20:09:29 #startmeeting 20:09:29 Meeting started Mon Aug 3 20:09:29 2020 UTC. The chair is t-bast. Information about MeetBot at http://wiki.debian.org/MeetBot. 20:09:29 Useful Commands: #action #agreed #help #info #idea #link #topic. 20:09:45 #link https://github.com/lightningnetwork/lightning-rfc/issues/792 20:10:00 Here is the (tentative) agenda for today, don't hesitate to suggest something 20:10:29 A bunch of small PRs that shouldn't take too long and then the usual long standing issues ;) 20:10:43 #topic Harden cltv_expiry_delta recommendations 20:10:51 #link https://github.com/lightningnetwork/lightning-rfc/pull/785 20:11:26 The discussion has made good progress on the PR, IIUC the only thing you'd like me to change is to revert the default back to 9 (instead of 18) in Bolt 11 for backwards-compat? 20:11:30 Tiny nit on changing the default: that change is redundant if we make the field mandatory, and would automatically make all existing nodes non-compliant 20:11:48 so default and recommened? 20:12:12 Yep, just for cleanliness' sake, make the field mandatory, but keep the old default if a node doesn't specify it 20:12:28 (mandatory but not enforced that is) 20:12:32 fwiw lnd always includes our value explicitly, as has for soem time I think 20:12:35 we now say that implementation MUST specify this field in invoices, so I don't really know what to do with the previous suggestion of a default of 9 20:12:45 isn't it backwards compat to assume a new higher default? 20:12:57 Note that the 18 *is* backwards compatible, since you can always set more than they ask. 20:13:01 in that if they want 9, and we send 18, that should be ok assuming it's in their tolerance 20:13:06 Oh right, nevermind then ^^ 20:13:08 I agree with roasbeef, even if nodes accept 9, sending them 18 is always better, right? 20:13:09 but sending a lower would be a no go ofc 20:13:10 roasbeef: snap. 20:13:13 it's backwards compatible on the sender-side, it's not on the receiver side 20:13:20 In that case we don't need to make it mandatory either, do we? 20:13:33 the sender can always use a higher value, the receiver must continue to accept lower values if the sender still uses 9 20:13:46 it's better to be explicit in the invoice instead of relying on a magic value in the spec IMHO 20:14:00 agreed, but i always agree with decker that we can't change the assumed default 20:14:00 exactly like bitconner says 20:14:01 the policy doesn't change on the receiver side, is just a recommendation on the sender-side 20:14:11 bitconner: that's why it's mandatory, for sender though, at least until some magical day... 20:14:30 rusty: yes i think that's all we can do 20:14:31 receivers will now have it specified in their invoice so they don't care 20:14:49 Hm, you're right, there is no clean solution. I'll retract my comments 20:14:52 t-bast, they have old invoices which don't 20:15:02 but these old invoices expires after 1 hour 20:15:07 so it's ok, right? 20:15:07 they might* 20:15:17 you can set longer expirations :P 20:15:28 do you use long expirations? 20:15:31 c-lightning will also set the field fwiw 20:16:05 i personally don't, but there are users that do 20:16:15 if we all already set this field, then there's probably no need to worry about backwards-compat; in that case we could completely remove the recommended default of 9 from the spec and don't recommend any default? 20:16:20 cdecker: not if it's actually 9... 20:16:38 yeh we also recently had to tighten up our config validation to ensure a user can't set a value lower than the existing default (of 9) 20:16:54 t-bast: no, if someone actually sets it to 9 we will omit it :( 20:16:58 roasbeef: our validation now requires all user-chosen CLTV values to be at least 18 20:17:00 but really isn't two different things what you write inside the invoice and how do you reject HTLC when they arrive at last hop? 20:17:20 rusty: daaamn, then I'll just put back 9 in there and it should be good? 20:17:29 t-bast: no, I prefer 18 :) 20:17:56 I'm lost on who prefers what now :D 20:18:12 I mean, it's not critical, but 18 works too and is more sensible? 20:18:17 ariard: but this one you reject based on what's in your invoice since you're the recipient 20:18:21 We do need some default value unf. 20:18:44 imo there's no need to change the assumed default, it can stay at 9 20:18:53 My preference is to put 18 for future implementers that don't have backwards-compat requirements (for example electrum and rust-lightning) 20:19:13 So that we don't have an unhealthy recommendation lingering in the spec 20:19:34 But that's nit TBH so I can settle for 9 if the majority prefers that 20:20:08 perhaps we can just note that the goal is to ultimately remove the assumed default entirely 20:20:27 (same should be done for expiry tbh) 20:20:43 bitconner: yeah, we can simply note that you assume X if not specified, for backwards compat with old spec mistakes... 20:21:30 bitconner: I could do something like that: "Default is 9 if not specified (for backwards-compatibility with old nodes)" 20:21:37 t-bast: but IIRC the spec doesn't require you to reject HTLC as final hop based on invoice non-compliance, it might not even has one (spontaneous payment) 20:22:23 ariard: true, but it's for your own safety that you want to check that value (but I agree that it may come from your internal configuration instead of the invoice, but having it in the invoice lets the sender know what value they should use) 20:23:09 ariard: keysend are clearly an issue in that regard: we don't know what final_expiry to use (it should be added to node_announcement in an extension tlv or something) 20:24:44 for keysends we just check that the final ctlv is greater than our go-to-chain delta 20:24:48 t-bast: really I think that's 2 different parameters, minimum cltv_expiry is a safety measure to avoid someone easily double-spending the HTLC, beyond and what should be in the invoice is an application-specific one on how much block parties let them to come to resolution 20:24:51 Doesn't accepting payments with the wrong final CLTV open you up to probing for being the last hop? 20:25:06 t-bast: actually, I am swayed by the idea of making 18 the default because keysend. 20:25:07 like delayed HTLC 20:25:33 cdecker: not an issue anymore with payment_secret ? 20:25:45 Righto 20:26:44 ariard: I don't understand, we're talking about `min_final_expiry_delta` right? Can you clarify? 20:28:20 rusty: default on invoices? there are no invoices in keysend? 20:28:37 bitconner: yeah, but it's a nudge in the right direction :) 20:28:48 if it's just a sender-side default that is easy, but doesn't need to affect BOLT 11 at all 20:29:11 Like, "FFS, just use 18 if you don't know what to use" matches our advice on the recipient side... 20:29:23 bitconner: I think the goal is that this way senders will use 18 for keysend - for example I believe lnd uses 13 instead of 9 today for keysend 20:29:51 rusty: YES, the goal is to say: just use a high enough values when in doubt, because it's not harmful in any way 20:30:09 t-bast: right, but why if upgraded nodes just send 18 by default as sender, it's above old minimal cltv_expiry and is going to be accepted by non-upgraded? 20:30:11 why does 9 vs 13 matter? 20:30:29 fwiw lnd pads the cltvs in the path with and extra 3 blocks, so 18 -> 21 20:30:54 I agree with bitconner, doesn't need to affect BOLT 11, implementations should reject invoices with values under 18 20:30:58 ariard: yes they're going to be accepted by non-upgraded since the check is `actual_ctlv_expiry > my_expiry_from_invcoie` 20:32:07 bitconner as an aside: does lnd also insist on receiving the +1 we add for the case a block is found in the meantime? I found that if I send with a final cltv of 9 (which is the current default) some nodes would reject, but not if I do the courtesy +1 20:32:12 bitconner: simply that if I try to send you a keysend with the default recommendation of 9, will you accept it? your code makes it look like you won't because you want 13 20:32:53 bitconner: but I just skimmed through it, I'm probably wrong 20:32:54 cdecker: we do a courtesy +3 blocks, as block processing can be really slow on shitty devices 20:33:11 interesting, we only do a +1 courtesy on eclair, maybe we should bump that 20:33:17 cdecker: we add a few blocks in case blocks are found while the htlc is in transit, yes. but it is only done by the sender, nothing changes on the receiver side 20:33:18 That's on the sender side though ariard, correct? 20:33:38 ariard: lnd also does +3 20:33:55 cdecker: yes, on the sender-side, you don't have issue on the receiver-side to be in the future? 20:34:01 Hm, still hunting for the implementation that didn't add a final cltv to its invoices and was insisting on getting a 10 instead of a 9 20:34:26 t-bast: i'm pretty sure we'll accept it with 9, but i'd have to double check on that 20:34:28 I think we're in bikeshed territory. We need to specify a (deprecated) default, and 9 and 18 are the obv. Can we have a straight up vote? 20:34:57 sgtm 20:34:58 (TBH I don't really care, it's not worth delaying this PR for either value!) 20:35:07 18. 20:35:10 * cdecker votes for 18 being the default, and making the field mandatory for future implementations 20:35:26 yes let's vote, I vote for 18 20:35:27 rusty: I think people disagree on scope should 18 be both on a) mimimal_cltv_expirty and b) on invoices? 20:35:34 (i.e., keep it as the PR proposes) 20:35:48 if it just minimal_cltv_expiry, I vote 18 20:35:56 i'd say 9 because bolt 11 is one of the most widely implemented parts of lightning, and there's no need to change something we're going to delete and is obsoleted by just setting an explicit value 20:36:29 (which we're already doing anyways) 20:36:43 but only the encoding/decoding part is what's implemented very widely, not this check which is really when constructing the onion and paying, right? 20:36:58 bitconner: because it's widely implemented I'm not sure we're ever going to be able to remove default... but I mildly prefer a consistent "TL;DR: use 18". 20:37:14 well when we update, all the wallets do essentially 20:37:20 bitconner: why not un-tie final_cltv_expiry verification from invoices matching at HTLC reception ? IIRC lnd does this, but post-payment_secret not an issue anymore ? 20:37:42 or at least removing the cltv_expiry requirement for invoices post-payment_secret? 20:37:55 18? 20:38:40 ariard: why so? certain payment might require longer timeouts, like if the payment is composed with external protocols 20:39:07 (yes, I specifically have a Bwahahaha plan for using longer values!) 20:39:25 yeh or if it's been excessively sharded and all needs to be resolvd on-chain 20:39:35 +1 for keeping the `c` field in the invoice 20:39:41 I'm seeing only one vote for 9...? 20:39:55 just doesn't realistic to update the assumed default at the same time we are changing to say you have to set an explicit value without breaking things 20:40:16 bitconner: is it breaking though? ppl that accept and/or are expecting 9 should also accept 18 right? 20:40:29 up to the max cltv limit 20:40:39 it is breaking if the receiver starts to assume 18 while the sender is still assuming 9 20:40:57 mhmm, so all receivers that assume 18 should also set the value explcitily in the invoice 20:41:08 bitconner: they can't do that, since spec says they *have* to set it? 20:41:32 rusty: there is still a transition period, the spec doesn't instantly update all deployments :) 20:41:38 roasbeef: exactly, it's not breaking anyone. If you're before that change, you will accept 9 when receiving. If you're after that change, you will specify a value in your invoice so even old senders will comply. You will send a higher value than necessary to old receivers. The only issue may be with your pending invoices 20:41:52 t-bast: yep 20:41:54 bitconner: you're right that's an application-check, but overall sems to me we should remove this change to require an explicit value 20:42:12 bitconner: no, old deployments will write nothing IFF it's 9. In which case, reader assuming 18 works., 20:42:16 ariard: agree 100%, it's just a matter of staggering the deployment 20:42:18 there may be some outlier wallets like BLW (idk how active they are anymore), but for the most part we should be able to deploy the change smoothly 20:42:34 rusty: not if you read your own invoice 20:43:19 anyway, if people want to change the spec to 18 that's fine 20:43:21 the only trick in implementation is that if you read your own invoice and it didn't specify anything, you'll want to accept 9 for a while, just until those invoices have expired 20:43:33 have expired or been paid 20:43:33 bitconner: you mean create an invoice pre-upgrade, read it post upgrade and interpret it differently? I cannot think of a case where that will be a problem (at least, for c-lightning) 20:43:40 just saying it probably won't land in lnd overnight bc of the rollout 20:44:13 it takes 2 releases to do it perfectly cleanly, but that shouldn't prevent us from changing it in the spec I think 20:44:43 t-bast: doesn't that prove that it is not backwards compatible? the fact that you have to wait for them to expire? 