summaryrefslogtreecommitdiff
path: root/82/d73f174aff9ab55d8058d381c2cd5b233a7cf7
blob: ac83a3532b3826844870025300888d850fa3a5c9 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
Return-Path: <johanth@gmail.com>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
	[172.17.192.35])
	by mail.linuxfoundation.org (Postfix) with ESMTPS id 4C6D7CAD;
	Thu, 24 Oct 2019 13:49:24 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-lj1-f170.google.com (mail-lj1-f170.google.com
	[209.85.208.170])
	by smtp1.linuxfoundation.org (Postfix) with ESMTPS id EA9F087B;
	Thu, 24 Oct 2019 13:49:22 +0000 (UTC)
Received: by mail-lj1-f170.google.com with SMTP id j19so25128546lja.1;
	Thu, 24 Oct 2019 06:49:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
	h=mime-version:references:in-reply-to:from:date:message-id:subject:to
	:cc; bh=Ap5w/y69qvIJpGA7vfOz8lZgukArEzjDjbS437tTPyI=;
	b=c/g2FCAavwUE318kn8jC77icl9/wmiN0Acg6cSzfZq9eiUybU4j0i4aNg29rASgemh
	NzNdBlxLSU5V2DabGLsnoWeHL3Z9pPgDaLSmEGCo7boUdDaxnzIV+mA1yWXY7IZz7pks
	/kZu2JWSWBbFwvixA/ZrhxE3wCJkzRc09aheAjsPnMM2Sp/1rpeLrynUY61B4rPviPfm
	qZcr7ApbBEpmPSo8ShTXr4CHfz2vqR332bFDkSR+UqJX9bn6quiOM/loWhyOjNWxqVSJ
	d8mj6ihiL6CQIls6N0LnhtWGplNVa+MHkRbgAFSS0cQ6TwgY2QyoMXa1De6PxxBh32vk
	v36w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:mime-version:references:in-reply-to:from:date
	:message-id:subject:to:cc;
	bh=Ap5w/y69qvIJpGA7vfOz8lZgukArEzjDjbS437tTPyI=;
	b=jnhKfvSMTPCv8TFOJqKcPbrst2KsaHmASIcAmO0c6jpifdZnwdrebXQVzjs2lbeTWv
	zAP4SQ9o8mNb2zL9tISxYCc5saLJGi4OcZ/4wXwy+TEtgvAOjLxww4ufgeNfKSya9k9L
	ORjG0fLuj5qMgPUMDCCsgQU7L00sGAREfYr92+JeKBlXly6OePDuKNp4rWKZtSK/2w6U
	o0AAPA+0g2RVKBxQgamiKiqbIQ/NrIt7OZ4bDYRdSLzDvCJkd/E63msdQOhtYw1Me+hZ
	HSSVbpB83IeA67isXArzhQErymDS0QWcZA1lVoROlCfeFi6jwpcaaWSG6Z2eTSqrUaYC
	Zr8w==
X-Gm-Message-State: APjAAAWZAEBmq0KgvDYDf/gBG8y8GjauN1PNZ0fThwnynMuF4Q3JqdfB
	/AWxvDhLHWekYDxUgoKoCpEr5i57IOhfqP+r/Tfg3+0+
X-Google-Smtp-Source: APXvYqwGaD+t0f9bwcI7RxIO8izZSQWY0t/tr8vuONjDlQuUA9RcU1QgvfUtxb6Vv62zmxVhIp4mm6jeBbWmYL1OuH4=
X-Received: by 2002:a2e:8694:: with SMTP id l20mr25928218lji.64.1571924961049; 
	Thu, 24 Oct 2019 06:49:21 -0700 (PDT)
MIME-Version: 1.0
References: <c3f68b73-84c6-7428-4bf6-b47802141392@mattcorallo.com>
	<878t163qzi.fsf@rustcorp.com.au>
	<725fc55a-6263-a9fc-74a5-1017cb1cc885@mattcorallo.com>
	<87wonfem03.fsf@rustcorp.com.au>
	<D072562F-5AD0-4B38-94D1-A0AEF04C3DEB@mattcorallo.com>
	<87zhr0gvw0.fsf@rustcorp.com.au>
In-Reply-To: <87zhr0gvw0.fsf@rustcorp.com.au>
From: =?UTF-8?Q?Johan_Tor=C3=A5s_Halseth?= <johanth@gmail.com>
Date: Thu, 24 Oct 2019 15:49:09 +0200
Message-ID: <CAD3i26AjhQ9VkCo_5y8aqZ_8YvSqKP2MCkdRv8YunjAhmmXz=Q@mail.gmail.com>
To: Rusty Russell <rusty@rustcorp.com.au>
Content-Type: multipart/alternative; boundary="000000000000eac0fb0595a84ccc"
X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID, DKIM_VALID_AU, DOS_RCVD_IP_TWICE_B, FREEMAIL_FROM,
	HTML_MESSAGE, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	smtp1.linux-foundation.org
X-Mailman-Approved-At: Thu, 24 Oct 2019 14:22:28 +0000
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>,
	lightning-dev <lightning-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] [Lightning-dev] CPFP Carve-Out for Fee-Prediction
 Issues in Contracting Applications (eg Lightning)
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Oct 2019 13:49:24 -0000

--000000000000eac0fb0595a84ccc
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Reviving this old thread now that the recently released RC for bitcoind
0.19 includes the above mentioned carve-out rule.

In an attempt to pave the way for more robust CPFP of on-chain contracts
(Lightning commitment transactions), the carve-out rule was added in
https://github.com/bitcoin/bitcoin/pull/15681. However, having worked on an
implementation of a new commitment format for utilizing the Bring Your Own
Fees strategy using CPFP, I=E2=80=99m wondering if the special case rule sh=
ould
have been relaxed a bit, to avoid the need for adding a 1 CSV to all
outputs (in case of Lightning this means HTLC scripts would need to be
changed to add the CSV delay).

Instead, what about letting the rule be

The last transaction which is added to a package of dependent
transactions in the mempool must:
  * Have no more than one unconfirmed parent.

This would of course allow adding a large transaction to each output of the
unconfirmed parent, which in effect would allow an attacker to exceed the
MAX_PACKAGE_VIRTUAL_SIZE limit in some cases. However, is this a problem
with the current mempool acceptance code in bitcoind? I would imagine
evicting transactions based on feerate when the max mempool size is met
handles this, but I=E2=80=99m asking since it seems like there has been sev=
eral
changes to the acceptance code and eviction policy since the limit was
first introduced.

- Johan


On Wed, Feb 13, 2019 at 6:57 AM Rusty Russell <rusty@rustcorp.com.au> wrote=
:

> Matt Corallo <lf-lists@mattcorallo.com> writes:
> >>> Thus, even if you imagine a steady-state mempool growth, unless the
> >>> "near the top of the mempool" criteria is "near the top of the next
> >>> block" (which is obviously *not* incentive-compatible)
> >>
> >> I was defining "top of mempool" as "in the first 4 MSipa", ie. next
> >> block, and assumed you'd only allow RBF if the old package wasn't in t=
he
> >> top and the replacement would be.  That seems incentive compatible; mo=
re
> >> than the current scheme?
> >
> > My point was, because of block time variance, even that criteria doesn'=
t
> hold up. If you assume a steady flow of new transactions and one or two
> blocks come in "late", suddenly "top 4MWeight" isn't likely to get
> confirmed until a few blocks come in "early". Given block variance within=
 a
> 12 block window, this is a relatively likely scenario.
>
> [ Digging through old mail. ]
>
> Doesn't really matter.  Lightning close algorithm would be:
>
> 1.  Give bitcoind unileratal close.
> 2.  Ask bitcoind what current expidited fee is (or survey your mempool).
> 3.  Give bitcoind child "push" tx at that total feerate.
> 4.  If next block doesn't contain unilateral close tx, goto 2.
>
> In this case, if you allow a simpified RBF where 'you can replace if
> 1. feerate is higher, 2. new tx is in first 4Msipa of mempool, 3. old tx
> isnt',
> it works.
>
> It allows someone 100k of free tx spam, sure.  But it's simple.
>
> We could further restrict it by marking the unilateral close somehow to
> say "gonna be pushed" and further limiting the child tx weight (say,
> 5kSipa?) in that case.
>
> Cheers,
> Rusty.
> _______________________________________________
> Lightning-dev mailing list
> Lightning-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev
>

