From 77934d828030c4027e4c4bcd004775df958db3c0 Mon Sep 17 00:00:00 2001 From: Rahul Ghangas Date: Fri, 9 Sep 2022 11:09:42 +0000 Subject: [PATCH 1/6] feat: add initial vesion of ADR for whitelisting chains --- docs/architecture/ADR-004-IBC-whitelist.md | 29 ++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 docs/architecture/ADR-004-IBC-whitelist.md diff --git a/docs/architecture/ADR-004-IBC-whitelist.md b/docs/architecture/ADR-004-IBC-whitelist.md new file mode 100644 index 0000000000..c671acab43 --- /dev/null +++ b/docs/architecture/ADR-004-IBC-whitelist.md 
@@ -0,0 +1,29 @@ +# ADR 004: IBC Whitelist/Allowlist + + + +## Terminology + +All terminolofy is defined in [ICS 024](https://github.com/cosmos/ibc/tree/main/spec/core/ics-024-host-requirements) and some references are from correspodnign implementation of [ICS 002](https://github.com/cosmos/ibc/tree/main/spec/core/ics-002-client-semantics) in [ibc-go](https://github.com/cosmos/ibc-go/blob/da1b7e0aaf4b7d466b1a7d1ed4f5d81149ff1d5b/modules/core/02-client) + +## Changelog + +- 2022-03-03: Initial Commit + +## Context + +While enabling IBC, we want to connect, and allow messages from selected chains. However, we dont want the ability for an arbitrary entity to create an IBC connection with a zone. This is so that we can keep the state machine as minimal and focused as possible. + +ICS specification indicates that is possible by providing a custom `validateClientIdentifier`, but no such functionality exists currently. + +Secondly, the ICS specification dictates that `createClient` takes in an `Identifier`. A potential solution could be to create a store for allowed `Identifiers` at genesis, and reject creation of clients for invalid identifiers. However, this is not true for the current state of the implementation. Rather, client ID is generated from an incremental counter `NextClientSequence` and the client type. + +## Proposal + +Fork IBC, and create a store of whitelisted public keys. Only `createClient` txns that are signed by private keys corresponding to whitelisted/stored public keys are deemed valid, and the rest are invalidated. Specific keys will only be required for client creation, and rest of IBC will work as is. + +## Alternative approaches + +1. Simplest solution is fork to IBC, and add a small change to disallow creation/registration of new clients. Then we can create clients for the chains that we want to allow at genesis, and effectively create a whitelist. However, adding new clients or removing clients is not feasible under this. + +2. 
Add a middleware to revert packets from non-whitelisted chains. This still adds state bloat since clients and corresponding connections are allowed to be established, but adds economic incentive in terms of lost gas from the malicious user/actor \ No newline at end of file From 70b7f6ee9c2dce33a388ac450e334c2f083d4c31 Mon Sep 17 00:00:00 2001 From: Rahul Ghangas Date: Thu, 15 Sep 2022 14:23:58 +1000 Subject: [PATCH 2/6] chore: remove markdown lint Co-authored-by: Rootul P --- docs/architecture/ADR-004-IBC-whitelist.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/docs/architecture/ADR-004-IBC-whitelist.md b/docs/architecture/ADR-004-IBC-whitelist.md index c671acab43..ce2f5a65da 100644 --- a/docs/architecture/ADR-004-IBC-whitelist.md +++ b/docs/architecture/ADR-004-IBC-whitelist.md @@ -1,6 +1,4 @@ # ADR 004: IBC Whitelist/Allowlist - - ## Terminology From ffabfbd0847a656db9879196d1ab6456ce74b36c Mon Sep 17 00:00:00 2001 From: Rahul Ghangas Date: Thu, 15 Sep 2022 14:24:12 +1000 Subject: [PATCH 3/6] chore: typo Co-authored-by: Rootul P --- docs/architecture/ADR-004-IBC-whitelist.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/architecture/ADR-004-IBC-whitelist.md b/docs/architecture/ADR-004-IBC-whitelist.md index ce2f5a65da..70550f21d6 100644 --- a/docs/architecture/ADR-004-IBC-whitelist.md +++ b/docs/architecture/ADR-004-IBC-whitelist.md 
@@ -2,7 +2,7 @@ ## Terminology -All terminolofy is defined in [ICS 024](https://github.com/cosmos/ibc/tree/main/spec/core/ics-024-host-requirements) and some references are from correspodnign implementation of [ICS 002](https://github.com/cosmos/ibc/tree/main/spec/core/ics-002-client-semantics) in [ibc-go](https://github.com/cosmos/ibc-go/blob/da1b7e0aaf4b7d466b1a7d1ed4f5d81149ff1d5b/modules/core/02-client) +All terminology is defined in [ICS 024](https://github.com/cosmos/ibc/tree/main/spec/core/ics-024-host-requirements) and some references are from corresponding implementation of [ICS 002](https://github.com/cosmos/ibc/tree/main/spec/core/ics-002-client-semantics) in [ibc-go](https://github.com/cosmos/ibc-go/blob/da1b7e0aaf4b7d466b1a7d1ed4f5d81149ff1d5b/modules/core/02-client) ## Changelog From b407e4bb693b74ef5da4b665e15c65ea1508ec6d Mon Sep 17 00:00:00 2001 From: Rahul Ghangas Date: Thu, 15 Sep 2022 14:24:25 +1000 Subject: [PATCH 4/6] chore: typo Co-authored-by: Rootul P --- docs/architecture/ADR-004-IBC-whitelist.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/architecture/ADR-004-IBC-whitelist.md b/docs/architecture/ADR-004-IBC-whitelist.md index 70550f21d6..c80ce69622 100644 --- a/docs/architecture/ADR-004-IBC-whitelist.md +++ b/docs/architecture/ADR-004-IBC-whitelist.md 
@@ -10,7 +10,7 @@ All terminology is defined in [ICS 024](https://github.com/cosmos/ibc/tree/main/ ## Context -While enabling IBC, we want to connect, and allow messages from selected chains. However, we dont want the ability for an arbitrary entity to create an IBC connection with a zone. This is so that we can keep the state machine as minimal and focused as possible. +While enabling IBC, we want to connect, and allow messages from selected chains. However, we don't want the ability for an arbitrary entity to create an IBC connection with a zone. This is so that we can keep the state machine as minimal and focused as possible. ICS specification indicates that is possible by providing a custom `validateClientIdentifier`, but no such functionality exists currently. From 35694cc878ad9b773d52f89ac8ee8905839bdf3e Mon Sep 17 00:00:00 2001 From: Rahul Ghangas Date: Sun, 25 Sep 2022 14:46:10 +1000 Subject: [PATCH 5/6] chore: only use allowlist Co-authored-by: Rootul P --- docs/architecture/ADR-004-IBC-whitelist.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/architecture/ADR-004-IBC-whitelist.md b/docs/architecture/ADR-004-IBC-whitelist.md index c80ce69622..b913ba3c12 100644 --- a/docs/architecture/ADR-004-IBC-whitelist.md +++ b/docs/architecture/ADR-004-IBC-whitelist.md @@ -1,4 +1,4 @@ -# ADR 004: IBC Whitelist/Allowlist +# ADR 004: IBC Allowlist ## Terminology From e3b621927a89f09a8bf2dd448a9828d868e818cb Mon Sep 17 00:00:00 2001 From: Rahul Ghangas Date: Sun, 25 Sep 2022 16:17:58 +1000 Subject: [PATCH 6/6] chore: rename ADR-004-ibc whitelist to ADR-004-ibc-allowlist --- .../{ADR-004-IBC-whitelist.md => ADR-004-IBC-allowlist.md} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename docs/architecture/{ADR-004-IBC-whitelist.md => ADR-004-IBC-allowlist.md} (97%) 
diff --git a/docs/architecture/ADR-004-IBC-whitelist.md b/docs/architecture/ADR-004-IBC-allowlist.md similarity index 97% rename from docs/architecture/ADR-004-IBC-whitelist.md rename to docs/architecture/ADR-004-IBC-allowlist.md index b913ba3c12..e5b988129b 100644 --- a/docs/architecture/ADR-004-IBC-whitelist.md +++ b/docs/architecture/ADR-004-IBC-allowlist.md @@ -24,4 +24,4 @@ Fork IBC, and create a store of whitelisted public keys. Only `createClient` txn 1. Simplest solution is fork to IBC, and add a small change to disallow creation/registration of new clients. Then we can create clients for the chains that we want to allow at genesis, and effectively create a whitelist. However, adding new clients or removing clients is not feasible under this. -2. Add a middleware to revert packets from non-whitelisted chains. This still adds state bloat since clients and corresponding connections are allowed to be established, but adds economic incentive in terms of lost gas from the malicious user/actor \ No newline at end of file +2. Add a middleware to revert packets from non-whitelisted chains. This still adds state bloat since clients and corresponding connections are allowed to be established, but adds economic incentive in terms of lost gas from the malicious user/actor
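Review bot: In the PATCH 1/6 hunk, the Proposal section gates `createClient` on the transaction signer's key, but the Context section states the goal as allowing messages only from selected chains; an allowlisted signer can still create a client for any counterparty, so the ADR should say how signer authorization maps to chain authorization (for example, that allowlisted key holders are responsible for checking the counterparty chain ID, or an explicit check of the submitted client state's chain ID against an allowed set). The same section should state how the allowlisted key store is initialised and changed (genesis only, governance proposal, or a privileged message), since alternative 1 is rejected precisely because clients cannot be added or removed later, and whether the store holds raw public keys or account addresses, since the message signer is identified by address. Minor: the Changelog entry reads `2022-03-03: Initial Commit` while this commit is dated 2022-09-09, and the ADR has no Status or Consequences section, so it is unclear whether it is proposed or accepted.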
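Review bot: Style only for the PATCH 2/6 hunk: it removes the two blank lines after the title, and patches 2 through 5 are all one- or two-line lint and typo fixes co-authored by the same reviewer; consider squashing them into the initial ADR commit before merge so the history carries one commit per substantive change.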
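Review bot: The typo fixes in the PATCH 3/6 hunk (`terminolofy`, `correspodnign`) are correct, but the resulting line still reads `some references are from corresponding implementation of [ICS 002]`; while this line is being edited, make it `from the corresponding implementation of [ICS 002]`. The ibc-go link is pinned to a full commit hash, which is good for reproducibility; a short note of the release that commit belongs to would make the reference easier to follow.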
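Review bot: In the PATCH 4/6 hunk the `dont` to `don't` fix is correct, but the unchanged context line two lines below, `ICS specification indicates that is possible by providing a custom validateClientIdentifier`, has a similar slip and should read `The ICS specification indicates this is possible by providing a custom validateClientIdentifier`; it can be fixed in the same commit. That line also introduces `validateClientIdentifier` as a spec hook with no implementation, yet the Proposal never returns to it, so the ADR should say whether the fork adds that hook or bypasses it with the signer check.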
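Review bot: The PATCH 5/6 hunk renames the title to `IBC Allowlist` but leaves the file name `ADR-004-IBC-whitelist.md` unchanged in this commit (only the next patch renames it), so the series has an intermediate state where title and path disagree; squash patch 5 into patch 6, and add a Changelog entry for the rename, since the Changelog still lists only `2022-03-03: Initial Commit`.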
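Review bot: Besides the file rename, the only content change in the PATCH 6/6 hunk is adding the missing trailing newline to the last line (the `\ No newline at end of file` marker is dropped), which the commit message `chore: rename ADR-004-ibc whitelist to ADR-004-ibc-allowlist` does not mention; either say so in the message or fold the newline fix into patch 2, the markdown lint commit. More importantly, the file is now `ADR-004-IBC-allowlist.md` yet the lines shown in this hunk still read `whitelisted public keys`, `effectively create a whitelist` and `non-whitelisted chains`, so the terminology remains inconsistent after the series as a whole; replace those occurrences with `allowlisted` / `allowlist` in the same commit.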