Return-Path: Received: from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133]) by lists.linuxfoundation.org (Postfix) with ESMTP id B3FFAC002D for ; Fri, 17 Jun 2022 20:08:53 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp2.osuosl.org (Postfix) with ESMTP id 87E7840117 for ; Fri, 17 Jun 2022 20:08:53 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 87E7840117 Authentication-Results: smtp2.osuosl.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20210112 header.b=DMOf/vjw X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: -2.098 X-Spam-Level: X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from smtp2.osuosl.org ([127.0.0.1]) by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D7p5kAalWrga for ; Fri, 17 Jun 2022 20:08:49 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.8.0 DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 1722A40012 Received: from mail-io1-xd31.google.com (mail-io1-xd31.google.com [IPv6:2607:f8b0:4864:20::d31]) by smtp2.osuosl.org (Postfix) with ESMTPS id 1722A40012 for ; Fri, 17 Jun 2022 20:08:48 +0000 (UTC) Received: by mail-io1-xd31.google.com with SMTP id r5so5589315iod.5 for ; Fri, 17 Jun 2022 13:08:48 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=F+A3Usvt+0b9Uww+xKyekJvcnhO88g6gP4BeosdGyn8=; b=DMOf/vjw1A++JxF+tcIsLSP4D12+LH4HNUGa8rBnPw37h59s0idzepINXjUcwfsMq1 GIc5DlBhOAOwJTfzEwxfZpmchCEppO7ch+eo1/UnrWOq0rbMxoDVaLnirXXOXlkvfSaa PcjTEO3fBod+Led+uTXUO/z0Pb+aFoEPGkme3PGE9HPV1KmzoQgwoqohRIZ677Rpltz3 nDgBhPfhlxXPRJiswDDeoVu/ogo5Xuy25sjP8C9n9mX+xqZjQDUvPRNFPE9Ly3wcLbiK nnD/x4iUpTdzGKqkwuuqAylA/G2+5O9sGnqy7l/p/pD8m3bzcp6QWn6ijTqCeRJKwRCA OBTw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=F+A3Usvt+0b9Uww+xKyekJvcnhO88g6gP4BeosdGyn8=; b=NNlzoOmVjIrJ4nLG/4bZbdtyurHOPA7R4swsQpNqzbbk00n06+DH6eqKa6bq4WU3GN wi4ciC7FaH7uSv6KFvvXD869cYeJTdlecRWE+HfPpscn1VlEX3XgjdD00Nsj/LFav0Tf ynvI8WyXybT5cM65aG3Dt7xEGix5E61IQ5fn9eD0Jy97AREWSwBrdh5ENbNFpO8KWo9p qrB1aGqE4FyqIVlk7uF0onP50ha9KaBHR4pZDwpR0l+ki091CBsPkDEHSAo94zKrBEU/ /stYPP/CODKQLv0NOVm7aol9Q+kmk3tj5/E2n73hvAd+X3pKT/1YD1qJRQUq+VRAcEmw agPQ== X-Gm-Message-State: AJIora92WSXoU5qXoWCLFaq4aRP0Vxh+ITSIPIap9v8GGib5Y3dk5Mg7 rbr1yngbD23J4Gdrbh+RpQ/ZenFHOGvP8vYaz7cVrRJ4ZbE= X-Google-Smtp-Source: AGRyM1tvbKiyvdSUQCHvBsefF/OLpqs7j9Q/HplvwO3XTGYywsNat3bLsijEioEg6VJ9NrvS6eneqndXxodNyC08ALc= X-Received: by 2002:a02:3448:0:b0:331:84bb:d66b with SMTP id z8-20020a023448000000b0033184bbd66bmr6500696jaz.292.1655496527853; Fri, 17 Jun 2022 13:08:47 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Antoine Riard Date: Fri, 17 Jun 2022 16:08:36 -0400 Message-ID: To: Gloria Zhao , Bitcoin Protocol Discussion Content-Type: multipart/alternative; boundary="000000000000783eb205e1aa52ce" X-Mailman-Approved-At: Fri, 17 Jun 2022 20:13:50 +0000 Subject: Re: [bitcoin-dev] Package Relay Proposal X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 17 Jun 2022 20:08:53 -0000 --000000000000783eb205e1aa52ce Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hi Gloria, Thanks for working on that, > Always overestimating fees may sidestep this issue temporarily (while mempool > traffic is low and predictable), but this solution is not foolproof > and wastes users' money. The feerate market can change due to sudden > spikes in traffic (e.g. huge 12sat/vB dump a few days ago [9]) or > sustained, high volume of Bitcoin payments (e.g. April 2021 and > December 2017). Even if the LN implementations started to overestimate fees based on the historical worst-case of block inclusion feerates, there is still room for exploitation due to bip125 rule#3. Indeed, as long as the adversary is able to stick in the mempool a higher fee package while the feerate is not compelling enough to get it mined, your "honest" LN package should be bounced off. Considering Core's `MAX_STANDARD_TX_WEIGHT` of 400000 WU, I think it's practical for an attacker to succeed with this pinning tactic in periods of traffic spikes. Of course, LN implementation could overestimate fees with a target like `MAX_STANDARD_WEIGHT` * `worst_case_block_inclusion_feerate` to mitigate. However, assuming a value of 20sat for the latter, it would require from any LN user a minimal channel value of 2000000 satoshis to be theoretically secure against this type of pinning. So package relay is required to mitigate efficiently and realistically against pinning attacks, while conserving the same level of "economic" openness for Lightning. Beyond, it should be also noted that package relay is only building block of the full set of mitigations, and there should be a yet to-find-consensus-as-of-today other policy change such as user-elected package limits or replace-by-feerate. Anyway, I think it would be beneficial to document the design trade-offs of pinning mitigations in the `Rationale` subsection, at the attention of future L2s devs and users ? > {| > | Field Name || Type || Size || Purpose > |- > |version || uint32_t || 4 || Denotes a package version supported by the > node. > |- > |max_count || uint32_t || 4 ||Specifies the maximum number of transaction= s > per package this node is > willing to accept. > |- > |max_weight || uint32_t || 4 ||Specifies the maximum total weight per > package this node is willing > to accept. > |- > |} It's unclear to me what's the purpose of `max_count` and `max_weight` in the overall package relay flow, if they are intended to be exposed as configurable settings to node operators. If those fields are present to allow DoS protection increase of low-performance host, I believe it would be better to restrain the number of consumed UTXOs or executed sigops per package, as DoS vectors are more likely to be CPU-based, rather than memory-based as package size already bounded at acceptance by `MAX_PACKAGE_COUNT`. Thinking more we might introduce a `MAX_SIGOPS_PER_PACKAGR` limit, as otherwise if we naively grant one package announcement as equal to one transaction announcement in our tx-request logic, we might increase our DoS surface, node ressources staying equivalent ? > {| > | Field Name || Type || Size || Purpose > |- > |txns_length||CompactSize||1 or 3 bytes|| The number of transactions > requested. I'm not sure if we'll ever allow 3-bytes of package size, that would be ~32k of transactions. > |- > |txns||List of wtxids||txns_length * 32|| The wtxids of each transaction in > the package. > |} I think there is a bandwidth consumption trade-off to be aware of in the function of the package-relay usage. Let's consider a single issuer broadcasting the package to spend a shared-utxo, after the first shot the parent component should be spread across the network mempools. At each fee-bump, only the bumped CPFP will propagate on the network, the parent wtxid is reannounced in `pckginfo1` though there is no need to fetch it redundantly and waste bandwidth. However, I think the bandwidth saving does not hold in case of competing transaction issuers to spend a shared-utxo. In that case, the parent might differ at each broadcast and the list of wtxid is dissemblable at every claim of the shared-utxo. We could save the 32 bytes * number of packages elements by announcing a package_id, computed from the list of wtxids. I don't know about the occurrence of competing broadcasts among LN non-cooperative closes, where bandwidth could be potentially saved. I would say it's likely low because IIRC there is nothing in the LN protocol where the counterparties signal to each other they're going on-chain to introduce a competing broadcast synchronizing event. That said, it might increase in the future in a post-eltoo, multi-party contracting protocol world. So it might be interesting to document this design trade-off, if we seek bandwidth optimizations in function of a changing landscape in the type of transaction issuers in the future. > 3. The sender provides package information using "pckginfo1", > including the blockhash of the sender's best block, the wtxids of > the transactions in the package, their total fees and total weight. It's unclear to me how the `pckinfo1` receiver should proceed if the sender's best block is not in sync with the local chain tip. If the package isn't processed further, that's annoying for all the low-performance LN mobile clients, their chain tips might be always behind by few blocks from the p2p network nodes. It sounds like their packages won't propagate at all. If the package is processed further whatever the sender-receiver sync on chain tip, what's the purpose of including the blockhash ? > A child-with-unconfirmed-parents package for a transaction should be > announced when it meets the peer's fee filter but one or more of its > parents don't; a "inv(MSG_PCKG1)" instead of "inv(WTX)" should be sent > for the child. Each of the parents which meet the peer's fee filter > should still be announced normally. I believe we might have concerns of package-feerate downgrades attacks. E.g, in the LN context, where your channel counterparty is aiming to jam the propagation of the best-feerate version of the package. Let's say you have : - Alice's commitment_tx, at 1s/vB - package A + child B, at 3s/vB - package A + child C, at 10s/vB - block inclusion feerate at 10s/vB - Alice and Mallory are LN channel counterparties - commitment_tx is using LN's anchor outputs Alice's LN node broadcasts A+C to her mempool. Bob's feefilter is at 3s/vB. Mallory broadcasts her child B in Alice's mempool. LN commitment does not meet Bob's feefilter. Package A+child B at 3s/vB meets Bob's feefilter and is announced to Bob. Mallory broadcasts her own commitment_tx at 4s/vB in Bob's mempool. When Alice's child C is relayed to Bob, it's bounced off Bob's mempool. Do you think this situation is plausible ? Of course, it might be heavily dependent on package-relay yet-not-implemented internal p2p logic. I think it could be fixable if LN removes the counterparty's `anchor_output` on the