Relay Infrastructure Integration #4990
Comments
|
cc @lgierth @diasdavid @Stebalien @dryajov @mgoelzer |
|
cc myself |
How would this be done? I always though we would have our bootstrap nodes be relays as well, it seems the most sensible way of doing it, unless I'm missing something. |
|
#4992 will also be needed |
There is the issue of separation of concern and scalability. We want relays to be dedicated nodes with fast network connections and no random connections/bitswapping. This will allow the relay nodes to keep their (passive) connections open for long periods of time and we also want them to be accessible with a multitude of transports (eg wss for browser nodes). And we really don't want to kill the bootstrap nodes by overloading with relay duties, imagine what will happen if 1M browser nodes hit them. |
|
Also related: libp2p/go-libp2p-swarm#57 This will allow us to start advertising relay addresses without interfering with direct dials. |
|
#4993 is very much an essential component. |
|
@vyzo we need a way not to depend on go-ipfs being shipped with the right set of relays. It is becoming a problem with bootstrap nodes right now. We will need a layer of indirection for this. |
|
@Kubuxu agreed We've been working on rendezvous as the long term solution:
Considerable thought in the design went towards engineering a long term solution for scalable relay infrastructure and open relay capacity pools. But we are not there yet! The fixed relays are intended as the bootstrap step towards a fully open relay infrastructure for the ipfs network. |
|
The way to add this I think, would be to make it an implicit default. So if the values are not set in the config file, use the default ones. this allows us to easily change the values across versions of ipfs, while still retaining the ability for users to specify their own relays. |
|
Curious if anything further has happened with this? I threw up a few nodes after cloudflare made their annoucement and I'm quite surprised at some of the traffic. There are a handful of hosts getting hit with several thousand connections per second. The connections themselves were very short, sometimes not even a single data packet. My hosts are on 10G but I have to wonder who else isn't so fortunate? The nodes settled quite nicely after blocking, |
|
We've added a bunch of DHT nodes.
Those may be parallel dials to different listeners on the same node. We currently dial in parallel as some transports/addresses work in some situations and others don't. However, I'd usually expect at least one data packet in most cases. |
|
Indeed there are some nodes with many listteners but I've yet to find one with a thousand :) To be clear, in the case with no data packets I simply see SYN,SYN/ACK,FIN. Perhaps the wrong place to ask (I'll edit this if so), but may be related is there are a lot of 0 byte packets on established connections. Not entirely sure why GO is defaulting to disabling nagle? Results in tiny packets. edit: I take that back, there are several. Couple are 10k+ (seriously?). One of them in China is advertising 15 thousand ports and is indeed blocked. None of the ports tested were open. |
Ideally, we'd handle this in userland.
Related: libp2p/libp2p#47. Is that a single peer or a single IP. If it's a single IP but multiple peers, it's probably a large NAT. Otherwise, it may be due to a bug we had where long-lived nodes never cleaned up old "observed" addresses (that likely never worked in the first place). However, that wouldn't explain your inbound connections (unless your node is also advertising a ton of addresses). |
Is that something already being worked on ? Was looking at how to set socket options in GO as a quick hack, couldn't find anything.
Both. it' was a single peer with one IP.
Just the public IP address is being advertised. Kinda surprised there are no default filters for private addresses but I added them. Though they are blocked / unrouteable at the edge, IPFS keeps trying relentlessly.. It cut back on a lot of crap trying to go out too. $ ipfs swarm filters |
We could enable it but that's not necessarily the correct choice. In fact, we create our own sockets (we needed to set an option we couldn't) so we mimicked go's choice here. When I said "in userspace", I meant "we should buffer up small writes before passing them to the kernel":
See: #4280
Sounds like that bug I was talking about.
You can enable the server profile ( |
Is that something I can add even as a test?
Not quite following. You would still do the MAC in userspace. A problem with doing push on everything is you can negate the kernels ability to buffer properly under high load. A simple test is to block a peer with an open connection. It will completely misbehave to the point it times out entirely too early (~10 seconds?). One interesting bug with that is something continues sending data on the socket despite having sent a FIN.
Is there any way to block peers that haven't updated?
Did not know about that! Likely use test if I can find what all it does. |
Sure. See the calls to (we're hoping to kill this module off in the near future).
My point is that, by doing our buffering in userspace, we can send less data and make fewer syscalls. For example, if we buffer before our security transport, we can MAC larger chunks of data, amortizing the size of the mac over these larger chunks of data. If we buffer before our stream multiplexer, we can pack multiple writes into a single stream data frame, saving the framing data. However, we obviously don't do enough buffering so it may make sense to turn on nagle's algorithm (but we'd have to test it). The downside of nagle's algorithm is that it can add latency. If we (in userspace) know that we're unlikely to send any additional data, we'd like the kernel to just send the packet immediately rather than waiting. Unfortunately, we do have some protocols that like to send one small latency sensitive packet periodically. Really, we just need to test more.
Not sure if I understand. What are you blocking and what times out?
From remote peers? That sounds like network reordering.
In theory but not easily. However, you can follow libp2p/libp2p#47. Basically, we're just going to start trimming these massive lists down. (sorry for entirely derailing this issue, this is just a good conversation to have and I don't want to stall it) |
Reuseport is a different thing though no? I can't find any reference to setNoDelay though that could 100% be me not understanding GO :)
Indeed, curse of any vpn and SSH. Such small packets however allow one to infer the type of data (timing attacks for example). You can amortize the latency and gain more efficiency by bursting. TCP_CORK defaults to a maximum 200ms window, certainly noticeable for time sensitive applications like ssh, but tcp itself purrs along nicely.
Simulating failures by blocking an established connection using iptables then watching how it responds with tcpdump. A properly functioning connection will detect the condtion and backoffl (congestion avoidance) until either their send/receive queue pops or a protocol specific watchdog kicks in (ie keepalive). What happens with ipfs (or GO itself?), is it gives up. ex IP's obfuscated, ext01 (remote) was blocked egress from ext02 (local). You can artificially cause this with tc and netem (would let you see the effect of various buffer sizes as a bounus). You'll likely need to increase the OS tcp buffers from their default (4096 is way too tiny).
Could be. Doesn't appear to happen with all peers.
It's a bit of a slipery slope becaus eon one hand by doing so you're determining abuse but also have very little detail as to what is abuse and say.. a misconfigured host. I could fully see someone spawning one process per CPU without understanding there are other technologies already handling that (GO directly for example). Or simply forgot to add the appropriate SNAT rules.
Honestly I didn't know where else to bring this up either with all the projects, lists, irc etc. It's still related to the performance of DHT and relaying. |
|
An update on recent progress: |
|
#5785 for autorelay integration. |
Over the last few weeks (months) we have witnessed deteriorating DHT performance:
We have reached a tipping point: Diagnosing the network with a dht crawler has revealed that 61% of the DHT is undialable.
The way forward, in the short/medium term, is to deploy relay capacity and integrate a set of known relays into the go-ipfs distribution itself.
This has that added benefit that it will greatly improve connectivity with the browser world, so it's not a shallow fix.
This issue is here to discuss and track progress towards relay infrastructure integration.
The text was updated successfully, but these errors were encountered: