Network Permissioning

Network Permissioning is a feature that controls which nodes can connect to a given node and which nodes that node can dial out to. Currently, it is managed at the individual node level by the --permissioned command line flag when starting the node.

If the --permissioned flag is set, the node looks for a file named <data-dir>/permissioned-nodes.json. This file contains the whitelist of enodes that this node can connect to and accept connections from. Therefore, with permissioning enabled, only the nodes that are listed in the permissioned-nodes.json file become part of the network. If the --permissioned flag is specified but no nodes are added to the permissioned-nodes.json file, then this node can neither connect to any node nor accept any incoming connections.

The permissioned-nodes.json file follows the pattern below, which is similar to the <data-dir>/static-nodes.json file that is used to specify the list of static nodes a given node always connects to:

[
  "enode://remotekey1@ip1:port1",
  "enode://remotekey2@ip2:port2",
  "enode://remotekey3@ip3:port3"
]

Sample file (node IDs truncated for clarity):

[
  "enode://a9660d116471a594113ab8809447fc0f64053860a7069a4779294966bf8070bdf8f57003a3dff6eaa08723be376eb6e02e97c2bc8011c722010f01702d9ef0ed@XXX.XXX.XXX.XXX:30303?discport=0",
  "enode://29eeecf7718aa2edfe76ba06d168f8743eda7e475388005ff745c3b34128e28c15ea4d47e7a2681437930e3ffcac51f9e195110a3aa1fd103a01ae55953f1a30@XXX.XXX.XXX.XXX:30304?discport=0",
  "enode://f7bef11d1d72b19c8dd153c92064c0df1288a9d924141ec5dadaf4fce315ce8b85235df89feefde76619ad00bc20a3d9c5c37894da17f73069a40dcb771d8fea@XXX.XXX.XXX.XXX:30305?discport=0",
  "enode://12e693a93470953b44c8c5dc891215f3d1e84d3c6f41d83c3184d226717e7921a0deae9da5044865afe535db254be4359ac3240f040a36703dd9006b42cb3c1e@XXX.XXX.XXX.XXX:30306?discport=0"
]

Note

In the current implementation, every node has its own copy of the permissioned-nodes.json file. If different nodes have different lists of remote keys, each node may have a different list of permissioned nodes, which may have an adverse effect. In a future release, the permissioned nodes list will be moved from the permissioned-nodes.json file to a Smart Contract, thereby ensuring that all nodes will use one global on-chain list to verify network connections.
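
An added example (not the project's own code): a Python check that each node's permissioned-nodes.json is a flat JSON array of enode URLs, and that reports the empty lists and per-node differences described in the file-format section and the Note above. The function names, the 128-hex-digit node ID check and the sample data are assumptions constructed for this illustration.

```python
import json
import re
from urllib.parse import urlsplit

# Assumption: a node ID is a 64-byte public key in hex (128 digits),
# the length of the IDs in the sample file above.
NODE_ID = re.compile(r"[0-9a-fA-F]{128}")

def parse_permissioned(text):
    """Return the set of node IDs in one permissioned-nodes.json document.
    Raises ValueError for anything that is not a flat JSON array of enode URLs."""
    entries = json.loads(text)  # JSONDecodeError is a ValueError (e.g. trailing comma)
    if not isinstance(entries, list):
        raise ValueError("top level must be a JSON array")
    ids = set()
    for entry in entries:
        if not isinstance(entry, str):
            raise ValueError("entry is not a string: %r" % (entry,))
        url = urlsplit(entry)
        if url.scheme != "enode" or not NODE_ID.fullmatch(url.username or ""):
            raise ValueError("bad scheme or node ID: %s" % entry)
        if not url.hostname or url.port is None:  # .port raises ValueError if invalid
            raise ValueError("missing host or port: %s" % entry)
        ids.add(url.username.lower())
    return ids

def audit(files):
    """files maps a node name to the text of its permissioned-nodes.json.
    Returns {name: {"isolated": bool, "missing": [IDs listed elsewhere but not here]}}."""
    parsed = {name: parse_permissioned(text) for name, text in files.items()}
    union = set().union(*parsed.values())
    return {name: {"isolated": not ids, "missing": sorted(union - ids)}
            for name, ids in parsed.items()}

def sample_enode(n):
    """Constructed sample entry (made-up key and private address)."""
    return "enode://%0128x@10.0.0.%d:%d?discport=0" % (n, n, 30302 + n)

# Constructed sample data: node-b lacks one peer, node-c has an empty list.
SAMPLE = {
    "node-a": json.dumps([sample_enode(1), sample_enode(2), sample_enode(3)]),
    "node-b": json.dumps([sample_enode(1), sample_enode(2)]),
    "node-c": "[]",
}

if __name__ == "__main__":
    for name, result in audit(SAMPLE).items():
        print(name, "isolated" if result["isolated"] else "ok",
              "missing:", [i[-8:] for i in result["missing"]])
```

A node reported as isolated would, with --permissioned set, neither dial out nor accept connections; a non-empty "missing" list means the copies on different nodes have diverged.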