p2p-circuit v2

[vyzo]

v2 of the protocol and Limited Relays.

Depends on:

• add support for transient connections go-libp2p-core#175
• Treat transient connections as opt-in when opening new streams go-libp2p-swarm#236
• Expose underlying transport connection stat where available go-libp2p-transport-upgrader#71

TBD:

• spec (duh!)
• reservation vouchers
• godocs
• unit tests
• Update and propagate released versions of deps.
• test in the wild

---

An Overview of the p2p-circuit/v2 Protocol

The relay protocol has been split into two protcols: the Hop protocol and the Stop protocol.

• the Hop protocol governs communication with the relay for reservations and circuit connection initiation.
• the Stop protocol governs termination of circuit connections.

Establishing a relayed connection

Let's suppose that a peer A wants to connect to peer B through relay peer R.

Reservations

Peer B must first establish a reservation by connecting (and maintaining a connection) to R.

This is done using the Hop protocol and sending a Reserve message. The relay responds with OK if the reservation is accepted and has a specific TTL, after which the reservation will dissipate.

Peer B is responsible for refreshing its reservation when it reaches the end of the TTL.
In the relay logic, reservations are governed by strict resource limits and ACLs.

Connection Establishment

Peer A connects to Relay R, opens a Hop protocol stream and sends a CONNECT message.

Relay R must have a reservation and connection to peer B. Active relay has been deprecated in the code, but the protocol allows for implementation without any change in the wire protocol.

Once R receives the CONNECT message, it opens a Stop protocol stream to B and sends a CONNECT message.
Peer B responds with OK; the relay R responds with OK to peer A and bridges the two streams in order to establish the relayed connection.

Connection Limits

Relays are allowed (and encouraged! the relay implementation sets strict limits by default) to limit the relayed connection, by time and bytes relayed in each direction.
The limits are conveyed to both sides of a relayed connection; relayed connections are marked as transient by the transport.

Implementation Details

Implementation lives under v2.

The Stop protocol implementation lives in v2/client and provides a Transport suitable for attachment to a host. The implementation mounts the v1 protocol and provides backwards compatibility in dialing v1 peers and accepting relayed connections from v1 peers through v1 relays.

The Hop protocol implementation lives in v2/relay and provides a Relay object that can be instantiated on deman. When instantiated, the Relay registers a stream handler from the v2 hop protocol.

The two are completely independent. The client package implements the transport and is the point of integration with go-libp2p. The relay package is the actual relay and can be used in dedicated relays and (as planned for Project Flare) public DHT servers. The default resource limits are very much constrained which makes it safe for public nodes.

[vyzo]

Summoning @Stebalien @raulk @yusefnapora @aarshkshah1992 -- this is ready for (initial) review!

[vyzo]

Added tests and godocs.

[aarshkshah1992]

@vyzo

Did a first pass on the Relay code. Will move to the client now.

Awesome stuff man !

[aarshkshah1992]

Need to write unit tests for this file.

[vyzo]

meh.... if I have nothing better to do.

[aarshkshah1992]

@vyzo Finished first pass of client too.

Will give all this one more in-depth look tomorrow. But looking amazing so far.

[aarshkshah1992]

This should happen in AutoRelay, right ?

[vyzo]

that's a different topic -- it is for explicit relay address listening, when/if we ever support it.

[aarshkshah1992]

Please can we add a unit test for this one function ?

[vyzo]

ugh.... maybe, I am not inclined to do it right now.

[aarshkshah1992]

Some more changes.

Need to do one last round of an intense review including all tests and I'll be done.

[aarshkshah1992]

Finished last round of review.

Will take a look at the tests tomorrow but looks great otherwise.

[aarshkshah1992]

We should definitely add reference counting for all go-routines we are spawning here and ensure they all finish before we return from Close to ensure proper cleanup for the caller.

[vyzo]

that's just not worth it and also the goroutines may never finish because it's an unlimited relay.
So, no.

[aarshkshah1992]

I am not sure this is the right approach to take. We can easily stop relaying on unlimited relays by closing connections to all peers we have opened circuits for.

When Close returns, the caller expects that the subsystem has cleaned-up after it itself. Not doing so can leak go-routines if the caller dosen't know this implementation detail.

cc @Stebalien Isn't this in-line with what Close does for other sub-systems in libp2p.

[vyzo]

If you insist on closing the connections it is much easier to tag the Hop/Stop streams and go and reset them; there is no tracking needed and it is much easier to implement (and doesn't suffer from the problem of unlimited relay conns which will never exit).

Waiting for the goroutines is irrelevant.

[vyzo]

Actually, we don't even have to tag streams, which could be a little problematic with the current APIs; we can just look for incoming Hop streams and outgoing Stop streams and reset them.

[aarshkshah1992]

we probably don't need to export any of these

[vyzo]

Yeah, the only reason I exported them is so that the test could could live together with the other tests in the test directory.
It felt odd to have just one test in here.

[mxinden]

How about splitting Status into a HopMessage specific Status and a StopMessage specific Status like done with Type? The split would enforce protocol semantics at the datastructure level. E.g. it encodes the semantic that one could not receive a RESERVATION_REFUSED when sending a StopMessage.

[vyzo]

We could I guess, but there would be a lot of duplication; I don't feel strong about it nonetheless.

[Stebalien]

Relay R must have a reservation and connection to peer B. Active relay has been deprecated in the code, but the protocol allows for implementation without any change in the wire protocol.

Can we include a flag in the reservation response that specifies whether or not the relay supports active relays? That way the peer can disconnect if it sees that active relay is supported.

We can also just punt this and do it later as it should be backwards compatible.

[Stebalien]

1. Attacker connects.
2. Attacker reserves.
3. Attacker uses entire budget.
4. Attacker disconnects.
5. Attacker re-rolls their peer ID and starts at 1.

I think we need:

1. A bit of local history (i.e., a per-peer/ip range cooldown period).
2. A global rate-limit.
3. Ideally, some form of "uses less than X bits/s" that can prevent large spikes.

[Stebalien]

👍 (but I can still just repeatedly reconnect)

[Stebalien]

It would be nice if we had some form of rate-limit as well instead of just an absolute limit.

[vyzo]

agreed, although not exactly clear how to do that.

[Stebalien]

Discussed offline. The current limit is 128KiB (or something like that). That should be low enough as it is.

[Stebalien]

We should reset both streams if there's an error here, not close them.

[vyzo]

limit reached is not an error, but yes, we should check if there is one.

[Stebalien]

It's not an error, but we should still reset. If we send a close, it'll look like a clean close. We should only send an EOF if we receive an EOF.

[mxinden]

How about requiring at least one address? As far as I can tell a reservation without a single address of the relay node is useless as one could not announce its relayed address to anyone else, correct?

[marten-seemann]

Changed the merge target from master to circuit-v2. Further development will happen in this feature branch.