Ecosystem/misc-research
1
0
Fork 0
mirror of https://github.com/Rucknium/misc-research.git synced 2025-04-03 04:29:03 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Add Subnet Deduplication for Monero Node Peer Selection

Browse source
This commit is contained in:
Rucknium 2025-02-12 16:45:28 +00:00
parent 22ffd837d8
commit 3fe27b56a5
9 changed files with 1093 additions and 0 deletions

338
Monero-Peer-Subnet-Deduplication/code/R/LICENSE.md Normal file
View file

@ -0,0 +1,338 @@
Copyright (c) 2025 Rucknium
GNU General Public License
==========================
_Version 2, June 1991_
_Copyright © 1989, 1991 Free Software Foundation, Inc.,_
_51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA_
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
### Preamble
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Lesser General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
rights.
We protect your rights with two steps: **(1)** copyright the software, and
**(2)** offer you this license which gives you legal permission to copy,
distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.
Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and
modification follow.
### TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
**0.** This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The “Program”, below,
refers to any such program or work, and a “work based on the Program”
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in
the term “modification”.) Each licensee is addressed as “you”.
Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.
**1.** You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.
You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.
**2.** You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
* **a)** You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change.
* **b)** You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.
* **c)** If the modified program normally reads commands interactively
when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
notice that there is no warranty (or else, saying that you provide
a warranty) and that users may redistribute the program under
these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on
the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.
In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.
**3.** You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:
* **a)** Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software interchange; or,
* **b)** Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,
* **c)** Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you
received the program in object code or executable form with such
an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.
If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.
**4.** You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.
**5.** You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.
**6.** Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.
**7.** If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.
It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.
This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.
**8.** If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded. In such case, this License incorporates
the limitation as if written in the body of this License.
**9.** The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and “any
later version”, you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.
**10.** If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.
### NO WARRANTY
**11.** BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
**12.** IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
### How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least
the “copyright” line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year> <name of author>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
Also add information on how to contact you by electronic and paper mail.
If the program is interactive, make it output a short notice like this
when it starts in an interactive mode:
Gnomovision version 69, Copyright (C) year name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w` and `show c` should show the appropriate
parts of the General Public License. Of course, the commands you use may
be called something other than `show w` and `show c`; they could even be
mouse-clicks or menu items--whatever suits your program.
You should also get your employer (if you work as a programmer) or your
school, if any, to sign a “copyright disclaimer” for the program, if
necessary. Here is a sample; alter the names:
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
`Gnomovision' (which makes passes at compilers) written by James Hacker.
<signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice
This General Public License does not permit incorporating your program into
proprietary programs. If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library. If this is what you want to do, use the GNU Lesser General
Public License instead of this License.

191
Monero-Peer-Subnet-Deduplication/code/R/subnet-deduplication-plots-and-simulations.R Normal file
View file

@ -0,0 +1,191 @@
# install.packages(c("data.table", "ggplot2", "treemapify", "future", "future.apply"))
library(data.table)
unique.outbound.ips <- readLines("good_peers.txt")
# Run this for an hour to get good_peers:
# https://gist.github.com/Boog900/5e9fe91197fbbf5f5214df77de0c8cd8
unique.outbound.ips <- stringr::str_extract(unique.outbound.ips, "[0-9]{1,3}[.][0-9]{1,3}[.][0-9]{1,3}[.][0-9]{1,3}")
unique.outbound.ips <- unique(unique.outbound.ips)
# wget https://github.com/Boog900/monero-ban-list/raw/refs/heads/main/ban_list.txt
ban_list <- readLines("ban_list.txt")
convert.subnet.16 <- function(x) {
gsub("[.][0-9]{1,3}[.][0-9]{1,3}$", "", x)
}
convert.subnet.24 <- function(x) {
gsub("[.][0-9]{1,3}$", "", x)
}
unique.outbound.ips <- data.table(
ip = unique.outbound.ips,
subnet.16 = convert.subnet.16(unique.outbound.ips),
subnet.24 = convert.subnet.24(unique.outbound.ips))
nrow(unique.outbound.ips)
uniqueN(unique.outbound.ips$subnet.16)
uniqueN(unique.outbound.ips$subnet.24)
ban_list.singletons <- ban_list[! grepl("/", ban_list)]
ban_list.ranges <- ban_list[grepl("/", ban_list)]
uniqueN(convert.subnet.16(ban_list.singletons))
malicious.ips <- unique.outbound.ips[ip %in% ban_list.singletons, ip]
for (i in ban_list.ranges) {
for (j in seq_along(unique.outbound.ips$ip)) {
if ( ! is.na(IP::ip.match(IP::ipv4(unique.outbound.ips$ip[j]), IP::ipv4r( i )))) {
malicious.ips <- c(malicious.ips, unique.outbound.ips$ip[j])
}
}
}
h_d <- unique.outbound.ips[ ! ip %in% malicious.ips, uniqueN(ip)]
h_s <- unique.outbound.ips[ ! ip %in% malicious.ips, uniqueN(subnet.16)]
h_d / h_s
# Condition for p_ss > p_dd
unique.outbound.ips[, type := ifelse(ip %in% malicious.ips, "spy", "honest")]
unique.outbound.ips[, y := 1]
library(ggplot2)
library(treemapify)
png("pdf/images/treemap-status-quo.png", width = 1000, height = 1000)
ggplot(unique.outbound.ips, aes(area = y, fill = type,
subgroup = subnet.16, subgroup2 = subnet.24)) +
labs(title = "Subnet treemap of honest and spy nodes",
subtitle = "Black perimeters indicate /16 subnet groupings. Yellow indicates /24 subnets.") +
geom_treemap() +
geom_treemap_subgroup2_border(colour = "yellow", size = 1.5) +
geom_treemap_subgroup_border(color = "black", size = 2) +
scale_fill_manual(name = "Node type:",
values = c(scales::muted("blue", l = 40), scales::muted("red", l = 60))) +
geom_treemap_subgroup_text(colour = "white", place = "centre", grow = TRUE, min.size = 8) +
theme(plot.title = element_text(size = 25),
plot.subtitle = element_text(size = 18),
legend.title = element_text(size = 18),
legend.text = element_text(size = 18),
legend.position = "top")
dev.off()
unique.outbound.ips.deduplicated <- unique.outbound.ips[,
.(spy.share = mean(type == "spy")), by = "subnet.16"]
unique.outbound.ips.deduplicated[, type := "mixed"]
unique.outbound.ips.deduplicated[spy.share == 1, type := "spy"]
unique.outbound.ips.deduplicated[spy.share == 0, type := "honest"]
unique.outbound.ips.deduplicated[, y := 1]
setorder(unique.outbound.ips.deduplicated, type)
setorder(unique.outbound.ips.deduplicated, spy.share)
png("pdf/images/treemap-16-subnet-deduplication.png", width = 1000, height = 1000)
ggplot(unique.outbound.ips.deduplicated, aes(area = y, fill = spy.share)) +
labs(title = "Subnet treemap of honest and spy nodes after /16 subnet deduplication") +
geom_treemap(start = "topright") + # layout = "fixed"
# start: The corner in which to start placing the tiles. One of
# 'bottomleft' (the default), 'topleft', 'topright' or 'bottomright'.
scale_fill_gradient2(name = "Spy share: ", midpoint = 0.5,
low = scales::muted("blue", l = 40), high = scales::muted("red", l = 60)) +
# guides(fill = guide_legend(title = "Spy share")) +
guides(fill = guide_colorbar(barwidth = 20)) +
theme(plot.title = element_text(size = 25),
legend.title = element_text(size = 18),
legend.text = element_text(size = 18),
legend.position = "top")
dev.off()
threads <- 4
future::plan(future::multicore, workers = threads)
# Change to future::multisession if on Windows or in RStudio
n.default.out <- 12
n.nodes <- 10000
choose.peers <- function(unique.outbound.ips, connections, n.default.out, method) {
while(length(connections) < n.default.out) {
if (method == "status quo") {
candidates <- unique.outbound.ips[! subnet.16 %in% convert.subnet.16(connections), ip]
}
if (method == "subnet deduplication") {
candidates <- unique.outbound.ips[! subnet.16 %in% convert.subnet.16(connections), ]
candidates <- candidates[sample.int(.N), ]
candidates <- candidates[!duplicated(subnet.16), ip]
}
connections[length(connections) + 1] <- sample(candidates, 1)
}
connections
}
set.seed(314)
status.quo <- future.apply::future_replicate(n.nodes,
choose.peers(unique.outbound.ips, c(), n.default.out, "status quo"),
future.packages = "data.table")
deduplicated <- future.apply::future_replicate(n.nodes,
choose.peers(unique.outbound.ips, c(), n.default.out, "subnet deduplication"),
future.packages = "data.table")
mean(c(status.quo) %in% malicious.ips)
mean(c(deduplicated) %in% malicious.ips)
churn.peers <- function(x, churns, method) {
for (i in seq_len(churns)) {
x <- sample(x, length(x) - 1)
x <- choose.peers(unique.outbound.ips, x, n.default.out, method)
}
x
}
set.seed(314)
status.quo.churned <- future.apply::future_apply(status.quo, MARGIN = 2,
function(x) { churn.peers(x, 100, "status quo") },
future.seed = TRUE, future.packages = "data.table")
deduplicated.churned <- future.apply::future_apply(deduplicated, MARGIN = 2,
function(x) { churn.peers(x, 100, "subnet deduplication") },
future.seed = TRUE, future.packages = "data.table")
mean(c(status.quo.churned) %in% malicious.ips)
mean(c(deduplicated.churned) %in% malicious.ips)

