2
0
mirror of https://github.com/lnbook/lnbook synced 2024-11-16 21:27:59 +00:00
lnbook/contrib/wire_protocol.asciidoc
2021-07-10 14:06:19 +02:00

1086 lines
51 KiB
Plaintext

= Wire Protocol: Framing & Extensibility
== Intro
In this chapter, we'll dive into the wire protocol of the Lightning network,
and also cover all the various extensibility levers that have been built into
the protocol. By the end of this chapter, and aspiring reader should be able to
write their very own wire protocol parser for the Lighting Network. In addition
to being able to write a custom wire protocol parser, a reader of this chapter
will gain a deep understanding with respect of the various upgrade mechanisms
that have been built into the protocol.
== Wire Framing
First, we being by describing the high level structure of the wire _framing_
within the protocol. When we say framing, we mean the way that the bytes are
packed on the wire to _encode_ a particular protocol message. Without knowledge
of the framing system used in the protocol, a stirn go byters on the wirte would
resemble a series of random bytes as no structure has been imposed. By applying
proper framing to decode these bytes on the wire, we'll be able to extract
structure and finally parse this structure into protocol messages within our
higher-level language.
It's important to note that as the Lightning Network is an _end to end
encrypted_ protocol, the wire framing is itself encapsulated within an
_encrypted_ message transport layer. As we learned in chapter XXX, the Lighting
Network uses Brontide, a custom variant of the Noise protocol to handle
transport encryption. Within this chapter, whenever we give an example of wire
framing, we assume the encryption layer has already been stripped away (when
decoding), or that we haven't yet encrypted the set of bytes before we send
them on the wire (encoding).
=== High-Level Wire Framing
With that said, we're ready to being describe the high-level schema used to
encode messages on the wire:
* Messages on the wire begin with a _2 byte_ type field, followed by a
message payload.
* The message payload itself, can be up to 65 KB in size.
* All integers are encoded in big-endian (network order).
* Any bytes that follow after a defined message can be safely ignored.
Yep, that's it. As the protocol relies on an _encapsulating_ transport protocol
encryption layer, we don't need an explicit length for each message type. This
is due to the fact that transport encryption works at the _message_ level, so
by the time we're ready to decode the next message, we already know the total
number of bytes of the message itself. Using 2 bytes for the message type
(encoded in big-endian) means that the protocol can have up to `2^16 - 1` or
`65535` distinct messages. Continuing, as we know all messages _MUST_ be below
65KB, this simplifies our parsing as we can use a _fixed_ sized buffer, and
maintain strong bounds on the total amount of memory required to parse an
incoming wire message.
The final bullet point allows for a degree of _backwards_ compatibility, as new
nodes are able to provide information in the wire messages that older nodes
(which may not understand them can safely ignore). As we'll see below, this
feature combined with a very flexible wire message extensibility format also
allows the protocol to achieve _forwards_ compatibility as well.
=== Type Encoding
With this high level background provided, we'll now start at the most primitive
layer: parsing primitive types. In addition to encoding integers, the Lightning
Protocol also allows for encoding of a vast array of types including: variable
length byte slices, elliptic curve public keys, Bitcoin addresses, and
signatures. When we describe the _structure_ of wire messages later in this
chapter, we'll refer to the high-level type (the abstract type) rather than the
lower level representation of said type. In this section, we'll peel back this
abstraction layer to ensure our future wire parser is able to properly
encoding/decode any of the higher level types.
In the following table, we'll map the higher-level name of a given type to the
high-level routine used to encode/decode the type.
.High-level message types
[options="header"]
|================================================================================
| High Level Type | Framing | Comment
| `node_alias` | A 32-byte fixed-length byte slice. | When decoding, reject if contents are not a valid UTF-8 string.
| `channel_id` | A 32-byte fixed-length byte slice that maps an outpoint to a 32 byte value. | Given an outpoint, one can convert it to a `channel_id` by taking the txid of the outpoint and XOR'ing it with the index (interpreted as the lower 2 bytes).
| `short_chan_id` | An unsigned 64-bit integer (`uint64`) | Composed of the block height (24 bits), transaction index (24 bits), and output index (16 bits) packed into 8 bytes.
| `milli_satoshi` | An unsigned 64-bit integer (`uint64`) | Represents 1000th of a satoshi.
