-
Notifications
You must be signed in to change notification settings - Fork 493
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
BOLT4: Specify max HTLC nLocktime for expiry_too_far #1086
BOLT4: Specify max HTLC nLocktime for expiry_too_far #1086
Conversation
Implementations should specify what parameters they currently use for this: @rustyrussell @TheBlueMatt @t-bast @Roasbeef |
Eclair has increased its default to 2016 recently (ACINQ/eclair#2677) to match LND and CLN. So now I believe all implementations use 2016 by default. |
This appears to be 2016 in LND |
LDK is also 2016. |
Spec meeting notes (#1098): should update 4032 to 2016. |
OK, propose 2016 and everyone is happy. |
04-onion-routing.md
Outdated
A common value between implementations allow forwarding nodes to increase their `cltv_expiry_delta` | ||
without reducing the payers ability to route along the network. | ||
|
||
This new common value `max_htlc_cltv` is suggested to be 4032 blocks. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks like we all do 2016 today, so let's stick with that as the recommendation?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep if we’re all doing 2016 today let’s stick to it. Good starting point then for a base value for routing hop gossips explicitly diverging from it.
This should become a one liner. Change:
to:
|
9036d7c
to
029028a
Compare
Updated at 9036d7c with the value of 2016 as it sounds common between all implementations. Rebased with onion changes.
If you have sophisticated deanonymization adversaries targeting your flow of payments, and you’re looking to increase the number of hops to break common heuristics and you’re ready to pay the routing fees premium, potentially combined with things like #1008. Note the
|
04-onion-routing.md
Outdated
@@ -1412,6 +1413,7 @@ The _origin node_: | |||
- MAY use the data specified in the various failure types for debugging | |||
purposes. | |||
|
|||
<<<<<<< HEAD |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: remove
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
corrected thanks
029028a
to
ecfcf07
Compare
Updated at ecfcf07. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ACK ecfcf07
@ariard spec feedback is that we should make this change a one-liner instead of defining a new section. |
I bind my reasoning exposed above.
Especially for the first one Apart keeping the spec succinct, what is the downside of more than one-line spec update ? Note if you look on TCP standards over the last decades they have been abstracting and naming magic constant over time. |
04-onion-routing.md
Outdated
@@ -1330,7 +1331,7 @@ A _forwarding node_ MAY, but a _final node_ MUST NOT: | |||
- report the `cltv_expiry` of the outgoing HTLC and the current channel setting for the outgoing | |||
channel. | |||
- return an `incorrect_cltv_expiry` error. | |||
- if the `cltv_expiry` is unreasonably near the present: | |||
- if the `cltv_expiry` is more than `max_htlc_cltv` near the present: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this should be modifying the line below?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done at bccab9a, thanks for the catch.
ecfcf07
to
bccab9a
Compare
Updated at bccab9a with introducing |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ACK bccab9a
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM 🦋
Currently BOLT#4 recommends to forwarding node to reject HTLC with
nLocktime
field to far in the future from chain tip height (type 21:expiry_too_far
). This recommendation is reasonable to avoid liquidity griefing where a HTLC would be send so far in the future (e.g 20 000 blocks from chain tip), than in case of on-chain force-closure of the link, the forwarding node cannot confirm the HTLC-timeout and therefore recover the satoshis locked.I think this recommendation is implemented by all the main Lightning implementations. For e.g, for LDK will reject HTLC more than 2016 block in the future (
CLTV_FAR_FAR_AWAY
). This comes with few downsides, a) a payer cannot build payment path with more than 14 hops requesting at least acltv_expiry_delta
of 144 blocks, such path while onerous in term of off-chain fees could be done for privacy purpose and b) the forwarding nodes are limited in the selection of their owncltv_expiry_delta
and as such the level of safety they wish for the HTLC forward (e.g in protection against time-dilation attacks).This proposal suggests to adopt a common value between all implementations, dubbed
max_htlc_cltv
. A default value of 4032 blocks (4 weeks) is proposed (though I didn’t check what is selected by LND/CLN/Eclair currently and if it makes sense to adapt in consequence). If adopted, suchmax_htlc_cltv
will improve the safety of routing nodes network-wide and allow more advanced rebalancing like #780.Beyond, a new option could be introduced
option_shrek
and a correspondingchannel_update
message bit where routing hops are announcing they accept “unsafe” packets beyond 4032 blocks. This level of flexibility can be used by use-cases like multi-hop submarine swaps.cc lightningdevkit/rust-lightning#2250