--000000000000eac0fb0595a84ccc
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div dir=3D"ltr"><div>Reviving this old thread now that th=
e recently released RC for bitcoind 0.19 includes the above mentioned carve=
-out rule.</div><div><br></div><div>In an attempt to pave the way for more =
robust CPFP of on-chain contracts (Lightning commitment transactions), the =
carve-out rule was added in <a href=3D"https://github.com/bitcoin/bitcoin/p=
ull/15681">https://github.com/bitcoin/bitcoin/pull/15681</a>. However, havi=
ng worked on an implementation of a new commitment format for utilizing the=
 Bring Your Own Fees strategy using CPFP, I=E2=80=99m wondering if the spec=
ial case rule should have been relaxed a bit, to avoid the need for adding =
a 1 CSV to all outputs (in case of Lightning this means HTLC scripts would =
need to be changed to add the CSV delay).</div><div><br></div><div>Instead,=
 what about letting the rule be</div><div><br></div><div>The last transacti=
on which is added to a package of dependent</div><div>transactions in the m=
empool must:</div><div>=C2=A0 * Have no more than one unconfirmed parent.</=
div><div><br></div><div>This would of course allow adding a large transacti=
on to each output of the unconfirmed parent, which in effect would allow an=
 attacker to exceed the MAX_PACKAGE_VIRTUAL_SIZE limit in some cases. Howev=
er, is this a problem with the current mempool acceptance code in bitcoind?=
 I would imagine evicting transactions based on feerate when the max mempoo=
l size is met handles this, but I=E2=80=99m asking since it seems like ther=
e has been several changes to the acceptance code and eviction policy since=
 the limit was first introduced.</div><div><br></div><div>- Johan</div><div=
><br></div></div></div><br><div class=3D"gmail_quote"><div dir=3D"ltr" clas=
s=3D"gmail_attr">On Wed, Feb 13, 2019 at 6:57 AM Rusty Russell &lt;<a href=
=3D"mailto:rusty@rustcorp.com.au">rusty@rustcorp.com.au</a>&gt; wrote:<br><=
/div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;bo=
rder-left:1px solid rgb(204,204,204);padding-left:1ex">Matt Corallo &lt;<a =
href=3D"mailto:lf-lists@mattcorallo.com" target=3D"_blank">lf-lists@mattcor=
allo.com</a>&gt; writes:<br>
&gt;&gt;&gt; Thus, even if you imagine a steady-state mempool growth, unles=
s the <br>
&gt;&gt;&gt; &quot;near the top of the mempool&quot; criteria is &quot;near=
 the top of the next <br>
&gt;&gt;&gt; block&quot; (which is obviously *not* incentive-compatible)<br=
>
&gt;&gt; <br>
&gt;&gt; I was defining &quot;top of mempool&quot; as &quot;in the first 4 =
MSipa&quot;, ie. next<br>
&gt;&gt; block, and assumed you&#39;d only allow RBF if the old package was=
n&#39;t in the<br>
&gt;&gt; top and the replacement would be.=C2=A0 That seems incentive compa=
tible; more<br>
&gt;&gt; than the current scheme?<br>
&gt;<br>
&gt; My point was, because of block time variance, even that criteria doesn=
&#39;t hold up. If you assume a steady flow of new transactions and one or =
two blocks come in &quot;late&quot;, suddenly &quot;top 4MWeight&quot; isn&=
#39;t likely to get confirmed until a few blocks come in &quot;early&quot;.=
 Given block variance within a 12 block window, this is a relatively likely=
 scenario.<br>
<br>
[ Digging through old mail. ]<br>
<br>
Doesn&#39;t really matter.=C2=A0 Lightning close algorithm would be:<br>
<br>
1.=C2=A0 Give bitcoind unileratal close.<br>
2.=C2=A0 Ask bitcoind what current expidited fee is (or survey your mempool=
).<br>
3.=C2=A0 Give bitcoind child &quot;push&quot; tx at that total feerate.<br>
4.=C2=A0 If next block doesn&#39;t contain unilateral close tx, goto 2.<br>
<br>
In this case, if you allow a simpified RBF where &#39;you can replace if<br=
>
1. feerate is higher, 2. new tx is in first 4Msipa of mempool, 3. old tx is=
nt&#39;,<br>
it works.<br>
<br>
It allows someone 100k of free tx spam, sure.=C2=A0 But it&#39;s simple.<br=
>
<br>
We could further restrict it by marking the unilateral close somehow to<br>
say &quot;gonna be pushed&quot; and further limiting the child tx weight (s=
ay,<br>
5kSipa?) in that case.<br>
<br>
Cheers,<br>
Rusty.<br>
_______________________________________________<br>
Lightning-dev mailing list<br>
<a href=3D"mailto:Lightning-dev@lists.linuxfoundation.org" target=3D"_blank=
">Lightning-dev@lists.linuxfoundation.org</a><br>
<a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev=
" rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundation.org/ma=
ilman/listinfo/lightning-dev</a><br>
</blockquote></div>

--000000000000eac0fb0595a84ccc--