20:45:09 bitconner: no it doesn't! 20:45:26 bitconner: because it's on the receiver side that you do that trick, the spec specifies this default for the sender side 20:45:48 bitconner: because as a receiver you now MUST set it explicitly 20:46:04 i don't see that distinction? the default is being set in the field description, which i assume applies to both parties 20:46:22 bitconner: you just allow your implementation to carry over some left-over from things created before the release, which is expected 20:46:38 i see, it is actually specified in two palces 20:46:41 places* 20:47:13 like i said, if we want to change to 18 that's fine. it is all moot if we are setting explicit values 20:47:28 idk how much more time we should spend on this tbh 20:47:45 great! so are we good to go with the current state of the PR? 20:48:01 or do we want to have another look and sign-off on github later? 20:48:50 t-bast: approved! Kill me now (or at least get some more coffee...!) 20:48:57 i'll take a last look on github 20:49:12 sgtm 20:49:27 #action bitconner and t-bast to finalize on github 20:49:47 #topic ChaCha20 RFC correction 20:49:50 #link https://github.com/lightningnetwork/lightning-rfc/pull/763 20:50:09 So the RFC we've been linking to for ChaCha20-Poly1305 is obsoleted by another one 20:50:14 lgtm 20:50:16 There are a few erratas as well 20:50:28 Ack. 20:50:40 Couldn't find anything that'd impact us 20:50:40 There's no change in any implementation in the new RFC, so what we're doing today should comply with the new one 20:52:36 yeh prob just best to link to the latest stuff, tho i don't see chacha really changing much at this point given msot ppl have pretty standarized libs 20:53:16 agreed, it just feels better, we won't have people twitting that LN is using insecure, obsolete crypto xD 20:53:33 shall we apply? 20:53:53 (They added a third round, it's now ChaChaCha... turns out ChaCha was no more secure than single-cha!) 20:54:00 t-bast: yes. 20:54:33 roasbeef/bitconner? 20:54:51 oui 20:54:58 approved 20:55:06 nice! 20:55:11 #action merge PR 20:55:22 #topic Uppercase invoices 20:55:24 #link https://github.com/lightningnetwork/lightning-rfc/pull/677 20:55:48 ack 20:56:47 this PR simply makes it explicit that uppercase invoices are ok, since it's more efficient to use in QR codes and wallet usually do that 20:57:03 Yes, more test vectors good. And they pass, so.... 20:57:05 I believe everyone already does that 20:57:59 hmm yeh dunno we don't have QR code in lnd, but I _think_ wallets on lnd do use upper case? 20:58:18 we also had a PR to lnd to "fix" what we had as a max invoice size given what can be actually encoded in QR code 20:58:24 why is calling toLowerCase before calling bolt11.decode insufficient/ 20:58:25 ? 20:58:54 doesn't seem strictly necessary to have this in the spec but either way works for me :) 20:58:55 bitconner: technically you don't have to handle mixed case? The orig bech32 code enforces only one case at decode time. 20:59:06 bitconner that's an implementation detail, but you should accept upper case ones 20:59:13 bitconner: yeah, the modified test vector is more important IMHO. 20:59:50 sgtm 21:00:25 allright, let's apply! 21:00:28 Yeah, ack from me. 21:00:45 ACK 21:00:53 #action Merge #677 21:01:09 #topic Anchor outputs (landing soon!) 21:01:21 #link https://github.com/lightningnetwork/lightning-rfc/pull/688 21:01:35 I think we cleared that last outstanding question on anchor outputs regarding closing fees 21:01:40 I've been slack on testing... we also need closure on.... um.. closing? 21:01:43 johanth are you satisfied with rusty's answer? 21:02:08 I've been able to test all normal operations and force-close scenario with lnd last week 21:03:06 Yeah, that makes it clear 21:03:20 rusty: damn, there's a conflict in #677, could you fix it and re-push? 21:03:23 t-bast: do you have a node I can test against? 21:03:28 t-bast: will fix... 21:04:02 (BTW, 024b9a1fa8e006f1e3937f65f66c408e6da8e1ca728ea43222a7381df1cc449605 my node is running --experimental-features, so has anchor output support) 21:04:04 rusty: I can get probably it deployed on our testnet node next week 21:04:35 rusty: otherwise eclair at that commit has full support: https://github.com/ACINQ/eclair/pull/1501 21:04:47 t-bast: OK, but anyway if you two have interop I'm happy to ack this! 21:04:48 rusty: but you may not want the JVM near your machines xD 21:05:14 We still have the closing fee to fix, it's the only remaining thing that still doesn't match between eclair and lnd 21:05:22 Will need to update the feature bit and the coop close fee computation, otherwise it think we are there :) 21:05:35 johanth do you think you can have something ready soon with that fixed? Once you do I can do interop testing 21:05:50 Yeah, can have it tmrw probably 21:06:10 oh great, we'll be able to finalize this quickly, let me know over slack when you have a branch I can use! 21:06:21 :+1: 21:06:42 #action johanth and t-bast to finalize interop tests this week 21:07:18 Do you want to discuss one last topic? Or shall we call it a day? 21:08:09 i have some time 21:08:24 know it's late for europe folks tho :) 21:08:33 rusty: If you do have a bit of time to laying out your ideas on better RBF/package relay there : https://github.com/bitcoin/bitcoin/issues/14895, that's welcome :) 21:08:35 (Aside #1/2: I found someone to hack on ln.dev, first I'd like to create a spec features vs major releases matrix for my own reference, so features.ln.dev or something...) 