I’m pleased to announce that we’re nearing the deployment of the first API boundary nodes under NNS control. Before we proceed, we need to submit a proposal for monitoring access from DFINITY datacenters. This will allow us to observe the health of the API boundary nodes and address any issues.
Following this, we will propose converting some unassigned nodes into API boundary nodes. This marks the first step towards the new boundary node architecture, detailed here.
Feel free to ask any questions. We will update this thread with the proposals as we submit them.
We have just submitted the proposal to allow access to all “monitoring and observability” ports from the DFINITY datacenters. You can find proposal 130319 here and vote on it.
In particular, this proposal provides access to the following ports:
7070: orchestrator dashboard
9091: orchestrator metrics
9100: node exporter metrics
9324: ic-boundary metrics
19100: metrics proxy metrics
19531: systemd-journal-gatewayd (logs)
For now this firewall rule has no effect, but will be used as soon as the first API boundary node is deployed.
Both proposals have been adopted and the first two API boundary nodes are live! Right now, they are not yet taking any production traffic as that is still routed through the existing boundary nodes. However, as we make progress towards the new boundary node architecture, we will gradually add more API boundary nodes and start shifting traffic to them.
The first two API boundary nodes are live and are happy to serve any requests you might have. If you want to try it out, you can for example query the total ckBTC supply using the follow command:
I guess that doesn’t really help much. So what does it mean:
We are redesigning the edge of the Internet Computer. Today, there are boundary nodes (or “today’s boundary nodes”) and they do mainly two things:
translate your browser’s HTTP requests into API calls;
route API calls to the right subnet and replica.
This is what is running under icp0.io and ic0.app. These domains serve both purposes: you can directly access canisters using CANISTER_ID.icp0.io and you can directly submit API calls using icp0.io/api/v2/....
The new edge will, at a very high level, split today’s boundary nodes into two entities: API boundary nodes and HTTP gateways. API boundary nodes only serve the API endpoints, while the HTTP gateways mainly provide the capability to access canisters directly from your browser.
Ultimately, bc1-dll02.blockchaindevlabs.com/api/v2/... serves the same purpose as icp0.io/api/v2....
Hi @rbirkner, thank you for all of the awesome work you and your team have been doing
As of today, if a user would like to access a website hosted on the IC, what are their options for accessing it in a way that is least susceptible to an attack. Assume the user signs into the site and deals with large sums of crypto (so if an attacker can control what the user sees on the frontend and how it interacts with the backend, then they can control what happens to the funds).
Thank you for the kind words! I really appreciate the support.
Regarding your question, there are three ways to access canister frontends on the IC via the HTTP Gateway Protocol:
The most convenient option is using one of the DFINITY-operated HTTP Gateways, allowing users to access sites directly from their browsers without extra setup.
If users prefer not to rely on DFINITY’s gateways, other operators or a dapp team (e.g., WaterNeuron) could run its own HTTP gateway (either catch-all like DFINITY or dapp specific). This requires additional infrastructure and maintenance. Users still need to trust these operators, but they have more options.
For maximum control, users can run a local HTTP gateway, eliminating reliance on external parties. A proof-of-concept can be found here: HTTP proxy.
If you only need to do API canister calls, you can directly target the API boundary nodes using the agents and completely bypass any centralized infrastructure.
Thanks @rbirkner What sort of trust assumptions need to be made about the boundary node that gets used? Presumably the node could act as a man in the middle and modify the request
HTTP Gateways need to be fully trusted as they take your HTTP request, transform it into an IC API request (usually query call), verify the certification of the query response, and then turn the query response into an HTTP response. The HTTP gateway can modify, inject, drop at any step of that. Here, you are trading convenience for security: you are trusting the gateway operator.
API boundary nodes on the other hand don’t have to be trusted. The worst an API BN can do, is to drop or delay your request or the corresponding response. This is the case as you as a client sign the request and the replica signs the response.
Thanks @rbirkner! I could definitely do with diving deeper into this topic. Ideally I’d love there to be a way for all users to be able to depend on IC websites, even the less tech savvy ones (without having to make trust assumptions). I have some additional thoughts / questions.
Presumably if there are multiple domain names, and each one is controlled by a different entity, one could validate that all domains serve binary equivalent assets (given certain requests), providing DNS consensus. Is this an approach you could see working?
If there’s no need for any significant trust assumptions about boundary nodes, is it not possible to extend this safety to http gateways? For arguments sake, if an API call to a boundary node returned a byte stream representing and HTML page (and/or other assets), couldn’t this be served up by the browser (theoretically speaking)? I guess I’m trying to understand why the security that’s offered for API calls to boundary nodes cannot also be applied for HTTP request/responses.
Given that DNS is all about not having to memorise an IP address, theoretically a user could just visit the IP address directly, rather than entering a domain name. I guess that only gets you this far though → https://193.118.59.140/
I’m mostly thinking out loud, but I’d really appreciate your insights relating to these thoughts.
The problem is that for this you always need to rely on Web2 technology and this is usually inherently centralized (e.g., look at DNS).
That’s an option, but there is even a simpler one: when you make a request through an HTTP gateway, the HTTP gateway will “forward” the certification of the data to you as part of the header. That’s the ic-certificate header. However, all of these approaches require some processing client-side and don’t work out of the box with a standard browser. So again, not something for a “normal” user.
It’s all about convenience: The HTTP gateway makes the IC API request for you. As long as you don’t make it yourself, you need to trust the gateway. You could integrate the HTTP gateway into the browser (i.e., similar to the IPFS integrations brave has). One or two years ago, we looked into that, but we stopped the effort as browser extensions are too limited and a direct browser integration doesn’t really make sense as long as it won’t be a mainstream browser with high adoption.
Of course, you could use a very old browser with less restrictive APIs, but what would you get from that? Old browsers are missing many security patches, you still need to install a specific program, you might lack your other extensions, bookmarks etc. In that case, might as well just use the http proxy, which does everything you want and works with any browser.
Thanks @rbirkner. So if a bad actor were able to repoint a trusted domain name to serve up a fake / adjusted version of a dapp frontend, this would be detectable by any user that decides to check the validity of the certificate in the header?
Great! Are there any examples of frontend code that performs this check that can be pointed to?
I understand that a frontend validating its own certificate is somewhat pointless. Instead, I’m just thinking a snippet of js that could run in the browser’s dev console would do the trick for anyone who wants to check.
What sort of trust assumptions need to be made about the boundary node that gets used? Presumably the node could act as a man in the middle and modify the request 