TCP Internals¶
Overview¶
In CCF, the TCP host layer is implemented using libuv, allowing us to listen for connections from other nodes and requests from clients as well as connect to other nodes.
Both RPC and Node-to-Node connections use TCP to communicate with external resources and then pass the packets through the ring buffer to communicate with the enclave.
CCF uses a HTTP REST interface to call programs inside the enclave, so the process is usually read request, call enclave function and receive response (via ring buffer message), send the response to the client.
However, the TCP implementation in CCF is generic and could adapt to other common communication processes, but perhaps would need to change how the users (RPC, Node-to-node) use it.
Overall structure¶
The TCPImpl class (in src/host/tcp.h) implements all TCP logic (using the asynchronous libuv), used by both RPCConnections and NodeConnections.
Because TCPImpl does not have access to the ring buffer, it must use behaviour classes to allow users to register callbacks on actions (ex. on_read, on_accept, etc).
Most of the call backs are for logging purposes, but the two important ones are: - on_accept on servers, which creates a new socket to communicate with the particular connecting client - on_read, which takes the data that is read and writes it to the ring buffer
For note-to-node connections, the behaviours are: - NodeServerBehaviour, the main listening socket and, on_accept, creates a new socket to communicate with a particular connecting client - NodeIncomingBehaviour, the socket that is created above, that waits for input and passes that to the enclave - NodeOutgoingBehaviour, a socket that is created by the enclave (via ring buffer messages into the host), to connect to external nodes
For RPC connections, the behaviours are: - RPCServerBehaviour, same as the NodeServerBehaviour above - RPCClientBehaviour, a misnomer, used for both incoming and outgoing behaviours above
Here’s a diagram with the types of behaviours and their relationships:
graph BT
subgraph TCP
TCPBehaviour
TCPServerBehaviour
end
subgraph RPCConnections
RPCClientBehaviour
RCPServerBehaviour
end
subgraph NodeConnections
NodeConnectionBehaviour
NodeIncomingBehaviour
NodeOutgoingBehaviour
NodeServerBehaviour
end
RPCClientBehaviour --> TCPBehaviour
NodeConnectionBehaviour --> TCPBehaviour
NodeIncomingBehaviour --> NodeConnectionBehaviour
NodeOutgoingBehaviour --> NodeConnectionBehaviour
NodeServerBehaviour --> TCPServerBehaviour
RCPServerBehaviour --> TCPServerBehaviour
State machine¶
The TCPImpl has an internal state machine where states change as reactions to callbacks from libuv.
Since it implements both server (listen, peer, read) and client (connect, write) logic, the state helps common functions to know where to continue to on completion.
The complete state machine diagram, without failed states, is:
stateDiagram-v2
%% Server side
FRESH --> LISTENING_RESOLVING : server
LISTENING_RESOLVING --> LISTENING : uv_listen
%% Client side
state client_host <<choice>>
FRESH --> client_host : client
client_host --> BINDING : client_host != null
BINDING --> CONNECTING_RESOLVING : client_host resolved
client_host --> CONNECTING_RESOLVING : client_host == null
CONNECTING_RESOLVING --> CONNECTING : host resolved
CONNECTING --> CONNECTING_RESOLVING : retry
CONNECTING --> CONNECTED : uv_tcp_connect
%% Peer side
FRESH --> CONNECTED : peer
%% Disconnect / reconnect
CONNECTED --> DISCONNECTED : error<br>close
DISCONNECTED --> RECONNECTING : retry
RECONNECTING --> FRESH : init
Some failed states give transition to retries / reconnects, others are terminal and close the connection.
Server logic¶
The main cycle of a server is the following: - create a main socket and listen for connections - on accepting a new connection, creates a new (peer) socket to communicate with that client
read the request, communicate with the enclave, get the response backs
send the response to the client
close the socket
There could be several peer sockets open communicating with different clients at the same time and it’s up to libuv to handle the asynchronous tasks.
Here’s a diagram of the control flow for a server connection:
graph TD
subgraph RPCConnections
rl(listen)
subgraph RPCServerBehaviour
rsboa(on_accept)
end
end
subgraph TCPImpl
tl(listen)
tr(resolve)
tor(on_resolved)
tlr(listen_resolved)
toa(on_accept)
tp[TCP peer]
end
subgraph NodeConnections
nctor(NodeConnections)
subgraph NodeServerBehaviour
nsboa(on_accept)
end
end
%% Entry Points
rl --> tl
nctor --> tl
%% Listen path
tl -- LISTENING_RESOLVING --> tr
tr -. via: DNS::resolve .-> tor
tor --> tlr
tlr -. LISTENING<br>via: uv_listen .-> toa
toa --> rsboa
toa --> nsboa
toa ==> tp
The control flow of the peer connection is similar to the client (below), but the order is reverse.
The client first writes the request and then waits for the response, while the peer first waits for the request and then writes the response back.
Client logic¶
Clients don’t have a cycle, as they connect to an existing server, send the request, wait for the response and disconnect.
Clients are used from the enclave side (Node-to-node and RPC), via a ring buffer message.
Node-to-node clients are used for pings across nodes, electing a new leader, etc.
RPC clients are used for REST service callbacks from other services, ex. metrics.
Here’s the diagram of the client control flow:
graph TD
subgraph RPCConnections
rc(connect)
rw(write)
subgraph RPCClientBehaviour
rsbor(on_read)
end
end
subgraph TCPImpl
tc(connect)
tocr(on_client_resolved)
tcb(client_bind)
tr(resolve)
tor(on_resolved)
tcr(connect_resolved)
toc(on_connect<br>CONNECTED)
trs(read_start)
toa(on_alloc)
tore(on_read)
tof(on_free)
tw(write)
tow(on_write)
tfw(free_write)
tsw(send_write)
end
subgraph NodeConnections
ncc(create_connection)
nw(ccf::node_outbound)
subgraph NodeConnectionBehaviour
nsbor(on_read)
end
end
%% Entry Points
rc --> tc
ncc --> tc
rw --> tw
nw --> tw
%% Connect path
tc -- CONNECTING_RESOLVING --> tr
tc -. BINDING<br>via: DNS::resolve .-> tocr
tocr --> tcb
tcb -- uv_tcp_bind<br>CONNECTING_RESOLVING --> tr
tr -. via: DNS::resolve .-> tor
tor --> tcr
tcr -. CONNECTING<br>via: uv_tcp_connect .-> toc
toc -- retry<br>CONNECTING_RESOLVING --> tcr
toc -- pending writes --> tw
toc --> trs
%% Read path
trs -. via: uv_read_start .-> toa
trs -. via: uv_read_start .-> tore
tore -- DISCONNECTED<br>uv_read_stop --> tof
tore --> rsbor
tore --> nsbor
%% Write path
tw -- CONNECTED --> tsw
tw -- DISCONNECTED<br>no data --> tfw
tsw -. via: uv_write .-> tow
tow --> tfw
Note that some clients have a client_host parameter separate from host that is used for testing, and uses the state BINDING.
The client_host is resolved separately, bound to the client handle (via uv_tcp_bind) but the call to uv_tcp_connect is done on the host address.
This allows us to bind separate addresses to the client side while connecting to the host, to allow external packet filters (like iptables) to restrict traffic.