1
Monero-Peer-Subnet-Deduplication/pdf/LICENSE Normal file
View file

@ -0,0 +1 @@
Works in this directory are Copyright 2025 Rucknium and licensed under CC BY-SA 4.0. To view a copy of this license, visit https://creativecommons.org/licenses/by-sa/4.0/

BIN
Monero-Peer-Subnet-Deduplication/pdf/images/stem-phase.jpg Normal file
View file

Binary file not shown.
Side by side

After

(image error) Size: 33 KiB

BIN
Monero-Peer-Subnet-Deduplication/pdf/images/treemap-16-subnet-deduplication.png Normal file
View file

Binary file not shown.
Side by side

After

(image error) Size: 41 KiB

BIN
Monero-Peer-Subnet-Deduplication/pdf/images/treemap-status-quo.png Normal file
View file

Binary file not shown.
Side by side

After

(image error) Size: 226 KiB

BIN
Monero-Peer-Subnet-Deduplication/pdf/monero-peer-subnet-deduplication.pdf Normal file
View file

Binary file not shown.

497
Monero-Peer-Subnet-Deduplication/pdf/monero-peer-subnet-deduplication.tex Normal file
View file

@ -0,0 +1,497 @@
\documentclass[usletter,11pt,english,openany]{article}
\usepackage{float}
\usepackage{wrapfig}
%Primary packages
\usepackage{fancyvrb}
\usepackage[utf8]{inputenc}
\usepackage[english]{babel}
\usepackage[pdftex]{graphicx}
% Useful packages:
% Advanced mathematical formulas and symbols
% -------------------------------------
\usepackage{amsmath}
\usepackage{amssymb}
\usepackage{amsfonts}
\usepackage{bm}
% Footnotes
% -------------------------------------
\usepackage[stable,splitrule]{footmisc}
% Color management package
% -------------------------------------
\usepackage[usenames,dvipsnames]{xcolor}
% Control line spacing
% -------------------------------------
% putting this between footmisc and hyperref seemed to fix broken footnote links
\usepackage{setspace}
\AtBeginDocument{\let~=\nobreakspace}
\usepackage{lineno}
\linenumbers
\spacing{1.4}
\usepackage[bookmarks=true]{hyperref}
\hypersetup{colorlinks=false}
\usepackage{orcidlink}
\usepackage{booktabs}
\usepackage{caption}
\usepackage{longtable}
\usepackage[T1]{fontenc}
\usepackage{geometry}
\geometry{verbose,tmargin=2cm,bmargin=2cm,lmargin=2cm,rmargin=2cm}
\usepackage{array}
\usepackage{url}
\usepackage{multirow}
\usepackage{stackrel}
\usepackage{rotating}
\usepackage{longtable}
\usepackage{booktabs}
% https://tex.stackexchange.com/questions/151241/remove-metadata-of-pdf-generated-by-latex
\hypersetup{
bookmarks=true, % show bookmarks bar?
unicode=false, % non-Latin characters in Acrobat's bookmarks
pdftoolbar=true, % show Acrobat's toolbar?
pdfmenubar=true, % show Acrobat's menu?
pdffitwindow=false, % window fit to page when opened
% pdfstartview={FitW}, % fits the width of the page to the window
pdftitle={Subnet Deduplication for Monero Node Peer Selection}, % title
pdfauthor={Rucknium}, % author
pdfsubject={}, % subject of the document
pdfcreator={Rucknium}, % creator of the document
pdfproducer={}, % producer of the document
pdfkeywords={}, % list of keywords
pdfnewwindow=true, % links in new window
colorlinks=false, % false: boxed links; true: colored links
linkcolor=red, % color of internal links
citecolor=green, % color of links to bibliography
filecolor=magenta, % color of file links
urlcolor=cyan % color of external links
}
\begin{document}
\title{Subnet Deduplication for Monero Node Peer Selection\\\vspace{.3cm}
\large Draft v0.1\vspace{-.715cm}}
\author{Rucknium\orcidlink{0000-0001-5999-8950} }
\date{February 12, 2025}
\maketitle
\begin{abstract}
Spying adversaries can set up nodes on the Monero network to try to
guess the IP address origin of a Monero transaction. A larger number
of spy nodes increases the accuracy of the guesses. Adversaries can
take advantage of bulk pricing on leasing subnets, which are contiguous
blocks of IP addresses. This research note analyzes the effectiveness
of a subnet deduplication algorithm for peer node selection. The effectiveness
of the proposed algorithm against a real spy node adversary is simulated.
The share of an honest node's connections that are spy nodes is reduced
to 2.5 percent, compared to 33.0 percent when using the status quo
peer selection algorithm. Then a game is analyzed where an adversary
is free to choose its IP address leasing strategy. The subnet deduplication
algorithm is more effective against the agile spy adversary when the
price premium of leasing subnet-distinct IP addresses is greater than
the concentration of honest nodes in subnets. Given current network
conditions, the price premium must be 38 percent or greater.
\end{abstract}
\section{Statement of the problem}
Spy nodes operating on the Monero network are a theoretical and practical
threat to user privacy. The Dandelion++ protocol helps prevent spy
nodes from determining the true IP address origin of Monero transactions,
but too many spy nodes can reduce the effectiveness of Dandelion++
