Describe the risks of filtering at the DS #258

Merged 2 commits on Jun 10, 2024

Conversation

bifurcation
Collaborator

Fixes #251

Comment on lines 783 to 786
For example, having the DS wait to update its state until it gets confirmation
of acceptance from a quorum of members provides some protection against buggy
clients. It is up to the designers and operators of a DS to ensure that
sufficient mechanisms are in place to address these risks.
Contributor

I believe this PR is essentially the same as mine except that you've removed the proposal to defer to clients / allow forks, with a proposal to have a quorum. Is that a correct statement? Why do you think quorum is better than allowing forks, when quorum requires all group members to be online and forking can be offline?

@TWal
Contributor

TWal commented Jun 10, 2024

I think this PR does a good job at framing the problem described in #251; however, I think it would be best to refrain from trying to give solutions: the only solution would be to transmit all commits in a consistent order, and any attempt to filter may lead to DoS. The architecture document should allow the DS to filter (because actual deployments will filter), but warn about the risks it implies.

@ekr
Collaborator

ekr commented Jun 10, 2024

I propose we take Richard's first two grafs more or less as-is and then reduce the last graf to say:

Given these risks, it is effectively impossible for a strongly consistent DS to
know with absolute certainty when it is safe to update its internal state.
It is up to the designers and operators of a DS to ensure that
sufficient mechanisms are in place to address these risks.

@bifurcation
Collaborator Author

@ekr done

Collaborator

@ekr ekr left a comment

LGTM. @rohanmahy any objections?

Contributor

@rohanmahy rohanmahy left a comment

works for me

@ekr ekr merged commit 717150c into mlswg:main Jun 10, 2024
1 check passed
Successfully merging this pull request may close these issues.

Can the Delivery Service actually filter Commit messages?
5 participants