raptorcast: wireauth integration

Author: dshulyak

Cargo.lock

@@ -22,6 +22,7 @@ use serde::Deserialize;
 pub struct NodeNetworkConfig {
     pub bind_address_host: Ipv4Addr,
     pub bind_address_port: u16,
+    pub authenticated_bind_address_port: Option<u16>,
 
     pub max_rtt_ms: u64,
     pub max_mbps: u16,

monad-node-config/src/network.rs

@@ -39,6 +39,7 @@ monad-updaters = { workspace = true, features = ["monad-triedb", "tokio"] }
 monad-validator = { workspace = true }
 monad-version = { workspace = true }
 monad-wal = { workspace = true }
+monad-wireauth = { workspace = true }
 
 agent = { workspace = true }
 alloy-rlp = { workspace = true }

monad-node/Cargo.toml

@@ -31,7 +31,7 @@ use monad_consensus_state::ConsensusConfig;
 use monad_consensus_types::{metrics::Metrics, validator_data::ValidatorSetDataWithEpoch};
 use monad_control_panel::ipc::ControlPanelIpcReceiver;
 use monad_crypto::certificate_signature::{
-    CertificateKeyPair, CertificateSignaturePubKey, CertificateSignatureRecoverable, PubKey,
+    CertificateSignaturePubKey, CertificateSignatureRecoverable, PubKey,
 };
 use monad_dataplane::DataplaneBuilder;
 use monad_eth_block_policy::EthBlockPolicy;
@@ -51,7 +51,7 @@ use monad_peer_discovery::{
 use monad_pprof::start_pprof_server;
 use monad_raptorcast::{
     config::{RaptorCastConfig, RaptorCastConfigPrimary},
-    RAPTORCAST_SOCKET,
+    AUTHENTICATED_RAPTORCAST_SOCKET, RAPTORCAST_SOCKET,
 };
 use monad_router_multi::MultiRouter;
 use monad_state::{MonadMessage, MonadStateBuilder, VerifiedMonadMessage};
@@ -507,9 +507,16 @@ fn build_raptorcast_router<ST, SCT, M, OM>(
     locked_epoch_validators: Vec<ValidatorSetDataWithEpoch<SCT>>,
     current_epoch: Epoch,
     current_round: Round,
-) -> MultiRouter<ST, M, OM, MonadEvent<ST, SCT, ExecutionProtocolType>, PeerDiscovery<ST>>
+) -> MultiRouter<
+    ST,
+    M,
+    OM,
+    MonadEvent<ST, SCT, ExecutionProtocolType>,
+    PeerDiscovery<ST>,
+    monad_raptorcast::auth::WireAuthProtocol,
+>
 where
-    ST: CertificateSignatureRecoverable,
+    ST: CertificateSignatureRecoverable<KeyPairType = monad_secp::KeyPair>,
     SCT: SignatureCollection<NodeIdPubKey = CertificateSignaturePubKey<ST>>,
     M: Message<NodeIdPubKey = CertificateSignaturePubKey<ST>>
         + Decodable
@@ -523,6 +530,10 @@ where
         IpAddr::V4(node_config.network.bind_address_host),
         node_config.network.bind_address_port,
     );
+    let authenticated_bind_address = node_config
+        .network
+        .authenticated_bind_address_port
+        .map(|port| SocketAddr::new(IpAddr::V4(node_config.network.bind_address_host), port));
     let Some(SocketAddr::V4(name_record_address)) = resolve_domain_v4(
         &NodeId::new(identity.pubkey()),
         &peer_discovery_config.self_address,
@@ -535,6 +546,7 @@ where
 
     tracing::debug!(
         ?bind_address,
+        ?authenticated_bind_address,
         ?name_record_address,
         "Monad-node starting, pid: {}",
         process::id()
@@ -554,18 +566,35 @@ where
         .with_tcp_rps_burst(
             network_config.tcp_rate_limit_rps,
             network_config.tcp_rate_limit_burst,
-        )
-        .extend_udp_sockets(vec![monad_dataplane::UdpSocketConfig {
-            socket_addr: bind_address,
-            label: RAPTORCAST_SOCKET.to_string(),
-        }]);
+        );
+
+    let mut udp_sockets = vec![monad_dataplane::UdpSocketConfig {
+        socket_addr: bind_address,
+        label: RAPTORCAST_SOCKET.to_string(),
+    }];
+    if let Some(auth_addr) = authenticated_bind_address {
+        udp_sockets.push(monad_dataplane::UdpSocketConfig {
+            socket_addr: auth_addr,
+            label: AUTHENTICATED_RAPTORCAST_SOCKET.to_string(),
+        });
+    }
+    dp_builder = dp_builder.extend_udp_sockets(udp_sockets);
 
     let self_id = NodeId::new(identity.pubkey());
-    let self_record = NameRecord::new(
-        *name_record_address.ip(),
-        name_record_address.port(),
-        peer_discovery_config.self_record_seq_num,
-    );
+    let self_record = match network_config.authenticated_bind_address_port {
+        Some(auth_port) => NameRecord::new_with_authentication(
+            *name_record_address.ip(),
+            name_record_address.port(),
+            network_config.bind_address_port,
+            auth_port,
+            peer_discovery_config.self_record_seq_num,
+        ),
+        None => NameRecord::new(
+            *name_record_address.ip(),
+            network_config.bind_address_port,
+            peer_discovery_config.self_record_seq_num,
+        ),
+    };
     let self_record = MonadNameRecord::new(self_record, &identity);
     assert!(
         self_record.signature == peer_discovery_config.self_name_record_sig,
@@ -658,10 +687,14 @@ where
         rng: ChaCha8Rng::from_entropy(),
     };
 
+    let shared_key = Arc::new(identity);
+    let wireauth_config = monad_wireauth::Config::default();
+    let auth_protocol = monad_raptorcast::auth::WireAuthProtocol::new(wireauth_config, &shared_key);
+
     MultiRouter::new(
         self_id,
         RaptorCastConfig {
-            shared_key: Arc::new(identity),
+            shared_key,
             mtu: network_config.mtu,
             udp_message_max_age_ms: network_config.udp_message_max_age_ms,
             primary_instance: RaptorCastConfigPrimary {
@@ -677,6 +710,7 @@ where
         peer_discovery_builder,
         current_epoch,
         epoch_validators,
+        auth_protocol,
     )
 }
 

monad-node/src/main.rs

@@ -30,6 +30,12 @@ struct Args {
     #[arg(long)]
     address: SocketAddrV4,
 
+    #[arg(
+        long,
+        help = "Optional authenticated UDP port. If provided, will create name record with authenticated UDP port"
+    )]
+    authenticated_udp_port: Option<u16>,
+
     /// Sequence number for the name record
     #[arg(long)]
     self_record_seq_num: Option<u64>,
@@ -69,12 +75,25 @@ fn main() {
             .unwrap_or_else(|| panic!("Either node_config or self_record_seq_num must be provided"))
     };
     let self_address = args.address;
-    let name_record = NameRecord::new(*self_address.ip(), self_address.port(), self_record_seq_num);
+    let name_record = if let Some(authenticated_udp_port) = args.authenticated_udp_port {
+        NameRecord::new_with_authentication(
+            *self_address.ip(),
+            self_address.port(),
+            self_address.port(),
+            authenticated_udp_port,
+            self_record_seq_num,
+        )
+    } else {
+        NameRecord::new(*self_address.ip(), self_address.port(), self_record_seq_num)
+    };
     let signed_name_record: MonadNameRecord<SecpSignature> =
         MonadNameRecord::new(name_record, &keypair);
 
     println!("self_address = {:?}", self_address.to_string());
     println!("self_record_seq_num = {}", self_record_seq_num);
+    if let Some(authenticated_udp_port) = args.authenticated_udp_port {
+        println!("authenticated_udp_port = {}", authenticated_udp_port);
+    }
     println!(
         "self_name_record_sig = {:?}",
         hex::encode(signed_name_record.signature.serialize())

monad-peer-discovery/examples/sign-name-record.rs

@@ -21,6 +21,7 @@ monad-raptor = { workspace = true }
 monad-secp = { workspace = true }
 monad-types = { workspace = true }
 monad-validator = { workspace = true }
+monad-wireauth = { workspace = true }
 
 alloy-rlp = { workspace = true }
 bitvec = { workspace = true }
@@ -36,7 +37,8 @@ rand = { workspace = true }
 rand_chacha = { workspace = true }
 thiserror = { workspace = true }
 tracing = { workspace = true }
-tokio = { workspace = true }
+tokio = { workspace = true, features = ["macros"] }
+zerocopy = { workspace = true }
 
 [dev-dependencies]
 monad-testutil = { workspace = true }
@@ -49,11 +51,15 @@ eyre = { workspace = true }
 futures-util = { workspace = true }
 humantime = { workspace = true }
 insta = { workspace = true }
+opentelemetry = { workspace = true }
+opentelemetry_sdk = { workspace = true, features = ["rt-tokio"] }
+opentelemetry-otlp = { workspace = true, features = ["metrics", "grpc-tonic"] }
+opentelemetry-semantic-conventions = { workspace = true }
 rand_distr = { workspace = true }
 rstest = { workspace = true }
 serde = { workspace = true, features = ["derive"] }
 tikv-jemallocator = { workspace = true }
-tokio = { workspace = true, features = ["macros", "rt-multi-thread", "sync"] }
+tokio = { workspace = true, features = ["macros", "rt-multi-thread", "sync", "test-util"] }
 toml = { workspace = true }
 tracing-subscriber = { workspace = true, features = ["env-filter"] }