zolfa
/
tendermint
1
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 221 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
9288 Commits
183 Branches
291 MiB
Tree: 7983f9cc36
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '7983f9cc36'
${ noResults }
tendermint/docs/tendermint-core/pex/README.md

177 lines
7.1 KiB
Raw Normal View History

docs: add reactor sections (backport #6510) (#7151)
3 years ago
 
  1. ---
  2. order: 1
  3. parent:
  4.   title: Peer Exchange
  5.   order: 5
  6. ---
  7. 

  8. # Peer Strategy and Exchange

  9. 

  10. Here we outline the design of the PeerStore
  11. and how it used by the Peer Exchange Reactor (PEX) to ensure we are connected
  12. to good peers and to gossip peers to others.
  13. 

  14. ## Peer Types

  15. 

  16. Certain peers are special in that they are specified by the user as `persistent`,
  17. which means we auto-redial them if the connection fails, or if we fail to dial
  18. them.
  19. Some peers can be marked as `private`, which means
  20. we will not put them in the peer store or gossip them to others.
  21. 

  22. All peers except private peers and peers coming from them are tracked using the
  23. peer store.
  24. 

  25. The rest of our peers are only distinguished by being either
  26. inbound (they dialed our public address) or outbound (we dialed them).
  27. 

  28. ## Discovery

  29. 

  30. Peer discovery begins with a list of seeds.
  31. 

  32. When we don't have enough peers, we
  33. 

  34. 1. ask existing peers
  35. 2. dial seeds if we're not dialing anyone currently
  36. 

  37. On startup, we will also immediately dial the given list of `persistent_peers`,
  38. and will attempt to maintain persistent connections with them. If the
  39. connections die, or we fail to dial, we will redial every 5s for a few minutes,
  40. then switch to an exponential backoff schedule, and after about a day of
  41. trying, stop dialing the peer. This behavior is when `persistent_peers_max_dial_period` is configured to zero.
  42. 

  43. But If `persistent_peers_max_dial_period` is set greater than zero, terms between each dial to each persistent peer
  44. will not exceed `persistent_peers_max_dial_period` during exponential backoff.
  45. Therefore, `dial_period` = min(`persistent_peers_max_dial_period`, `exponential_backoff_dial_period`)
  46. and we keep trying again regardless of `maxAttemptsToDial`
  47. 

  48. As long as we have less than `MaxNumOutboundPeers`, we periodically request
  49. additional peers from each of our own and try seeds.
  50. 

  51. ## Listening

  52. 

  53. Peers listen on a configurable ListenAddr that they self-report in their
  54. NodeInfo during handshakes with other peers. Peers accept up to
  55. `MaxNumInboundPeers` incoming peers.
  56. 

  57. ## Address Book

  58. 

  59. Peers are tracked via their ID (their PubKey.Address()).
  60. Peers are added to the peer store from the PEX when they first connect to us or
  61. when we hear about them from other peers.
  62. 

  63. The peer store is arranged in sets of buckets, and distinguishes between
  64. vetted (old) and unvetted (new) peers. It keeps different sets of buckets for
  65. vetted and unvetted peers. Buckets provide randomization over peer selection.
  66. Peers are put in buckets according to their IP groups.
  67. 

  68. IP group can be a masked IP (e.g. `1.2.0.0` or `2602:100::`) or `local` for
  69. local addresses or `unroutable` for unroutable addresses. The mask which
  70. corresponds to the `/16` subnet is used for IPv4, `/32` subnet - for IPv6.
  71. Each group has a limited number of buckets to prevent DoS attacks coming from
  72. that group (e.g. an attacker buying a `/16` block of IPs and launching a DoS
  73. attack).
  74. 

  75. [highwayhash](https://arxiv.org/abs/1612.06257) is used as a hashing function
  76. when calculating a bucket.
  77. 

  78. When placing a peer into a new bucket:
  79. 

  80. ```md
  81. hash(key + sourcegroup + int64(hash(key + group + sourcegroup)) % bucket_per_group) % num_new_buckets
  82. ```
  83. 

  84. When placing a peer into an old bucket:
  85. 

  86. ```md
  87. hash(key + group + int64(hash(key + addr)) % buckets_per_group) % num_old_buckets
  88. ```
  89. 

  90. where `key` - random 24 HEX string, `group` - IP group of the peer (e.g. `1.2.0.0`),
  91. `sourcegroup` - IP group of the sender (peer who sent us this address) (e.g. `174.11.0.0`),
  92. `addr` - string representation of the peer's address (e.g. `174.11.10.2:26656`).
  93. 

  94. A vetted peer can only be in one bucket. An unvetted peer can be in multiple buckets, and
  95. each instance of the peer can have a different IP:PORT.
  96. 

  97. If we're trying to add a new peer but there's no space in its bucket, we'll
  98. remove the worst peer from that bucket to make room.
  99. 

  100. ## Vetting

  101. 

  102. When a peer is first added, it is unvetted.
  103. Marking a peer as vetted is outside the scope of the `p2p` package.
  104. For Tendermint, a Peer becomes vetted once it has contributed sufficiently
  105. at the consensus layer; ie. once it has sent us valid and not-yet-known
  106. votes and/or block parts for `NumBlocksForVetted` blocks.
  107. Other users of the p2p package can determine their own conditions for when a peer is marked vetted.
  108. 

  109. If a peer becomes vetted but there are already too many vetted peers,
  110. a randomly selected one of the vetted peers becomes unvetted.
  111. 

  112. If a peer becomes unvetted (either a new peer, or one that was previously vetted),
  113. a randomly selected one of the unvetted peers is removed from the peer store.
  114. 

  115. More fine-grained tracking of peer behaviour can be done using
  116. a trust metric (see below), but it's best to start with something simple.
  117. 

  118. ## Select Peers to Dial

  119. 

  120. When we need more peers, we pick addresses randomly from the addrbook with some
  121. configurable bias for unvetted peers. The bias should be lower when we have
  122. fewer peers and can increase as we obtain more, ensuring that our first peers
  123. are more trustworthy, but always giving us the chance to discover new good
  124. peers.
  125. 

  126. We track the last time we dialed a peer and the number of unsuccessful attempts
  127. we've made. If too many attempts are made, we mark the peer as bad.
  128. 

  129. Connection attempts are made with exponential backoff (plus jitter). Because
  130. the selection process happens every `ensurePeersPeriod`, we might not end up
  131. dialing a peer for much longer than the backoff duration.
  132. 

  133. If we fail to connect to the peer after 16 tries (with exponential backoff), we
  134. remove from peer store completely. But for persistent peers, we indefinitely try to
  135. dial all persistent peers unless `persistent_peers_max_dial_period` is configured to zero
  136. 

  137. ## Select Peers to Exchange

  138. 

  139. When we’re asked for peers, we select them as follows:
  140. 

  141. - select at most `maxGetSelection` peers
  142. - try to select at least `minGetSelection` peers - if we have less than that, select them all.
  143. - select a random, unbiased `getSelectionPercent` of the peers
  144. 

  145. Send the selected peers. Note we select peers for sending without bias for vetted/unvetted.
  146. 

  147. ## Preventing Spam

  148. 

  149. There are various cases where we decide a peer has misbehaved and we disconnect from them.
  150. When this happens, the peer is removed from the peer store and black listed for
  151. some amount of time. We call this "Disconnect and Mark".
  152. Note that the bad behaviour may be detected outside the PEX reactor itself
  153. (for instance, in the mconnection, or another reactor), but it must be communicated to the PEX reactor
  154. so it can remove and mark the peer.
  155. 

  156. In the PEX, if a peer sends us an unsolicited list of peers,
  157. or if the peer sends a request too soon after another one,
  158. we Disconnect and MarkBad.
  159. 

  160. ## Trust Metric

  161. 

  162. The quality of peers can be tracked in more fine-grained detail using a
  163. Proportional-Integral-Derivative (PID) controller that incorporates
  164. current, past, and rate-of-change data to inform peer quality.
  165. 

  166. While a PID trust metric has been implemented, it remains for future work
  167. to use it in the PEX.
  168. 

  169. See the [trustmetric](https://github.com/tendermint/tendermint/blob/master/docs/architecture/adr-006-trust-metric.md)
  170. and [trustmetric useage](https://github.com/tendermint/tendermint/blob/master/docs/architecture/adr-007-trust-metric-usage.md)
  171. architecture docs for more details.
  172. 

  173. 

  174. 

  175. 

  176. 

  177. <!-- todo: diagrams!!! -->