feat: publish pkarr self-announces through the derper

Author: Frando

iroh-base/src/key.rs

@@ -229,6 +229,12 @@ impl From<VerifyingKey> for PublicKey {
     }
 }
 
+impl From<PublicKey> for VerifyingKey {
+    fn from(value: PublicKey) -> Self {
+        value.public()
+    }
+}
+
 impl Debug for PublicKey {
     fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
         write!(f, "PublicKey({})", base32::fmt_short(self.as_bytes()))
@@ -391,6 +397,12 @@ impl From<SigningKey> for SecretKey {
     }
 }
 
+impl From<SecretKey> for SigningKey {
+    fn from(secret: SecretKey) -> Self {
+        secret.secret
+    }
+}
+
 impl From<[u8; 32]> for SecretKey {
     fn from(value: [u8; 32]) -> Self {
         Self::from_bytes(&value)

iroh-net/src/bin/derper.rs

@@ -32,6 +32,7 @@ use tracing::{debug, debug_span, error, info, info_span, trace, warn, Instrument
 use tracing_subscriber::{prelude::*, EnvFilter};
 
 use metrics::StunMetrics;
+use url::Url;
 
 type BytesBody = http_body_util::Full<hyper::body::Bytes>;
 type HyperError = Box<dyn std::error::Error + Send + Sync>;
@@ -201,6 +202,8 @@ struct Config {
     #[cfg(feature = "metrics")]
     /// Metrics serve address. If not set, metrics are not served.
     metrics_addr: Option<SocketAddr>,
+    /// Pkarr relay to publish node announces to
+    pkarr_relay: Option<Url>,
 }
 
 #[derive(Serialize, Deserialize)]
@@ -261,6 +264,7 @@ impl Default for Config {
             mesh: None,
             #[cfg(feature = "metrics")]
             metrics_addr: None,
+            pkarr_relay: None,
         }
     }
 }
@@ -481,6 +485,9 @@ async fn run(
             Box::new(serve_no_content_handler),
         );
     }
+    if let Some(pkarr_relay) = cfg.pkarr_relay {
+        builder = builder.pkarr_relay(pkarr_relay);
+    }
     let derp_server = builder.spawn().await?;
 
     // captive portal detections must be served over HTTP

iroh-net/src/derp.rs

@@ -17,6 +17,7 @@ mod codec;
 pub mod http;
 mod map;
 mod metrics;
+pub(crate) mod pkarr_announce;
 pub(crate) mod server;
 pub(crate) mod types;
 

iroh-net/src/derp/client.rs

@@ -21,6 +21,7 @@ use super::{
     types::{ClientInfo, MeshKey, RateLimiter, ServerInfo},
 };
 
+use crate::derp::codec::PkarrWirePacket;
 use crate::key::{PublicKey, SecretKey};
 use crate::util::AbortingJoinHandle;
 
@@ -76,6 +77,8 @@ pub struct InnerClient {
     reader_task: AbortingJoinHandle<()>,
     /// [`PublicKey`] of the server we are connected to
     server_public_key: PublicKey,
+    /// Whether the server supports publishing pkarr packets for us
+    can_pkarr_publish: bool,
 }
 
 impl Client {
@@ -160,6 +163,21 @@ impl Client {
         Ok(())
     }
 
+    /// Send a pkarr packet to the derper to publish for us.
+    ///
+    /// Must be signed by our secret key, otherwise the derper will reject it.
+    pub async fn pkarr_publish_packet(&self, packet: pkarr::SignedPacket) -> Result<()> {
+        if !self.inner.can_pkarr_publish {
+            bail!("the server does not allow pkarr publishing");
+        }
+        // todo: check pkey
+        self.inner
+            .writer_channel
+            .send(ClientWriterMessage::PkarrPublish(packet))
+            .await?;
+        Ok(())
+    }
+
     /// The local address that the [`Client`] is listening on.
     pub fn local_addr(&self) -> Result<SocketAddr> {
         Ok(self.inner.local_addr)
@@ -253,6 +271,8 @@ enum ClientWriterMessage {
     /// Asks the server to close the target's connection.
     /// Should only be used for mesh clients.
     ClosePeer(PublicKey),
+    /// Publish a pkarr signed packet about ourselves
+    PkarrPublish(pkarr::SignedPacket),
     /// Shutdown the writer
     Shutdown,
 }
@@ -305,6 +325,11 @@ impl<W: AsyncWrite + Unpin + Send + 'static> ClientWriter<W> {
                     write_frame(&mut self.writer, Frame::ClosePeer { peer }, None).await?;
                     self.writer.flush().await?;
                 }
+                ClientWriterMessage::PkarrPublish(packet) => {
+                    let packet = PkarrWirePacket::V0(packet.as_bytes());
+                    write_frame(&mut self.writer, Frame::PkarrPublish { packet }, None).await?;
+                    self.writer.flush().await?;
+                }
                 ClientWriterMessage::Shutdown => {
                     return Ok(());
                 }
@@ -368,7 +393,7 @@ impl ClientBuilder {
         self
     }
 
-    async fn server_handshake(&mut self) -> Result<(PublicKey, Option<RateLimiter>)> {
+    async fn server_handshake(&mut self) -> Result<(PublicKey, Option<RateLimiter>, bool)> {
         debug!("server_handshake: started");
         let server_key = recv_server_key(&mut self.reader)
             .await
@@ -404,6 +429,8 @@ impl ClientBuilder {
         };
         let mut buf = encrypted_message.to_vec();
         shared_secret.open(&mut buf)?;
+
+        // TODO: Can we parse the server info from old derpers without pkarr support?
         let info: ServerInfo = postcard::from_bytes(&buf)?;
         if info.version != PROTOCOL_VERSION {
             bail!(
@@ -417,12 +444,12 @@ impl ClientBuilder {
         )?;
 
         debug!("server_handshake: done");
-        Ok((server_key, rate_limiter))
+        Ok((server_key, rate_limiter, info.can_pkarr_publish))
     }
 
     pub async fn build(mut self) -> Result<(Client, ClientReceiver)> {
         // exchange information with the server
-        let (server_public_key, rate_limiter) = self.server_handshake().await?;
+        let (server_public_key, rate_limiter, can_pkarr_publish) = self.server_handshake().await?;
 
         // create task to handle writing to the server
         let (writer_sender, writer_recv) = mpsc::channel(PER_CLIENT_SEND_QUEUE_DEPTH);
@@ -485,6 +512,7 @@ impl ClientBuilder {
                 writer_task: writer_task.into(),
                 reader_task: reader_task.into(),
                 server_public_key,
+                can_pkarr_publish,
             }),
         };
 

iroh-net/src/derp/client_conn.rs

@@ -16,7 +16,7 @@ use crate::{disco::looks_like_disco_wrapper, key::PublicKey};
 
 use iroh_metrics::{inc, inc_by};
 
-use super::codec::{DerpCodec, Frame};
+use super::codec::{DerpCodec, Frame, PkarrWirePacket};
 use super::server::MaybeTlsStream;
 use super::{
     codec::{write_frame, KEEP_ALIVE},
@@ -89,6 +89,7 @@ where
     pub(crate) write_timeout: Option<Duration>,
     pub(crate) channel_capacity: usize,
     pub(crate) server_channel: mpsc::Sender<ServerMessage<P>>,
+    pub(crate) can_pkarr_publish: bool,
 }
 
 impl<P> ClientConnBuilder<P>
@@ -106,6 +107,7 @@ where
             self.write_timeout,
             self.channel_capacity,
             self.server_channel,
+            self.can_pkarr_publish,
         )
     }
 }
@@ -123,6 +125,7 @@ impl ClientConnManager {
         write_timeout: Option<Duration>,
         channel_capacity: usize,
         server_channel: mpsc::Sender<ServerMessage<P>>,
+        can_pkarr_publish: bool,
     ) -> ClientConnManager
     where
         P: PacketForwarder,
@@ -150,6 +153,7 @@ impl ClientConnManager {
             key,
             preferred: Arc::clone(&preferred),
             server_channel: server_channel.clone(),
+            can_pkarr_publish,
         };
 
         // start io loop
@@ -242,6 +246,8 @@ impl ClientConnManager {
 pub(crate) struct ClientConnIo<P: PacketForwarder> {
     /// Indicates whether this client can mesh
     can_mesh: bool,
+    /// Indicates whether this client can do pkarr publish
+    can_pkarr_publish: bool,
     /// Io to talk to the client
     io: Framed<MaybeTlsStream, DerpCodec>,
     /// Max time we wait to complete a write to the client
@@ -480,6 +486,9 @@ where
             Frame::Health { .. } => {
                 inc!(Metrics, other_packets_recv);
             }
+            Frame::PkarrPublish { packet } => {
+                self.handle_pkarr_publish(packet).await?;
+            }
             _ => {
                 inc!(Metrics, unknown_frames);
             }
@@ -553,6 +562,15 @@ where
         Ok(())
     }
 
