Rusty Russell [ARCHIVE] on Nostr
📅 Original date posted:2021-04-24
📝 Original message:
Matt Corallo <lf-lists at mattcorallo.com> writes:
> Somehow I missed this thread, but I did note in a previous meeting - these issues are great fodder for fuzzing. We’ve had a fuzzer which aggressively tests for precisely these types of message-non-delivery-and-resending production desync bugs for several years. When it initially landed it forced several rewrites of parts of the state machine, but quickly exhausted the bug fruit (though catches other classes of bugs occasionally as well). The state machine here is really not that big - while I agree simplifying it where possible is nice, ripping things out to replace them with fresh code (which would need similar testing) is probably not the most obvious decrease in complexity.
It's historically had more bugs than anything else in the protocol. We
literally found another one in feerate negotiation since the last
c-lightning release :(
I'd rather not have bugs than try to catch them all.
>> I've been revisiting this because it makes things like splicing easier:
>> the current draft requires stopping changes while splicing is being
>> negotiated, which is not entirely trivial. With the simplified method,
>> you don't have to wait at all.
>
> Hmm, what’s nontrivial about this? How much more complicated is this than having an alternation to updates and pausing HTLC updates for a cycle or two while splicing is negotiated (I assume it would still need a similar requirement, as otherwise you have the same complexity)? We already have a similar update-stopping process for shutdown, though of course it doesn’t include restarting.
You could propose a splice (or update to anchors, or whatever) any time
when it's your turn, as long as you haven't proposed any other updates.
That's simple!
Instead, *both* sides have to send a splice message to synchronize, and
they can only do so once all in-flight changes have cleared. You have
to resolve simultaneous splice attempts (we use "highest feerate"
tiebreak by node_id), and keep track of this stage while you clear
in-flight changes.
Here's the subset of requirements from the draft which relate to this:
The sender:
- MUST NOT send another splice message while a splice is being negotiated.
- MUST NOT send a splice message after sending uncommitted changes.
- MUST NOT send other channel updates until splice negotiation has completed.
The receiver:
- MUST respond with a `splice` message of its own if it has not already.
- MUST NOT reply with `splice` until all commitment updates are resolved by both peers.
- MUST use the higher of the two `funding_feerate_perkw` as the feerate for
the splice.
- MUST NOT send other channel updates until splice negotiation has completed.
Similar requirements exist for other major channel changes.
Cheers,
Rusty.
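The sender/receiver rules quoted in the message above, as an added example that is not part of the original post and is neither c-lightning nor draft-spec code: a small Python model of two peers enforcing those MUST rules, driven through the three cases the text calls out (a reply that has to wait for in-flight changes to clear, simultaneous splice proposals, and a splice attempted after an uncommitted change). Everything here is a constructed simplification: "negotiation completed" means only that both `splice` messages have been exchanged and the feerate agreed (the interactive transaction construction that follows in the real draft is left out), a single `commitments_resolved()` call stands in for the commitment_signed / revoke_and_ack round that clears in-flight changes, and the node_id tie-break for equal feerates is not modelled.

```python
"""Model of the quoted splice-negotiation MUST rules (added example, not spec code)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class SpliceMsg:
    sender: str
    funding_feerate_perkw: int


class ProtocolViolation(Exception):
    """Raised when a peer would break one of the quoted MUST rules."""


@dataclass
class Peer:
    name: str
    preferred_feerate: int
    # Channel updates (e.g. update_add_htlc) sent/received but not yet
    # committed and revoked by both sides.  Assumed bookkeeping, not spec fields.
    uncommitted_sent: int = 0
    uncommitted_received: int = 0
    our_splice: Optional[SpliceMsg] = None
    their_splice: Optional[SpliceMsg] = None
    agreed_feerate: Optional[int] = None
    log: List[str] = field(default_factory=list)

    def negotiating(self) -> bool:
        """True from the first splice message until the feerate is agreed."""
        started = self.our_splice is not None or self.their_splice is not None
        return started and self.agreed_feerate is None

    def _in_flight(self) -> bool:
        return self.uncommitted_sent > 0 or self.uncommitted_received > 0

    def _maybe_finish(self) -> None:
        if self.our_splice and self.their_splice and self.agreed_feerate is None:
            # "MUST use the higher of the two funding_feerate_perkw".
            self.agreed_feerate = max(self.our_splice.funding_feerate_perkw,
                                      self.their_splice.funding_feerate_perkw)
            self.log.append(f"{self.name}: splice feerate agreed at {self.agreed_feerate}")

    # ---- sender rules ----
    def send_update(self) -> None:
        """An ordinary channel update such as update_add_htlc."""
        if self.negotiating():
            raise ProtocolViolation(f"{self.name}: MUST NOT send other channel updates "
                                    "until splice negotiation has completed")
        self.uncommitted_sent += 1

    def send_splice(self) -> SpliceMsg:
        if self.our_splice is not None:
            raise ProtocolViolation(f"{self.name}: MUST NOT send another splice message "
                                    "while a splice is being negotiated")
        if self.uncommitted_sent > 0:
            raise ProtocolViolation(f"{self.name}: MUST NOT send a splice message "
                                    "after sending uncommitted changes")
        self.our_splice = SpliceMsg(self.name, self.preferred_feerate)
        self._maybe_finish()
        return self.our_splice

    # ---- receiver rules ----
    def receive_update(self) -> None:
        self.uncommitted_received += 1

    def receive_splice(self, msg: SpliceMsg) -> Optional[SpliceMsg]:
        """Return our reply splice if it can go out now, else None (deferred)."""
        self.their_splice = msg
        if self.our_splice is not None:      # simultaneous proposals: no reply needed
            self._maybe_finish()
            return None
        return self._try_reply()

    def _try_reply(self) -> Optional[SpliceMsg]:
        # "MUST NOT reply with splice until all commitment updates are resolved by both peers".
        if self._in_flight():
            self.log.append(f"{self.name}: deferring splice reply, changes in flight")
            return None
        return self.send_splice()

    def commitments_resolved(self) -> Optional[SpliceMsg]:
        """Stand-in for a full commitment_signed/revoke_and_ack round clearing
        every in-flight change; a deferred splice reply is released here."""
        self.uncommitted_sent = self.uncommitted_received = 0
        if self.their_splice is not None and self.our_splice is None:
            return self._try_reply()
        return None


def run_scenarios() -> dict:
    out = {}
    # 1. Bob has an HTLC in flight when Alice's splice arrives: his reply must wait.
    alice, bob = Peer("alice", 1500), Peer("bob", 2500)
    bob.send_update(); alice.receive_update()
    out["reply_deferred"] = bob.receive_splice(alice.send_splice()) is None
    try:
        bob.send_update(); out["update_blocked_during_negotiation"] = False
    except ProtocolViolation:
        out["update_blocked_during_negotiation"] = True
    alice.commitments_resolved()
    alice.receive_splice(bob.commitments_resolved())   # Bob's reply is released now
    out["feerate_after_deferral"] = (alice.agreed_feerate, bob.agreed_feerate)
    # 2. Simultaneous proposals: each side treats the other's splice as the reply.
    alice, bob = Peer("alice", 1500), Peer("bob", 2500)
    a_msg, b_msg = alice.send_splice(), bob.send_splice()
    out["simultaneous_no_extra_reply"] = (alice.receive_splice(b_msg), bob.receive_splice(a_msg)) == (None, None)
    out["feerate_simultaneous"] = (alice.agreed_feerate, bob.agreed_feerate)
    # 3. Sender rule: a splice may not follow an uncommitted change.
    alice = Peer("alice", 1500)
    alice.send_update()
    try:
        alice.send_splice(); out["splice_after_uncommitted_blocked"] = False
    except ProtocolViolation:
        out["splice_after_uncommitted_blocked"] = True
    return out


if __name__ == "__main__":
    for k, v in run_scenarios().items():
        print(f"{k}: {v}")
```

The deferred-reply case is where the bookkeeping Rusty describes lives: the receiver has to remember that a splice is pending while it finishes clearing its own in-flight changes, and meanwhile refuse to send any further update. Under the turn-taking alternative he describes, a splice is just another proposal made on your own turn, so neither the pending state nor the simultaneous-proposal resolution arises.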
Published at 2023-06-09 13:02:18