[Merged by Bors] - Separate BN for block proposals #4182

AgeManning · 2023-04-13T01:29:30Z

It is a well-known fact that IP addresses for beacon nodes used by specific validators can be de-anonymized. There is an assumed risk that a malicious user may attempt to DOS validators when producing blocks to prevent chain growth/liveness.

Although there are a number of ideas put forward to address this, there a few simple approaches we can take to mitigate this risk.

Currently, a Lighthouse user is able to set a number of beacon-nodes that their validator client can connect to. If one beacon node is taken offline, it can fallback to another. Different beacon nodes can use VPNs or rotate IPs in order to mask their IPs.

This PR provides an additional setup option which further mitigates attacks of this kind.

This PR introduces a CLI flag --proposer-only to the beacon node. Setting this flag will configure the beacon node to run with minimal peers and crucially will not subscribe to subnets or sync committees. Therefore nodes of this kind should not be identified as nodes connected to validators of any kind.

It also introduces a CLI flag --proposer-nodes to the validator client. Users can then provide a number of beacon nodes (which may or may not run the --proposer-only flag) that the Validator client will use for block production and propagation only. If these nodes fail, the validator client will fallback to the default list of beacon nodes.

Users are then able to set up a number of beacon nodes dedicated to block proposals (which are unlikely to be identified as validator nodes) and point their validator clients to produce blocks on these nodes and attest on other beacon nodes. An attack attempting to prevent liveness on the eth2 network would then need to preemptively find and attack the proposer nodes which is significantly more difficult than the default setup.

This is a follow on from: #3328

Fix closure lifetimes by cloning HTTP client

Fix closure lifetimes by using functions

Remove duplication in block service for `bn-proposer`

paulhauner

I've done a final review and I'm happy to merge after we address these two things!

beacon_node/network/src/subnet_service/attestation_subnets.rs

validator_client/src/lib.rs

paulhauner

Yay, a thing that is now done! 🎉

bors r+

It is a well-known fact that IP addresses for beacon nodes used by specific validators can be de-anonymized. There is an assumed risk that a malicious user may attempt to DOS validators when producing blocks to prevent chain growth/liveness. Although there are a number of ideas put forward to address this, there a few simple approaches we can take to mitigate this risk. Currently, a Lighthouse user is able to set a number of beacon-nodes that their validator client can connect to. If one beacon node is taken offline, it can fallback to another. Different beacon nodes can use VPNs or rotate IPs in order to mask their IPs. This PR provides an additional setup option which further mitigates attacks of this kind. This PR introduces a CLI flag --proposer-only to the beacon node. Setting this flag will configure the beacon node to run with minimal peers and crucially will not subscribe to subnets or sync committees. Therefore nodes of this kind should not be identified as nodes connected to validators of any kind. It also introduces a CLI flag --proposer-nodes to the validator client. Users can then provide a number of beacon nodes (which may or may not run the --proposer-only flag) that the Validator client will use for block production and propagation only. If these nodes fail, the validator client will fallback to the default list of beacon nodes. Users are then able to set up a number of beacon nodes dedicated to block proposals (which are unlikely to be identified as validator nodes) and point their validator clients to produce blocks on these nodes and attest on other beacon nodes. An attack attempting to prevent liveness on the eth2 network would then need to preemptively find and attack the proposer nodes which is significantly more difficult than the default setup. This is a follow on from: #3328 Co-authored-by: Michael Sproul <michael@sigmaprime.io> Co-authored-by: Paul Hauner <paul@paulhauner.com>

paulhauner · 2023-04-26T01:11:59Z

bors r-

(batching)

bors · 2023-04-26T01:12:01Z

Canceled.

paulhauner · 2023-04-26T01:12:17Z

bors r+

It is a well-known fact that IP addresses for beacon nodes used by specific validators can be de-anonymized. There is an assumed risk that a malicious user may attempt to DOS validators when producing blocks to prevent chain growth/liveness. Although there are a number of ideas put forward to address this, there a few simple approaches we can take to mitigate this risk. Currently, a Lighthouse user is able to set a number of beacon-nodes that their validator client can connect to. If one beacon node is taken offline, it can fallback to another. Different beacon nodes can use VPNs or rotate IPs in order to mask their IPs. This PR provides an additional setup option which further mitigates attacks of this kind. This PR introduces a CLI flag --proposer-only to the beacon node. Setting this flag will configure the beacon node to run with minimal peers and crucially will not subscribe to subnets or sync committees. Therefore nodes of this kind should not be identified as nodes connected to validators of any kind. It also introduces a CLI flag --proposer-nodes to the validator client. Users can then provide a number of beacon nodes (which may or may not run the --proposer-only flag) that the Validator client will use for block production and propagation only. If these nodes fail, the validator client will fallback to the default list of beacon nodes. Users are then able to set up a number of beacon nodes dedicated to block proposals (which are unlikely to be identified as validator nodes) and point their validator clients to produce blocks on these nodes and attest on other beacon nodes. An attack attempting to prevent liveness on the eth2 network would then need to preemptively find and attack the proposer nodes which is significantly more difficult than the default setup. This is a follow on from: #3328 Co-authored-by: Michael Sproul <michael@sigmaprime.io> Co-authored-by: Paul Hauner <paul@paulhauner.com>

bors · 2023-04-26T03:30:17Z

Pull request successfully merged into unstable.

Build succeeded:

It is a well-known fact that IP addresses for beacon nodes used by specific validators can be de-anonymized. There is an assumed risk that a malicious user may attempt to DOS validators when producing blocks to prevent chain growth/liveness. Although there are a number of ideas put forward to address this, there a few simple approaches we can take to mitigate this risk. Currently, a Lighthouse user is able to set a number of beacon-nodes that their validator client can connect to. If one beacon node is taken offline, it can fallback to another. Different beacon nodes can use VPNs or rotate IPs in order to mask their IPs. This PR provides an additional setup option which further mitigates attacks of this kind. This PR introduces a CLI flag --proposer-only to the beacon node. Setting this flag will configure the beacon node to run with minimal peers and crucially will not subscribe to subnets or sync committees. Therefore nodes of this kind should not be identified as nodes connected to validators of any kind. It also introduces a CLI flag --proposer-nodes to the validator client. Users can then provide a number of beacon nodes (which may or may not run the --proposer-only flag) that the Validator client will use for block production and propagation only. If these nodes fail, the validator client will fallback to the default list of beacon nodes. Users are then able to set up a number of beacon nodes dedicated to block proposals (which are unlikely to be identified as validator nodes) and point their validator clients to produce blocks on these nodes and attest on other beacon nodes. An attack attempting to prevent liveness on the eth2 network would then need to preemptively find and attack the proposer nodes which is significantly more difficult than the default setup. This is a follow on from: sigp#3328 Co-authored-by: Michael Sproul <michael@sigmaprime.io> Co-authored-by: Paul Hauner <paul@paulhauner.com>

AgeManning and others added 19 commits July 13, 2022 16:20

Initial draft, not finished VC yet

ea755b6

Mostly complete, still to handle closure lifetimes

a1cbf7c

Fix closure lifetimes by cloning HTTP client

88f22c3

Remove closures and clones

58de945

Merge pull request #2 from michaelsproul/bn-proposer

fbf533b

Fix closure lifetimes by cloning HTTP client

Merge pull request #3 from michaelsproul/bn-proposer-alt

55b3cfb

Fix closure lifetimes by using functions

fmt

a6bfd2d

Fix typo

8fb5473

Re-order target-peer cli config

f6d4345

Draft up a book topic

b339191

Remove CLI default for target-peers to allow override

c56496d

Produce block from default nodes before proposer-only

4277059

Temp simulator update

e76365e

Merge latest unstable

0aac29a

Merge branch 'unstable' into bn-proposer

5929b97

Refactor block service

23aa8e7

Add comments

74efa73

Merge pull request #4 from paulhauner/bn-proposer-paul

b78347c

Remove duplication in block service for `bn-proposer`

Production to publishing

c65eb9f

AgeManning added waiting-on-author The reviewer has suggested changes and awaits thier implementation. v4.1.0 Post-Capella minor release labels Apr 13, 2023

AgeManning changed the base branch from stable to unstable April 13, 2023 01:30

Merge latest unstable

eaf0e9a

paulhauner added v4.2.0 Q2 2023 and removed v4.1.0 Post-Capella minor release labels Apr 13, 2023

paulhauner requested changes Apr 20, 2023

View reviewed changes

beacon_node/network/src/subnet_service/attestation_subnets.rs Show resolved Hide resolved

validator_client/src/lib.rs Outdated Show resolved Hide resolved

Update validator_client/src/lib.rs

f1c7c40

paulhauner approved these changes Apr 26, 2023

View reviewed changes

paulhauner added ready-for-merge This PR is ready to merge. and removed waiting-on-author The reviewer has suggested changes and awaits thier implementation. labels Apr 26, 2023

bors bot changed the title ~~Separate BN for block proposals~~ [Merged by Bors] - Separate BN for block proposals Apr 26, 2023

bors bot closed this Apr 26, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Merged by Bors] - Separate BN for block proposals #4182

[Merged by Bors] - Separate BN for block proposals #4182

AgeManning commented Apr 13, 2023

paulhauner left a comment

paulhauner left a comment

paulhauner commented Apr 26, 2023

bors bot commented Apr 26, 2023

paulhauner commented Apr 26, 2023

bors bot commented Apr 26, 2023

[Merged by Bors] - Separate BN for block proposals #4182

[Merged by Bors] - Separate BN for block proposals #4182

Conversation

AgeManning commented Apr 13, 2023

paulhauner left a comment

Choose a reason for hiding this comment

paulhauner left a comment

Choose a reason for hiding this comment

paulhauner commented Apr 26, 2023

bors bot commented Apr 26, 2023

paulhauner commented Apr 26, 2023

bors bot commented Apr 26, 2023