Published on: 2022-09-03T13:09:15+00:00
In a discussion on the Lightning-dev mailing list, Alex Akselrod from NYDIG proposed a solution to harden large LND (Lightning Network Daemon) deployments. Currently, LND verifies the identity of external untrusted peers during the noise handshake before enforcing any potential key-based allow lists. To reduce the attack surface of the main node process, Akselrod suggested separating peer communication into a separate process, similar to CLN's connectd. This would involve multiplexing connections over a single network connection initiated from the node to the proxy. A draft PR demonstrating this idea has been shared on GitHub.In response to this proposal, Pierre-Marie Padiou from ACINQ commented that their implementation, which aims to reduce the attack surface while improving scalability, is quite similar to eclair's cluster mode. ACINQ's implementation involves multiple instances of a proxy that can be adjusted without downtime. The proxy also performs preprocessing for gossip, such as keeping an up-to-date copy of the routing table and deduplicating incoming announcements before forwarding them to the backend for verification. Outgoing connections are initiated by the proxy, and incoming connections from Tor are directed to the proxy. They also introduced a separate key hierarchy for channel management and considered implementing a "lockdown mode" where the front only allows incoming connections from known peers that already have a channel.NYDIG is currently considering the proposal and seeks feedback on the general direction of the solution. They have created a draft PR on GitHub to demonstrate the core of the idea. The goal is to separate peer communication into a separate process to reduce the attack area of the main node process. By doing so, they aim to enhance the security and scalability of large LND deployments. The proposal comes in response to the need for infrastructure to withstand strong attacks from adversaries targeting high-value Lightning Network infrastructure. The LDK-side has been working on security and safety hardening measures, including external signing, replicated chain monitoring, dynamic fee-bumping of time-sensitive transactions, and mitigating various attack vectors. They also hope to collaborate with the wider Lightning community on reusable security modules and advocate for improvements in Bitcoin Core.Overall, NYDIG's proposal to separate peer communication in large LND deployments aims to improve security and scalability by reducing the attack surface of the main node process. The proposal is open for feedback, and a draft PR has been shared on GitHub to demonstrate the core idea.
Updated on: 2023-08-01T00:40:56.409111+00:00