Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Optimistic Sync #2770

Merged
merged 77 commits into from
Jan 25, 2022
Merged

Optimistic Sync #2770

Show file tree
Hide file tree
Changes from 62 commits
Commits
Show all changes
77 commits
Select commit Hold shift + click to select a range
c99e48c
Add first efforts
paulhauner Dec 5, 2021
38fffd3
Tidy, finish duties
paulhauner Dec 13, 2021
8918823
Start adding p2p components
paulhauner Dec 13, 2021
7f5b7d1
Remove attesting during opt sync
paulhauner Dec 13, 2021
1a89d16
Remove recent valid ancestor
paulhauner Dec 13, 2021
5a5f980
Add RPC responses
paulhauner Dec 13, 2021
2c62ed3
Flip bool
paulhauner Dec 14, 2021
497b5f8
Add EE assumptions
paulhauner Dec 14, 2021
0ad6025
Remove valid roots set
paulhauner Dec 14, 2021
3b67c33
Add note about removal from optimistic_roots
paulhauner Dec 14, 2021
fb520a8
Condense gossip topics
paulhauner Dec 14, 2021
d1851dc
Tidy tab formatting
paulhauner Dec 14, 2021
4c4ffe7
Fix latest_valid_ancestor
paulhauner Dec 14, 2021
3f6e5b9
Add checkpoint sync
paulhauner Dec 14, 2021
ffc2c40
Add section about API
paulhauner Dec 14, 2021
9d7d4d0
Remove validate_merge_block check
paulhauner Dec 14, 2021
4f1d815
Add note about full verification
paulhauner Dec 14, 2021
eb32e14
Fix typo
paulhauner Dec 14, 2021
0842554
Add section about re-orgs
paulhauner Dec 14, 2021
d9a0d16
Tidy
paulhauner Dec 14, 2021
538cc81
Flip bool
paulhauner Dec 14, 2021
5c1fcaf
Add qualification for errors
paulhauner Dec 19, 2021
2aa4edf
Move helpers
paulhauner Dec 19, 2021
e49685e
Add section for enabling opt sync
paulhauner Dec 19, 2021
ffba24f
Add failure recovery
paulhauner Dec 19, 2021
26e934b
Remove merge transition section
paulhauner Dec 19, 2021
da6cad8
Tidy
paulhauner Dec 19, 2021
9901cb3
Move optimsitic_roots definition
paulhauner Dec 19, 2021
26431b7
Tidy
paulhauner Dec 20, 2021
a797ae4
Add qualification about fc store
paulhauner Dec 20, 2021
b287f65
Allow RPC blocks
paulhauner Dec 20, 2021
91cad9b
Improve gossip wording
paulhauner Dec 20, 2021
aa9a296
Clarify API head condition
paulhauner Dec 20, 2021
7837dc7
Tidy, add validator endpoints
paulhauner Dec 20, 2021
451ae29
Specify no invalid parents
paulhauner Dec 20, 2021
9421bf3
Tidy
paulhauner Dec 20, 2021
ff50bfe
Remove block production exception
paulhauner Dec 20, 2021
e696d11
Update gossip conditions
paulhauner Dec 20, 2021
941531c
Update sync/optimistic.md
paulhauner Dec 21, 2021
12293c9
Bump safe slots
paulhauner Dec 21, 2021
50f526e
Fix typo
paulhauner Dec 21, 2021
9e619f8
Apply suggestions from code review
paulhauner Jan 11, 2022
6eba269
Update sync/optimistic.md
paulhauner Jan 11, 2022
6c13e2e
Expand `should_optimistically_import_block`
paulhauner Jan 12, 2022
2ce2aac
Address "yet to" paragraph
paulhauner Jan 12, 2022
736f3ce
Remove `justified_block`
paulhauner Jan 12, 2022
55d92ce
Fix typo
paulhauner Jan 12, 2022
1228e01
Update p2p-networking
paulhauner Jan 12, 2022
e97335a
Merge branch 'dev' into opt-sync-2
paulhauner Jan 12, 2022
60eab25
Add section about merge block
paulhauner Jan 12, 2022
0ae80d9
Fix typo
paulhauner Jan 12, 2022
de1a6ca
Add comment about INVALID block
paulhauner Jan 12, 2022
ad7e924
Update links to bellatrix
paulhauner Jan 12, 2022
90fb7f6
Add rationale
paulhauner Jan 12, 2022
6d73b0a
Add poisoning prevention
paulhauner Jan 12, 2022
0c2e416
Run doctoc
paulhauner Jan 12, 2022
6d72038
Fix spelling mistakes
paulhauner Jan 12, 2022
18c32e0
Fix indents
paulhauner Jan 12, 2022
6af3d4c
Fix comment indents
paulhauner Jan 12, 2022
b7c332f
Tidy
paulhauner Jan 12, 2022
8522f27
Modify "when" section
paulhauner Jan 12, 2022
856eea4
Describe all fields in store
paulhauner Jan 12, 2022
15ef2f3
Apply suggestions from @djrtwo review
paulhauner Jan 17, 2022
b1ec9bc
Update gossip conditions
paulhauner Jan 18, 2022
6225236
Specify about EL/CL scoring rules
paulhauner Jan 18, 2022
092f3e0
Propose -> Propagate
paulhauner Jan 18, 2022
52caba6
Add section about backwards compat
paulhauner Jan 18, 2022
b50bee1
Rename Store -> OptimisticStore
paulhauner Jan 18, 2022
4ccd38b
Tidy tracking note
paulhauner Jan 18, 2022
f4a125c
Remove reorg section
paulhauner Jan 18, 2022
0ec61bd
Clarify liveness
paulhauner Jan 18, 2022
bfe4172
Define `current_slot`
paulhauner Jan 18, 2022
24947be
Rename should_optimistically_import...
paulhauner Jan 18, 2022
be4319a
Rename `justified_is_verified`
paulhauner Jan 18, 2022
50b236e
Address TERMINAL_BLOCK_HASH
paulhauner Jan 18, 2022
a5b3c91
build opimistic sync file and fix a minor lint/typing issue
djrtwo Jan 20, 2022
b50bea8
Merge pull request #2 from ethereum/build-opt-sync
paulhauner Jan 20, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
41 changes: 41 additions & 0 deletions specs/bellatrix/p2p-interface.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@ Readers should understand the Phase 0 and Altair documents and use them as a bas
- [Why was the max gossip message size increased at Bellatrix?](#why-was-the-max-gossip-message-size-increased-at-bellatrix)
- [Req/Resp](#reqresp)
- [Why was the max chunk response size increased at Bellatrix?](#why-was-the-max-chunk-response-size-increased-at-bellatrix)
- [Why allow invalid payloads on the P2P network?](#why-allow-invalid-payloads-on-the-p2p-network)

<!-- END doctoc generated TOC please keep comment here to allow auto update -->
<!-- /TOC -->
Expand Down Expand Up @@ -85,13 +86,24 @@ The *type* of the payload of this topic changes to the (modified) `SignedBeaconB
Specifically, this type changes with the addition of `execution_payload` to the inner `BeaconBlockBody`.
See Bellatrix [state transition document](./beacon-chain.md#beaconblockbody) for further details.

Blocks with execution enabled will be permitted to propagate regardless of the
validity of the execution payload. This prevents network segregation between
[optimistic](/sync/optimistic.md) and non-optimistic nodes.

In addition to the gossip validations for this topic from prior specifications,
the following validations MUST pass before forwarding the `signed_beacon_block` on the network.
Alias `block = signed_beacon_block.message`, `execution_payload = block.body.execution_payload`.
- If the execution is enabled for the block -- i.e. `is_execution_enabled(state, block.body)`
then validate the following:
- _[REJECT]_ The block's execution payload timestamp is correct with respect to the slot
-- i.e. `execution_payload.timestamp == compute_timestamp_at_slot(state, block.slot)`.
- [REJECT] The block's parent (defined by `block.parent_root`) passes all
validation, excluding verification of the `block.body.execution_payload`.
- [IGNORE] The block's parent (defined by `block.parent_root`) passes all
validation, including verification of the `block.body.execution_payload`.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would it be reasonable to phrase this as:

Suggested change
- [IGNORE] The block's parent (defined by `block.parent_root`) passes all
validation, including verification of the `block.body.execution_payload`.
- [IGNORE] The block's parent (defined by `block.parent_root`) passes
verification of the `block.body.execution_payload`.

Given the reject rule above we already know that all verification except for the execution_payload passes so are just choosing between ignore and accept based on whether the execution payload is valid or not.

Although both versions still feel ambiguous about whether the result is ACCEPT or IGNORE in the case of the parent execution payload not yet being executed because the EL is syncing. I think it should be ACCEPT because the whole point is that an optimistic node can't validate the payload but also needs to avoid censoring blocks just because it can't validate the parent.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These two conditions are a bit tough to parse in the way they are phrased in the positive.

Agreed that ACCEPT vs IGNORE is particularly hard to parse here.

Maybe:

    - If `exection_payload` verification of block's parent is *not* complete:
        - [REJECT] The block's parent (defined by `block.parent_root`) passes all
          validation (excluding verification of the `block.body.execution_payload`).
    - otherwise:
        - [IGNORE] The block's parent (defined by `block.parent_root`) passes all 
          validation (including verification of the `block.body.execution_payload`).

I know it says the same thing, but I think the outer if/else might help parsing them

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I struggled to figure out the wording for this. The language for these propagation conditions is tricky!

I've applied @djrtwo's suggestion in b1ec9bc.

I was tempted to go off piste and use a different specification language for these conditions, since it would have been easier to parse (IMO). However, that breaks standard and might get a bit unruly if we have another spec that needs to override some of these rules.

I'm still open to suggestion here 😅

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah, I think I likely made a bad decision quite a while ago on the choice of if not positive_condition: REJECT/IGNORE. Might have been saner as if negative_condition: REJECT/IGNORE...


The following gossip validation from prior specifications MUST NOT be applied if the execution is enabled for the block -- i.e. `is_execution_enabled(state, block.body)`:
- [REJECT] The block's parent (defined by `block.parent_root`) passes validation.

### Transitioning the gossip

Expand All @@ -100,6 +112,12 @@ details on how to handle transitioning gossip topics for Bellatrix.

## The Req/Resp domain

Non-faulty, [optimistic](/sync/optimistic.md) nodes may send blocks which
result in an INVALID response from an execution engine. To prevent network
segregation between optimistic and non-optimistic nodes, transmission of an
INVALID payload via the Req/Resp domain SHOULD NOT cause a node to be
djrtwo marked this conversation as resolved.
Show resolved Hide resolved
down-scored or disconnected.

### Messages

#### BeaconBlocksByRange v2
Expand Down Expand Up @@ -181,3 +199,26 @@ valid block sizes in the range of gas limits expected in the medium term.

As with both gossip and req/rsp maximum values, type-specific limits should
always by simultaneously respected.

### Why allow invalid payloads on the P2P network?

The specification allows blocks with invalid payloads to propagate across
paulhauner marked this conversation as resolved.
Show resolved Hide resolved
gossip and via RPC calls. The reasoning for this is as follows:

1. Optimistic nodes must listen to block gossip to obtain a view of the head of
the chain.
2. Therefore, optimistic nodes must propagate gossip blocks. Otherwise, they'd
be censoring.
3. If optimistic nodes will propose blocks via gossip, then they must respond
djrtwo marked this conversation as resolved.
Show resolved Hide resolved
to requests for the parent via RPC.
4. Therefore, optimistic nodes must send optimistic blocks via RPC.

So, to prevent network segregation from optimistic nodes accidentally sending
paulhauner marked this conversation as resolved.
Show resolved Hide resolved
invalid payloads, nodes should never downscore/disconnect nodes due to invalid
paulhauner marked this conversation as resolved.
Show resolved Hide resolved
payloads. This does open the network to some DoS attacks from invalid execution
payloads, but the scope of actors is limited to validators who can put those
payloads in valid (and slashable) beacon blocks. Therefore, it is argued that
the DoS risk introduced in tolerable.

More complicated schemes are possible that could restrict invalid payloads from
RPC. However, it's not clear that complexity is warranted.
Loading