RFC: TxSize.MaxBytes consensus parameter

[melekes]

"consensus_params": {
    "block_size_params": {
      "max_txs_bytes": "22020096",
      "max_gas": "-1"
    },
    "tx_size_params": {
      "max_bytes": "10240",
      "max_gas": "-1"
    },
    "block_gossip_params": {
      "block_part_size_bytes": "65536"
    },
    "evidence_params": {
      "max_age": "100000"
    }
  }

Right now, in consensus params we have TxSize.MaxBytes, which is supposed to limit the size of a single transaction. It's enforced in the mempool (>= 0.24.0), but not in the consensus when we validate a block ("A proposer running different mempool code could include txs larger than TxSize.MaxBytes".)

There are two ways we can go:

1. Enforce TxSize.MaxBytes in the consensus.
2. Get rid of TxSize.MaxBytes and use BlockSize.MaxBytes & TxSize.MaxGas to limit transactions.

1) Enforce TxSize.MaxBytes in the consensus.

This gives you more control as you can have different values for tx / block maximums (e.g., TxSize.MaxBytes: 1KB and BlockSize.MaxBytes: 10MB).

NOTE: we can allow -1 for unlimited transactions (~ up to BlockSize.MaxBytes).

Questions:

• Is it worth it? What if we remove it? Will it make Tendermint-based networks more fragile to DDOS where an attacker floods the network with large transactions (tx size ~ maximum block size)?

2) Get rid of TxSize.MaxBytes and use BlockSize.MaxBytes & TxSize.MaxGas to limit transactions.

This reduces the surface area (number of config parameters). Other blockchains seems to be doing fine with tx gas (TxSize.MaxBytes) and block max size (BlockSize.MaxBytes).

===========

Original discussion: #2184 (comment)

[ValarDragon]

I've thought about this a bit more since my original comment in the linked thread. Having TxSize.MaxBytes as a mempool config feels like a bad idea to me. This is basically a p2p config that everyone has set, so it is in effect blocking these large txs from ever getting through. (To communicate a way for you as a validator to accept these large txs would directly link who your sentries AFAICT)

Suppose now you have a valid reason for having a significant numbers of txs all greater than the current max tx size. (Multisigs + Multimsg txs) Your only recourse is to appeal to governance to please change the default. However its not a consensus parameter, so most full nodes / tx relayers are unlikely to adapt this change from a request to update the defaults. (Their only incentive to do so is if the gas is sufficiently large, which they can't determine since the tx is deleted before any "priority" function is called) However if this came from the application to change a consensus parameter, then our default / expected implementations would be to only reject txs based on size only if they are over the tx size limit. Its reasonable to expect full nodes to change if it was a consensus parameter, since this is the definition of the tx being valid or not.

[vrde]

TL;DR: get rid of TxSize.MaxBytes.

The maximum size of a transaction should be managed by the validation logic of the proxy application.

@ValarDragon made a good point:

Your only recourse is to appeal to governance to please change the default.

This would be really painful to deal with and it would require restarting the network. On the other side, if the parameter is managed by the app, it can be managed on chain, and it can be changed dynamically using some kind of transactional election process without the need to restart anything.

[ebuchman]

I'm in favour of letting applications handle this so we can reduce the surface area on the Tendermint side. I would vote for Tendermint to have no explicit tx limits (neither bytes nor gas), but to simply limit tx size/gas by the block - so the worst case is a block with a single massive tx.

Of course, apps can still limit tx gas/size on their end.

Also note that the mempool must have an upper bound on message size - it's currently hardcoded to 1MB but perhaps we can make it dependent on the block size (ie. it should be the max size of data for the block)

[ValarDragon]

I like the idea of having this then done within the application. (Note that consensus params can also be changed via governance as well @vrde, though I'm unsure if were supporting this at launch)

I expressed somewhere, I forget where, concern for allowing invalid txs to go through an amino decoding when too big. Upon further thought, this seems entirely unreasonable to worry about, as in the same exact threat model you can force a signature verification which is absolutely going to take longer. (If not, something has gone horribly wrong within amino)

[melekes]

though I'm unsure if were supporting this at launch

we do.

as in the same exact threat model you can force a signature verification which is absolutely going to take longer

exactly

[melekes]

If we're leaving this up to the ABCI application, should we still have a mempool.tx_max_bytes in config.toml as additional level of defense?

[milosevic]

From the consensus point of view we work with blocks of transactions, so it does not seem correct to have TxSize.MaxBytes as a consensus parameter. So I would suggest to remove it from consensus parameters. On the other hand, we probably want to constrain max message size at the Mempool level. Especially with the current Mempool algorithm it could easily saturate network and make it completely unusable. I am wondering if dealing with large transactions should be differently treated at the Mempool level; for example, we don't gossip whole transaction but we split it into parts and gossip parts, the similar way we gossip BlockProposal. Also we will have soon analysis of alternative Mempool gossip algorithms ready which might change perspective a bit.