⚠ Breaking Changes
Added a new method, VerifySourceAddress(net.Addr) bool, to the Resource Manager interface. For more details see the Source Address Verification section.
Custom implementations that want to opt out of Source Address Verification and keep the existing behavior should return false from the method.
🔦 Highlights
Per Address Reachability via AutoNAT v2
libp2p hosts can now determine reachability for individual addresses using AutoNATv2. To opt in to reachability checking, use the EnableAutoNATV2 libp2p option. With this, nodes can determine their IPv4, IPv6, and browser address reachability separately. In a future release, AutoRelay will use this information to make appropriate relay reservations.
There's a new method on the basic host, ConfirmedAddrs() (reachable, unreachable, unknown []ma.Multiaddr), that provides reachability information per host address.
There's a new event, event.EvtHostReachableAddrsChanged, which is sent when address reachability changes.
Rate Limiting
We've introduced the package github.com/libp2p/go-libp2p/x/rate for rate limiting. The struct rate.Limiter provides global, network-specific, and subnet-specific rate limiting. The subnet-specific rate limits allow for better DoS protection by rate limiting malicious IPs.
Use Limit(f func(s network.Stream)) func(s network.Stream) on Limiter to limit specific stream handlers. For example, within libp2p, the Identify service uses this as ids.Host.SetStreamHandler(IDPush, ids.rateLimiter.Limit(ids.handlePush)) to rate limit the number of times peers can perform identify push.
For non-stream use cases, use the Allow(ip) method on the limiter.
Connection Rate Limiting
New connection requests are now rate limited per IP. By default we allow 1 connection every 5 seconds from an IP address with a burst of 16 connections per IP. The burst is high enough that this should only block malicious peers.
To configure the connection rate limits, use the WithConnRateLimiters option on the Resource Manager.
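The following is an added illustration, not code from go-libp2p or its x/rate package, of what the Allow(ip) style of limiter and the connection defaults above (1 connection every 5 seconds per IP, burst of 16) mean in practice: a per-source token bucket, optionally keyed by subnet so a scan from many addresses in one /24 shares a single budget. The IPLimiter and NewIPLimiter names and the injectable clock are assumptions made here.

```go
package main

import (
	"net/netip"
	"sync"
	"time"
)

// bucket is one token bucket: at most burst tokens, refilled at rps tokens/second.
type bucket struct {
	tokens float64
	last   time.Time
}
// IPLimiter admits events per IP, or per subnet when prefixBits > 0 (24 puts all of
// 203.0.113.0/24 into one bucket). now is an injectable clock (assumed here for testing).
type IPLimiter struct {
	mu         sync.Mutex
	rps, burst float64
	prefixBits int
	now        func() time.Time
	buckets    map[netip.Prefix]*bucket
}
func NewIPLimiter(rps float64, burst, prefixBits int, now func() time.Time) *IPLimiter {
	return &IPLimiter{rps: rps, burst: float64(burst), prefixBits: prefixBits, now: now, buckets: map[netip.Prefix]*bucket{}}
}
// Allow reports whether one more event from ip fits within the limit.
func (l *IPLimiter) Allow(ip netip.Addr) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	bits := l.prefixBits
	if bits == 0 || bits > ip.BitLen() {
		bits = ip.BitLen() // per-IP bucket: full /32 or /128
	}
	key := netip.PrefixFrom(ip, bits).Masked()
	now := l.now()
	b, ok := l.buckets[key]
	if !ok {
		b = &bucket{tokens: l.burst, last: now} // a new source starts with a full burst
		l.buckets[key] = b
	}
	// Refill in proportion to elapsed time, cap at burst, then spend one token.
	if b.tokens += now.Sub(b.last).Seconds() * l.rps; b.tokens > l.burst {
		b.tokens = l.burst
	}
	b.last = now
	if b.tokens < 1 {
		return false // over the limit: reject this connection attempt
	}
	b.tokens--
	return true
}
```

With the release defaults a single address gets 16 connections immediately and then one more every 5 seconds, while unrelated addresses are unaffected.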
Source Address Verification for QUIC
This release introduces Source Address Verification for QUIC, preventing DoS attacks that spoof IP addresses. See https://www.rfc-editor.org/rfc/rfc9000.html#section-8 for details.
We are now gating incoming QUIC connections before the handshake is started. This further improves DoS protection by not wasting CPU on handshaking QUIC connections that the Resource Manager would have dropped anyway.
Other changes
Refactored the addressing code within BasicHost and moved it into Address Manager. In a future release, this will be exposed to users with an improved Address API for the libp2p Host.
Changelog
< changelog generated by scripts/mkreleaselog >
✅ Release Checklist
Stage 0 - Finishing Touches
Go through relevant libp2p repos looking for unreleased changes that should make it into the release. If you find any, cut releases.
Run go get -u ./... to see if there are any out-of-date deps that look important. If there are, bubble them. Try to avoid directly updating indirect deps in go-libp2p's go.mod when possible.
Stage 1 - Release
Publish the release through the GitHub UI, adding the release notes. Some users rely on this to receive notifications of new releases.
🗺 What's left for release
<List of items with remaining PRs and/or Issues to be considered for this release>
Deferred