📅 Original date posted:2015-07-07
📝 Original message:
CJP <cjp at ultimatestunts.nl> writes:
> The routing design has important implications for privacy, but also for
> the enforcement of regulations on the Lightning network.
Hi CJP! I was hoping you'd weigh in here, thanks!
> Imagine, for instance, that a couple of large nodes start requiring
> their neighbors to provide identity information (KYC-style regulation),
> and then require them to recursively provide identity information for
> all their neighbors' neighbors, and so on. If it is visible to
> intermediate nodes which other nodes participate in a transaction, this
> would cause the Lightning network to split into a regulated and a
> non-regulated part: nobody would dare to interface between the two,
> since that would prove to the regulated side that they illegally provide
> connectivity on the non-regulated side.
>
> So, I don't want nodes to explicitly know the shape of the entire
> network. Based on how Wikipedia explains source routing to me, I think
> it is incompatible with what I want. Please also note that IP almost
> never uses source routing.
Total agreement. The network must be robust against
censorship/partition for good technical reasons as well as malice.
People will also rightfully expect a caching layer for bitcoin to have
the same open-membership properties that bitcoin has.
> Also, as a counter-measure against censorship (or persecution) based on
> destination address, I think the function of "destination address of a
> route" should be de-coupled from the function of "payer endpoint" or
> "payee endpoint" of a route. In many cases, the "payer endpoint" or
> especially the "payee endpoint" will also fulfill the role of
> "destination address", but they may also choose a neutral "meeting
> point" node in the middle, and both route towards its address. This will
> allow nodes to secretly interface between regulated and non-regulated
> parts of the network, for transactions going in both directions.
OK, so this is why I proposed an onion routing system.
Basically: each node sees the next hop, the R hash, the amount, the
timeout, the fee being offered. It doesn't see the source, nor the
final destination.
This, however, requires source routing.
> The time-out value is a bit of a problem in this concept, since it is an
> indication of the number of hops from the payee endpoint. However, if
> nodes are free to choose the time-out increment for themselves, they
> could choose to make that increment smaller, to be able to route through
> a node that provides an interface to the regulated part.
>
> An additional advantage of separating destination addresses from the
> payment endpoints is that routing tables can be much smaller. Most
> consumers, and a lot of small shops can choose not to have their own
> destination address, but instead route through the destination address
> of their Lightning provider (a bit like a NAT router's IP address).
This was close to my original mental model: several thousand hubs, most
people as clients. But this risks becoming centralized, which directly
leads to the problem of censorship. You would simply blacklist certain
providers, or whitelist the ones you approve of.
So Joseph pushed my thinkoing in a radically more decentralized
direction, but routing becomes a *much* harder problem.
Anyway, I think it makes sense to support this in the protocol by adding
an opaque destination token. This could distinguish separate payments
or separate clients. Some nodes may well support transparent forwarding
of these to other nodes.
> In my view, routing tables are a sort of a heuristic, that tells you how
> likely a payment (of a certain amount!) to/from a certain destination
> address is to succeed on one of your interfaces. It is an optimization
> over the dumb algorithm of simply trying out all your interfaces one by
> one(*). It is TBD how to determine these heuristics, and how to exchange
> them between nodes.
>
> This is probably quite different from how routing on the Internet works,
> and I'm not sure how it will scale and how it can be defended against
> DoS attacks, but it sort of follows automatically from the desire to
> keep the network free.
Yep, spray-and-pray is always a good starting point! But it definitely
won't scale, so I'd like to make sure we don't paint ourselves into a
corner (even if that's our first cut).
Fees are a real issue. Without source routing the client is guessing
how much fees will be, and there'll be a lot of gaming to decide how
much of the pie to take (take too much, you get none as payment fails to
route). I think you'll end up asking your provider how you should to
pay, and that's a pretty horrible model for privacy.
With source routing and onion it's a little better; you can explicitly
state what each hop gets. Of course, if your route/payment information
is out of date you lose, too.
In summary:
1) Each-hop routing:
- Final destination hub is revealed to all nodes.
- May be forwarded, though.
- Source may be revealed to all nodes?
- Fees are tricky.
- Too low will fail
- How to estimate?
- Adaptable to changing network conditions
- Intermediary nodes can reroute.
- End clients need not know anything.
2) Source routing:
- Neither final source nor dest revealed to intermediary nodes.
- Fees are known in advance.
- Requires retransmission from source if routes change.
- End clients need routing/fee information.
- Allows selection of nodes from source
- May let you avoid bad/tracking/unreliable nodes?
Is there anything I missed?
Cheers,
Rusty.
Rusty Russell [ARCHIVE] /
npub1zw…hkhpx
2023-06-09 12:43:32
in reply to nevent1q…2nq5
Author Public Key
npub1zw7cc8z78v6s3grujfvcv3ckpvg6kr0w7nz9yzvwyglyg0qu5sjsqhkhpxPublished at
2023-06-09 12:43:32Event JSON
{
"id": "43e455c168f40abbd163d89a272fe8b32caf00772629d6fd67ff9ba4bbdad865",
"pubkey": "13bd8c1c5e3b3508a07c92598647160b11ab0deef4c452098e223e443c1ca425",
"created_at": 1686314612,
"kind": 1,
"tags": [
[
"e",
"b051b897d36d9747c0a2ead17e2be0eb4114a547258d74b54d7d8da5c672c214",
"",
"root"
],
[
"e",
"ce16f951d68d814d7eefee92d0fff245adce80e81d858906c99cd4de5dd6ce9d",
"",
"reply"
],
[
"p",
"880fa8c3080c3bd98e574cfcd6d6f53fd13e0516c40ea3f46295438b0c07bdf5"
]
],
"content": "📅 Original date posted:2015-07-07\n📝 Original message:\nCJP \u003ccjp at ultimatestunts.nl\u003e writes:\n\u003e The routing design has important implications for privacy, but also for\n\u003e the enforcement of regulations on the Lightning network.\n\nHi CJP! I was hoping you'd weigh in here, thanks!\n\n\u003e Imagine, for instance, that a couple of large nodes start requiring\n\u003e their neighbors to provide identity information (KYC-style regulation),\n\u003e and then require them to recursively provide identity information for\n\u003e all their neighbors' neighbors, and so on. If it is visible to\n\u003e intermediate nodes which other nodes participate in a transaction, this\n\u003e would cause the Lightning network to split into a regulated and a\n\u003e non-regulated part: nobody would dare to interface between the two,\n\u003e since that would prove to the regulated side that they illegally provide\n\u003e connectivity on the non-regulated side.\n\u003e\n\u003e So, I don't want nodes to explicitly know the shape of the entire\n\u003e network. Based on how Wikipedia explains source routing to me, I think\n\u003e it is incompatible with what I want. Please also note that IP almost\n\u003e never uses source routing.\n\n Total agreement. The network must be robust against\ncensorship/partition for good technical reasons as well as malice.\nPeople will also rightfully expect a caching layer for bitcoin to have\nthe same open-membership properties that bitcoin has.\n\n\u003e Also, as a counter-measure against censorship (or persecution) based on\n\u003e destination address, I think the function of \"destination address of a\n\u003e route\" should be de-coupled from the function of \"payer endpoint\" or\n\u003e \"payee endpoint\" of a route. In many cases, the \"payer endpoint\" or\n\u003e especially the \"payee endpoint\" will also fulfill the role of\n\u003e \"destination address\", but they may also choose a neutral \"meeting\n\u003e point\" node in the middle, and both route towards its address. This will\n\u003e allow nodes to secretly interface between regulated and non-regulated\n\u003e parts of the network, for transactions going in both directions.\n\nOK, so this is why I proposed an onion routing system.\n\nBasically: each node sees the next hop, the R hash, the amount, the\ntimeout, the fee being offered. It doesn't see the source, nor the\nfinal destination.\n\nThis, however, requires source routing.\n\n\u003e The time-out value is a bit of a problem in this concept, since it is an\n\u003e indication of the number of hops from the payee endpoint. However, if\n\u003e nodes are free to choose the time-out increment for themselves, they\n\u003e could choose to make that increment smaller, to be able to route through\n\u003e a node that provides an interface to the regulated part.\n\u003e\n\u003e An additional advantage of separating destination addresses from the\n\u003e payment endpoints is that routing tables can be much smaller. Most\n\u003e consumers, and a lot of small shops can choose not to have their own\n\u003e destination address, but instead route through the destination address\n\u003e of their Lightning provider (a bit like a NAT router's IP address).\n\nThis was close to my original mental model: several thousand hubs, most\npeople as clients. But this risks becoming centralized, which directly\nleads to the problem of censorship. You would simply blacklist certain\nproviders, or whitelist the ones you approve of.\n\nSo Joseph pushed my thinkoing in a radically more decentralized\ndirection, but routing becomes a *much* harder problem.\n\nAnyway, I think it makes sense to support this in the protocol by adding\nan opaque destination token. This could distinguish separate payments\nor separate clients. Some nodes may well support transparent forwarding\nof these to other nodes.\n\n\u003e In my view, routing tables are a sort of a heuristic, that tells you how\n\u003e likely a payment (of a certain amount!) to/from a certain destination\n\u003e address is to succeed on one of your interfaces. It is an optimization\n\u003e over the dumb algorithm of simply trying out all your interfaces one by\n\u003e one(*). It is TBD how to determine these heuristics, and how to exchange\n\u003e them between nodes.\n\u003e\n\u003e This is probably quite different from how routing on the Internet works,\n\u003e and I'm not sure how it will scale and how it can be defended against\n\u003e DoS attacks, but it sort of follows automatically from the desire to\n\u003e keep the network free.\n\nYep, spray-and-pray is always a good starting point! But it definitely\nwon't scale, so I'd like to make sure we don't paint ourselves into a\ncorner (even if that's our first cut).\n\nFees are a real issue. Without source routing the client is guessing\nhow much fees will be, and there'll be a lot of gaming to decide how\nmuch of the pie to take (take too much, you get none as payment fails to\nroute). I think you'll end up asking your provider how you should to\npay, and that's a pretty horrible model for privacy.\n\nWith source routing and onion it's a little better; you can explicitly\nstate what each hop gets. Of course, if your route/payment information\nis out of date you lose, too.\n\nIn summary:\n\n1) Each-hop routing:\n - Final destination hub is revealed to all nodes.\n - May be forwarded, though.\n - Source may be revealed to all nodes?\n - Fees are tricky.\n - Too low will fail\n - How to estimate?\n - Adaptable to changing network conditions\n - Intermediary nodes can reroute.\n - End clients need not know anything.\n\n2) Source routing:\n - Neither final source nor dest revealed to intermediary nodes.\n - Fees are known in advance.\n - Requires retransmission from source if routes change.\n - End clients need routing/fee information.\n - Allows selection of nodes from source\n - May let you avoid bad/tracking/unreliable nodes?\n\nIs there anything I missed?\n\nCheers,\nRusty.",
"sig": "c46058e217f8ac24b8473bb027bb8acc9176c388be189de3e0c4ae490f699978d956f2a00dd48522543a687a43a600afc07852952c3bbdd060ef236823dfe5e3"
}