|
| 1 | +## How to Ask for a New Whitelisted IP Process |
| 2 | + |
| 3 | +### Purpose |
| 4 | + |
| 5 | +This process defines how to request the addition of a new IP address to the `<network>/allowed-ip-ranges.json` in file [configs-private](https://github.com/global-synchronizer-foundation/configs-private), which is used to whitelist IPs for access to Canton network nodes, tools, or monitoring interfaces. |
| 6 | + |
| 7 | +### Status |
| 8 | + |
| 9 | +This is a proposed process based on working patterns as no formal process has been documented yet. |
| 10 | + |
| 11 | +### Process |
| 12 | + |
| 13 | +### 1. Sponsorship and Accountability |
| 14 | + |
| 15 | +#### 1a. Sponsor Involvement for Self-Hosted Validators |
| 16 | + |
| 17 | +- For validators operating their **own infrastructure**, an **SV sponsor is required** for all IP whitelisting requests. |
| 18 | +- The SV sponsor should normally be the **onboarding SV**, but another SV may act as sponsor if they explicitly agree to take responsibility. |
| 19 | +- The SV sponsor must be **explicitly recorded** in the IP whitelisting entry. |
| 20 | +- The SV sponsor is accountable for the validator node or cluster they sponsor. |
| 21 | + |
| 22 | +#### 1b. Operator Involvement for Node-as-a-Service Operated Nodes |
| 23 | + |
| 24 | +- For validators operated by a **Node as a Service (NaaS) provider**, the **NaaS provider is the responsible operator** for the validator node or cluster. |
| 25 | +- The **Node as a Service provider must be explicitly recorded** in all IP whitelisting requests and in the whitelisting record. |
| 26 | +- The NaaS provider is accountable for day-to-day infrastructure operation, security posture, and compliance with network-level requirements. |
| 27 | +- Any exceptions to this structure must be **explicitly documented** in the IP whitelisting record or PR description. |
| 28 | + |
| 29 | +#### 2. IP Address Allocation Rules |
| 30 | + |
| 31 | +- As a general rule, **one IP address should be whitelisted per validator node or cluster**. |
| 32 | +- Exceptions (for example, large institutions, exchanges, or temporary node migrations) may be considered on a case-by-case basis and must be clearly explained in the PR description. |
| 33 | +- Validator nodes and clusters **must use different IP addresses for different networks** (for example, DevNet, TestNet, and MainNet). |
| 34 | +- Operators must ensure that validator infrastructure uses a single egress gateway so that outbound traffic originates from the approved IP. |
| 35 | + |
| 36 | +#### 3. Prepare the Change and Submit a Pull Request |
| 37 | + |
| 38 | +Submit a pull request (PR) to the GitHub repository: [global-synchronizer-foundation/configs-private](https://github.com/global-synchronizer-foundation/configs-private). If you are not a maintainer, create it via a GitHub fork. |
| 39 | + |
| 40 | +When preparing the PR, consider the following: |
| 41 | + - Make changes in the file `configs/<network>/allowed-ip-ranges.json` where `<network>` is the network you wish to add the IP for (DevNet, TestNet or MainNet) |
| 42 | + - Identify the correct section for the IP entry: |
| 43 | + - `svs` |
| 44 | + - `validators` |
| 45 | + - `vpns` |
| 46 | + - `read-only clients` |
| 47 | +- Entries under `validators` or `read-only clients` must include (Separate the two using `" / "`): |
| 48 | + - The name of the validator or organization requesting access, and |
| 49 | + - The name of the operator running the node on their behalf |
| 50 | +- If the validator operates its own node, include the **SV sponsor** instead. |
| 51 | +- As a general rule, only one IP should be whitelisted per validator. Make sure that validators nodes use a single egress gateway so that they have a single egress IP. If more than one IP is required per validator, e.g. to temporarily run a second node while migrating between nodes, please explain that in the PR description. |
| 52 | + |
| 53 | +- Ensure that: |
| 54 | + - All entries are **sorted alphabetically**, and IP addresses for each entry are **sorted numerically**. |
| 55 | + - CI checks will fail if sorting requirements are not met |
| 56 | + |
| 57 | +#### 5. Additional Requirements for TestNet and MainNet |
| 58 | + |
| 59 | +If adding an IP for a validator on **TestNet** or **MainNet**, the PR description must include **one of the following**: |
| 60 | + |
| 61 | +- A link to an announcement confirming that the validator has been approved by the Tokenomics Committee, or |
| 62 | +- A link naming the approved operator (from the list of operators authorized by the Tech and Ops Committee) under whose discretion the validator is being onboarded. |
| 63 | + |
| 64 | +#### 6. Get the PR reviewed and merged |
| 65 | + |
| 66 | +- The PR must be reviewed and approved by a maintainer from a **different organization** than the submitter. |
| 67 | +- If the submitter is a maintainer, the PR may be merged only after approval from another maintainer from a different organization. |
| 68 | + |
| 69 | +#### 7. Tooling |
| 70 | + |
| 71 | +- The script [new-whitelist.sh](https://github.com/global-synchronizer-foundation/configs-private/blob/main/scripts/new-whitelist.sh) may be used to automate most of the steps above, including PR creation. |
| 72 | +- Use of the script does not remove the requirement for proper documentation, justification, and review. |
| 73 | + |
| 74 | +### Notes |
| 75 | + |
| 76 | +- Sponsors remain responsible for the nodes and clusters they sponsor after whitelisting. |
| 77 | +- Exceptions to IP allocation or sponsorship rules must be explicitly documented. |
| 78 | +- Operators must ensure IP allocations comply with all network-level requirements before deployment. |
| 79 | +- SV operators are encouraged to document and share evolving best practices during PR review. |
0 commit comments