Post
%22%3E%3Crect%20x%3D%220%22%20y%3D%221%22%20width%3D%221%22%20height%3D%221%22%2F%3E%3Crect%20x%3D%220%22%20y%3D%224%22%20width%3D%221%22%20height%3D%221%22%2F%3E%3Crect%20x%3D%221%22%20y%3D%221%22%20width%3D%221%22%20height%3D%221%22%2F%3E%3Crect%20x%3D%221%22%20y%3D%224%22%20width%3D%221%22%20height%3D%221%22%2F%3E%3Crect%20x%3D%222%22%20y%3D%220%22%20width%3D%221%22%20height%3D%221%22%2F%3E%3Crect%20x%3D%222%22%20y%3D%222%22%20width%3D%221%22%20height%3D%221%22%2F%3E%3Crect%20x%3D%222%22%20y%3D%223%22%20width%3D%221%22%20height%3D%221%22%2F%3E%3Crect%20x%3D%222%22%20y%3D%224%22%20width%3D%221%22%20height%3D%221%22%2F%3E%3Crect%20x%3D%224%22%20y%3D%221%22%20width%3D%221%22%20height%3D%221%22%2F%3E%3Crect%20x%3D%224%22%20y%3D%224%22%20width%3D%221%22%20height%3D%221%22%2F%3E%3Crect%20x%3D%223%22%20y%3D%221%22%20width%3D%221%22%20height%3D%221%22%2F%3E%3Crect%20x%3D%223%22%20y%3D%224%22%20width%3D%221%22%20height%3D%221%22%2F%3E%3C%2Fsvg%3E)
📅 Original date posted:2022-11-25
📝 Original message:
Good morning Antoine,
> It should be noted, this current reputation-credential architectural framework assumes credentials distribution at the endpoint of the network. However, the framework should be flexible enough for the credentials to be harvested by the LSPs, and then distributed in a secondary fashion to their spokes, when they need it, or even attached transparently thanks to trampoline. So one design intuition, there is no strong attachment of the reputation to the endpoint HTLC sender, even if the protocol is described in a "flat" view for now.
This seems incorrect.
If I am an LSP, and I know my competitor LSP distributes their credentials, then I can simply apply to be a spoke on my competitor and then make several payments to my node, which I then jam up.
This reduces the reputation of my competitor LSP.
This is even worse if my competitor LSP attaches their credentials on trampolines, I do not even need to apply to be a spoke on my competitor that way.
Thus in both cases the competitor LSP needs to have a similar way of ensuring that their spokes / trampoline requesters are not also trying to jam *them* in order to drain their reputation.
Thus all reputation still rests with ultimate senders, who have to convince LSPs to sell their reputation to them, because they might secretly be competitor LSPs who have incentive to drain their reputation.
If the price of sold reputation is too high, then it is no different from upfront fees.
If the price of sold reputation is too low, then I can drain the reputation of competitor LSPs.
Regards,
ZmnSCPxj
0
0
0
%22%3E%3Crect%20x%3D%220%22%20y%3D%220%22%20width%3D%221%22%20height%3D%221%22%2F%3E%3Crect%20x%3D%220%22%20y%3D%221%22%20width%3D%221%22%20height%3D%221%22%2F%3E%3Crect%20x%3D%220%22%20y%3D%224%22%20width%3D%221%22%20height%3D%221%22%2F%3E%3Crect%20x%3D%221%22%20y%3D%221%22%20width%3D%221%22%20height%3D%221%22%2F%3E%3Crect%20x%3D%221%22%20y%3D%223%22%20width%3D%221%22%20height%3D%221%22%2F%3E%3Crect%20x%3D%221%22%20y%3D%224%22%20width%3D%221%22%20height%3D%221%22%2F%3E%3Crect%20x%3D%222%22%20y%3D%220%22%20width%3D%221%22%20height%3D%221%22%2F%3E%3Crect%20x%3D%222%22%20y%3D%221%22%20width%3D%221%22%20height%3D%221%22%2F%3E%3Crect%20x%3D%222%22%20y%3D%222%22%20width%3D%221%22%20height%3D%221%22%2F%3E%3Crect%20x%3D%222%22%20y%3D%223%22%20width%3D%221%22%20height%3D%221%22%2F%3E%3Crect%20x%3D%224%22%20y%3D%220%22%20width%3D%221%22%20height%3D%221%22%2F%3E%3Crect%20x%3D%224%22%20y%3D%221%22%20width%3D%221%22%20height%3D%221%22%2F%3E%3Crect%20x%3D%224%22%20y%3D%224%22%20width%3D%221%22%20height%3D%221%22%2F%3E%3Crect%20x%3D%223%22%20y%3D%221%22%20width%3D%221%22%20height%3D%221%22%2F%3E%3Crect%20x%3D%223%22%20y%3D%223%22%20width%3D%221%22%20height%3D%221%22%2F%3E%3Crect%20x%3D%223%22%20y%3D%224%22%20width%3D%221%22%20height%3D%221%22%2F%3E%3C%2Fsvg%3E)
📅 Original date posted:2022-11-27
📝 Original message:
On 2022-11-25 13:12, ZmnSCPxj via Lightning-dev wrote:
> If I am an LSP, and I know my competitor LSP distributes their
> credentials, then I can simply apply to be a spoke on my competitor
> and then make several payments to my node, which I then jam up.
> This reduces the reputation of my competitor LSP.
I don't think this how Riard's credentials work. The credential tokens
are blinded, so forwarding nodes can't use them to determine the origin
of the payment---thus they can't assign blame.
As I understand them, credential tokens prevent DoS by each token only
allowing the one-time creation of a single HTLC, so any failed payment
reduces the sender's supply of tokens. That means, if Mallory becomes a
client of Bob's and Bob lets Mallory use some of his tokens, Mallory can
destroy those tokens. Although that's bad for Bob, he can easily limit
the damage by not giving Mallory more tokens after too many failures.
If Bob obtained his tokens at a low cost (e.g. by sending many payments
that were successful and receiving back >100% of the tokens he used to
make those payments) and if Alice has to pay a similar or greater cost
to become a client of Bob's (e.g. onchain channel open costs), then the
attack should not be economically rational.
> This is even worse if my competitor LSP attaches their credentials on
> trampolines, I do not even need to apply to be a spoke on my
> competitor that way.
I think the analysis for trampolines is the same: as long as Bob only
attaches credential tokens to trampoline payments where he knows the
origin has paid a cost (or will need to pay a cost) to abuse his
service, he can prevent any attack from becoming economically rational.
> Thus all reputation still rests with ultimate senders, who have to
> convince LSPs to sell their reputation to them, because they might
> secretly be competitor LSPs who have incentive to drain their
> reputation.
>
> If the price of sold reputation is too high, then it is no different
> from upfront fees.
>
> If the price of sold reputation is too low, then I can drain the
> reputation of competitor LSPs.
I think the statement at the top about reputation resting with ultimate
senders is true but two conditionals below it are not quite right. If
an LSP helps many clients make successful payments, those clients may
(at no additional cost to them beyond the forwarding fees they already
paid) receive more credential tokens than they'll ever need. By
allowing the LSP to instead use those tokens for other clients
("harvesting" them), it's possible for those later clients to avoid
paying for credential tokens---this is equivalent to free upfront fees.
As long as the LSP can prevent a client from using too many tokens, and
requires the client pay other inescapable costs, then it shouldn't be
possible for a competitor to substantially drain the token capital of a
LSP without losing a substantial amount of its own money.
-Dave
0
0
0