Sentry Node Questions

I have some basic questions about Sentry Node architecture, which is a new concept for me. I’m interested in trying to protect my validator from DDoS and I am looking to get a better understanding about the proper way to set up and configure sentry nodes for mainnet after the secret contract upgrade this month.

  1. Do all sentry nodes need to have SGX enabled or is that not required? If SGX is required, are the acceptable values for the isvEnclaveQuoteStatus field the same as for a validator?

  2. How does one determine the optimum number of sentry nodes to include in the validator’s persistent_peers list? Is more sentry nodes always better (other than the increased cost to operate)?

  3. Would the validator continue to function properly as long as there is at least one sentry node that is up and running? In other words, would a DDoS attack have to disable all sentry nodes in the persistent_peers list simultaneously in order to actually disable the validator node?

  4. In the event of a DDoS attack on a validator’s sentry nodes what is the actual process to respond to the attack? Would one simply shut down the sentry under attack and spin up a new sentry node with a different IP address? Spinning up a new node can take hours - are there any methods to reduce the deployment time?

  5. Are there any plans for community sentry nodes perhaps run by the Secret Foundation or Enigma, which would be available to all validators on the network? This would ensure that all validators including those who may not be able to afford running their own sentry node would be able to benefit from the Sentry Node architecture and it would help strengthen the network overall.

  1. Yes & Yes

  2. More is better, sure, but overkill is possible. Some operators on Cosmos-based networks have layers of sentries.

  3. Yes & Yes

  4. Depends on your sentry node architecture. You need to do whatever it takes to ensure your validator has a line to other validators in order to mitigate DDoS.

  5. I’m exploring options for this, but due to costs I can’t commit to doing it by launch or any specific time. I can’t speak for Enigma or the Foundation, but I do not believe they have plans of their own to do something like this.

When creating a Sentry Node, it states: persistent_peers = [list of sentry nodes]
where can I find this list?

And should I make changes for both validator and sentry node on my config.toml?

Thank you

Your validator will try to maintain a permanent connection with all the peers in your persistent_peers list during its runtime. It is a comma-separated list of nodeid@ip:port values, and is something you have to create yourself (based on which nodes you trust in the network).

Yes, you will need to edit the config.toml file for both the validator and sentry node. Here is a summary showing the proper configuration for each config.toml:

Validator config.toml:

pex = false
persistent_peers = [list of sentry nodes]
addr_book_strict = false (if sentry nodes are on private network/non-routable IP address)

Sentry node config.toml:

pex = true
persistent_peers = <validator-node-id>@ip:port
private_peer_ids = <validator-node-id>
addr_book_strict = false (if validator is on private network/non-routable IP address)

You can get the node ID for your validator/sentry with the following command: secretd tendermint show-node-id

If you need any additional background on the sentry node architecture, I would refer to this post on the Cosmos forum.
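The answer above gives the two config.toml summaries; the following is an added example (not code from the forum thread or from the Secret Network project) that renders those settings in the exact form Tendermint expects, i.e. comma-separated, double-quoted `nodeid@host:port` strings, checks every peer entry against the 40-hex-character node ID format printed by `secretd tendermint show-node-id`, and patches an existing config.toml in place. The node IDs, the 10.0.0.x addresses and the function names are all constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: build and apply [p2p] settings for a validator and its sentries.
# Node IDs and addresses used here are placeholders, not real network nodes.
set -euo pipefail

# A Tendermint node ID is 40 lowercase hex characters; the peer string is id@host:port.
valid_peer() {
  printf '%s' "$1" | grep -Eq '^[0-9a-f]{40}@[A-Za-z0-9.-]+:[0-9]{1,5}$'
}

# Join peer entries into the comma-separated string persistent_peers wants;
# refuse to emit anything if one entry is malformed (a typo here silently
# leaves the validator without a sentry).
peers_csv() {
  local out="" p
  for p in "$@"; do
    valid_peer "$p" || { echo "bad peer entry: $p" >&2; return 1; }
    out="${out:+$out,}$p"
  done
  printf '%s' "$out"
}

# Validator side: PEX off, talk only to the sentries, allow private addresses.
# Arguments: one sentry id@host:port per argument.
validator_p2p() {
  local peers
  peers=$(peers_csv "$@") || return 1
  cat <<EOF
pex = false
persistent_peers = "$peers"
addr_book_strict = false
EOF
}

# Sentry side: PEX on, pin the validator as a persistent peer and never gossip
# its address (private_peer_ids). Arguments: validator node id, validator host:port.
sentry_p2p() {
  local id="$1" addr="$2" peers
  peers=$(peers_csv "$id@$addr") || return 1
  cat <<EOF
pex = true
persistent_peers = "$peers"
private_peer_ids = "$id"
addr_book_strict = false
EOF
}

# Apply "key = value" lines from stdin to an existing config.toml in place.
# Each key must already be present; a missing key aborts instead of being ignored.
apply_p2p() {
  local cfg="$1" line key val
  while IFS= read -r line; do
    key=${line%% =*}
    val=${line#*= }
    grep -Eq "^${key} = " "$cfg" || { echo "key not found in $cfg: $key" >&2; return 1; }
    sed -i.bak -E "s|^${key} = .*|${key} = ${val}|" "$cfg"
  done
}
```

Typical use is `validator_p2p "$SENTRY1" "$SENTRY2" | apply_p2p ~/.secretd/config/config.toml` on the validator and `sentry_p2p "$VALIDATOR_ID" 10.0.0.2:26656 | apply_p2p ~/.secretd/config/config.toml` on each sentry, followed by a restart of secretd; the `.bak` copy sed leaves behind makes it easy to diff the change before restarting.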