Overview
UDP Authentication provides secure, authenticated peer-to-peer communication for Monad nodes. This feature is currently opt-in and will become required in a future release.
Benefits:
- Enhanced Security: Cryptographically authenticated peer connections using your existing validator keys
- DoS Protection: Prevents resource exhaustion from spoofed packets
- Traffic Prioritization: Enables efficient QoS policies for transaction forwarding
- Performance: ~100x faster packet verification compared to per-packet ECDSA signatures
Prerequisites
- Monad Version: 0.12.6 or later
- Access: Root/sudo privileges on your node
- Keystore: Existing /home/monad/monad-bft/config/id-secp file
- Network: Ability to open UDP port 8001 on your firewall
Instructions for node operators
1. Verify the Monad version
Verify the installation:
2. Configure Firewall
Open UDP port 8001 for authenticated traffic:
3. Generate Authentication Signature
Generate your node’s authenticated name record signature:
Important: The --self-record-seq-num value must be greater than your current self_record_seq_num in node.toml.
- If your config shows self_record_seq_num = 0, use 1
- If your config shows self_record_seq_num = 1, use 2
Example Output:
authenticated_udp_port parameter, as the parameter name in node.toml is self_auth_port.
Save this output - you’ll need it in the next step.
4. Update Configuration
Edit your Monad configuration:
4.1 Update Peer Discovery Section
In the node configuration:
- replace the values in the [peer_discovery] section with your output from Step 3
- add the self_auth_port parameter
4.2 Update Network Section
Add the authenticated_bind_address_port parameter to [network]:
4.3 Update Peer Records (Validators Only)
If you operate a validator with downstream full nodes, update peer configurations as they enable UDP authentication. For peers that have enabled UDP authentication:
- update record_seq_num and name_record_sig using the new values of the downstream node
- set the auth_port = 8001
peers.toml file with auth_port = 8001.
auth_port line should be omitted:
5. Restart and Verify
Restart the Monad service:
Verification
Check Service Status
active (running)
Verify Port Binding
Troubleshooting
Issue: “invalid name record signature in config file”
Cause: The signature in node.toml doesn’t match the parameters.
Solution:
- Verify you incremented self_record_seq_num correctly
- Re-run monad-sign-name-record with the correct seq_num
- Copy the new signature to node.toml
- Restart the service
Issue: Port 8001 Not Listening
Solution:
Issue: Firewall Blocking Connections
Solution:
Rollback Instructions
To disable UDP authentication if needed:
1. Generate New Signature Without Auth Port
2. Update Configuration
Edit /home/monad/monad-bft/config/node.toml:
- Update self_record_seq_num and self_name_record_sig in [peer_discovery]
- Remove or comment out authenticated_bind_address_port in [network]
- Remove all auth_port entries from peer configurations
3. Restart Service
Quick Health Check Script
Save this as check_udp_auth.sh for quick verification:
Additional Notes
- Backward Compatibility: Nodes can communicate with both authenticated and non-authenticated peers
- Gradual Rollout: You can enable authentication at your own pace during the opt-in period
- Future Requirement: UDP authentication will become mandatory in a future release (date TBD)
- Sequence Numbers: Always increment self_record_seq_num when regenerating signatures
- Key Reuse: Authentication uses your existing validator keys (secp256k1)
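A pre-restart check for the edits in Step 3, Step 4 and the rollback, added here as an example (it is not the guide's check_udp_auth.sh and not Monad tooling): it reads node.toml, prints the next value to pass as --self-record-seq-num, and reports whether the authenticated port is both advertised and bound. The layout of the constructed sample config, the integer form of authenticated_bind_address_port, and the rule that the two ports must match are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Monad tooling. Section and key names are the
# ones this guide uses; the TOML layout and value formats are assumptions.

# toml_get FILE SECTION KEY: print KEY's value from [SECTION]. Comments are
# stripped first, so a key disabled with '#' counts as absent.
toml_get() {
  awk -v sec="[$2]" -v key="$3" '
    /^[ \t]*\[/ { s = $0; gsub(/[ \t]/, "", s); insec = (s == sec); next }
    insec {
      line = $0; sub(/#.*/, "", line)
      n = index(line, "="); if (n == 0) next
      k = substr(line, 1, n - 1); v = substr(line, n + 1)
      gsub(/[ \t]/, "", k); gsub(/[ \t"]/, "", v)
      if (k == key) { print v; exit }
    }' "$1"
}

# next_seq_num FILE: value for --self-record-seq-num (current value + 1).
next_seq_num() {
  cur=$(toml_get "$1" peer_discovery self_record_seq_num)
  case "$cur" in ''|*[!0-9]*) echo "self_record_seq_num missing or not a number" >&2; return 1 ;; esac
  echo $((cur + 1))
}

# auth_state FILE: prints enabled, disabled (rolled back) or inconsistent.
auth_state() {
  adv=$(toml_get "$1" peer_discovery self_auth_port)
  bind=$(toml_get "$1" network authenticated_bind_address_port)
  if [ -z "$adv" ] && [ -z "$bind" ]; then echo disabled
  elif [ -n "$adv" ] && [ "$adv" = "$bind" ]; then echo enabled  # assumption: advertised port == bound port
  else echo inconsistent   # only one side set, or the two ports differ
  fi
}

# Constructed sample (placeholder signature), used when no config path is given.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[peer_discovery]
self_record_seq_num = 1
self_name_record_sig = "<signature>"
self_auth_port = 8001
[network]
# authenticated_bind_address_port = 8001
EOF
cfg=${1:-$sample}
echo "next --self-record-seq-num: $(next_seq_num "$cfg")"
echo "UDP auth state: $(auth_state "$cfg")"
rm -f "$sample"
```

Run it with the path to node.toml as the only argument; with no argument it reports on the constructed sample, which is half-configured and therefore inconsistent.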
Support
If you encounter issues not covered in this guide:
- Check logs: journalctl -u monad-bft -n 500 --no-pager
- Verify all configuration parameters match the examples
- Ensure your firewall and network policies allow UDP/8001
- Contact Monad support with your logs and configuration (sanitized of sensitive data)

