Hello everyone,

As mentioned in other places on the forum, we have made great progress with the recovery and stability of Trusted Execution Environment (TEE) enabled nodes. Following months of successfully running individual TEE nodes in all roles (unassigned, replica, and API BN), we are now ready for the next step: creating a dedicated TEE-enabled test subnet.

Because TEE nodes offer a higher level of hardware-backed security, we propose using 7 nodes for this subnet instead of the usual 13.

For now, this subnet is for test purposes only to gather operational experience. It will initially be authorized-only; no deployments will be permitted at this stage. Once we have sufficient experience, we will propose opening it up and/or create more TEE-enabled subnets.

For more background on TEEs on the Internet Computer, check out the Learn Hub.

We will submit the proposal for this subnet shortly. Happy voting!

The proposal 140407 has been submitted.

And for completeness the decentralization info:

Decentralization Nakamoto coefficient:

    node_provider: 0.00 -> 3.00  (+inf%)
      data_center: 0.00 -> 3.00  (+inf%)
data_center_owner: 0.00 -> 3.00  (+inf%)
             area: 0.00 -> 3.00  (+inf%)
          country: 0.00 -> 3.00  (+inf%)

Details:
Nodes added:

• hckfw-kshvv-mzhew-h6isd-5q2wd-lde6w-uipmv-7gbuz-53wqz-cz5kx-oqe [health: healthy]
• m5mj2-rta3p-n4zze-flubl-liaay-3tffk-5nl6d-k5ckv-6mdrg-acnrh-rae [health: healthy]
• vfyx3-xlume-gp5it-lkwiy-tbjoc-l5ole-f7zm4-vdi63-c4k7w-xrekc-rae [health: healthy]
• g75ol-eu444-h65jf-ddman-edmen-johle-s2bim-a3yn6-gkpat-5c32o-7ae [health: healthy]
• oauho-ofmnf-bq3eu-z47lj-j3fkh-r7odv-zkh4r-lmia2-vhkl6-r6mgh-cqe [health: healthy]
• vbryd-i5wxp-njyct-thu6d-5ydsn-djzwx-ly4ny-r55cg-sr5k3-piuad-cqe [health: healthy]
• 647s4-toz5b-tgvod-ojm2t-g7g3m-kn2le-c36yz-doyb3-rh2fo-ushld-dqe [health: healthy]

Node Providers:

3oqw6-vmpk2-mlwlx-52z5x-e3p7u-fjlcw-yxc34-lf2zq-6ub2f-v63hk-lae  0 -> 1 
6sq7t-knkul-fko6h-xzvnf-ktbvr-jhx7r-hapzr-kjlek-whugy-zt6ip-xqe  0 -> 1 
cp5ib-twnmx-h4dvd-isef2-tu44u-kb2ka-fise5-m4hta-hnxoq-k45mm-hqe  0 -> 1 
hk7eo-22zam-kqmsx-dtfbj-k5i6f-jg65h-micpf-2cztc-t2eqk-efgvx-vqe  0 -> 1 
ihbuj-erwnc-tkjux-tqtnv-zkoar-uniy2-sk2go-xfpkc-znbb4-seukm-wqe  0 -> 1 
r3yjn-kthmg-pfgmb-2fngg-5c7d7-t6kqg-wi37r-j7gy6-iee64-kjdja-jae  0 -> 1 
w4buy-lgwzr-pccs7-huzhh-qqnws-rns75-iaoox-jolrm-xs2ra-vdu3o-2qe  0 -> 1 

Data Centers:

cr1          0 -> 1
es1          0 -> 1
fm1          0 -> 1
gn1          0 -> 1
hk1          0 -> 1
mn2          0 -> 1
pa2          0 -> 1

Data Center Owners:

Adam                0 -> 1
Coolhousing         0 -> 1
Hurricane Electric  0 -> 1
NEXTDC              0 -> 1
Navegalo            0 -> 1
Unicom              0 -> 1
Yotta               0 -> 1

Area:

Barcelona      0 -> 1
California     0 -> 1
Greater Noida  0 -> 1
HongKong       0 -> 1
Melbourne      0 -> 1
Praha          0 -> 1
San Jose       0 -> 1

Countries:

AU       0 -> 1
CR       0 -> 1
CZ       0 -> 1
ES       0 -> 1
HK       0 -> 1
IN       0 -> 1
US       0 -> 1

ICP moving to TEEs is super exciting and IMO a huge boost to credibility. Looking forward to being able to store my secrets in my canisters

Does moving from 13 to 7 nodes make HTTP outcalls easier to forge? Or do they actually become harder to forge because the HTTPS certificate is checked in the GuestOS, which is now much harder / impossible to mess with? I guess the host could only block the outcall by IP then?

