ouroboros-network

When syncing, replace misbehaving peers after a delay (minutes) instead of immediately

Open nfrisby opened this issue 5 months ago • 3 comments

On 2024 Aug 21, @crocodile-dentist reminded us of a request our two teams had previously discussed. This Issue makes that request concrete.

For the sake of tuning the Ouroboros Genesis parameters, the Tweag team worked out upper bounds for the most delay the adversary could induce at once. Those bounds assumed the adversary was not replenishing itself: i.e., immediately replacing adversarial peers that the syncing node disconnects from with a coordinated adversarial peer.

The worked-out bounds become significantly worse if the adversary does successfully replenish itself, and then parameter tuning becomes much more delicate. The probability of replenishment --- especially multiple occurrences --- is quite low, unless the adversary controls a lot of stake. Even so, we are interested in effectively eliminating the risk of replenishment by delaying the replacement of misbehaving peers by 15 min or so (edit: we still disconnect from them immediately, but delay before connecting to their replacement). Since it only applies to misbehaving peers, it should not slow down the sync, since we assume the syncing node has at least one honest peer.

If this delay turns out to be particularly onerous to implement, then perhaps the Consensus Team can reconsider investing more effort in revisiting the parameter tuning under the more difficult assumptions.

nfrisby, Aug 26 '24 15:08
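The delayed-replacement policy requested above, as a small model added here; it is not code from ouroboros-network or from the issue's author. The `PeerSlots` class, the slot count, the 60-second tick and the worst case in which every replacement is adversarial and misbehaves at once are all assumptions of this sketch.

```python
from dataclasses import dataclass, field

REPLACEMENT_DELAY_S = 15 * 60  # "15 min or so" from the issue; exact value is an assumption


@dataclass
class PeerSlots:
    """Hypothetical model of a syncing node's peer slots (not ouroboros-network's API)."""
    target: int                                    # number of peers the node wants
    delay_s: float = REPLACEMENT_DELAY_S
    active: set = field(default_factory=set)
    cooldowns: list = field(default_factory=list)  # times at which a frozen slot reopens

    def free_slots(self, now):
        # A slot frozen by a misbehaving peer becomes usable once its delay has elapsed.
        self.cooldowns = [t for t in self.cooldowns if t > now]
        return self.target - len(self.active) - len(self.cooldowns)

    def connect(self, peer, now):
        if self.free_slots(now) <= 0:
            return False
        self.active.add(peer)
        return True

    def disconnect(self, peer, now, misbehaved):
        if peer not in self.active:
            return
        # The disconnect itself is always immediate; only the replacement is delayed.
        self.active.discard(peer)
        if misbehaved:
            self.cooldowns.append(now + self.delay_s)


def adversarial_connections(target, delay_s, window_s, tick_s=60):
    """Count adversarial peers admitted during window_s in the assumed worst case."""
    slots = PeerSlots(target=target, delay_s=delay_s)
    slots.connect("honest", 0)  # the issue assumes at least one honest peer
    made = 0
    for now in range(0, window_s, tick_s):
        # Worst case: every free slot is taken by a coordinated adversarial peer.
        while slots.connect(f"adv-{made}", now):
            made += 1
        # Each adversarial peer misbehaves and is dropped within the same tick.
        for peer in [p for p in slots.active if p != "honest"]:
            slots.disconnect(peer, now, misbehaved=True)
    return made, "honest" in slots.active
```

With five slots over one hour, this model admits 240 adversarial peers when replacement is immediate and 16 with the 15-minute delay, and the honest peer stays connected in both runs.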