Implement checks amt_to_forward and outgoing_cltv_value acceptable ranges

[ariard]

Just implemented checks as described in rfc 04 Packet structure. Maybe we should check also against an older fee value as recommended in rfc 07 due to propagation delay, but if so need to log old fee somewhere?

[TheBlueMatt]

Looks like maybe the fake network tests are violating the rules somehow?

[ariard]

Yeah, it's the 6th send_payment in fake_network_test with a channel_outbound increase. I'm still digging to see if this case is right handle by get_route to generate first hop amount_msat..

[ariard]

Looking on how others implementations manage get_our_fee_base_msat, spec is unclear on what is the right way to do it.

[ariard]

Was a funny one to track :)
Amount msat in send_payment in fake_network_test were all false due to the way Router::handle_channel_update manages the msg. When this method receives a msg, it checks if it's a two_to_one or one_to_two one and completes DirectionalChannelInfo accordingly.
The problem is that cltv_expiry_delta, htlc_minimum_msat, fee_base_msat, as included in the message, aren't the policy that the source node will seen apply for its htlc but the policy it will apply for the other node policy. So we need to reverse.
If not, get_route uses this false information when adding node for Route and the final amount msat is inaccurate.
The fix is maybe a bit ugly, I think we can also fix it at route generation?

I wouldn't have fall on this if we didn't used get_our_fee_base_msat, I find it a little bit complex due to the channel_outbound case but I guess it's better than a magic default value of 1000 msat as lnd and c-lightning do.

90d626 is log stuff for NetworkMap, really useful for route bug tracking , but it's need network map fields as public so maybe not?

[TheBlueMatt]

These probably want pub(crate), not pub, and maybe a comment that they're only crate-pub for the logger's access.

[TheBlueMatt]

Hmm, can you move this check down past the existing channel_state.lock() call? It really sucks to lock, do a channel lookup, check something, unlock, then lock and do the same channel lookup again. That's likely to introduce strange races as well.

[ariard]

Done, but it's add a check to prevent the case of the HTLC being our payment

[TheBlueMatt]

Nice debugging, but sadly I think you came to the wrong conclusion. The way I read the second paragraph in https://github.com/lightningnetwork/lightning-rfc/blob/master/07-routing-gossip.md#the-channel_update-message reads to me like the original code here is correct and the issue is in the new check - fees/cltv_deltas are announced on the basis of the channel where the HTLC will be forwarded to, not the basis of which channel the HTLC came in on.

[ariard]

Yeah but seems that my code follows rfc 07 fee calculation : fee_base_msat + ( amount_msat * fee_proportional_millionths / 1000000 ) and the rfc 04 check : incoming_htlc_amt - fee >= amt_to_forward ? The amounts don't match as seen there, running cargo test fake_network_test -- --no-capture on my demo_bug_channelinfo_handling branch : https://0bin.net/paste/lixegfyl2cDb+n25#B9BdwQDf4pqNYa5S4dZuK6i1ZGM+OQMYqjIcMgSuilW

[ariard]

Yes, fees/cltv_deltas are based on the receiving node policy where the HTLC will be forwarded to, the issue is on the way handle_channel_update is recording the channel_update as one_to_two or two_to_one. When the node is one, and uses the one_to_two side, it has to use the two_to_one directional info and so the receiving node policy. That's this policy in ChannelInfo, i think, is inverted now.

[TheBlueMatt]

The information going into the channels map here looks right to me - its setting the fees on a channel on the entry that represents the outgoing hop (as indicated by it being the side with the src_node_id being equal to the node which signed the message). In order to be calculating the fee on the basis of where the payment is being forwarded to (ie if you route A -> B -> C, the fees paid are the ones that B announced for the B -> C hop) you'd need to change the check that was added to update_add_htlc.

[TheBlueMatt]

These are really awesome, but it sucks to add unused code cause it generates way more compile warnings. Honestly its probably worth adding a pub fn Router::log_network function to keep these around.

[ariard]

Why not use [allow(dead_code)] and [allow(unused_macros], seems that these attributes been there for avoid lint warnings ?

[TheBlueMatt]

Just adding allow(dead_code) doesn't resolve the issue - the point is that code should be used or it won't be kept up-to-date and probably doesn't belong in the repo at all.

[ariard]

travis failures on fuzz part due to amount in/out fee required mismatch, what is test:test_no_existing_test_breakage? it's calling handle_update_add_htlc somewhere?

[TheBlueMatt]

The new full_stack_target test tests that existing fuzz test cases aren't broken by changes in behavior. This is mostly for my tracking so I know what bits to not take until I want to restart fuzzing on all new test-cases. It will break generally when you add new feerate requests and new checks like this. If you don't feel like fiing the test case that's written out there that's find, I'd generally be fine merging things that comment it out and then fixing it myself.

There is another issue here that I forgot about - if we let routing fees charged float with network fees (which I think is prudent, but may be more complexity than its worth) then we have to pay close attention to when those fees change and send channel_update messages when the feerate info causes us to change our feerate, which is hopefully not too often.

[TheBlueMatt]

This is still wrong - we should be doing the fee checks against the place we're sending the payment (ie pending_forward_info.short_channel_id ie the channel that is looked up in the next if statement.

[TheBlueMatt]

The information going into the channels map here looks right to me - its setting the fees on a channel on the entry that represents the outgoing hop (as indicated by it being the side with the src_node_id being equal to the node which signed the message). In order to be calculating the fee on the basis of where the payment is being forwarded to (ie if you route A -> B -> C, the fees paid are the ones that B announced for the B -> C hop) you'd need to change the check that was added to update_add_htlc.

[ariard]

Aaaaah finally got it! After reading again and scrupulously this time the rfcs and lnd, c-lightning codes! Sorry for the lost time, i was perpexled at first i think by the channel_outbound estimation thing case and from then, misjudged all the rest.. At least i've seen the Router internals.

For the routing fees coupled on network fees I think that's an issue with FeeEstimator implementation to avoid too much channel_update messages. We should warn it to have an update limit for a given window time and not necessarily to echo all network fees moves (but don't know algorithm fees so surely harder to implement than to describe I guess).

[ariard]

I commented out the new fuzzing case, will dig into the fuzz tools and set it up on my environnement soon, need to understand this too

[TheBlueMatt]

Because you have a "let" here, fee is always 0 in the next if statement. Also, the pending_forward_info.onion_packet.is_some() check above is duplicative with this - if next_hop_data.hmac is 0s onion_packet is always None.

[TheBlueMatt]

Hmm, it seems weird to put the logger in log macros and then expose all these things, maybe just implement Display for these types directly instead of going through the indirection?

[ariard]

Updated, with Display trait on networkmap structs.

[TheBlueMatt]

Cool, thanks, will take as #125.