-
Notifications
You must be signed in to change notification settings - Fork 491
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
clarification: when does max_accepted_htlcs apply? #745
Comments
fwiw, seems you addressed it in LND by running validateCommitmentSanity earlier lightningnetwork/lnd#3910 |
Yup, just need to see that everyone agrees Ping @t-bast , I think this could be a topic of discussion at a spec meeting. Of course if this is the obvious behavior, then there's nothing to talk about. But I think we should all agree on exactly when it applies. |
Agreed, we've all spent some time on this recently, so it would be nice to summarize that. |
@t-bast Forgot to attend the meeting, could be added to the next meeting agenda |
That's my understanding too that Alice's RAA in step 6 irremediably drops settle/fail HTLC from her commitment transaction and as such Bob is free to forget about it. At least this is what RL is doing : https://github.com/rust-bitcoin/rust-lightning/blob/84967faf52b992206176e58020dfed80b1093c35/lightning/src/ln/channel.rs#L2562.
+1 to clarify the spec on this point. AFAICT, the two excerpts you're mentioning aren't saying when a counterparty is supposed to drop a settled/failed HTLC otherwise a HTLC sender could prune out the number of HTLCs announced to remote as soon as |
Just to make sure we're on the same page -- Bob must validate that Alice's next sig "covers" this removed HTLC otherwise invalid commitment sig occurs.
Yeah so I guess the spec doesn't specifically mention that.
We do some pre-validation when receiving an htlc to make sure it doesn't bypass max_accepted_htlcs, but we may need to rework this because atm we assume that a RAA won't occur after an add but before a sig in this specific case of pre-commitment validating max_accepted_htlcs. |
Yes, this is my understanding too. If you ever end up constructing a commitment tx which has more than max_accepted_htlcs, your peer has violated the constraint. Thus, you could choose a more conservative approach when sending, if you wanted, but not when receiving. Side note: option_simplified_commitment fixes this, of course :) |
I don't think step 6 is valid? You haven't acked the removal yet, so you'd be over. You're allows in the spec to validate either as-you-go or defer to when you receive commitment_signed, but it has to be valid both ways! |
At least we will reject it, so I'm gonna call it invalid :) |
Ah I see, then step 6 would be invalid and lnd has the correct behavior for this case |
Is the validate as-you-go point explicit or implicit in the spec right now? If it's implicit, might be good to have it explicit? |
Actually, I was wrong: we have that language for update_fee (...
Which AFAICT is where everyone checks anyway. |
This came up in lightningnetwork/lnd#3910. If we have two parties Alice and Bob who exchange the following asynchronous state updates:
where the add Alice sends in step 1 gives Bob the max htlcs once locked-in, then is the add that Alice sends in step 7 allowed? My rationale for allowing it is that the settle/fail in step 2 will make room for the add in step 7. Alice's next signature for Bob that covers the add in step 7 must also cover the settle/fail and thus make room on Bob's commitment transaction (in the end Bob will have max htlcs).
There are two places this is mentioned in the spec:
and
Since both passages are concerned with the effect on the commitment transaction, which is the hard constraint here, I think allowing the add in step 7 is appropriate and therefore the correct behavior. If an add is sent in step 8, however, that should be rejected as this would overflow Bob's commitment. Thoughts?
The text was updated successfully, but these errors were encountered: