BOLT #7: receiving node requirements related to timestamp for channel_update message#621
Conversation
While going through the BOLT lightning#7 I was confused by this receiving node requirement for `channel_update` message: "if the `timestamp` is equal to the last-received `channel_update` AND the fields (other than `signature`) differ: MAY blacklist this `node_id`; MAY forget all channels associated with it." On the outset it might read to "`timestamp` should be same, the `signature` should be same as previous but if the other data is different; then blacklist the `node_id`". However, if `signature` is same as previous update but data is different, then the `signature` would be rendered invalid. And since `signature` check is done prior to the `timestamp` check, this situation of checking may not arise. So this check seems to be redundant. However, Mark H corrected me on stackexchange (https://bitcoin.stackexchange.com/questions/88350/bolt-7-can-receiving-node-requirements-in-channel-update-message-give-rise-to) by saying that a valid signature must be provided for this update and timestamp to go through. This pull request corrects the language behind this check. While creating this pull request, I also noticed a slight typo in the same section. The sentence prior to the one I mentioned above says that if the timestamp is not greater than the previous message, the node should ignore the message. And the second sentence is about comparing if timestamp is equal. But again, this check might not be processed as the message will be discarded if it is not greater. I have changed that to "greater than or equal to".
…or channel_update message While going through the BOLT lightning#7 I was confused by this receiving node requirement for `channel_update` message: "if the `timestamp` is equal to the last-received `channel_update` AND the fields (other than `signature`) differ: MAY blacklist this `node_id`; MAY forget all channels associated with it." On the outset it might read to "`timestamp` should be same, the `signature` should be same as previous but if the other data is different; then blacklist the `node_id`". However, if `signature` is same as previous update but data is different, then the `signature` would be rendered invalid. And since `signature` check is done prior to the `timestamp` check, this situation of checking may not arise. So this check seems to be redundant. However, Mark H corrected me on stackexchange (https://bitcoin.stackexchange.com/questions/88350/bolt-7-can-receiving-node-requirements-in-channel-update-message-give-rise-to) by saying that a valid signature must be provided for this update and timestamp to go through. This pull slightly corrects the language behind this check and adds a paragraph in the rationale to explain that point. While creating this pull request, I also noticed a slight typo in the same section. The sentence prior to the one I mentioned above says that if the timestamp is not greater than the previous message, the node should ignore the message. And the second sentence is about comparing if timestamp is equal. But again, the equal to check might not be processed as the message will be discarded if it is not greater. I have changed that to "greater than or equal to".
Co-Authored-By: Bastien Teinturier <31281497+t-bast@users.noreply.github.com>
Co-Authored-By: Bastien Teinturier <31281497+t-bast@users.noreply.github.com>
| the specified chain): | ||
| - MUST ignore the channel update. | ||
| - if `timestamp` is NOT greater than that of the last-received | ||
| - if `timestamp` is lower than that of the last-received |
There was a problem hiding this comment.
this the new rewording leaves a gap, since it doesn't specify what to do if the timestamp is equal to the last-received and the message is indeed a duplicate. in this case, the message should still be ignored.
i think this is resolved keeping the NOT greater than here and removing the otherwise on line 500. i think it also requires switching the order of the checks, since the blacklist check is a stricter subset of the <=check.
to be clear, i'm suggesting:
if blacklist:
...
if timestamp <=:
...
There was a problem hiding this comment.
@cfromknecht Thanks! I included your suggestion for the condition where the timestamp is equal. But in order to not leave other holes, I slightly changed it in terms of order than what you suggested. Let me know if its good.
| It is assumed that more than one `channel_update` message changing the channel | ||
| parameters in the same second may be a DoS attempt, and therefore, the node responsible | ||
| for signing such messages may be blacklisted. However, a node can send a same | ||
| `channel_update` message with a different signature (changing the nonce in signature |
There was a problem hiding this comment.
important to note that since ECDSA signatures are malleable, the signatures can be different even if the node only signed once.
There was a problem hiding this comment.
Very fair point. I'm incorporating this in the rationale.
|
@ugamkamat could you update to fix the typo (which would make the build succeed)? |
Co-Authored-By: Bastien Teinturier <31281497+t-bast@users.noreply.github.com>
|
@t-bast Done, typo is fixed |
|
The build is still failing because you introduce words that aren't in the spellcheck list yet. |
|
@t-bast Done. Since this was my first time adding a commit, I wasn't entirely sure how to update that file. I have created a PR with those words added. |
Updated for DoS and ECDSA
|
@t-bast So, I have pushed the file to this PR. Let me know if that is correct. |
|
ACK |
| - if `timestamp` is lower than that of the last-received | ||
| `channel_update` for this `short_channel_id` AND for `node_id`: | ||
| - SHOULD ignore the message. | ||
| - otherwise: |
There was a problem hiding this comment.
I guess this otherwise could have been removed too?
There was a problem hiding this comment.
@jtimon No that otherwise is needed. Just that both the if and otherwise should be indented on the previous otherwise. I think there was a formatting error when creating the pull request.
The idea was to have it this way. Timestamp equal to previous do this. Time stamp lower than previous do that. Otherwise: if timestamp too large in future do this, otherwise do that
There was a problem hiding this comment.
Is reverting the commit and making changes the right way to go?
There was a problem hiding this comment.
No we don't rewrite history. You can submit a tiny indentation fix PR and it should be approved very quickly.
Related to pull lightning#621 Corrected the indentation in the otherwise section in the `timestamp` check of the `channel_update` message. Both the if appeared at the same level of otherwise.
While going through BOLT #7 I was confused by this receiving node requirement for
channel_updatemessage: "if thetimestampis equal to the last-receivedchannel_updateAND the fields (other thansignature) differ: MAY blacklist thisnode_id; MAY forget all channels associated with it." On the outset it might read to "timestampshould be same, thesignatureshould be same as previous but if the other data is different; then blacklist thenode_id". However, ifsignatureis same as previous update but data is different, then thesignaturewould be rendered invalid. And sincesignaturecheck is done prior to thetimestampcheck, this situation of checking may not arise. So this check seems to be redundant. However, Mark H corrected me on stackexchange (https://bitcoin.stackexchange.com/questions/88350/bolt-7-can-receiving-node-requirements-in-channel-update-message-give-rise-to) by saying that a validsignaturemust be provided for thischannel_updateandtimestampto go through. This pull request slightly corrects the language behind this check and adds a paragraph in the rationale to explain that point.In correcting the point, I have said fields below
timestampdiffers for the following reason: (1)short_channel_idandchain_hashrequirements are processed prior totimestampand (2) validsignaturecheck is also done prior to thetimestamp.While creating this pull request, I also noticed a slight typo in the same section. The sentence prior to the one I mentioned above says that if the
timestampis not greater than the previous message, the node should ignore the message. And the second sentence is about comparing iftimestampis equal. But again, the equal to check might not be processed as the message will be discarded if it is not greater. I have changed that to "greater than or equal to". Would love your comments and suggestions.