local node's version of the commitment transaction, once package relay is deployed. Another question, at the next fee-bump iteration, Alice rebroadcasts A+child D, at 12 s/vB. Her node has already marked Alice's commitment_tx as known in Bob's `m_tx_inventory_known_filter`. So when a new higher fee child is discovered, should a `child-with-unconfirmed-parents` be announced between Alice and Bob ? Anyway, I think it would be interesting to pseudo-specify the package-assemblage algorithm (or if there is code already available) to see if it's robust against adversarial or unlucky situations ? > In fact, a package > of transactions may be announced using both Erlay and package relay. > After reconciliation, if the initiator would have announced a > transaction by wtxid but also has package information for it, they may > send "inv(MSG_PCKG)" instead of "inv(WTX)". Yes, I think this holds. Note, we might have to add to the reconciliation set low-fee parents succeeding the feefilter check due to a child. When the reconcildiff, we might have to bifucarte again on feefilter to decide to announce missing wtixds either as `inv(MSG_PCKG)` or `inv(WTX)`. (IIRC, I've already made few feedbacks offline though good to get them in the public space and think more) Antoine Le mar. 17 mai 2022 =C3=A0 12:09, Gloria Zhao via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> a =C3=A9crit : > Hi everybody, > > I=E2=80=99m writing to propose a set of p2p protocol changes to enable pa= ckage > relay, soliciting feedback on the design and approach. Here is a link > to the most up-to-date proposal: > > https://github.com/bitcoin/bips/pull/1324 > > If you have concept or approach feedback, *please respond on the > mailing list* to allow everybody to view and participate in the > discussion. If you find a typo or inaccurate wording, please feel free > to leave suggestions on the PR. > > I=E2=80=99m also working on an implementation for Bitcoin Core. > > > The rest of this post will include the same contents as the proposal, > with a bit of reordering and additional context. If you are not 100% > up-to-date on package relay and find the proposal hard to follow, I > hope you find this format more informative and persuasive. > > > =3D=3DBackground and Motivation=3D=3D > > Users may create and broadcast transactions that depend upon, i.e. > spend outputs of, unconfirmed transactions. A =E2=80=9Cpackage=E2=80=9D i= s the > widely-used term for a group of transactions representable by a > connected Directed Acyclic Graph (where a directed edge exists between > a transaction that spends the output of another transaction). > > Incentive-compatible mempool and miner policies help create a fair, > fee-based market for block space. While miners maximize transaction > fees in order to earn higher block rewards, non-mining users > participating in transaction relay reap many benefits from employing > policies that result in a mempool with the same contents, including > faster compact block relay and more accurate fee estimation. > Additionally, users may take advantage of mempool and miner policy to > bump the priority of their transactions by attaching high-fee > descendants (Child Pays for Parent or CPFP). Only considering > transactions one at a time for submission to the mempool creates a > limitation in the node's ability to determine which transactions have > the highest feerates, since it cannot take into account descendants > until all the transactions are in the mempool. Similarly, it cannot > use a transaction's descendants when considering which of two > conflicting transactions to keep (Replace by Fee or RBF). > > When a user's transaction does not meet a mempool's minimum feerate > and they cannot create a replacement transaction directly, their > transaction will simply be rejected by this mempool. They also cannot > attach a descendant to pay for replacing a conflicting transaction. > This limitation harms users' ability to fee-bump their transactions. > Further, it presents a security issue in contracting protocols which > rely on **presigned**, time-sensitive transactions to prevent cheating > (HTLC-Timeout in LN Penalty [1] [2] [3], Unvault Cancel in Revault > [4], Refund Transaction in Discreet Log Contracts [5], Updates in > eltoo [6]). In other words, a key security assumption of many > contracting protocols is that all parties can propagate and confirm > transactions in a timely manner. > > In the past few years, increasing attention [0][1][2][3][6] has been > brought to **pinning attacks**, a type of censorship in which the > attacker uses mempool policy restrictions to prevent a transaction > from being relayed or getting mined. TLDR: revocation transactions > must meet a certain confirmation target to be effective, but their > feerates are negotiated well ahead of broadcast time. If the > forecasted feerate was too low and no fee-bumping options are > available, attackers can steal money from their counterparties. I walk > through a concrete example for stealing Lightning HTLC outputs at > ~23:58 in this talk [7][8]. Note that most attacks are only possible > when the market for blockspace at broadcast time demands much higher > feerates than originally anticipated at signing time. Always > overestimating fees may sidestep this issue temporarily (while mempool > traffic is low and predictable), but this solution is not foolproof > and wastes users' money. The feerate market can change due to sudden > spikes in traffic (e.g. huge 12sat/vB dump a few days ago [9]) or > sustained, high volume of Bitcoin payments (e.g. April 2021 and > December 2017). > > The best solution is to enable nodes to consider packages of > transactions as a unit, e.g. one or more low-fee parent transactions > with a high-fee child, instead of separately. A package-aware mempool > policy can help determine if it would actually be economically > rational to accept a transaction to the mempool if it doesn't meet fee > requirements individually. Network-wide adoption of these policies > would create a more purely-feerate-based market for block space and > allow contracting protocols to adjust fees (and therefore mining > priority) at broadcast time. Some support for packages has existed in > Bitcoin Core for years. Since v0.13, Bitcoin Core has used ancestor > packages instead of individual transactions to evaluate the incentive > compatibility of transactions in the mempool [10] and select them for > inclusion in blocks [11]. > > Package Relay, the concept of {announcing, requesting, downloading} > packages between nodes on the p2p network, has also been discussed for > many years. The earliest public mention I can find is from 2015 [12]. > The two most common use cases for package relay are fee-bumping > otherwise-too-low-fee transactions and reducing the amount of orphans. > It seems uncontroversial to say that everybody desires package relay > conceptually, with varying degrees of urgency. Lots of work has been > done by others over the past few years, from which I've taken > inspiration from [13][14][15][16]. > > My approach has been to split the project into two components: (1) Packag= e > Mempool Accept, which includes validation logic and mempool policy. > (3) Package Relay, which includes the p2p protocol changes. > > Progress so far: > After discussions with various developers of contracting protocols > (with heavier emphasis towards LN), it was determined that a > package containing a child with all of its unconfirmed parents > (child-with-unconfirmed-parents or 1-child-multi-parent package) would > be sufficient for their use case, i.e. fee-bumping presigned > transactions. A child-with-unconfirmed-parents package has several > properties that make many things easier to reason about. > > A few months ago, I proposed a set of policies for safe package > validation and fee assessment for packages of this restricted > topology [17]. A series of PRs implementing this proposal have > been merged into Bitcoin Core [18]. > > Theoretically, developing a safe and incentive-compatible package > mempool acceptance policy is sufficient to solve this issue. Nodes > could opportunistically accept packages (e.g. by trying combinations > of transactions rejected from their mempools), but this practice would > likely be inefficient at best and open new Denial of Service attacks > at worst. Additional p2p messages may enable nodes to request and > share package validation-related information with one another in a > more communication-efficient way. > > Given that only package RBF remains for package mempool accept, and we > can make progress on p2p and mempool in parallel, I think it=E2=80=99s > appropriate to put forward a package relay proposal. > > =3D=3DProposal=3D=3D > > This proposal contains 2 components: a =E2=80=9Cgeneric=E2=80=9D package = relay > protocol and an extension of it, child-with-unconfirmed-parents > packages, as version 1 package relay. Another version of packages, > =E2=80=9Ctx-with-unconfirmed-ancestors=E2=80=9D can be created to extend = package relay > for eliminating orphans. > > =3D=3D=3DGeneric Package Relay=3D=3D=3D > > Two main ideas are introduced: > > Download and validate packages of transactions together. > > Provide information to help peers decide whether to request and/or how > to validate transactions which are part of a package. > > =3D=3D=3D=3DIntended Protocol Flow=3D=3D=3D=3D > > Due to the asynchronous nature of a distributed transaction relay > network, nodes may not receive all of the information needed to > validate a transaction at once. For example, after a node completes > Initial Block Download (IBD) and first starts participating in > transaction relay with an empty mempool, it is common to receive > orphans. In such scenarios where a node is aware that it is missing > information, a ''receiver-initiated'' dialogue is