-
Notifications
You must be signed in to change notification settings - Fork 492
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Trampoline Routing (2021 edition) (Feature 56/57) #829
base: master
Are you sure you want to change the base?
Conversation
Hi @t-bast can you please link to |
https://github.com/lightningnetwork/lightning-rfc/blob/trampoline-routing-no-gossip/proposals/trampoline.md is the best way to read it (with github's markdown viewer). |
Regarding trampoline invoices: Do you suggest to create a new tagged field for |
@ecdsa the proposed spec has a new tagged field |
Yes, I think it's better to introduce a new one, tailored for trampoline. |
Very nice proposal, can't wait to see this in action. The onion A rationale that I couldn't find, but I think Acinq are using this for I just have the following points that I am still a bit unclear on:
|
This is true. However, attackers have no control on what channels will be used to relay with trampoline, so this would be a blind attack against the whole network rather than targetting specific nodes (which is still concerning).
I think we want to introduce a different, more flexible invoice routing hint. Let's explore the advantages and drawbacks of using the current routing hints (let me know if I'm missing important points there):
It's also important to note that to receive trampoline payments, the recipient still needs to upgrade his software to support trampoline onion decryption, so it's a good opportunity to implement a new routing hint format at the same time. The advantages and drawbacks of using new routing hints are:
To exemplify the argument that the design space for recipient privacy would be bigger, I've been toying with the idea of short-lived tor-like circuits between mobile wallet recipients and trampoline nodes.
Obviously if Bob uses a mobile wallet with private channels, Carol and Dave know that he is the final recipient when forwarding payments to him (frequent IP address changes, offline most of the time, etc). Of course, this idea is very hand-wavy for now and has a lot of holes (and maybe route blinding works better and achieves the same results), so please don't poke at it too much yet, you will find issues, but that's not the point. I'm mentioning it because it shows how more flexible routing hints can provide a wider design space for recipients, which is important IMO. |
The current proposal adds a single new failure message, The current Eclair implementation seems to return |
The previous proposal had a It is true that we may rely on trial-and-error and the
I think the proposal should clarify whether the values returned in the error message are relative to the current payment, or independent of the payment. (note that I have a slight preference for fixed values. If these values depend on the payment, clients might have to do more trial-and-error in order to discover them, which might result in more htlcs flying around) |
If it does that, it's a bug. It should only do that for small payments to phoenix wallets that don't have enough incoming liquidity (and thus need a new channel opened on-the-fly). For other cases it should return I think the errors returned should be the following:
Of course, trampoline nodes may also use other errors such as
I decided to remove that mechanism because it wasn't working well: it's impossible to correctly estimate fees for all possible payments. It will force clients to overpay too often, or will still need a trial-and-error when you try to minimize the overpayment. I'm now more in favour of the trial-and-error approach, where I think this approach is the most flexible one: we should leave some room for implementations to make different choices, to ensure we have a diverse network. |
In practice, wallets will be compelled to include both I guess the data in |
Yes, that's true. And the transition period during which both will be required will likely last months (hopefully not years though as non-trampoline wallets will have an incentive to migrate to the new routing hints, even if they don't want to support trampoline). I think these new routing hints will solve a few issues that the current routing hints have, so people would upgrade to use them regardless of trampoline, and once that's done the size overhead will be somewhat negligible.
They will be different for cases where current |
It seems to me like this proposal should be split into two: one that
This looks like a new requirement to me, since the last trampoline
We can totally do that as well, however I think upgrading the
Is this not orthogonal to the original trampoline proposal? I don't
Reusing an existing error code seems wrong to me Overall I think two smaller proposals with a single feature being |
Sounds good, I'll keep the current PR open and up-to-date for people who want
I don't see any satisfactory way of doing that... That's why I want to avoid having that scenario in the spec and prefer doing E2E If you find a satisfying way of achieving that I'm interested, but I don't think
That's a reasonable objection, I'll make a separate PR.
I mentioned this simply as an example to show that it allows a larger design
Sure, we can do that, it's more explicit that way. |
Like I said above, it would be useful to have distinct error numbers for In the first case, Trampoline A does not know about Trampoline B, and the sender should not ask TA to forward to TB again. In the second case, the sender will know that TA failed to forward a certain amount to TB, but it may be able to forward a different amount right now, or the same amount later. Perhaps even more granularity is desirable. If TA fails to find a path to TB, it might return the "capacity" it believes it can send to TB in the error message. |
I integrated all these requirements in the trampoline onion PR, let's discuss it there: #836. |
This proposal allows nodes running on constrained devices to sync only a small portion of the network and leverage trampoline nodes to calculate the missing parts of the payment route. The main idea is to use layered onions: a normal onion contains a smaller onion for the last hop of the route, and that smaller onion contains routing information to reach the next trampoline hop.
dbe2bcf
to
b80370d
Compare
| | | | blinded_paths: | payload | | | | | | ||
| | | | <blinded_path_from_I1> | for N1 | | | | | | ||
| | | | <blinded_path_from_I3> | | | | | | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@TheBlueMatt pointed out that just including the blinded paths for the trampoline hop this way currently won't work for sender-set custom TLVs or keysend preimages for async payments. Would be great to get your thoughts on this @t-bast!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good point! For this use-case, we'd need the recipient to support trampoline. This way we could include a trampoline onion for the recipient that would contain any sender-set data necessary. In this specific example, instead of having EOF
right below, the trampoline onion would contain another trampoline hop for the recipient, that must be included by the trampoline node. Does that make sense?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think so, but does that mean every hop in the blinded path would need to support trampoline + get its own trampoline_onion
nested packet?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, it's just like normal trampoline relay, intermediate nodes don't need to know anything about trampoline, only the final hop will receive a trampoline onion TLV in its onion payload.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So does this mean for async payments we'll need a new trampoline version that allows you to say "here's a small encrypted packet for the blinded path recipient but otherwise please build a new onion for the blinded path with the current block height as CLTV starting delta".
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As long as we can do multi-hop trampoline I think its fine. Indeed, we should probably assume the recipient supports trampoline (if they're doing async, they probably should), but AFAIU that would still require multi-hop trampoline? Even just that by itself is a big improvement - not showing the LSP the blinded path as it exists in the static invoice means at least the "mobile recipient with a 2-hop BP behind their LSP" case is better.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Alright, then we'll need to figure out a way to improve the amount of data we put in the trampoline onion to allow doing multi-hop trampoline to a blinded path. I will do some analysis of what data we must have in the onion and what data we can save: I'll try to get that done before the lightning summit.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IIRC another possibility we touched on was including trampoline hops within the blinded path. In my mind, this essentially meant that a forwarding trampoline+blinded node's TLVs would contain a next_node_id
rather than an scid (amongst other changes). @t-bast does this option still seem worth exploring too? Happy to help btw.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, that's basically the option I want to pursue:
- if the recipient does not support trampoline, then we include the blinded path in the trampoline onion for the last trampoline node: in that case we should be able to use multiple trampoline hops because there is no duplication of the blinded path data since after the last trampoline, this will be a "standard" blinded payment without a trampoline onion
- if the recipient does support trampoline, then we assume that the nodes inside its blinded path support trampoline too, and we put the blinded path's encrypted payloads inside the trampoline onion for each hop of the blinded path
This is hard to write in plain english, I'll work on diagrams to explain this better for the lightning summit ;)
I'll share it with you beforehand when it's ready for feedback!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've detailed how this would work with diagrams: https://github.com/t-bast/trampoline-blinded-paths/blob/master/Trampoline%20with%20blinded%20paths.pdf
We can discuss this further during the lightning summit: this is somewhat subtle in where we place the path_key
(update_add_htlc
vs outer onion vs trampoline onion) but I think it works nicely once you get used to it!
This proposal seems to fix all the issues we previously had: there is no duplication of the blinded path anymore, and you can use multiple trampoline hops in the case where you must disclose the blinded path to the last trampoline node. The (IMO acceptable) drawback is that the payment recipient can only use trampoline if all nodes in its blinded path support trampoline (which is fine for protocols like async payments).
This proposal allows nodes running on constrained devices to sync only a small portion of the network and leverage trampoline nodes to calculate the missing parts of the payment route while providing the same privacy as fully source-routed payments.
The main idea is to use layered onions: a normal onion contains a smaller onion for the last hop of the route, and that smaller onion contains routing information about the next trampoline hop.
This PR provides a high-level view of trampoline routing, where concepts and designs are presented in a more user-friendly format than formal spec work. This document lets reviewers see the big picture and how all the pieces work together. It also contains pretty detailed examples that should give reviewers some intuition about the subtle low-level details.
Then reviewers can move on to #836 which contains the usual spec format for the onion construction: this is where we'll work on the nitty-gritty details.
This PR supercedes #654 based on what we learnt after 1 year running trampoline in production in Phoenix and many discussions with @ecdsa while Electrum worked on their own trampoline implementation. The important changes are: