
     1  Gossip data dissemination protocol
     2  ==================================
     4  Hyperledger Fabric optimizes blockchain network performance, security,
     5  and scalability by dividing workload across transaction execution
     6  (endorsing and committing) peers and transaction ordering nodes. This
     7  decoupling of network operations requires a secure, reliable and
     8  scalable data dissemination protocol to ensure data integrity and
     9  consistency. To meet these requirements, Fabric implements a
    10  **gossip data dissemination protocol**.
    12  Gossip protocol
    13  ---------------
    15  Peers leverage gossip to broadcast ledger and channel data in a scalable fashion.
    16  Gossip messaging is continuous, and each peer on a channel is
    17  constantly receiving current and consistent ledger data from multiple
    18  peers. Each gossiped message is signed, thereby allowing Byzantine participants
    19  sending faked messages to be easily identified and the distribution of the
    20  message(s) to unwanted targets to be prevented. Peers affected by delays, network
    21  partitions, or other causes resulting in missed blocks will eventually be
    22  synced up to the current ledger state by contacting peers in possession of these
    23  missing blocks.
    25  The gossip-based data dissemination protocol performs three primary functions on
    26  a Fabric network:
    28  1. Manages peer discovery and channel membership, by continually
    29     identifying available member peers, and eventually detecting peers that have
    30     gone offline.
    31  2. Disseminates ledger data across all peers on a channel. Any peer with data
    32     that is out of sync with the rest of the channel identifies the
    33     missing blocks and syncs itself by copying the correct data.
    34  3. Bring newly connected peers up to speed by allowing peer-to-peer state
    35     transfer update of ledger data.
    37  Gossip-based broadcasting operates by peers receiving messages from
    38  other peers on the channel, and then forwarding these messages to a number of
    39  randomly selected peers on the channel, where this number is a configurable
    40  constant. Peers can also exercise a pull mechanism rather than waiting for
    41  delivery of a message. This cycle repeats, with the result of channel
    42  membership, ledger and state information continually being kept current and in
    43  sync. For dissemination of new blocks, the **leader** peer on the channel pulls
    44  the data from the ordering service and initiates gossip dissemination to peers
    45  in its own organization.
    47  Leader election
    48  ---------------
    50  The leader election mechanism is used to **elect** one peer per organization
    51  which will maintain connection with the ordering service and initiate distribution of
    52  newly arrived blocks across the peers of its own organization. Leveraging leader election
    53  provides the system with the ability to efficiently utilize the bandwidth of the ordering
    54  service. There are two possible modes of operation for a leader election module:
    56  1. **Static** --- a system administrator manually configures a peer in an organization to
    57     be the leader.
    58  2. **Dynamic** --- peers execute a leader election procedure to select one peer in an
    59     organization to become leader.
    61  Static leader election
    62  ~~~~~~~~~~~~~~~~~~~~~~
    64  Static leader election allows you to manually define one or more peers within an
    65  organization as leader peers.  Please note, however, that having too many peers connect
    66  to the ordering service may result in inefficient use of bandwidth. To enable static
    67  leader election mode, configure the following parameters within the section of ``core.yaml``:
    69  ::
    71      peer:
    72          # Gossip related configuration
    73          gossip:
    74              useLeaderElection: false
    75              orgLeader: true
    77  Alternatively these parameters could be configured and overridden with environmental variables:
    79  ::
    82      export CORE_PEER_GOSSIP_ORGLEADER=true
    85  .. note:: The following configuration will keep peer in **stand-by** mode, i.e.
    86            peer will not try to become a leader:
    88  ::
    91      export CORE_PEER_GOSSIP_ORGLEADER=false
    94     with ``true`` value is ambiguous and will lead to an error.
    95  3. In static configuration organization admin is responsible to provide high availability
    96     of the leader node in case for failure or crashes.
    98  Dynamic leader election
    99  ~~~~~~~~~~~~~~~~~~~~~~~
   101  Dynamic leader election enables organization peers to **elect** one peer which will
   102  connect to the ordering service and pull out new blocks. This leader is elected
   103  for an organization's peers independently.
   105  A dynamically elected leader sends **heartbeat** messages to the rest of the peers
   106  as an evidence of liveness. If one or more peers don't receive **heartbeats** updates
   107  during a set period of time, they will elect a new leader.
   109  In the worst case scenario of a network partition, there will be more than one
   110  active leader for organization to guarantee resiliency and availability to allow
   111  an organization's peers to continue making progress. After the network partition
   112  has been healed, one of the leaders will relinquish its leadership. In
   113  a steady state with no network partitions, there will be
   114  **only** one active leader connecting to the ordering service.
   116  Following configuration controls frequency of the leader **heartbeat** messages:
   118  ::
   120      peer:
   121          # Gossip related configuration
   122          gossip:
   123              election:
   124                  leaderAliveThreshold: 10s
   126  In order to enable dynamic leader election, the following parameters need to be configured
   127  within ``core.yaml``:
   129  ::
   131      peer:
   132          # Gossip related configuration
   133          gossip:
   134              useLeaderElection: true
   135              orgLeader: false
   137  Alternatively these parameters could be configured and overridden with environment variables:
   139  ::
   142      export CORE_PEER_GOSSIP_ORGLEADER=false
   144  Anchor peers
   145  ------------
   147  Anchor peers are used by gossip to make sure peers in different organizations
   148  know about each other.
   150  When a configuration block that contains an update to the anchor peers is committed,
   151  peers reach out to the anchor peers and learn from them about all of the peers known
   152  to the anchor peer(s). Once at least one peer from each organization has contacted an
   153  anchor peer, the anchor peer learns about every peer in the channel. Since gossip
   154  communication is constant, and because peers always ask to be told about the existence
   155  of any peer they don't know about, a common view of membership can be established for
   156  a channel.
   158  For example, let's assume we have three organizations---`A`, `B`, `C`--- in the channel
   159  and a single anchor peer---`peer0.orgC`--- defined for organization `C`. When `peer1.orgA`
   160  (from organization `A`) contacts `peer0.orgC`, it will tell it about `peer0.orgA`. And
   161  when at a later time `peer1.orgB` contacts `peer0.orgC`, the latter would tell the
   162  former about `peer0.orgA`. From that point forward, organizations `A` and `B` would
   163  start exchanging membership information directly without any assistance from
   164  `peer0.orgC`.
   166  As communication across organizations depends on gossip in order to work, there must
   167  be at least one anchor peer defined in the channel configuration. It is strongly
   168  recommended that every organization provides its own set of anchor peers for high
   169  availability and redundancy. Note that the anchor peer does not need to be the
   170  same peer as the leader peer.
   172  External and internal endpoints
   173  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   175  In order for gossip to work effectively, peers need to be able to obtain the
   176  endpoint information of peers in their own organization as well as from peers in
   177  other organizations.
   179  When a peer is bootstrapped it will use ``peer.gossip.bootstrap`` in its
   180  ``core.yaml`` to advertise itself and exchange membership information, building
   181  a view of all available peers within its own organization.
   183  The ``peer.gossip.bootstrap`` property in the ``core.yaml`` of the peer is
   184  used to bootstrap gossip **within an organization**. If you are using gossip, you
   185  will typically configure all the peers in your organization to point to an initial set of
   186  bootstrap peers (you can specify a space-separated list of peers). The internal
   187  endpoint is usually auto-computed by the peer itself or just passed explicitly
   188  via ``core.peer.address`` in ``core.yaml``. If you need to overwrite this value,
   189  you can export ``CORE_PEER_GOSSIP_ENDPOINT`` as an environment variable.
   191  Bootstrap information is similarly required to establish communication **across
   192  organizations**. The initial cross-organization bootstrap information is provided
   193  via the "anchor peers" setting described above. If you want to make other peers
   194  in your organization known to other organizations, you need to set the
   195  ``peer.gossip.externalendpoint`` in the ``core.yaml`` of your peer.
   196  If this is not set, the endpoint information of the peer will not be broadcast
   197  to peers in other organizations.
   199  To set these properties, issue:
   201  ::
   203      export CORE_PEER_GOSSIP_BOOTSTRAP=<a list of peer endpoints within the peer's org>
   204      export CORE_PEER_GOSSIP_EXTERNALENDPOINT=<the peer endpoint, as known outside the org>
   206  Gossip messaging
   207  ----------------
   209  Online peers indicate their availability by continually broadcasting "alive"
   210  messages, with each containing the **public key infrastructure (PKI)** ID and the
   211  signature of the sender over the message. Peers maintain channel membership by collecting
   212  these alive messages; if no peer receives an alive message from a specific peer,
   213  this "dead" peer is eventually purged from channel membership. Because "alive"
   214  messages are cryptographically signed, malicious peers can never impersonate
   215  other peers, as they lack a signing key authorized by a root certificate
   216  authority (CA).
   218  In addition to the automatic forwarding of received messages, a state
   219  reconciliation process synchronizes **world state** across peers on each
   220  channel. Each peer continually pulls blocks from other peers on the channel,
   221  in order to repair its own state if discrepancies are identified. Because fixed
   222  connectivity is not required to maintain gossip-based data dissemination, the
   223  process reliably provides data consistency and integrity to the shared ledger,
   224  including tolerance for node crashes.
   226  Because channels are segregated, peers on one channel cannot message or
   227  share information on any other channel. Though any peer can belong
   228  to multiple channels, partitioned messaging prevents blocks from being disseminated
   229  to peers that are not in the channel by applying message routing policies based
   230  on a peers' channel subscriptions.
   232  .. note:: 1. Security of point-to-point messages are handled by the peer TLS layer, and do
   233            not require signatures. Peers are authenticated by their certificates,
   234            which are assigned by a CA. Although TLS certs are also used, it is
   235            the peer certificates that are authenticated in the gossip layer. Ledger blocks
   236            are signed by the ordering service, and then delivered to the leader peers on a channel.
   238            2. Authentication is governed by the membership service provider for the
   239            peer. When the peer connects to the channel for the first time, the
   240            TLS session binds with the membership identity. This essentially
   241            authenticates each peer to the connecting peer, with respect to
   242            membership in the network and channel.