| `satoshi` | An unsigned 64-bit integer (`uint64`) | The based unit of bitcoin.
| `satoshi` | An unsigned 64-bit integer (`uint64`) | The based unit of bitcoin.
| `pubkey` | An secp256k1 public key encoded in _compressed_ format, occupying 33 bytes. | Occupies a fixed 33-byte length on the wire.
| `sig` | An ECDSA signature of the secp256k1 Elliptic Curve. | Encoded as a _fixed_ 64-byte byte slice, packed as `R \|\| S`
| `uint8` | An 8-bit integer. |
| `uint16` | A 16-bit integer. |
| `uint64` | A 64-bit integer. |
| `[]byte` | A variable length byte slice. | Prefixed with a 16-bit integer denoting the length of the bytes.
| `color_rgb` | RGB color encoding. | Encoded as a series if 8-bit integers.
| `net_addr` | The encoding of a network address. | Encoded with a 1 byte prefix that denotes the type of address, followed by the address body.
|================================================================================
In the next section, we'll describe the structure of each of the wire messages
including the prefix type of the message along with the contents of its message
body.
=== Type Length Value (TLV) Message Extensions
Earlier in this chapter we mentioned that messages can be up to 65 KB in size,
and if while parsing a messages, extra bytes are left over, then those bytes
are to be _ignored_. At an initial glance, this requirement may appear to be
somewhat arbitrary, however upon close inspection it's actually the case that
this requirement allows for de-coupled de-synchronized evolution of the Lighting
Protocol itself. We'll opine further upon this notion towards the end of the
chapter. First, we'll turn our attention to exactly what those "extra bytes" at
the end of a message can be used for.
==== The Protcol Buffer Message Format
The Protocol Buffer (protobuf) message serialization format started out as an
internal format used at Google, and has blossomed into one of the most popular
message serialization formats used by developers globally. The protobuf format
describes how a message (usually some sort of data structure related to an API)
is to be encoded on the wire and decoded on the other end. Several "protobuf
compilers" exists in dozens of languages which act as a bridge that allows any
language to encode a protobuf that will be able to decode by a compliant decode
in another language. Such cross language data structure compatibility allows
for a wide range of innovation it's possible to transmit structure and even
typed data structures across language and abstraction boundaries.
Protobufs are also known for their _flexibility_ with respect to how they
handle changes in the underlying messages structure. As long as the field
numbering schema is adhered to, then it's possible for a _newer_ write of
protobufs to include information within a protobuf that may be unknown to any
older readers. When the old reader encounters the new serialized format, if
there're types/fields that it doesn't understand, then it simply _ignores_
them. This allows old clients and new clients to _co-exist_, as all clients can
parse _some_ portion of the newer message format.
==== Forwards & Backwards Compatibility
Protobufs are extremely popular amongst developers as they have built in
support for both _forwards_ and _backwards_ compatibility. Most developers are
likely familiar with the concept of backwards computability. In simple terms,
the principles states that any changes to a message format or API should be
done in a manner that doesn't _break_ support for older clients. Within our
protobuf extensibility examples above, backwards computability is achieved by
ensuring that new additions to the proto format don't break the known portions
of older readers. Forwards computability on the other hand is just as important
for de-synchronized updates however it's less commonly known. For a change to
be forwards compatible, then clients are to simply _ignore_ any information
they don't understand. The soft for mechanism of upgrading the Bitcoin
consensus system can be said to be both forwards and backwards compatible: any
clients that don't update can still use Bitcoin, and if they encounters any
transactions they don't understand, then they simply ignore them as their funds
aren't using those new features.
==== Lighting's Protobuf Inspired Message Extension Format: `TLV`
In order to be able to upgrade messages in both a forwards and backwards
compatible manner, in addition to feature bits (more on that later), the LN
utilizes a _Custom_ message serialization format plainly called: Type Length
Value, or TLV for short. The format was inspired by the widely used protobuf
format and borrows many concepts by significantly simplifying the
implementation as well as the software that interacts with message parsing. A
curious reader might ask "why not just use protobufs"? In response, the
Lighting developers would respond that we're able to have the best of the
extensibility of protobufs while also having the benefit of a smaller
implementation and thus attacks surface in the context of Lightning. As of
version v3.15.6, the protobuf compiler weighs in at over 656,671 lines of code.
