Trampoline Routing (2021 edition) (Feature 56/57) #829
Conversation
|
Hi @t-bast can you please link to |
https://github.com/lightningnetwork/lightning-rfc/blob/trampoline-routing-no-gossip/proposals/trampoline.md is the best way to read it (with github's markdown viewer). |
|
Regarding trampoline invoices: Do you suggest to create a new tagged field for |
|
@ecdsa the proposed spec has a new tagged field |
|
Yes, I think it's better to introduce a new one, tailored for trampoline. |
|
Very nice proposal, can't wait to see this in action. The onion A rationale that I couldn't find, but I think Acinq are using this for I just have the following points that I am still a bit unclear on:
|
This is true. However, attackers have no control on what channels will be used to relay with trampoline, so this would be a blind attack against the whole network rather than targetting specific nodes (which is still concerning).
I think we want to introduce a different, more flexible invoice routing hint. Let's explore the advantages and drawbacks of using the current routing hints (let me know if I'm missing important points there):
It's also important to note that to receive trampoline payments, the recipient still needs to upgrade his software to support trampoline onion decryption, so it's a good opportunity to implement a new routing hint format at the same time. The advantages and drawbacks of using new routing hints are:
To exemplify the argument that the design space for recipient privacy would be bigger, I've been toying with the idea of short-lived tor-like circuits between mobile wallet recipients and trampoline nodes. Obviously if Bob uses a mobile wallet with private channels, Carol and Dave know that he is the final recipient when forwarding payments to him (frequent IP address changes, offline most of the time, etc). Of course, this idea is very hand-wavy for now and has a lot of holes (and maybe route blinding works better and achieves the same results), so please don't poke at it too much yet, you will find issues, but that's not the point. I'm mentioning it because it shows how more flexible routing hints can provide a wider design space for recipients, which is important IMO. |
|
The current proposal adds a single new failure message, The current Eclair implementation seems to return |
The previous proposal had a It is true that we may rely on trial-and-error and the
I think the proposal should clarify whether the values returned in the error message are relative to the current payment, or independent of the payment. (note that I have a slight preference for fixed values. If these values depend on the payment, clients might have to do more trial-and-error in order to discover them, which might result in more htlcs flying around) |
If it does that, it's a bug. It should only do that for small payments to phoenix wallets that don't have enough incoming liquidity (and thus need a new channel opened on-the-fly). For other cases it should return I think the errors returned should be the following:
Of course, trampoline nodes may also use other errors such as
I decided to remove that mechanism because it wasn't working well: it's impossible to correctly estimate fees for all possible payments. It will force clients to overpay too often, or will still need a trial-and-error when you try to minimize the overpayment. I'm now more in favour of the trial-and-error approach, where I think this approach is the most flexible one: we should leave some room for implementations to make different choices, to ensure we have a diverse network. |
In practice, wallets will be compelled to include both I guess the data in |
Yes, that's true. And the transition period during which both will be required will likely last months (hopefully not years though as non-trampoline wallets will have an incentive to migrate to the new routing hints, even if they don't want to support trampoline). I think these new routing hints will solve a few issues that the current routing hints have, so people would upgrade to use them regardless of trampoline, and once that's done the size overhead will be somewhat negligible.
They will be different for cases where current |
|
It seems to me like this proposal should be split into two: one that
This looks like a new requirement to me, since the last trampoline
We can totally do that as well, however I think upgrading the
Is this not orthogonal to the original trampoline proposal? I don't
Reusing an existing error code seems wrong to me Overall I think two smaller proposals with a single feature being |
Sounds good, I'll keep the current PR open and up-to-date for people who want
I don't see any satisfactory way of doing that... That's why I want to avoid having that scenario in the spec and prefer doing E2E If you find a satisfying way of achieving that I'm interested, but I don't think
That's a reasonable objection, I'll make a separate PR.
I mentioned this simply as an example to show that it allows a larger design
Sure, we can do that, it's more explicit that way. |
Like I said above, it would be useful to have distinct error numbers for In the first case, Trampoline A does not know about Trampoline B, and the sender should not ask TA to forward to TB again. In the second case, the sender will know that TA failed to forward a certain amount to TB, but it may be able to forward a different amount right now, or the same amount later. Perhaps even more granularity is desirable. If TA fails to find a path to TB, it might return the "capacity" it believes it can send to TB in the error message. |
|
I integrated all these requirements in the trampoline onion PR, let's discuss it there: #836. |
t-bast
changed the title
| trampoline node, and adds a trampoline node in her own neighborhood at the | ||
| beginning of the trampoline route. She includes the invoice's encrypted data | ||
| for each node in their respective trampoline payload: this is very similarly | ||
| to paying a blinded path without trampoline. |
There was a problem hiding this comment.
Just a point of double-checking following a discussion with @joostjager: blinded paths to a non-Trampoline node are meant to be the only mechanism to use Trampoline for payments to a legacy node, and the spec no longer supports legacy payment recipients without blinded paths?
There was a problem hiding this comment.
Yes, because there is no good solution that doesn't sacrifice the payment privacy when paying Bolt 11 invoices that don't support trampoline, so I don't want to introduce it to the BOLTs. As discussed during the last spec meeting, I will document how this can be done in a bLIP however, which can be used while transitioning to trampoline and/or blinded paths.
Courtesy of @SomberNight who extended my previous ASCII diagram to showcase the scenario where we also use MPP at the trampoline layer, to split payments across multiple trampoline paths.
|
Phoenix doesn't implement this version of trampoline, and doesn't support this double error encryption.
Phoenix doesn't even use the same TLVs as what is specified here, and you shouldn't expect it to implement this spec.
Since we don't have any clarity on when this PR will be accepted, we don't plan on updating Phoenix to this version of trampoline until it is merged to the BOLTs, to avoid having to deal with too many backwards-compatibility issues.
This version of trampoline is however implemented in a draft PR in eclair, waiting for the spec to be accepted.
________________________________
From: ghost43 ***@***.***>
Sent: Friday, November 21, 2025 4:55:22 PM
To: lightning/bolts ***@***.***>
Cc: Bastien Teinturier ***@***.***>; Mention ***@***.***>
Subject: Re: [lightning/bolts] Trampoline Routing (2021 edition) (Feature 56/57) (#829)
@SomberNight commented on this pull request.
________________________________
In proposals/trampoline.md<#829 (comment)>:
+
+```text
+ +---> N1 ---> N2 ---+ +---> M1 ----+
+ | | | |
+ | v | v
++-------+ +----+ +----+
+| Alice | | T1 | | T2 | (error)
++-------+ +----+ +----+
+```
+
+* T2 creates a local error and wraps it: `wrap(ss(T1,T2), wrap(tss(Alice,T2), error))`
+* T1 receives `wrap(ss(T1, M1), wrap(ss(T1,T2), wrap(tss(Alice,T2), error)))`
+* After unwrapping with the outer onion shared secrets T1 obtains: `wrap(tss(Alice,T2), error)`
+ It cannot decrypt further, so it adds its own two layers of wrapping and
+ forwards upstream `wrap(ss(Alice,T1), wrap(tss(Alice,T1), wrap(tss(Alice,T2), error)))`
+* Alice receives `wrap(ss(Alice,N1), wrap(ss(Alice,N2), wrap(ss(Alice,T1), wrap(tss(Alice,T1), wrap(tss(Alice,T2), error)))))`
However when testing a payment Electrum -> Electrum Trampoline -> Acinq -> Phoenix and letting Phoenix fail the payment Electrum can still decode the received onion error. This is confusing, so I was wondering if this scheme is even used in practice yet?
To clarify, "Electrum Trampoline" is running eclair, so the payment goes: electrum -> eclair1 -> eclair2 -> phoenix.
If e.g. electrum sends an htlc with an incorrect payment_secret, phoenix fails it with incorrect_or_unknown_payment_details. The sender electrum then decrypts it successfully using ss(electrum, eclair1). This is unexpected.
—
Reply to this email directly, view it on GitHub<#829 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AHOVCWOA4APPDOMCKHS7OGT354YWVAVCNFSM6AAAAACIUR76QSVHI2DSMVQWIX3LMV43YUDVNRWFEZLROVSXG5CSMV3GSZLXHMZTIOJTGM4DAOBVGA>.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
| payments before forwarding. Once the totality of the payment is received, the | ||
| trampoline node can choose the most efficient way to re-split it to reach the | ||
| next trampoline node. |
There was a problem hiding this comment.
What if the recipient created an invoice with the basic_mpp flag unset? Perhaps they want a single HTLC because they are trying to get a JIT channel opened from an LSP who requires no-MPP for JIT.
How would the trampoline forwarder know whether they are allowed to use MPP to re-split?
To increase payment reliability, it might make sense to always allow intermediate trampoline forwaders to split. So that would mean that the invoice MPP flag should only affect the last trampoline forwarder? But that would imply giving them the knowledge that they are the last forwarder.
Or does signalling for trampoline support in an invoice simply imply supporting MPP also, for a recipient?
And then for the LSP JIT usecase, we just assume that the LSP must be the last trampoline forwarder, and that it is up to them not to re-split the payment?
(note: with the "pay-to-legacy" hack, the last trampoline forwarder gets the invoice_features, so they know whether they can do MPP)
There was a problem hiding this comment.
Or does signalling for trampoline support in an invoice simply imply supporting MPP also, for a recipient?
Yes it does, we do assume support for MPP, because it's an important part of what makes trampoline efficient. We've discussed this a few times in the past, and there wasn't any good reason for a recipient to not support MPP. I should make this obvious in the spec (probably in #836 rather than here) if that's not already mentioned!
are trying to get a JIT channel opened from an LSP who requires no-MPP for JIT.
This is a deficiency in the JIT-channel spec, which is fixed by lightning/blips#36. There is no good reason for a JIT-channel protocol to be incompatible with MPP. With an on-the-fly-funding protocol that supports MPP, do you see a reason for a recipient to not want to support MPP?
This proposal allows nodes running on constrained devices to sync only a small portion of the network and leverage trampoline nodes to calculate the missing parts of the payment route while providing the same privacy as fully source-routed payments.
The main idea is to use layered onions: a normal onion contains a smaller onion for the last hop of the route, and that smaller onion contains routing information about the next trampoline hop.
This PR provides a high-level view of trampoline routing, where concepts and designs are presented in a more user-friendly format than formal spec work. This document lets reviewers see the big picture and how all the pieces work together. It also contains pretty detailed examples that should give reviewers some intuition about the subtle low-level details.
Then reviewers can move on to #836 which contains the usual spec format for the onion construction: this is where we'll work on the nitty-gritty details.
This PR supercedes #654 based on what we learnt after 1 year running trampoline in production in Phoenix and many discussions with @ecdsa while Electrum worked on their own trampoline implementation. The important changes are:
cltv_expiry_deltathat must be used for the last trampoline hopcltv_expiry_delta: since senders need at most two trampoline hops to protect their privacy (and in some cases, only one trampoline hop), this retry-on-failure approach doesn't add too much latency in practice