📅 Original date posted:2016-08-15
📝 Original message:
On Sat, Aug 13, 2016 at 07:34:02PM +0930, Rusty Russell wrote:
> Olaoluwa Osuntokun <laolu32 at gmail.com> writes:
> > Rusty Russell <rusty at rustcorp.com.au> wrote:
> >> Ephemeral key and mac make sense as a header, but it's fairly easy
> >> to image a different next hop address format for different networks.
> >> See also "realm byte" below.
> >>
> >> Thus I'm suggesting a format like:
> >>
> >> [ephemeral key] [mac] [realm] [per-realm-information]
> >>
> >> Per-realm-information is next-hop, amount, etc.
> >
> > In order to maintain the security properties of the onion blob, each onion
> > blob
> > is required to be the exact same length. Therefore, the amount of bytes
> > allocated for the "next-hop" address needs to be uniform. In my mind, the
> > next-hop" field should just be an opaque blob (at the specification level)
> > with
> > no further explicit meaning. Nodes residing on various chains will parse the
> > address accordingly (they might be using a different curve, etc).
>
> Kind of. We need some identifier to know, as nodes may straddle chains.
>
> > With this said, I fail to see what we gain by making the current
> > chain-boundary
> > explicit (within the onion blob's mix-header).
> >
> >> An explicit network byte makes sense since we could eventually have
> > multiple
> >> networks (atomic cross-chain exchange). While node keys are network
> > globally
> >> unique (thus the exchange is *implied* by the next hop), it's nice to be
> >> explicit.
> >>
> >> We need some flag for the terminal node anyway, so it makes sense IMHO
> >> to expand it.
> >
> > Sure, but the explicit network byte should be within the main p2p message
> > header rather than the header for the onion blob itself. When crossing
> > chains,
> > nodes will properly set the net magic in the outer message header.
>
> Some node will have to straddle two chains, right? So you'd route A ->
> B -> C as normal, and C is (say) litecoin (B straddles both). You
> really want the onion to be explicit that this transfer to litecoin is
> what the sender intended. Or some sidechain.
>
> Now, we'd hope nobody would screw this up, but I think it's worth
> flagging since the sender really should know it's changing chains.
I agree that the realm byte is a sensible addition. To trigger this we
would need to have multiple channels, on different chains, using the
same identifiers between two nodes. Only in this case we'd have an
ambiguity where to transfer the funds. Assuming we have the route A ->
B => C, where => indicates two channels, one in litecoin and one in
bitcoin, and both channels use the same identity for C. Then the
instruction to forward 0.01 units to C is ambiguous, as it could be
denominated in either litecoin or bitcoin.
While not dangerous it is rather unfortunate as it results in
guesswork. It is not dangerous because if A transferred litecoin to B
then B will (hopefully) never forward a higher value to C using
bitcoin, and if it were bitcoin then the final recipient would not
sign off an inferior amount than what he expected.
To prevent this we could make it a policy to never re-use identities
for multiple channels, but someone will surely get it wrong at some
point :-)
I was thinking that it'd be stored in the per-hop payload, along with
the instructions for the hop, which is why I did not specify it, but
I'm happy to add it, should it make things clearer.
>
> > Also we don't need to allocate an additional byte for the terminal node in
> > any
> > case. The terminal node can either be identified by the null-MAC, or
> > null-nexthop (if that isn't being used to dispatch into virtual channels).
>
> That implies there's a final hop in the packet which is unused? I
> believe strongly we want a realm byte, so I think it makes more sense to
> overload it for this.
Indeed the last hop's routing information is all zeroes and the
per-hop payload is currently unused (as the node does not forward
anything). If we use the terminal identifier we can shave the 40 bytes
routing info off the packet, provided the node checks the terminal
byte in the per-hop payload before attempting anything with the
routing info which'd be garbage, i.e., encrypted fillers by the first
hop.
Cheers,
Christian
Christian Decker [ARCHIVE] /
npub1wt…gtuyn
2023-06-09 12:46:25
in reply to nevent1q…vrpp
Author Public Key
npub1wtx5qvewc7pd6znlvwktq03mdld05mv3h5dkzfwd3dc30gdmsptsugtuynPublished at
2023-06-09 12:46:25Event JSON
{
"id": "41be50916394f21dbff1902485c83d5a6bced7ff991d6096e06866e1cec854a8",
"pubkey": "72cd40332ec782dd0a7f63acb03e3b6fdafa6d91bd1b6125cd8b7117a1bb8057",
"created_at": 1686314785,
"kind": 1,
"tags": [
[
"e",
"f166a20039cde752a8ba4e6cccc22d4b2719f9a29840f0c295641243ae59d83f",
"",
"root"
],
[
"e",
"3abe29ad455942f32c4755bdc25fb5aefb7c376157bf8f0aba3212ee9598c388",
"",
"reply"
],
[
"p",
"13bd8c1c5e3b3508a07c92598647160b11ab0deef4c452098e223e443c1ca425"
]
],
"content": "📅 Original date posted:2016-08-15\n📝 Original message:\nOn Sat, Aug 13, 2016 at 07:34:02PM +0930, Rusty Russell wrote:\n\u003e Olaoluwa Osuntokun \u003claolu32 at gmail.com\u003e writes:\n\u003e \u003e Rusty Russell \u003crusty at rustcorp.com.au\u003e wrote:\n\u003e \u003e\u003e Ephemeral key and mac make sense as a header, but it's fairly easy\n\u003e \u003e\u003e to image a different next hop address format for different networks.\n\u003e \u003e\u003e See also \"realm byte\" below.\n\u003e \u003e\u003e\n\u003e \u003e\u003e Thus I'm suggesting a format like:\n\u003e \u003e\u003e\n\u003e \u003e\u003e [ephemeral key] [mac] [realm] [per-realm-information]\n\u003e \u003e\u003e\n\u003e \u003e\u003e Per-realm-information is next-hop, amount, etc.\n\u003e \u003e\n\u003e \u003e In order to maintain the security properties of the onion blob, each onion\n\u003e \u003e blob\n\u003e \u003e is required to be the exact same length. Therefore, the amount of bytes\n\u003e \u003e allocated for the \"next-hop\" address needs to be uniform. In my mind, the\n\u003e \u003e next-hop\" field should just be an opaque blob (at the specification level)\n\u003e \u003e with\n\u003e \u003e no further explicit meaning. Nodes residing on various chains will parse the\n\u003e \u003e address accordingly (they might be using a different curve, etc).\n\u003e \n\u003e Kind of. We need some identifier to know, as nodes may straddle chains.\n\u003e \n\u003e \u003e With this said, I fail to see what we gain by making the current\n\u003e \u003e chain-boundary\n\u003e \u003e explicit (within the onion blob's mix-header).\n\u003e \u003e\n\u003e \u003e\u003e An explicit network byte makes sense since we could eventually have\n\u003e \u003e multiple\n\u003e \u003e\u003e networks (atomic cross-chain exchange). While node keys are network\n\u003e \u003e globally\n\u003e \u003e\u003e unique (thus the exchange is *implied* by the next hop), it's nice to be\n\u003e \u003e\u003e explicit.\n\u003e \u003e\u003e\n\u003e \u003e\u003e We need some flag for the terminal node anyway, so it makes sense IMHO\n\u003e \u003e\u003e to expand it.\n\u003e \u003e\n\u003e \u003e Sure, but the explicit network byte should be within the main p2p message\n\u003e \u003e header rather than the header for the onion blob itself. When crossing\n\u003e \u003e chains,\n\u003e \u003e nodes will properly set the net magic in the outer message header.\n\u003e \n\u003e Some node will have to straddle two chains, right? So you'd route A -\u003e\n\u003e B -\u003e C as normal, and C is (say) litecoin (B straddles both). You\n\u003e really want the onion to be explicit that this transfer to litecoin is\n\u003e what the sender intended. Or some sidechain.\n\u003e \n\u003e Now, we'd hope nobody would screw this up, but I think it's worth\n\u003e flagging since the sender really should know it's changing chains.\n\nI agree that the realm byte is a sensible addition. To trigger this we\nwould need to have multiple channels, on different chains, using the\nsame identifiers between two nodes. Only in this case we'd have an\nambiguity where to transfer the funds. Assuming we have the route A -\u003e\nB =\u003e C, where =\u003e indicates two channels, one in litecoin and one in\nbitcoin, and both channels use the same identity for C. Then the\ninstruction to forward 0.01 units to C is ambiguous, as it could be\ndenominated in either litecoin or bitcoin.\n\nWhile not dangerous it is rather unfortunate as it results in\nguesswork. It is not dangerous because if A transferred litecoin to B\nthen B will (hopefully) never forward a higher value to C using\nbitcoin, and if it were bitcoin then the final recipient would not\nsign off an inferior amount than what he expected.\n\nTo prevent this we could make it a policy to never re-use identities\nfor multiple channels, but someone will surely get it wrong at some\npoint :-)\n\nI was thinking that it'd be stored in the per-hop payload, along with\nthe instructions for the hop, which is why I did not specify it, but\nI'm happy to add it, should it make things clearer.\n\n\u003e \n\u003e \u003e Also we don't need to allocate an additional byte for the terminal node in\n\u003e \u003e any\n\u003e \u003e case. The terminal node can either be identified by the null-MAC, or\n\u003e \u003e null-nexthop (if that isn't being used to dispatch into virtual channels).\n\u003e \n\u003e That implies there's a final hop in the packet which is unused? I\n\u003e believe strongly we want a realm byte, so I think it makes more sense to\n\u003e overload it for this.\n\nIndeed the last hop's routing information is all zeroes and the\nper-hop payload is currently unused (as the node does not forward\nanything). If we use the terminal identifier we can shave the 40 bytes\nrouting info off the packet, provided the node checks the terminal\nbyte in the per-hop payload before attempting anything with the\nrouting info which'd be garbage, i.e., encrypted fillers by the first\nhop.\n\nCheers,\nChristian",
"sig": "c47827860843041ea05e3b9923e0deabaec15bbc3ef98556e46791dfa0a2f68d4786aba1d6f236fe5540496e21b3ea22c2dd0e546359aad034be847f055864e7"
}