[Feature] Noise XKpsk3 integration (2025 version)

[simonwicky]

Description

Noise PR #4360 is dead, long live Noise PR #5692.

No stacked PRs this time, commits description are quite explicit (and it's less of a mess than last time)

---

This change is 

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
nym-explorer-v2	❌ Failed (Inspect)			May 21, 2025 7:59am

2 Skipped Deployments

Name	Status	Preview	Comments	Updated (UTC)
docs-nextra	⬜️ Ignored (Inspect)	Visit Preview		May 21, 2025 7:59am
nym-next-explorer	⬜️ Ignored (Inspect)	Visit Preview		May 21, 2025 7:59am

[timkuijsten]

Is there any rationale of the choice for XKpsk3? I.e. how to do DoS mitigation? Also I'm curious how this relates to the announcement of planning to use McEliece.

[aniampio]

@timkuijsten Thanks for the question! We decided to use XKpsk3 because it provides the best forward secrecy, authentication, replay protection, and identity-hiding guarantees for client-server settings where the client cannot be identified based on its source IP address. Also, as PQ-security is on our roadmap, we opted for the variant with PSK, as the pre-shared key can be later used to inject Post-Quantum safety into the protocol. We also decided to use the XKpsk3 between nodes, as we are considering supporting private gateways in the future, so the identity of the initiator may not be obvious from the source IP address (entry-mixnode). Then, for the rest of the connections (mix node to mix node, and mix node to exit) we also use the same pattern to keep the usage across the network uniform.

In terms of DoS protection, deploying Noise at the transport layer helps shield the Sphinx layer, as each message must first be validated by Noise before any Sphinx processing occurs. However, Noise itself can still be vulnerable to DoS attacks. WireGuard mitigates this risk using a cookie-based mechanism. We could adopt a similar approach, or explore alternative strategies — all of which are currently under consideration.

[jstuczyn]

you copied it from skimmed response but you dropped filtering for inactive nodes, what gives?

[simonwicky]

Since (at least for the moment) we need this endpoint to get the Noise keys, we also need it for inactive nodes (tests and stuff) so I did not why we would need it only for active ones.
That being said, I can add the filtering back

[jstuczyn]

but it's not designed to be a noise-exlusive endpoint : )

[simonwicky]

Added the option for later in d4d6e42
I didn't implement the active version of the endpoint though

[jstuczyn]

thinking about it, given we're using hardcoded patterns, couldn't we also hardcode that psk_position to avoid unwrap alltogether?

[simonwicky]

When adding/modifying patterns, I don't want to have that info in two places, that can lead to mismatch if not maintained properly.

The snow library is parsing the pattern string to get its scheme so it's not really far from that.

Given that, I feel like this is still the better option no?

[jstuczyn]

When adding/modifying patterns, I don't want to have that info in two places, that can lead to mismatch if not maintained properly.

that's why we write unit tests : )

[jstuczyn]

you can derive EnumIter on the guy and use it in tests to make sure every variant is always covered and returns expected value

[simonwicky]

I added tests to ensure validity of all the noise pattern we hardcode in 090026d
Let's keep the hardcoded position in the tests though

[jstuczyn]

but why not also use constant for the psk_position itself xD (I guess I really don't like unwraps that could be removed)

[simonwicky]

I reckon having the automated construction somewhere and the constants somewhere else is a good thing to ensure validity.
I'm team automated construction in the actual code and constants in the tests, if the tests pass, those unwraps cannot fail.
Alternatively, I can remove them and make the fn fallible, since it's already used in a fallible function. But again, if the tests pass, they can't fail

[jstuczyn]

why would that matter?

[jstuczyn]

also, wouldn't it be better if we always and only used canonical address?

[simonwicky]

It does matter because I have seen a case where the responder sees the IPv6-mapped version of the initiator's IP, and it needs to canonicalize it to find it.

As for only using the canonical version, using solely the IP for this is kinda shaky, so let's put all the chances on our side no? We're more likely to miss a Noise supporting node than to think a node is supporting it when it doesn't

[jstuczyn]

I'm not sure I understand. wouldn't using canonical address help us in reducing chances of accidentally having duplicates of the same underlying node?

[jstuczyn]

i hope this doesn't introduce any problems/vulnerabilities, because somebody will attempt to use that.

couldn't we simply say that if we have connection from ip A.B.C.D and it doesn't use noise, all connections from that ip are not allowed to use noise (and vice versa)

[simonwicky]

They might exploit and block you if you don't update. If you do, they can't.

We could but then it means somebody can force a downgrade on your up-to-date node. Better to cause problems on older than newer nodes no?

[jstuczyn]

but start_send does not imply the data has been sent

[simonwicky]

Added flushing afterwards in fc16dc6

[jstuczyn]

this won't work as you wouldn't be able to flush it before sending is finished. you'd need some sort of state machine to keep track of it. i think. perhaps use one of tokio-util's adapters?

[simonwicky]

Hold up, Tokio is doing exactly that in their SinkWriter implementation to go from a Sink to an AsyncWrite :
https://docs.rs/tokio-util/latest/src/tokio_util/io/sink_writer.rs.html#104

[jstuczyn]

there's a tiny issue. currently nym api will return unimplemented on that endpoint : (

[simonwicky]

Well let's sure to update the nym-api before the nodes.
This endpoint is implemented in that PR

[jstuczyn]

wait, hold on a second here. i'm not sure this is the port you want to be using. this is the port the remote node is listening on. when it tries to establish connection to your node, it will be different

[simonwicky]

This is exactly the info I want. The port info is used by initiator, which is sending to your node.
The responder will only use the IP part that is constructed here, where I'm removing the port info :

nym/common/nymnoise/src/config.rs

Line 70 in fba6c26

let noise_support = new

[timkuijsten]

In terms of DoS protection, deploying Noise at the transport layer helps shield the Sphinx layer, as each message must first be validated by Noise before any Sphinx processing occurs. However, Noise itself can still be vulnerable to DoS attacks. WireGuard mitigates this risk using a cookie-based mechanism. We could adopt a similar approach, or explore alternative strategies — all of which are currently under consideration.

I guess XK + cookie and making sure there is no responder-side state for unauthenticated connections (like rosenpass did) would put you in a good position. Are there already any public discussions, designs or transcripts?

[jstuczyn]

I'm not sure I understand. wouldn't using canonical address help us in reducing chances of accidentally having duplicates of the same underlying node?

[jstuczyn]

I wonder, do we always have to allocate so much data per each message? i don't think that was the noise design

[simonwicky]

Edit : Reading the code (from snow too) again, indeed allocating noise_message.len() - TAGLEN will suffice, fixed in ea233c7

[jstuczyn]

why not just return those bytes immediately here

[simonwicky]

Maybe we have things in the buffer that needs to be returned before that.
A call to this poll_read might end up with us having data we have decrypted but can't return yet.
Hence we need to check it first before returning that part

[jstuczyn]

why not reuse existing buf or at least use its length? it's seems very wasteful to always allocate 60k for each tiny write...

[simonwicky]

In theory the writes can be up to 60k bytes though

[simonwicky]

Edit : Reading the code (from snow too) again, indeed allocating buf.len() + TAGLEN will suffice, fixed in ea233c7

[jstuczyn]

would https://docs.rs/tokio-util/latest/tokio_util/io/struct.SinkWriter.html work instead of implementing AsyncWrite? actually, why do we even need AsyncWrite + AsyncRead?

[simonwicky]

Without Noise, we're wrapping the TcpStream into a tokio_util::codec::Framed with the sphinx packet codec.
To code a one-for-one replacement, NoiseStream has to be AsyncWrite + AsyncRead in a way or another

[simonwicky]

SinkWriter doesn't work for the same reason StreamReader doesn't. We need to handle the encryption in the middle

[simonwicky]

@timkuijsten There are no public discussions or designs yet no.
Using cookies is a good lead, although it's just used to confirm the IP address so it can then be limited with other means.

[timkuijsten]

Using cookies is a good lead, although it's just used to confirm the IP address so it can then be limited with other means.

But nym uses TCP right? Isn't TCP's three-way-handshake enough for IP ownership confirmation? (unlike WireGuard which needs the cookie because it uses UDP).

[simonwicky]

@timkuijsten For the moment it does indeed. That's a fair point, I'll need to think about it.

[jstuczyn]

wouldn't we end up in a constant reconnection loop if receiver doesn't support noise?

[simonwicky]

The error message is a bit misleading tbh, my bad.
If the receiver doesn't support Noise, there won't be any handshake, and we will just return the TcpStream wrapped in a Connection for compatibility

[jstuczyn]

but why not also use constant for the psk_position itself xD (I guess I really don't like unwraps that could be removed)

[jstuczyn]

looking slightly deeper into it. i'm a bit confused: why are you having a method on self that takes handshake argument that originally was part of self but you temporarily removed it?

[simonwicky]

We still need the inner_stream from self to send the encrypted handshake message.
I'm taking the handshake out from self to prevent duplicate calls to this fn from messing with the first one.