Review Corda resilience and vulnerability when nodes are registered on the network with unexpectedly long names


This specifically relates to ticket and (affecting B3i and HQLAx) - if a node manages to join the Corda network by making a local change to the node database schema (specifically in node_named_identities) to allow name to be over 128 characters this effectively "breaks" all other nodes which are visible to each other in the same network map.
Effectively one node has the ability to deactivate all other nodes in the network.
So we need to consider how to prevent this happening. The obvious way is in the doorman itself since this is the "gatekeeper" for node registration. But since the doorman has a current limit for Legal name of 256 characters - so we could consider for now making this the same field size as an in place change (set to 128 characters) until all nodes can be upgraded on UAT/Prod. This would prevent any nodes being registered even if they were accidental. (a separate ticket can be raised for Network Services for this).

Also we should review the related component so Corda for consistency - in this case the doorman field size (legal_name in certificate_signing_request table) is completely out of line with node field size. Any associated changes on node side as per should be coordinated with network services side for consistency.

But this ticket is to also to review how can we make the nodes themselves more resilient when this happens by still continuing to process transactions after a set number of failed attempts (graceful failure).?





Amos Smith





Fix versions

Ported to...


Feature Team

Kernel Group