MIME-Version: 1.0
Sender: earonesty@gmail.com
In-Reply-To: <CAOG=w-v8PnzLSKsZh1xcVpjXqtTczNBsh6qEjtQ-HqpoZQLoiA@mail.gmail.com>
References: <CAJowKgLXhS2SxwuJnfbHzKSzw+aZie5aO2EsC9qbwWJXMNDuRw@mail.gmail.com>
	<45BBAF76-CDB7-4D57-920C-70887CABFF48@jonasschnelli.ch>
	<CAOG=w-v8PnzLSKsZh1xcVpjXqtTczNBsh6qEjtQ-HqpoZQLoiA@mail.gmail.com>
From: Erik Aronesty <erik@q32.com>
Date: Mon, 14 Aug 2017 21:33:34 -0400
Message-ID: <CAJowKgLd4u4xZJiRW3uCh823zgcTvcM3Q31VkEjXAorS8=1SxQ@mail.gmail.com>
To: Mark Friedenbach <mark@friedenbach.org>
Content-Type: multipart/alternative; boundary="001a1144284c9024ab0556c0c46b"
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Would anyone object to adding a dlopen message
	hook system?
Precedence: list

--001a1144284c9024ab0556c0c46b
Content-Type: text/plain; charset="UTF-8"

Actually the more I think about it, the more I realize that all I need is
to listen on a new port, and use the RPC api to affect Bitcoin:

- ban a peer (# of hours)
- unban a peer (# of hours)

As long as I have those two functions, I can do everything I need.

On Sun, Aug 13, 2017 at 4:56 PM, Mark Friedenbach <mark@friedenbach.org>
wrote:

> Jonas, I think his proposal is to enable extending the P2P layer, e.g.
> adding new message types. Are you suggesting having externalized
> message processing? That could be done via RPC/ZMQ while opening up a
> much more narrow attack surface than dlopen, although I imagine such
> an interface would require a very complex API specification.
>
> On Sun, Aug 13, 2017 at 1:00 PM, Jonas Schnelli via bitcoin-dev
> <bitcoin-dev@lists.linuxfoundation.org> wrote:
> > Hi Erik
> >
> > Thanks for your proposal.
> > In general, modularisation is a good thing, though proposing core to add
> modules wie dlopen() seems the wrong direction.
> > Core already has the problem of running to many things in the same
> process. The consensus logic, p2p system as well as the wallet AND the GUI
> do all share the same process (!).
> >
> > A module approach like you describe would be a security nightmare (and
> Core is currently in the process of separating out the wallet and the GUI
> into its own process).
> >
> > What does speak against using the existing IPC interfaces like RPC/ZMQ?
> > RPC can be bidirectional using long poll.
> >
> > /jonas
> >
> >> I was thinking about something like this that could add the ability for
> module extensions in the core client.
> >>
> >> When messages are received, modules hooks are called with the message
> data.
> >>
> >> They can then handle, mark the peer invalid, push a message to the peer
> or pass through an alternate command.  Also, modules could have their own
> private commands prefixed by "x:" or something like that.
> >>
> >> The idea is that the base P2P layer is left undisturbed, but there is
> now a way to create "enhanced features" that some peers support.
> >>
> >> My end goal is to support using lightning network micropayments to
> allow people to pay for better node access - creating a market for node
> services.
> >>
> >> But I don't think this should be "baked in" to core.   Nor do I think
> it should be a "patch".   It should be a linked-in module, optionally
> compiled and added to bitcoin conf, then loaded via dlopen().    Modules
> should be slightly robust to Bitcoin versions changing out from under them,
> but not if the network layer is changed.   This can be ensured by a)
> keeping a module version number, and b) treating module responses as if
> they were just received from the network.   Any module incompatibility
> should throw an exception...ensuring broken peers don't stay online.
> >
> >
> > _______________________________________________
> > bitcoin-dev mailing list
> > bitcoin-dev@lists.linuxfoundation.org
> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> >
>

