAddr and MetaAddrChange MetaAddr: - the only times that get included in serialized MetaAddrs are the untrusted last seen and responded times MetaAddrChange: - the untrusted last seen time is never updated - the services are only updated if there has been a handshake
2021-06-14 20:31:16 -07:00
updated
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
}
/// Removes the entry with `addr`, returning it if it exists
///
Security: stop gossiping temporary inbound remote addresses to peers - stop putting inbound addresses in the address book - drop address book entries that can't be used for outbound connections - distinguish between temporary inbound and permanent outbound peer addresses - also create variants to handle proxy connections (but don't use them yet) - avoid tracking connection state for isolated connections - document security constraints for the address book and peer set
2021-05-06 17:50:04 -07:00
/// # Note
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
///
Security: stop gossiping temporary inbound remote addresses to peers - stop putting inbound addresses in the address book - drop address book entries that can't be used for outbound connections - distinguish between temporary inbound and permanent outbound peer addresses - also create variants to handle proxy connections (but don't use them yet) - avoid tracking connection state for isolated connections - document security constraints for the address book and peer set
2021-05-06 17:50:04 -07:00
/// All address removals should go through `take`, so that the address
/// book metrics are accurate.
Security: Use canonical SocketAddrs to avoid duplicate peer connections, Feature: Send local listener to peers (#2276) * Always send our local listener with the latest time Previously, whenever there was an inbound request for peers, we would clone the address book and update it with the local listener. This had two impacts: - the listener could conflict with an existing entry, rather than unconditionally replacing it, and - the listener was briefly included in the address book metrics. As a side-effect, this change also makes sanitization slightly faster, because it avoids some useless peer filtering and sorting. * Skip listeners that are not valid for outbound connections * Filter sanitized addresses Zebra based on address state This fix correctly prevents Zebra gossiping client addresses to peers, but still keeps the client in the address book to avoid reconnections. * Add a full set of DateTime32 and Duration32 calculation methods * Refactor sanitize to use the new DateTime32/Duration32 methods * Security: Use canonical SocketAddrs to avoid duplicate connections If we allow multiple variants for each peer address, we can make multiple connections to that peer. Also make sure sanitized MetaAddrs are valid for outbound connections. * Test that address books contain the local listener address Co-authored-by: Janito Vaqueiro Ferreira Filho <janito.vff@gmail.com>
2021-06-21 19:16:59 -07:00
#[allow(dead_code)]
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
fn take(&mut self, removed_addr: SocketAddr) -> Option<MetaAddr> {
let _guard = self.span.enter();
Stop doing thousands of time checks each time we connect to a peer (#3106) * Stop checking the entire AddressBook for each connection attempt * Stop redundant peer time checks within the address book * Stop calling `Instant::now` 3 times for each address book update * Only get the time once each time an address book method is called * Update outdated comment * Use an OrderedMap to efficiently store address book peers * Add address book order tests
2021-12-03 10:09:43 -08:00
let instant_now = Instant::now();
let chrono_now = Utc::now();
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
trace!(
?removed_addr,
total_peers = self.by_addr.len(),
Stop doing thousands of time checks each time we connect to a peer (#3106) * Stop checking the entire AddressBook for each connection attempt * Stop redundant peer time checks within the address book * Stop calling `Instant::now` 3 times for each address book update * Only get the time once each time an address book method is called * Update outdated comment * Use an OrderedMap to efficiently store address book peers * Add address book order tests
2021-12-03 10:09:43 -08:00
recent_peers = self.recently_live_peers(chrono_now).count(),
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
);
if let Some(entry) = self.by_addr.remove(&removed_addr) {
Log address book metrics when peers aren't responding
2021-03-15 05:31:25 -07:00
std::mem::drop(_guard);
Stop doing thousands of time checks each time we connect to a peer (#3106) * Stop checking the entire AddressBook for each connection attempt * Stop redundant peer time checks within the address book * Stop calling `Instant::now` 3 times for each address book update * Only get the time once each time an address book method is called * Update outdated comment * Use an OrderedMap to efficiently store address book peers * Add address book order tests
2021-12-03 10:09:43 -08:00
self.update_metrics(instant_now, chrono_now);
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
Some(entry)
} else {
None
}
Extract `TimestampData` to `AddressBook`. This allows us to hide the `TimestampCollector` and to expose only the address book data required by the inbound request service. It also lets us have a common data structure (the `AddressBook`) for collecting peer information that can be used to manage information that other peers report to us.
