📅 Original date posted:2016-08-20
📝 Original message:
Rusty Russell <rusty at rustcorp.com.au> wrote:
> Which creates a subtle requirement: even the terminal onion should
include an
> amount.
With the current draft specification, all hops receive a per-hop payload
(unless we're now abandoning the payload for the final hop due to the
"terminal" byte?). This behavior isn't changed for the final hop, so they
also
extract a payload once they process the onion packet.
Christian Decker <decker.christian at gmail.com> wrote:
> If the recipient does not know the intended amount and accepts anything
then
> fee-shaving is very profitable.
In my mind (although it seems to be handled with the current onion-packet
format), this is an issue which should be resolved/negotiated at a higher
level. Ignoring the possibility of using the network as a general messaging
layer (which seems a bit ambitious, plus brings up DoS concerns), the
sender/receiver should have already negotiated all the details of the
payment.
If the receiver communicated the target r-hash, then they should also be
aware
of the associated value to be paid out with reveal of the corresponding
r-preimage. Joseph's description fits by current thought model.
Rusty Russell <rusty at rustcorp.com.au> wrote:
> Related: I can't seem to figure out why we're so concerned with onion
reuse?
> It seems if a node were to retransmit the same onion runs this same risk.
One might say that the concern is a bit "academic" in nature. In theory,
within
a mix-net (sending emails/messages, not HTLC's), an adversary shouldn't be
able
to re-inject an arbitrary previously processed packet thereby causing node
to
process and forward the packet as normal. If they're able to do this, then
in
conjunction with several nodes participating within the network, the
adversary
may be able to partially (worse, even fully) re-construct the original path
by
observing how the replays propagate throughout the network.
However, practically, we're currently building something that more
resembles an
onion routing network rather than a mix-net. Additionally, as all
communication
links are end-to-end encrypted+authenticated, in reality, the only party
able
to attempt to replay packet within the network are nodes whom have directly
received+processes the onion packet in the past. In our particular context,
assuming the onion packet is encapsulated within the message that adds a new
HTLC, then an attempt to replay would be foolish as if one assumes nodes
remember all r-preimages, then the first hop would just immediately pull the
funds (as Rusty points out).
Joseph Poon <joseph at lightning.network> wrote:
> This may not fully solve the problem, since if one presumes that the
> second-to-last hop is malicious, they can re-create a new onion blob
> (presuming consistent hashes for each hop, of course).
First, *all* hops receive a per-hop payload which ideally would includes
details such as payment, time-lock value, etc. Second, this is only
possible if
Bob (the second-to-last hop), *knows* that they are in fact, the
second-to-last
hop *and* already knows all identities following them within the route.
Otherwise, the route will fail as Bob is unable to construct a new fully
valid
onion packet.
Even in the case that Bob if able to do this, it shouldn't affect the
payment
as a whole assuming Dave (the final receiver) knows the value he's expecting
for each particular r-hash (as you detailed earlier).
-- Laolu
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20160820/81e0955d/attachment.html>;
Olaoluwa Osuntokun [ARCHIVE] /
npub19h…zkvn4
2023-06-09 12:46:28
in reply to nevent1q…uemn
Author Public Key
npub19helcfnqgk2jrwzjex2aflq6jwfc8zd9uzzkwlgwhve7lykv23mq5zkvn4Published at
2023-06-09 12:46:28Event JSON
{
"id": "fef110d27372a3db8e4d7a97e599ad7afc01de66da4896cc46af92b1dcff89aa",
"pubkey": "2df3fc2660459521b852c995d4fc1a93938389a5e085677d0ebb33ef92cc5476",
"created_at": 1686314788,
"kind": 1,
"tags": [
[
"e",
"f166a20039cde752a8ba4e6cccc22d4b2719f9a29840f0c295641243ae59d83f",
"",
"root"
],
[
"e",
"2b3a5bc01ba5c76bd5f772acf067337bd053400f681a64b25e776d7c094afa72",
"",
"reply"
],
[
"p",
"ccb4cc87c455b74febaee5929cfd0726421b2eea64ad2b16440b68e8c7433211"
]
],
"content": "📅 Original date posted:2016-08-20\n📝 Original message:\nRusty Russell \u003crusty at rustcorp.com.au\u003e wrote:\n\u003e Which creates a subtle requirement: even the terminal onion should\ninclude an\n\u003e amount.\n\nWith the current draft specification, all hops receive a per-hop payload\n(unless we're now abandoning the payload for the final hop due to the\n\"terminal\" byte?). This behavior isn't changed for the final hop, so they\nalso\nextract a payload once they process the onion packet.\n\nChristian Decker \u003cdecker.christian at gmail.com\u003e wrote:\n\u003e If the recipient does not know the intended amount and accepts anything\nthen\n\u003e fee-shaving is very profitable.\n\nIn my mind (although it seems to be handled with the current onion-packet\nformat), this is an issue which should be resolved/negotiated at a higher\nlevel. Ignoring the possibility of using the network as a general messaging\nlayer (which seems a bit ambitious, plus brings up DoS concerns), the\nsender/receiver should have already negotiated all the details of the\npayment.\nIf the receiver communicated the target r-hash, then they should also be\naware\nof the associated value to be paid out with reveal of the corresponding\nr-preimage. Joseph's description fits by current thought model.\n\nRusty Russell \u003crusty at rustcorp.com.au\u003e wrote:\n\u003e Related: I can't seem to figure out why we're so concerned with onion\nreuse?\n\u003e It seems if a node were to retransmit the same onion runs this same risk.\n\nOne might say that the concern is a bit \"academic\" in nature. In theory,\nwithin\na mix-net (sending emails/messages, not HTLC's), an adversary shouldn't be\nable\nto re-inject an arbitrary previously processed packet thereby causing node\nto\nprocess and forward the packet as normal. If they're able to do this, then\nin\nconjunction with several nodes participating within the network, the\nadversary\nmay be able to partially (worse, even fully) re-construct the original path\nby\nobserving how the replays propagate throughout the network.\n\nHowever, practically, we're currently building something that more\nresembles an\nonion routing network rather than a mix-net. Additionally, as all\ncommunication\nlinks are end-to-end encrypted+authenticated, in reality, the only party\nable\nto attempt to replay packet within the network are nodes whom have directly\nreceived+processes the onion packet in the past. In our particular context,\nassuming the onion packet is encapsulated within the message that adds a new\nHTLC, then an attempt to replay would be foolish as if one assumes nodes\nremember all r-preimages, then the first hop would just immediately pull the\nfunds (as Rusty points out).\n\nJoseph Poon \u003cjoseph at lightning.network\u003e wrote:\n\u003e This may not fully solve the problem, since if one presumes that the\n\u003e second-to-last hop is malicious, they can re-create a new onion blob\n\u003e (presuming consistent hashes for each hop, of course).\n\nFirst, *all* hops receive a per-hop payload which ideally would includes\ndetails such as payment, time-lock value, etc. Second, this is only\npossible if\nBob (the second-to-last hop), *knows* that they are in fact, the\nsecond-to-last\nhop *and* already knows all identities following them within the route.\nOtherwise, the route will fail as Bob is unable to construct a new fully\nvalid\nonion packet.\n\nEven in the case that Bob if able to do this, it shouldn't affect the\npayment\nas a whole assuming Dave (the final receiver) knows the value he's expecting\nfor each particular r-hash (as you detailed earlier).\n\n-- Laolu\n-------------- next part --------------\nAn HTML attachment was scrubbed...\nURL: \u003chttp://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20160820/81e0955d/attachment.html\u003e",
"sig": "cb612a8ee34e642027428b1461b3d570d969d49cd9cbb4162450159deee6b8d200b850c84c8145290e006f4aa77d64c3bc858c7b83efc244269dbf1b7c866585"
}