fix: p2p security and privacy improvements #81

Merged: R0BC0D3R merged 5 commits into master from fix/security-p2p-net-node, May 21, 2026

@R0BC0D3R
Member

Summary

Ports several security and privacy fixes from upstream Monero to src/p2p/net_node.inl and src/p2p/net_node.h.

  • Anonymous inbound address leak (Monero PR #9632): Self-address inserted at a random position with timestamp=0 in timed sync responses, preventing correlation of our own onion/I2P address by list position or wall-clock time across responses.

  • Peer diversity (Monero PR #9939): Upgraded subnet deduplication from /16 to /24, and changed the tried-peers tracking set from list index to peer ID to avoid skipping valid peers when the peerlist is modified mid-iteration.

  • Stale outgoing connection counter: get_outgoing_connections_count now refreshes m_current_number_of_out_peers on every call, preventing the connection-maker from stalling when peers drop between 1-second poll intervals.

  • Peer ID disabled over anonymity networks (Monero commit 37bb594): Peer IDs were randomly assigned to all network zones including Tor and I2P, allowing an observer to correlate connections across anonymity network traffic. Fixed by defaulting peer_id to 1 for non-public zones and guarding all peer_id comparisons with a public-zone check. Anonymity networks now identify duplicate connections by address only.

  • Silent tx drop on privacy networks (Monero PR #9267): Tx send no longer selects an anonymity network zone that has no active outgoing connections, preventing transactions from being silently queued with no chance of delivery.

Test plan

  • Builds cleanly on target platforms
  • Daemon starts and connects to peers normally
  • No regression in outbound connection count over time
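
An added sketch of the anonymous-inbound fix summarized in the first bullet above (not code from this PR or from Monero; `PeerEntry` and every function name are hypothetical, and the other entries are given timestamp 0 by construction). It contrasts the two response-building behaviours and includes a regression check that can be run over a batch of responses:

```cpp
// Added illustration; PeerEntry and all function names are hypothetical,
// not identifiers from src/p2p/net_node.inl.
#include <cstdint>
#include <random>
#include <set>
#include <string>
#include <vector>

struct PeerEntry { std::string addr; int64_t last_seen; };
using Response = std::vector<PeerEntry>;

// Pre-fix behaviour as described: own address last, wall-clock timestamp.
Response respond_before_fix(Response peers, const std::string& self, int64_t now) {
    peers.push_back(PeerEntry{self, now});
    return peers;
}

// Post-fix behaviour as described: random position, timestamp 0.
Response respond_after_fix(Response peers, const std::string& self, std::mt19937& rng) {
    std::uniform_int_distribution<size_t> pos(0, peers.size());  // inclusive: end() allowed
    peers.insert(peers.begin() + pos(rng), PeerEntry{self, 0});
    return peers;
}

// Regression check over several responses: true if the self entry ever has a
// non-zero timestamp or sits at the same distance from the end every time.
bool self_entry_stands_out(const std::vector<Response>& responses, const std::string& self) {
    std::set<size_t> from_end;
    for (const Response& r : responses)
        for (size_t i = 0; i < r.size(); ++i)
            if (r[i].addr == self) {
                if (r[i].last_seen != 0) return true;
                from_end.insert(r.size() - 1 - i);
            }
    return from_end.size() <= 1;
}

// Constructed sample: 200 responses over the same five placeholder peers.
std::vector<Response> sample_responses(bool fixed) {
    const Response peers = {{"peer-a.onion", 0}, {"peer-b.onion", 0}, {"peer-c.onion", 0},
                            {"peer-d.onion", 0}, {"peer-e.onion", 0}};
    std::mt19937 rng(81);  // fixed seed so the sample is repeatable
    std::vector<Response> out;
    for (int i = 0; i < 200; ++i)
        out.push_back(fixed ? respond_after_fix(peers, "self.onion", rng)
                            : respond_before_fix(peers, "self.onion", 1747300000 + i));
    return out;
}
```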

R0BC0D3R added 4 commits May 15, 2026 11:22

Nodes running --anonymous-inbound (Tor/I2P) were appending their own
onion/I2P address to peerlist responses with a real wall-clock timestamp
and always in the last position. An observer receiving multiple responses
could trivially identify the node's own address by its fixed position and
correlate it across time using the timestamp.

Fix: insert at a random position with timestamp=0, matching Monero PR #9632
(shipped in v0.18.4.0, Apr 2025).

No effect on clearnet-only nodes — the code path requires an outgoing
connection in the same zone as m_our_address.

- Upgrade peer diversity filter from /16 to /24 subnet deduplication:
  reduces spy node effectiveness from ~3.6 to ~1.06 connections per
  outbound slot (Monero PR #9939)

- Track tried peers by ID not peerlist index in
  make_new_connection_from_peerlist: peerlist shifts between iterations
  could cause retries or skips with index-based tracking

- Refresh m_current_number_of_out_peers in get_outgoing_connections_count:
  stale counter caused try_to_connect_and_handshake_with_new_peer to
  refuse new connections after a peer dropped until the background
  thread caught up (Monero PR #9939)

…send

When sending transactions over Tor/I2P, the fallback zone selection loop
checked only whether a proxy was configured (m_connect), not whether active
outgoing connections existed. This could silently queue transactions on a
zone with no peers, where they may never be delivered.

Now verifies at least one outgoing connection exists before selecting a
zone, and logs a warning when all anonymity networks lack connections.

Port of Monero PR #9267.

Peer IDs were randomly assigned to all network zones, including Tor and
I2P. This allowed an observer to correlate connections across a node's
anonymity network traffic using the persistent peer_id field.

Fix by defaulting peer_id to 1 for all zones and assigning a random value
only to the public zone during init. All peer_id comparisons (self-
connection detection, is_peer_used) are now guarded by a public-zone
check. Anonymity network zones identify duplicate connections by address
only. Also adds guards to skip connecting to our own onion/I2P address
if it appears in the peerlist.

Port of Monero commit 37bb594.

github-actions Bot commented May 15, 2026

Build Artifacts

Targets:

  • nerva-linux-armv7
  • nerva-linux-armv8
  • nerva-windows-x32
  • nerva-linux-i686
  • nerva-windows-x64
  • nerva-linux-x86_64
  • nerva-macos-x64
  • nerva-macos-armv8
  • nerva-freebsd-x86_64
  • nerva-android-armv8

10 succeeded, 0 failed

@sn1f3rt left a comment

Two inline issues identified in the diff.

Comment thread src/p2p/net_node.inl Outdated
Comment thread src/p2p/net_node.inl
…hor peerlist

0x00ffffff masks the wrong octets when m_ip is in network byte order,
causing /24 deduplication to compare mismatched subnet values. Corrected
to 0xffffff00 which preserves the first three octets as intended.

Add the zone.m_our_address == pe.adr self-address guard to
make_new_connection_from_anchor_peerlist for defence-in-depth,
matching the existing check in make_new_connection_from_peerlist.

Addresses review comments by sn1f3rt on PR #81.
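
Which of the two constants named in this commit message keeps the first three octets depends on where the first octet sits in the 32-bit value. The following is an added example, not code from the PR: the layout of `m_ip` is not shown on this page, so both packings are modelled as assumptions, and `Octets`, the `pack_*` helpers, `same_bucket` and `slash24_key` are hypothetical names. It checks each mask against each layout and shows a key built from the octets that avoids the question:

```cpp
// Added illustration; Octets, the pack_* helpers, same_bucket and slash24_key
// are hypothetical names, not identifiers from src/p2p/net_node.inl.
#include <array>
#include <cstdint>

using Octets = std::array<uint8_t, 4>;  // a.b.c.d in textual order
using Pack = uint32_t (*)(const Octets&);

// Layout 1: first octet in the most significant byte (203.0.113.10 -> 0xCB00710A).
uint32_t pack_first_octet_high(const Octets& o) {
    return (uint32_t(o[0]) << 24) | (uint32_t(o[1]) << 16) |
           (uint32_t(o[2]) << 8) | uint32_t(o[3]);
}

// Layout 2: first octet in the least significant byte, which is what a
// little-endian host gets when it loads the four wire bytes as one integer.
uint32_t pack_first_octet_low(const Octets& o) {
    return (uint32_t(o[3]) << 24) | (uint32_t(o[2]) << 16) |
           (uint32_t(o[1]) << 8) | uint32_t(o[0]);
}

// Dedup decision as a mask-and-compare on the packed value.
bool same_bucket(const Octets& a, const Octets& b, Pack pack, uint32_t mask) {
    return (pack(a) & mask) == (pack(b) & mask);
}

// Layout-independent alternative: build the /24 key from the octets directly.
uint32_t slash24_key(const Octets& o) {
    return (uint32_t(o[0]) << 16) | (uint32_t(o[1]) << 8) | uint32_t(o[2]);
}

// Constructed sample addresses.
const Octets kHostA{{203, 0, 113, 10}};  // same /24 as kHostB
const Octets kHostB{{203, 0, 113, 11}};
const Octets kOther{{198, 0, 113, 10}};  // different /24, same last three octets as kHostA
```

A unit test that feeds two hosts from one /24 and one host from another through the real filter catches a mismatched mask regardless of platform.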

@sn1f3rt left a comment

LGTM. The critical subnet mask byte-order bug ( → ) has been correctly fixed. The remaining two observations (write-back in and unguarded seed/priority peer call sites) are not blockers — the counter is atomic so there's no data race, and the unguarded paths require operator misconfiguration to trigger. Good to merge.

@R0BC0D3R merged commit b83a2bc into master on May 21, 2026 (14 checks passed)
@R0BC0D3R deleted the fix/security-p2p-net-node branch on May 21, 2026 14:34