Subnet Management - uzr34 (II)

Proposal 133149

1 degraded node replaced with another Sri Lanka node. Nice and simple, looks good. I’ve adopted.

image920×410 76.4 KB

Voted to adopt Proposal 133149.

This proposal replaces a node in subnet uzr34: suty3, which appears as “Status: Degraded” in the IC dashboard, with another node from the same node provider and data centre thereby having no impact on Nakamoto coefficients or target topology parameters.

Voted to adopt with nothing to object.

Voted to adopt proposal 133149. Replaces a degraded node without changing the Nakamoto Coefficient.

DFINITY will submit an NNS proposal today to reduce the notarization delay on the Internet Identity subnet, uzr34, similar to what has happened on other subnets in recent weeks (you can find all details in this forum thread).

After the successful rollout of the Application subnets, we propose a gradual rollout for the System subnets, starting with the Internet Identity subnet.

Thanks for this announcement @dsharifi, it seems to have aligned perfectly with my lunch break

Are you able to elaborate on the choice of subnet? The SNS subnet is technically an application subnet (albeit a special one). It has 34 nodes. I’d expect this to be a safer choice for starting the production changes on the large subnets (or maybe the fiduciary subnet). If something unexpected goes wrong in production, the II subnet would probably have one of the highest blast radiuses wouldn’t it?

At the moment this change has only been deployed to 13 node subnets (all of them).

Voted to adopt proposal 133307. The subnet id and the delay are correct. I don’t think that having larger number of nodes per subnet would be any issue with this, there are other limits in place that protect the subnet.

Larger subnets take longer to disseminate artifacts. That’s why this subnet currently has a delay of 1000ms instead of 600ms.

@dsharifi is setting this subnet to 300ms intentional? Could you elaborate? Perhaps this relates to the optimisation in last week’s IC OS proposal making the delay adaptive based on network conditions?

You mean the dynamic delay ? Also would you have been more comfortable with a reduction to only 600 ? I guess that we will have to wait for official answer.

Also I see from using the ic-admin tool that the current notarisation delay is 1000ms, not 600ms as the proposal says. I presume this might have been a typo but is there a case for lowering it to 600ms first? Is there some testing to help guide this decision?

@dsharifi @LaCosta

Hi,

Indeed, the current notarization delay is 1000ms on the Internet Identity subnet and all other System subnets. I forgot to change and update our proposal template summary description to 1000ms when submitting the proposal. So yes, the 600ms in the summary is an error/typo.

Yes, we have done extensive benchmarks with testnets with 40 and 31 nodes that indicate it is safe to lower the notarization delay down to 300ms. In the benchmarks we also simulate RTT, packet loss, and bandwidth to mimic the production topology based on our metrics. The benchmarks are the same ones we did with the Application testnets. The benchmarks involve:

• Stress testing the subnet with a high load of Ingress messages, filling every execution round.
• Kill nodes on the subnet for an extended duration, then restart the node to verify that it can state sync, catch up, and participate in block-making

Thanks for clearing this.

Thanks for the extra explanation @dsharifi. I’m afraid I have to reject the proposal as it fundamentally misrepresents itself to voters, which needs to be a no no (even if it’s by accident) to avoid building up potentially dangerous precedent (and promoting bad voting culture).

Regarding the change itself (aside from the wording), could you clarify why the same delay is being used for subnets that are more than twice the size of smaller subnets using that delay? My understanding is that finalisation rates are dependent on the size of the subnet. Are you planning to reduce the delay for 13 node subnets even further?

Could you also comment on the choice of subnet? Is the II subnet considered lower risk than the SNS or Fiduciary subnets? This is the first time such a change is being rolled out to a large subnet (and the magnitude of the difference compared to the existing configuration is significantly greater).

I’ve voted to reject proposal 133307. As clarified by @dsharifi above (and thank you for explaining!) the current notarisation delay was mistakenly given as 1000ms in the proposal instead of 600ms. This is a key detail as it means that the magnitude of the change is greater than what voters may be given to understand. The description of the testing is very reassuring. However, from looking through recent Subnet Management proposals I’ve noticed that a number of nodes have had a sharp decrease in performance and have been listed for removal (from a subnet) following the decrease in notarisation delay for their respective subnets. Is this a valid concern and perhaps a greater risk for the larger subnets? I’m leaning towards favouring a smaller decrease at first, perhaps to 600ms, but I’m very open to being persuaded otherwise.

Voted to reject proposal 133307. Thanks for the thorough explanation on the proposal but I have to agree that even if it is just a simple mistake regarding the previous notarization delay mentioned in the proposal, it still might mislead people that might have different opinions otherwise as @timk11 and @Lorimer had. Also I think that providing more information specially when scaling this proposals to bigger and more relevant subnets should be done initially and I also would like to hear more on how the stress testing on this subnets work, for example do you simulate the distances between nodes that provide a similar behavior with the targeted subnet? Is there a way to verify the performance of those testnets?

