docs: add extensible records RFC

Reference discussion
[post](https://forum.vac.dev/t/sybil-and-dos-spam-protection-for-libp2p-mix/598).
This PR includes sections for spam protecting a mixnet deployment using
mix protocol and how spam protection mechansims are pluggable in nature.
It lists down requirements of a spam protection mechanism and suggests
two integration methods for any mechanism with various trade-offs.
- [x] Add spam protection mechanism architecture
- [x] Suggest various approaches possible with trade-offs 
- [x] Detail how each approach would be integrated into sphinx packet
and changes to it
- [x] Include node responsibilities
- [x]  Interface definition for spam protection implementations

vac/raw/consensus-hashgraphlike.md

@@ -73,11 +73,11 @@ message Proposal {
   string payload = 11;               // Proposal description
   uint32 proposal_id = 12;           // Unique identifier of the proposal
   bytes proposal_owner = 13;         // Public key of the creator 
-  repeated Votes = 14;               // Vote list in the proposal
+  repeated Vote votes = 14;              // Vote list in the proposal
   uint32 expected_voters_count = 15; // Maximum number of distinct voters
-  uint32 round = 16;                 // Number of Votes 
+  uint32 round = 16;                 // Number of rounds 
   uint64 timestamp = 17;             // Creation time of proposal
-  uint64 expiration_time = 18;       // The time interval that the proposal is active.  
+  uint64 expiration_timestamp = 18;  // The timestamp at which the proposal becomes outdated  
   bool liveness_criteria_yes = 19;   // Shows how managing the silent peers vote
 }
 
@@ -85,7 +85,7 @@ message Vote {
   uint32 vote_id = 20;            // Unique identifier of the vote
   bytes vote_owner = 21;          // Voter's public key
   uint32 proposal_id = 22;        // Linking votes and proposals
-  int64 timestamp = 23;           // Time when the vote was cast
+  uint64 timestamp = 23;          // Time when the vote was cast
   bool vote = 24;                 // Vote bool value (true/false)
   bytes parent_hash = 25;         // Hash of previous owner's Vote
   bytes received_hash = 26;       // Hash of previous received Vote
@@ -138,7 +138,7 @@ check that the hash of the former vote is equal to the `parent_hash` of the late
   
    5.3. Increase the round by one, namely `P_2.round = P_1.round + 1`.
   
-   5.4. Verify that the proposal has not expired by checking that: `P_2.timestamp - current_time < P_1.expiration_time`.
+   5.4. Verify that the proposal has not expired by checking that: `current_time in [P_timestamp, P_expiration_timestamp]`.
     If this does not hold, other peers ignore the message.
 
 After the peer creates the proposal `P_2` with its vote `V_2`,

vac/raw/eth-mls-offchain.md

@@ -54,11 +54,15 @@ are to be interpreted as described in [2119](https://www.ietf.org/rfc/rfc2119.tx
 
 The three roles used in de-MLS is as follows:
 
-- `node`: Nodes are members of network without being in any secure group messaging.
+- `node`: Nodes are participants in the network that are not currently members
+of any secure group messaging session but remain available as potential candidates for group membership.
 - `member`: Members are special nodes in the secure group messaging who
 obtains current group key of secure group messaging.
-- `steward`: Stewards are special and transparent members in secure group
-messaging who organizes the changes upon the voted-proposals.
+Each node is assigned a unique identity represented as a 20-byte value named `member id`.
+- `steward`: Stewards are special and transparent members in the secure group
+messaging who organize the changes by releasing commit messages upon the voted proposals.
+There are two special subsets of steward as epoch and backup steward,
+which are defined in the section de-MLS Objects.
 
 ## MLS Background
 
@@ -78,7 +82,7 @@ manage the `keyPackage` of the users where the `keyPackage` is the objects
 
 Following section presents the MLS objects and components that used in this RFC:
 
-`Epoch`: Fixed time intervals that changes the state that is defined by members,
+`Epoch`: Time intervals that changes the state that is defined by members,
 section 3.4 in [MLS RFC 9420](https://datatracker.ietf.org/doc/rfc9420/).
 