2019-10-17 15:42:19 -07:00
}
Add iteration functions to `AddressBook`. The disconnected_peers() function allows us to prevent duplicate connections without maintaining shared state between the peerset and the dial-additional-peers task.
2019-10-17 16:25:24 -07:00
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
/// Returns true if the given [`SocketAddr`] is pending a reconnection
/// attempt.
Stop doing thousands of time checks each time we connect to a peer (#3106) * Stop checking the entire AddressBook for each connection attempt * Stop redundant peer time checks within the address book * Stop calling `Instant::now` 3 times for each address book update * Only get the time once each time an address book method is called * Update outdated comment * Use an OrderedMap to efficiently store address book peers * Add address book order tests
2021-12-03 10:09:43 -08:00
pub fn pending_reconnection_addr(&mut self, addr: &SocketAddr) -> bool {
let meta_addr = self.get(addr);
Add an explicit tracing span to each address book. Co-authored-by: Deirdre Connolly <deirdre@zfnd.org>
2019-10-21 15:56:16 -07:00
let _guard = self.span.enter();
Stop doing thousands of time checks each time we connect to a peer (#3106) * Stop checking the entire AddressBook for each connection attempt * Stop redundant peer time checks within the address book * Stop calling `Instant::now` 3 times for each address book update * Only get the time once each time an address book method is called * Update outdated comment * Use an OrderedMap to efficiently store address book peers * Add address book order tests
2021-12-03 10:09:43 -08:00
match meta_addr {
Apply clippy fixes
2020-02-04 22:53:24 -08:00
None => false,
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
Some(peer) => peer.last_connection_state == PeerAddrState::AttemptPending,
Add AddressBook::is_potentially_connected() This allows checking whether a SocketAddr could potentially be connected, based on the contents of the address book.
2019-10-18 09:54:34 -07:00
}
}
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
/// Return an iterator over all peers.
///
Stop doing thousands of time checks each time we connect to a peer (#3106) * Stop checking the entire AddressBook for each connection attempt * Stop redundant peer time checks within the address book * Stop calling `Instant::now` 3 times for each address book update * Only get the time once each time an address book method is called * Update outdated comment * Use an OrderedMap to efficiently store address book peers * Add address book order tests
2021-12-03 10:09:43 -08:00
/// Returns peers in reconnection attempt order, including recently connected peers.
Fix some "needless lifetime" clippy lints These lints seem to be new in clippy nightly.
2020-10-11 15:32:05 -07:00
pub fn peers(&'_ self) -> impl Iterator<Item = MetaAddr> + '_ {
Add an explicit tracing span to each address book. Co-authored-by: Deirdre Connolly <deirdre@zfnd.org>
2019-10-21 15:56:16 -07:00
let _guard = self.span.enter();
Stop doing thousands of time checks each time we connect to a peer (#3106) * Stop checking the entire AddressBook for each connection attempt * Stop redundant peer time checks within the address book * Stop calling `Instant::now` 3 times for each address book update * Only get the time once each time an address book method is called * Update outdated comment * Use an OrderedMap to efficiently store address book peers * Add address book order tests
2021-12-03 10:09:43 -08:00
self.by_addr.descending_values().cloned()
Add iteration functions to `AddressBook`. The disconnected_peers() function allows us to prevent duplicate connections without maintaining shared state between the peerset and the dial-additional-peers task.
2019-10-17 16:25:24 -07:00
}
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
/// Return an iterator over peers that are due for a reconnection attempt,
/// in reconnection attempt order.
Stop doing thousands of time checks each time we connect to a peer (#3106) * Stop checking the entire AddressBook for each connection attempt * Stop redundant peer time checks within the address book * Stop calling `Instant::now` 3 times for each address book update * Only get the time once each time an address book method is called * Update outdated comment * Use an OrderedMap to efficiently store address book peers * Add address book order tests
2021-12-03 10:09:43 -08:00
pub fn reconnection_peers(
&'_ self,
instant_now: Instant,
chrono_now: chrono::DateTime<Utc>,
) -> impl Iterator<Item = MetaAddr> + '_ {
Add an explicit tracing span to each address book. Co-authored-by: Deirdre Connolly <deirdre@zfnd.org>
2019-10-21 15:56:16 -07:00
let _guard = self.span.enter();
Add iteration functions to `AddressBook`. The disconnected_peers() function allows us to prevent duplicate connections without maintaining shared state between the peerset and the dial-additional-peers task.