21:08:36 What topic do you want to chat about? 21:08:54 sipa was describing an idea of yours to stagger cheap replacements 21:09:12 oh yeah doing a bit of package relay is a great idea, let's bridge layers 21:09:15 (Aside #2/2: I am supposed to be giving a live thing on lnprototest in ~24 hours) 21:09:41 rusty: nice! tweet the link, we'll watch ;) 21:11:03 t-bast: I think we agree on a "few core assumptions that need to remain "loosely true" 21:11:47 like stable policy rules, and being sure they're not changed under our feets 21:12:42 Yeah, I figured that's what we were both thinking. What do you think of my suggestion of only allowing much smaller packages in mempool? 21:13:17 I can't see the usecase for allowing very long chains of unconfirmed txs in the mempool, I believe that complexity could shift to clients instead of having nodes take that burden 21:13:31 But I'm likely missing use-cases 21:13:49 t-bast: ah, we included an upper-case test-vector in another cleanup. So removing from PR. 21:14:18 rusty: got it, that's why I already had a slightly different uppercase test vector in my test suite! 21:14:25 t-bast: I'm more worried with absolute-fee-but-lower-feerate obstrucating package rather than irreplaceable packages due to limits 21:15:44 and I verify bip 125 rule 5 recently, you will hit first ancestor/descendants limits before to reach 100 descendants case 21:16:06 unless an intentional reorg, where these limits aren't applied 21:16:45 ariard: I think we need to fix both, but I was under the impression that people felt the absolute-fee-lower-feerate rule would not be too hard to lift, that's why I wanted to mention the other painful rule 21:17:11 t-bast: #677 rebased. 21:17:44 rusty: great, even more no-brainer to apply, I'll do it right now 21:20:03 ariard: what scenario uses big unconfirmed packages? 21:20:29 t-bast: potentially ctv type stuff, or anything that uses large transaction trees as part of the protocol, like duplex potentially 21:20:33 ariard: though big is vague, I only mean in number of distinct txs 21:20:38 t-bast: iterative batching where you reuse a change output to bump new spends but I think no exchange does it 21:20:45 or if ppl start using new crazy commitment schemes after some form of dynamic ocmimtment stuff is rolled out 21:20:51 roasbeef: but does CTV require these long chains to all be in the mempool? 21:20:53 also not sure what bitmex's withdrawl transaction looks like 21:21:01 t-bast: depends.... 21:21:13 roasbeef: I was under the impression that the client could get these txs locally and then broadcast batches by batches as some confirm 21:21:20 yeah it's really depends how people design this-not-yet existent things 21:21:32 but you may use the anchor trick of 1 CSV to avoid issue 21:22:08 airard: this could potentially be long but it will likely only use a few txs, it doesn't need a chain of 100 of them right> 21:22:39 t-bast: wrt to absolute-fee lifting I think it would work, but not the RBF-pinning resolution as proposed by Suhas I think 21:23:37 you mean the explicit flag he suggests wouldn't work? https://github.com/bitcoin/bitcoin/issues/14895#issuecomment-665969902 21:24:22 t-bast: you can still obstrucate at the commitment-level, like using old commitment with lower-feerate higher absolute-fee 21:24:33 this proposal requires us to go in the direction of pre-signing both sides of the HTLC outputs (claiming from the remote commitment will need to be done from a pre-signed tx) 21:24:40 so lifting the rules need to apply on oldest ancestor too, not only children 21:25:30 t-bast: no? even a malleable HTLC if low-feerate with such rules would be rejected 21:26:22 you mean it wouldn't work either way (even if we pre-signed)? 21:27:25 I didn't realize I forgot to end the meeting, looks like we're the only ones discussing this so let's stop recording 21:27:29 #endmeeting