+    async fn handle_pkarr_publish(&self, frame: PkarrWirePacket) -> Result<()> {
+        ensure!(self.can_pkarr_publish, "insufficient permissions");
+        let res = frame.verify_and_decode(&self.key);
+        let packet = res?;
+        self.send_server(ServerMessage::PkarrPublish(packet))
+            .await?;
+        Ok(())
+    }
+
     /// Parse the FORWARD_PACKET frame, getting the destination, source, and
     /// packet content. Then sends the packet to the server, who directs it
     /// to the destination.
@@ -654,6 +672,7 @@ mod tests {
             key,
             server_channel: server_channel_s,
             preferred: Arc::clone(&preferred),
+            can_pkarr_publish: false,
         };
 
         let done = CancellationToken::new();
@@ -865,6 +884,7 @@ mod tests {
             key,
             server_channel: server_channel_s,
             preferred: Arc::clone(&preferred),
+            can_pkarr_publish: false,
         };
 
         let done = CancellationToken::new();

iroh-net/src/derp/clients.rs

@@ -339,6 +339,7 @@ mod tests {
                 write_timeout: None,
                 channel_capacity: 10,
                 server_channel,
+                can_pkarr_publish: false,
             },
             FramedRead::new(test_io, DerpCodec),
         )

iroh-net/src/derp/codec.rs

@@ -118,6 +118,9 @@ pub(crate) enum FrameType {
     Restarting = 15,
     /// 32B src pub key + 32B dst pub key + packet bytes
     ForwardPacket = 16,
+    /// Sent from the client to the server with a pkarr [`SignedPacket`], which the server should
+    /// publish on behalf to the client.
+    PkarrPublish = 17,
     #[num_enum(default)]
     Unknown = 255,
 }
@@ -259,6 +262,54 @@ pub(crate) enum Frame {
         dst_key: PublicKey,
         packet: Bytes,
     },
+    PkarrPublish {
+        packet: PkarrWirePacket,
+    },
+}
+
+/// A pkarr signed packet.
+///
+/// This is wrapped in a wire encoding to allow changing the package format in the future without
+/// breaking the protocol.
+#[derive(Debug, Clone, Eq, PartialEq)]
+pub enum PkarrWirePacket {
+    V0(Bytes),
+}
+impl PkarrWirePacket {
+    pub fn len(&self) -> usize {
+        match self {
+            PkarrWirePacket::V0(b) => b.len() + 1,
+        }
+    }
+    pub fn encode(&self, dst: &mut BytesMut) {
+        match self {
+            PkarrWirePacket::V0(b) => {
+                dst.put_u8(0u8);
+                dst.put(b.as_ref());
+            }
+        }
+    }
+    pub fn from_bytes(mut src: Bytes) -> anyhow::Result<Self> {
+        ensure!(src.len() > 1, "packet too short");
+        let version = src.split_to(1);
+        match version[0] {
+            0 => Ok(Self::V0(src)),
+            _ => bail!("unsupported pkarr wire packet version"),
+        }
+    }
+    pub fn verify_and_decode(self, public_key: &PublicKey) -> anyhow::Result<pkarr::SignedPacket> {
+        match self {
+            PkarrWirePacket::V0(bytes) => {
+                ensure!(bytes.len() > 104, "invalid pkarr packet");
+                ensure!(
+                    &bytes[..32] == public_key.as_bytes(),
+                    "pkarr packet does not match client public key"
+                );
+                let packet = pkarr::SignedPacket::from_bytes(bytes, true)?;
+                Ok(packet)
+            }
+        }
+    }
 }
 
 impl Frame {
@@ -280,6 +331,7 @@ impl Frame {
             Frame::Health { .. } => FrameType::Health,
             Frame::Restarting { .. } => FrameType::Restarting,
             Frame::ForwardPacket { .. } => FrameType::ForwardPacket,
+            Frame::PkarrPublish { .. } => FrameType::PkarrPublish,
         }
     }
 
@@ -312,6 +364,7 @@ impl Frame {
                 dst_key: _,
                 packet,
             } => PUBLIC_KEY_LENGTH * 2 + packet.len(),
+            Frame::PkarrPublish { packet } => packet.len(),
         }
     }
 
@@ -383,6 +436,7 @@ impl Frame {
                 dst.put(dst_key.as_ref());
                 dst.put(packet.as_ref());
             }
+            Frame::PkarrPublish { packet } => packet.encode(dst),
         }
     }
 
@@ -535,6 +589,10 @@ impl Frame {
                     packet,
                 }
             }
+            FrameType::PkarrPublish => {
+                let packet = PkarrWirePacket::from_bytes(content)?;
+                Self::PkarrPublish { packet }
+            }
             _ => {
                 anyhow::bail!("invalid frame type: {:?}", frame_type);
             }