2019-10-17 16:25:24 -07:00
Stop doing thousands of time checks each time we connect to a peer (#3106) * Stop checking the entire AddressBook for each connection attempt * Stop redundant peer time checks within the address book * Stop calling `Instant::now` 3 times for each address book update * Only get the time once each time an address book method is called * Update outdated comment * Use an OrderedMap to efficiently store address book peers * Add address book order tests
2021-12-03 10:09:43 -08:00
// Skip live peers, and peers pending a reconnect attempt.
// The peers are already stored in sorted order.
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
self.by_addr
Stop doing thousands of time checks each time we connect to a peer (#3106) * Stop checking the entire AddressBook for each connection attempt * Stop redundant peer time checks within the address book * Stop calling `Instant::now` 3 times for each address book update * Only get the time once each time an address book method is called * Update outdated comment * Use an OrderedMap to efficiently store address book peers * Add address book order tests
2021-12-03 10:09:43 -08:00
.descending_values()
.filter(move |peer| peer.is_ready_for_connection_attempt(instant_now, chrono_now))
network: add AddressBook::potentially_connected_peers().
2020-09-03 10:09:25 -07:00
.cloned()
}
Stop doing thousands of time checks each time we connect to a peer (#3106) * Stop checking the entire AddressBook for each connection attempt * Stop redundant peer time checks within the address book * Stop calling `Instant::now` 3 times for each address book update * Only get the time once each time an address book method is called * Update outdated comment * Use an OrderedMap to efficiently store address book peers * Add address book order tests
2021-12-03 10:09:43 -08:00
/// Return an iterator over all the peers in `state`,
/// in reconnection attempt order, including recently connected peers.
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
pub fn state_peers(&'_ self, state: PeerAddrState) -> impl Iterator<Item = MetaAddr> + '_ {
network: add AddressBook::potentially_connected_peers().
2020-09-03 10:09:25 -07:00
let _guard = self.span.enter();
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
self.by_addr
Stop doing thousands of time checks each time we connect to a peer (#3106) * Stop checking the entire AddressBook for each connection attempt * Stop redundant peer time checks within the address book * Stop calling `Instant::now` 3 times for each address book update * Only get the time once each time an address book method is called * Update outdated comment * Use an OrderedMap to efficiently store address book peers * Add address book order tests
2021-12-03 10:09:43 -08:00
.descending_values()
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
.filter(move |peer| peer.last_connection_state == state)
Rewrite AddressBook to use a BTreeSet. The previous implementation failed when timestamps were duplicated between peers, because there was not a 1-1 relationship between timestamps and peers.
2019-10-17 21:19:23 -07:00
.cloned()
Add iteration functions to `AddressBook`. The disconnected_peers() function allows us to prevent duplicate connections without maintaining shared state between the peerset and the dial-additional-peers task.
2019-10-17 16:25:24 -07:00
}
Implement Extend and Drain for AddressBook.
2019-10-17 17:54:08 -07:00
Stop doing thousands of time checks each time we connect to a peer (#3106) * Stop checking the entire AddressBook for each connection attempt * Stop redundant peer time checks within the address book * Stop calling `Instant::now` 3 times for each address book update * Only get the time once each time an address book method is called * Update outdated comment * Use an OrderedMap to efficiently store address book peers * Add address book order tests
2021-12-03 10:09:43 -08:00
/// Return an iterator over peers that might be connected,
/// in reconnection attempt order.
pub fn maybe_connected_peers(
&'_ self,
instant_now: Instant,
chrono_now: chrono::DateTime<Utc>,
) -> impl Iterator<Item = MetaAddr> + '_ {
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
let _guard = self.span.enter();
self.by_addr
Stop doing thousands of time checks each time we connect to a peer (#3106) * Stop checking the entire AddressBook for each connection attempt * Stop redundant peer time checks within the address book * Stop calling `Instant::now` 3 times for each address book update * Only get the time once each time an address book method is called * Update outdated comment * Use an OrderedMap to efficiently store address book peers * Add address book order tests
2021-12-03 10:09:43 -08:00
.descending_values()
.filter(move |peer| !peer.is_ready_for_connection_attempt(instant_now, chrono_now))
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
.cloned()
Allow draining AddressBook entries oldest-first.
