Comments (4)
Peers are authenticated when they perform the TLS-like handshake between each other. That isn't audited yet but it will be.
PS: This question would fit the ipfs/faq repo best
@diasdavid so in discovery you get a mapping of publicKey to peerinfo objects, correct? The attack I'm worried about is a malicious actor trying to poison the peer table. So it would start broadcasting known/trusted publicKeys but with bad endpoints, possibly with endpoints it controlled. If the bad actor was an authoritarian regime it could use this to locate the IP of all the nodes that trusted a given set of publicKeys.
The way to prevent this is not to broadcast publicKeys but to broadcast signature(peerObject): peerObject. And each node would derive the publicKey from the signature with the guarantee that only that id could have produced it.
@wanderer the solution you describe is what happens in the TLS/secio handshake: a challenge is created, a nonce has to be signed, and only the node able to sign(nonce, privKey) such that verify(signedNonce, pubKey) validates is the owner of the key pair that leads to peer-Id QmABCDEFHASH. Note that the Id of a peer is always a multihash of its public key.
TLS/secio handshake
Right @diasdavid, I'm not concerned about the actual connection here. I'm concerned about poisoning the peer table. An attacker may only want to locate peers, not connect to them, so a failed handshake would be fine from the attacker's point of view.
But you can have verification in the peer table. All you have to do though is add a signature to the peer routing/peer table. So for example findPeers would give you a list of ids:endpoints that also contained a signature by the id (publicKey). If you were a security-focused node you might only have a whitelist of ids that you would connect to, therefore thwarting any attempt to reveal your IP by poisoning the peer table. Does this make sense? Does this concern make sense?
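The signed peer-record check wanderer proposes above (a signature over the peer object, with the peer-Id derived from the public key so a gossiped entry cannot rebind a trusted id to other endpoints), as an added Go example; this is not code from the thread or from libp2p, and the record layout, the JSON encoding of the signed bytes and the simplified sha2-256 multihash used for the peer ID are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// PeerRecord is the thread's "peerObject": a public key plus the endpoints it
// claims to be reachable at (assumed layout, not libp2p's record format).
type PeerRecord struct {
	PubKey []byte   `json:"pub_key"`
	Addrs  []string `json:"addrs"`
}

// PeerID is a simplified multihash of the key: sha2-256 code 0x12, length 0x20.
func PeerID(pub ed25519.PublicKey) []byte {
	sum := sha256.Sum256(pub)
	return append([]byte{0x12, 0x20}, sum[:]...)
}

// SignRecord builds the signature(peerObject): peerObject pair the thread describes.
func SignRecord(priv ed25519.PrivateKey, addrs []string) (PeerRecord, []byte) {
	rec := PeerRecord{PubKey: priv.Public().(ed25519.PublicKey), Addrs: addrs}
	msg, _ := json.Marshal(rec) // marshalling this struct cannot fail
	return rec, ed25519.Sign(priv, msg)
}

// VerifyRecord accepts a gossiped record only if its key hashes to the trusted peer
// ID and the signature covers the endpoints, so an attacker cannot rebind that ID.
func VerifyRecord(trustedID []byte, rec PeerRecord, sig []byte) error {
	pub := ed25519.PublicKey(rec.PubKey)
	if len(pub) != ed25519.PublicKeySize || string(PeerID(pub)) != string(trustedID) {
		return fmt.Errorf("key does not match the trusted peer id")
	}
	msg, _ := json.Marshal(rec)
	if !ed25519.Verify(pub, msg, sig) {
		return fmt.Errorf("signature does not cover this record")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	rec, sig := SignRecord(priv, []string{"/ip4/203.0.113.5/tcp/4001"}) // constructed
	fmt.Println("genuine:", VerifyRecord(PeerID(pub), rec, sig))
	rec.Addrs = []string{"/ip4/198.51.100.9/tcp/4001"} // attacker swaps the endpoint
	fmt.Println("poisoned:", VerifyRecord(PeerID(pub), rec, sig))
}
```

A whitelist node, as the comment suggests, would keep only the trusted peer IDs and run VerifyRecord against each findPeers result before trusting its endpoints.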