Trampoline Routing (2021 edition) (Feature 56/57) #829
Conversation
|
Hi @t-bast can you please link to |
https://github.com/lightningnetwork/lightning-rfc/blob/trampoline-routing-no-gossip/proposals/trampoline.md is the best way to read it (with github's markdown viewer). |
|
Regarding trampoline invoices: Do you suggest to create a new tagged field for |
|
@ecdsa the proposed spec has a new tagged field |
|
Yes, I think it's better to introduce a new one, tailored for trampoline. |
|
Very nice proposal, can't wait to see this in action. The onion A rationale that I couldn't find, but I think Acinq are using this for I just have the following points that I am still a bit unclear on:
|
This is true. However, attackers have no control on what channels will be used to relay with trampoline, so this would be a blind attack against the whole network rather than targetting specific nodes (which is still concerning).
I think we want to introduce a different, more flexible invoice routing hint. Let's explore the advantages and drawbacks of using the current routing hints (let me know if I'm missing important points there):
It's also important to note that to receive trampoline payments, the recipient still needs to upgrade his software to support trampoline onion decryption, so it's a good opportunity to implement a new routing hint format at the same time. The advantages and drawbacks of using new routing hints are:
To exemplify the argument that the design space for recipient privacy would be bigger, I've been toying with the idea of short-lived tor-like circuits between mobile wallet recipients and trampoline nodes. Obviously if Bob uses a mobile wallet with private channels, Carol and Dave know that he is the final recipient when forwarding payments to him (frequent IP address changes, offline most of the time, etc). Of course, this idea is very hand-wavy for now and has a lot of holes (and maybe route blinding works better and achieves the same results), so please don't poke at it too much yet, you will find issues, but that's not the point. I'm mentioning it because it shows how more flexible routing hints can provide a wider design space for recipients, which is important IMO. |
|
The current proposal adds a single new failure message, The current Eclair implementation seems to return |
The previous proposal had a It is true that we may rely on trial-and-error and the
I think the proposal should clarify whether the values returned in the error message are relative to the current payment, or independent of the payment. (note that I have a slight preference for fixed values. If these values depend on the payment, clients might have to do more trial-and-error in order to discover them, which might result in more htlcs flying around) |
If it does that, it's a bug. It should only do that for small payments to phoenix wallets that don't have enough incoming liquidity (and thus need a new channel opened on-the-fly). For other cases it should return I think the errors returned should be the following:
Of course, trampoline nodes may also use other errors such as
I decided to remove that mechanism because it wasn't working well: it's impossible to correctly estimate fees for all possible payments. It will force clients to overpay too often, or will still need a trial-and-error when you try to minimize the overpayment. I'm now more in favour of the trial-and-error approach, where I think this approach is the most flexible one: we should leave some room for implementations to make different choices, to ensure we have a diverse network. |
In practice, wallets will be compelled to include both I guess the data in |
Yes, that's true. And the transition period during which both will be required will likely last months (hopefully not years though as non-trampoline wallets will have an incentive to migrate to the new routing hints, even if they don't want to support trampoline). I think these new routing hints will solve a few issues that the current routing hints have, so people would upgrade to use them regardless of trampoline, and once that's done the size overhead will be somewhat negligible.
They will be different for cases where current |
|
It seems to me like this proposal should be split into two: one that
This looks like a new requirement to me, since the last trampoline
We can totally do that as well, however I think upgrading the
Is this not orthogonal to the original trampoline proposal? I don't
Reusing an existing error code seems wrong to me Overall I think two smaller proposals with a single feature being |
Sounds good, I'll keep the current PR open and up-to-date for people who want
I don't see any satisfactory way of doing that... That's why I want to avoid having that scenario in the spec and prefer doing E2E If you find a satisfying way of achieving that I'm interested, but I don't think
That's a reasonable objection, I'll make a separate PR.
I mentioned this simply as an example to show that it allows a larger design
Sure, we can do that, it's more explicit that way. |
Like I said above, it would be useful to have distinct error numbers for In the first case, Trampoline A does not know about Trampoline B, and the sender should not ask TA to forward to TB again. In the second case, the sender will know that TA failed to forward a certain amount to TB, but it may be able to forward a different amount right now, or the same amount later. Perhaps even more granularity is desirable. If TA fails to find a path to TB, it might return the "capacity" it believes it can send to TB in the error message. |
|
I integrated all these requirements in the trampoline onion PR, let's discuss it there: #836. |
t-bast
changed the title
t-bast
force-pushed
the
trampoline-routing-no-gossip
branch
from
b80370d to
03e9309
Compare
| trampoline node, and adds a trampoline node in her own neighborhood at the | ||
| beginning of the trampoline route. She includes the invoice's encrypted data | ||
| for each node in their respective trampoline payload: this is very similarly | ||
| to paying a blinded path without trampoline. |
There was a problem hiding this comment.
Just a point of double-checking following a discussion with @joostjager: blinded paths to a non-Trampoline node are meant to be the only mechanism to use Trampoline for payments to a legacy node, and the spec no longer supports legacy payment recipients without blinded paths?
There was a problem hiding this comment.
Yes, because there is no good solution that doesn't sacrifice the payment privacy when paying Bolt 11 invoices that don't support trampoline, so I don't want to introduce it to the BOLTs. As discussed during the last spec meeting, I will document how this can be done in a bLIP however, which can be used while transitioning to trampoline and/or blinded paths.
| | +---------------------------+ | | HTLC(1480 msat, 600065 cltv) | total_amount: 2500 msat | | | ||
| | | EOF | | | +-----------------------+ | trampoline_onion: | | | ||
| | +---------------------------+ | | | amount_fwd: 1400 msat | | +-------------------------+ | | | ||
| | HTLC(500 msat, 600112 cltv) | | | expiry: 600000 | | | amount_fwd: 2500 msat | | | |
There was a problem hiding this comment.
You set amount_fwd == total_amount in the final trampoline onions for the receiver in this mpp ascii drawing. Is there any specific reason to do this?
I cannot find details about this in the conditions for final nodes in
Lines 547 to 553 in 9938ab3
Is it fine to set the final trampoline_onions
amount_fwd to the outer onions amount_fwd as well?
There was a problem hiding this comment.
Is it fine to set the final trampoline_onions amount_fwd to the outer onions amount_fwd as well?
That would be fine whenever you use a single trampoline route, but that wouldn't work if you want to split a payment across multiple trampoline routes: that's where the trampoline onion's total_msat field is necessary.
For example, if you want to send 250 000 sats that you split into two trampoline routes:
- sender -> T1 -> T2 -> recipient where you send 100 000 sats
- sender -> T3 -> T4 -> recipient where you send 150 000 sats
The trampoline onion's total_msat would be 250 000 sats in both routes, whereas the outer onions will only believe they carry a 100 000 sats payment for the first route and a 150 000 sats payment for the second route.
Does that make sense?
I cannot find details about this in the conditions for final nodes in
I haven't duplicated every requirement because for most of the logic, the trampoline onion must be validated very similarly to the outer onion. I was hoping this case would be captured by:
- MUST process the `trampoline_onion_packet` as an `onion_packet`.
- MUST fail the HTLC if dictated by the requirements under [Failure Messages](#failure-messages).
But if you think it's worth explicitly detailing this requirement, I can add that!
There was a problem hiding this comment.
Consider e.g. this paragraph:
Lines 373 to 377 in 9938ab3
What we mean by HTLC there becomes really fuzzy with this recursion.
When looking at the amt_to_forward inside the trampoline onion, first the final recipient needs to aggregate all the outer_onion level htlcs that have a matching payment_hash+outer_payment_secret. The htlc-value-sum of this set, should match the inner amt_to_forward.
Then a second-level of aggregation can be done: the sum of the inner amt_to_forwards matches the inner total_amount.
I guess the outer total_amount matching the inner amt_to_forward is invariant.
@t-bast's ascii drawings are magnificent, but we need to go even larger :D
HTLC(1500 msat, 600112 cltv)
+---------------------------+
| amount_fwd: 1500 msat |
| expiry: 600112 |
HTLC(1560 msat, 600124 cltv) | payment_secret: aaaaa |
+-----------------------+ | total_amount: 2800 msat |
| amount_fwd: 1500 msat | | trampoline_onion: | HTLC1(1100 msat, 600000 cltv)
| expiry: 600112 | | +-----------------------+ | +-----------------------------+
+--> | channel_id: 3 | ---> I1 ---> | | amount_fwd: 2500 msat | | --+ | amount_fwd: 1100 msat |
| |-----------------------| | | expiry: 600000 | | | | expiry: 600000 |
| | (encrypted) | | | node_id: Bob | | | | payment_secret: xxxxx |
| +-----------------------+ | +-----------------------+ | | HTLC(1150 msat, 600080 cltv) | total_amount: 2500 msat |
| | | (encrypted) | | | +-----------------------+ | trampoline_onion: |
| | +-----------------------+ | | | amount_fwd: 1100 msat | | +-------------------------+ |
| +---------------------------+ | | expiry: 600000 | | | amount_fwd: 2500 msat | |
| | EOF | | +--> | channel_id: 561 | ---> I4 ---> | | expiry: 600000 | | --+
| +---------------------------+ | | |-----------------------| | | total_amount: 5200 msat | | |
| HTLC(800 msat, 600112 cltv) | | | (encrypted) | | | payment_secret: yyyyy | | |
| +---------------------------+ | | +-----------------------+ | +-------------------------+ | |
| | amount_fwd: 800 msat | | | | | EOF | | |
| | expiry: 600112 | | | | +-------------------------+ | |
| HTLC(820 msat, 600130 cltv) | payment_secret: aaaaa | | | +-----------------------------+ |
| +-----------------------+ | total_amount: 2800 msat | | | | EOF | |
| | amount_fwd: 800 msat | | trampoline_onion: | | | +-----------------------------+ |
| | expiry: 600112 | | +-----------------------+ | | | |
+-------+--> | channel_id: 5 | ---> I2 ---> | | amount_fwd: 2500 msat | | --+----> T1 ------+ +----+
| | |-----------------------| | | expiry: 600000 | | | (fee 170 msat) | HTLC2(1400 msat, 600000 cltv) | |
| | | (encrypted) | | | node_id: Bob | | | (delta 32) | +-----------------------------+ | |
| | +-----------------------+ | +-----------------------+ | | | | amount_fwd: 1400 msat | | |
| | | | (encrypted) | | | | | expiry: 600000 | | |
| | | +-----------------------+ | | | | payment_secret: xxxxx | | |
| | +---------------------------+ | | HTLC(1480 msat, 600065 cltv) | total_amount: 2500 msat | | |
| | | EOF | | | +-----------------------+ | trampoline_onion: | | |
| | +---------------------------+ | | | amount_fwd: 1400 msat | | +-------------------------+ | | |
| | HTLC(500 msat, 600112 cltv) | | | expiry: 600000 | | | amount_fwd: 2500 msat | | | |
| | +---------------------------+ | +--> | channel_id: 1105 | ---> I5 ---> | | expiry: 600000 | | --+ |
| | | amount_fwd: 500 msat | | |-----------------------| | | total_amount: 5200 msat | | |
| | | expiry: 600112 | | | (encrypted) | | | payment_secret: yyyyy | | |
| | HTLC(510 msat, 600120 cltv) | payment_secret: aaaaa | | +-----------------------+ | +-------------------------+ | |
| | +-----------------------+ | total_amount: 2800 msat | | | | EOF | | |
| | | amount_fwd: 500 msat | | trampoline_onion: | | | +-------------------------+ | |
| | | expiry: 600112 | | +-----------------------+ | | +-----------------------------+ |
| +--> | channel_id: 7 | ---> I3 ---> | | amount_fwd: 2500 msat | | --+ | EOF | |
| |-----------------------| | | expiry: 600000 | | +-----------------------------+ |
| | (encrypted) | | | node_id: Bob | | |
| +-----------------------+ | +-----------------------+ | |
| | | (encrypted) | | |
| | +-----------------------+ | |
| +---------------------------+ |
| | EOF | |
| +---------------------------+ |
| |
Alice --+ +--> Bob
| |
| |
| HTLC(1500 msat, 600112 cltv) |
| +---------------------------+ |
| | amount_fwd: 1500 msat | |
| | expiry: 600112 | |
| HTLC(1560 msat, 600124 cltv) | payment_secret: bbbbb | |
| +-----------------------+ | total_amount: 3000 msat | |
| | amount_fwd: 1500 msat | | trampoline_onion: | HTLC3(1200 msat, 600000 cltv) |
| | expiry: 600112 | | +-----------------------+ | +-----------------------------+ |
| +--> | channel_id: 4 | ---> J1 ---> | | amount_fwd: 2700 msat | | --+ | amount_fwd: 1200 msat | |
| | |-----------------------| | | expiry: 600000 | | | | expiry: 600000 | |
| | | (encrypted) | | | node_id: Bob | | | | payment_secret: zzzzz | |
| | +-----------------------+ | +-----------------------+ | | HTLC(1250 msat, 600080 cltv) | total_amount: 2700 msat | |
| | | | (encrypted) | | | +-----------------------+ | trampoline_onion: | |
| | | +-----------------------+ | | | amount_fwd: 1200 msat | | +-------------------------+ | |
| | +---------------------------+ | | expiry: 600000 | | | amount_fwd: 2700 msat | | |
| | | EOF | | +--> | channel_id: 563 | ---> J4 ---> | | expiry: 600000 | | --+ |
| | +---------------------------+ | | |-----------------------| | | total_amount: 5200 msat | | | |
| | HTLC(900 msat, 600112 cltv) | | | (encrypted) | | | payment_secret: yyyyy | | | |
| | +---------------------------+ | | +-----------------------+ | +-------------------------+ | | |
| | | amount_fwd: 900 msat | | | | | EOF | | | |
| | | expiry: 600112 | | | | +-------------------------+ | | |
| | HTLC(920 msat, 600130 cltv) | payment_secret: bbbbb | | | +-----------------------------+ | |
| | +-----------------------+ | total_amount: 3000 msat | | | | EOF | | |
| | | amount_fwd: 900 msat | | trampoline_onion: | | | +-----------------------------+ | |
| | | expiry: 600112 | | +-----------------------+ | | | | |
+-------+--> | channel_id: 6 | ---> J2 ---> | | amount_fwd: 2700 msat | | --+----> T2 ------+ +----+
| |-----------------------| | | expiry: 600000 | | | (fee 170 msat) | HTLC4(1500 msat, 600000 cltv) |
| | (encrypted) | | | node_id: Bob | | | (delta 32) | +-----------------------------+ |
| +-----------------------+ | +-----------------------+ | | | | amount_fwd: 1500 msat | |
| | | (encrypted) | | | | | expiry: 600000 | |
| | +-----------------------+ | | | | payment_secret: zzzzz | |
| +---------------------------+ | | HTLC(1580 msat, 600065 cltv) | total_amount: 2700 msat | |
| | EOF | | | +-----------------------+ | trampoline_onion: | |
| +---------------------------+ | | | amount_fwd: 1500 msat | | +-------------------------+ | |
| HTLC(600 msat, 600112 cltv) | | | expiry: 600000 | | | amount_fwd: 2700 msat | | |
| +---------------------------+ | +--> | channel_id: 1108 | ---> J5 ---> | | expiry: 600000 | | --+
| | amount_fwd: 600 msat | | |-----------------------| | | total_amount: 5200 msat | |
| | expiry: 600112 | | | (encrypted) | | | payment_secret: yyyyy | |
| HTLC(610 msat, 600120 cltv) | payment_secret: bbbbb | | +-----------------------+ | +-------------------------+ |
| +-----------------------+ | total_amount: 3000 msat | | | | EOF | |
| | amount_fwd: 600 msat | | trampoline_onion: | | | +-------------------------+ |
| | expiry: 600112 | | +-----------------------+ | | +-----------------------------+
+--> | channel_id: 8 | ---> J3 ---> | | amount_fwd: 2700 msat | | --+ | EOF |
|-----------------------| | | expiry: 600000 | | +-----------------------------+
| (encrypted) | | | node_id: Bob | |
+-----------------------+ | +-----------------------+ |
| | (encrypted) | |
| +-----------------------+ |
+---------------------------+
| EOF |
+---------------------------+
This proposal allows nodes running on constrained devices to sync only a small portion of the network and leverage trampoline nodes to calculate the missing parts of the payment route while providing the same privacy as fully source-routed payments.
The main idea is to use layered onions: a normal onion contains a smaller onion for the last hop of the route, and that smaller onion contains routing information about the next trampoline hop.
This PR provides a high-level view of trampoline routing, where concepts and designs are presented in a more user-friendly format than formal spec work. This document lets reviewers see the big picture and how all the pieces work together. It also contains pretty detailed examples that should give reviewers some intuition about the subtle low-level details.
Then reviewers can move on to #836 which contains the usual spec format for the onion construction: this is where we'll work on the nitty-gritty details.
This PR supercedes #654 based on what we learnt after 1 year running trampoline in production in Phoenix and many discussions with @ecdsa while Electrum worked on their own trampoline implementation. The important changes are:
cltv_expiry_deltathat must be used for the last trampoline hopcltv_expiry_delta: since senders need at most two trampoline hops to protect their privacy (and in some cases, only one trampoline hop), this retry-on-failure approach doesn't add too much latency in practice