missioncontrol: add invalid onion blinding handling for blinded paths #8095
Conversation
carlaKC
force-pushed
the
7882-mcblinding
branch
2 times, most recently
from
152ca56 to
dd01d71
Compare
routing/result_interpretation.go
Outdated
| // Everything up until the error source forwarded the payment | ||
| // correctly. | ||
| i.successPairRange(route, 0, errorSourceIdx-1) | ||
| i.failPairRange( |
There was a problem hiding this comment.
With failPairRange this fails pairs after errorSourceIdx completely, which means that all hops afterwards are discarded for any amount in future attempts, because the failure amount is set to zero (additionally pairs are failed backwards and forwards, which may be unneccesary). I feel like we should use failPairBalance only for the last hop, as this will already invalidate the blinded part of the route for the amount that was tried, but it leaves some room for the splitting algo to retry the blinded path in case of multiple blinded paths? The other benefit of this would be to not pollute mission control with many ephemeral keys (payment successes could be handled similarly).
I think we ideally don't want any ephemeral outgoing pairs associated with the introduction node to be reported failed (as it currently is) nor succeeded. Node reputation is computed on all outgoing results of a node, which is why this would add/remove node penalization (hope my analysis is correct, see https://github.com/lightningnetwork/lnd/blob/master/routing/missioncontrol.go#L335 and https://github.com/lightningnetwork/lnd/blob/master/routing/probability_apriori.go#L180). Otherwise this may be gameable by providing faulty invoices that would worsen/improve introduction nodes' routing reputation.
There was a problem hiding this comment.
I feel like we should use failPairBalance only for the last hop, as this will already invalidate the blinded part of the route for the amount that was tried
Oh yeah, this is much nicer. WDYT we should do in the case of a single hop blinded route (Introduction -> Blinded Recipient), because failPairBalance is only effective on intermediate nodes rn? afaik we don't have a way to penalize the blinded recipient without penalizing the intro node, so just set a final failure so that we give up?
Otherwise this may be gameable by providing faulty invoices that would worsen/improve introduction nodes' routing reputation.
I do wonder how much we actually need to worry about this? To "poison" an introduction node, the malicious receiver needs to get the sender to pay that invoice. Which would only happen if the sender wants to make that payment (buy something / send money etc), and then surely the receiver is more incentivized to "shut up and take my money"? Not disagreeing with leaving the intro node untouched (makes sense for node score), just not sure how much of a threat it would be.
Thanks for taking a look!
There was a problem hiding this comment.
Oh yeah, this is much nicer. WDYT we should do in the case of a single hop blinded route (Introduction -> Blinded Recipient), because failPairBalance is only effective on intermediate nodes rn? afaik we don't have a way to penalize the blinded recipient without penalizing the intro node, so just set a final failure so that we give up?
Yes, that one is tricky, but it seems reasonable to fail the payment, since the receiver should have added a route hint that has liquidity. Another case which is not handled right now is the case where we see FailInvalidBlinding from a node after the introduction point (spec violated twice?). In that case we probably would like to punish the introduction node for not letting the error originate from it (thereby also invalidating the blinded route). Since all of this is really complicated I tried check any edge cases as well (https://github.com/bitromortac/lnd/tree/re-8095-231018-11-blinded-error).
There was a problem hiding this comment.
Yes, that one is tricky, but it seems reasonable to fail the payment, since the receiver should have added a route hint that has liquidity.
I think this might get a little tricky with multi-blinded path support, but I think this is a good start for the single-path case.
Thanks for going through all the edge cases! Updated code to account for single hop case + errors after the introduction node. Also updated PR description with overview of each case - lmk if anything is missing / different to your interpretation.
carlaKC
force-pushed
the
7882-mcblinding
branch
from
dd01d71 to
4aa871c
Compare
carlaKC
force-pushed
the
7882-mcblinding
branch
from
4aa871c to
b97ce37
Compare
|
Updated handling of blinded errors after the introduction node to a higher level in the decision tree (before we decide to handle intermediate / final). I think that this makes sense because it's a new "class" or error type we need to handle, but also happy to move it into the individual |
|
@ziggie1984: review reminder |
carlaKC
force-pushed
the
7882-mcblinding
branch
from
b97ce37 to
6f67d52
Compare
|
Latest push just a rebase! |
carlaKC
force-pushed
the
7882-mcblinding
branch
2 times, most recently
from
5a3a4ab to
0075a8e
Compare
This commit adds handling for errors that originate after the introduction node when making payment to a blinded route. This indicates that the introduction node is not obeying the spec, so it is punished for the violation.
This commit adds handling for route blinding errors that are reported by the introduction node in a multi-hop blinded route. As the introduction node is always responsible for handling blinded errors, it is not penalized - only the final hop is penalized to discourage the blinded route without filling up mission control with ephemeral results. If this error code is reported by a node that is not an introduction node, we penalize the node because it is returning an error code that it should not be using.
Note: this refactor updates the inequality used from >= 2 to > 1 to align with the rest of this file so that we express this concept consistently throughout the code.
We do not expect blinding errors from the final node: 1. If the introduction is the recipient, they should use regular errors. 2. Otherwise, nodes have no business sending this error when they are not part of a blinded route.
carlaKC
force-pushed
the
7882-mcblinding
branch
from
0075a8e to
b31bab3
Compare
Def, can you create this (given current context) @carlaKC? |
|
Opened #8363 with write up, @ziggie1984 / @bitromortac please give it a peep to make sure I've covered everything properly! |
This PR updates mission control to handle
InvalidOnionBlindingerrors, fixes #7882.Key ideas in this PR (h/t @bitromortac for digging into edge cases):
Key for images:
InvalidOnionBlinding❗ Handling has been updated to also reward the incoming link to the introduction node after discussion on the PR, images are slightly outdated ❗
Regular Blinded Paths
Misuse of Error Code
Final Hop
Final Hop Case:
