Re: Need to know on network map

Mike Hearn

Yes. It's a problem. The NodeInfos contain inbound IPs but I don't think there's any requirement to use those same IPs for outbound traffic.

If we extended the protocol so nodes could advertise separate outbound and inbound IPs, we could write a script that converts the network map data into configuration files for various firewall products, for example iptables rules. Then corporate IT teams that can't quite treat a Corda node like a web server yet, even with the Corda Firewall, could make running that script a regular task, like daily, or put it in a cron job.

Bonus points if it knows how to intersect the network map with BNO membership lists.

But, be aware that Corda Network policy forbids this kind of IP whitelisting. It says you must accept connections from anywhere on the internet:

https://corda.network/policy/ip-addresses.html

Node P2P ports must be globally reachable via the internet, from any part of the internet. By implication you may not use TCP/IP firewall rules to block who connects to your node. Instead, access control should be done cryptographically using TLS termination and membership rule checking at the start of flow logic (i.e. before any code other than session setup runs).

So using a tool like that on Corda Network would put you in violation of the network policy. The reason is that - beyond the obvious scaling problems with this sort of approach - in future there may be reasons for nodes to contact each other that firewall admins cannot predict.

Cryptographic firewalls aren't a novel concept. Google has been promoting their use for some time now. Try visiting this website:

https://dashboard.corp.google.com

You'll see Google's intranet login page. Actually, many internal websites can be reached this way. They replaced their perimeter firewalls with TLS and client integrity checking infrastructure back in 2012, in a project called BeyondCorp:

https://duo.com/blog/rsac-2017-beyondcorp-how-google-protects-its-corporate-security-perimeter-without-firewalls

That's where we need to go for a global network of business nodes to achieve its full potential.
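As an added illustration of the script the post sketches (this is example code, not Corda project code and not anything the author published): it takes a network-map-like node list, intersects it with a BNO membership list, and renders an iptables allowlist for the P2P port. The JSON shape, with separate "inbound" and "outbound" addresses per node, is the hypothetical protocol extension the post proposes; real Corda NodeInfos only carry inbound addresses. The node data, the membership set and the port number are all constructed. Note the post's own caveat: on Corda Network this kind of IP allowlisting is forbidden by policy, so a tool like this only belongs on a private network whose rules permit it.

```python
"""Convert a network-map-like node list into iptables allowlist rules.

Added example (not Corda project code, not the author's script). Assumes a
hypothetical JSON shape in which each node advertises separate "inbound" and
"outbound" addresses, as the post proposes; real Corda NodeInfos only carry
the inbound addresses. All sample data below is constructed.
"""
import ipaddress
import json

P2P_PORT = 10002  # assumed local P2P port that the rules protect

# Constructed sample: what an extended network map might look like.
NETWORK_MAP_JSON = json.dumps([
    {"legalName": "O=Bank A, L=London, C=GB",
     "inbound": ["203.0.113.10:10002"],
     "outbound": ["203.0.113.11", "203.0.113.12"]},
    {"legalName": "O=Bank B, L=New York, C=US",
     "inbound": ["198.51.100.5:10002"],
     "outbound": ["198.51.100.5"]},
    {"legalName": "O=Notary, L=Zurich, C=CH",
     "inbound": ["192.0.2.20:10002"],
     "outbound": ["192.0.2.21"]},
    # A malformed entry: must be skipped, never written into a rule.
    {"legalName": "O=Broken, L=Nowhere, C=XX",
     "inbound": ["bad-host:10002"],
     "outbound": ["not-an-ip"]},
])

# Constructed BNO membership list, identifying members by X.500 name.
BNO_MEMBERS = {"O=Bank A, L=London, C=GB", "O=Notary, L=Zurich, C=CH"}


def outbound_sources(network_map_json, members=None):
    """Return the sorted list of source IPs allowed to reach our P2P port.

    Uses the advertised outbound addresses (the assumed extension), falling
    back to the host part of each inbound address when none are advertised.
    Invalid address literals are dropped rather than emitted as rules.  If a
    membership set is given, only nodes whose legal name is in it are kept
    (the "intersect with BNO membership" step from the post).
    """
    sources = set()
    for node in json.loads(network_map_json):
        if members is not None and node["legalName"] not in members:
            continue
        candidates = node.get("outbound") or [
            addr.rsplit(":", 1)[0] for addr in node["inbound"]
        ]
        for host in candidates:
            try:
                sources.add(ipaddress.ip_address(host))
            except ValueError:
                continue  # not an IP literal; skip instead of guessing
    # Sort by (version, numeric value) so v4 and v6 never get compared directly.
    ordered = sorted(sources, key=lambda ip: (ip.version, int(ip)))
    return [str(ip) for ip in ordered]


def iptables_rules(sources, port=P2P_PORT):
    """Render an allowlist: accept the listed sources on the P2P port, drop the rest."""
    rules = [f"-A INPUT -p tcp --dport {port} -s {src} -j ACCEPT" for src in sources]
    rules.append(f"-A INPUT -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    allowed = outbound_sources(NETWORK_MAP_JSON, BNO_MEMBERS)
    print("\n".join(iptables_rules(allowed)))
```

Run as-is it prints ACCEPT rules for the two BNO members' outbound addresses followed by a DROP for everyone else; with `members=None` it allowlists every node in the map. The malformed entry is discarded so a bad network-map record cannot produce a syntactically broken or overly broad rule.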

Join corda-dev@groups.io to automatically receive all group messages.