blockchain: pool.maxPeerHeight is not updated when a peer is removed

[ebuchman]

In the Blockchain Reactor, peers self report their height and we track the highest one, but we can't validate it until we try to receive that block from that peer. Meanwhile, when we disconnect a peer, we don't update the max height. This means a rogue peer could tell us a ridiculously high height, then disconnect, and we will forever be stuck trying to sync to that height, and never switch to consensus.

We need to either update the pool.maxPeerHeight to the next highest reported height when we disconnect from the peer that reported the max height, or we need a different strategy for deciding to switch to consensus.

Note we should also check what happens when a rogue peer reports a high height, and then we try to get blocks that don't exist yet from good peers. Is there an attack here that could cause us to disconnect good peers?

Thanks @milosevic for catching this in #2621 (comment)

[james-ray]

I'm sorry but I think we already handle this?

func (pool *BlockPool) IsCaughtUp() bool {
pool.mtx.Lock()
defer pool.mtx.Unlock()

// Need at least 1 peer to be considered caught up.
if len(pool.peers) == 0 {
	pool.Logger.Debug("Blockpool has no peers")
	return false
}

// some conditions to determine if we're caught up
receivedBlockOrTimedOut := (pool.height > 0 || time.Since(pool.startTime) > 5*time.Second)
ourChainIsLongestAmongPeers := pool.maxPeerHeight == 0 || pool.height >= pool.maxPeerHeight
isCaughtUp := receivedBlockOrTimedOut && ourChainIsLongestAmongPeers
return isCaughtUp

}

this code time.Since(pool.startTime) > 5*time.Second has already thought about that?
We will not

forever be stuck trying to sync to that height, and never switch to consensus.

?

[melekes]

this code time.Since(pool.startTime) > 5*time.Second has already thought about that?

It would have if it was receivedBlockOrTimedOut || ourChainIsLongestAmongPeers. Right now it will keep trying to sync up to maxPeerHeight.

[melekes]

We need to either update the pool.maxPeerHeight to the next highest reported height when we disconnect from the peer that reported the max height

Does this solve the problem though? Can't peer pretend to be normal? In the meantime we will be disconnecting from the good nodes because they can't send us blocks with height = {real height} + 1.

What if we stop syncing when receivedBlockOrTimedOut && ourChainIsLongestAmongPeers && {none of the peers can send / send invalid blocks (we must check blocks) with height = lastSuccessHeight + 1}?

[ebuchman]

Can't peer pretend to be normal?

Right ... this is what I meant with:

Note we should also check what happens when a rogue peer reports a high height, and then we try to get blocks that don't exist yet from good peers. Is there an attack here that could cause us to disconnect good peers?

I think the solution, as suggested by @ValarDragon, might be to actually track the highest height reported for each peer, and only request blocks from that peer up to the highest height they've reported.

[milosevic]

I don't understand how tracking highest height per peer (which is great idea) helps us to decide when to stop fast sync mode. I like what @melekes suggested, i.e., to basically stop fast sync mode if no successful block validation has happened within some configurable time frame. This is probably the closest to estimating that no correct peer has additional blocks to send us.

[ValarDragon]

I don't understand how tracking highest height per peer (which is great idea) helps us to decide when to stop fast sync mode.

The idea is that you'd only ask for blocks from that peer up to the height they've stated. From that peer you'd accept fast-sync data, but from everyone else you'd expect full blocks. This may be complicated to implement, as you'd have to remain fast syncing between one set of peers, and being a normal node with other peers. (But since only the same block is getting committed, it may not be too bad)

The configurable time frame approach AFAIU only really works when block time is significantly higher than reasonable network delay. Otherwise I can give a really high height, and then give the normal blocks as they come in. This can perhaps be solved by requiring some batch of blocks per message (perhaps 10). Its not clear to me if thats feasible, mostly since I'm unclear what our fast sync is. (Is it just headers, full blocks, or a set of IAVL leaf transitions?)

[ebuchman]

This may be complicated to implement, as you'd have to remain fast syncing between one set of peers, and being a normal node with other peers.

Fast-sync is all or none - either we're behind our peers, or we're caught up and can participate in consensus.

I'm unclear what our fast sync is.

We send full blocks.

[ValarDragon]

Hrmm. The configurable time frame approach may require performance tuning then and/or may not work under what I understand as our current network assumptions. Our network architecture model has blocks gossiped in parts, which kind of implies that we don't assume a peer can tell you a full block that fast, but that instead you'd be receiving multiple block parts from different peers simultaneously during consensus. In the ideal case this would be sped up linearly by the number of block parts there were. (Lets say there are n block parts) The ideal case is absolutely not met in practice, but to illustrate the concern lets assume it is.

Thus if it takes time t to receive a block over the normal gossip network, you could anticipate it taking time t * n for this peer to gossip the block to you for fast syncing since they must send you all the parts. Thus if you said "send me 10 blocks within one block time for fast syncing", it is quite possible that its not possible for this "average case" honest peer to send these blocks to you. This is because you're expecting 10 blocks worth of data in time t, but you'd actually expect it to take time 10 * t * n. For this timeout approach to work, we must require that a peer send multiple blocks per normal single block time though, while simultaneously not violating that above speedup relation due to p2p gossiping. This is to ensure that they didn't just say a block time far in the future and keep relaying things from normal consensus, and that normal honest nodes can also meet the time req't. We'd have to fiddle with the constants here (10, t and n), but I'm not fully convinced that we can create a robust solution there, and it may be that every peer has to configure this manually.

Another alternative is we could explicitly state that we expect fast syncing nodes to support larger bandwidth per peer, to avoid the expected t * n time delay. This is a change of network assumption, but probably a reasonable one. If we go with this approach, then a solution may be to just stop syncing at the point where none of the peers can keep up with the higher rate you've set (i.e. 10 blocks in time t).

An approach I kinda like better is that we can have fast sync first pre-fetch the headers. This sidesteps the problem I was citing with the block part assumption, and lets you be convinced that those blocks already exist. Since headers are small this evidence can come much more quickly than blocks get produced on chain. Then since you already have the block headers, you can ask different peers for different block parts, to reduce redundant p2p load!

[ebuchman]

I don't quite follow the analysis - we don't use block parts for the fast sync; block parts are only used for gossipping blocks in consensus. In fast sync, peers send whole blocks at once. But see #2456

We could pre-fetch headers, but I don't see it having much value, since headers can be forged. Probably the correct thing to do would be a full lite-client proof for the peer's highest height.

Actually, if the lite-client works, this shouldn't be too hard to do at all.

Until then, using a "time since last block" might be hard to tune, but maybe we can use the rate of receipt of blocks, and if that has gone down significantly since the max (eg. 10x) then we can switch to consensus. Ideally fast sync is ~100x (or more) the speed of normal consensus.

[ValarDragon]

We could pre-fetch headers, but I don't see it having much value, since headers can be forged. Probably the correct thing to do would be a full lite-client proof for the peer's highest height.

A full lite client proof for the peers current height seems like a great idea! (With associated header chain to the header you trust within the unbonding period)

block parts are only used for gossipping blocks in consensus.
Ideally fast sync is ~100x (or more) the speed of normal consensus.

The point I was moreso making is that in consensus, we make assumptions about gossip speed based off these block parts. It then doesn't immediately follow that if you normally send 1 or 2 block parts per block time, that you can send a full block during that same time period for the fast syncer. If there is a belief that the block parts increases over-all speed, then this must be a property that holds to some factor.

I didn't account for when I posted the above but theres also a lot of "dead time", i.e. theres 2 rounds for consensus in addition to the block gossiping, so thats an additional amount of time per block time not spent gossiping a block. (And thereby makes the fast syncing block gossip rate potentially higher than consensus speed gossip rate)

I think the more optimal method would be getting headers first, and then requesting different block parts from different peers, to again reduce redundant data transmission. (You also only sync up to the latest header you've received)

[ebuchman]

Note we should also check what happens when a rogue peer reports a high height, and then we try to get blocks that don't exist yet from good peers. Is there an attack here that could cause us to disconnect good peers?

We already track the self-reported highest height for each peer, and only request blocks from a peer if it's below their self reported height. So if a rogue peer reports a non-existent high height, we won't ask peers for it unless they claim to be above it, so this won't make us disconnect from good peers.

basically stop fast sync mode if no successful block validation has happened within some configurable time frame. This is probably the closest to estimating that no correct peer has additional blocks to send us.

My concern here is the time frame needs to be shorter than the time to make consensus blocks. Since making blocks is fast, it could occasionally take longer to get a block in fast-sync than to make them in consensus, so I'm afraid there could be lots of false positive switching to consensus.

I think we can continue with the current mechanism, but we have to update the maxHeight when a peer is removed (eg. by looping through all peers and finding the new max height, or keeping the heights in a heap).

---

Given that this issue won't make us disconnect from good peers, and the attack is at most a nuisance where we will have to manually restart tendermint with fast_sync=false when we're caught up so we can switch to consensus, I think we can remove it from the launch milestone.

We should still address the issue, and write tests, though test writing needs some work (#2897)