Thanks for the response. I agree. This proposal should be rejected and re-submitted to not set a precedent where we vote on proposals that have misleading summaries, intentional or not.

Before answering your questions, I think it’s worth giving some context on what the notarization delay is, why it is needed, and how we choose a correct value for it.

What is a notarization delay?

When a node receives a block proposal, it verifies the block content and waits for a short duration before notarizing (signing) the block and sending its notarization to all its peers in the subnet. The time a node waits before sending the notarization share is what we call the notarization delay (ND).

For a block to be finalized, a block maker needs to send a block proposal to its peers nodes in the subnet, and at least 2/3 * subnet_size + 1 of the nodes must notarize the message and send its notarization share to the other nodes.

The ND serves as a throttle for the maximum finalization rate of a subnet. I.e. a block can never be finalized faster than the ND, as the ND is the minimum time it takes for nodes to share a notarization of a block when they receive a block proposal. So the finalization rate in a subnet will always be less than 1 block / ND, in this case, more specifically 1 block / 0.3s => 3.33 block/s.

In practice, the block rate is lower than the theoretical maximum, as there are overheads in processing a block, the execution time of canister calls, networking latencies between peers, etc.

Why do we have a notarization delay?

A node can fall behind the rest of the nodes in a subnet, for example, due to networking issues, crashing and restarting, or newly joining a subnet. When a node is behind it needs to catch up with the rest of the subnet to participate in the consensus (block proposals) of the subnet. For a node to catch up, the node typically downloads the state of the subnet at some checkpoint block height and must replay the missing blocks at a higher rate than the subnet finalizing blocks. However, if the node that is behind is unable to replay blocks at a higher rate than the rest of the subnet is finalizing blocks, then the node that is behind will never be able to catch up, as it will always lag behind the rest of the subnet.

To make it possible for nodes to catch up if they are behind, we use the ND as a throttle for the rest of the subnet to slow down the finalization rate, such that the node that is behind can replay blocks at a faster rate than the subnet is finalizing blocks.

How much we throttle a subnet’s finalization rate by (the value of the ND), is independent of the subnet size. The ND is there to ensure that all nodes can participate in consensus and block making of a subnet, and that if a node that falls behind can replay blocks at a faster rate than the subnet finalizes new ones.

What factors do we need to consider for the notarisation delay?

Available networking bandwidth on nodes

A node that is behind needs to be able to download old blocks and replay them at a faster rate than the rest of the subnet. This means that the catching up node replays blocks at a rate of:
block_download_time + block_processing_time < ND + block_processing_time.

block_download_time < ND

In the worst case scenario, where we have full blocks, each block has a max size of 4MB. A node must also have a minimum of 300 Mb/s available bandwidth to meet the IC spec. Assume 200Mb/s is available for consensus.

block_size / bandwidth < ND

4MB / 200Mb/s < ND

32Mb / 200Mb/s < ND

0.16s < ND

Thus, from a networking perspective, we need a notarisation delay of at least 160ms in order for a node to catch up in a scenario where we are replaying blocks in a subnet that is under full load.

Overhead per block.

There is also an unavoidable overhead of processing blocks and executing them once they are finalized. Once a block with messages is notarized, the node will execute the messages in that block and certify it in parallel to making new blocks.The high level idea is that if the execution and certification steps take too long, then the bottleneck for the block rate will be determined by execution and certification.

This is something we have observed in busier subnets, such as the OpenChat subnets, meaning we need a notarisation delay, or a block rate throttler that ensure the nodes that are ahead spend longer time making and notarizing blocks than it takes to execute and certify the blocks for the nodes that are behind.

From the production metrics we have about these overheads, we have deduced that a 300ms ND is enough.

1600×355 72.4 KB

What testing and experiments have been conducted?

For all of our experiments, we have simulated Round Trip Times (RTT), bandwidth, and packet loss, to simulate the network behavior of nodes that we see on the Internet Identity subnet. Checkout simulate_network.rs in the IC repo for the source code on how we set these simulations with the transmission control (tc) linux utility.

We have mainly stress tested the simulated subnet by flooding it with a large number of ingress messages, installing many canisters to increase load, and killing nodes to verify that nodes can catch up when joining the subnet.

Our tests show that the change is perfectly fine regardless of the subnet type and subnet size.

We will re-submit a new proposal with an updated summary to lower the notarization delay to 300ms.

Thanks @dsharifi for this very helpful explanation. Is this material also in a blog post or elsewhere in the online resources? If not, I think it would be well worth adding.

I’ve voted to adopt proposal 133315 based on this explanation. This proposal reduces the notarisation delay for subnet uzr34 with the aim of reducing network latency.

Thanks for the thorough explanation on this topic. I have voted to adopt proposal 133315 that reduces the notarization delay of the uzr34 subnet (Internet Identity subnet) from 1000ms to 300ms.