Proposal 134921 Review | LORIMER Known Neuron
VOTE: YES
TLDR: DFINITY occasionally needs to raise targeted proposals that enable them to SSH into “allowed” nodes of a target subnet in order to establish a CUP (during disaster recovery scenarios). This proposal ensures that SH1 nodes (which are DFINITY-owned) are correctly recognised as “allowed”. Note that all subnets should have at least 1 DFINITY-owned node to facilitate subnet recovery (and slightly more for larger subnets).
The proposal payload updates the “ReplicaNodes”-scoped firewall rule at position 0. Note that action 1 means “Allow”. The last time this firewall rule was updated was 2024-03-14 by Proposal 128303. I’ve diffed the payloads to confirm the config that has changed, which is just the addition of one IPv6 subnet (the networking kind) → 2001:4c08:2003:b09::/64
{
  "expected_hash": "8F53770034886C7B6DC6524F2CF4D1FD5B5AC104955AC0CF97B3B8DE24504FD3",
  "positions": [
    0
  ],
  "rules": [
    {
      "action": 1,
      "comment": "Firewall rules for all replica nodes",
      "direction": null,
      "ipv4_prefixes": [],
      "ipv6_prefixes": [
        "2001:4c08:2003:b09::/64", <------ Inserted as the only change
        "2001:438:fffd:11c::/64",
        "2001:470:1:c76::/64",
        "2001:4d78:400:10a::/64",
        "2001:4d78:40d::/48",
        "2001:920:401a:1706::/64",
        "2001:920:401a:1708::/64",
        "2001:920:401a:1710::/64",
        "2401:3f00:1000:22::/64",
        "2401:3f00:1000:23::/64",
        "2401:3f00:1000:24::/64",
        "2600:2c01:21::/64",
        "2600:3000:1300:1300::/64",
        "2600:3000:6100:200::/64",
        "2600:3004:1200:1200::/56",
        "2600:3006:1400:1500::/64",
        "2600:c02:b002:15::/64",
        "2600:c0d:3002:4::/64",
        "2602:fb2b::/36",
        "2602:ffe4:801:16::/64",
        "2602:ffe4:801:17::/64",
        "2602:ffe4:801:18::/64",
        "2604:1380:4091:3000::/48",
        "2604:1380:40e1:4700::/48",
        "2604:1380:40f1:1700::/64",
        "2604:1380:45d1:bf00::/64",
        "2604:1380:45e1:a600::/48",
        "2604:1380:45f1:9400::/64",
        "2604:1380:4601:6200::/48",
        "2604:1380:4641:6100::/48",
        "2604:3fc0:2001::/48",
        "2604:3fc0:3002::/48",
        "2604:6800:258:1::/64",
        "2604:7e00:30:3::/64",
        "2604:7e00:50::/64",
        "2604:b900:4001:76::/64",
        "2607:f1d0:10:1::/64",
        "2607:f6f0:3004::/48",
        "2607:f758:1220::/64",
        "2607:f758:c300::/64",
        "2607:fb58:9005::/48",
        "2607:ff70:3:2::/64",
        "2610:190:6000:1::/64",
        "2610:190:df01:5::/64",
        "2a00:fa0:3::/48",
        "2a00:fb01:400:200::/64",
        "2a00:fb01:400::/56",
        "2a00:fc0:5000:300::/64",
        "2a01:138:900a::/48",
        "2a01:2a8:a13c:1::/64",
        "2a01:2a8:a13d:1::/64",
        "2a01:2a8:a13e:1::/64",
        "2a02:418:3002:0::/64",
        "2a02:41b:300e::/48",
        "2a02:800:2:2003::/64",
        "2a04:9dc0:0:108::/64",
        "2a05:d01c:e2c:a700::/56",
        "2a0b:21c0:b002:2::/64",
        "2a0f:cd00:0002::/56",
        "fd00:2:1:1::/64"
      ],
      "ports": [
        22,
        2497,
        4100,
        8080,
        9090,
        9091,
        9100,
        19100,
        19531
      ],
      "user": null
    }
  ],
  "scope": "ReplicaNodes"
}
All 28 nodes of the SH1 data centre are at this network address (see first portion of IP addresses here). These are indeed DFINITY nodes, provided by the “DFINITY Stiftung” NP.
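The payload diff and the address check described above, written out as a small review script. This is an added example for this review, not DFINITY tooling; it embeds a constructed subset of the prefixes from the payload, assumes the previous rule (Proposal 128303) was identical minus the inserted prefix, and uses a constructed node address inside the new /64. It also flags prefix strings that carry address bits beyond their mask, which a reviewer would want to double-check against how the firewall actually interprets them.

```python
"""Diff two NNS firewall-rule payloads and check node addresses against them.

Added example for this review (not DFINITY tooling). NEW_RULE is a
constructed subset of the "ReplicaNodes" rule at position 0; OLD_RULE is
the assumed previous state, i.e. the same rule without the inserted prefix.
"""
import ipaddress

# Constructed subset of the proposed rule (a few prefixes from the payload).
NEW_RULE = {
    "action": 1,  # 1 = Allow, as noted in the review
    "comment": "Firewall rules for all replica nodes",
    "ipv4_prefixes": [],
    "ipv6_prefixes": [
        "2001:4c08:2003:b09::/64",   # the inserted prefix (SH1 data centre)
        "2001:438:fffd:11c::/64",
        "2602:fb2b::/36",
        "2604:1380:4091:3000::/48",
        "fd00:2:1:1::/64",
    ],
    "ports": [22, 2497, 4100, 8080, 9090, 9091, 9100, 19100, 19531],
}

# Assumed previous rule: identical, minus the first (inserted) prefix.
OLD_RULE = {**NEW_RULE, "ipv6_prefixes": NEW_RULE["ipv6_prefixes"][1:]}


def _all_prefixes(rule):
    return list(rule["ipv4_prefixes"]) + list(rule["ipv6_prefixes"])


def diff_prefixes(old_rule, new_rule):
    """Return (added, removed) sets of prefix strings between two rules."""
    old, new = set(_all_prefixes(old_rule)), set(_all_prefixes(new_rule))
    return new - old, old - new


def allowed_prefix_for(address, rule):
    """Return the first prefix in `rule` containing `address`, else None."""
    ip = ipaddress.ip_address(address)
    for prefix in _all_prefixes(rule):
        # strict=False so prefixes with host bits set still parse.
        net = ipaddress.ip_network(prefix, strict=False)
        if ip.version == net.version and ip in net:
            return prefix
    return None


def port_allowed(rule, port):
    """True if the rule is an Allow rule and lists `port` (22 = SSH)."""
    return rule["action"] == 1 and port in rule["ports"]


def prefixes_with_host_bits(rule):
    """Prefix strings whose address has bits set beyond the mask length."""
    flagged = []
    for prefix in _all_prefixes(rule):
        iface = ipaddress.ip_interface(prefix)
        if iface.ip != iface.network.network_address:
            flagged.append(prefix)
    return flagged


def review(old_rule, new_rule, node_addresses):
    """Summarise what a reviewer wants to know about the rule change."""
    added, removed = diff_prefixes(old_rule, new_rule)
    return {
        "added": sorted(added),
        "removed": sorted(removed),
        "single_insert": len(added) == 1 and not removed,
        "node_matches": {a: allowed_prefix_for(a, new_rule)
                         for a in node_addresses},
        "ssh_allowed": port_allowed(new_rule, 22),
        "host_bits_set": prefixes_with_host_bits(new_rule),
    }


if __name__ == "__main__":
    # Constructed sample node address inside the inserted /64.
    print(review(OLD_RULE, NEW_RULE, ["2001:4c08:2003:b09::1"]))
```

To run it against the real thing, replace the two dictionaries with the rule objects pulled from the previous and proposed payloads; `review` then reports whether the change is exactly one inserted prefix, which prefix each SH1 node address falls under, and whether port 22 is in the allow list.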
Side note: I had intended to write a utility that scans all firewall rules and pairs the network addresses with the relevant data centres and node providers, for the sake of understanding the current firewall landscape a little better. However, I ran out of time, hence my vote towards the end of the voting period. I have automated notifications to avoid missing the deadline. In any case, apologies for cutting it close. I intend to do some follow-up analysis when I have the time (I’ll save some questions that I have until then).