2019-10-18 09:27:28 -07:00
}
Stop doing thousands of time checks each time we connect to a peer (#3106) * Stop checking the entire AddressBook for each connection attempt * Stop redundant peer time checks within the address book * Stop calling `Instant::now` 3 times for each address book update * Only get the time once each time an address book method is called * Update outdated comment * Use an OrderedMap to efficiently store address book peers * Add address book order tests
2021-12-03 10:09:43 -08:00
/// Return an iterator over peers we've seen recently,
/// in reconnection attempt order.
pub fn recently_live_peers(
&'_ self,
now: chrono::DateTime<Utc>,
) -> impl Iterator<Item = MetaAddr> + '_ {
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
let _guard = self.span.enter();
self.by_addr
Stop doing thousands of time checks each time we connect to a peer (#3106) * Stop checking the entire AddressBook for each connection attempt * Stop redundant peer time checks within the address book * Stop calling `Instant::now` 3 times for each address book update * Only get the time once each time an address book method is called * Update outdated comment * Use an OrderedMap to efficiently store address book peers * Add address book order tests
2021-12-03 10:09:43 -08:00
.descending_values()
.filter(move |peer| peer.was_recently_live(now))
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
.cloned()
}
Initial work to add a crawl-and-dial task. This responds to peerset demand by connecting to additional peers. Co-authored-by: Deirdre Connolly <deirdre@zfnd.org>
2019-10-21 15:24:17 -07:00
/// Returns the number of entries in this address book.
pub fn len(&self) -> usize {
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
self.by_addr.len()
}
Refactor AddressBook metrics into their own struct And provide an accessor function for address book metrics.
2021-03-15 04:52:58 -07:00
/// Returns metrics for the addresses in this address book.
Stop doing thousands of time checks each time we connect to a peer (#3106) * Stop checking the entire AddressBook for each connection attempt * Stop redundant peer time checks within the address book * Stop calling `Instant::now` 3 times for each address book update * Only get the time once each time an address book method is called * Update outdated comment * Use an OrderedMap to efficiently store address book peers * Add address book order tests
2021-12-03 10:09:43 -08:00
pub fn address_metrics(&self, now: chrono::DateTime<Utc>) -> AddressMetrics {
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
let responded = self.state_peers(PeerAddrState::Responded).count();
Security: stop gossiping temporary inbound remote addresses to peers - stop putting inbound addresses in the address book - drop address book entries that can't be used for outbound connections - distinguish between temporary inbound and permanent outbound peer addresses - also create variants to handle proxy connections (but don't use them yet) - avoid tracking connection state for isolated connections - document security constraints for the address book and peer set
2021-05-06 17:50:04 -07:00
let never_attempted_gossiped = self
.state_peers(PeerAddrState::NeverAttemptedGossiped)
.count();
let never_attempted_alternate = self
.state_peers(PeerAddrState::NeverAttemptedAlternate)
.count();
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
let failed = self.state_peers(PeerAddrState::Failed).count();
Refactor AddressBook metrics into their own struct And provide an accessor function for address book metrics.
2021-03-15 04:52:58 -07:00
let attempt_pending = self.state_peers(PeerAddrState::AttemptPending).count();
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
Stop doing thousands of time checks each time we connect to a peer (#3106) * Stop checking the entire AddressBook for each connection attempt * Stop redundant peer time checks within the address book * Stop calling `Instant::now` 3 times for each address book update * Only get the time once each time an address book method is called * Update outdated comment * Use an OrderedMap to efficiently store address book peers * Add address book order tests
2021-12-03 10:09:43 -08:00
let recently_live = self.recently_live_peers(now).count();
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
let recently_stopped_responding = responded
.checked_sub(recently_live)
.expect("all recently live peers must have responded");
Refactor AddressBook metrics into their own struct And provide an accessor function for address book metrics.
