Antoine Riard [ARCHIVE] on Nostr: 📅 Original date posted:2022-12-06 📝 Original message: Hi Joost, > The economic ...
📅 Original date posted:2022-12-06
📝 Original message:
Hi Joost,
> The economic proportionality is that an attacker can't do much with a
> severely limited channel, and would need many more to achieve the same
> effect. I don't think it is possible to eliminate all bad behavior, and
> that the goal should just be to make it a lot harder than it currently is.
> Not sure how force-closes come into play. I don't think there needs to be
> any force-close?
I think I share the assumption that you're restraining the ability of a
jamming attacker by applying congestion control, though it sounds only a
hindrance and there might still be an asymmetry between the on-chain
opening channel cost encumbered by the attacker and the gain from hijacking
HTLC traffic. Force-close would be a means to increase the cost for the
attacker by slashing the channel source of jamming.
Though, I think in the design of jammign solution, there is a conceptual
step to define first what we aim to achieve by making a routing hop
"jamming safe", either putting a cost so high on the attacker it's not
economically profitable (from my understanding the direction of
circuitbreaker, or old stake certificates) or guaranteeing routing fees
incomes to the routing hop, whatever the outcome of the HTLC traffic (more
the direction of unconditional fees or reputational credentials).
Best,
Antoine
Le sam. 3 déc. 2022 à 02:50, Joost Jager <joost.jager at gmail.com> a écrit :
> Hi Antoine,
>
> If I understand correctly circuitbreaker, it adds new "dynamic" HTLC slot
>> limits, in opposition to the "static" ones declared to your counterparty
>> during channel opening (within the protocol-limit of 483). On top, you can
>> rate-limit the HTLCs forwards based on the incoming source.
>>
>
> Correct.
>
>
>> Effectively, this scheme would penalize your own routing hop as HTLC
>> senders routing algorithms would likely cause the hop, in the lack of a new
>> gossip message advertising the limits/rates. Further, it sounds for the
>> measure to be robust, a circuitbreaking policy should be applied
>> recursively by your counterparty on their network topologies. Otherwise,
>> you're opening I think you'll have the non-constrained links being targeted
>> as entry points in the rate-limited, "jamming-safe" subset of the graph.
>>
>
> Indeed, the more nodes run it, the harder it becomes for attackers to
> attack. You'd only penalize your own routing node if you send back
> failures. If you hold the htlc, there is no penalty with the network as it
> is currently.
>
>
>> The limits could be based on HTLC values, e.g the Xth slots for HTLCs of
>> value <1k sats, the Yth slots for HTLC of value <100k sats, the remaining
>> Zth slots for HTLC of value <200k sats. IIRC, this jamming countermeasure
>> has been implemented by Eclair [0] and discussed more in detail here [1].
>> While it increases the liquidity cost for an attacker to launch jamming
>> attacks against the high-value slots, it comes at the major downside of
>> lowering the cost for jamming low-value slots. Betting on an increasing
>> bitcoin price, all other things equals, we'll make simple payments from
>> lambda users more and more vulnerable.
>>
>
> It is true that the limits make it easier to jam a channel, but the theory
> is that everyone does it, the attacker won't have much reach anymore.
>
>
>> Beyond that, I think this solution would classify in the reputation-based
>> family of solutions, where reputation is local and enforced through
>> rate-limiting (from my understanding), I would say there is no economic
>> proportionality enforced between the rate-limiting and the cost for an
>> attacker. A jamming attacker could open new channels during period of
>> low-fees in the edges of the graph, and still launch attacks against
>> distant hops by splitting the jamming traffic between many sources,
>> therefore avoiding force-closures (e.g 230 HTLCs from channel Mallory, 253
>> HTLCs from channel Malicia). Even force-closure in case of observed jamming
>> isn't that evident, as the economic traffic could still be opportunistic
>> locally but only a jam on a distant hop. So I think the economic
>> equilibrium and risk structure of this scheme is still uncertain.
>>
>
> The economic proportionality is that an attacker can't do much with a
> severely limited channel, and would need many more to achieve the same
> effect. I don't think it is possible to eliminate all bad behavior, and
> that the goal should just be to make it a lot harder than it currently is.
> Not sure how force-closes come into play. I don't think there needs to be
> any force-close? I just mentioned them in my original post because they can
> happen for independent reasons (bug, node offline), and then the size of
> the commitment tx and number of pending htlcs translates to a real cost.
>
>
>> However, I think the mode of queuing HTLCs is still valuable itself,
>> independently of jamming, either a) to increase routed privacy of HTLC (e.g
>> "delay my HTLC" option [2]), maybe with double opt-in of both senders/hops
>> or b) as a congestion control mechanism where you have >100% of honest
>> incoming HTLC traffic and you would like to earn routing fees on all of
>> them, in the limit of what the outgoing CLTV allow you. An advanced idea
>> could be based on statistics collection, sending back-pressure messages or
>> HTLC sending scheduling information to the upstream hops. Let's say in the
>> future we have more periodic payments, those ones could be scheduled in
>> periods of low-congestions.
>>
>> So I wonder if we don't have two (or even more) problems when we think
>> about jamming, the first one, the HTLC forward "counterparty risk" (the
>> real jamming) and the other one, congestion and scheduling of efficient
>> HTLC traffic, with some interdependencies between them of course.
>>
>
> Yes, so the main idea that I tried to present is that applying congestion
> control by holding htlcs may wake up everyone along the path back to the
> attacker and move them to apply congestion control too.
>
>
>> On experimenting with circuitbreaker, I don't know which HTLC
>> intercepting interface it does expect, we still have a rudimentary one on
>> the LDK-side only supporting JIT channels use-case.
>>
>
> It connects to lnd's htlc interceptor and htlc events interfaces.
>
> Joost
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20221205/1fa4f5eb/attachment.html>;
📝 Original message:
Hi Joost,
> The economic proportionality is that an attacker can't do much with a
> severely limited channel, and would need many more to achieve the same
> effect. I don't think it is possible to eliminate all bad behavior, and
> that the goal should just be to make it a lot harder than it currently is.
> Not sure how force-closes come into play. I don't think there needs to be
> any force-close?
I think I share the assumption that you're restraining the ability of a
jamming attacker by applying congestion control, though it sounds only a
hindrance and there might still be an asymmetry between the on-chain
opening channel cost encumbered by the attacker and the gain from hijacking
HTLC traffic. Force-close would be a means to increase the cost for the
attacker by slashing the channel source of jamming.
Though, I think in the design of jammign solution, there is a conceptual
step to define first what we aim to achieve by making a routing hop
"jamming safe", either putting a cost so high on the attacker it's not
economically profitable (from my understanding the direction of
circuitbreaker, or old stake certificates) or guaranteeing routing fees
incomes to the routing hop, whatever the outcome of the HTLC traffic (more
the direction of unconditional fees or reputational credentials).
Best,
Antoine
Le sam. 3 déc. 2022 à 02:50, Joost Jager <joost.jager at gmail.com> a écrit :
> Hi Antoine,
>
> If I understand correctly circuitbreaker, it adds new "dynamic" HTLC slot
>> limits, in opposition to the "static" ones declared to your counterparty
>> during channel opening (within the protocol-limit of 483). On top, you can
>> rate-limit the HTLCs forwards based on the incoming source.
>>
>
> Correct.
>
>
>> Effectively, this scheme would penalize your own routing hop as HTLC
>> senders routing algorithms would likely cause the hop, in the lack of a new
>> gossip message advertising the limits/rates. Further, it sounds for the
>> measure to be robust, a circuitbreaking policy should be applied
>> recursively by your counterparty on their network topologies. Otherwise,
>> you're opening I think you'll have the non-constrained links being targeted
>> as entry points in the rate-limited, "jamming-safe" subset of the graph.
>>
>
> Indeed, the more nodes run it, the harder it becomes for attackers to
> attack. You'd only penalize your own routing node if you send back
> failures. If you hold the htlc, there is no penalty with the network as it
> is currently.
>
>
>> The limits could be based on HTLC values, e.g the Xth slots for HTLCs of
>> value <1k sats, the Yth slots for HTLC of value <100k sats, the remaining
>> Zth slots for HTLC of value <200k sats. IIRC, this jamming countermeasure
>> has been implemented by Eclair [0] and discussed more in detail here [1].
>> While it increases the liquidity cost for an attacker to launch jamming
>> attacks against the high-value slots, it comes at the major downside of
>> lowering the cost for jamming low-value slots. Betting on an increasing
>> bitcoin price, all other things equals, we'll make simple payments from
>> lambda users more and more vulnerable.
>>
>
> It is true that the limits make it easier to jam a channel, but the theory
> is that everyone does it, the attacker won't have much reach anymore.
>
>
>> Beyond that, I think this solution would classify in the reputation-based
>> family of solutions, where reputation is local and enforced through
>> rate-limiting (from my understanding), I would say there is no economic
>> proportionality enforced between the rate-limiting and the cost for an
>> attacker. A jamming attacker could open new channels during period of
>> low-fees in the edges of the graph, and still launch attacks against
>> distant hops by splitting the jamming traffic between many sources,
>> therefore avoiding force-closures (e.g 230 HTLCs from channel Mallory, 253
>> HTLCs from channel Malicia). Even force-closure in case of observed jamming
>> isn't that evident, as the economic traffic could still be opportunistic
>> locally but only a jam on a distant hop. So I think the economic
>> equilibrium and risk structure of this scheme is still uncertain.
>>
>
> The economic proportionality is that an attacker can't do much with a
> severely limited channel, and would need many more to achieve the same
> effect. I don't think it is possible to eliminate all bad behavior, and
> that the goal should just be to make it a lot harder than it currently is.
> Not sure how force-closes come into play. I don't think there needs to be
> any force-close? I just mentioned them in my original post because they can
> happen for independent reasons (bug, node offline), and then the size of
> the commitment tx and number of pending htlcs translates to a real cost.
>
>
>> However, I think the mode of queuing HTLCs is still valuable itself,
>> independently of jamming, either a) to increase routed privacy of HTLC (e.g
>> "delay my HTLC" option [2]), maybe with double opt-in of both senders/hops
>> or b) as a congestion control mechanism where you have >100% of honest
>> incoming HTLC traffic and you would like to earn routing fees on all of
>> them, in the limit of what the outgoing CLTV allow you. An advanced idea
>> could be based on statistics collection, sending back-pressure messages or
>> HTLC sending scheduling information to the upstream hops. Let's say in the
>> future we have more periodic payments, those ones could be scheduled in
>> periods of low-congestions.
>>
>> So I wonder if we don't have two (or even more) problems when we think
>> about jamming, the first one, the HTLC forward "counterparty risk" (the
>> real jamming) and the other one, congestion and scheduling of efficient
>> HTLC traffic, with some interdependencies between them of course.
>>
>
> Yes, so the main idea that I tried to present is that applying congestion
> control by holding htlcs may wake up everyone along the path back to the
> attacker and move them to apply congestion control too.
>
>
>> On experimenting with circuitbreaker, I don't know which HTLC
>> intercepting interface it does expect, we still have a rudimentary one on
>> the LDK-side only supporting JIT channels use-case.
>>
>
> It connects to lnd's htlc interceptor and htlc events interfaces.
>
> Joost
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20221205/1fa4f5eb/attachment.html>;