bolts icon indicating copy to clipboard operation
bolts copied to clipboard
verified publisher icon lightning

BOLT 2: forget the check about `update_*` messages, and check what must not happens during `shutdown`

Open vincenzopalazzo opened this issue 3 years ago • 11 comments

The rationale around this PR that is a simplification of #970 is that a node should not care about what it receives but only about what it must not receive. Just to quote @TheBlueMatt

The actual Close Channel spec tell us exactly when we need to fail, we need just to remove the confusing part related to the update_* messages

So, the concept proposed is to use a black list of messages that a node should never receive during a shutdown, and the actual status the black list contains only is just an add_htlc.

lnprototest reference implementation: https://github.com/rustyrussell/lnprototest/pull/37

vincenzopalazzo avatar Apr 06 '22 14:04 vincenzopalazzo

Any thoughts @Crypt-iQ ?

TheBlueMatt avatar Apr 11 '22 20:04 TheBlueMatt

The changes look fine, but I think we should specify when it's ok to send closing_signed

Crypt-iQ avatar Apr 22 '22 15:04 Crypt-iQ

Right, agreed, this only does half of what #970 was doing, we still need to clarify the "when can you send closing_signed" part.

TheBlueMatt avatar Apr 22 '22 16:04 TheBlueMatt

The changes look fine, but I think we should specify when it's ok to send closing_signed

Good point! In this case, we can use the same idea to simplify the code, with the following way:

  • (from the sender side) send a closing_signed message when the are no pending htlcs, and
  • (from the receiver side) we can accept closing_signed only when there are no pending htlcs, and if a closing_signed when there are htlcs to resolve, the received will send a warning message (or error to fail the close operation?)

What do you think?

vincenzopalazzo avatar Apr 22 '22 16:04 vincenzopalazzo

Good point! In this case, we can use the same idea to simplify the code, with the following way:

Lets do this in a separate PR, probably #970, I think the parts of #970 that do this are fine, though can be a bit better-defined.

TheBlueMatt avatar Apr 22 '22 17:04 TheBlueMatt

Another good thing that we can introduce here @t-bast is how manage the update_fee, how @Crypt-iQ a node can continue to send update_fee for any reason, and this can stop a node with the current master BOLT to close a channel.

However, we can also add a line to specify that update_fee need to stay in the range defined in the message description

  • if the update_fee is too low for timely processing, OR is unreasonably large: MUST send a warning and close the connection, or send an error and fail the channel

Where the unreasonable definition is up to the implementation, in this way we will solve also the problem to when send the closing_signed because if the update fee are to much faster, the node can pic one that he choose defined in a reasonable time and send the closing_signed

vincenzopalazzo avatar May 09 '22 05:05 vincenzopalazzo

However, we can also add a line to specify that update_fee need to stay in the range defined in the message description

if the update_fee is too low for timely processing, OR is unreasonably large: MUST send a warning and close the connection, or send an error and fail the channel

That would be unnecessary, we only need to have this paragraph in the section about update_fee, no need to duplicate it here it would only bloat the requirements.

t-bast avatar May 09 '22 06:05 t-bast

Today lnd doesn't actually handle update_fee if it's sent after a shutdown. At this point we assume that no other updates can happen to a channel, so we ignore them (read the message and just drop it). I'll make an issue on our end to start handling it properly, since it is the case that you need it even w/ anchors if the relay fee grows too high.

Roasbeef avatar May 09 '22 20:05 Roasbeef

no other updates can happen to a channel

I assume this does not include HTLC removal updates? Just checking to make sure. This would imply if a peer removes an HTLC and sends a fee update you'll just force-close on them?

TheBlueMatt avatar May 10 '22 23:05 TheBlueMatt

no other updates can happen to a channel

I assume this does not include HTLC removal updates? Just checking to make sure. This would imply if a peer removes an HTLC and sends a fee update you'll just force-close on them?

lnd doesn't do shutdown until the channel state is totally clean. lnd won't force close if you send messages at this point, it will just drop them. this will be fixed once the spec is a little more clear

Crypt-iQ avatar May 11 '22 16:05 Crypt-iQ

lnd doesn't do shutdown until the channel state is totally clean.

Ah that's...an interesting interpretation of the spec. But in practice I'd imagine that means this isn't a big deal - update_fee after channel is clear should be really rare, but before of course it may be common. That said it does imply lnd is willing to relay/send over a channel that will always reject the HTLC :/

TheBlueMatt avatar May 11 '22 16:05 TheBlueMatt

Mh! I jump on this PR because I was looking inside some work in lnprototest and I think this PR should add some additional info related to the message that is banned on the shutdown. or it is fine in this way?

vincenzopalazzo avatar Aug 29 '22 16:08 vincenzopalazzo