📅 Original date posted:2018-05-14
📝 Original message:
Jim Posen <jim.posen at gmail.com> writes:
> Thanks for the thoughtful responses.
>
>> You missed the vital detail: that you must prove channel closure if you
>> can't unpeel the onion further. That *will* hit an unresponsive party
>> with a penalty.
>
> Ah, that is a good point. I still find the proposal overall worryingly
> complex in terms of communication overhead, time it takes to prove channel
> closure, all of your points in [1], [2], [3], etc. Furthermore, this
> mandates that immediate channel closure is the only allowed reaction to a
> party delaying an HTLC for a time period above a threshold -- the node
> reputation approach gives more discretion to the preceding hop.
> Deobfuscating the route may turn out to be the right option, but I think
> the reputation system has certain advantages over this.
Agreed, it's a tradeoff.
>> The models we tried in Milan all created an incentive to fail payments,
>> which is a non-starter.
>
> Do you mind elaborating or summarizing the reasons? The way I'm analyzing
> it, even if there's a nominal spam fee paid to routing nodes that fail
> payments, as long as it's low enough (say 2-5% for arguments sake), the
> nodes still have more to gain by forwarding the payment and earning the
> full fee on a completed payment, and possibly the reputation boost
> associated with completing a payment if that system was in effect.
You're forgetting the failure cases, where now I can profit.
If I disconnect from another node, I now have a disincentive to tell
others. At the moment we send an update disabling the channel (though
we should give a few seconds for reconnect first, but whatever).
Similarly, the rewards aren't proportional: being cheaper than other
routes gets you all the traffic, but now you profit even if you can't
service the payments. In fact, once a channel becomes hard to use (low
capacity, transient disconnect, whatever), I *should* advertize it as
cheaper route than anyone else: free money!
I'm sure there are other ways to game it, but the underlying reason is
clear: it misaligns user and node incentives.
> Moreover, a node that constantly fails payments will be blacklisted by the
> sender eventually and stop receiving HTLCs from them at all. Overall, I
> don't think this is a profitable strategy. Furthermore, I think it works
> quite well in combination with the reputation system.
If the system is sufficiently decentralized, managing to cheat everyone
once is very profitable though.
>> This seems like we'd need some serious evaluation to show that this
>> works, because the risks are very high.
>
> I agree that it needs to be evaluated. I may start working on some network
> simulations to test various DOS mitigation strategies.
>
>> I can destroy your node's reputation by routing crap through you; even
>> if it costs me marginaly more reputation than it does you, that just
>> means that the largest players can force failure upon smaller players,
>> centralizing the network. And I think trying to ensure that it costs me
>> more reputation than the sum of downstream reputation loss leaks too
>> much information
>
> I will add to ZmnSCPxj's response, which is mostly on point. The key here
> is that the only way to lose significant reputation is to delay a payment
> yourself or forward to a malicious downstream that delays -- neither of
> these can be forced by the sender alone. This amounts to a system where you
> are on the hook for any malicious behavior of your downstream peers, which
> is why you must keep a reputation score for each which they earn over time.
> This should keep all links in the network high quality and quickly
> disconnect off delaying nodes if the incentives are right.
But I can make you look like a delaying node whenever I want. The only
way to ensure that I lose more reputation than you do is to leak
information about route length for *everyone*. And even then, it's just
a matter of numbers. I can make successful payments to myself through
the same peers (but not you!) to stay above their threshold so my
reputation is intact.
So it's basically a question of how expensive is it for me to throw you
off the network? You have to tune that number carefully.
> While I agree that a lot of reputation is leaked by aggregating the losses
> along the route, this serves exactly to prevent large nodes with high
> reputation from ruining links elsewhere. There are two things a node
> looking to cause reputation loss could do. 1) Identify a node (not itself)
> it thinks will delay a payment and send to them. This locks up funds on
> their behalf, but is actually good behavior because it identifies a faulty
> node and rightfully forces a loss in their reputation, eventually resulting
> in them being booted from the network. Everyone upstream loses some
> reputation for having connectivity to them, but less because of the loss
> aggregation along the route. 2) Delay a payment oneself and force upstream
> reputation loss. This is why I think it's important that the reputation
> loss aggregate so that the malicious party loses the most.
But we're busy trying to remove all the methods of deanonymizing the
network, and you seem to be adding a new one, *and* providing an
incentive to deanonymize.
> As for the amount of information leaked, yes, it helps determine the number
> of upstream hops in a route. However, the CLTV values help determine the
> number of downstream hops in a route in exactly the same way. I see these
> as symmetric in a sense.
Yes, which is why we have mitigations in place (which are still probably
insufficient). I really don't want to add another vector.
> This is exactly the question that your local view of peer reputations helps
> solve: are the potential fees here worth the risk of forwarding this
> payment to this downstream?
So now I'll try to deanonymize all payments so I can determine this.
Those who do this best will be rewarded, and those who don't try will be
knocked off the network, probably by those who can!
So I'd like to see a real design of the reputation system. If it's
practical (which is a significant hurdle), we then need to carefully
evaluate whether we're creating significant disincentives to
neighbourliness.
Cheers,
Rusty.
Rusty Russell [ARCHIVE] /
npub1zw…hkhpx
2023-06-09 12:50:27
in reply to nevent1q…rm4c
Author Public Key
npub1zw7cc8z78v6s3grujfvcv3ckpvg6kr0w7nz9yzvwyglyg0qu5sjsqhkhpxPublished at
2023-06-09 12:50:27Event JSON
{
"id": "44f058e657f943683e575cbb729b04e02ca3873973ac8ec03504c854014c5b70",
"pubkey": "13bd8c1c5e3b3508a07c92598647160b11ab0deef4c452098e223e443c1ca425",
"created_at": 1686315027,
"kind": 1,
"tags": [
[
"e",
"ec647d42dc739e5a708f79cd6e7400519e655a3f7062723c1ca708888c19c0eb",
"",
"root"
],
[
"e",
"a433365079273a3a6028418fe8d6d8ea605c7521d8bf0c2a6be0731cc2feb6ee",
"",
"reply"
],
[
"p",
"7dcf0ab721a725c5b60ca861acc882015ece95fd6c708f72074e2ff1c968f91e"
]
],
"content": "📅 Original date posted:2018-05-14\n📝 Original message:\nJim Posen \u003cjim.posen at gmail.com\u003e writes:\n\u003e Thanks for the thoughtful responses.\n\u003e\n\u003e\u003e You missed the vital detail: that you must prove channel closure if you\n\u003e\u003e can't unpeel the onion further. That *will* hit an unresponsive party\n\u003e\u003e with a penalty.\n\u003e\n\u003e Ah, that is a good point. I still find the proposal overall worryingly\n\u003e complex in terms of communication overhead, time it takes to prove channel\n\u003e closure, all of your points in [1], [2], [3], etc. Furthermore, this\n\u003e mandates that immediate channel closure is the only allowed reaction to a\n\u003e party delaying an HTLC for a time period above a threshold -- the node\n\u003e reputation approach gives more discretion to the preceding hop.\n\u003e Deobfuscating the route may turn out to be the right option, but I think\n\u003e the reputation system has certain advantages over this.\n\nAgreed, it's a tradeoff.\n\n\u003e\u003e The models we tried in Milan all created an incentive to fail payments,\n\u003e\u003e which is a non-starter.\n\u003e\n\u003e Do you mind elaborating or summarizing the reasons? The way I'm analyzing\n\u003e it, even if there's a nominal spam fee paid to routing nodes that fail\n\u003e payments, as long as it's low enough (say 2-5% for arguments sake), the\n\u003e nodes still have more to gain by forwarding the payment and earning the\n\u003e full fee on a completed payment, and possibly the reputation boost\n\u003e associated with completing a payment if that system was in effect.\n\nYou're forgetting the failure cases, where now I can profit.\n\nIf I disconnect from another node, I now have a disincentive to tell\nothers. At the moment we send an update disabling the channel (though\nwe should give a few seconds for reconnect first, but whatever).\n\nSimilarly, the rewards aren't proportional: being cheaper than other\nroutes gets you all the traffic, but now you profit even if you can't\nservice the payments. In fact, once a channel becomes hard to use (low\ncapacity, transient disconnect, whatever), I *should* advertize it as\ncheaper route than anyone else: free money!\n\nI'm sure there are other ways to game it, but the underlying reason is\nclear: it misaligns user and node incentives.\n\n\u003e Moreover, a node that constantly fails payments will be blacklisted by the\n\u003e sender eventually and stop receiving HTLCs from them at all. Overall, I\n\u003e don't think this is a profitable strategy. Furthermore, I think it works\n\u003e quite well in combination with the reputation system.\n\nIf the system is sufficiently decentralized, managing to cheat everyone\nonce is very profitable though.\n\n\u003e\u003e This seems like we'd need some serious evaluation to show that this\n\u003e\u003e works, because the risks are very high.\n\u003e\n\u003e I agree that it needs to be evaluated. I may start working on some network\n\u003e simulations to test various DOS mitigation strategies.\n\u003e\n\u003e\u003e I can destroy your node's reputation by routing crap through you; even\n\u003e\u003e if it costs me marginaly more reputation than it does you, that just\n\u003e\u003e means that the largest players can force failure upon smaller players,\n\u003e\u003e centralizing the network. And I think trying to ensure that it costs me\n\u003e\u003e more reputation than the sum of downstream reputation loss leaks too\n\u003e\u003e much information\n\u003e\n\u003e I will add to ZmnSCPxj's response, which is mostly on point. The key here\n\u003e is that the only way to lose significant reputation is to delay a payment\n\u003e yourself or forward to a malicious downstream that delays -- neither of\n\u003e these can be forced by the sender alone. This amounts to a system where you\n\u003e are on the hook for any malicious behavior of your downstream peers, which\n\u003e is why you must keep a reputation score for each which they earn over time.\n\u003e This should keep all links in the network high quality and quickly\n\u003e disconnect off delaying nodes if the incentives are right.\n\nBut I can make you look like a delaying node whenever I want. The only\nway to ensure that I lose more reputation than you do is to leak\ninformation about route length for *everyone*. And even then, it's just\na matter of numbers. I can make successful payments to myself through\nthe same peers (but not you!) to stay above their threshold so my\nreputation is intact.\n\nSo it's basically a question of how expensive is it for me to throw you\noff the network? You have to tune that number carefully.\n\n\u003e While I agree that a lot of reputation is leaked by aggregating the losses\n\u003e along the route, this serves exactly to prevent large nodes with high\n\u003e reputation from ruining links elsewhere. There are two things a node\n\u003e looking to cause reputation loss could do. 1) Identify a node (not itself)\n\u003e it thinks will delay a payment and send to them. This locks up funds on\n\u003e their behalf, but is actually good behavior because it identifies a faulty\n\u003e node and rightfully forces a loss in their reputation, eventually resulting\n\u003e in them being booted from the network. Everyone upstream loses some\n\u003e reputation for having connectivity to them, but less because of the loss\n\u003e aggregation along the route. 2) Delay a payment oneself and force upstream\n\u003e reputation loss. This is why I think it's important that the reputation\n\u003e loss aggregate so that the malicious party loses the most.\n\nBut we're busy trying to remove all the methods of deanonymizing the\nnetwork, and you seem to be adding a new one, *and* providing an\nincentive to deanonymize.\n\n\u003e As for the amount of information leaked, yes, it helps determine the number\n\u003e of upstream hops in a route. However, the CLTV values help determine the\n\u003e number of downstream hops in a route in exactly the same way. I see these\n\u003e as symmetric in a sense.\n\nYes, which is why we have mitigations in place (which are still probably\ninsufficient). I really don't want to add another vector.\n\n\u003e This is exactly the question that your local view of peer reputations helps\n\u003e solve: are the potential fees here worth the risk of forwarding this\n\u003e payment to this downstream?\n\nSo now I'll try to deanonymize all payments so I can determine this.\nThose who do this best will be rewarded, and those who don't try will be\nknocked off the network, probably by those who can!\n\nSo I'd like to see a real design of the reputation system. If it's\npractical (which is a significant hurdle), we then need to carefully\nevaluate whether we're creating significant disincentives to\nneighbourliness.\n\nCheers,\nRusty.",
"sig": "b1225cf1039111cbb1c5df89af2f81f1858426c71e1cfc97b40abf180a4248d5bddae25ad445e8f835ded5ef359a5341e19709d0ce43c04cd4971b459b750173"
}