📅 Original date posted:2018-05-09
📝 Original message:
Thanks for the thoughtful responses.
> You missed the vital detail: that you must prove channel closure if you
> can't unpeel the onion further. That *will* hit an unresponsive party
> with a penalty.
Ah, that is a good point. I still find the proposal overall worryingly
complex in terms of communication overhead, time it takes to prove channel
closure, all of your points in [1], [2], [3], etc. Furthermore, this
mandates that immediate channel closure is the only allowed reaction to a
party delaying an HTLC for a time period above a threshold -- the node
reputation approach gives more discretion to the preceding hop.
Deobfuscating the route may turn out to be the right option, but I think
the reputation system has certain advantages over this.
> The models we tried in Milan all created an incentive to fail payments,
> which is a non-starter.
Do you mind elaborating or summarizing the reasons? The way I'm analyzing
it, even if there's a nominal spam fee paid to routing nodes that fail
payments, as long as it's low enough (say 2-5% for arguments sake), the
nodes still have more to gain by forwarding the payment and earning the
full fee on a completed payment, and possibly the reputation boost
associated with completing a payment if that system was in effect.
Moreover, a node that constantly fails payments will be blacklisted by the
sender eventually and stop receiving HTLCs from them at all. Overall, I
don't think this is a profitable strategy. Furthermore, I think it works
quite well in combination with the reputation system.
> This seems like we'd need some serious evaluation to show that this
> works, because the risks are very high.
I agree that it needs to be evaluated. I may start working on some network
simulations to test various DOS mitigation strategies.
> I can destroy your node's reputation by routing crap through you; even
> if it costs me marginaly more reputation than it does you, that just
> means that the largest players can force failure upon smaller players,
> centralizing the network. And I think trying to ensure that it costs me
> more reputation than the sum of downstream reputation loss leaks too
> much information
I will add to ZmnSCPxj's response, which is mostly on point. The key here
is that the only way to lose significant reputation is to delay a payment
yourself or forward to a malicious downstream that delays -- neither of
these can be forced by the sender alone. This amounts to a system where you
are on the hook for any malicious behavior of your downstream peers, which
is why you must keep a reputation score for each which they earn over time.
This should keep all links in the network high quality and quickly
disconnect off delaying nodes if the incentives are right.
While I agree that a lot of reputation is leaked by aggregating the losses
along the route, this serves exactly to prevent large nodes with high
reputation from ruining links elsewhere. There are two things a node
looking to cause reputation loss could do. 1) Identify a node (not itself)
it thinks will delay a payment and send to them. This locks up funds on
their behalf, but is actually good behavior because it identifies a faulty
node and rightfully forces a loss in their reputation, eventually resulting
in them being booted from the network. Everyone upstream loses some
reputation for having connectivity to them, but less because of the loss
aggregation along the route. 2) Delay a payment oneself and force upstream
reputation loss. This is why I think it's important that the reputation
loss aggregate so that the malicious party loses the most.
As for the amount of information leaked, yes, it helps determine the number
of upstream hops in a route. However, the CLTV values help determine the
number of downstream hops in a route in exactly the same way. I see these
as symmetric in a sense.
To address ZmnSCPxj's point:
> But it also looks more and more like a policy of "just
`update_htlc_fail`" keeps our reputation high: indeed never accepting a
forwarding attempt would ensure reputation.
> However, earning via fees should help provide incentive against "Just
`update_htlc_fail`" always. If the goal is "how do I earn money fastest"
then there is some optimal threshhold > of risk-of-reputation-loss vs.
fee-earnings-if-I-forward that is unlikely to be near the "Just fail it"
spectrum, but somewhere in between. We hope.
This is exactly the question that your local view of peer reputations helps
solve: are the potential fees here worth the risk of forwarding this
payment to this downstream? If their reputation is high, then you will want
to forward because you think there's a low chance of you incurring
reputation loss. If their reputation is low and the HTLC value is too high,
you will fail it. So I disagree that "just `update_htlc_fail`" is an
optimal strategy. Consider as well that all fees you earn on successful
payments are profit to you as well as a reputation boost in the view of
both of your peers. So in order to earn reputation, you have to forward
payments. The key is not forwarding through malicious peers.
-jimpo
On Wed, May 9, 2018 at 12:31 AM, ZmnSCPxj <ZmnSCPxj at protonmail.com> wrote:
> Good morning Rusty, Jim, and list,
>
> > I can destroy your node's reputation by routing crap through you; even
> >
> > if it costs me marginaly more reputation than it does you, that just
> >
> > means that the largest players can force failure upon smaller players,
> >
> > centralizing the network.
>
> My understanding of the proposal was that reputation loss would occur only
> if the reply (`update_htlc_fail` or `update_htlc_success`) is delayed; this
> means that for you to force me to lose reputation, you need to somehow make
> me delay my reply. In particular if you do simple things like give me an
> invalid onion, or make me forward to a payee who does not know the
> preimage, I do not lose reputation by replying very quickly with an
> `update_htlc_fail`.
>
> Of course, a large player could force reputation loss by delaying reply
> when they receive, and having patsy nodes route to them. So for instance
> if it is Jim -> ZmnSCPxj -> Rusty, and Rusty activates the
> Blockstream-takes-over-the-world Apocalypse program, the Rusty node would
> then delay for a long time before replying, which makes my reputation
> suffer. But it also makes Rusty reputation suffer even more and my
> reaction would be that, the next time Jim hands me an HTLC that forwards to
> Rusty, I would instead quickly `update_htlc_fail` back to Jim (which does
> not lose me significant reputation due to my quick response) than risk
> forwarding it to you, since you have a reputation for being slow and
> unresponsive.
>
> Indeed, another aspect of Jim proposal is that it is extremely local: if
> Jim has no channel to Rusty, then Jim has no opinion about Rusty, only
> about ZmnSCPxj. However, ZmnSCPxj does have an opinion about Rusty, as
> ZmnSCPxj has channel with Rusty. If I suffer too much reputation loss due
> to Rusty, my opinion of Rusty drops even faster, and I decide to
> `update_htlc_fail` in order to prevent Jim opinion of me from dropping too
> much that Jim decides not to forward to me (if I have other channels with
> more reasonable nodes).
>
> But it also looks more and more like a policy of "just `update_htlc_fail`"
> keeps our reputation high: indeed never accepting a forwarding attempt
> would ensure reputation.
>
> However, earning via fees should help provide incentive against "Just
> `update_htlc_fail`" always. If the goal is "how do I earn money fastest"
> then there is some optimal threshhold of risk-of-reputation-loss vs.
> fee-earnings-if-I-forward that is unlikely to be near the "Just fail it"
> spectrum, but somewhere in between. We hope.
>
> > And I think trying to ensure that it costs me
> >
> > more reputation than the sum of downstream reputation loss leaks too
> >
> > much information
>
> Yes, this is a major drawback of the proposal. The rate at which the
> sender of the HTLC threatens me with reputation loss lets me estimate my
> distance from the ultimate sender of the funds.
>
> Regards,
> ZmnSCPxj
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20180509/1cec1f17/attachment-0001.html>;
Jim Posen [ARCHIVE] /
npub1nc…lqt2n
2023-06-09 12:50:24
in reply to nevent1q…cswt
Author Public Key
npub1ncnj8arudstdxzfhxk7k4nwgkrw3hyw8sgt0wqqmm5hh2c4knmgs2lqt2nPublished at
2023-06-09 12:50:24Event JSON
{
"id": "7220acf6fff9180fa0980797ef4c5556f6479997ca1a5a559c51bbf7341ef230",
"pubkey": "9e2723f47c6c16d3093735bd6acdc8b0dd1b91c78216f7001bdd2f7562b69ed1",
"created_at": 1686315024,
"kind": 1,
"tags": [
[
"e",
"ec647d42dc739e5a708f79cd6e7400519e655a3f7062723c1ca708888c19c0eb",
"",
"root"
],
[
"e",
"86af82df57159c73211d31b4fa528fe56868dde81153f36c87f14f763688c771",
"",
"reply"
],
[
"p",
"4505072744a9d3e490af9262bfe38e6ee5338a77177b565b6b37730b63a7b861"
]
],
"content": "📅 Original date posted:2018-05-09\n📝 Original message:\nThanks for the thoughtful responses.\n\n\u003e You missed the vital detail: that you must prove channel closure if you\n\u003e can't unpeel the onion further. That *will* hit an unresponsive party\n\u003e with a penalty.\n\nAh, that is a good point. I still find the proposal overall worryingly\ncomplex in terms of communication overhead, time it takes to prove channel\nclosure, all of your points in [1], [2], [3], etc. Furthermore, this\nmandates that immediate channel closure is the only allowed reaction to a\nparty delaying an HTLC for a time period above a threshold -- the node\nreputation approach gives more discretion to the preceding hop.\nDeobfuscating the route may turn out to be the right option, but I think\nthe reputation system has certain advantages over this.\n\n\u003e The models we tried in Milan all created an incentive to fail payments,\n\u003e which is a non-starter.\n\nDo you mind elaborating or summarizing the reasons? The way I'm analyzing\nit, even if there's a nominal spam fee paid to routing nodes that fail\npayments, as long as it's low enough (say 2-5% for arguments sake), the\nnodes still have more to gain by forwarding the payment and earning the\nfull fee on a completed payment, and possibly the reputation boost\nassociated with completing a payment if that system was in effect.\nMoreover, a node that constantly fails payments will be blacklisted by the\nsender eventually and stop receiving HTLCs from them at all. Overall, I\ndon't think this is a profitable strategy. Furthermore, I think it works\nquite well in combination with the reputation system.\n\n\u003e This seems like we'd need some serious evaluation to show that this\n\u003e works, because the risks are very high.\n\nI agree that it needs to be evaluated. I may start working on some network\nsimulations to test various DOS mitigation strategies.\n\n\u003e I can destroy your node's reputation by routing crap through you; even\n\u003e if it costs me marginaly more reputation than it does you, that just\n\u003e means that the largest players can force failure upon smaller players,\n\u003e centralizing the network. And I think trying to ensure that it costs me\n\u003e more reputation than the sum of downstream reputation loss leaks too\n\u003e much information\n\nI will add to ZmnSCPxj's response, which is mostly on point. The key here\nis that the only way to lose significant reputation is to delay a payment\nyourself or forward to a malicious downstream that delays -- neither of\nthese can be forced by the sender alone. This amounts to a system where you\nare on the hook for any malicious behavior of your downstream peers, which\nis why you must keep a reputation score for each which they earn over time.\nThis should keep all links in the network high quality and quickly\ndisconnect off delaying nodes if the incentives are right.\n\nWhile I agree that a lot of reputation is leaked by aggregating the losses\nalong the route, this serves exactly to prevent large nodes with high\nreputation from ruining links elsewhere. There are two things a node\nlooking to cause reputation loss could do. 1) Identify a node (not itself)\nit thinks will delay a payment and send to them. This locks up funds on\ntheir behalf, but is actually good behavior because it identifies a faulty\nnode and rightfully forces a loss in their reputation, eventually resulting\nin them being booted from the network. Everyone upstream loses some\nreputation for having connectivity to them, but less because of the loss\naggregation along the route. 2) Delay a payment oneself and force upstream\nreputation loss. This is why I think it's important that the reputation\nloss aggregate so that the malicious party loses the most.\n\nAs for the amount of information leaked, yes, it helps determine the number\nof upstream hops in a route. However, the CLTV values help determine the\nnumber of downstream hops in a route in exactly the same way. I see these\nas symmetric in a sense.\n\nTo address ZmnSCPxj's point:\n\n\u003e But it also looks more and more like a policy of \"just\n`update_htlc_fail`\" keeps our reputation high: indeed never accepting a\nforwarding attempt would ensure reputation.\n\u003e However, earning via fees should help provide incentive against \"Just\n`update_htlc_fail`\" always. If the goal is \"how do I earn money fastest\"\nthen there is some optimal threshhold \u003e of risk-of-reputation-loss vs.\nfee-earnings-if-I-forward that is unlikely to be near the \"Just fail it\"\nspectrum, but somewhere in between. We hope.\n\nThis is exactly the question that your local view of peer reputations helps\nsolve: are the potential fees here worth the risk of forwarding this\npayment to this downstream? If their reputation is high, then you will want\nto forward because you think there's a low chance of you incurring\nreputation loss. If their reputation is low and the HTLC value is too high,\nyou will fail it. So I disagree that \"just `update_htlc_fail`\" is an\noptimal strategy. Consider as well that all fees you earn on successful\npayments are profit to you as well as a reputation boost in the view of\nboth of your peers. So in order to earn reputation, you have to forward\npayments. The key is not forwarding through malicious peers.\n\n-jimpo\n\nOn Wed, May 9, 2018 at 12:31 AM, ZmnSCPxj \u003cZmnSCPxj at protonmail.com\u003e wrote:\n\n\u003e Good morning Rusty, Jim, and list,\n\u003e\n\u003e \u003e I can destroy your node's reputation by routing crap through you; even\n\u003e \u003e\n\u003e \u003e if it costs me marginaly more reputation than it does you, that just\n\u003e \u003e\n\u003e \u003e means that the largest players can force failure upon smaller players,\n\u003e \u003e\n\u003e \u003e centralizing the network.\n\u003e\n\u003e My understanding of the proposal was that reputation loss would occur only\n\u003e if the reply (`update_htlc_fail` or `update_htlc_success`) is delayed; this\n\u003e means that for you to force me to lose reputation, you need to somehow make\n\u003e me delay my reply. In particular if you do simple things like give me an\n\u003e invalid onion, or make me forward to a payee who does not know the\n\u003e preimage, I do not lose reputation by replying very quickly with an\n\u003e `update_htlc_fail`.\n\u003e\n\u003e Of course, a large player could force reputation loss by delaying reply\n\u003e when they receive, and having patsy nodes route to them. So for instance\n\u003e if it is Jim -\u003e ZmnSCPxj -\u003e Rusty, and Rusty activates the\n\u003e Blockstream-takes-over-the-world Apocalypse program, the Rusty node would\n\u003e then delay for a long time before replying, which makes my reputation\n\u003e suffer. But it also makes Rusty reputation suffer even more and my\n\u003e reaction would be that, the next time Jim hands me an HTLC that forwards to\n\u003e Rusty, I would instead quickly `update_htlc_fail` back to Jim (which does\n\u003e not lose me significant reputation due to my quick response) than risk\n\u003e forwarding it to you, since you have a reputation for being slow and\n\u003e unresponsive.\n\u003e\n\u003e Indeed, another aspect of Jim proposal is that it is extremely local: if\n\u003e Jim has no channel to Rusty, then Jim has no opinion about Rusty, only\n\u003e about ZmnSCPxj. However, ZmnSCPxj does have an opinion about Rusty, as\n\u003e ZmnSCPxj has channel with Rusty. If I suffer too much reputation loss due\n\u003e to Rusty, my opinion of Rusty drops even faster, and I decide to\n\u003e `update_htlc_fail` in order to prevent Jim opinion of me from dropping too\n\u003e much that Jim decides not to forward to me (if I have other channels with\n\u003e more reasonable nodes).\n\u003e\n\u003e But it also looks more and more like a policy of \"just `update_htlc_fail`\"\n\u003e keeps our reputation high: indeed never accepting a forwarding attempt\n\u003e would ensure reputation.\n\u003e\n\u003e However, earning via fees should help provide incentive against \"Just\n\u003e `update_htlc_fail`\" always. If the goal is \"how do I earn money fastest\"\n\u003e then there is some optimal threshhold of risk-of-reputation-loss vs.\n\u003e fee-earnings-if-I-forward that is unlikely to be near the \"Just fail it\"\n\u003e spectrum, but somewhere in between. We hope.\n\u003e\n\u003e \u003e And I think trying to ensure that it costs me\n\u003e \u003e\n\u003e \u003e more reputation than the sum of downstream reputation loss leaks too\n\u003e \u003e\n\u003e \u003e much information\n\u003e\n\u003e Yes, this is a major drawback of the proposal. The rate at which the\n\u003e sender of the HTLC threatens me with reputation loss lets me estimate my\n\u003e distance from the ultimate sender of the funds.\n\u003e\n\u003e Regards,\n\u003e ZmnSCPxj\n\u003e\n-------------- next part --------------\nAn HTML attachment was scrubbed...\nURL: \u003chttp://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20180509/1cec1f17/attachment-0001.html\u003e",
"sig": "a03cb152cecba914dfd33ec3ab91b75f6662e2f4b0c465a3b225ae2c5f7e68e6b99687aefabe87ac9a825e9fffc459605bbd22cbcc3437150948ec242fca5028"
}