Round synchronisation could be very slow

[milosevic]

Imagine the system with 4 nodes p1, p2, p3 and p4, where p4 is faulty process. Assume that p3 is initially disconnected with the rest of the nodes, and at time t p1, p2 and p4 are in round 10. Faulty process is always sending nil so it does not help correct processes to commit a value.

After time t, we enter synchronous period and p3 is now able to communicate in timely and reliable manner with other correct processes. p4 is still sending nil so p1, p2 and p4 keep proceeding in rounds and in parallel they are helping p3 to catch up. Note that although other correct processes are in higher round and we have common exit condition at consensus layer that allow processes to jump ahead, at the gossip layer we always send a message from the peer current round. So p3 will receive messages from round 0, and he will in the worst case wait for at least TimeoutCommit before moving to round 1. Timeouts are being increased with rounds so round synchronisation gets slower with increasing rounds. Can we guarantee that in this scenario p3 will be able to catch up with other correct processes so we can decide? Furthermore, how long in the worst case we will need to wait before this happens? Is it a problem if this is order of minutes for example. During this time period we are not delivering blocks although network is synchronous.

[melekes]

[ebuchman]

yahoo!

So p3 will receive messages from round 0, and he will in the worst case wait for at least TimeoutCommit before moving to round 1.

I think you mean TimeoutPrecommit.

But I think you're right - the linearly increasing timeouts and the fact that nodes will have to wait for the TimeoutPrecommitWait on their way through (even if its synchronous period!) means we might not be able to catch up.

Note if there was a polka somewhere, and we're just missing the catching-up node's Precommit, then when he gets to that round he should be able to cause the Commit. But if there was never a polka, then they may never catch up.

Seems there are two approaches to dealing with it:

• super-linear timeout increases
• round skipping

I think we should be able to safely implement the round skipping.

[ValarDragon]

I'm confused as to why round skipping is safe. A Byzantine subset would be able to convince you to skip rounds, and then you'd wouldn't round regress to sign the lower round everyone else on the network is actually at. (Unless round skipping requires seeing every in between block proposal. But if an attacker controls 2 consecutive block proposals this could still happen)

Super linear timeouts sounds safer to me.

[milosevic]

Skipping to a higher round requires seeing at least single message from a correct process, i.e., at least f+1 voting power equivalent messages. So Byzantine subset can't force you to skip rounds. With round skipping we have faster catchup, so also possibility to commit next block faster once we are in synchronous period. The issue with round skipping is how to implement it at the gossip level without creating additional attack surface as currently we only send messages to a peer from the peer current round (we never send messages from higher round even if we are in the higher round).

[ebuchman]

super-linear timeout increases

Doesn't #2540 mean this actually won't help?

Can we guarantee that in this scenario p3 will be able to catch up with other correct processes so we can decide?

From the looks of it, we don't send the proposals/block parts for all the rounds (only once we're on the same round), but we do send all the votes, in order. In the worst case, with empty blocks and where there's never a polka, and according to the changes in #2540 , we will also have to wait all the timeouts, in order. I think this means we can't guarantee p3 can catch up. Does that sound right? We should definitely try to write a test for this, though it might be hard to replicate the worst-case scenario, so the test might not distinguish "never" from "slow".

If this is true, we need to fix it.

The issue with round skipping is how to implement it at the gossip level without creating additional attack surface as currently we only send messages to a peer from the peer current round (we never send messages from higher round even if we are in the higher round).

Maybe instead of "round skipping" we can just send precommits for the peer's round, and not the prevotes. It might still be slow, but at least in this case the catching up peer only needs to receive the precommits. But would it still need to wait all the timeouts?

[milosevic]

Doesn't #2540 mean this actually won't help?

This is exactly the reason why Precommit related rules are not conditional on state. This gives us possibility to jump to a higher round and to immediately trigger timeoutPrecommit. The scenario to address is a process at round k and his peer at round k-x. In this case, from the consensus point of view (after #2540), nothing prevents us to process immediately messages from round k and to jump to round k. The issue is at the gossip layer as it forces the peer to sequentially go through rounds. This means waiting for at least timeoutPrecommit every round (in the worst case timeoutPropose+timeoutPrevote+timeoutPrecommit), which essentially means that round skipping is not supported. I was thinking about having more flexibility at the gossip layer where a peer could define number of higher rounds from which he will be fine to receive messages without disconnecting. Then we could support round skipping.

This is quite tricky to test at the unit test level. We can run small experiment with 4 Docker instances where one will be faulty (sending always Precommit and Prevote nil) and one process joining with some delay to simulate lagging behind. Then we can check when (if) it terminates. Maybe @melekes can help me to set up such experiment.