2021-03-15 04:52:58 -07:00
AddressMetrics {
responded,
Security: stop gossiping temporary inbound remote addresses to peers - stop putting inbound addresses in the address book - drop address book entries that can't be used for outbound connections - distinguish between temporary inbound and permanent outbound peer addresses - also create variants to handle proxy connections (but don't use them yet) - avoid tracking connection state for isolated connections - document security constraints for the address book and peer set
2021-05-06 17:50:04 -07:00
never_attempted_gossiped,
never_attempted_alternate,
Refactor AddressBook metrics into their own struct And provide an accessor function for address book metrics.
2021-03-15 04:52:58 -07:00
failed,
attempt_pending,
recently_live,
recently_stopped_responding,
}
}
/// Update the metrics for this address book.
Stop doing thousands of time checks each time we connect to a peer (#3106) * Stop checking the entire AddressBook for each connection attempt * Stop redundant peer time checks within the address book * Stop calling `Instant::now` 3 times for each address book update * Only get the time once each time an address book method is called * Update outdated comment * Use an OrderedMap to efficiently store address book peers * Add address book order tests
2021-12-03 10:09:43 -08:00
fn update_metrics(&mut self, instant_now: Instant, chrono_now: chrono::DateTime<Utc>) {
Refactor AddressBook metrics into their own struct And provide an accessor function for address book metrics.
2021-03-15 04:52:58 -07:00
let _guard = self.span.enter();
Stop doing thousands of time checks each time we connect to a peer (#3106) * Stop checking the entire AddressBook for each connection attempt * Stop redundant peer time checks within the address book * Stop calling `Instant::now` 3 times for each address book update * Only get the time once each time an address book method is called * Update outdated comment * Use an OrderedMap to efficiently store address book peers * Add address book order tests
2021-12-03 10:09:43 -08:00
let m = self.address_metrics(chrono_now);
Refactor AddressBook metrics into their own struct And provide an accessor function for address book metrics.
2021-03-15 04:52:58 -07:00
// TODO: rename to address_book.[state_name]
metrics::gauge!("candidate_set.responded", m.responded as f64);
Security: stop gossiping temporary inbound remote addresses to peers - stop putting inbound addresses in the address book - drop address book entries that can't be used for outbound connections - distinguish between temporary inbound and permanent outbound peer addresses - also create variants to handle proxy connections (but don't use them yet) - avoid tracking connection state for isolated connections - document security constraints for the address book and peer set
2021-05-06 17:50:04 -07:00
metrics::gauge!("candidate_set.gossiped", m.never_attempted_gossiped as f64);
metrics::gauge!(
"candidate_set.alternate",
m.never_attempted_alternate as f64
);
Refactor AddressBook metrics into their own struct And provide an accessor function for address book metrics.
2021-03-15 04:52:58 -07:00
metrics::gauge!("candidate_set.failed", m.failed as f64);
metrics::gauge!("candidate_set.pending", m.attempt_pending as f64);
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
// TODO: rename to address_book.responded.recently_live
Refactor AddressBook metrics into their own struct And provide an accessor function for address book metrics.
2021-03-15 04:52:58 -07:00
metrics::gauge!("candidate_set.recently_live", m.recently_live as f64);
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
// TODO: rename to address_book.responded.stopped_responding
metrics::gauge!(
"candidate_set.disconnected",
Refactor AddressBook metrics into their own struct And provide an accessor function for address book metrics.
2021-03-15 04:52:58 -07:00
m.recently_stopped_responding as f64
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
);
Log address book metrics when peers aren't responding
2021-03-15 05:31:25 -07:00
std::mem::drop(_guard);
Stop doing thousands of time checks each time we connect to a peer (#3106) * Stop checking the entire AddressBook for each connection attempt * Stop redundant peer time checks within the address book * Stop calling `Instant::now` 3 times for each address book update * Only get the time once each time an address book method is called * Update outdated comment * Use an OrderedMap to efficiently store address book peers * Add address book order tests
2021-12-03 10:09:43 -08:00
self.log_metrics(&m, instant_now);
Log address book metrics when peers aren't responding
2021-03-15 05:31:25 -07:00
}
/// Log metrics for this address book
Stop doing thousands of time checks each time we connect to a peer (#3106) * Stop checking the entire AddressBook for each connection attempt * Stop redundant peer time checks within the address book * Stop calling `Instant::now` 3 times for each address book update * Only get the time once each time an address book method is called * Update outdated comment * Use an OrderedMap to efficiently store address book peers * Add address book order tests
2021-12-03 10:09:43 -08:00
fn log_metrics(&mut self, m: &AddressMetrics, now: Instant) {
Log address book metrics when peers aren't responding
2021-03-15 05:31:25 -07:00
let _guard = self.span.enter();
trace!(
Refactor AddressBook metrics into their own struct And provide an accessor function for address book metrics.
