tendermint/docs/specification/new-spec/p2p/node.md

# Tendermint Peer Discovery

A Tendermint P2P network has different kinds of nodes with different requirements for connectivity to others.
This document describes what kind of nodes Tendermint should enable and how they should work.

## Seeds

Seeds are the first point of contact for a new node.
They return a list of known active peers and disconnect.

Seeds should operate full nodes, and with the PEX reactor in a "crawler" mode
that continuously explores to validate the availability of peers.

Seeds should only respond with some top percentile of the best peers it knows about.
See [reputation] for details on peer quality.

## New Full Node

A new node needs a few things to connect to the network:
- a list of seeds, which can be provided to Tendermint via config file or flags,
or hardcoded into the software by in-process apps
- a `ChainID`, also called `Network` at the p2p layer
- a recent block height, H, and hash, HASH for the blockchain.

The values `H` and `HASH` must be received and corroborated by means external to Tendermint, and specific to the user - ie. via the user's trusted social consensus.
This requirement to validate `H` and `HASH` out-of-band and via social consensus
is the essential difference in security models between Proof-of-Work and Proof-of-Stake blockchains.

With the above, the node then queries some seeds for peers for its chain,
dials those peers, and runs the Tendermint protocols with those it successfully connects to.

When the peer catches up to height H, it ensures the block hash matches HASH.
If not, Tendermint will exit, and the user must try again - either they are connected
to bad peers or their social consensus was invalidated.

## Restarted Full Node

A node checks its address book on startup and attempts to connect to peers from there.
If it can't connect to any peers after some time, it falls back to the seeds to find more.

Restarted full nodes can run the `blockchain` or `consensus` reactor protocols to sync up
to the latest state of the blockchain from wherever they were last.
In a Proof-of-Stake context, if they are sufficiently far behind (greater than the length
of the unbonding period), they will need to validate a recent `H` and `HASH` out-of-band again
so they know they have synced the correct chain.

## Validator Node

A validator node is a node that interfaces with a validator signing key.
These nodes require the highest security, and should not accept incoming connections.
They should maintain outgoing connections to a controlled set of "Sentry Nodes" that serve
as their proxy shield to the rest of the network.

Validators that know and trust each other can accept incoming connections from one another and maintain direct private connectivity via VPN.

## Sentry Node

Sentry nodes are guardians of a validator node and provide it access to the rest of the network.
They should be well connected to other full nodes on the network.
Sentry nodes may be dynamic, but should maintain persistent connections to some evolving random subset of each other.
They should always expect to have direct incoming connections from the validator node and its backup/s.
They do not report the validator node's address in the PEX.
They may be more strict about the quality of peers they keep.

Sentry nodes belonging to validators that trust each other may wish to maintain persistent connections via VPN with one another, but only report each other sparingly in the PEX.
p2p docs 2017-12-31 17:07:08 -05:00			`# Tendermint Peer Discovery`

			`A Tendermint P2P network has different kinds of nodes with different requirements for connectivity to others.`
			`This document describes what kind of nodes Tendermint should enable and how they should work.`

			`## Seeds`

			`Seeds are the first point of contact for a new node.`
			`They return a list of known active peers and disconnect.`

			`Seeds should operate full nodes, and with the PEX reactor in a "crawler" mode`
			`that continuously explores to validate the availability of peers.`

			`Seeds should only respond with some top percentile of the best peers it knows about.`
more p2p docs 2018-01-01 15:59:53 -05:00			`See [reputation] for details on peer quality.`
p2p docs 2017-12-31 17:07:08 -05:00
			`## New Full Node`

more p2p docs 2018-01-01 15:59:53 -05:00			`A new node needs a few things to connect to the network:`
			`- a list of seeds, which can be provided to Tendermint via config file or flags,`
			`or hardcoded into the software by in-process apps`
			- a `ChainID`, also called `Network` at the p2p layer
			`- a recent block height, H, and hash, HASH for the blockchain.`

			The values `H` and `HASH` must be received and corroborated by means external to Tendermint, and specific to the user - ie. via the user's trusted social consensus.
			This requirement to validate `H` and `HASH` out-of-band and via social consensus
			`is the essential difference in security models between Proof-of-Work and Proof-of-Stake blockchains.`
p2p docs 2017-12-31 17:07:08 -05:00
more p2p docs 2018-01-01 15:59:53 -05:00			`With the above, the node then queries some seeds for peers for its chain,`
p2p docs 2017-12-31 17:07:08 -05:00			`dials those peers, and runs the Tendermint protocols with those it successfully connects to.`

			`When the peer catches up to height H, it ensures the block hash matches HASH.`
more p2p docs 2018-01-01 15:59:53 -05:00			`If not, Tendermint will exit, and the user must try again - either they are connected`
			`to bad peers or their social consensus was invalidated.`
p2p docs 2017-12-31 17:07:08 -05:00
			`## Restarted Full Node`

			`A node checks its address book on startup and attempts to connect to peers from there.`
			`If it can't connect to any peers after some time, it falls back to the seeds to find more.`

more p2p docs 2018-01-01 15:59:53 -05:00			Restarted full nodes can run the `blockchain` or `consensus` reactor protocols to sync up
docs/p2p: updates from review (#1076) 2018-01-09 12:44:49 -05:00			`to the latest state of the blockchain from wherever they were last.`
			`In a Proof-of-Stake context, if they are sufficiently far behind (greater than the length`
			of the unbonding period), they will need to validate a recent `H` and `HASH` out-of-band again
			`so they know they have synced the correct chain.`
more p2p docs 2018-01-01 15:59:53 -05:00
p2p docs 2017-12-31 17:07:08 -05:00			`## Validator Node`

			`A validator node is a node that interfaces with a validator signing key.`
			`These nodes require the highest security, and should not accept incoming connections.`
			`They should maintain outgoing connections to a controlled set of "Sentry Nodes" that serve`
			`as their proxy shield to the rest of the network.`

			`Validators that know and trust each other can accept incoming connections from one another and maintain direct private connectivity via VPN.`

			`## Sentry Node`

			`Sentry nodes are guardians of a validator node and provide it access to the rest of the network.`
docs/p2p: updates from review (#1076) 2018-01-09 12:44:49 -05:00			`They should be well connected to other full nodes on the network.`
p2p docs 2017-12-31 17:07:08 -05:00			`Sentry nodes may be dynamic, but should maintain persistent connections to some evolving random subset of each other.`
			`They should always expect to have direct incoming connections from the validator node and its backup/s.`
			`They do not report the validator node's address in the PEX.`
			`They may be more strict about the quality of peers they keep.`

			`Sentry nodes belonging to validators that trust each other may wish to maintain persistent connections via VPN with one another, but only report each other sparingly in the PEX.`