\cite{Fanti2018a}. Since honest nodes and spy nodes alike do not
require permission to join the network, the only known reliable way
to limit the number of spy nodes is to impose an economic cost on
the spy node operator.
One cost that spy node operators must pay is leasing IP addresses.
Spy node operators can and do get bulk discounts by leasing contiguous
ranges of IP addresses, called ``subnets''. The purpose of this
research note is to analyze a countermeasure against an adversary's
bulk leasing strategy. The countermeasure is simple: instead of randomly
selecting peer connections from the initial candidate IP address list
where spy nodes have strategically overrepresented themselves, first
eliminate duplicate IP addresses in the same subnet and then select
randomly from the deduplicated candidate peer list.
\section{Background}
Dandelion++, implemented in Monero in 2020, is a transaction relay
protocol that reduces the probability that spy nodes will be able
to guess the true IP address origin of a Monero transaction. Dandelion++
is much better than basic transaction relay methods used before, but
it cannot completely defeat spy nodes. The share, $p$, of an honest
node's outbound connections that are made to spy nodes determines
the honest node's privacy risk at any given time. Higher $p$ means
greater privacy risk.
The ``outbound'' qualifier in ``outbound connections'' is important.
An outbound connection from Alice's node is a connection that Alice
initiates to a peer of her choosing. Alice's inbound connections are
connection that other nodes initiate. In the stem phase of Dandelion++,
which is the privacy-sensitive phase, transactions are relayed only
to an outbound connection. Therefore, the effectiveness of Dandelion++
depends on the honest nodes' probability of selecting spy nodes as
outbound connections.
\begin{figure}
\begin{centering}
\caption{Dandelion++ stem phase illustration (courtesy of Vosto Emisio \protect\href{https://youtu.be/hM6TF3co7lI}{https://youtu.be/hM6TF3co7lI})}
\par\end{centering}
\centering{}\includegraphics[scale=0.5]{images/stem-phase}
\end{figure}
The objective of the adversary is to increase the probability that
honest nodes connect to the spy nodes. They can do this by routing
traffic from leased IP addresses to their spy nodes. Honest nodes
routinely share the IP addresses of nodes with each other. Since the
Monero network is permissionless, spy nodes can simply share their
IP addresses with a few honest nodes. Then the spy node IP addresses
propagate throughout the network as honest nodes share peer IP addresses
with each other. See \cite{Cao2020} for more information on peer
list propagation. Honest nodes randomly select from their peer candidate
list when they drop old outbound connections and create new ones.
A subnet is a grouping of IP addresses. For example, a subnet with
256 IP addresses can be defined by setting the first three numbers
in dot-decimal notation to the same value, then having a distinct
number in the final position. Such a subnet could be all IP addresses
between \texttt{91.198.115.0} and \texttt{91.198.115.255}. This is
called a \texttt{/24} subnet because the first 24 bits of the IP address
are fixed, and the rest are allowed to vary. Another subnet that we
will discuss is the \texttt{/16} subnet, which follows a pattern of
\texttt{x.x.any.any}. Despite 16 being a smaller number than 24, a
\texttt{/16} subnet is much larger than a \texttt{/24} subnet, constituting
65,536 possible IP addresses instead of 256.
There are only about 4 billion possible IP addresses in the usual
IPv4 format. IPv6 addresses, which allow about $3.4\times10^{38}$
possible addresses, are disabled by default in the Monero node software
exactly because it would be too easy for an adversary to set up thousands
of IPv6 spy nodes cheaply.\footnote{See \href{https://libera.monerologs.net/monero/20230404\#c230903-c230904}{https://libera.monerologs.net/monero/20230404\#c230903-c230904}}
Where there is scarcity and demand, there is a market and therefore
a price. The limited IPv4 addresses are controlled by governments,
telecommunications companies, universities, and similar entities.
Some of these entities lease IP addresses on the open market. When
leasing in bulk, IP addresses are usually grouped into subnets. Some
brokers and lessors quote 118 to 250 USD per \texttt{/24} subnet per
month, which works out to 0.46 to 0.98 USD per IP address per month.\footnote{See \href{https://www.ipxo.com/lease-ips/}{https://www.ipxo.com/lease-ips/},
, \href{https://www.logicweb.com/bulk-ip-address-leasing/}{https://www.logicweb.com/bulk-ip-address-leasing/},
and \href{https://www.forked.net/ip-address-leasing/}{https://www.forked.net/ip-address-leasing/}}
Evidence uncovered by Monero developer boog900 suggests that a spy
node network is currently operating on the Monero network.\footnote{\href{https://github.com/monero-project/research-lab/issues/126}{https://github.com/monero-project/research-lab/issues/126}}
The spy node operator is leasing a combination of whole \texttt{/24}
subnets and individual IP addresses. As a temporary measure, the Monero
Research Lab has recommended that honest Monero node operators prevent
connections to the suspected spy node IP addresses by enabling a -{}\texttt{-ban-list}
option on their nodes.\footnote{See \href{https://github.com/monero-project/meta/issues/1124}{https://github.com/monero-project/meta/issues/1124}}
Enabling a ban list:
\begin{enumerate}
\item Requires node operators to trust the judgment and honesty of Monero's
developers and researchers,
\item Requires updating the IP address list if the adversary changes the
IP addresses it is leasing, and
\item Does not work against an adversary who deploys spy nodes that are
harder to distinguish from honest nodes.
\end{enumerate}
Therefore, a more universal solution is desired. Subnet deduplication
can counteract the adversary's bulk discount on leasing whole subnets.
First we will analyze the effect of subnet deduplication on the effectiveness
of the actual spy nodes currently deployed on the Monero network.
Then we will determine under what conditions subnet deduplication
is more effective than the status quo peer selection algorithm when
an adversary has free choice of whether to lease subnets or subnet-distinct
IP addresses.
\section{Simulated effect of subnet deduplication on current spy node effectiveness}
Monero's status quo peer selection algorithm does have one existing
countermeasure against spy node subnets. If Alice's node is already
connected to an IP address within a specific \texttt{/16} subnet,
then Alice's node will not connect to another node in that subnet.\footnote{\href{https://github.com/monero-project/monero/blob/84df77404e8bcbe1cf409f64c81e4e4f9c84885b/src/p2p/net_node.inl\#L1588}{https://github.com/monero-project/monero/blob/84df77404e8bcbe1cf409f64c81e4e4f9c84885b/src/p2p/net\_node.inl\#L1588}}
When an adversary leases many\texttt{ /24} subnets that are in distinct
\texttt{/16} subnets, this countermeasure is not very effective. Note
that the Tor protocol requires that no two nodes in its three-node
circuit can be in the same \texttt{/16} subnet \cite{Rochet2020}.
The proposed subnet deduplication peer selection algorithm keeps the
original rule about not selecting a peer that is in a \texttt{/16}
subnet that Alice is already connected to. In addition, it eliminates
from the peer candidate list all but one IP address in each \texttt{/16}
subnet. This form of the subnet deduplication algorithm is the most
aggressive. Less aggressive forms could deduplicate at a smaller subnet
level or keep more than one IP address in each subnet after deduplication.
To compare the effectiveness of spy nodes against the status quo algorithm
and the subnet deduplication algorithm, we must collect a list of
spy nodes, honest nodes, and their subnets. A list of IP addresses
accepting inbound connections for the Monero protocol can be obtained
easily by a Monero network scan.\footnote{\href{https://gist.github.com/Boog900/5e9fe91197fbbf5f5214df77de0c8cd8}{https://gist.github.com/Boog900/5e9fe91197fbbf5f5214df77de0c8cd8}}
First, the scanner contacts the Monero seed nodes to get an initial
list of nodes on the network. Then the scanner contacts all the nodes
on the initial list, requesting their own lists of nodes' IP addresses.
The scanner iterates through the accumulated list until all contactable
nodes have been contacted. These nodes can be classified into their
subnets and cross-referenced against the list of suspected spy nodes.
Figure \ref{fig-pre-dedup-treemap} plots a treemap of honest nodes
and spy nodes that accept inbound connections, based on a network
scan performed on February 11, 2025. Each of the 4,433 small colored
rectangles represents one node's IP address. Nodes in the same \texttt{/16}
subnet are grouped inside black-lined perimeters and are labeled with
white text where possible. Nodes in the same /24 subnet are grouped
inside yellow-lined perimeters. The share of the plot area that is
red is approximately the share of spy nodes on the network. Along
the left side and bottom of the plot, we observe six \texttt{/24}
subnets within distinct \texttt{/16} subnets that are entirely occupied
by spy nodes. Smaller numbers of spy nodes are scattered among \texttt{/16}
subnets that they share with some honest nodes, yet are in distinct
\texttt{/24} subnets (observe the yellow lines). These subnets are
likely owned by server providers used by honest nodes and spy nodes
alike. There are only two spy nodes alone in their own \texttt{/16}
subnets, but the majority of honest nodes are alone in their own \texttt{/16}
subnet.
\begin{figure}[H]
\caption{Subnet treemap of honest and spy nodes}
\label{fig-pre-dedup-treemap}
\includegraphics[scale=0.5]{images/treemap-status-quo}
\end{figure}
Figure \ref{fig-post-dedup-treemap} shows a treemap of honest nodes
and spy nodes after deduplication of \texttt{/16} subnets. When a
\texttt{/16} subnet contains both honest nodes and spy nodes, the
rectangle's color is a mixture of blue and red proportional to the
share of honest and spy nodes in the subnet. Compared to Figure \ref{fig-pre-dedup-treemap},
the area occupied by the red spy nodes is much smaller after subnet
deduplication.
\begin{figure}[H]
\caption{Subnet treemap of Honest and spy nodes after /16 subnet deduplication}
\label{fig-post-dedup-treemap}
\includegraphics[scale=0.5]{images/treemap-16-subnet-deduplication}
\end{figure}
If each node chose a single peer node, then the share of connections
to spy nodes could be computed simply by dividing the total number
of nodes by the number of spy nodes. However, by default nodes choose
12 outbound peers without replacement. Probability computations where
elements are drawn without replacement with unequal probability are
known to be much more complicated than in problems where elements
are drawn with replacement with unequal probability \cite{TILLE2023100533}.
The computation is further complicated by the the status quo rule
to not select a peer in a \texttt{/16} subnet when already connected
to a peer in that \texttt{/16} subnet.
I wrote a Monte Carlo simulation that imitates the status quo and
subnet deduplication peer selection algorithms, using the data from
the network scan as its basis. First, the 12 outbound peer slots are
filled sequentially using the respective peer selection algorithm.
Then, peer ``churn'' is simulated 100 times. A churn occurs when
one peer is randomly dropped and a new one chosen, using the peer
selection rules. This simulation is done 10,000 times to estimate
the real share of a typical nodes's outbound peer connections that
would be composed of spy nodes. Note that the Monte Carlo simulation
ignores the fact that nodes' \texttt{white\_list} and \texttt{gray\_list}
are limited to 1,000 and 5,000 IP addresses, respectively. See \cite{Cao2020}
for more details about Monero's graylist housekeeping.
The results of the Monte Carlo simulation are as follows. When the
status quo peer selection algorithm is used, the share of connections
to spy nodes is 33.0 percent. When the subnet deduplication peer selection
algorithm is used, the share of connections to spy nodes is 2.5 percent.
\section{Protocol-adversary interaction as a game}
Behavior is not static. When the actions of one agent change, other
agents may change their behavior, too. Therefore, we must go beyond
analyzing the effectiveness of subnet deduplication against a specific
adversary's current behavior. If the Monero protocol switches to subnet
deduplication, could privacy actually worsen? Can the cure be worse
than the disease? We will set up a simple game theory model and compute
under what conditions it is better to use the subnet deduplication
peer selection strategy. The theoretical result of this section is
that the choice of the honest node's strategy depends on the price
difference between bulk and individual IP address leasing, compared
to the concentration of honest nodes within subnets.
We make the following assumptions:
\begin{enumerate}
\item The privacy impact of spy nodes is equal to the probability of connecting
to a spy node in a single draw, with replacement. This ignores the
more complicated computations of drawing without replacement discussed
in the previous section.
\item Conditional on the pricing structure (i.e. bulk subnet or subnet-distinct
IP addresses), costs are a linear function of price. In other words,
if $w$ is the price and $x$ is the number of IP addresses leased,
then the cost is $w\cdot x$. This assumption may not be realistic
if the adversary exhausts low-cost IP address providers when leasing
a large number of IP addresses, and then must resort to high-cost
IP address providers.
\item The adversary is assumed to either lease only subnets or only subnet-distinct
IP addresses, i.e. no hybrid strategies. This assumption could be
relaxed in further work.
\end{enumerate}
There are two players, an honest node and a spying adversary. They
each can play two possible strategies. The honest node can use the
status quo peer selection algorithm or the subnet deduplication peer
selection algorithm. The adversary can lease whole \texttt{/24} subnets
at a bulk price discount or lease individual subnet-distinct IP addresses.
The game is assumed to be zero-sum. The payoff function for the adversary
is the probability that a single peer chosen by the honest node is
a spy node. The payoff function for the honest node is the negative
of that probability.
Define these probabilities that an honest node selects a spy node
peer:
$p_{s,s}$ when the honest node uses the status quo peer selection
algorithm and the adversary leases whole subnets,
$p_{d,s}$ when the honest node uses the subnet deduplication peer
selection algorithm and the adversary leases whole subnets,
$p_{s,d}$ when the honest node uses the status quo peer selection
algorithm and the adversary leases subnet-distinct IP addresses, and
$p_{d,d}$ when the honest node uses the subnet deduplication peer
selection algorithm and the adversary leases subnet-distinct IP addresses.
Table \ref{table-normal-form-game} shows the normal-form game. The
left side of each cell is the honest node's payoff. The right side
is the adversary's payoff.
\begin{table}
\caption{2x2 normal-form game}
\label{table-normal-form-game}
\begin{tabular}{|c|c|c|c|}
\cline{3-4} \cline{4-4}
\multicolumn{1}{c}{} & & \multicolumn{2}{c|}{Adversary}\tabularnewline
\cline{3-4} \cline{4-4}
\multicolumn{1}{c}{} & & Lease whole subnets & Lease subnet-distinct IP addresses\tabularnewline
\hline
\multirow{2}{*}{Honest node} & Status quo & $-p_{s,s}$,$\quad$$p_{s,s}$ & $-p_{s,d}$,$\quad$$p_{s,d}$\tabularnewline
\cline{2-4} \cline{3-4} \cline{4-4}
& Subnet deduplication & $-p_{d,s}$,$\quad$$p_{d,s}$ & $-p_{d,d}$,$\quad$$p_{d,d}$\tabularnewline
\hline
\end{tabular}
\end{table}
We want to know under what conditions will the honest node have more
privacy with a subnet deduplication peer selection algorithm instead
of the status quo peer selection algorithm. We assume that the adversary
uses the ``lease whole subnets'' strategy when the honest node uses
the status quo algorithm and the adversary uses the ``lease subnet-distinct
IP addresses'' strategy when the honest node uses the subnet deduplication
algorithm. Therefore, we want to know under what conditions $p_{s,s}>p_{d,d}$.
Let
$h_{s}$ be the total number of honest nodes that accept inbound connections,
including nodes in the same subnet,
$b$ be the budget of adversary,
$a$ be number of IP addresses leased by adversary, and
$w_{s}$ be the price per IP address when leasing whole subnets. (If
the price to lease a subnet is 150 USD, then the price per IP address
is 150/254 = 0.59 USD because there are 254 usable IP addresses in
a \texttt{/24} subnet.)
When using the status quo peer selection algorithm, the probability
that an honest node selects an adversary's IP address as a peer is
simply the share of nodes operated by the adversary:
$p_{s,s}=\dfrac{a}{h_{s}+a}$
How many adversary nodes exist? The adversary exhausts its budget,
so $a=b/w_{s}$. Now we have the probability that an honest node selects
an adversary's IP address as a peer in terms of the adversary's budget,
the price per leased IP address, and the number of honest nodes:
$p_{s,s}=\dfrac{b/w_{s}}{h_{s}+b/w_{s}}$
Multiplying through by $w_{s}$ gets us a simpler expression:
\begin{equation}
p_{s,s}=\dfrac{b}{w_{s}h_{s}+b}\label{eq:pss}
\end{equation}
$p_{s,s}$ denotes the probability that an honest node selects an
adversary's IP address when honest nodes are following the status
quo peer selection algorithm and the adversary is leasing whole subnets.
Next, we will compute $p_{d,d}$, the probability that an honest node
selects an adversary's IP address when honest nodes are following
a subnet deduplication peer selection algorithm and the adversary
is leasing IP addresses only in distinct subnets.
Let
$h_{d}$ be the number of distinct subnets with at least one honest
node and
$w_{d}$ be the price to lease one subnet-distinct IP address.
By a similar logic as in the $p_{s,s}$ case,
\begin{equation}
p_{d,d}=\dfrac{b}{w_{d}h_{d}+b}\label{eq:pdd}
\end{equation}
Comparing (\ref{eq:pss}) and (\ref{eq:pdd}), it is easy to see that
$p_{s,s}>p_{d,d}$ if and only if $w_{s}h_{s}<w_{d}h_{d}$. Rearranging,
we have this condition:
\begin{equation}
\dfrac{w_{s}}{w_{d}}<\dfrac{h_{d}}{h_{s}}
\end{equation}
This inequality says that subnet deduplication is a better strategy
for the honest node if the price premium of leasing subnet-distinct
IP addresses is less than the ratio of the number of distinct subnets
with at least one honest node to the total number of honest nodes.
Note that this condition does not depend on the adversary's budget.
At any given moment, $h_{d}/h_{s}$ can be computed by performing
a network scan, assuming we can determine which nodes are honest.
Using the network scan and list of suspected spy nodes from the previous
section, we have $h_{d}/h_{s}=1.38$. That means that the subnet deduplication
algorithm is better than the status quo if the price premium to lease
subnet-distinct IP addreses is 38 percent or greater. Of course, the
subnet concentration of honest nodes can change over time.
\begin{singlespace}
\bibliographystyle{apalike-ejor}
\addcontentsline{toc}{section}{\refname}\bibliography{references}
\end{singlespace}
\end{document}

