This thread is to debate methods for enforcing subnet DAO rules in the Rita codebase.
Pre tunnel opening
Before the tunnel opens we query the subnet dao, I’m thinking in between the hello callback and the identity callback. We only open tunnels we know are to members of the DAO, or in bootstrapping mode we open tunnels to everyone because we have no idea.
Pros: No minimum surface for attacks from hostile peers
Cons: Requires the implementation of some method to come back and clean up after bootstrapping, requires a single futures chain
Post tunnel opening
In this scenario we open a tunnel with everyone, bandwidth restricted by default. Then we send off a message to the DAOManager to check if the tunnel is ok.
Pros: Somewhat cleaner to implement (we break the futures chain into separate callbacks)
Cons: Still need to check periodically to get bootstrapping cleaned up, also exposes a somewhat larger attack surface
Decoupled iterative check
In this scenario we open a tunnel with everyone, bandwidth restricted by default, then we have a totally separate tick operation that goes over and checks the DAO state of all tunnels every 5 seconds.
Pros: Totally decoupled events, easiest futures situation. Handles bootstrapping very nicely in a general sense.
Cons: Attack surface; in theory we can mitigate it if we don’t listen with babel until we’re sure.
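The decoupled iterative check described in the post, as an added sketch that is not Rita's code: all type and function names (`TunnelManager`, `DaoAnswer`, `babel_may_listen`) and the peer names are hypothetical, the DAO query is replaced by a closure, and what happens to a tunnel after each answer (open, close, or stay as it is while bootstrapping) is an assumption.

```rust
use std::collections::HashMap;

/// Result of one DAO lookup (hypothetical type). Unknown = DAO unreachable, i.e. bootstrapping.
#[derive(Clone, Copy, Debug, PartialEq)]
enum DaoAnswer { Member, NotMember, Unknown }

/// Enforcement state per tunnel; every tunnel starts Restricted.
#[derive(Clone, Copy, Debug, PartialEq)]
enum TunnelState { Restricted, Open, Closed }

struct TunnelManager { tunnels: HashMap<String, TunnelState> }

impl TunnelManager {
    fn new() -> Self { TunnelManager { tunnels: HashMap::new() } }

    /// Opening never waits on the DAO: accept anyone, bandwidth restricted.
    fn open_tunnel(&mut self, peer: &str) {
        self.tunnels.entry(peer.to_string()).or_insert(TunnelState::Restricted);
    }

    /// The separate tick (every 5 seconds in the post); `lookup` stands in for
    /// the DAO query. Returns how many tunnels changed state.
    fn tick<F: Fn(&str) -> DaoAnswer>(&mut self, lookup: F) -> usize {
        let mut changed = 0;
        for (peer, state) in self.tunnels.iter_mut() {
            let next = match (lookup(peer.as_str()), *state) {
                (DaoAnswer::Member, _) => TunnelState::Open,
                (DaoAnswer::NotMember, _) => TunnelState::Closed,
                // Assumption: with no answer the tunnel keeps its current state,
                // so a new peer stays Restricted until a later tick resolves it.
                (DaoAnswer::Unknown, current) => current,
            };
            if next != *state { *state = next; changed += 1; }
        }
        changed
    }

    /// Mitigation from the post: only listen with Babel once membership is confirmed.
    fn babel_may_listen(&self, peer: &str) -> bool {
        self.tunnels.get(peer) == Some(&TunnelState::Open)
    }
}

fn main() {
    let mut m = TunnelManager::new();
    for p in ["peer-a", "peer-b"] { m.open_tunnel(p); } // constructed peer names
    m.tick(|_| DaoAnswer::Unknown); // bootstrapping: nothing changes
    m.tick(|p| if p == "peer-a" { DaoAnswer::Member } else { DaoAnswer::NotMember });
    println!("{:?}", m.tunnels);
}
```

Because every tick re-evaluates every tunnel, the same loop that cleans up after bootstrapping also picks up a later membership revocation.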