Bootstrapping the SAFE network via Bittorrent


#1

It occurred to me last night that we could use Bittorrent Mainline DHT to find nodes that implement the SAFE network during the bootstrap phase, without having to hardcode any public node address in the software, only a single hash value.

For that to work, we would have to extend the bittorrent protocol with a message to send SAFE bootstrap information on request. SAFE nodes would simply have to implement the bittorrent protocol and store a special file that all SAFE nodes would know a priori. For bootstrapping, a node simply downloads the file and asks the seeding peers for their SAFE bootstrap information.

In the web context, it seems pretty easy as webtorrent implements all the hard stuff, and the more it becomes used, the more robust the mechanism becomes. The main advantage is that the seeding peer set changes over time depending on which nodes are up, and therefore the bootstrap process is not tied to a physical server anymore.

There are also plans for webtorrent to implement its own Distributed Hash Table, I presume to not only store tracker information but also the content of the torrents themselves. Maybe we could leverage that in the future also.

These are exciting times!


#2

great idea!!


#3

I think this is a great idea. I’m not sure of all the technical implications of doing this, but I like the idea of the entryway onto the Safe network NOT being dependent on any centralized server, even one in Troon or by the PODs.


#4

One pertinent question that I have, not necessarily directed at this idea, but at the idea of bootstrapping in general, is how do we know that we are connecting to the actual Safe Network, and not a fork? Because of the obscure nature of the network and the limited information that any individual node will possess, how do we confirm that we are participating in the same network?


#5

Logging in helps as it needs to retrieve actual validatable data. After that I think there are many ways to confirm it's the real SAFE network (checking your safecoin balance, doing xfers etc.).


#6

Nice idea!

The code currently follows this logic to decide where to bootstrap off (see src/routing/bootstrap_utils.cc GetBootstrapContacts):

  1. if there is no bootstrap file given, it bootstraps off of the hardcoded (main SAFE network)
  2. after successfully bootstrapping, it will write its own bootstrap file with the details of the nodes it discovered.
  3. if on reconnecting it finds this self-written (i.e. on the default location) bootstrap file it will always add the hardcoded endpoints to ensure online/maintained nodes.

However, if you specify a specific bootstrap file (on a different than default location), it will not add the hardcoded (main SAFE) endpoints, and only try to bootstrap off of the given bootstrap file.

So it should be quite easy to set up a multitude of SAFE networks, not connected to each other or to the main SAFE network, by sharing a bootstrap file over a bittorrent network.

And as David already replied, the best way to validate what network you are connected to, is by attempting to log in; if your login data cannot be retrieved, you’re not on the right network. (And thanks to self-authentication, a man-in-the-middle network cannot do much more other than passing on your encrypted chunks)

I’ve already given some thought about whether an ID should be attached to the network, but the beauty of identifying a network by your own login details is precisely that even the knowledge of which network it is, is decentralized.
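
The three rules in the post above, and the isolation that follows from a custom bootstrap file, modelled as an added example. This is not part of the original post and not MaidSafe's `GetBootstrapContacts`; every name, path and address in it is hypothetical or constructed, and "no file given" is assumed to be represented by an empty path.

```cpp
#include <algorithm>
#include <iostream>
#include <string>
#include <vector>

// Hypothetical model of the three rules above; not the code in bootstrap_utils.cc.
typedef std::string Contact;  // "host:port"; all values below are constructed

struct BootstrapInputs {
  std::string file_path;               // empty = no bootstrap file given or found
  std::string default_path;            // where a node writes its own bootstrap file
  std::vector<Contact> file_contacts;  // contacts parsed from file_path
  std::vector<Contact> hardcoded;      // built-in main-network endpoints
};

struct BootstrapPlan {
  std::vector<Contact> contacts;
  bool includes_hardcoded;  // false: the node only ever sees the file's network
};

BootstrapPlan SelectBootstrapContacts(const BootstrapInputs& in) {
  BootstrapPlan plan;
  plan.includes_hardcoded = false;
  if (in.file_path.empty()) {  // rule 1: nothing given, use hardcoded endpoints
    plan.contacts = in.hardcoded;
    plan.includes_hardcoded = true;
    return plan;
  }
  plan.contacts = in.file_contacts;
  if (in.file_path == in.default_path) {  // rule 3: self-written file, add hardcoded
    for (size_t i = 0; i < in.hardcoded.size(); ++i)
      if (std::find(plan.contacts.begin(), plan.contacts.end(), in.hardcoded[i]) ==
          plan.contacts.end())
        plan.contacts.push_back(in.hardcoded[i]);
    plan.includes_hardcoded = true;
  }
  return plan;  // custom path: file contacts only, no fallback to the main network
}

int main() {
  BootstrapInputs in;
  in.default_path = "/var/lib/safe/bootstrap.dat";   // constructed path
  in.file_path = "/tmp/from-torrent/bootstrap.dat";  // constructed path
  in.file_contacts.push_back("198.51.100.7:5483");   // constructed (TEST-NET-2)
  in.hardcoded.push_back("192.0.2.10:5483");         // constructed (TEST-NET-1)
  BootstrapPlan plan = SelectBootstrapContacts(in);
  std::cout << plan.contacts.size() << " contact(s), hardcoded included: "
            << (plan.includes_hardcoded ? "yes" : "no") << "\n";
  return 0;
}
```

In this model a bootstrap file fetched from a torrent and passed by path decides alone which network the node joins, so the file's provenance is the only thing standing between a new user and a look-alike network.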


#7

I meant the very first time, when you go in and create an account.

The issue here is with the strength of Safecoin. If there is one network which mines Safecoins, then all effort, all donation of resources will seek to mine that software. But if I join a network which is controlled by a single actor, or an unfair farming syndicate, and put my data on there, then I will be locked in to that network, but my Safecoins won’t be worth nearly as much.


#8

Yes I imagine this would be like joining another Internet. If you knew Google, Yahoo etc. were missing and wondered what everyone was talking about then you would soon realise :-). Of course it may be like Peter Todd chatted about and the attacker creates a whole new internet etc. then you wonder where your pals are as they want to chat, and the attacker creates them etc. and then you wonder why company X is not accepting your safecoins and the attacker creates company X and so on …

So given enough resources and omnipotence this Google attack thing can work. It's unlikely but makes for an awful good headline :wink:


#9

Also a cool movie plot hah


#10

Yeah, I think you would realize it, but the question is how soon? I also think that there are a lot of people who will want to use SAFE for data storage, but will remain on the conventional internet for most communications.

So you are going along, using what is not the original safe network, is a much smaller, less secure, maybe controlled by a farming syndicate network.

Then you find out and you want to transfer over to the Safe network. Client-side encryption means that you can just walk away from the old network and be fine, but all of your fakesafecoins are worthless, and so you have to start farming on the Safe network or buy safecoins on an exchange to put your data on the actual safe network.


#11

Maybe it could be possible to associate a particular node Public Key to a user using something like https://keybase.io/. Users could then join the network using a node that has been signed by someone they trust. Anybody could sign their own node independently so there would be no vetting process by MaidSafe or anyone else, but we could piggy back on the credibility some people have to build trust?


#12

Which is in no way desirable?


#13

I thought even if a small Safenetwork was disconnected or separated in some way from the main network, say physically, when available it could reconnect, so if that is true then it would be fine after it was reconnected, but no way to tell if your data is closed off in a localized place which could make nodes and data vulnerable? Could this be an attack vector? Physically closing off sections of the network? If so I share @chrisfostertv feelings I believe


#14

Allowing separated networks to rejoin can definitely be an attack vector, or at least an abuse vector. I could just create 100 vaults, separate them from the real network, change the rules in my private network by adapting the code (like making storage free), store 100 terabytes of data in my private network, revert the rule changes I made, rejoin the real network, and gradually take my vaults offline which will cause churn events that transfer my 100 terabytes of data to real vaults in the real network.


#15

I don’t know enough about code but have wondered if the system could or will check code authenticity (not making any claims) as to avoid such problems. I could see a malicious network being created like you mention to do just that.


#16

We talked about it before here: No Ledger?

I think there really is no such thing as a “network” merge. If there are two separated networks, all users of one have to leave theirs and rejoin the other one like any individual user would. If a vault switches networks like that, any data that comes exclusively from its old network wouldn’t be recognized as network data on the new one.


#17

I’m getting this idea from a talk I had heard where if part of the network was cut off, i.e. Egypt during troubled times, then the network would reconfigure to a smaller localized network if kept alive, however like a mesh net, and then remerge after the physical pipes were back online. You had a different spin on it that is very interesting, but what I meant originally was if you corner off a piece of the network to a small enough size can you start to manipulate close groups and pick nodes off one by one?


#18

The address tool can show this, so if you get a split of 2000 nodes you could get a group by adding 6-7000 nodes, and wait on them getting rank, but the small network may not have much data. On re-connection the original nodes will join where they were and all the new nodes will very likely have their addresses re-allocated (as they now need to gain rank on the old network). So in a way they may be able to get a group on the segment, but the segment likely has little data in terms of logins etc. that the attack is not much use.

As for safecoin, the owners may be on the other network, they could not be manipulated or in very few cases spent. There is even more protection there I believe. Again though a continent segment would be pretty rare and as we move forward with multiple connections, satellite etc, the nodes will find their way to both networks. It would require some kind of mega shield to keep all connections off both networks and any mesh connections etc. I think this improves over time.


#19

Interesting, so this was incorrect?


#20

Yes in a way, any immutable validated data would be preserved that was put up (perhaps). The attack vaults would not get onto the real network though as their keys are not stored there (crypto key is the access) and have to be re-requested so their best bet is they join the large network as new nodes with no rank. We are safe from this one :smile: