From rusty at rustcorp.com.au Sat Apr 24 04:09:18 2021
From: rusty at rustcorp.com.au (Rusty Russell)
Date: Sat, 24 Apr 2021 13:39:18 +0930
Subject: [Lightning-dev] Making unannounced channels harder to probe
Message-ID: <87pmyke32p.fsf@rustcorp.com.au>

Hi all,

You can currently probe for a channel id attached to node N by sending an HTLC, and seeing whether the error reply comes from N or the next hop. The real answer is to get back to blinded paths, BTW.

But Joost pointed out that you need to know the node_id of the next node though: this isn't quite true, since if the node_id is wrong the spec says you should send an `update_fail_malformed_htlc` with failure code invalid_onion_hmac, which node N turns into its own failure message. Perhaps it should convert it to `unknown_next_peer` instead? This isn't a common error on the modern network; I think our onion implementations have been rock solid.

This doesn't help if you've revealed your node id in other ways ofc. i.e. you offer me an invoice, now I probe the rest of the network to find all unannounced channels you have. For that, implementations *could* choose to return `update_fail_malformed_htlc` failure_code=invalid_onion_hmac as above on anything which comes through an unannounced channel but is not a successful payment (or part thereof, i.e. correct payment_hash for outstanding invoice with correct payment_secret field?).

Cheers,
Rusty.

PS. https://twitter.com/cycryptr/status/1384355046381473792 contains exploration.
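
Added example, not part of the original message and not code from any Lightning implementation: a toy Python model of the replies a sender observes from node N, used to check whether each of the two changes discussed above makes a real and a made-up channel id indistinguishable. The function names, the flags `convert_malformed` and `hide_unannounced`, and the channel and node ids are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Reply:
    erring_node: str   # node the sender sees as the origin of the failure
    failure_code: str

# Constructed sample state: N has one unannounced channel, to peer "P".
N_CHANNELS = {"700000x1x0": "P"}   # short_channel_id -> peer node_id

def peer_handles(peer, onion_node_id, hide_unannounced):
    """What the next hop sends back to N for an HTLC that is not a real payment."""
    if hide_unannounced or onion_node_id != peer:
        # Either the onion was built for another key, or (second suggestion)
        # the peer answers every non-payment this way on unannounced channels.
        return ("update_fail_malformed_htlc", "invalid_onion_hmac")
    return ("update_fail_htlc", "incorrect_or_unknown_payment_details")

def n_forwards(scid, onion_node_id, convert_malformed, hide_unannounced):
    """Reply observed by the sender after N tries to forward over scid."""
    peer = N_CHANNELS.get(scid)
    if peer is None:
        return Reply("N", "unknown_next_peer")
    msg, code = peer_handles(peer, onion_node_id, hide_unannounced)
    if msg == "update_fail_malformed_htlc":
        # N turns the malformed report into its own failure message;
        # convert_malformed=True models rewriting it to unknown_next_peer.
        return Reply("N", "unknown_next_peer" if convert_malformed else code)
    return Reply(peer, code)   # failure relayed from the peer itself

def leaks_channel_existence(convert_malformed, hide_unannounced, guessed_node_id):
    """True if a real scid and a made-up scid yield different replies."""
    real = n_forwards("700000x1x0", guessed_node_id, convert_malformed, hide_unannounced)
    fake = n_forwards("123456x7x8", guessed_node_id, convert_malformed, hide_unannounced)
    return real != fake

if __name__ == "__main__":
    for conv in (False, True):
        for hide in (False, True):
            for guess in ("wrong-guess", "P"):
                print(conv, hide, guess, leaks_channel_existence(conv, hide, guess))
```

In this model the replies only match for a sender who already knows the peer's node id when both flags are set; the model covers failure codes and erring node only, not timing or other side channels.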