Skip to content

integrate authentication #2544

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 23 commits into
base: master
Choose a base branch
from
Draft

integrate authentication #2544

wants to merge 23 commits into from
+13,441 −857

Conversation

@dshulyak
Copy link
Contributor

@dshulyak dshulyak commented Nov 11, 2025
edited
Loading

dependencies: #2417 #2458 #2538

test plan

  • performance evaluation

auth overhead is 32 bytes per datagram and 200ns per encrypt/decrypt operation.
the expected latency degradation should be ~2%.

  • longevity testing with disruption (using chaos-mesh)

the goal is to verify that protocol doesn't enter broken state and can recover after
expected disruptions (one sided restarts/crashes, prolonged connectivity loss, packet loss)

i will use the same same workload as in the previous test and automate those disruptions with https://github.com/chaos-mesh/chaos-mesh

running this setup https://github.com/dshulyak/monad-testing/ , everything as expected so far

  • worst case dos attacks on authentication protocol

  • handshake spamming should hit rate limits and not cause raptorcast thread starvation

  • smallest (32bytes) unauthenticated messages with sub-1Gbps rate should not be able to cause raptorcast thread starvation

  • upgrades sanity testing on stressnet

it is possible to run auth/non-auth nodes at the same time, and should not cause any disruptions to normal operations.

performance evaluation

i am using latency.rs 100 nodes cluster with simulation toolkit on an aws c6a.48xlarge instance with 192vcpus.
for latency simulatation nodes are divided into 10 buckets, with 20ms incremental latency.
workload sends 2MB raptorcast payload every 1s, latency captures time for encoding, decoding and network propagation

Overall Statistics Summary (g1 excluded):
================================================================================
         Config  Count  Mean  Std   P50   p70   P90   P95   P99
  AUTH 2MB 20ms 28,631 261.2 31.8 261.8 279.8 300.2 307.8 326.2
NOAUTH 2MB 20ms 51,033 259.4 31.1 260.9 279.4 299.1 306.2 321.3

p99 is somewhat around 2% and in lower percentiles auth overhead is less noticeable.

image

dos attacks

i tested handshake spamming at 2000-3000-4000 handshakes per second and after 2000 they don't increase cpu/memory usage. the limits in place are affective, at the peak such spam utilizes 60% and can't starve raptorcast thread.

cpu usage in raptorcast threads peak at ~20% with 60MB of working set size.

with 500mbps and 1000mbps dataplane thread gets completely starved, raptorcast peaks at 60%.

@dshulyak dshulyak force-pushed the dmitry/wireauth-integration branch 7 times, most recently from 6d6b9a5 to a6a9ce8 Compare November 16, 2025 06:31
@dshulyak
authentication protocol for udp
1fb16e6
@dshulyak
address feedback
ed0f8dd
@dshulyak
wireauth: refactor dispatch with typed packet enums and plaintext wra…
22b429f 
…pper
@dshulyak
wireauth: switch to monad-secp crate
fb4f672
@dshulyak
wireauth-api: refactored benchmarks to use criterion
4c932c6
@dshulyak
wireauth: merge crates
0e2e748
@dshulyak
wireauth: various cleanups
b674939
@dshulyak
wireauth: record metrics for all failure points in api
b4b067b
@dshulyak
wireauth: added is_connected_socket and is_connected_public_key methods
2b84f04
@dshulyak
wireauth: changed next_deadline to return Instant instead of Duration
96922d4
@dshulyak
wireauth: changes from integration branch
56ca12b
@dshulyak
wireauth: add license
3f4207d
@dshulyak
wireauth: cleanup deps
34e3b1c
@dshulyak
wpr feedback
88b12ff
@dshulyak
cargo: added monad-wireauth to cargo-shear ignored list and removed u…
eca4ab9 
…nused divan
@dshulyak
cargo shear fix
d3139e9
@dshulyak
clippy errors after updates
3372b25
@dshulyak
more cleanups and docs
3895d03
@dshulyak
channges from raptorcast integration
2959235
@dshulyak
docs for metrics/config and renewed timer bugfix
1c4fc4c
@dshulyak
dataplane: refactor to use socket handles
88b11ee
@dshulyak
monad-peer-discovery: added authenticated udp port to name record
eb59a07
@dshulyak dshulyak force-pushed the dmitry/wireauth-integration branch from fe8542d to adedbe9 Compare November 21, 2025 07:56
@dshulyak dshulyak force-pushed the dmitry/wireauth-integration branch 8 times, most recently from 6682a37 to 5365aec Compare November 26, 2025 19:08
@dshulyak dshulyak force-pushed the dmitry/wireauth-integration branch from 5365aec to 30bff0c Compare November 27, 2025 09:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@omegablitz omegablitz Awaiting requested review from omegablitz omegablitz will be requested when the pull request is marked ready for review omegablitz is a code owner

@ariqchowdhury ariqchowdhury Awaiting requested review from ariqchowdhury ariqchowdhury will be requested when the pull request is marked ready for review ariqchowdhury is a code owner

@michael-yxchen michael-yxchen Awaiting requested review from michael-yxchen michael-yxchen will be requested when the pull request is marked ready for review michael-yxchen is a code owner

Copilot code review Copilot Awaiting requested review from Copilot Copilot will automatically review once the pull request is marked ready for review

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@dshulyak