ICS3: Add Connection Upgrade Spec

[AdityaSripal]

This is a rough draft proposal for the ability to upgrade a connection once it has already been established

[AdityaSripal]

Some notes:

• Current idea is that upgrading a connection will require bilateral agreement. i.e. Both sides must explicitly allow the initial parts of handshake (INIT and TRY). Ack and Confirm can be completed by trustless relayer.
• There is currently a timeout specified on INIT and TRY, so that the connection does not hang indefinitely in a closed state. Not fully specified yet.
• The details of how to handle crossing hellos is not fully specified yet, so ignore that possibility on initial review.

[colin-axner]

Excellent!! Concept makes sense to me. Architecturally not difficult to introduce into existing ibc implementations

[colin-axner]

Interesting, I'd think you'd want to leave the connection unchanged until the upgrade process successfully completes. Otherwise you could potentially disrupt packet flow if the connection is in UPGRADE_INIT instead of OPEN?

I'd expect you to store the proposed upgrade connection under a proposed upgrade connection path. Use that for proofs and then if successful update the connection on ack/confirm?

[AdityaSripal]

I don't want the case where chainA has its connectionEnd OPEN with the old parameters, and chainB has its connectionEnd OPEN with the new parameters as that may cause unexpected consequences.

If a connection is OPEN on both ends it should be a valid connection always.

So either both ends are OPEN running the old parameters, or both ends are OPEN running the new parameters.

The only way to accomplish this is to temporarily close the connection on both sides (INIT and TRY), then reopen after the upgrade is complete on either end (ACK and CONFIRM).

This does mean packet flow is temporarily halted but i believe this is fine. Once the connection is back up, the relayers can either receive or timeout the pending packets

[AdityaSripal]

This is also why I specify a timeout, because I don't want the "temporary pause" to last arbitrarily long

[cwgoes]

yeah, this makes sense to me

[cwgoes]

Concept ACK; most changes ACK (modulo open question of crossing hellos); see a few minor comments.

I will also note that I would like to see re-verification of IBC safety / liveness with this logic incorporated.

[cwgoes]

yeah, this makes sense to me

[mpoke]

Concept ACK. I agree with Christopher that we need to make sure that the IBC safety and liveness are preserved with this logic incorporated. See comments below.

[mpoke]

Suggested change

	function verifyConnectionUpgradeError(
	function VerifyUpgradeError(

[AdityaSripal]

I've added Connection here to the name because there are identical functions for channel upgradability.

[mpoke]

Yeah, but the comment above is // Client VerifyUpgradeError and in the above function, i.e.,

// Connection VerifyConnectionUpgradeError method
 function verifyConnectionUpgradeError(

you call client.verifyUpgradeError

[mpoke]

Suggested change

	function verifyConnectionUpgradeTimeout(
	function VerifyUpgradeTimeout(

[AdityaSripal]

ditto

[mpoke]

clientState is not passed when calling client.verifyUpgradeError()

[AdityaSripal]

This is the same pattern used in ICS3 and ICS2. I believe it is the standard for Typescript.

https://github.com/cosmos/ibc/blob/master/spec/core/ics-003-connection-semantics/README.md#helper-functions

https://github.com/cosmos/ibc/blob/master/spec/core/ics-002-client-semantics/README.md#required-functions

[mpoke]

Yeah, I've seen that. I find it very confusing. Until now I thought it's an inconsistency. Still not convinced that it's not :)

[mpoke]

clientState is not passed when calling client.verifyUpgradeTimeout()

[AdityaSripal]

ditto

[mpoke]

This seems very Tendermint specific, i.e., https://github.com/cosmos/ibc/blob/master/spec/client/ics-007-tendermint-client/README.md#state-verification-functions

[AdityaSripal]

This does not assume anything about Tendermint, but just says we will verify membership against a consensus state at provided height. This is taken from ICS2.

https://github.com/cosmos/ibc/blob/master/spec/core/ics-002-client-semantics/README.md#example-implementation

[mpoke]

Thanks for the changes. The protocol seems correct. I left some comments, most of them minor.

[colin-axner]

Only reviewed up to the Sub-Protocols section. LGTM so far

[colin-axner]

we have to be careful to not use relayer provided information unless verified (especially if we are restoring/cancelling an upgrade)

[mpoke]

Looks great. I have just one concern regarding the transition from UPGRADE_TRY to OPEN (i.e., connUpgradeConfirm). The rest of the comments are just nits.

[mpoke]

A verification function is no longer needed for the client interface.

[mpoke]

ditto

[mpoke]

I find this a detail of implementation. Not sure it's needed in the spec.

[AdityaSripal]

No because both sides must agree on an encoding, otherwise they won't be able to verify correctly. So it must be part of spec. I think this is a downside in the rest of spec, that it doesn't explicitly define the encoding you need to use to speak with other IBC chains

[mpoke]

upgradeTimeout is not used.

[AdityaSripal]

Ahh oops, it gets used above in proof verification. Will reorder

[mpoke]

Before changing the local connection state to OPEN, shouldn't we check again that the remote connection is compatible with the local one? During connUpgradeAck, the remote side could restore the connection, which means moving to a connection with state OPEN. Just verifying that the remote side is OPEN may not be enough.

connUpgradeConfirm should also contain a proof that UpgradeError was not set by the remote side.

[AdityaSripal]

Ahh thank you, nice catch