 `MLS proposal message:` Members MUST receive the proposal message prior to the
@@ -90,6 +94,7 @@ Here, the add and remove proposals are used.
 This is restricted by [MLS RFC 9420](https://datatracker.ietf.org/doc/rfc9420/) as if there is pending proposal,
 the application message should be cut.
 Note that: Since the MLS is based on servers, this delay between proposal and commit messages are very small.
+
 `Commit message:` After members receive the proposals regarding group changes,
 the committer, who may be any member of the group, as specified in  [MLS RFC 9420](https://datatracker.ietf.org/doc/rfc9420/),
 generates the necessary key material for the next epoch, including the appropriate welcome messages
@@ -97,21 +102,48 @@ for new joiners and new entropy for removed members. In this RFC, the committers
 
 ### de-MLS Objects
 
-`Voting proposal` Similar to MLS proposals, but processed only if approved through a voting process.
+This section presents the de-MLS objects:
+
+`Voting proposal`: Similar to MLS proposals, but processed only if approved through a voting process.
 They function as application messages in the MLS group,
 allowing the steward to collect them without halting the protocol.
+There are three types of `voting proposal` according to the type of consensus as in shown Consensus Types section,
+these are, `commit proposal`, `steward election proposal` and `emergency criteria proposal`.
+
+`Epoch steward`: The steward assigned to commit in `epoch E` according to the steward list.
+Holds the primary responsibility for creating commit in that epoch.
+
+`Backup steward`: The steward next in line after the `epoch steward` on the `steward list` in `epoch E`.
+Only becomes active if the `epoch steward` is malicious or fails,
+in which case it completes the commitment phase.
+If unused in `epoch E`, it automatically becomes the `epoch steward` in `epoch E+1`.
+
+`Steward list`: It is an ordered list that contains the `member id`s of authorized stewards.
+Each steward in the list becomes main responsible for creating the commit message when its turn arrives,
+according to this order for each epoch.
+For example, suppose there are two stewards in the list `steward A` first and `steward B` last in the list.
+`steward A` is responsible for creating the commit message for first epoch.
+Similarly, `steward B` is for the last epoch.
+Since the `epoch steward` is the primary committer for an epoch,
+it holds the main responsibility for producing the commit.
+However, other stewards MAY also generate a commit within the same epoch to preserve liveness
+in case the epoch steward is inactive or slow.
+Duplicate commits are not re-applied and only the single valid commit for the epoch is accepted by the group,
+as in described in section filtering proposals against the multiple comitting.
+
+Therefore, if a malicious steward occurred, the `backup steward` will be charged with committing.
+Lastly, the size of the list named as `sn`, which also shows the epoch interval for steward list determination.
 
 ## Flow
 
 General flow is as follows:
 
 - A steward initializes a group just once, and then sends out Group Announcements (GA) periodically.
-
-- Meanwhile, each`node`creates and sends their`credential` includes `keyPackage`.
-- Each `member`creates `voting proposals` sends them to from MLS group during epoch E.
+- Meanwhile, each `node` creates and sends their `credential` includes `keyPackage`.
+- Each `member` creates `voting proposals` sends them to from MLS group during `epoch E`.
 - Meanwhile, the `steward` collects finalized `voting proposals` from MLS group and converts them into
-`MLS proposals`  then sends them with correspondng `commit messages`
-- Evantually, with the commit messages, all members starts the next epoch E+1.
+`MLS proposals` then sends them with corresponding `commit messages`
+- Evantually, with the commit messages, all members starts the next `epoch E+1`.
 
 ## Creating Voting Proposal
 
@@ -179,57 +211,220 @@ This is mostly similar with the general flow and specified in voting proposal an
 as in section 8.1. Group Context in [MLS RFC 9420](https://datatracker.ietf.org/doc/rfc9420/).
 2. `steward` creates a group anouncement (GA) according to the previous step and
 broadcast it to the all network periodically. GA message is visible in network to all `nodes`.
-3. The each `node` who wants to be a member needs to obtain this anouncement and create `credential`
+3. The each `node` who wants to be a `member` needs to obtain this anouncement and create `credential`
 includes `keyPackage` that is specified in [MLS RFC 9420](https://datatracker.ietf.org/doc/rfc9420/) section 10.
-4. The `steward` aggregates all `KeyPackages` utilizes them to provision group additions for new members,
+4. The `node` send the `KeyPackages` in plaintext with its signature with current `steward` public key which
+anounced in welcome topic. This step is crucial for security, ensuring that malicious nodes/stewards
+cannot use others' `KeyPackages`.
+It also provides flexibility for liveness in multi-steward settings,
+allowing more than one steward to obtain `KeyPackages` to commit.
+5. The `steward` aggregates all `KeyPackages` utilizes them to provision group additions for new members,
 based on the outcome of the voting process.
-5. Any `member` start to create `voting proposals` for adding or removing users,
+6. Any `member` start to create `voting proposals` for adding or removing users,
 and present them to the voting in the MLS group as an application message.
 
 However, unlimited use of `voting proposals` within the group may be misused by
 malicious or overly active members.
 Therefore, an application-level constraint can be introduced to limit the number
 or frequency of proposals initiated by each member to prevent spam or abuse.
-6. Meanwhile, the `steward` collects finalized `voting proposals` with in epoch `E`,
+7. Meanwhile, the `steward` collects finalized `voting proposals` with in epoch `E`,
 that have received affirmative votes from members via application messages.
 Otherwise, the `steward` discards proposals that did not receive a majority of "YES" votes.
 Since voting proposals are transmitted as application messages, omitting them does not affect
 the protocol’s correctness or consistency.
-7. The `steward` converts all approved `voting proposals` into
+8. The `steward` converts all approved `voting proposals` into
 corresponding `MLS proposals` and `commit message`, and
 transmits both in a single operation as in [MLS RFC 9420](https://datatracker.ietf.org/doc/rfc9420/) section 12.4,
-including welcome messages for the new members. Therefore, the `commit message` ends the previous epoch and create new ones.
+including welcome messages for the new members.
+Therefore, the `commit message` ends the previous epoch and create new ones.
+9. The `members` applied the incoming `commit message` by checking the signatures and `voting proposals`
+and synchronized with the upcoming epoch.
 
 ## Multi stewards
 
 Decentralization has already been achieved in the previous section.
 However, to improve availability and ensure censorship resistance,
-the single-steward protocol is extended to a multi-steward architecture.
+the single steward protocol is extended to a multi steward architecture.
 In this design, each epoch is coordinated by a designated steward,
-operating under the same protocol as the single-steward model.
-Thus, the multi-steward approach primarily defines how steward roles
+operating under the same protocol as the single steward model.
+Thus, the multi steward approach primarily defines how steward roles
 rotate across epochs while preserving the underlying structure and logic of the original protocol.
-Two variants of the multi-steward design are introduced to address different system requirements.
+Two variants of the multi steward design are introduced to address different system requirements.
 
-### Multi steward with single consensus
+### Consensus Types
+
+Consensus is agnostic with its payload; therefore, it can be used for various purposes.
+Note that each message for the consensus of proposals is an `application message` in the MLS object section.
+It is used in three ways as follows:
+
+1. `Commit proposal`:  It is the proposal instance that is specified in Creating Voting Proposal section
+with `Proposal.payload` MUST show the commit request from `members`.
+Any member MAY create this proposal in any epoch and `epoch steward` MUST collect and commit YES voted proposals.
+This is the only proposal type common to both single steward and multi steward designs.
+2. `Steward election proposal`: This is the process that finalizes the `steward list`,
+which sets and orders stewards responsible for creating commits over a predefined number of range in (`sn_min`,`sn_max`).
+The validity of the choosen `steward list` ends when the last steward in the list (the one at the final index) completes its commit.
+At that point, a new `steward election proposal` MUST be initiated again by any member during the corresponding epoch.
+The `Proposal.payload` field MUST represent the ordered identities of the proposed stewards.
+Each steward election proposal MUST be verified and finalized through the consensus process
+so that members can identify which steward will be responsible in each epoch
+and detect any unauthorized steward commits.
+3. `Emergency criteria proposal`: If there is a malicious member or steward,
+this event MUST be voted on to finalize it.
+If this returns YES, the next epoch MUST include the removal of the member or steward.
+In a specific case where a steward is removed from the group, causing the total number of stewards to fall below `sn_min`,  
+it is required to repeat the `steward election proposal`.
+`Proposal.payload` MUST consist of the evidence of the dishonesty as described in the Steward violation list,
+and the identifier of the malicious member or steward.
+This proposal can be created by any member in any epoch.
+
+The order of consensus proposal messages is important to achieving a consistent result.
+Therefore, messages MUST be prioritized by type in the following order, from highest to lowest priority:
+
+- `Emergency criteria proposal`
+
+- `Steward election proposal`
+
+- `Commit proposal`
+
+This means that if a higher-priority consensus proposal is present in the network,
+lower-priority messages MUST be withheld from transmission until the higher-priority proposals have been finalized.
+
+### Steward list creation
+
+The `steward list` consists of steward nominees who will become actual stewards if the `steward election proposal` is finalized with YES,
+is arbitrarily chosen from `member` and OPTIONALLY adjusted depending on the needs of the implementation.
+The `steward list` size, defined by the minimum `sn_min` and maximum `sn_max` bounds,
+is determined at the time of group creation.
+The `sn_min` requirement is applied only when the total number of members exceeds `sn_min`;
+if the number of available members falls below this threshold,
+the list size automatically adjusts to include all existing members.
+
+The actual size of the list MAY vary within this range as `sn`, with the minimum value being at least 1.
+
+The index of the slots shows epoch info and value of index shows `member id`s.
+The next in line steward for the `epoch E` is named as `epoch steward`, which has index E.
+And the subsequent steward in the `epoch E` is named as the `backup steward`.
+For example, let's assume steward list is (S3, S2, S1) if in the previous epoch the roles were
+(`backup steward`: S2, `epoch steward`: S1), then in the next epoch they become
+(`backup steward`: S3, `epoch steward`: S2) by shifting.
+
+If the `epoch steward` is honest, the `backup steward` does not involve the process in epoch,
+and the `backup steward` will be the `epoch steward` within the `epoch E+1`.
+
+If the `epoch steward` is malicious, the `backup steward` is involved in the commitment phase in `epoch E`
+and the former steward becomes the `backup steward` in `epoch E`.
+
+Liveness criteria:
+
+Once the active `steward list` has completed its assigned epochs,
+
+members MUST proceed to elect the next set of stewards
+(which MAY include some or all of the previous members).
+This election is conducted through a type 2 consensus procedure, `steward election proposal`.
+
+A `Steward election proposal` is considered valid only if the resulting `steward list`
+is produced through a deterministic process that ensures an unbiased distribution of steward assignments,
+since allowing bias could enable a malicious participant to manipulate the list
+and retain control within a favored group for multiple epochs.
+
+The list MUST consist of at least `sn_min` members, including retained previous stewards,
+sorted according to the ascending value of `SHA256(epoch E || member id || group id)`,
+where `epoch E` is the epoch in which the election proposal is initiated,
+and `group id` for shuffling the list across the different groups.
+Any proposal with a list that does not adhere to this generation method MUST be rejected by all members.
+
+We assume that there are no recurring entries in `SHA256(epoch E || member id || group id)`, since the SHA256 outputs are unique
+when there is no repetition in the `member id` values, against the conflicts on sorting issues.
+
+### Multi steward with big consensuses
 
 In this model, all group modifications, such as adding or removing members,
 must be approved through consensus by all participants,
-including the steward assigned for epoch `E`.
+including the steward assigned for `epoch E`.
 A configuration with multiple stewards operating under a shared consensus protocol offers
 increased decentralization and stronger protection against censorship.
 However, this benefit comes with reduced operational efficiency.
 The model is therefore best suited for small groups that value
 decentralization and censorship resistance more than performance.
 
