
--netrestrict feature to enable IP filtering for Besu nodes used in key infrastructure #6620

Closed
non-fungible-nelson opened this issue Feb 27, 2024 · 6 comments · Fixed by #7168
Labels
enhancement New feature or request mainnet P1 Very High (ex: Security issues, unplanned backward incompatibility preventing network participation) peering

Comments

@non-fungible-nelson
Contributor

Description

As an infrastructure provider, I want to be able to restrict my node to certain IP networks so that I can prevent and filter unwanted peering. I also want parity with Geth nodes with this option to better take advantage of existing configs and tooling.

Besu should enable restriction of peer-to-peer connectivity to an IP subnet. Doing so will further isolate the network and prevent cross-connecting with other blockchain networks in case the nodes are reachable from the Internet.

Acceptance Criteria

  • --netrestrict option exposed, taking a string representing an IP value
  • No external peering or connection to the internet is enabled
  • If this option is set to a non-nil value, only hosts which match one of the IP networks contained in the list are considered.

Reference code

Geth Codebase

@FlorianHuc

Here is an example of how we configure geth:

netrestrict: "10.80.0.0/16"

non-fungible-nelson added the P1 Very High (ex: Security issues, unplanned backward incompatibility preventing network participation) label on Mar 28, 2024
@pinges
Contributor

pinges commented Apr 8, 2024

I've had a quick look at this.
I assume that we want to support a list of comma separated CIDR strings (same as geth).
In geth netrestrict is used for discovery and p2p, I assume we want to do the same.
To implement this we need to create a new CLI option, parse the CIDR string (geth ignores additional commas and whitespace), and check whether the IP addresses are in the range.

@FlorianHuc

Thanks for the analysis. If we can have a feature following geth's specs, I indeed believe it's the best.

@pinges
Contributor

pinges commented Apr 18, 2024

For p2p we are using Netty. We can use a String to create an instance of the IpSubnetFilterRule class in Netty, which can be used in a ChannelInitializer, which can be used as a childHandler in the ServerBootstrap.
For discovery we are using vertx DatagramSocket. Not sure how to use vertx to do the filtering for us, but we could do the filtering manually as well.

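Taking the two pinges comments together (parse a comma-separated CIDR list while tolerating stray commas and whitespace, then check candidate addresses on both the Netty/RLPx path and the vertx discovery path), the following is an added example of that check in Go, modelled on the geth netlist behaviour the issue asks for parity with. It is not Besu's or geth's code; `Netlist`, `ParseNetlist`, `Contains` and `Allowed` are names chosen for the example, rejecting a malformed CIDR entry with an error is this example's choice rather than something the thread specifies, and the peer addresses are constructed.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Netlist is an allow-list of IP networks for peering. A nil Netlist means the
// option was not set and imposes no restriction, matching the "non-nil value"
// wording in the acceptance criteria.
type Netlist []net.IPNet

// ParseNetlist parses a comma-separated list of CIDR strings such as
// "10.80.0.0/16, 192.168.1.0/24". Empty entries left by stray commas and
// surrounding whitespace are skipped. An entry that is not a valid CIDR is
// rejected outright (this example's choice): an allow-list that silently drops
// a malformed entry would change what it admits without the operator noticing.
func ParseNetlist(s string) (Netlist, error) {
	list := Netlist{} // non-nil even when empty, so "set but empty" denies all
	for _, entry := range strings.Split(s, ",") {
		entry = strings.TrimSpace(entry)
		if entry == "" {
			continue
		}
		_, ipnet, err := net.ParseCIDR(entry)
		if err != nil {
			return nil, fmt.Errorf("netrestrict: invalid CIDR %q: %w", entry, err)
		}
		list = append(list, *ipnet)
	}
	return list, nil
}

// Contains reports whether ip lies inside any listed network. net.IPNet.Contains
// normalises IPv4-mapped IPv6 addresses (::ffff:a.b.c.d), so an IPv4 CIDR still
// matches a peer seen through a dual-stack socket.
func (l Netlist) Contains(ip net.IP) bool {
	if l == nil {
		return true // option not set: unrestricted
	}
	for i := range l {
		if l[i].Contains(ip) {
			return true
		}
	}
	return false
}

// Allowed applies the list to a peer address from either transport: the TCP
// (RLPx) accept path and the UDP (discovery) datagram path both reduce to this
// single decision. Unknown address types are refused rather than let through.
func (l Netlist) Allowed(addr net.Addr) bool {
	switch a := addr.(type) {
	case *net.TCPAddr:
		return l.Contains(a.IP)
	case *net.UDPAddr:
		return l.Contains(a.IP)
	default:
		return false
	}
}

func main() {
	// Constructed sample: the value from the geth config earlier in the thread,
	// plus the stray commas and whitespace the parser is expected to tolerate.
	list, err := ParseNetlist(" 10.80.0.0/16,, 192.168.1.0/24 , ")
	if err != nil {
		panic(err)
	}
	// Constructed peer addresses, not real nodes.
	peers := []net.Addr{
		&net.TCPAddr{IP: net.ParseIP("10.80.3.4"), Port: 30303},        // in range
		&net.UDPAddr{IP: net.ParseIP("::ffff:10.80.3.4"), Port: 30303}, // mapped v4, in range
		&net.TCPAddr{IP: net.ParseIP("10.81.0.1"), Port: 30303},        // adjacent /16, refused
		&net.UDPAddr{IP: net.ParseIP("2001:db8::1"), Port: 30303},      // v6, refused
	}
	for _, p := range peers {
		fmt.Printf("%-22s allowed=%v\n", p.String(), list.Allowed(p))
	}
	if _, err := ParseNetlist("10.80.0.0/16,10.80.0.0"); err != nil {
		fmt.Println("rejected:", err) // a bare address without a prefix length is not a CIDR
	}
}
```

Whichever library ends up doing the check in Besu, the IPv4-mapped case is the one worth a test: a dual-stack listener can present a 10.80.0.0/16 peer as `::ffff:10.80.x.y`, and a filter that compares address families naively will refuse exactly the hosts the operator meant to admit.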
@non-fungible-nelson
Contributor Author

Is this blocked due to our internal resourcing needs or another reason?

@jframe
Contributor

jframe commented May 8, 2024

@non-fungible-nelson It's blocked due to internal resourcing needs at the moment.
