feat: Allowlist

[MarcoPolo]

This adds the Allowlist to Resource manager. See docs/allowlist.md for the design doc and more details.

This change requires changes to be merged first in go-libp2p-core and go-multiaddr (to support the ipcidr protocol in the multiaddr).

After this is merged, go-libp2p will need to be plumbed with these changes as well.

Before Merge:

• Update resource manager interface in go-libp2p-core
  • Add endpoint parameter to the OpenConnection method for ResourceManager go-libp2p-core#257
• Update go-multiaddr + multiaddr repo with ipcidr
  • Add ipcidr support multiformats/go-multiaddr#177
  • Add ipcidr multiformats/multiaddr#129

After Merge:

• Another PR for the config input to define an allowlist. The allowlist supports dynamic updating, but it's not exposed yet.
• Update go-libp2p to pass in the endpoint information

[MarcoPolo]

@marten-seemann / @vyzo this is ready to review. Please take a look.

Before merging I'll make sure to finish this checkboxed things in the PR description.

[marten-seemann]

Is my understanding correct, that we allow two types of addresses to be whitelisted?

1. /ip{4,6}/<ip>/
2. /ip{4,6}/<ip>/p2p/<peerid>
   But not /p2p/<peerid>?

We also need to add configurable limits for the newly introduced allowlist scopes, right?

[marten-seemann]

Have you considered unifying these into a single map? map[net.IPNet]struct{ allowsAll bool; map[peer.ID]struct{} }
allowsAll would be set if a multiaddr without /p2p is added.

[MarcoPolo]

Can I use net.IPNet as a key? The struct holds two byteslices, so I don't think I can.

[marten-seemann]

Just checked, you can't. That's annoying. You could use net.IPNet.String(), but not sure if that's nicer.

[MarcoPolo]

I don’t think so because:

1. allow checking is harder. you have to convert between the string and bytes.
2. You need to allocate the string on insertion.
3. you need to allocate at least once when doing an allowlist check.
4. (Depending on check implementation) you lose the quick lookup by peerid. Which may be a pretty common use case.

[marten-seemann]

Nit: isAllowListed. Or newAllowlist instead of newAllowList.

[MarcoPolo]

I meant to call this allowlist or Allowlist. Purposely not capitalizing the l. I realize I should change newAllowList to newAllowlist to be consistent.

[marten-seemann]

Requesting a review from @vyzo. Can you check how the scopes are getting shifted around?

[MarcoPolo]

We also need to add configurable limits for the newly introduced allowlist scopes, right?

Yep! Thank you for reminding me. I just added those with the same limits as the standard scopes.

Is my understanding correct, that we allow two types of addresses to be whitelisted?

1. `/ip{4,6}/<ip>/`

2. `/ip{4,6}/<ip>/p2p/<peerid>`
   But not `/p2p/<peerid>`?

Correct. I'm not sure what value the /p2p/<peerid> would give you since we'd have no way of knowing a connection was for this peerid until after we get the peerid information. Maybe if we knew that this address was signed by the <peerid> then we could allowlist the connection attempt. But I think you can do that with this by Adding the addresses you discover are signed by the peer you trust to the allowlist with the peer's peer id appended.

[marten-seemann]

Correct. I'm not sure what value the /p2p/ would give you since we'd have no way of knowing a connection was for this peerid until after we get the peerid information.

I agree. I was misled by the ipNet != nil check into assuming that we can have addresses that don't have an IP address.

[MarcoPolo]

Friendly ping @vyzo :)

[marten-seemann]

@MarcoPolo Do you want to include the config changes in this PR, or are you planning to create a follow-up PR for that?

[MarcoPolo]

@MarcoPolo Do you want to include the config changes in this PR, or are you planning to create a follow-up PR for that?

My plan was after this (see pr description). Since this will work fine without it and the config change is pretty small. And you have some changes around config in #48 in progress.

[vyzo]

We need a public interface and accessor in the rcmgr for the allowlist, plus an allowlist option to initialize.

[vyzo]

Can we have an interface type assertion for this, right after the def?
Or is there no public interface?

[vyzo]

I think we need to make a public interface for it in extapi, and provide an accessor so that users can modify after initialization.
The RWMutex is a must in this case.

[MarcoPolo]

I don't follow the reason for a public interface? I thought generally interfaces belonged to the caller.

Interfaces declare the behaviour the caller requires not the behaviour the type will provide. Let callers define an interface that describes the behaviour they expect. The interface belongs to them, the consumer, not you.

From: https://dave.cheney.net/practical-go/presentations/gophercon-israel.html#_let_callers_define_the_interface_they_require

[MarcoPolo]

ah is it because we return an interface and we can't have an interface function return this unexported type?

What's the downside of exporting this type then?

[vyzo]

Another important consideration here: we should only check the allow list if and only if a regular connection reservation fails.
This way it only triggers at the limit and we avoid the computational cost in the happy path.

[MarcoPolo]

We need a public interface and accessor in the rcmgr for the allowlist, plus an allowlist option to initialize.

I exported the Allowlist type, added an accessor to rcmgr, and added the WithAllowlistedMultiaddrs option.

[marten-seemann]

Can we use ma.MultiaddrToIPNet here?

[marten-seemann]

Probably not, if we want to extract the p2p component at the same time, right? We could get that one without iterating again by splitting off the last component though.

[MarcoPolo]

I also need the isIPV4 to save some time below

[marten-seemann]

Any reason not to use for i, ipnet := range ipNetList? Do we gain anything from going through the list in reverse order?

[MarcoPolo]

For swap remove. If we go through in normal order then we would skip an entry after swap remove or do some other messy logic that I think boils down to reverse iterating

[marten-seemann]

That only applies if you're trying to make multiple deletions from the list. Should be fine if you're breaking after the first deletion, right?

[MarcoPolo]

ah that's true. Although I'm a bit hesitant to change this so that instead of working for N removals it only works for 1 removal and would subtly break if you try to remove more than 1.

And the only reason to make the change is so that we use the syntactic sugar of for ... range. Is there any other benefit?

[marten-seemann]

Fair enough. I'd consider range more idiomatic (makes it harder to produce out-of-bounds access). No need to change it here.

[MarcoPolo]

@marten-seemann anything left?