Description
🗺 What's left for release
- potential deadlock and go routine leak on close? go-yamux#129
- Address comment in go-clock migration #3293 (comment)
- Introduce Rate Limiting #3265
- [ ]
<List of items with remaining PRs and/or Issues to be considered for this release>
Deferred
⚠ Breaking Changes
Added a new method, VerifySourceAddress(net.Addr) bool, to the Resource Manager interface.
For more details see the Source Address Verification section.
For custom implementation which want to opt out of Source Address Verification and keep the existing behavior, return false from the method.
🔦 Highlights
Per Address Reachability via AutoNAT v2
libp2p hosts can now determine reachability for individual addresses using AutoNATV2. To opt in to reachability checking use the EnableAutoNATV2 libp2p option. Using this nodes can now determine their IPv4, IPv6, and browser address reachability separately. In a future release, AutoRelay will use this information and make appropriate relay reservations accordingly.
There's a new method on the basic host, ConfirmedAddrs() (reachable, unreachable, unknown []ma.Multiaddr) that provides Reachability information per host address.
There's a new event which is sent on Address Reachability changes event.EvtHostReachableAddrsChanged
Rate Limiting
We've introduced the package github.com/libp2p/go-libp2p/x/rate for rate limiting. The struct rate.Limiter provides Global, Network Specific, and Subnet Specific rate limiting. The Subnet specific rate limits allows for better DoS Protection by rate limiting malicious IPs.
Use Limit(f func(s network.Stream)) func(s network.Stream) on Limiter to limit specific stream handlers. For example, within libp2p, the Identify Service uses this as
ids.Host.SetStreamHandler(IDPush, ids.rateLimiter.Limit(ids.handlePush)) to rate limit the number of times peers can perform identify push.
For non Stream use cases use the Allow(ip) method on the limiter.
Connection Rate Limiting
New connection requests are now rate limited per IP. By default we allow 1 connection every 5 seconds from an IP address with a burst of 16 connections per IP. The burst is high enough that this should only block malicious peers.
To configure the connection rate limits, use the WithConnRateLimiters option on the Resource Manager.
Source Address Verification for QUIC
This release introduces Source Address Verification for QUIC, preventing DoS attacks by spoofing IP addresses. See: https://www.rfc-editor.org/rfc/rfc9000.html#section-8 for details.
We are now gating incoming QUIC connections before the handshake is started. This further improves DoS protection by not wasting CPU on handshaking QUIC connections which would have been dropped by the Resource Manager.
Other changes
- WebRTC Direct peers can now send messages of up to 256 kB (see spec: Update WebRTC message size limit specs#628)
- Refactored the addressing code within BasicHost and moved it into Address Manager. In a future release, this will be exposed to users with an improved Address API for the libp2p Host.
Changelog
< changelog generated by scripts/mkreleaselog >
✅ Release Checklist
- Stage 0 - Finishing Touches
- Go through relevant libp2p repos looking for unreleased changes that should make it into the release. If you find any, cut releases.
- Run
go get -u ./...to see if there are any out-of-date deps that look important. If there are, bubble them. Try to avoid directly updating indirect deps in go-libp2p'sgo.modwhen possible.
- Stage 1 - Release
- Publish the release through the GitHub UI, adding the release notes. Some users rely on this to receive notifications of new releases.
- Announce the release on the discuss.libp2p.io.
- Stage 2 - Update Upstream
- Update the examples to the final release
- Update the upstream dependencies to the final release and create PRs.
- filecoin-project/lotus
- go-libp2p-kad-dht
- go-libp2p-pubsub (In case of breaking changes.)
- ipfs/kubo
- Add new release to interop tester in test-plans
- Make required changes to the release process.