Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

BOLT#02: clarify coop close requirements #970

Merged
merged 1 commit into from
Jul 18, 2022

Conversation

Crypt-iQ
Copy link
Contributor

@Crypt-iQ Crypt-iQ commented Mar 16, 2022

Closes #964

- MUST NOT send a `shutdown`.
- MUST NOT send an `update_add_htlc` after a `shutdown`.
- if no HTLCs remain in either commitment transaction:
- if neither side has a dangling commitment and neither commitment contains any HTLCs (including dust HTLCs):
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think "dangling" is super well-defined here, and I'm not convinced we want to make that change anyway.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Allowing closing_signed while a dangling commitment exists can only happen in this transition:

---fail--> (last htlc getting cancelled)
---sig--->
<--rev----
<--sig----

The previous wording said "either" which means it wasn't accounting for the possibility of the 3rd. Also the wording in the receiver section of commit_sig says MUST reply with revoke_and_ack

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm, I'd argue there is still "an HTLC in (one of the) counterparty commitment transactions" at that point - it just so happens there are two counterparty commitment transactions until you get the RAA. Still, in either case, this should use more concrete language IMO.

@@ -580,10 +580,10 @@ shutdown starts, the question of how to behave if it wasn't is avoided:
the sender always sends a `commitment_signed` first.

As shutdown implies a desire to terminate, it implies that no new
HTLCs will be added or accepted. Once any HTLCs are cleared, the peer
HTLCs will be added or accepted. Once any HTLCs are cleared, there are no dangling commitments and all updates are included on both commitment transactions, the peer
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of using the word "dangling" can we specify what we mean clearly - something about commitments for which no revoke_and_ack has been sent?

Also, nit: please wrap lines at 80 chars, or so.

@@ -602,7 +602,7 @@ The `shutdown` response requirement implies that the node sends `commitment_sign

### Closing Negotiation: `closing_signed`

Once shutdown is complete and the channel is empty of HTLCs, the final
Once shutdown is complete, the channel is empty of HTLCs, there are no dangling commitments and all updates are included on both commitments, the final
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Once shutdown is complete, the channel is empty of HTLCs, there are no dangling commitments and all updates are included on both commitments, the final
Once shutdown is complete, the channel is empty of HTLCs, there are no dangling
commitments and all updates are included on both commitments, the final

The same comment of Matt here, be more specific it is good here because we avoid inconsistency for future updates or ambiguity.

may immediately begin closing negotiation, so we ban further updates
to the commitment transaction (in particular, `update_fee` would be
possible otherwise).
possible otherwise). However, while there are HTLCs on the commitment transaction, the initiator may find it desirable to increase the feerate as there may be pending HTLCs on the commitment which could timeout.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
possible otherwise). However, while there are HTLCs on the commitment transaction, the initiator may find it desirable to increase the feerate as there may be pending HTLCs on the commitment which could timeout.
possible otherwise). However, while there are HTLCs on the commitment
transaction, the initiator may find it desirable to increase
the feerate as there may be pending HTLCs on the commitment which could timeout.

@Crypt-iQ
Copy link
Contributor Author

The current wording of this PR allows:

A                            B

			<---fail---
			<---sig----
			<---fee---- (allowed)

<---fail---
<---sig----
----rev---> (immediately sent upon sig)
----sig---> (lnd does this)
<---fee----

			----rev--->
			----sig---> (dont revoke)
			<---sig---- (signing for fee)

<---sig----
----rev--->
			
			----rev--->
			<---fee----
			<---sig----

<---fee----
<---sig----

	*repeat the fee transition*

So B can continually send update_fee since B never sent a revocation for the signature. I don't think this state transition should be allowed - there needs to be some point after which update_fee is disallowed. I know that both lnd and eclair will fail eventually with these state transitions if B does not send a revoke_and_ack after some time, but it doesn't seem to be a spec requirement.

@@ -544,10 +544,10 @@ A sending node:
- if it hasn't sent a `funding_created` (if it is a funder) or a `funding_signed` (if it is a fundee):
- MUST NOT send a `shutdown`
- MAY send a `shutdown` before a `funding_locked`, i.e. before the funding transaction has reached `minimum_depth`.
- if there are updates pending on the receiving node's commitment transaction:
- if there are uncommitted updates pending on the receiving node's commitment transaction:
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@vincenzopalazzo started looking at this in our code and I kinda realized....why do we have this requirement at all? Like, who really cares what's pending when a shutdown goes out? after shutdown goes out you shouldn't add anything new, and certainly sending a shutdown out while an update_add is pending is kinda dumb (the peer should reject at that point), but its not like it should break anything, only pre-closing_signed is a real concern here.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I assume a part of the reason for this is so that the receiving end can enforce the "no new update_adds" requirement when receiving commitment_signed and not later? Does anyone do this (maybe c-lightning @rustyrussell ?)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK, this was good chatting, and I'm sorry if this came out of my head after the meeting, but I just drafted the lnprototest PR rustyrussell/lnprototest#37 after the meeting and I was able to make some consideration after writing the code.

So, my idea that I shared with @TheBlueMatt is why we care about what we don't receive, and we can be more precise in the fact of what we must not receive.

This will make the spec also less ambiguous, for instance, some things like that

Suggested change
- if there are uncommitted updates pending on the receiving node's commitment transaction:
- if `add_htlc` message is received from the received after shutdown, the sender must fail the htlc

P.S: this make also the lnprototest integration test easy with a single assert MustNodeReceive('add_htlc') :)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The only reason to have a "black list" is that during the time this black list can blow up?

@Roasbeef
Copy link
Collaborator

Roasbeef commented May 9, 2022

Spec comment: need to define what a "dangling" commitment is explicitly (and also if we want to use that term or something else). We can add a section here if we like the wording: https://github.com/lightning/bolts/blob/master/00-introduction.md#glossary-and-terminology-guide

@Crypt-iQ
Copy link
Contributor Author

I've changed the wording so "no dangling commitments" is now roughly "no commitments for which a revocation is owed"

Copy link
Contributor

@vincenzopalazzo vincenzopalazzo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, just some format changes

may immediately begin closing negotiation, so we ban further updates
to the commitment transaction (in particular, `update_fee` would be
possible otherwise).
HTLCs will be added or accepted. Once any HTLCs are cleared, there are no commitments
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
HTLCs will be added or accepted. Once any HTLCs are cleared, there are no commitments
HTLCs will be added or accepted. Once any HTLCs are cleared, there are no commitments

Comment on lines 607 to 608
- if neither side has a commitment for which a revocation is owed and neither
commitment contains any HTLCs (including dust HTLCs):
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- if neither side has a commitment for which a revocation is owed and neither
commitment contains any HTLCs (including dust HTLCs):
- if neither side has a commitment for which a revocation is owed and neither
commitment contains any HTLCs (including dust HTLCs):

Copy link
Collaborator

@t-bast t-bast left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks mostly good to me, this is more clear now and I think this is the behavior we want.

02-peer-protocol.md Outdated Show resolved Hide resolved
This commit ensures closing_signed can only begin if there are
no dangling commitments. It also clarifies update_fee requirements
if it is sent after shutdown.
Copy link
Collaborator

@t-bast t-bast left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ACK baae0e9

@TheBlueMatt
Copy link
Collaborator

This closes #964, correct?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

bolt 2: coop-closing clarification
6 participants