Delayed RPC Send Using Tokens

[ackintosh]

Issue Addressed

closes #5785

Proposed Changes

The diagram below shows the differences in how the receiver (responder) behaves before and after this PR. The following sentences will detail the changes.

flowchart TD

subgraph "*** After ***"
    Start2([START]) --> AA[Receive request]
    AA --> COND1{Is there already an active request <br> with the same protocol?}
    COND1 --> |Yes| CC[Send error response]
    CC --> End2([END])
    %% COND1 --> |No| COND2{Request is too large?}
    %% COND2 --> |Yes| CC
    COND1 --> |No| DD[Process request]
    DD --> EE{Rate limit reached?}
    EE --> |Yes| FF[Wait until tokens are regenerated]
    FF --> EE
    EE --> |No| GG[Send response]
    GG --> End2
end

subgraph "*** Before ***"
    Start([START]) --> A[Receive request]
    A --> B{Rate limit reached <br> or <br> request is too large?}
    B -->|Yes| C[Send error response]
    C --> End([END])
    B -->|No| E[Process request]
    E --> F[Send response]
    F --> End
end

Loading

Is there already an active request with the same protocol?

This check is not performed in Before. This is taken from the PR in the consensus-spec, which proposes updates regarding rate limiting and response timeout.
https://github.com/ethereum/consensus-specs/pull/3767/files

The requester MUST NOT make more than two concurrent requests with the same ID.

The PR mentions the requester side. In this PR, I introduced the ActiveRequestsLimiter for the responder side to restrict more than two requests from running simultaneously on the same protocol per peer. If the limiter disallows a request, the responder sends a rate-limited error and penalizes the requester.

Rate limit reached? and Wait until tokens are regenerated

UPDATE: I moved the limiter logic to the behaviour side. #5923 (comment)

The rate limiter is shared between the behaviour and the handler. (Arc<Mutex<RateLimiter>>>) The handler checks the rate limit and queues the response if the limit is reached. The behaviour handles pruning.

I considered not sharing the rate limiter between the behaviour and the handler, and performing all of these either within the behaviour or handler. However, I decided against this for the following reasons:

• Regarding performing everything within the behaviour: The behaviour is unable to recognize the response protocol when RPC::send_response() is called, especially when the response is RPCCodedResponse::Error. Therefore, the behaviour can't rate limit responses based on the response protocol.
• Regarding performing everything within the handler: When multiple connections are established with a peer, there could be multiple handlers interacting with that peer. Thus, we cannot enforce rate limiting per peer solely within the handler. (Any ideas? 🤔 )

Additional Info

Naming

I have renamed the fields of the behaviour to make them more intuitive:

• limiter -> response_limiter
• self_limiter -> outbound_request_limiter

Testing

I have run beacon node with this changes for 24hours, it looks work fine.

The rate-limited error has not occurred anymore while running this branch.

Metrics

These metrics have been added in this PR.

• self_limiter_request_idling_seconds: The time our own request remained idle in the self-limiter.
• TODO

[ackintosh]

@jxs @pawanjay176 @AgeManning

This is ready for another review. 🙏

I have added a concurrency limit on the self-lmiter. Now, the self-limiter limits outbound requests based on both the number of concurrent requests and tokens (optional). Whether we also need to limit tokens in the self-limiter is still under duscussion. Let me know if you have any ideas.

---

(FYI)

I also ran lighthouse (this branch) on the testnet for ~24hours. During this time, the LH node responded with 21 RateLimited errors due to the number of active requests. These errors appear in the logs like the example below. Note that this is about inbound requests, not the self-limiter (outbound requests).

Dec 09 13:38:56.806 DEBG There is an active request with the same protocol, protocol: beacon_blocks_by_range, request: Blocks by range: Start Slot: 2738468, Count: 64, Step: 1, peer_id: 16Uiu2HAmERvtCC321A2Nu1pH6QmhXgvqALxgCnrp4qxr2qeVWr2P, service: libp2p_rpc, service: libp2p, module: lighthouse_network::rpc:491

[AgeManning]

@pawanjay176 @jxs @dapplion @jimmygchen - If anyone has any spare time, I think this is a good one to get in.

[ackintosh]

I removed RPC::is_request_size_too_large in cfea9d2 because such invalid requests are now handled in the Handler, as implemented in the following PRs:

• Fork aware max values in rpc #6847
• Penalize peers that send an invalid rpc request #6986

[dapplion]

This means we can have at most two blocks_by_range ReqResp requests per peer?

[ackintosh]

Yes, that's correct. Each peer can handle up to two blocks_by_range ReqResp requests at most.

[dapplion]

Overall architecture looks good! Just some comments.

Could you add a metric to track the time our own requests are idling in the self-rate limiter? It will help inform is sync performance is hindered by this new rate limit policy. We should also track the time outbound responses are idling in the rate limiter.

[dapplion]

We consider the memory cost of storing responses too low to worry? The worst case is buffering 2 x data_columns_by_range for all possible indices for all peers. For 9 blobs per block, that's 131072*2 * 9 * 100 / 1e6 = 235 MB

[dapplion]

Is the point of this PR to not have an additional global rate limiter? It would help to reduce the worst case scenario

[ackintosh]

Thanks for your feedback! I hadn't considered a global rate limiter, and your point about its potential to mitigate worst-case memory usage is well taken. 💡 I'll look into what configuration values would be optimal.

[dapplion]

If you remove a QueuedRequest item from queued_requests and the limiter doesn't allow to send, is this request lost?

[ackintosh]

The QueuedRequest that the limiter did not allow is requeued in queued_requests here:

lighthouse/beacon_node/lighthouse_network/src/rpc/self_limiter.rs

Lines 189 to 195 in 1f521d6

	Err((rate_limited_req, wait_time)) => {
	let key = (peer_id, protocol);
	self.next_peer_request.insert(key, wait_time);
	queued_requests.push_front(rate_limited_req);
	// If one fails just wait for the next window that allows sending requests.
	return;
	}

[jxs]

Hi, Akihito, thanks for following this. left some comments, specially regarding limiting our responses.
I think we should just rate limit incoming requests.

[jxs]

nit: this indentation is not correct right?

[jxs]

Suggested change

	response_limiter: Option<ResponseLimiter<E>>,
	inbound_rate_limiter: Option<ResponseLimiter<E>>,

I would keep the previous naming, to also still follow the naming of the configurations. But mostly what we are rate limiting are external requests right? Not our responses

[jxs]

following the naming conventions this could be as_protocol.

Suggested change

	pub fn protocol(&self) -> Protocol {
	pub fn as_protocol(&self) -> Protocol {

[ackintosh]

I didn't know the naming conventions. 💡 Thanks!

[jxs]

Suggested change

	outbound_request_limiter: SelfRateLimiter<Id, E>,
	outbound_rate_limiter: SelfRateLimiter<Id, E>,

Here I would follow the same naming, so that it's clear that both outbound and inbound we are rate limiting requests right?

[jxs]

can we then leave a comment explain that Akihito, as we have on send_request?
Thanks!

[jxs]

Hum, this is kinda fishy, may expose us to DOS attacks right? even if we are rate limiting the requester client we are still incrementing active_inbound_requests unboundly.
Can we rework send_response for an internal version that accepts the request_id? So that we only keep the requests that are not rate limited on active_inbound_requests

[jxs]

nit:
can we move this sub match arms to the main match to avoid the unreachable?
I feel it's more elegant to repeat the self.events.push code than to have an unreachable here, wdyt Akihito?

[ackintosh]

Yeah, that's much simpler. Thanks!