So maybe the only downside of 7 nodes is it might be slightly easier to take down a canister

Fantastic news! Congrats on all of the hard work coming together. I plan to review the proposed subnet configuration tonight or tomorrow before voting.

ccing other CO.DELTA subnet management reviewers @aligatorr89, @MalithHatananchchige

Hi, thanks for this info. Can we conclude that Target Topology for this subnet is this?

    {
      "subnet_type": "TEE",
      "number_of_subnets": 1,
      "subnet_size": 7,
      "is_sev": "TRUE",
      "subnet_limit_node_provider": 1,
      "subnet_limit_data_center": 1,
      "subnet_limit_data_center_provider": 1,
      "subnet_limit_country": 1
    },

Target Topology is a base to do a proper SubnetManagement review for Change Subnet Membership.

cc @Lorimer @MalithHatananchchige

Proposal 140407 - Wenzel | Synapse | CodeGov

Vote: ADOPT
Summary: Congratulations to DFINITY and the node providers who have TEE enabled nodes for reaching the milestone of creating the first TEE-enabled test subnet. I’m happy to be here voting on this milestone. I wish you all continued success with developing and deploying this new capability.

You may wish to follow the Wenzel known neuron if you are looking for a reliable, credible, sensible Followee for every proposal topic. Visit codegov.org to learn more about my voting philosophies and the merger plan for the Wenzel, Synapse, and CodeGov known neurons.

It’s just a simple TEST only non public subnet, so don’t worry about Topology. No need to overcomplicate things.

Adopted proposal #140407

Adds SEV-en nodes to create the 1st TEE enabled subnet for testing purposes and not open for public.
Kinda feel like this sort of proposals shouldn’t even be up for debate. Testing and R&D should just be executed by Dfinity period.
All 7 nodes are Healthy unassigned.

• hckfw has TEE active.
• m5mj2 has TEE active.
• vfyx3 has TEE active.
• g75ol has TEE active.
• oauho has TEE active.
• vbryd has TEE active.
• 647s4 has TEE active.

I only compiled the state of the topology proposed. 3 is the best possible NC, so all good.

Proposal 140407 Review | aligatorr - CO.DELTA △

VOTE: pending YES

TLDR: Overall looks very good with perfect NC of 3. Are we ok with warnings below?

• Dfinity nodes count is 0 per subnet not needed for TEE subnet
• SEV is not enabled will be enabled later
• All nodes UP

You may wish to follow the CO.DELTA known neuron if you found this analysis helpful.

Again I think this is missing the point of the proposal. It’s a brand new 7 node test subnet creation. It does not fall under the existing requirements and or suggestions.

I ran some analysis software I wrote for comparing subnet configuration at a distance (with colours representing distinct values, to highlight commonalities and differences). The proposed new subnet is the first row below. It’s mostly consistent with many other application subnets, but (as @aligatorr89 has also highlighted above) the SEV feature is not set. Other subnets have this set to false, and this proposed subnet doesn’t specify it (rather than setting it to true, as one might expect for this subnet).

image1346×691 42.7 KB

I also noticed that the max canister count is set to 0 (which means unspecified). This is actually the same for many other new subnets. I don’t think this is correct (for this or the other relatively new subnets that doesn’t specify a cap).

@rbirkner, could you confirm why:

• the SEV feature isn’t enabled for the new subnet?
• Why there is no cap on the number of canisters specified?

I don’t think you should be discouraging proper reviews, whatever the context. Also, I think you’re wrong. Mistakes made now could easily slip under the radar later, under the assumption that proper due diligence had already been performed when creating the subnet.

Here’s an example of what I mean → https://forum.dfinity.org/t/updating-the-list-of-public-subnets/53093/8

Proposal 140407 Review | Lorimer - CO.DELTA △

VOTE: NO

TLDR: Before adopting this new subnet the IC Target Topology should be updated by a motion that sets the requirements for this new type of subnet. At the moment there is nothing against which the parameters of the subnet can be validated.

@aligatorr89 has done a great job highlighting some unexpected parameter inconsistencies above. My analysis tooling has also flagged issues.

There will be 0 DFINITY-controlled nodes in this subnet if this proposal executes, complicating disaster recovery in the event of a subnet stall. The presence of a DFINITY node is a rule is built into the mandated IC Target Topology. My understanding is that available DFINITY nodes are all Gen1 (precluding them as an option).

image985×424 60.3 KB

Node Changes

Action	Node	Status		Continent	Country	Data Center	Owner	Node Provider	Node Operator
Add	hckfw	UP		Oceania	Australia	Melbourne 2 (mn2)	NEXTDC	Icaria Systems Pty Ltd	l5lhp
Add	g75ol	UP		North America	Costa Rica	San José 1 (cr1)	Navegalo	GeoNodes LLC	eqv2i
Add	m5mj2	UP		Europe	Czechia	Praha 2 (pa2)	Coolhousing	Vladyslav Popov	6hl6v
Add	vfyx3	UP		Europe	Spain	Barcelona 1 (es1)	Adam	Decentralized Entities Foundation	6zkgt
Add	vbryd	UP		Asia	Hong Kong	HongKong 1 (hk1)	Unicom	Pindar Technology Limited	vzsx4
Add	oauho	UP		Asia	India	Greater Noida 1 (gn1)	Yotta	ACCUSET SOLUTIONS	slaxf
Add	647s4	UP		North America	United States of America (the)	Fremont (fm1)	Hurricane Electric	NoviSystems, LLC	hoqyg

You may wish to follow the CO.DELTA known neuron if you found this analysis helpful.

Note that this analysis involved data provided by the IC-API, which is not open source. I’m in the process of switching over to more verifiable sources of this sort of information for future proposal reviews. See here for related discussion.

For reference (regarding the review above)

@rbirkner, out of interest, given that there are more subnets than we needed right now (and no signs of them being needed) why not appropriate one of the existing subnets that are still private, and have nothing deployed to them yet?

As of this commit which was included in replica version b0a37d0119a5df1dad84e50dc8717b77978d8f04, the semantics of max_number_of_canisters being set to 0 have changed: instead of meaning no limit, the replica’s default value, i.e 120_000, is used.

At a first thought, a TEE-enabled subnet doesn’t really change anything in terms of HTTP outcalls. Whenever a canister makes an HTTP outcall, each replica makes the same outcall and as part of that checks the HTTPS certificate when establishing the session (independent of whether it is a TEE-enabled node or not). There is no opportunity for a MitM.

Blocking the HTTP outcall is always possible (independent of whether it is a TEE-enabled node or not) as the node provider controls the network. However, as you mention, it is easier to block enough outcalls as there are fewer replicas in the subnet.

Regarding disaster recovery:
The DFINITY node in a subnet won’t be needed for SEV subnets. The point of SEV is to completely lock out the node provider/operator. We have added more tooling to enable recovery even in this case.

There are now three levels of disaster recovery:

1. If the orchestrator is running, we can rely on the newly added proposal called SetSubnetOperationalLevel. This proposal allows to halt a subnet, set a read_only SSH key on all nodes in that subnet and set a recovery SSH key on some node (replacing the need for a DFINITY node).
2. If the orchestrator is not running, we have added two ways to get the node into a state where the orchestrator is running again and we can rely on step 1 above. The two methods to do that are (we have described both in more detail on the TEE page on learnhub):
   1. Manual rollback initiated by the node provider.
   2. Booting into an alternative GuestOS.

And a separate reason: as of today, DFINITY has no Gen2 nodes on mainnet, which would be required to have an SEV-enabled node.