Skip to content

Latest commit

 

History

History
120 lines (91 loc) · 6.27 KB

mitigations.md

File metadata and controls

120 lines (91 loc) · 6.27 KB

Mitigation Strategies Analysis for libp2p/go-libp2p

Mitigation Strategy: Strong Peer Identity Verification (using libp2p-pnet and libp2p-tls)

  • Mitigation Strategy: Implement a combination of Private Network Protector (libp2p-pnet) and TLS-based PeerID verification (libp2p-tls).

  • Description:

    1. libp2p-pnet (Private Network):
      • Generate a pre-shared key (PSK).
      • Configure the go-libp2p host using libp2p.PrivateNetwork(psk) during host creation, providing the PSK.
      • Ensure all nodes in your private network use the same PSK.
    2. libp2p-tls (TLS with PeerID Verification):
      • Configure go-libp2p to use libp2p-tls for transport security: libp2p.Security(libp2ptls.ID, libp2ptls.New).
      • Within your connection upgrade logic (e.g., a custom security upgrader), use libp2ptls.ExtractPeerID to get the PeerID from the presented TLS certificate.
      • Verify that the extracted PeerID matches the expected PeerID.
      • Reject connections if the certificate is invalid or the PeerID doesn't match.

  • Threats Mitigated:

    • Impersonation: (Severity: High)
    • Sybil Attacks: (Severity: High)
    • Man-in-the-Middle (MITM) Attacks: (Severity: Medium)

  • Impact:

    • Impersonation: Risk significantly reduced.
    • Sybil Attacks: Risk significantly reduced (within the private network).
    • MITM Attacks: Risk reduced (further mitigation with certificate pinning is recommended, but that's less directly go-libp2p).

  • Currently Implemented (Hypothetical Example):

    • libp2p-pnet is implemented in host.go.
    • libp2p-tls is enabled by default. Basic certificate validation is performed.

  • Missing Implementation (Hypothetical Example):

    • Strict PeerID verification is not consistently implemented.
    • Strong cipher suite enforcement is not explicitly configured.

Mitigation Strategy: Connection Gating and Resource Management

  • Mitigation Strategy: Use a ConnectionGater and the go-libp2p-resource-manager to control connections and limit resource consumption.

  • Description:

    1. ConnectionGater:
      • Implement the network.ConnectionGater interface.
      • Implement logic within the interface methods (InterceptPeerDial, InterceptAccept, InterceptSecured, InterceptUpgraded) to control connection establishment.
      • Use this logic to limit connections, block malicious peers, and prioritize connections.
      • Register the ConnectionGater with the host using libp2p.ConnectionGater(yourGater).
    2. go-libp2p-resource-manager:
      • Create a resource.Manager instance: rm, err := rcmgr.NewResourceManager(rcmgr.NewFixedLimiter(rcmgr.InfiniteLimits)) or use a rcmgr.NewDefaultResourceManager.
      • Configure limits using the resource.Manager API (e.g., rm.SetLimit(...)).
      • Register the resource.Manager with the host using libp2p.ResourceManager(rm).

  • Threats Mitigated:

    • Eclipse Attacks: (Severity: Medium)
    • Denial-of-Service (DoS) Attacks: (Severity: High)
    • Sybil Attacks: (Severity: Medium)

  • Impact:

    • Eclipse Attacks: Risk reduced.
    • DoS Attacks: Risk significantly reduced.
    • Sybil Attacks: Risk partially reduced.

  • Currently Implemented (Hypothetical Example):

    • A basic resource.Manager is configured.
    • No ConnectionGater is implemented.

  • Missing Implementation (Hypothetical Example):

    • ConnectionGater is entirely missing.
    • resource.Manager limits are not fine-tuned.

Mitigation Strategy: GossipSub Hardening

  • Mitigation Strategy: Configure GossipSub parameters to improve resilience.

  • Description:

    1. Review GossipSub Parameters: Understand options like WithPeerOutboundQueueSize, WithValidateQueueSize, WithMaxPendingConnections, WithPeerExchange, WithFloodPublish, WithHeartbeatInterval.
    2. Adjust Parameters: Use the pubsub.Options when creating the GossipSub instance (e.g., pubsub.NewGossipSub(ctx, host, pubsub.WithPeerExchange(true))). Adjust parameters based on your needs.

  • Threats Mitigated:

    • Eclipse Attacks: (Severity: Medium)
    • Denial-of-Service (DoS) Attacks: (Severity: Medium)
    • Message Suppression/Modification: (Severity: Medium)

  • Impact:

    • Eclipse Attacks: Risk reduced.
    • DoS Attacks: Risk reduced.
    • Message Suppression/Modification: Risk reduced.

  • Currently Implemented (Hypothetical Example):

    • GossipSub is used with default parameters.

  • Missing Implementation (Hypothetical Example):

    • No specific GossipSub hardening.

Mitigation Strategy: DHT Routing Table Protection (for libp2p-kad-dht)

  • Mitigation Strategy: Use libp2p-kad-dht securely and implement custom validators.

  • Description:

    1. Mode Selection:
      • Use dht.ModeServer only on trusted nodes.
      • Use dht.ModeClient on all other nodes. Set this using dhtopts.Mode(dht.ModeClient).
    2. Custom Validators (WithValidators):
      • Implement custom validation logic conforming to the record.Validator interface.
      • Use dhtopts.Validator(yourValidator) when creating the DHT instance.
    3. Redundancy: Query multiple peers for the same record.
    4. Refresh Routing Table: This happens automatically, but ensure reasonable refresh intervals.

  • Threats Mitigated:

    • Routing Table Poisoning: (Severity: High)

  • Impact:

    • Routing Table Poisoning: Risk significantly reduced.

  • Currently Implemented (Hypothetical Example):

    • Mixed ModeServer/ModeClient configuration.
    • No custom validators.

  • Missing Implementation (Hypothetical Example):

    • ModeServer on untrusted nodes.
    • No custom validators.