P2P: Add gossip of BP peers

[heifner]

Adds new gossip_bp_peers_message message to P2P protocol for gossip of available "BP" peers. Normally these peers would be canary relay nodes to the block producer and block finalizer nodeos.

• Gossip connection information is only shared with nodes that are connected to another "BP" node that has a peer key registered on-chain.

• Block producers should register a new peer key on chain. See Add support for storing public keys on-chain that will be used to validate a network peer's identity. VaultaFoundation/system-contracts#185

• Block producers then run the canary relay node(s) with the private key of the peer key and their block producer account.

• For example, block producer defproducera.

  • Register a public peer key on change via regpeerkey with values: defproducera EOS6y94JK7Dsg3iJCrnvdbyLPZJvaAhfBSU44eU8jkPd4VHX9CJzp
  • Add the following to their canary relay node.

       p2p-producer-peer = defproducera
       signature-provider = EOS6y94JK7Dsg3iJCrnvdbyLPZJvaAhfBSU44eU8jkPd4VHX9CJzp=KEY:5J6Z64Jqexample
       p2p-auto-bp-peer = p2p.peer.com:9876

The p2p-producer-peer matches the producer-name of the BP. The key provided to signature-provider is the public/private key of the on-chain key specified with regpeerkey. The p2p-auto-bp-peer is a known BP peer. This is not technically needed if another BP peer has your endpoint listed in their p2p-auto-bp-peer list.

p2p-auto-bp-peer can be specified for as many known bp peers. These will be used along with gossip peers as producers rotate into the producer schedule. They are not gossiped out to other peers. Only this nodes connection info along with other received gossip BP info is gossiped to other peers.

Resolves #1245

[spoonincode]

good call I didn't think of this when reviewing other PR

[spoonincode]

I don't think it was changed in this PR but looking through the code I see it creates and verifies canonical signatures. Maybe consider turning that off (passing false) now from the start of this feature

[spoonincode]

I think we want to immediately kick out SIG_WA. We did make the contract disallow PUB_WA.

[heifner]

f816643

[greg7mdp]

I don't think we need to exit the loop early if fatal_error is true (it is after all an optimization for a very unlikely case).

And if we don't, we can use std::erase instead of that for loop which makes the code clearer I feel.

But up to you what you prefer!

[greg7mdp]

nit: Maybe invalid_message would be more descriptive than fatal_error.

[heifner]

I think it is important to exit early on a bad public_key. Seems like those could be crafted to be expensive to evaluate. As soon as one is determined to be invalid, don't bother trying to verify signature on any others.

[heifner]

75c63e3

[greg7mdp]

Seems like those could be crafted to be expensive to evaluate.

I don't think it is a very likely attack vector from one of the top-50 producers, but OK.

[heifner]

If the message is not from one of the top-50 we know about then we will not consider that a valid message and will disconnect.

[greg7mdp]

So this means that the attack with invalid signatures is not very likely, right. Not advocating for a change, but just that these messages are among a trusted group (all trusted to see the IP of all block producers, so if there was a rogue element it could probably do more damage by ddos'ing producers as they are scheduled to produce than by forging public keys that take time to validate).

[heifner]

Well anyone could send a crafted gossip_bp_peers_message we have to validate to know it is from a valid producer.

This conversation did make me realize that it was a bit too strict. Just because a peer is no longer in the top producers does not mean we should fatal disconnect from them.

[greg7mdp]

Well anyone could send a crafted gossip_bp_peers_message we have to validate to know it is from a valid producer.

Hum, I wonder if the whole message (the std::vector<bp_peer> + sender's name) should not be signed by the peer sending it. Then the first thing we could do is validate that the signature matches the public key of one of the IPs registered for that producer, so we authenticate that it comes from one of the current top-50 producers.

[heifner]

We could certainly do that. Not sure it is worth the extra processing. Open to what others think.