Skip to content

Add commonprefix.com validator to UNL#18

Open
cabrilo wants to merge 1 commit into
XRPLF:mainfrom
commonprefix:add-commonprefix-validator
Open

Add commonprefix.com validator to UNL#18
cabrilo wants to merge 1 commit into
XRPLF:mainfrom
commonprefix:add-commonprefix-validator

Conversation

@cabrilo

@cabrilo cabrilo commented May 11, 2026

Copy link
Copy Markdown

Summary

This PR adds commonprefix.com validator to UNL.

  • Public Key: nHBgzYRyy9VstzSm3uqZC34Uk72aEsyAu9aT4ZCkxxWec9DdmMD7
  • Domain: commonprefix.com
  • Operator: Common Prefix
  • Contact: validator@commonprefix.com

Infrastructure

  • Hosting and Location: AWS in ap-south-1 (Mumbai), independent from any other clusters of rippled, providing regional distribution in underrepresented area
  • Server: 8 CPUs, 64 GiB of RAM, NVME SSD (z1d.2xlarge)
  • Networking: 10,000 Mbps per server, no cap.

Code for the infrastructure is open source and available at: https://github.com/commonprefix/xrpl-validator

Our validator is behind two proxies, also hosted in India. The validator runs in an isolated private subnet with no direct internet access; inbound peer traffic terminates at a cluster of proxy nodes in public subnets.

flowchart TD
    Internet((Internet))

    subgraph public["Public Subnet"]
        PublicNode1[Node<br/>proxy]
    end

    subgraph private["Public Subnet"]
        PublicNode2[Node<br/>proxy]
    end

    subgraph isolated["Isolated Private Subnet"]
        Validator[Validator<br/>proposing]
    end

    Internet <--> PublicNode1
    Internet <--> PublicNode2

    PublicNode1 --> Validator
    PublicNode2 --> Validator
Loading

The aim of the setup is to ensure secure environment and high availability, with ability to automatically recover from failures and quickly respond to unforeseen issues. Our track record is available at: https://livenet.xrpl.org/validators/nHBgzYRyy9VstzSm3uqZC34Uk72aEsyAu9aT4ZCkxxWec9DdmMD7/history

Infrastructure As Code

Our infrastructure allows quick deployment of new proxy nodes and migration of existing validator if needed. It also allows spinning up new testnet clusters that mimic our mainnet setup to explore optimizations and identify issues.

Security

Among others, we take the following security precautions:

  • Validator IP obfuscation: the validator is never directly reachable; peers see only the proxy cluster
  • Key management: secrets required for operation of rippled are stored in AWS Secrets Manager, with least privilege access and auditing of all access
  • Two factor authentication: all access to AWS enforces two factor authentication
  • No SSH: all administrative access goes through AWS Systems Manager Session Manager
  • Infra as code: entire stack provisioned via Terraform + Ansible is reproducible and auditable
  • Security patches: security patches are automatically updated to EC2 instances running the validator and nodes

Internal Networking

Validator has no access to the internet without going through a NAT Gateway, limiting it to ports common for system updates and debugging. There are no ports forwarded between the internet and the validator.

Nodes are in their separate subnets. Validator's subnet can only ever communicate to the rest of the network through proxy nodes.

The only ports opened are standard rippled networking nodes on proxy nodes. SSH ports are never open and two factor authentication is required to establish a connection to any server.

Monitoring & Alerting

We have continuous monitoring and alerting for:

  • Ledger age and number of missed validations on all instances
  • Peer count so we are alerted to any anomalies
  • Server state for all instances
  • Memory, CPU, network activity and other usual monitoring targets
  • System security patches are applied automatically and if any patch requires a system reboot, we are notified to monitor it.

Our logs are collected to CloudWatch and visualized for ease of access. Alerts on anomalies, securities breaches, and validator state are sent, based on severity, to AWS CloudTrail, mobile phone push notifications, Discord push notifications, SMS and phone calls.

Updates

We have historically responded quickly to rippled updates, performing a rolling update of our proxy nodes and validator to increase uptime.

Why Common Prefix

Common Prefix is deeply involved in the rippled codebase. We performed security audits, documentation of the payment engine and we are currently leading the formal verification efforts, disclosing a number of security reports and reporting bugs. We also brought XRPL to Axelar.

By including Common Prefix in the UNL, community gains our expertise and voting leadership; Common Prefix gains insights into peering, networking and consensus and ability to participate in debugging any liveness issues or bugs.

@cabrilo cabrilo marked this pull request as ready for review May 11, 2026 16:13
@Vjkhannaripple

Copy link
Copy Markdown

Details on the validator reports are listed below
https://data.xrpl.org/v1/network/validator/nHBgzYRyy9VstzSm3uqZC34Uk72aEsyAu9aT4ZCkxxWec9DdmMD7/reports

@realgrapedrop

Copy link
Copy Markdown

Glad to see you are meeting recommendations I have made in my authored Rippled Field Guide https://github.com/realgrapedrop/rippled-field-guide/blob/main/docs/RIPPLED-FIELD-GUIDE.md

@Panosmek

Copy link
Copy Markdown

I support this. Common Prefix would be a great and high-quality addition to the UNL.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants