Security: rate-limit outbound messages, Credit: Equilibrium

[teor2345]

TODO before starting

Find good rate-limits, and work out if the rates should be fixed or dynamic.

Motivation

Zebra's message handling code is complex, so it might be possible for it to get stuck in a request-response loop. To limit the impact of these loops, we should rate-limit Zebra's outbound messages to each peer.

A similar issue was reported by Niklas Long of Equilibrium.

Analysis

There are some tricky engineering tradeoffs here:

• if the limit is too low, then Zebra is very slow to sync
• if the limit is too high, we're not protected from denial of service
• the best limit can be different for different message types, depending on how large or important they are

So we need to find good rate-limits, and work out if the rates should be fixed or dynamic.

Suggested Solution

• Analyse the maximum message rate per peer that Zebra reaches in optimal syncing conditions (Testnet, local network)
• Calculate a reasonable per-peer rate limit that won't slow down syncing too much
• Add a rate limit layer to each Client's outbound message queue

Alternatives

We could restrict rate-limiting to identical messages. We'd need to store message contents, hashes, or types.

We could also rate limit inbound messages - they're currently limited via load-shedding.

We could make rate limits dynamic.

We could use different rate-limits for different message types, or for requests and responses.

[teor2345]

Before we start this ticket, we need to find good rate-limits, and work out if the rates should be fixed or dynamic.

[teor2345]

Network behaviour is good enough for now.