appropriate: > > 1. Receiver requests package information. > > 2. The sender provides package information, including the wtxids of > the transactions in the package and anything else that might be > relevant (e.g. total fees and size). > > 3. The reciever uses the package information to decide how to request > and validate the transactions. > > Sometimes, no matter what order transactions are received by a node, > validating them individually is insufficient. When the sender is aware > of additional information that the receiver needs to accept a package, > a proactive ''sender-initiated'' dialogue should be enabled: > > 1. Sender announces they have package information pertaining to a > transaction that might otherwise be undesired on its own. > > 2. The receiver requests package information. > > 3. The sender provides package information, including the wtxids of > the transactions in the package and anything else that might be > relevant (e.g. total fees and size). > > 4. The reciever uses the package information to decide how to request > and validate the transactions. > > Package relay is negotiated between two peers during the version > handshake. Package relay requires both peers to support wtxid-based > relay because package transactions are referenced by their wtxid. > > =3D=3D=3D=3DNew Messages=3D=3D=3D=3D > > Three new protocol messages are added for use in any version of > package relay. Additionally, each version of package relay must define > its own inv type and "pckginfo" message version, referred to in this > document as "MSG_PCKG" and "pckginfo" respectively. See > BIP-v1-packages for a concrete example. > > =3D=3D=3D=3D=3Dsendpackages=3D=3D=3D=3D=3D > > {| > | Field Name || Type || Size || Purpose > |- > |version || uint32_t || 4 || Denotes a package version supported by the > node. > |- > |max_count || uint32_t || 4 ||Specifies the maximum number of transaction= s > per package this node is > willing to accept. > |- > |max_weight || uint32_t || 4 ||Specifies the maximum total weight per > package this node is willing > to accept. > |- > |} > > 1. The "sendpackages" message has the structure defined above, with > pchCommand =3D=3D "sendpackages". > > 2. During version handshake, nodes should send a "sendpackages" > message indicate they support package relay and may request > packages. > > 3. The message should contain a version supported by the node. Nodes > should send a "sendpackages" message for each version they support. > > 4. The "sendpackages" message MUST be sent before sending a "verack" > message. If a "sendpackages" message is received afer "verack", the > sender should be disconnected. > > 5. If 'fRelay=3D=3Dfalse' in a peer's version message, the node must not > send "sendpackages" to them. If a "sendpackages" message is > received by a peer after sending `fRelay=3D=3Dfalse` in their version > message, the sender should be disconnected. > > 6.. Upon receipt of a "sendpackages" message with a version that is > not supported, a node must treat the peer as if it never received the > message. > > 7. If both peers send "wtxidrelay" and "sendpackages" with the same > version, the peers should announce, request, and send package > information to each other. > > =3D=3D=3D=3D=3Dgetpckgtxns=3D=3D=3D=3D=3D > > {| > | Field Name || Type || Size || Purpose > |- > |txns_length||CompactSize||1 or 3 bytes|| The number of transactions > requested. > |- > |txns||List of wtxids||txns_length * 32|| The wtxids of each transaction > in the package. > |} > > 1. The "getpckgtxns" message has the structure defined above, with > pchCommand =3D=3D "getpckgtxns". > > 2. A "getpckgtxns" message should be used to request all or some of > the transactions previously announced in a "pckginfo" message, > specified by witness transactiosome id. > > 3. Upon receipt of a "getpckgtxns" message, a node must respond with > either a "pckgtxns" containing the requested transactions or a > "notfound" message indicating one or more of the transactions is > unavailable. This allows the receiver to avoid downloading and storing > transactions that cannot be validated immediately. > > 4. A "getpckgtxns" message should only be sent if both peers agreed to > send packages in the version handshake. If a "getpckgtxns" message > is received from a peer with which package relay was not negotiated, > the sender should be disconnected. > > =3D=3D=3D=3D=3Dpckgtxns=3D=3D=3D=3D=3D > > {| > | Field Name || Type || Size || Purpose > |- > |txns_length||CompactSize||1 or 3 bytes|| The number of transactions > provided. > |- > |txns||List of transactions||variable|| The transactions in the package. > |} > > 1. The "pckgtxns" message has the structure defined above, with > pchCommand =3D=3D "pckgtxns". > > 2. A "pckgtxns" message should contain the transaction data requested > using "getpckgtxns". > > 3. A "pckgtxns" message should only be sent to a peer that requested > the package using "getpckgtxns". If a node receives an unsolicited > package, the sender should be disconnected. > > 4. A "pckgtxns" message should only be sent if both peers agreed to > send packages in the version handshake. If a "pckgtxns" message is > received from a peer with which package relay was not negotiated, the > sender should be disconnected. > > =3D=3D=3DVersion 1 Packages: child-with-unconfirmed-parents=3D=3D=3D > > This extends package relay for packages consisting of one transaction > and all of its unconfirmed parents,by defining version 1 packages, a > pckginfo1 message, and a MSG_PCKG1 inv type. It enables the use case > in which a child pays for its otherwise-too-low-fee parents and their > mempool conflict(s). > > =3D=3D=3D=3DIntended Protocol Flow=3D=3D=3D=3D > > When relaying a package of low-fee parent(s) and high-fee child, the > sender and receiver do the following: > > 1. Sender announces they have a child-with-unconfirmed-parents package > for a child that pays for otherwise-too-low-fee parent(s) using > "inv(MSG_PCKG1)". > > 2. The receiver requests package information using > "getdata(MSG_PCKG1)". > > 3. The sender provides package information using "pckginfo1", > including the blockhash of the sender's best block, the wtxids of > the transactions in the package, their total fees and total weight. > > 4. The reciever uses the package information to decide how to request > the transactions. For example, if the receiver already has some of > the transactions in their mempool, they only request the missing ones. > They could also decide not to request the package at all based on the > fee information provided. > > 5. Upon receiving a "pckgtxns", the receiver submits the transactions > together as a package. > > =3D=3D=3D=3DNew Messages=3D=3D=3D=3D > > A new inv type, "MSG_PCKG1", and new protocol message, "PCKGINFO1", > are added. > > =3D=3D=3D=3D=3Dpckginfo1=3D=3D=3D=3D=3D > > {| > | Field Name || Type || Size || Purpose > |- > |blockhash || uint256 || 32 || The chain tip at which this package is > defined. > |- > |pckg_fee||CAmount||4|| The sum total fees paid by all transactions in th= e > package. > |- > |pckg_weight||int64_t||8|| The sum total weight of all transactions in th= e > package. > |- > |txns_length||CompactSize||1 or 3 bytes|| The number of transactions > provided. > |- > |txns||List of wtxids||txns_length * 32|| The wtxids of each transaction > in the package. > |} > > > 1. The "pckginfo1" message has the structure defined above, with > pchCommand =3D=3D "pckginfo1". > > 2. A "pckginfo1" message contains information about a version 1 > package (defined below), referenced by the wtxid of the transaction > it pertains to and the current blockhash. > > 3. Upon receipt of a "pckginfo1" message, the node should decide if it > wants to validate the package, request transaction data if > necessary, etc. > > 4. Upon receipt of a malformed "pckginfo1" message or package that > does not abide by the max_count, max_weight, or other rules > specified by the version agreed upon in the initial negotiation, the > sender should be disconnected. If a node receives a "pckginfo1" > message for which the "pckg_fee" or "pckg_weight" do not reflect the > true total fees and weight, respectively, or the transactions in the > package, the message is malformed. > > 5. A node MUST NOT send a "pckginfo1" message that has not been > requested by the recipient. Upon receipt of an unsolicited > "pckginfo1", a node should disconnect the sender. > > 6. A "pckginfo1" message should only be sent if both peers agreed to > send version 1 packages in the version handshake. If a "pckginfo1" > message is received from a peer with which package relay was not > negotiated, the sender should be disconnected. > > =3D=3D=3D=3D=3DMSG_PCKG1=3D=3D=3D=3D=3D > > 1. A new inv type (MSG_PCKG1 =3D=3D 0x6) is added, for use in inv message= s > and getdata requests pertaining to version 1 packages. > > 2. As an inv type, it indicates that both transaction data and version > 1 package information are available for the transaction. The > transaction is referenced by its wtxid. As a getdata request type, it > indicates that the sender wants package information for the > transaction. > > 3. Upon receipt of a "getdata" request for "MSG_PCKG1", the node > should respond with the version 1 package corresponding to the > requested transaction and its current chain tip, or with NOTFOUND. > The node should not assume that the sender is requesting the > transaction data as well. > > =3D=3D=3D=3DChild With Parent Packages Rules=3D=3D=3D=3D > > A child-with-unconfirmed-parents package sent between nodes must abide > by the rules below, otherwise the package is malformed and the sender > should be disconnected. > > A version 1 or ''child-with-unconfirmed-parents'' package can be > defined for any transaction that spends unconfirmed inputs. The child > can be thought of as the "representative" of the package. This package > can be uniquely identified by the transaction's wtxid and the current > chain tip block hash. > > A ''child-with-unconfirmed-parents'' package MUST be: > > 1. ''Sorted topologically.'' For every transaction t in the package, > if any of t's parents are present in the package, the parent must > appear somewhere in the list before t. In other words, the > transactions must be sorted in ascending order of the number of > ancestors present in the package. > > 2. ''Only 1 child with unconfirmed parents.'' The package must consist > of one transaction and its unconfirmed parents. There must not be > any other transactions in the package. Other dependency relationships > may exist within the package (e.g. one parent may spend the output of > another parent) provided that topological order is respected. > > 3. ''All unconfirmed parents.'' All of the child's unconfirmed parents > must be present. > > 4. ''No conflicts.'' None of the transactions in the package may > conflict with each other (i.e. spend the same prevout). > > 5. ''Total fees and weight.'' The 'total_fee' and 'total_weight' > fields must accurately represent the sum total of all transactions' > fees and weights as defined in BIP141, respectively. > > Not all of the child's parents must be present; the child transaction > may also spend confirmed inputs. However, if the child has confirmed > parents, they must not be in the package. > > While a child-with-unconfirmed-parents package is perhaps most > relevant when the child has a higher feerate than its parents, this > property is not required to construct a valid package. > > =3D=3D=3D=3DClarifications=3D=3D=3D=3D > > ''Q: Under what circumstances should a sender announce a > child-with-unconfirmed-parents package?'' > > A child-with-unconfirmed-parents package for a transaction should be > announced when it meets the peer's fee filter but one or more of its > parents don't; a "inv(MSG_PCKG1)" instead of "inv(WTX)" should be sent > for the child. Each of the parents which meet the peer's fee filter > should still be announced normally. > > ''Q: What if a new block arrives in between messages?'' > > A child-with-unconfirmed-parents package is defined for a transaction > based on the current chain state. As such, a new block extending the > tip may decrease the number of transactions in the package (i.e. if > any of the transaction's parents were included in the block). In a > reorg, the number of transactions in the package may decrease or > increase (i.e. if any of the transaction's parents were included in a > block in the previous chain but not the new one). > > If the new block arrives before the "getdata" or "pckginfo1", nothing > needs to change. > > If the new block arrives before "getpckgtxns" or before "pckgtxns", > the receiver may need to re-request package information if the block > contained a transaction in the package. If the block doesn't contain > any transactions in the package, whether it extends the previous tip > or causes a reorg, nothing needs to change. > > ''Q: Can "getpckgtxns" and "pckgtxns" messages contain only one > transaction?'' > > Yes. > > =3D=3D=3DFurther Protocol Extensions=3D=3D=3D > > When introducing a new type of package, assign it a version number "n" > and use an additional "sendpackages" message during version handshake > to negotiate support for it. An additional package information message > "pckginfon" and inv type "MSG_PCKGn" should be defined for the type of > package. However, "getpckgtxns" and "pckgtxns" do not need to be > changed. > > Example proposal for tx-with-unconfirmed-ancestors package relay: [19] > > =3D=3D=3DCompatibility=3D=3D=3D > > Older clients remain fully compatible and interoperable after this > change. Clients implementing this protocol will only attempt to send > and request packages if agreed upon during the version handshake. > > =3D=3D=3DPackage Erlay=3D=3D=3D > > Clients using BIP330 reconciliation-based transaction relay (Erlay) > are able to use package relay without interference. In fact, a package > of transactions may be announced using both Erlay and package relay. > After reconciliation, if the initiator would have announced a > transaction by wtxid but also has package information for it, they may > send "inv(MSG_PCKG)" instead of "inv(WTX)". > > =3D=3D=3DRationale=3D=3D=3D > > =3D=3D=3D=3DP2P Message Design=3D=3D=3D=3D > > These p2p messages are added for communication efficiency and, as > such, one should measure alternative solutions based on the resources > used to communicate (not necessarily trustworthy) information: We > would like to minimize network bandwidth, avoid downloading a > transaction more than once, avoid downloading transactions that are > eventually rejected, and minimize storage allocated for > not-yet-validated transactions. > > Consider these (plausible) scenarios in transaction relay: > > Alice (the "sender") is relaying transactions to Bob (the "receiver"). > Alice's mempool has a minimum feerate of 1sat/vB and Bob's has a > minimum feerate of 3sat/vB. For simplicity, all transactions are > 1600Wu in virtual size and 500 bytes in serialized size. Apart from > the spending relationships specified, all other inputs are from > confirmed UTXOs. > > 1. Package {A, B} where A pays 0 satoshis and B pays 8000 satoshis in > fees. > > 2. Package {C, D} where C pays 0 satoshis and D pays 1200 satoshis in > fees. > > 3. Package {E, F, G, H, J} that pays 4000, 8000, 0, 2000, and 4000 > satoshis in fees, respectively. > > =3D=3D=3D=3DAlternative Designs Considered=3D=3D=3D=3D > > ''Package Information Only:'' Just having "pckginfo" gives enough > information for the receiver to accept the package. Omit the > "getpckgtxns" and "pckgtxns" messages. While this option is a good > fallback if batched transaction download fails for some reason, it > shouldn't be used as the default because it 'always' requires storage > of unvalidated transactions. > > ''No Package Information Round:'' Instead of having a package > information round, just use the child's wtxid to refer to the package > and always send the entire package together. This would cause nodes to > redownload duplicate transactions. > > I have also created a slidedeck exploring various alternative designs > and some examples in which they fall flat [20]. Please feel free to > suggest other alternatives. > > =3D=3D=3D=3DVersioning System=3D=3D=3D=3D > > This protocol should be extensible to support multiple types of > packages based on future desired use cases. Two "flavors" of > versioning were considered: > > 1. When package mempool acceptance is upgraded to support more types > of packages, increment the version number (similar to Erlay). > During version handshake, peers negotiate which version of package > relay they will use by each sending one "sendpackages" message. > > 2. When introducing another type of package, assign a version number > to it and announce it as an additional supported version (similar > to Compact Block Relay). During version handshake, peers send one > "sendpackages" message for each version supported. > > The second option was favored because it allows different parameters > for different versions. For example, it should be possible to support > both "arbitrary topology but maximum 3-transaction" package as well as > "child-with-unconfirmed-parents with default mempool ancestor limits" > packages simultaneously. > > =3D=3DAcknowledgements=3D=3D > > I hope to have made it abundantly clear that this proposal isn=E2=80=99t > inventing the concept of package relay, and in fact builds upon years > of work by many others, including Suhas Daftuar and Antoine Riard. > > Thank you to John Newbery and Martin Zumsande for input on the design. > > Thank you to Matt Corallo, Christian Decker, David Harding, Antoine > Poinsot, Antoine Riard, Gregory Sanders, Chris Stewart, Bastien > Teinturier, and others for input on the desired interface for > contracting protocols. > > Looking forward to hearing your thoughts! > > Best, > Gloria > > [0]: > https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-January/0198= 17.html > [1]: > https://lists.linuxfoundation.org/pipermail/lightning-dev/2020-April/0026= 39.html > [2]: > https://lists.linuxfoundation.org/pipermail/lightning-dev/2020-June/00275= 8.html > [3]: > https://github.com/t-bast/lightning-docs/blob/master/pinning-attacks.md > [4]: > https://github.com/revault/practical-revault/blob/master/transactions.md#= cancel_tx > [5]: > https://github.com/discreetlogcontracts/dlcspecs/blob/master/Transactions= .md#refund-transaction > [6]: https://gist.github.com/instagibbs/60264606e181451e977e439a49f69fe1 > [7]: > https://btctranscripts.com/adopting-bitcoin/2021/2021-11-16-gloria-zhao-t= ransaction-relay-policy/#lightning-attacks > [8]: https://youtu.be/fbWSQvJjKFs?t=3D1438 > [9]: > https://www.reddit.com/r/Bitcoin/comments/unew4e/looks_like_70_mvb_of_tra= nsactions_just_got_dumped/ > [10]: https://github.com/bitcoin/bitcoin/pull/7594 > [11]: https://github.com/bitcoin/bitcoin/pull/7600 > [12]: https://github.com/bitcoin/bitcoin/pull/6455#issuecomment-122716820 > [13]: https://gist.github.com/sdaftuar/8756699bfcad4d3806ba9f3396d4e66a > [14]: https://github.com/bitcoin/bitcoin/issues/14895 > [15]: https://github.com/bitcoin/bitcoin/pull/16401 > [16]: https://github.com/bitcoin/bitcoin/pull/19621 > [17]: > https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-September/01= 9464.html > [18]: https://github.com/users/glozow/projects/5/views/4?layout=3Dboard > [19]: https://gist.github.com/glozow/9b321cd3ef6505135c763112033ff2a7 > [20]: > https://docs.google.com/presentation/d/1B__KlZO1VzxJGx-0DYChlWawaEmGJ9EGA= pEzrHqZpQc/edit?usp=3Dsharing > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > --000000000000783eb205e1aa52ce Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Hi Gloria,

Thanks for working on that,

= > Always overestimating fees may sidestep this issue temporarily (while = mempool
> traffic is low and predictable), but this solution is not f= oolproof
> and wastes users' money. The feerate market can change= due to sudden
> spikes in traffic (e.g. huge 12sat/vB dump a few day= s ago [9]) or
> sustained, high volume of Bitcoin payments (e.g.=C2= =A0 April 2021 and
> December 2017).

Even if the LN implementa= tions started to overestimate fees based on the historical worst-case of bl= ock inclusion feerates, there is still room for exploitation due to bip125 = rule#3. Indeed, as long as the adversary is able to stick in the mempool a = higher fee package while the feerate is not compelling enough to get it min= ed, your "honest" LN package should be bounced off.

Consid= ering Core's `MAX_STANDARD_TX_WEIGHT` of 400000 WU, I think it's pr= actical for an attacker to succeed with this pinning tactic in periods of t= raffic spikes. Of course, LN implementation could overestimate fees with a = target like `MAX_STANDARD_WEIGHT` * `worst_case_block_inclusion_feerate` to= mitigate. However, assuming a value of 20sat for the latter, it would requ= ire from any LN user a minimal channel value of 2000000 satoshis to be theo= retically secure against this type of pinning.

So package relay is r= equired to mitigate efficiently and realistically against pinning attacks, = while conserving the same level of "economic" openness for Lightn= ing. Beyond, it should be also noted that package relay is only building bl= ock of the full set of mitigations, and there should be a yet to-find-conse= nsus-as-of-today other policy change such as user-elected package limits or= replace-by-feerate.

Anyway, I think it would be beneficial to docum= ent the design trade-offs of pinning mitigations in the `Rationale` subsect= ion, at the attention of future L2s devs and users ?

> {|
>= | =C2=A0Field Name =C2=A0|| =C2=A0Type =C2=A0|| =C2=A0Size =C2=A0|| =C2=A0= Purpose
> |-
> |version || uint32_t || 4 || Denotes a package v= ersion supported by the
> node.
> |-
> |max_count || uint= 32_t || 4 ||Specifies the maximum number of transactions
> per packag= e this node is
> willing to accept.
> |-
> |max_weight ||= uint32_t || 4 ||Specifies the maximum total weight per
> package thi= s node is willing
> to accept.
> |-
> |}

It's = unclear to me what's the purpose of `max_count` and `max_weight` in the= overall package relay flow, if they are intended to be exposed as configur= able settings to node operators. If those fields are present to allow DoS p= rotection increase of low-performance host, I believe it would be better to= restrain the number of consumed UTXOs or executed sigops per package, as D= oS vectors are more likely to be CPU-based, rather than memory-based as pac= kage size already bounded at acceptance by `MAX_PACKAGE_COUNT`.

Thin= king more we might introduce a `MAX_SIGOPS_PER_PACKAGR` limit, as otherwise= if we naively grant one package announcement as equal to one transaction a= nnouncement in our tx-request logic, we might increase our DoS surface, nod= e ressources staying equivalent ?

> {|
> | =C2=A0Field Name= =C2=A0|| =C2=A0Type =C2=A0|| =C2=A0Size =C2=A0|| =C2=A0 Purpose
> |-=
> |txns_length||CompactSize||1 or 3 bytes|| The number of transactio= ns
> requested.

I'm not sure if we'll ever allow 3-byt= es of package size, that would be ~32k of transactions.

> |-
&= gt; |txns||List of wtxids||txns_length * 32|| The wtxids of each transactio= n in
> the package.
> |}

I think there is a bandwidth co= nsumption trade-off to be aware of in the function of the package-relay usa= ge. Let's consider a single issuer broadcasting the package to spend a = shared-utxo, after the first shot the parent component should be spread acr= oss the network mempools. At each fee-bump, only the bumped CPFP will propa= gate on the network, the parent wtxid is reannounced in `pckginfo1` though = there is no need to fetch it redundantly and waste bandwidth.

Howeve= r, I think the bandwidth saving does not hold in case of competing transact= ion issuers to spend a shared-utxo. In that case, the parent might differ a= t each broadcast and the list of wtxid is dissemblable at every claim of th= e shared-utxo. We could save the 32 bytes * number of packages elements by = announcing a package_id, computed from the list of wtxids.

I don'= ;t know about the occurrence of competing broadcasts among LN non-cooperati= ve closes, where bandwidth could be potentially saved. I would say it's= likely low because IIRC there is nothing in the LN protocol where the coun= terparties signal to each other they're going on-chain to introduce a c= ompeting broadcast synchronizing event. That said, it might increase in the= future in a post-eltoo, multi-party contracting protocol world.

So = it might be interesting to document this design trade-off, if we seek bandw= idth optimizations in function of a changing landscape in the type of trans= action issuers in the future.

> 3. The sender provides package in= formation using "pckginfo1",
> =C2=A0 =C2=A0including the b= lockhash of the sender's best block, the wtxids of
> the transact= ions in the package, their total fees and total weight.

It's unc= lear to me how the `pckinfo1` receiver should proceed if the sender's b= est block is not in sync with the local chain tip.

If the package i= sn't processed further, that's annoying for all the low-performance= =C2=A0 LN mobile clients, their chain tips might be always behind by few bl= ocks from the p2p network nodes. It sounds like their packages won't pr= opagate at all.

If the package is processed further whatever the sen= der-receiver sync on chain tip, what's the purpose of including the blo= ckhash ?

> A child-with-unconfirmed-parents package for a transac= tion should be
> announced when it meets the peer's fee filter bu= t one or more of its
> parents don't; a "inv(MSG_PCKG1)"= ; instead of "inv(WTX)" should be sent
> for the child. Eac= h of the parents which meet the peer's fee filter
> should still = be announced normally.

I believe we might have concerns of package-f= eerate downgrades attacks. E.g, in the LN context, where your channel count= erparty is aiming to jam the propagation of the best-feerate version of the= package.

Let's say you have :
- Alice's commitment_tx, a= t 1s/vB
- package A + child B, at 3s/vB
- package A + child C, at 10s= /vB
- block inclusion feerate at 10s/vB
- Alice and Mallory are LN ch= annel counterparties
- commitment_tx is using LN's anchor outputs
Alice's LN node broadcasts A+C to her mempool.
Bob's feefil= ter is at 3s/vB.
Mallory broadcasts her child B in Alice's mempool.<= br>LN commitment does not meet Bob's feefilter.
Package A+child B at= 3s/vB meets Bob's feefilter and is announced to Bob.
Mallory broadc= asts her own commitment_tx at 4s/vB in Bob's mempool.
When Alice'= ;s child C is relayed to Bob, it's bounced off Bob's mempool.
Do you think this situation is plausible ? Of course, it might be heavily= dependent on package-relay yet-not-implemented internal p2p logic.
I th= ink it could be fixable if LN removes the counterparty's `anchor_output= ` on the local node's version of the commitment transaction, once packa= ge relay is deployed.

Another question, at the next fee-bump iterati= on, Alice rebroadcasts A+child D, at 12 s/vB. Her node has already marked A= lice's commitment_tx as known in Bob's `m_tx_inventory_known_filter= `. So when a new higher fee child is=C2=A0 discovered, should a `child-with= -unconfirmed-parents` be announced between Alice and Bob ?

Anyway, I= think it would be interesting to pseudo-specify the package-assemblage alg= orithm (or if there is code already available) to see if it's robust ag= ainst adversarial or unlucky situations ?

> In fact, a package> of transactions may be announced using both Erlay and package relay.<= br>> After reconciliation, if the initiator would have announced a
&g= t; transaction by wtxid but also has package information for it, they may> send "inv(MSG_PCKG)" instead of "inv(WTX)".
<= br>Yes, I think this holds. Note, we might have to add to the reconciliatio= n set low-fee parents succeeding the feefilter check due to a child. When t= he reconcildiff, we might have to bifucarte again on feefilter to decide to= announce missing wtixds either as `inv(MSG_PCKG)` or `inv(WTX)`.

(IIRC, I've already made few feedbacks offline though good to get t= hem in the public space and think more)

Antoine
=
Le=C2= =A0mar. 17 mai 2022 =C3=A0=C2=A012:09, Gloria Zhao via bitcoin-dev <bitcoin-dev@lists.linu= xfoundation.org> a =C3=A9crit=C2=A0:
Hi everybody,

I=E2=80= =99m writing to propose a set of p2p protocol changes to enable package
= relay, soliciting feedback on the design and approach. Here is a link
to= the most up-to-date proposal:

https://github.com/bitcoin/bips/pull/132= 4

If you have concept or approach feedback, *please respond on t= he
mailing list* to allow everybody to view and participate in the
di= scussion. If you find a typo or inaccurate wording, please feel free
to = leave suggestions on the PR.

I=E2=80=99m also working on an implemen= tation for Bitcoin Core.


The rest of this = post will include the same contents as the proposal,
with a bit of reord= ering and additional context. If you are not 100%
up-to-date on package = relay and find the proposal hard to follow, I
hope you find this fo= rmat more informative and persuasive.


=3D=3DBackgro= und and Motivation=3D=3D

Users may create and broadcast transactions= that depend upon, i.e.
spend outputs of, unconfirmed transactions. A = =E2=80=9Cpackage=E2=80=9D is the
widely-used term for a group of transac= tions representable by a
connected Directed Acyclic Graph (where a direc= ted edge exists between
a transaction that spends the output of another = transaction).

Incentive-compatible mempool and miner policies help c= reate a fair,
fee-based market for block space. While miners maximize tr= ansaction
fees in order to earn higher block rewards, non-mining usersparticipating in transaction relay reap many benefits from employing
p= olicies that result in a mempool with the same contents, including
faste= r compact block relay and more accurate fee estimation.
Additionally, us= ers may take advantage of mempool and miner policy to
bump the priority = of their transactions by attaching high-fee
descendants (Child Pays for = Parent or CPFP).=C2=A0 Only considering
transactions one at a time for s= ubmission to the mempool creates a
limitation in the node's ability = to determine which transactions have
the highest feerates, since it cann= ot take into account descendants
until all the transactions are in the m= empool. Similarly, it cannot
use a transaction's descendants when co= nsidering which of two
conflicting transactions to keep (Replace by Fee = or RBF).

When a user's transaction does not meet a mempool's= minimum feerate
and they cannot create a replacement transaction direct= ly, their
transaction will simply be rejected by this mempool. They also= cannot
attach a descendant to pay for replacing a conflicting transacti= on.
This limitation harms users' ability to fee-bump their transacti= ons.
Further, it presents a security issue in contracting protocols whic= h
rely on **presigned**, time-sensitive transactions to prevent cheating=
(HTLC-Timeout in LN Penalty [1] [2] [3], Unvault Cancel in Revault
[= 4], Refund Transaction in Discreet Log Contracts [5], Updates in
eltoo [= 6]). In other words, a key security assumption of many
contracting proto= cols is that all parties can propagate and confirm
transactions in a tim= ely manner.

In the past few years, increasing attention [0][1][2][3]= [6] has been
brought to **pinning attacks**, a type of censorship in whi= ch the
attacker uses mempool policy restrictions to prevent a transactio= n
from being relayed or getting mined.=C2=A0 TLDR: revocation transactio= ns
must meet a certain confirmation target to be effective, but theirfeerates are negotiated well ahead of broadcast time. If the
forecasted= feerate was too low and no fee-bumping options are
available, attackers= can steal money from their counterparties. I walk
through a concrete ex= ample for stealing Lightning HTLC outputs at
~23:58 in this talk [7][8].= =C2=A0 Note that most attacks are only possible
when the market for bloc= kspace at broadcast time =C2=A0demands much higher
feerates than origina= lly anticipated at signing time. Always
overestimating fees may sidestep= this issue temporarily (while mempool
traffic is low and predictable), = but this solution is not foolproof
and wastes users' money. The feer= ate market can change due to sudden
spikes in traffic (e.g. huge 12sat/v= B dump a few days ago [9]) or
sustained, high volume of Bitcoin payments= (e.g.=C2=A0 April 2021 and
December 2017).

The best solution is = to enable nodes to consider packages of
transactions as a unit, e.g. one= or more low-fee parent transactions
with a high-fee child, instead of s= eparately. A package-aware mempool
policy can help determine if it would= actually be economically
rational to accept a transaction to the mempoo= l if it doesn't meet fee
requirements individually. Network-wide ado= ption of these policies
would create a more purely-feerate-based market = for block space and
allow contracting protocols to adjust fees (and ther= efore mining
priority) at broadcast time.=C2=A0 Some support for package= s has existed in
Bitcoin Core for years. Since v0.13, Bitcoin Core has u= sed ancestor
packages instead of individual transactions to evaluate the= incentive
compatibility of transactions in the mempool [10] and select = them for
inclusion in blocks [11].

Package Relay, the concept of = {announcing, requesting, downloading}
packages between nodes on the p2p = network, has also been discussed for
many years. The earliest public men= tion I can find is from 2015 [12].
The two most common use cases for pac= kage relay are fee-bumping
otherwise-too-low-fee transactions and reduci= ng the amount of orphans.
It seems uncontroversial to say that everybody= desires package relay
conceptually, with varying degrees of urgency. Lo= ts of work has been
done by others over the past few years, from which I= 've taken
inspiration from [13][14][15][16].

My approach has = been to split the project into two components: (1) Package
Mempool Accep= t, which includes validation logic and mempool policy.
(3) Package Relay= , which includes the p2p protocol changes.

Progress so far:
After= discussions with various developers of contracting protocols
(with heav= ier emphasis towards LN), it was determined that a
package containing a = child with all of its unconfirmed parents
(child-with-unconfirmed-parent= s or 1-child-multi-parent package) would
be sufficient for their use cas= e, i.e. fee-bumping presigned
transactions. A child-with-unconfirmed-par= ents package has several
properties that make many things easier to reas= on about.

A few months ago, I proposed a set of policies for safe pa= ckage
validation and fee assessment for packages of this restricted
<= div>topology [17]. A series of PRs implementing this proposal have
been merged into Bitcoin Core [18].

Theoretically, developin= g a safe and incentive-compatible package
mempool acceptance policy is s= ufficient to solve this issue. Nodes
could opportunistically accept pack= ages (e.g. by trying combinations
of transactions rejected from their me= mpools), but this practice would
likely be inefficient at best and open = new Denial of Service attacks
at worst. Additional p2p messages may enab= le nodes to request and
share package validation-related information wit= h one another in a
more communication-efficient way.

Given that o= nly package RBF remains for package mempool accept, and we
can make prog= ress on p2p and mempool in parallel, I think it=E2=80=99s
appropriate to= put forward a package relay proposal.

=3D=3DProposal=3D=3D

T= his proposal contains 2 components: a =E2=80=9Cgeneric=E2=80=9D package rel= ay
protocol and an extension of it, child-with-unconfirmed-parents
pa= ckages, as version 1 package relay. Another version of packages,
=E2=80= =9Ctx-with-unconfirmed-ancestors=E2=80=9D can be created to extend package = relay
for eliminating orphans.

=3D=3D=3DGeneric Package Relay=3D= =3D=3D

Two main ideas are introduced:

Download and validate p= ackages of transactions together.

Provide information to help peers = decide whether to request and/or how
to validate transactions which are = part of a package.

=3D=3D=3D=3DIntended Protocol Flow=3D=3D=3D=3D
Due to the asynchronous nature of a distributed transaction relay
n= etwork, nodes may not receive all of the information needed to
validate = a transaction at once. For example, after a node completes
Initial Block= Download (IBD) and first starts participating in
transaction relay with= an empty mempool, it is common to receive
orphans. In such scenarios wh= ere a node is aware that it is missing
information, a ''receiver= -initiated'' dialogue is appropriate:

1. Receiver requests p= ackage information.

2. The sender provides package information, incl= uding the wtxids of
=C2=A0 =C2=A0the transactions in the package and any= thing else that might be
relevant (e.g. total fees and size).

3. = The reciever uses the package information to decide how to request
=C2= =A0 =C2=A0and validate the transactions.

Sometimes, no matter what o= rder transactions are received by a node,
validating them individually i= s insufficient. When the sender is aware
of additional information that = the receiver needs to accept a package,
a proactive ''sender-ini= tiated'' dialogue should be enabled:

1. Sender announces the= y have package information pertaining to a
=C2=A0 =C2=A0transaction that= might otherwise be undesired on its own.

2. The receiver requests p= ackage information.

3. The sender provides package information, incl= uding the wtxids of
=C2=A0 =C2=A0the transactions in the package and any= thing else that might be
relevant (e.g. total fees and size).

4. = The reciever uses the package information to decide how to request
=C2= =A0 =C2=A0and validate the transactions.

Package relay is negotiated= between two peers during the version
handshake. Package relay requires = both peers to support wtxid-based
relay because package transactions are= referenced by their wtxid.

=3D=3D=3D=3DNew Messages=3D=3D=3D=3D
=
Three new protocol messages are added for use in any version of
pack= age relay. Additionally, each version of package relay must define
its o= wn inv type and "pckginfo" message version, referred to in thisdocument as "MSG_PCKG" and "pckginfo" respectively. S= ee
BIP-v1-packages for a concrete example.

=3D=3D=3D=3D=3Dsendpac= kages=3D=3D=3D=3D=3D

{|
| =C2=A0Field Name =C2=A0|| =C2=A0Type = =C2=A0|| =C2=A0Size =C2=A0|| =C2=A0Purpose
|-
|version || uint32_t ||= 4 || Denotes a package version supported by the node.
|-
|max_count = || uint32_t || 4 ||Specifies the maximum number of transactions per package= this node is
willing to accept.
|-
|max_weight || uint32_t || 4 |= |Specifies the maximum total weight per package this node is willing
to = accept.
|-
|}

1. The "sendpackages" message has the = structure defined above, with
=C2=A0 =C2=A0pchCommand =3D=3D "sendp= ackages".

2. During version handshake, nodes should send a &quo= t;sendpackages"
=C2=A0 =C2=A0message indicate they support package = relay and may request
packages.

3. The message should contain a v= ersion supported by the node. Nodes
=C2=A0 =C2=A0should send a "sen= dpackages" message for each version they support.

4. The "= sendpackages" message MUST be sent before sending a "verack"=
=C2=A0 =C2=A0message. If a "sendpackages" message is received= afer "verack", the
sender should be disconnected.