-### Multi steward with two consensuses
+To create a multi steward with a big consensus,
+the group is initialized with a single steward as specified as follows:
 
-The two-consensus model offers improved efficiency with a trade-off in decentralization.
+1. The steward initialized the group with the config file.
+This config file MUST contain (`sn_min`,`sn_max`) as the `steward list` size range.
+2. The steward adds the members as a centralized way till the number of members reaches the `sn_min`.
+Then, members propose lists by voting proposal with size `sn`
+as a consensus among all members, as mentioned in the consensus section 2, according to the checks:
+the size of the proposed list `sn` is in the interval (`sn_min`,`sn_max`).
+Note that if the total number of members is below `sn_min`,
+then the steward list size MUST be equal to the total member count.
+3. After the voting proposal ends up with a `steward list`,
+and group changes are ready to be committed as specified in single steward section
+with a difference which is members also check the committed steward is `epoch steward` or `backup steward`,
+otherwise anyone can create `emergency criteria proposal`.
+4. If the `epoch steward` violates the changing process as mentioned in the section Steward violation list,
+one of the members MUST initialize the `emergency criteria proposal` to remove the malicious Steward.
+Then `backup steward` fulfills the epoch by committing again correctly.
+
+A large consensus group provides better decentralization, but it requires significant coordination,
+which MAY not be suitable for groups with more than 1000 members.
+
+### Multi steward with small consensuses
+
+The small consensus model offers improved efficiency with a trade-off in decentralization.
 In this design, group changes require consensus only among the stewards, rather than all members.
-Regular members participate by periodically selecting the stewards but do not take part in each decision.
+Regular members participate by periodically selecting the stewards by `steward election proposal`
+but do not take part in commit decision by `commit proposal`.
 This structure enables faster coordination since consensus is achieved within a smaller group of stewards.
 It is particularly suitable for large user groups, where involving every member in each decision would be impractical.
 
+The flow is similar to the big consensus including the `steward list` finalization with all members consensus
+only the difference here, the commit messages requires `commit proposal` only among the stewards.
+
+## Filtering proposals against the multiple comitting
+
+Since stewards are allowed to produce a commit even when they are not the designated `epoch steward`,
+multiple commits may appear within the same epoch, often reflecting recurring versions of the same proposal.
+To ensure a consistent outcome, the valid commit for the epoch SHOULD be selected as the one derived
+from the longest proposal chain, ordered by the ascending value of each proposal as `SHA256(proposal)`.
+All other cases, such as invalid commits or commits based on proposals that were not approved through voting,
+can be easily detected and discarded by the members.
+
+## Steward violation list
+
+A steward’s activity is called a violation if the action is one or more of the following:
+
+1. Broken commit: The steward releases a different commit message from the voted `commit proposal`.
+This activity is identified by the `members` since the [MLS RFC 9420](https://datatracker.ietf.org/doc/rfc9420/) provides the methods
+that members can use to identify the broken commit messages that are possible in a few situations,
+such as commit and proposal incompatibility. Specifically, the broken commit can arise as follows:
+    1. The commit belongs to the earlier epoch.
+    2. The commit message should equal the latest epoch
+    3. The commit needs to be compatible with the previous epoch’s `MLS proposal`.
+2. Broken MLS proposal: The steward prepares a different `MLS proposal` for the corresponding `voting proposal`.
+This activity is identified by the `members` since both `MLS proposal` and `voting proposal` are visible
+and can be identified by checking the hash of `Proposal.payload` and `MLSProposal.payload` is the same as RFC9240 section 12.1. Proposals.
+3. Censorship and inactivity: The situation where there is a voting proposal that is visible for every member,
+and the Steward does not provide an MLS proposal and commit.
+This activity is again identified by the `members`since `voting proposals` are visible to every member in the group,
+therefore each member can verify that there is no `MLS proposal` corresponding to `voting proposal`.
+
+## Security Considerations
+
+In this section, the security considerations are shown as de-MLS assurance.
+
+1. Malicious Steward: A Malicious steward can act maliciously,
+as in the Steward violation list section.
+Therefore, de-MLS enforces that any steward only follows the protocol under the consensus order
+and commits without emergency criteria application.
+2. Malicious Member: A member is only marked as malicious
+when the member acts by releasing a commit message.
+3. Steward list election bias: Although SHA256 is used together with two global variables
+to shuffle stewards in a deterministic and verifiable manner,
+this approach only minimizes election bias; it does not completely eliminate it.
+This design choice is intentional, in order to preserve the efficiency advantages provided by the MLS mechanism.
+
 ## Copyright
 
 Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/)

vac/raw/extensible-peer-records.md

@@ -0,0 +1,165 @@
+---
+title: extensible-peer-records
+name: Extensible Peer Records
+status: raw
+category: Standards Track
+tags:
+editor: Hanno Cornelius <hanno@status.im>
+contributors: Simon-Pierre Vivier <simvivier@status.im>
+---
+
+## Abstract
+
+This RFC proposes Extensible Peer Records,
+an extension of libp2p's [routing records](https://github.com/libp2p/specs/blob/7740c076350b6636b868a9e4a411280eea34d335/RFC/0003-routing-records.md),
+that enables peers to encode an arbitrary list of supported services and essential service-related information
+in distributable records.
+This version of routing records allows peers to communicate capabilities such as protocol support,
+and essential information related to such capabilities.
+This is especially useful when (signed) records are used in peer discovery,
+allowing discoverers to filter for peers matching a desired set of capability criteria.
+Extensible Peer Records maintain backwards compatibility with standard libp2p routing records,
+while adding an extensible service information field that supports finer-grained capability communication.
+
+> **_A note on terminology:_** We opt to call this structure a "_peer record_", even though the corresponding libp2p specification refers to a "_routing record_".
+This is because the libp2p specification itself defines an internal [`PeerRecord` type](https://github.com/libp2p/specs/blob/master/RFC/0003-routing-records.md#address-record-format),
+and, when serialised into a signed envelope, this is most often called a "_signed peer record_" (see, for example, [here](https://github.com/libp2p/go-libp2p/blob/479b24baab77b4b99d7e31462b91cc04f89f1de4/p2p/protocol/identify/pb/identify.proto#L37)).
+
+The keywords “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”,
+“SHOULD NOT”, “RECOMMENDED”, “MAY”, and
+“OPTIONAL” in this document are to be interpreted as described in [2119](https://www.ietf.org/rfc/rfc2119.txt).
+
+## Motivation
+
+We propose a new peer record as an extension of libp2p's [RFC003 Routing Records](https://github.com/libp2p/specs/blob/7740c076350b6636b868a9e4a411280eea34d335/RFC/0003-routing-records.md)
+that allows encoding an arbitrary list of services,
+and essential information pertaining to those services,
+supported by the peer.
+
+There are at least two reasons why a peer might want to encode service information in its peer records:
+
+1. **To augment `identify` with peer capabilities:**
+The libp2p [`identify` protocol](https://github.com/libp2p/specs/blob/7740c076350b6636b868a9e4a411280eea34d335/identify/README.md) allows peers to exchange critical information,
+such as supported protocols,
+on first connection.
+The peer record (in a signed envelope) can also be exchanged during `identify`.
+However, peers may want to exchange finer-grained information related to supported protocols/services,
+that would otherwise require an application-level negotiation protocol,
+or that is critical to connect to the service in the first place.
+An example would be nodes supporting libp2p [`mix` protocol](https://rfc.vac.dev/vac/raw/mix) also needing to exchange the mix key
+before the service can be used.
+2. **To advertise supported services:**
+If the peer record is used as the discoverable record for a peer
+(as we propose for various discovery methods)
+that peer may want to encode a list of supported services
+in its advertised record.
+These services may be (but is not limited to) a list of supported libp2p protocols
+and critical information pertaining to that service (such as the mix key, explained above).
+Discoverers can then filter discovered records for desired capabilities
+based on the encoded service information
+or use it to initiate the service.
+
+## Wire protocol
+
+### Extensible Peer Records
+
+Extensible Peer Records MUST adhere to the following structure:
+
+```protobuf
+syntax = "proto3";
+
+package peer.pb;
+
+// ExtensiblePeerRecord messages contain information that is useful to share with other peers.
+// Currently, an ExtensiblePeerRecord contains the public listen addresses for a peer
+// and an extensible list of supported services as key-value pairs.
+//
+// ExtensiblePeerRecords are designed to be serialised to bytes and placed inside of
+// SignedEnvelopes before sharing with other peers.
+message ExtensiblePeerRecord {
+
+  // AddressInfo is a wrapper around a binary multiaddr. It is defined as a
+  // separate message to allow us to add per-address metadata in the future.
+  message AddressInfo {
+    bytes multiaddr = 1;
+  }
+
+  // peer_id contains a libp2p peer id in its binary representation.
+  bytes peer_id = 1;
+
+  // seq contains a monotonically-increasing sequence counter to order ExtensiblePeerRecords in time.
+  uint64 seq = 2;
+
+  // addresses is a list of public listen addresses for the peer.
+  repeated AddressInfo addresses = 3;
+
+  message ServiceInfo{
+    string id = 1;
+    optional bytes data = 2;
+  }
+
+   // Extensible list of advertised services
+  repeated ServiceInfo services = 4;
+}
+```
+
+A peer MAY include a list of supported services in the `services` field.
+These services could be libp2p protocols,
+in which case it is RECOMMENDED that the `ServiceInfo` `id` field
+be derived from the libp2p protocol identifier.
+In any case, for each supported service,
+the `id` field MUST be populated with a string identifier for that service.
+In addition, the `data` field MAY be populated with additional information about the service.
+It is RECOMMENDED that each `data` field be no more than `33` bytes.
+(We choose `33` here to allow for the encoding of `256` bit keys with parity.
+Also see [_Size constraints_](#size-constraints) for recommendations on limiting the overall record size.)
+
+The rest of the `ExtensiblePeerRecord`
+MUST be populated as per the libp2p [`PeerRecord` specification](https://github.com/libp2p/specs/blob/7740c076350b6636b868a9e4a411280eea34d335/RFC/0003-routing-records.md).
+Due to the natural extensibility of protocol buffers,
+serialised `ExtensiblePeerRecord`s are backwards compatible with libp2p `PeerRecord`s,
+only adding the functionality related to service info exchange.
+
+#### Size constraints
+
+To limit the impact on resources,
+`ExtensiblePeerRecord`s SHOULD NOT be used to encode information
+that is not essential for discovery or service initiation.
+Since these records are likely to be exchanged frequently,
+they should be kept as small as possible while still providing all necessary functionality.
+Although specific applications MAY choose to enforce a smaller size,
+it is RECOMMENDED that an absolute maximum size of `1024` bytes is enforced for valid records.
+Extensible Peer Records may be included in size-constrained protocols
+that further limit the size (such as DNS).
+
+### Wrapping in Signed Peer Envelopes
+
+Extensible Peer Records MUST be wrapped in libp2p [signed envelope](https://github.com/libp2p/specs/blob/7740c076350b6636b868a9e4a411280eea34d335/RFC/0002-signed-envelopes.md)s
+before distributing them to peers.
+The corresponding `ExtensiblePeerRecord` message is serialised into the signed envelope's `payload` field.
+
+#### Signed Envelope Domain
+
+Extensible Peer Records MUST use `libp2p-routing-state` as domain separator string
+for the envelope signature.
+This is the same as for ordinary libp2p [routing records](https://github.com/libp2p/specs/blob/7740c076350b6636b868a9e4a411280eea34d335/RFC/0003-routing-records.md#signed-envelope-domain).
+
+#### Signed Envelope Payload Type
+
+Extensible Peer Records MUST use the UTF8 string `/libp2p/extensible-peer-record/`
+as the `payload_type` value.
+
+> **_Note:_** this will make Extensible Peer Records a subtype of the "namespace" [multicodec](https://github.com/multiformats/multicodec/blob/0c6c7d75f1580af329847dbc9900859a445ed980/table.csv).
+In future we may define a more compact multicodec type for Extensible Peer Records. 
+
+## Copyright
+
+Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).
+
+## References
+
+- [libp2p `identify`](https://github.com/libp2p/specs/blob/7740c076350b6636b868a9e4a411280eea34d335/identify/README.md)
+- [libp2p mix](https://rfc.vac.dev/vac/raw/mix)
+- [multicodec](https://github.com/multiformats/multicodec/blob/0c6c7d75f1580af329847dbc9900859a445ed980/table.csv)
+- [RFC002 Signed Envelope](https://github.com/libp2p/specs/blob/7740c076350b6636b868a9e4a411280eea34d335/RFC/0002-signed-envelopes.md)
+- [RFC003 Routing Records](https://github.com/libp2p/specs/blob/7740c076350b6636b868a9e4a411280eea34d335/RFC/0003-routing-records.md)