Network Time Security #4219

Open
burdges opened this issue Apr 19, 2024 · 3 comments
Labels
I10-unconfirmed Issue might be valid, but it's not yet known.

Comments

burdges commented Apr 19, 2024

Network Time Security (NTS) should probably replace vanilla NTP. See RFC 8915. We should look over the existing implementations:

We should sample time from multiple sources too, which NTS should support since NTP always did. It's maybe worth looking at exactly how NTP/NTS combines multiple sources too: If they use a median then that's wonderful. We'll think about it if they do something else.

We need to choose the default list of secure time services too, so Cloudflare, Google, etc, but also some in Europe, Asia, South America, etc.

We know actual decentralized approximate time protocols, which likely make sense eventually, but they could still be attacked if all the validators have their NTP sources biased, so NTS remains important, and NTS alone gets us much of the way there. I'd expect they merely provide sanity checks on NTS in practice.

@github-actions github-actions bot added the I10-unconfirmed Issue might be valid, but it's not yet known. label Apr 19, 2024
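
The median combination raised in the first comment, as an added example that is not part of the original thread and not NTP/NTS or polkadot-sdk code: with constructed offsets it shows that a median over several sources stays inside the honest range while fewer than half of them are biased, where a mean does not. The function names and the quorum and tolerance parameters are assumptions.

```rust
// Added example: hypothetical names, constructed offsets (milliseconds
// relative to the local clock). Not NTP/NTS or polkadot-sdk code.

/// Median of the source offsets, or None when fewer than `min_sources`
/// (an assumed quorum parameter) replied. While fewer than half of the
/// samples are biased, the result stays within the honest sources' range.
pub fn median_offset(samples: &[i64], min_sources: usize) -> Option<i64> {
    if samples.is_empty() || samples.len() < min_sources {
        return None;
    }
    let mut v = samples.to_vec();
    v.sort_unstable();
    let mid = v.len() / 2;
    if v.len() % 2 == 1 {
        Some(v[mid])
    } else {
        // Even count: average the two middle values in i128 to avoid overflow.
        Some(((v[mid - 1] as i128 + v[mid] as i128) / 2) as i64)
    }
}

/// Arithmetic mean, for comparison: one biased source moves it arbitrarily.
pub fn mean_offset(samples: &[i64]) -> Option<i64> {
    if samples.is_empty() {
        return None;
    }
    let sum: i128 = samples.iter().map(|&x| x as i128).sum();
    Some((sum / samples.len() as i128) as i64)
}

/// Sanity check: is a locally derived offset within `tol_ms` of the median
/// of offsets reported by peers? None when too few peers reported.
pub fn sanity_check(local_ms: i64, peers: &[i64], min_peers: usize, tol_ms: i64) -> Option<bool> {
    median_offset(peers, min_peers).map(|m| (local_ms as i128 - m as i128).abs() <= tol_ms as i128)
}

fn main() {
    // Constructed: three honest sources, two biased by roughly +30 s.
    let minority_biased = [12, -8, 3, 30_005, 29_990];
    // Constructed: the biased sources are now the majority.
    let majority_biased = [12, -8, 30_010, 30_005, 29_990];
    println!("median {:?}", median_offset(&minority_biased, 3));
    println!("mean   {:?}", mean_offset(&minority_biased));
    println!("median {:?}", median_offset(&majority_biased, 3));
    println!("check  {:?}", sanity_check(12, &[10, 20, 1_000, -5], 3, 50));
}
```

The second median call shows the limit of the approach: once the biased sources form a majority, the median follows them, which is why the choice and geographic spread of default sources matters.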
burdges commented Apr 19, 2024

We could likely solve this entirely outside Substrate, just in the choice of recommended Linux distribution, but it's still worth discussing the defaults like who we ask for times, and how they're combined.

burdges commented Apr 19, 2024

Around "decentralized" sanity checks, we know three network strategies by which validators share their times:

  • Use babe/sassafras - Least precise sanity check, but very robust since babe/sassafras keep running if grandpa fails. Cardano proposed this, and Handan explored something very similar, so likely this suffices.
  • Use grandpa votes - It's more precise I guess, but maybe overkill based upon the analysis noted above.
  • Use some heartbeat sent over the existing direct connections between validators - This can avoid the delays of gossip, making it similar quality to NTP/NTS, and maybe even fits into NTP/NTS somehow.

Again NTS alone likely suffices for now.

bkchr commented Apr 22, 2024

> We could likely solve this entirely outside Substrate, just in the choice of recommended Linux distribution, but it's still worth discussing the defaults like who we ask for times, and how they're combined.

This sounds like something that should be added to the validator guide. So, they activate it correctly etc.

>   • Use babe/sassafras - Least precise sanity check, but very robust since babe/sassafras keep running if grandpa fails. Cardano proposed this, and Handan explored something very similar, so likely this suffices.

Yeah this is something we discussed already way back before genesis of Polkadot AFAIR.