5. I= f 'fRelay=3D=3Dfalse' in a peer's version message, the node mus= t not
=C2=A0 =C2=A0send "sendpackages" to them. If a "sen= dpackages" message is
received by a peer after sending `fRelay=3D= =3Dfalse` in their version
message, the sender should be disconnected.
6.. Upon receipt of a "sendpackages" message with a version= that is
not supported, a node must treat the peer as if it never receiv= ed the
message.

7. If both peers send "wtxidrelay" and = "sendpackages" with the same
=C2=A0 =C2=A0version, the peers s= hould announce, request, and send package
information to each other.
=
=3D=3D=3D=3D=3Dgetpckgtxns=3D=3D=3D=3D=3D

{|
| =C2=A0Field Na= me =C2=A0|| =C2=A0Type =C2=A0|| =C2=A0Size =C2=A0|| =C2=A0 Purpose
|-|txns_length||CompactSize||1 or 3 bytes|| The number of transactions reque= sted.
|-
|txns||List of wtxids||txns_length * 32|| The wtxids of each= transaction in the package.
|}

1. The "getpckgtxns" me= ssage has the structure defined above, with
=C2=A0 =C2=A0pchCommand =3D= =3D "getpckgtxns".

2. A "getpckgtxns" message sh= ould be used to request all or some of
=C2=A0 =C2=A0the transactions pre= viously announced in a "pckginfo" message,
specified by witnes= s transactiosome id.

3. Upon receipt of a "getpckgtxns" me= ssage, a node must respond with
=C2=A0 =C2=A0either a "pckgtxns&quo= t; containing the requested transactions or a
"notfound" messa= ge indicating one or more of the transactions is
unavailable. This allow= s the receiver to avoid downloading and storing
transactions that cannot= be validated immediately.

4. A "getpckgtxns" message shou= ld only be sent if both peers agreed to
=C2=A0 =C2=A0send packages in th= e version handshake. If a "getpckgtxns" message
is received fr= om a peer with which package relay was not negotiated,
the sender should= be disconnected.

=3D=3D=3D=3D=3Dpckgtxns=3D=3D=3D=3D=3D

{|| =C2=A0Field Name =C2=A0|| =C2=A0Type =C2=A0|| =C2=A0Size =C2=A0|| =C2= =A0 Purpose
|-
|txns_length||CompactSize||1 or 3 bytes|| The number o= f transactions provided.
|-
|txns||List of transactions||variable|| T= he transactions in the package.
|}

1. The "pckgtxns" me= ssage has the structure defined above, with
=C2=A0 =C2=A0pchCommand =3D= =3D "pckgtxns".

2. A "pckgtxns" message should c= ontain the transaction data requested
=C2=A0 =C2=A0using "getpckgtx= ns".

3. A "pckgtxns" message should only be sent to a= peer that requested
=C2=A0 =C2=A0the package using "getpckgtxns&qu= ot;. If a node receives an unsolicited
package, the sender should be dis= connected.

4. A "pckgtxns" message should only be sent if = both peers agreed to
=C2=A0 =C2=A0send packages in the version handshake= . If a "pckgtxns" message is
received from a peer with which p= ackage relay was not negotiated, the
sender should be disconnected.
<= br>=3D=3D=3DVersion 1 Packages: child-with-unconfirmed-parents=3D=3D=3D =C2= =A0

This extends package relay for packages consisting of one transa= ction
and all of its unconfirmed parents,by defining version 1 packages,= a
pckginfo1 message, and a MSG_PCKG1 inv type. It enables the use case<= br>in which a child pays for its otherwise-too-low-fee parents and theirmempool conflict(s).

=3D=3D=3D=3DIntended Protocol Flow=3D=3D=3D=3D=

When relaying a package of low-fee parent(s) and high-fee child, th= e
sender and receiver do the following:

1. Sender announces they = have a child-with-unconfirmed-parents package
=C2=A0 =C2=A0for a child t= hat pays for otherwise-too-low-fee parent(s) using
"inv(MSG_PCKG1)&= quot;.

2. The receiver requests package information using
=C2=A0 = =C2=A0"getdata(MSG_PCKG1)".

3. The sender provides package= information using "pckginfo1",
=C2=A0 =C2=A0including the blo= ckhash of the sender's best block, the wtxids of
the transactions in= the package, their total fees and total weight.

4. The reciever use= s the package information to decide how to request
=C2=A0 =C2=A0the tran= sactions. For example, if the receiver already has some of
the transacti= ons in their mempool, they only request the missing ones.
They could als= o decide not to request the package at all based on the
fee information = provided.

5. Upon receiving a "pckgtxns", the receiver sub= mits the transactions
=C2=A0 =C2=A0together as a package.

=3D=3D= =3D=3DNew Messages=3D=3D=3D=3D

A new inv type, "MSG_PCKG1"= , and new protocol message, "PCKGINFO1",
are added.

=3D= =3D=3D=3D=3Dpckginfo1=3D=3D=3D=3D=3D

{|
| =C2=A0Field Name =C2=A0= || =C2=A0Type =C2=A0|| =C2=A0Size =C2=A0|| =C2=A0 Purpose
|-
|blockha= sh || uint256 || 32 || The chain tip at which this package is defined.
|= -
|pckg_fee||CAmount||4|| The sum total fees paid by all transactions in= the package.
|-
|pckg_weight||int64_t||8|| The sum total weight of a= ll transactions in the package.
|-
|txns_length||CompactSize||1 or 3 = bytes|| The number of transactions provided.
|-
|txns||List of wtxids= ||txns_length * 32|| The wtxids of each transaction in the package.
|}

1. The "pckginfo1" message has the structure defined ab= ove, with
=C2=A0 =C2=A0pchCommand =3D=3D "pckginfo1".

2= . A "pckginfo1" message contains information about a version 1=C2=A0 =C2=A0package (defined below), referenced by the wtxid of the trans= action
it pertains to and the current blockhash.

3. Upon receipt = of a "pckginfo1" message, the node should decide if it
=C2=A0 = =C2=A0wants to validate the package, request transaction data if
necessa= ry, etc.

4. Upon receipt of a malformed "pckginfo1" messag= e or package that
=C2=A0 =C2=A0does not abide by the max_count, max_weig= ht, or other rules
specified by the version agreed upon in the initial n= egotiation, the
sender should be disconnected.=C2=A0 If a node receives = a "pckginfo1"
message for which the "pckg_fee" or &q= uot;pckg_weight" do not reflect the
true total fees and weight, res= pectively, or the transactions in the
package, the message is malformed.=

5. A node MUST NOT send a "pckginfo1" message that has no= t been
=C2=A0 =C2=A0requested by the recipient. Upon receipt of an unsol= icited
"pckginfo1", a node should disconnect the sender.
6. A "pckginfo1" message should only be sent if both peers agre= ed to
=C2=A0 =C2=A0send version 1 packages in the version handshake. If = a "pckginfo1"
message is received from a peer with which packa= ge relay was not
negotiated, the sender should be disconnected.

= =3D=3D=3D=3D=3DMSG_PCKG1=3D=3D=3D=3D=3D

1. A new inv type (MSG_PCKG1= =3D=3D 0x6) is added, for use in inv messages
=C2=A0 =C2=A0and getdata = requests pertaining to version 1 packages.

2. As an inv type, it ind= icates that both transaction data and version
=C2=A0 =C2=A01 package inf= ormation are available for the transaction. The
transaction is reference= d by its wtxid. As a getdata request type, it
indicates that the sender = wants package information for the
transaction.

3. Upon receipt of= a "getdata" request for "MSG_PCKG1", the node
=C2= =A0 =C2=A0should respond with the version 1 package corresponding to therequested transaction and its current chain tip, or with NOTFOUND.
The = node should not assume that the sender is requesting the
transaction dat= a as well.

=3D=3D=3D=3DChild With Parent Packages Rules=3D=3D=3D=3D<= br>
A child-with-unconfirmed-parents package sent between nodes must abi= de
by the rules below, otherwise the package is malformed and the sender=
should be disconnected.

A version 1 or ''child-with-unco= nfirmed-parents'' package can be
defined for any transaction tha= t spends unconfirmed inputs. The child
can be thought of as the "re= presentative" of the package. This package
can be uniquely identifi= ed by the transaction's wtxid and the current
chain tip block hash.<= br>
A ''child-with-unconfirmed-parents'' package MUST be= :

1. ''Sorted topologically.'' For every transaction= t in the package,
=C2=A0 =C2=A0if any of t's parents are present in= the package, the parent must
appear somewhere in the list before t. In = other words, the
transactions must be sorted in ascending order of the n= umber of
ancestors present in the package.

2. ''Only 1 ch= ild with unconfirmed parents.'' The package must consist
=C2=A0 = =C2=A0of one transaction and its unconfirmed parents. There must not be
= any other transactions in the package. Other dependency relationships
ma= y exist within the package (e.g. one parent may spend the output of
anot= her parent) provided that topological order is respected.

3. '&#= 39;All unconfirmed parents.'' All of the child's unconfirmed pa= rents
=C2=A0 =C2=A0must be present.

4. ''No conflicts.= 9;' None of the transactions in the package may
=C2=A0 =C2=A0conflic= t with each other (i.e. =C2=A0spend the same prevout).

5. ''= Total fees and weight.'' The 'total_fee' and 'total_wei= ght'
=C2=A0 =C2=A0fields must accurately represent the sum total of = all transactions'
fees and weights as defined in BIP141, respectivel= y.

Not all of the child's parents must be present; the child tra= nsaction
may also spend confirmed inputs. However, if the child has conf= irmed
parents, they must not be in the package.

While a child-wit= h-unconfirmed-parents package is perhaps most
relevant when the child ha= s a higher feerate than its parents, this
property is not required to co= nstruct a valid package.

=3D=3D=3D=3DClarifications=3D=3D=3D=3D
<= br>''Q: Under what circumstances should a sender announce a
chil= d-with-unconfirmed-parents package?''

A child-with-unconfirm= ed-parents package for a transaction should be
announced when it meets t= he peer's fee filter but one or more of its
parents don't; a &qu= ot;inv(MSG_PCKG1)" instead of "inv(WTX)" should be sent
f= or the child. Each of the parents which meet the peer's fee filter
s= hould still be announced normally.

''Q: What if a new block = arrives in between messages?''

A child-with-unconfirmed-pare= nts package is defined for a transaction
based on the current chain stat= e. As such, a new block extending the
tip may decrease the number of tra= nsactions in the package (i.e. if
any of the transaction's parents w= ere included in the block). In a
reorg, the number of transactions in th= e package may decrease or
increase (i.e. if any of the transaction's= parents were included in a
block in the previous chain but not the new = one).

If the new block arrives before the "getdata" or &qu= ot;pckginfo1", nothing
needs to change.

If the new block arr= ives before "getpckgtxns" or before "pckgtxns",
the = receiver may need to re-request package information if the block
contain= ed a transaction in the package. If the block doesn't contain
any tr= ansactions in the package, whether it extends the previous tip
or causes= a reorg, nothing needs to change.

''Q: Can "getpckgtxn= s" and "pckgtxns" messages contain only one
transaction?&= #39;'

Yes.

=3D=3D=3DFurther Protocol Extensions=3D=3D=3D<= br>
When introducing a new type of package, assign it a version number &= quot;n"
and use an additional "sendpackages" message duri= ng version handshake
to negotiate support for it. An additional package = information message
"pckginfon" and inv type "MSG_PCKGn&q= uot; should be defined for the type of
package.=C2=A0 However, "get= pckgtxns" and "pckgtxns" do not need to be
changed.
Example proposal for tx-with-unconfirmed-ancestors package relay: [19]
=3D=3D=3DCompatibility=3D=3D=3D

Older clients remain fully com= patible and interoperable after this
change. Clients implementing this p= rotocol will only attempt to send
and request packages if agreed upon du= ring the version handshake.

=3D=3D=3DPackage Erlay=3D=3D=3D

C= lients using BIP330 reconciliation-based transaction relay (Erlay)
are a= ble to use package relay without interference. In fact, a package
of tra= nsactions may be announced using both Erlay and package relay.
After rec= onciliation, if the initiator would have announced a
transaction by wtxi= d but also has package information for it, they may
send "inv(MSG_P= CKG)" instead of "inv(WTX)".

=3D=3D=3DRationale=3D=3D= =3D

=3D=3D=3D=3DP2P Message Design=3D=3D=3D=3D

These p2p mess= ages are added for communication efficiency and, as
such, one should mea= sure alternative solutions based on the resources
used to communicate (n= ot necessarily trustworthy) information: We
would like to minimize netwo= rk bandwidth, avoid downloading a
transaction more than once, avoid down= loading transactions that are
eventually rejected, and minimize storage = allocated for
not-yet-validated transactions.

Consider these (pla= usible) scenarios in transaction relay:

Alice (the "sender"= ;) is relaying transactions to Bob (the "receiver").
Alice'= ;s mempool has a minimum feerate of 1sat/vB and Bob's has a
minimum = feerate of 3sat/vB. For simplicity, all transactions are
1600Wu in virtu= al size and 500 bytes in serialized size. Apart from
the spending relati= onships specified, all other inputs are from
confirmed UTXOs.

1. = Package {A, B} where A pays 0 satoshis and B pays 8000 satoshis in
=C2= =A0 =C2=A0fees.

2. Package {C, D} where C pays 0 satoshis and D pays= 1200 satoshis in
=C2=A0 =C2=A0fees.

3. Package {E, F, G, H, J} t= hat pays 4000, 8000, 0, 2000, and 4000
=C2=A0 =C2=A0satoshis in fees, re= spectively.

=3D=3D=3D=3DAlternative Designs Considered=3D=3D=3D=3D
''Package Information Only:'' Just having "pckgi= nfo" gives enough
information for the receiver to accept the packag= e. Omit the
"getpckgtxns" and "pckgtxns" messages. W= hile this option is a good
fallback if batched transaction download fail= s for some reason, it
shouldn't be used as the default because it &#= 39;always' requires storage
of unvalidated transactions.

'= ;'No Package Information Round:'' Instead of having a packageinformation round, just use the child's wtxid to refer to the package=
and always send the entire package together. This would cause nodes to<= br>redownload duplicate transactions.

I have also created a slidedec= k exploring various alternative designs
and some examples in which they = fall flat [20]. Please feel free to
suggest other alternatives.

= =3D=3D=3D=3DVersioning System=3D=3D=3D=3D

This protocol should be ex= tensible to support multiple types of
packages based on future desired u= se cases. Two "flavors" of
versioning were considered:

= 1. When package mempool acceptance is upgraded to support more types
=C2= =A0 =C2=A0of packages, increment the version number (similar to Erlay).
= During version handshake, peers negotiate which version of package
relay= they will use by each sending one "sendpackages" message.
2. When introducing another type of package, assign a version number
= =C2=A0 =C2=A0to it and announce it as an additional supported version (simi= lar
to Compact Block Relay). During version handshake, peers send one"sendpackages" message for each version supported.

The se= cond option was favored because it allows different parameters
for diffe= rent versions.=C2=A0 For example, it should be possible to support
both = "arbitrary topology but maximum 3-transaction" package as well as=
"child-with-unconfirmed-parents with default mempool ancestor limi= ts"
packages simultaneously.

=3D=3DAcknowledgements=3D=3D
I hope to have made it abundantly clear that this proposal isn=E2=80= =99t
inventing the concept of package relay, and in fact builds upon yea= rs
of work by many others, including Suhas Daftuar and Antoine Riard.
Thank you to John Newbery and Martin Zumsande for input on the design.=

Thank you to Matt Corallo, Christian Decker, David Harding, Antoine=
Poinsot, Antoine Riard, Gregory Sanders, Chris Stewart, Bastien
Tein= turier, and others for input on the desired interface for
contracting pr= otocols.

Looking forward to hearing your thoughts!
Best,
Gloria

[0]: https://lists.linuxfoundation.org/pipermail/bitco= in-dev/2022-January/019817.html
[1]: https://lists.linuxfoundation.org/pipermail/lightning-dev/2020-April/0= 02639.html
[2]: https://lists.lin= uxfoundation.org/pipermail/lightning-dev/2020-June/002758.html
[3]: = https://github.com/t-bast/lightning-docs/blob/ma= ster/pinning-attacks.md
[4]: h= ttps://github.com/revault/practical-revault/blob/master/transactions.md#can= cel_tx
[5]: https= ://github.com/discreetlogcontracts/dlcspecs/blob/master/Transactions.md#ref= und-transaction
[6]: https://gist.github.com/= instagibbs/60264606e181451e977e439a49f69fe1
[7]: https://btctranscripts.= com/adopting-bitcoin/2021/2021-11-16-gloria-zhao-transaction-relay-policy/#= lightning-attacks
[8]: https://youtu.be/fbWSQvJjKFs?t=3D1438
[9]: https://www.reddit.com= /r/Bitcoin/comments/unew4e/looks_like_70_mvb_of_transactions_just_got_dumpe= d/
[10]: https://github.com/bitcoin/bitcoin/pull/7594
[11]: <= a href=3D"https://github.com/bitcoin/bitcoin/pull/7600" target=3D"_blank">h= ttps://github.com/bitcoin/bitcoin/pull/7600
[12]: https://github.com/bitcoin/bitcoin/pull/6455#issuecomment-122716820

[13]:
https://gist.github.com/sdaftuar/8756699bfc= ad4d3806ba9f3396d4e66a
[14]: https://github.com/bitcoin/bitcoin/i= ssues/14895
[15]: https://github.com/bitcoin/bitcoin/pull/16401=
[16]: https://github.com/bitcoin/bitcoin/pull/19621
[17]: https://lists.linuxfoundation.org/piperma= il/bitcoin-dev/2021-September/019464.html
[18]: https://github.com/users/glozow/projects/5/views/4?layout=3Dboard
[= 19]: https://gist.github.com/glozow/9b321cd3ef6505135c76= 3112033ff2a7
[20]: https://docs.google.com/presentation/d/1B__KlZO1VzxJGx-0DYChlWawaE= mGJ9EGApEzrHqZpQc/edit?usp=3Dsharing
_______________________________________________
bitcoin-dev mailing list
= bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mail= man/listinfo/bitcoin-dev
--000000000000783eb205e1aa52ce--