2021-03-15 04:52:58 -07:00
address_metrics = ?m,
Fix candidate set address state handling (#1709) Design: - Add a `PeerAddrState` to each `MetaAddr` - Use a single peer set for all peers, regardless of state - Implement time-based liveness as an `AddressBook` method, rather than a `PeerAddrState` variant - Delete `AddressBook.by_state` Implementation: - Simplify `AddressBook` changes using `update` and `take` modifier methods - Simplify the `AddressBook` iterator implementation, replacing it with methods that are more obviously correct - Consistently collect peer set metrics Documentation: - Expand and update the peer set documentation We can optimise later, but for now we want simple code that is more obviously correct.
2021-02-17 17:18:32 -08:00
);
Log address book metrics when peers aren't responding
2021-03-15 05:31:25 -07:00
if m.responded > 0 {
return;
}
// These logs are designed to be human-readable in a terminal, at the
// default Zebra log level. If you need to know address states for
// every request, use the trace-level logs, or the metrics exporter.
if let Some(last_address_log) = self.last_address_log {
// Avoid duplicate address logs
Stop doing thousands of time checks each time we connect to a peer (#3106) * Stop checking the entire AddressBook for each connection attempt * Stop redundant peer time checks within the address book * Stop calling `Instant::now` 3 times for each address book update * Only get the time once each time an address book method is called * Update outdated comment * Use an OrderedMap to efficiently store address book peers * Add address book order tests
2021-12-03 10:09:43 -08:00
if now.saturating_duration_since(last_address_log).as_secs() < 60 {
Log address book metrics when peers aren't responding
2021-03-15 05:31:25 -07:00
return;
}
} else {
// Suppress initial logs until the peer set has started up.
// There can be multiple address changes before the first peer has
// responded.
Stop doing thousands of time checks each time we connect to a peer (#3106) * Stop checking the entire AddressBook for each connection attempt * Stop redundant peer time checks within the address book * Stop calling `Instant::now` 3 times for each address book update * Only get the time once each time an address book method is called * Update outdated comment * Use an OrderedMap to efficiently store address book peers * Add address book order tests
2021-12-03 10:09:43 -08:00
self.last_address_log = Some(now);
Log address book metrics when peers aren't responding
2021-03-15 05:31:25 -07:00
return;
}
Stop doing thousands of time checks each time we connect to a peer (#3106) * Stop checking the entire AddressBook for each connection attempt * Stop redundant peer time checks within the address book * Stop calling `Instant::now` 3 times for each address book update * Only get the time once each time an address book method is called * Update outdated comment * Use an OrderedMap to efficiently store address book peers * Add address book order tests
2021-12-03 10:09:43 -08:00
self.last_address_log = Some(now);
Log address book metrics when peers aren't responding
2021-03-15 05:31:25 -07:00
// if all peers have failed
Security: stop gossiping temporary inbound remote addresses to peers - stop putting inbound addresses in the address book - drop address book entries that can't be used for outbound connections - distinguish between temporary inbound and permanent outbound peer addresses - also create variants to handle proxy connections (but don't use them yet) - avoid tracking connection state for isolated connections - document security constraints for the address book and peer set
2021-05-06 17:50:04 -07:00
if m.responded
+ m.attempt_pending
+ m.never_attempted_gossiped
+ m.never_attempted_alternate
== 0
{
Log address book metrics when peers aren't responding
2021-03-15 05:31:25 -07:00
warn!(
address_metrics = ?m,
"all peer addresses have failed. Hint: check your network connection"
);
} else {
info!(
address_metrics = ?m,
"no active peer connections: trying gossiped addresses"
);
}
Initial work to add a crawl-and-dial task. This responds to peerset demand by connecting to additional peers. Co-authored-by: Deirdre Connolly <deirdre@zfnd.org>
2019-10-21 15:24:17 -07:00
}
Add iteration functions to `AddressBook`. The disconnected_peers() function allows us to prevent duplicate connections without maintaining shared state between the peerset and the dial-additional-peers task.
2019-10-17 16:25:24 -07:00
}
Security: stop gossiping failure and attempt times as last_seen times (#2273) * Security: stop gossiping failure and attempt times as last_seen times Previously, Zebra had a single time field for peer addresses, which was updated every time a peer was attempted, sent a message, or failed. This is a security issue, because the `last_seen` time should be "the last time [a peer] connected to that node", so that "nodes can use the time field to avoid relaying old 'addr' messages". So Zebra was sending incorrect peer information to other nodes. As part of this change, we split the `last_seen` time into the following fields: - untrusted_last_seen: gossiped from other peers - last_response: time we got a response from a directly connected peer - last_attempt: time we attempted to connect to a peer - last_failure: time a connection with a peer failed * Implement Arbitrary and strategies for MetaAddrChange Also replace the MetaAddr Arbitrary impl with a derive. * Write proptests for MetaAddr and MetaAddrChange MetaAddr: - the only times that get included in serialized MetaAddrs are the untrusted last seen and responded times MetaAddrChange: - the untrusted last seen time is never updated - the services are only updated if there has been a handshake
2021-06-14 20:31:16 -07:00
impl Extend<MetaAddrChange> for AddressBook {
Implement Extend and Drain for AddressBook.
2019-10-17 17:54:08 -07:00
fn extend<T>(&mut self, iter: T)
where
Security: stop gossiping failure and attempt times as last_seen times (#2273) * Security: stop gossiping failure and attempt times as last_seen times Previously, Zebra had a single time field for peer addresses, which was updated every time a peer was attempted, sent a message, or failed. This is a security issue, because the `last_seen` time should be "the last time [a peer] connected to that node", so that "nodes can use the time field to avoid relaying old 'addr' messages". So Zebra was sending incorrect peer information to other nodes. As part of this change, we split the `last_seen` time into the following fields: - untrusted_last_seen: gossiped from other peers - last_response: time we got a response from a directly connected peer - last_attempt: time we attempted to connect to a peer - last_failure: time a connection with a peer failed * Implement Arbitrary and strategies for MetaAddrChange Also replace the MetaAddr Arbitrary impl with a derive. * Write proptests for MetaAddr and MetaAddrChange MetaAddr: - the only times that get included in serialized MetaAddrs are the untrusted last seen and responded times MetaAddrChange: - the untrusted last seen time is never updated - the services are only updated if there has been a handshake
2021-06-14 20:31:16 -07:00
T: IntoIterator<Item = MetaAddrChange>,
Implement Extend and Drain for AddressBook.
2019-10-17 17:54:08 -07:00
{
Security: stop gossiping failure and attempt times as last_seen times (#2273) * Security: stop gossiping failure and attempt times as last_seen times Previously, Zebra had a single time field for peer addresses, which was updated every time a peer was attempted, sent a message, or failed. This is a security issue, because the `last_seen` time should be "the last time [a peer] connected to that node", so that "nodes can use the time field to avoid relaying old 'addr' messages". So Zebra was sending incorrect peer information to other nodes. As part of this change, we split the `last_seen` time into the following fields: - untrusted_last_seen: gossiped from other peers - last_response: time we got a response from a directly connected peer - last_attempt: time we attempted to connect to a peer - last_failure: time a connection with a peer failed * Implement Arbitrary and strategies for MetaAddrChange Also replace the MetaAddr Arbitrary impl with a derive. * Write proptests for MetaAddr and MetaAddrChange MetaAddr: - the only times that get included in serialized MetaAddrs are the untrusted last seen and responded times MetaAddrChange: - the untrusted last seen time is never updated - the services are only updated if there has been a handshake
2021-06-14 20:31:16 -07:00
for change in iter.into_iter() {
self.update(change);
Implement Extend and Drain for AddressBook.
2019-10-17 17:54:08 -07:00
}
}
}