Ignore unknown messages before VERACK #19723
Conversation
|
The following sections might be updated with supplementary metadata relevant to reviewers and maintainers. ConflictsNo conflicts as of last run. |
|
I've withdrawn my BIP proposal relating to this change, but I think it's worth considering making this change anyway. My thought is that if other software on the network deploys changes similar to BIP 339 in the future (where a new message is included between version and verack) that we don't want to support in our project, then it's easier to ignore all such messages than it is to add support for specifically ignoring each such message as it is proposed. If we were to overlook someone's optional p2p protocol change and then bumped our protocol version at a later date in support of some other change, we would risk needlessly disconnecting other peers. Note that if a peer never sends a verack, we still disconnect them after 60 seconds, so I think the only downside from this change is that we'd tolerate 60 seconds worth of garbage from a peer before they disconnect. Given that a peer can waste our bandwidth anyway by sending the verack and spamming us with (eg) bogus transactions, this bandwidth issue seems like an orthogonal concern. If we want to address the bandwidth issue somehow, I think we could do so for both pre-verack and post-verack messages at a later time. |
|
Concept ACK - I am almost up to date with the mailing list discussion. |
|
I think there's a kind of elegance in doing the negotiation at that stage. It allows the peers to commit to certain features before the P2P connection goes into normal use. Current signaling messages can be sent at any point which can causes unnessecary complication because the switch can happen later, at any time. |
jnewbery
left a comment
There was a problem hiding this comment.
Concept ACK. We already tolerate up to 99 unsupported messages prior to a verack, so in almost all cases this is not a behavior change. Explicitly dropping the message and continuing rather than incrementing the misbehaving score seems like an improvement.
c4fb703 to
675e55e
Compare
|
Concept ACK |
|
Pinging reviewers -- the code change here is pretty simple, so if there are concept ACKs on this I hope we can get actual ACKs as well? I think it would make logical sense to deploy this in 0.21 (at the same time we are deploying wtxid-relay), though there is no code-dependency that requires it. |
|
utACK 675e55e I think it makes sense to ignore unknown messages before VERACK. It's the obvious place to negotiate optional features, and if there is no problem having them after VERACK, I don't see why there should be punishment for it before that point. |
|
ACK 675e55e: patch looks correct |
|
ACK 675e55e It would be nice if the tests were updated at the same time:
You may use this diff freely: diff --git a/test/functional/p2p_leak.py b/test/functional/p2p_leak.py
index 4b32d60db0..68e2bd4a8b 100755
--- a/test/functional/p2p_leak.py
+++ b/test/functional/p2p_leak.py
@@ -5,7 +5,7 @@
"""Test message sending before handshake completion.
A node should never send anything other than VERSION/VERACK until it's
-received a VERACK.
+received a VERACK, except for feature negotiation of wtxidrelay.
This test connects to a node and sends it a few messages, trying to entice it
into sending us something it shouldn't."""
@@ -91,6 +91,7 @@ class P2PVersionStore(P2PInterface):
class P2PLeakTest(BitcoinTestFramework):
def set_test_params(self):
self.num_nodes = 1
+ self.extra_args = [['-peertimeout=4']]
def run_test(self):
# Peer that never sends a version. We will send a bunch of messages
@@ -125,6 +126,9 @@ class P2PLeakTest(BitcoinTestFramework):
# Expect this peer to be disconnected for misbehavior
assert not no_version_disconnect_peer.is_connected
+ # Expect peers to be disconnected due to timeout
+ assert not no_version_idle_peer.is_connected
+ assert not no_verack_idle_peer.is_connected
self.nodes[0].disconnect_p2ps()
|
|
Note that the test I suggest passes on master, as the patch in this pull is not a behaviour change for peers that send less than 100 messages prior to finishing the handshake. So I am happy to create a separate pull, but I think the changes here are a nice excuse to shove in the test as well. |
hebasto
left a comment
There was a problem hiding this comment.
Approach ACK 675e55e. I agree that this change will make easier the introducing of new protocol features without version coordination burden, and without risk of network partition.
The only suggestion is to ignore unknown messages, i.e., when receiving a message that must go after verack, the node should keep current (unchanged) behavior.
Can you explain one benefit of keeping the behavior exactly the same for those messages? I can only see downsides. |
If a peer sends known messages in wrong order it obviously is broken or violates protocol intentionally. The downside I see is more complicated code. What others downsides? |
|
Yes, if a peer sends us 99 non-verack messages before the version handshake is complete, it is obviously broken. Though, no version of Bitcoin Core with default settings would disconnect it for that. Nor would this pull request change that. I don't see the point of the additional code complexity to keep a theoretical behaviour that isn't observed in practise and confusing/arbitrary anyway. |
675e55e Ignore unknown messages before VERACK (Suhas Daftuar) Pull request description: This allows for feature negotiation to take place with messages between VERSION and VERACK in the future, without requiring additional software changes to specifically ignore messages for features that are unimplemented by our software. ACKs for top commit: sipa: utACK 675e55e practicalswift: ACK 675e55e: patch looks correct MarcoFalke: ACK 675e55e hebasto: ACK 675e55e, the offender peer will be eventually disconnected due to the timeout. Tree-SHA512: 8d2b1d8b9843f2ee26b2c30f7c5ff0bfcfbe3f46b32cd0369c48ece26624151091237e83ce3f18c6da004099026602cfab1642ac916db777f047d170b365c007
a061a29 test: bring p2p_leak.py up to date. (Martin Zumsande) Pull request description: After the introduction of wtxidrelay and sendaddrv2 messages during version handshake, extend p2p_leak.py test to reflect this. Also, some minor fixes and doc improvements. I also added a test that peers not completing the version handshake will be disconnected for timeout, as suggested by MarcoFalke in bitcoin/bitcoin#19723 (comment). ACKs for top commit: brunoerg: Tested ACK a061a29 theStack: Tested ACK a061a29 Tree-SHA512: 26c601491fa8710fc972d1b8f15da6b387a95b42bbfb629ec4c668769ad3824b6dd6a33d97363bca2171e403d8d1ce08abf3e5c9cab34f98d53e0109b1c7a0e5
a061a29 test: bring p2p_leak.py up to date. (Martin Zumsande) Pull request description: After the introduction of wtxidrelay and sendaddrv2 messages during version handshake, extend p2p_leak.py test to reflect this. Also, some minor fixes and doc improvements. I also added a test that peers not completing the version handshake will be disconnected for timeout, as suggested by MarcoFalke in bitcoin#19723 (comment). ACKs for top commit: brunoerg: Tested ACK a061a29 theStack: Tested ACK a061a29 Tree-SHA512: 26c601491fa8710fc972d1b8f15da6b387a95b42bbfb629ec4c668769ad3824b6dd6a33d97363bca2171e403d8d1ce08abf3e5c9cab34f98d53e0109b1c7a0e5
This allows for feature negotiation to take place with messages between VERSION and VERACK in the future, without requiring additional software changes to specifically ignore messages for features that are unimplemented by our software.