66
Monero-Peer-Subnet-Deduplication/pdf/references.bib Normal file
View file

@ -0,0 +1,66 @@
@inproceedings{Cao2020,
title = "Exploring the Monero Peer-to-Peer Network",
ISBN = "978-3-030-51280-4",
year = "2020",
URL = "https://link.springer.com/chapter/10.1007/978-3-030-51280-4_31",
booktitle = "Financial Cryptography and Data Security",
pages = "578--594",
author = "Cao, Tong and Yu, Jiangshan and Decouchant, J{\'e}r{\'e}mie and Luo, Xiapu and Verissimo, Paulo",
editor = "Bonneau, Joseph and Heninger, Nadia",
abstract = "As of September 2019, Monero is the most capitalized privacy-preserving cryptocurrency, and is ranked tenth among all cryptocurrencies. Monero's on-chain data privacy guarantees, i.e., how mixins are selected in each transaction, have been extensively studied. However, despite Monero's prominence, the network of peers running Monero clients has not been analyzed. Such analysis is of prime importance, since potential vulnerabilities in the peer-to-peer network may lead to attacks on the blockchain's safety (e.g., by isolating a set of nodes) and on users' privacy (e.g., tracing transactions flow in the network).",
publisher = "Springer International Publishing",
}
@article{Fanti2018a,
title = "Dandelion++: Lightweight Cryptocurrency Networking with Formal Anonymity Guarantees",
DOI = "10.1145/3224424",
volume = "2",
number = "2",
year = "2018",
URL = "https://doi.org/10.1145/3224424",
journal = "Proc. ACM Meas. Anal. Comput. Syst.",
author = "Fanti, Giulia and Venkatakrishnan, Shaileshh Bojja and Bakshi, Surya and Denby, Bradley and Bhargava, Shruti and Miller, Andrew and Viswanath, Pramod",
abstract = "Recent work has demonstrated significant anonymity vulnerabilities in Bitcoin's networking stack. In particular, the current mechanism for broadcasting Bitcoin transactions allows third-party observers to link transactions to the IP addresses that originated them. This lays the groundwork for low-cost, large-scale deanonymization attacks. In this work, we present Algopp, a first-principles defense against large-scale deanonymization attacks with near-optimal information-theoretic guarantees. Dandelion++ builds upon a recent proposal called Dandelion that exhibited similar goals. However, in this paper, we highlight some simplifying assumptions made in Dandelion, and show how they can lead to serious deanonymization attacks when violated. In contrast, Dandelion++ defends against stronger adversaries that are allowed to disobey protocol. Dandelion++ is lightweight, scalable, and completely interoperable with the existing Bitcoin network. We evaluate it through experiments on Bitcoin's mainnet (i.e., the live Bitcoin network) to demonstrate its interoperability and low broadcast latency overhead.",
}
@inproceedings{Rochet2020,
author = {Rochet, Florentin and Wails, Ryan and Johnson, Aaron and Mittal, Prateek and Pereira, Olivier},
title = {CLAPS: Client-Location-Aware Path Selection in Tor},
year = {2020},
isbn = {9781450370899},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
url = {https://doi.org/10.1145/3372297.3417279},
doi = {10.1145/3372297.3417279},
abstract = {Much research has investigated improving the security and performance of Tor by having Tor clients choose paths through the network in a way that depends on the client's location. However, this approach has been demonstrated to lead to serious deanonymization attacks. Moreover, we show how in some scenarios it can lead to significant performance degradation. For example, we demonstrate that using the recently-proposed Counter-RAPTOR system when guard bandwidth isn't abundant could increase median download times by 28.7\%. We propose the CLAPS system for performing client-location-aware path selection, which fixes the known security and performance issues of existing designs. We experimentally compare the security and performance of CLAPS to Counter-RAPTOR and DeNASA. CLAPS puts a strict bound on the leakage of information about the client's location, where the other systems could completely reveal it after just a few connections. It also guarantees a limit on the advantage that an adversary can obtain by strategic relay placement, which we demonstrate to be overwhelming against the other systems. Finally, due to a powerful formalization of path selection as an optimization problem, CLAPS is approaching or even exceeding the original goals of algorithms to which it is applied, while solving their known deficiencies.},
booktitle = {Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security},
pages = {17-34},
numpages = {18},
keywords = {anonymity, onion routing, tor},
location = {Virtual Event, USA},
series = {CCS 2020}
}
@article{TILLE2023100533,
title = {Remarks on some misconceptions about unequal probability sampling without replacement},
journal = {Computer Science Review},
volume = {47},
pages = {100533},
year = {2023},
issn = {1574-0137},
doi = {https://doi.org/10.1016/j.cosrev.2022.100533},
url = {https://www.sciencedirect.com/science/article/pii/S1574013722000673},
author = {Yves Till{\'e}},
keywords = {Entropy, Inclusion probability, Poisson sampling, Sampling algorithm, Weighted sampling},
abstract = {Before computer scientists became interested in unequal probability sampling methods, they were widely studied by survey statisticians. We show that sometimes the same sampling methods have been proposed again without reference to existing methods. We also show that methods that are not correct and that were widely discussed in the 1950s are being proposed again. We review the most common errors and misunderstandings about these methods.}
}