Difference between revisions of "Node Provider FAQ"
Diego.prats (talk | contribs) |
Katie.peters (talk | contribs) (Added the security questions to the FAQ) |
||
Line 23: | Line 23: | ||
* Is unwieldy. Plugging it in and out of all the servers and keeping it around for redeployment is a pain. | * Is unwieldy. Plugging it in and out of all the servers and keeping it around for redeployment is a pain. | ||
* Doesn't provide better security than a software key — the current recommended method. | * Doesn't provide better security than a software key — the current recommended method. | ||
+ | |||
+ | == Can a Node Provider read the state of canisters or their code? == | ||
+ | '''No.''' A Node Provider does not have permission as per [[Node Provider Self-declaration|the self-declaration]] to read the canisters or their code. | ||
+ | |||
+ | Furthermore, the data stored on disk is encrypted, and—without modifying the software—reading of that data on disk is not possible. | ||
+ | |||
+ | == Does a Node Provider have credentials to access data that could be provided to law enforcement without physical access to the node? == | ||
+ | The usual path in similar cases (for example Youtube, Facebook) is for legal authorities to send cease and desist or notices to a central provider. In the case of a decentralized network like the IC, this would be the IC-community through voting on specific proposals for removing content from either nodes machines or blocking access through boundary node machines. | ||
+ | |||
+ | == Could pre-existing tools be installed to the node that would permit accessing canister state and code without disrupting the function of the node? == | ||
+ | '''No''' there are no pre-existing tools for this functionality. | ||
+ | |||
+ | == Technically it is feasible to access server data via Teleport or Proxmox but the IC Node & IC data is considered secure? Is it encrypted? == | ||
+ | The ICOS images and the documentation does not support accessing server data via Teleport or Proxmox directly. The data on an individual node is encrypted. The IC does not make any data privacy guarantees. That said, some dapps are written such as to encrypt their data with a client key which makes the data private, but this is only useful in certain cases. We’re aiming to address this with technologies such as AMD’s SEV-SNP which is a hardware mechanism that isolates VMs from the Node Provider running the bare metal machine. | ||
+ | |||
+ | The network is secured by BFT (Byzantine Fault Tolerance) which protects it against bad actors, meaning that a bad actor alone is not able to modify the network state even if they break into their node and modify the data. This is a different security guarantee than privacy. | ||
==See also== | ==See also== |
Latest revision as of 22:44, 12 November 2024
What is a node? Just one machine?
Yes.
Sometimes "Node Machine" - a single server participating with the IC - is used to differentiate from "Node", which is sometimes used to refer to the software that runs the IC.
When purchasing node hardware can I deviate from the node hardware requirements?
The hardware components must meet the generic specification of the Gen2 node hardware. This is verified by the IC-OS installer. The installer will fail if the expected components are not found.
Small details are expected to be different between vendors such as SSD manufacturer, chassis model, etc., but it is strongly recommended for node providers to purchase one of the validated configurations listed at Node Machine Hardware.
Do I need to configure RAID on my node machines?
No. RAID (hardware or software) should not be attempted. The IC-OS installer will verify there are 5x independent 6.4TB NVMe SSD’s and prepare them appropriately - formatting all disks as it installs.
IC-OS uses a ‘striped’ LVM volume across all the disks (technically a software RAID 0).
What about redundancy? Replica nodes provide redundancy at a higher level than disk redundancy.
Why is the "no HSM" onboarding preferred to using an HSM?
The NitroKey HSM:
- Has a single manufacturer — NitroKey. This is a form of centralization. Bad!
- Is not well-supported anymore. The instructions for backing up the keys don't work.
- Is unwieldy. Plugging it in and out of all the servers and keeping it around for redeployment is a pain.
- Doesn't provide better security than a software key — the current recommended method.
Can a Node Provider read the state of canisters or their code?
No. A Node Provider does not have permission as per the self-declaration to read the canisters or their code.
Furthermore, the data stored on disk is encrypted, and—without modifying the software—reading of that data on disk is not possible.
Does a Node Provider have credentials to access data that could be provided to law enforcement without physical access to the node?
The usual path in similar cases (for example Youtube, Facebook) is for legal authorities to send cease and desist or notices to a central provider. In the case of a decentralized network like the IC, this would be the IC-community through voting on specific proposals for removing content from either nodes machines or blocking access through boundary node machines.
Could pre-existing tools be installed to the node that would permit accessing canister state and code without disrupting the function of the node?
No there are no pre-existing tools for this functionality.
Technically it is feasible to access server data via Teleport or Proxmox but the IC Node & IC data is considered secure? Is it encrypted?
The ICOS images and the documentation does not support accessing server data via Teleport or Proxmox directly. The data on an individual node is encrypted. The IC does not make any data privacy guarantees. That said, some dapps are written such as to encrypt their data with a client key which makes the data private, but this is only useful in certain cases. We’re aiming to address this with technologies such as AMD’s SEV-SNP which is a hardware mechanism that isolates VMs from the Node Provider running the bare metal machine.
The network is secured by BFT (Byzantine Fault Tolerance) which protects it against bad actors, meaning that a bad actor alone is not able to modify the network state even if they break into their node and modify the data. This is a different security guarantee than privacy.