--001a1144284c9024ab0556c0c46b
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div>Actually the more I think about it, the more I realiz=
e that all I need is to listen on a new port, and use the RPC api to affect=
 Bitcoin:</div><div><br></div><div>- ban a peer (# of hours)<br></div><div>=
- unban a peer (# of hours)<br><br></div><div>As long as I have those two f=
unctions, I can do everything I need.</div></div><div class=3D"gmail_extra"=
><br><div class=3D"gmail_quote">On Sun, Aug 13, 2017 at 4:56 PM, Mark Fried=
enbach <span dir=3D"ltr">&lt;<a href=3D"mailto:mark@friedenbach.org" target=
=3D"_blank">mark@friedenbach.org</a>&gt;</span> wrote:<br><blockquote class=
=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padd=
ing-left:1ex">Jonas, I think his proposal is to enable extending the P2P la=
yer, e.g.<br>
adding new message types. Are you suggesting having externalized<br>
message processing? That could be done via RPC/ZMQ while opening up a<br>
much more narrow attack surface than dlopen, although I imagine such<br>
an interface would require a very complex API specification.<br>
<div><div class=3D"h5"><br>
On Sun, Aug 13, 2017 at 1:00 PM, Jonas Schnelli via bitcoin-dev<br>
&lt;<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org">bitcoin-dev@li=
sts.<wbr>linuxfoundation.org</a>&gt; wrote:<br>
&gt; Hi Erik<br>
&gt;<br>
&gt; Thanks for your proposal.<br>
&gt; In general, modularisation is a good thing, though proposing core to a=
dd modules wie dlopen() seems the wrong direction.<br>
&gt; Core already has the problem of running to many things in the same pro=
cess. The consensus logic, p2p system as well as the wallet AND the GUI do =
all share the same process (!).<br>
&gt;<br>
&gt; A module approach like you describe would be a security nightmare (and=
 Core is currently in the process of separating out the wallet and the GUI =
into its own process).<br>
&gt;<br>
&gt; What does speak against using the existing IPC interfaces like RPC/ZMQ=
?<br>
&gt; RPC can be bidirectional using long poll.<br>
&gt;<br>
&gt; /jonas<br>
&gt;<br>
&gt;&gt; I was thinking about something like this that could add the abilit=
y for module extensions in the core client.<br>
&gt;&gt;<br>
&gt;&gt; When messages are received, modules hooks are called with the mess=
age data.<br>
&gt;&gt;<br>
&gt;&gt; They can then handle, mark the peer invalid, push a message to the=
 peer or pass through an alternate command.=C2=A0 Also, modules could have =
their own private commands prefixed by &quot;x:&quot; or something like tha=
t.<br>
&gt;&gt;<br>
&gt;&gt; The idea is that the base P2P layer is left undisturbed, but there=
 is now a way to create &quot;enhanced features&quot; that some peers suppo=
rt.<br>
&gt;&gt;<br>
&gt;&gt; My end goal is to support using lightning network micropayments to=
 allow people to pay for better node access - creating a market for node se=
rvices.<br>
&gt;&gt;<br>
&gt;&gt; But I don&#39;t think this should be &quot;baked in&quot; to core.=
=C2=A0 =C2=A0Nor do I think it should be a &quot;patch&quot;.=C2=A0 =C2=A0I=
t should be a linked-in module, optionally compiled and added to bitcoin co=
nf, then loaded via dlopen().=C2=A0 =C2=A0 Modules should be slightly robus=
t to Bitcoin versions changing out from under them, but not if the network =
layer is changed.=C2=A0 =C2=A0This can be ensured by a) keeping a module ve=
rsion number, and b) treating module responses as if they were just receive=
d from the network.=C2=A0 =C2=A0Any module incompatibility should throw an =
exception...ensuring broken peers don&#39;t stay online.<br>
&gt;<br>
&gt;<br>
</div></div>&gt; ______________________________<wbr>_________________<br>
&gt; bitcoin-dev mailing list<br>
&gt; <a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org">bitcoin-dev@l=
ists.<wbr>linuxfoundation.org</a><br>
&gt; <a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-=
dev" rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundation.<wb=
r>org/mailman/listinfo/bitcoin-<wbr>dev</a><br>
&gt;<br>
</blockquote></div><br></div>

--001a1144284c9024ab0556c0c46b--