ENR Client Identifier

[jrhea]

Tracking the distribution of client types/versions is difficult; however, this could be made much easier if we simply added a client identifier field to the ENR. The benefits mainly fall under the category of network health monitoring and the downside is that this makes it easier for attackers to target nodes by client/version. I am opening this issue so that we can discuss the pros and cons.

My opinion is that this is identifier is probably only advantageous for an attacker targeting a zero-day vulnerability. If they are targeting a known vulnerability that is fixed in a newer version of the client, then we will also know that there are vulnerable clients on the network and we can campaign to have people update their clients. In other words, i don't think this gives an attacker much (or any) of an edge, but it does give us useful information that we can use to monitor network health.

cc: @ralexstokes, @dankrad, @djrtwo, @protolambda, @mkalinin, @AgeManning, @arnetheduck, @Nashatyrev

Client implementations can always identify themselves by default on the network, but have a private sort of flag for the security aware individuals running their clients.

[AgeManning]

I've also thought about this. I'm leaning to there's more risk than reward here.

Just to add potential cons to the list:

• Attacks can then target peers via client - Maybe not a zero-day, but things like DoS all nodes of one client.
  If there is a vulnerability in one client, an attacker would now to easily find all the peers of the effected version and perform the attack (it would be much harder to find these (especially we disable identify) without id'ing nodes in ENRs).
• It opens the chance of implementers to skew discovery. For example, I might like a particular client because of its rpc response times or larger rate limits (making my client sync faster) and then favour a particular client in discovery (which at large scale may skew/partition networks).

I've also be considering disabling identify in Lighthouse for mainnet. We didn't spec it, and originally it was used to to help for debugging etc. Was thinking it could be nice to have anonymous clients (terrible for debugging tho),

If we want metrics and health, would it be better to get users to optionally subscribe to ethstats? I guess the participation is low and sample sizes could be small to use that.

Do we know how Eth1 monitors this?

[nisdas]

Attacks can then target peers via client - Maybe not a zero-day, but things like DoS all nodes of one client.
If there is a vulnerability in one client, an attacker would now to easily find all the peers of the effected version and perform the attack (it would be much harder to find these (especially we disable identify) without id'ing nodes in ENRs).

How realistic would a threat like something like this be in practice ? Assuming the threat is known before time, we would release the patch and only disclose the actual issue after a certain amount of time so that all live nodes can be updated with the fix. Even if we did remove all identifying client information outdated nodes would still be at risk as an attacker could just randomly ping nodes in the network until they find a vulnerable one.

In all the current live networks(ex: bitcoin, ethereum 1), client data is baked into the node's identity.

https://github.com/bitcoin/bitcoin/blob/fc895d7700f9092d519b43000f412c1283e44d25/src/clientversion.cpp#L15
https://github.com/ethereum/devp2p/blob/master/rlpx.md#hello-0x00

and hasn't had any adverse effect as far as I know.

If we want metrics and health, would it be better to get users to optionally subscribe to ethstats? I guess the participation is low and sample sizes could be small to use that.

This might be too low to get any valuable data from. Also users who do run ethstats are more likely to keep their nodes up to date and may not be an accurate gauge of the network.

If we do go with the anonymity option for all clients, along with removing any identifying client/version information we would
need to come to consensus on the common ports to be used by all clients here. As in the current state it is pretty easy to identify a client based on their default ports.

[jrhea]

It opens the chance of implementers to skew discovery. For example, I might like a particular client because of its rpc response times or larger rate limits (making my client sync faster) and then favour a particular client in discovery (which at large scale may skew/partition networks).

I hear what you are saying, but wouldn't this require a deliberate modification? I doubt it would be worth the effort. if I was that desperate for faster syncing, then I'd look into possibly bootstrapping my database similar to how people do with Bitcoin.

Consider this, with eth1 we essentially have 1 client. if we can't encourage and monitor client diversity, then we are in the same situation as eth1. we will have a single client dominating the network and people won't have to guess what client type it is bc everyone is using the same one. so what's the harm?

[arnetheduck]

I'd generally not want to have this in discovery - it is not essential information for discovery to function correctly and comes at a cost - discovery tables get larger, bandwidth usage increases, there's less space in the ENR record for more valuable information.

When clients talk to each other directly, such as when setting up a p2p connection, this cost doesn't multiply over the network, but with discovery it does: all nodes must now keep track of the field while not deriving any functional benefit.

As is, it's possible to build a libp2p crawler that connects to the client and runs identify - for those clients that want to participate, they can support identify and the burden is correctly placed on them, and on whoever is interested in these statistics.

[jrhea]

As is, it's possible to build a libp2p crawler that connects to the client and runs identify

There are was to make the client identifier small enough in size to make it a trivial matter

I have crawled the network a fair amount and fed the crawls to rumor to connect to and call identify on... this isn't exactly free bandwidth wise and has led to many more unanswered questions.

[mkalinin]

In all the current live networks(ex: bitcoin, ethereum 1), client data is baked into the node's identity.

https://github.com/bitcoin/bitcoin/blob/fc895d7700f9092d519b43000f412c1283e44d25/src/clientversion.cpp#L15
https://github.com/ethereum/devp2p/blob/master/rlpx.md#hello-0x00

and hasn't had any adverse effect as far as I know.

I tend to agree. But these are PoW networks where knocking out particular node doesn't matter that much for network liveness wrt PoS where a node could serve a validator that is about to produce a block. This fact worth considering.

discovery tables get larger, bandwidth usage increases, there's less space in the ENR record for more valuable information.

ENR is not supposed to be updated frequently, thus not supposed to be exchanged frequently as well, we can set the max size for client id field to take a control over table size. But then updating a client version will cause an update of ENR, though it should not happen too often.

As @jrhea said otherwise you will have to crawl DHT and make a trial connection with a peer to read its client id which causes more network traffic than extra piece of data in ENR (If there is an option to get this info anyhow)

I think, first of all, we should decide whether reading remote client id is safe in Eth2. On one hand we can justify on the health of the network, on the other, particular peer can be knocked out if its version contains a vulnerability.

Btw, will client id be valuable if it cut to the client name only with no particular version in it?

[AgeManning]

How realistic would a threat like something like this be in practice ? Assuming the threat is known before time, we would release the patch and only disclose the actual issue after a certain amount of time so that all live nodes can be updated with the fix. Even if we did remove all identifying client information outdated nodes would still be at risk as an attacker could just randomly ping nodes in the network until they find a vulnerable one.

I think it is very realistic. I think your assumption here is that we find bugs before attackers (which isn't necessarily true).

I hear what you are saying, but wouldn't this require a deliberate modification? I doubt it would be worth the effort. if I was that desperate for faster syncing, then I'd look into possibly bootstrapping my database similar to how people do with Bitcoin.

I was thinking more generally. Like parity introduced warp sync and supported different protocols. In these cases a client would want to find more of itself to perform some extra-spec protocol. Maybe a client introduces an extra layer to gossip slashings amongst itself, or faster/extra attestation propagation etc. I think Prysm use relays, so (if I understand correctly) its probably better for a prysm peer to find and connect more Prysm relay peers for connectivity).
EDIT: I realise my point here is moot. If a client wants to do this, they can just add their own field into their ENR to discover themselves. Ignore me on this one :).

As it stands, with enough effort, someone can crawl through the DHT and identify peers (with or without identify). I think this just alleviates some of the hurdle of doing this.

I agree with @mkalinin that we should first decide whether this knowledge is considered safe. And even so, having a difficult barrier to obtain the knowledge isn't really securing it, but I guess its a slight deterrent.