In comparison lnd's implementation of the TLV message format weighs in at only
2.3k lines of code (including tests).
With the necessary background presented, we're now ready to describe the TLV
format in detail. A TLV message extension is said to be a _stream_ of
individual TLV records. A single TLV record has three components: the type of
the record, the length of the record, and finally the opaque value of the
record:
* `type`: An integer representing the name of the record being encoded.
* `length`: The length of the record.
* `value`: The opaque value of the record.
Both the `type` and `length` are encoded using a variable sized integer that's
inspired by the variable sized integer (varint) used in Bitcoin's p2p protocol,
this variant is called `BigSize` for short. In its fullest form, a `BigSize`
integer can represent value up to 64-bits. In contrast to Bitcoin's varint
format, the `BigSize format instead encodes integers using a _big endian_ byte
ordering.
The `BigSize` varint has the components: the discriminant and the body. In the
context of the `BigSize` integer, the discriminant communicates to the decoder
the _size_ of the variable size integer. Remember that the uniquer thign about
variable sized integers is that they allow a parser to use less bytes to encode
smaller integers than larger ones. This allows message formats to safe space, as
they're able to minimally encode numbers from 8 to 6-bits. Encoding a `BigSize`
integer can be defined using a piece-wise function that branches based on the
size of the integer to be encoded.
* If the value is _less than_ `0xfd` (`253`):
* Then the discriminant isn't really used, and the encoding is simply the
integer itself.
* This value allows us to encode very small integers with no additional
overhead
* If the value is _less than or equal to_ `0xffff` (`65535`):
* Then the discriminant is encoded as `0xfd`, which indicates that the body is
that follows is larger than `0xfd`, but smaller than `0xffff`).
* The body is then encoded as a _16-bit_ integer. Including the
discriminant, then we can encode a value that is greater than 253, but
less than 65535 using `3 bytes`.
* If the value is less than `0xffffffff` (`4294967295`):
* Then the discriminant is encoded as `0xfe`.
* The body is encoded using _32-bit_ integer, Including the discriminant,
then we can encode a value that's less than `4,294,967,295` using _5
bytes_.
* Otherwise, we'll just encode the value as a fully _64-bit_ integer.
Within the context of a TLV message,
values below `2^16` are said to be _reserved_ for future use. Values beyond this
range are to be used for "custom" message extensions used by higher-level
application protocols. The `value` is defined in terms of the `type`. In other
words, it can take any forma s parzers will attempt to coalsces it into a
higher-level types (such as a signatture) depending on the context of the type
itself.
One issue with the protobuf format is the encodes of the same message may
output an entirely different set of bytes when encoded by two different
versions of the compiler. Such instances of a non-cannonical encoding are not
acceptable within teh context of Lighting, was many messages contain a
signature of the message digest. If it's possible for a message to be encoded
in two different ways, then it would be possible to break the authentication of
a signature inadvertently by re-encoding a message using a slightly different
set of bytes on the wire.
In order to ensure that all encoded messages are canonical, the following
constraints are defined when encoding:
* All records within a TLV stream MUST be encoded in order of strictly
increasing type.
* All records must _minimally encode_ the `type` and `length` fields. In
orther woards, the smallest BigSIze representation for an integer MUST be
used at all times.
* Each `type` may only appear _once_ within a given TLV stream.
In addition to these writing requirements a series of higher-level
interpretation requirements are also defined based on the _arity_ of a given
`type` integer. We'll dive further into these details towards the end of the
chapter cone we talked about how the Lighting Protocol is upgraded in practice
and in theory.
=== Wire Messages
In this section, well outline the precise structure of each of the wire
messages within the protocol. We'll do so in two parts: first we'll enumerate
all the currently defined wire message types along with the message name
corresponding to that type, we',l then double back and define the structure of
each of the wire messages (partitioned into logical groupings).
First, we'll lead with an enumeration of all the currently defined types:
.Message Types
[options="header"]
|==============================================================================
| Type Integer | Message Name | Category
| 16 | `init` | Connection Establishment
| 17 | `error` | Error Communication
| 18 | `ping` | Connection Liveness
| 19 | `pong` | Connection Liveness
| 32 | `open_channel` | Channel Funding
| 33 | `accept_channel` | Channel Funding
| 34 | `funding_created` | Channel Funding
| 35 | `funding_signed` | Channel Funding
| 36 | `funding_locked` | Channel Funding + Channel Operation
| 38 | `shutdown` | Channel Closing
| 39 | `closing_signed` | Channel Closing
| 128 | `update_add_htlc` | Channel Operation
| 130 | `update_fulfill_hltc` | Channel Operation
| 131 | `update_fail_htlc` | Channel Operation
| 132 | `commit_sig` | Channel Operation
| 133 | `revoke_and_ack` | Channel Operation
| 134 | `update_fee` | Channel Operation
| 135 | `update_fail_malformed_htlc` | Channel Operation
| 136 | `channel_reestablish` | Channel Operation
| 256 | `channel_announcement` | Channel Announcement
| 257 | `node_announcement` | Channel Announcement
| 258 | `channel_update` | Channel Announcement
| 259 | `announce_signatures` | Channel Announcement
| 261 | `query_short_chan_ids` | Channel Graph Syncing
| 262 | `reply_short_chan_ids_end` | Channel Graph Syncing
| 263 | `query_channel_range` | Channel Graph Syncing
| 264 | `reply_channel_range` | Channel Graph Syncing
| 265 | `gossip_timestamp_range` | Channel Graph Syncing
|==============================================================================
In the above table, the `Category` field allows us to quickly categonize a
message based on its functionality within the protocol itself. At a high level,
we place a message into one of 8 (non exhaustive) buckets including:
* *Connection Establishment*: Sent when a peer to peer connection is first
established. Also used in order to negotiate the set of _feature_ supported
by a new connection.
* *Error Communication*: Used by peer to communicate the occurrence of
protocol level errors to each other.
* *Connection Liveness*: Used by peers to check that a given transport
connection is still live.
* *Channel Funding*: Used by peers to create a new payment channel. This
process is also known as the channel funding process.
* *Channel Operation*: The act of updating a given channel _off-chain_. This
includes sending and receiving payments, as well as forwarding payments
within the network.
* *Channel Announcement*: The process of announcing a new public channel to
the wider network so it can be used for routing purposes.
* *Channel Graph Syncing*: The process of downloading+verifying the channel
graph.
Notice how messages that belong to the same category typically share an
adjacent _message type_ as well. This is done on purpose in order to group
semantically similar messages together within the specification itself. With
this roadmap laid out, we'll now visit each message category in order to define
the precise structure and semantics of all defined messages within the LN
protocol.
==== Connection Establishment Messages
Messages in this category are the very first message sent between peers once
they establish a transport connection. At the time of writing of this chapter,
there exists only a single messages within this category, the `init` message.
The `init` message is sent by _both_ sides of the connection once it has been
first established. No other messages are to be sent before the `init` message
has been sent by both parties.
The structure of the `init` message is defined as follows:
`init` message:
* type: `16`
* fields:
* `uint16`: `global_features_len`
* `global_features_len*byte`: `global_features`
* `uint16`: `features_len`
* `features_len*byte`: `features`
* `tlv_stream_tlvs`
Structurally, the `init` message is composed of two variable size bytes slices
that each store a set of _feature bits_. As we'll see later, feature bits are a
primitive used within the protocol in order to advertise the set of protocol
features a node either understands (optional features), or demands (required
features).
Note that modern node implementations will only use the `features` field, with
items residing within the `global_features` vector for primarily _historical_
purposes (backwards compatibility).
What follows after the core message is a series of T.L.V, or Type Length Value
records which can be used to extend the message in a forwards+backwards
compatible manner in the future. We'll cover what TLV records are and how
they're used later in the chapter.
An `init` message is then examined by a peer in order to determine if the
connection is well defined based on the set of optional and required feature
bits advertised by both sides.
An optional feature means that a peer knows about a feature, but they don't
consider it critical to the operation of a new connection. An example of one
would be something like the ability to understand the semantics of a newly
added field to an existing message.
On the other hand, required feature indicate that if the other peer doesn't
know about the feature, then the connection isn't well defined. An example of
such a feature would be a theoretical new channel type within the protocol: if
your peer doesn't know of this feature, they you don't want to keep the
connection as they're unable to open your new preferred channel type.
==== Error Communication Messages
Messages in this category are used to send connection level errors between two
peers. As we'll see later, another type of error exists in the protocol: an
HTLC forwarding level error. Connection level errors may signal things like
feature bit incompatibility, or the intent to force close (unilaterally
broadcast the latest signed commitment)
The sole message in this category is the `error` message:
* type: `17`
* fields:
* `channel_id`: `chan_id`
* `uint16`: `data_len`
* `data_len*byte`: `data`
An `error` message can be sent within the scope of a particular channel by
setting the `channel_id`, to the `channel_id` of the channel under going this
new error state. Alternatively, if the error applies to the connection in
general, then the `channel_id` field should be set to all zeroes. This all zero
`channel_id` is also known as the connection level identifier for an error.
Depending on the nature of the error, sending an `error` message to a peer you
have a channel with may indicate that the channel cannot continue without
manual intervention, so the only option at that point is to force close the
channel by broadcasting the latest commitment state of the channel.
==== Connection Liveness
Messages in this section are used to probe to determine if a connection is
still live or not. As the LN protocol somewhat abstracts over the underlying
transport being used to transmit the messages, a set of protocol level `ping`
and `pong` messages are defined.
First, the `ping` message:
* type: `18`
* fields:
* `uint16`: `num_pong_bytes`
* `uint16`: `ping_body_len`
* `ping_body_len*bytes`: `ping_body`
Next it's companion, the `pong` message:
* type: `19`
* fields:
* `uint16`: `pong_body_len`
* `ping_body_len*bytes`: `pong_body`
A `ping` message can be sent by either party at any time.
The `ping` message includes a `num_pong_bytes` field that is used to instruct
the receiving node with respect to how large the payload it sends in its `pong`
message is. The `ping` message also includes a `ping_body` opaque set of bytes
which can be safely ignored. It only serves to allow a sender to pad out `ping`
messages they send, which can be useful in attempting to thwart certain
de-anonymization techniques based on packet sizes on the wire.
A `pong` message should be sent in response to a received `ping` message. The
receiver should read a set of `num_pong_bytes` random bytes to send back as the
`pong_body` field. Clever use of these fields/messages may allow a privacy
concious routing node to attempt to thwart certain classes of network
de-anonymization attempts, as they can create a "fake" transcript that
resembles other messages based on the packet sizes set across. Remember that by
default the LN uses an _encrypted_ transport, so a passive network monitor
cannot read the plaintext bytes, thus only has timing and packet sizes to go
off of.
==== Channel Funding
As we go on, we enter into the territory of the core messages that govern the
functionality and semantics of the Lightning Protocol. In this section, we'll
explore the messages sent during the process of creating a new channel. We'll
only describe the fields used as we'll leave a in in-depth analysis of the
funding process to chapter XXX.
Messages that are sent during the channel funding flow belong to the following
set of 5 messages: `open_channel`, `accept_channel`, `funding_created`,
`funding_signed`, `funding_locked`. We'll leave a description of the precise
protocol flow involving these messages for a chapter XXX. In this section,
we'll simply enumerate the set of fields and briefly describe each one.
The `open_channel` message:
* type: `32`
* fields:
* `chain_hash`:chain_hash
* `32*byte`: `temp_chan_id`
* `uint64`: `funding_satoshis`
* `uint64`: `push_msat`
* `uint64`: `dust_limit_satoshis`
* `uint64`: `max_htlc_value_in_flight_msat`
* `uint64`: `channel_reserve_satoshis`
* `uint64`: `htlc_minimum_msat`
* `uint32`: `feerate_per_kw`
* `uint16`: `to_self_delay`
* `uint16`: `max_accepted_htlcs`
* `pubkey`: `funding_pubkey`
* `pubkey`: `revocation_basepoint`
* `pubkey`: `payment_basepoint`
* `pubkey`: `delayed_payment_basepoint`
* `pubkey`: `htlc_basepoint`
* `pubkey`: `first_per_commitment_point`
* `byte`: `channel_flags`
* `tlv_stream`: `tlvs`
This is the first message sent when a node wishes to execute a new funding flow
with another node. This message contains all the necessary information required
for both peers to constructs both the funding transaction as well as the
commitment transaction.
At the time of writing of this chapter, a single TLV record is defined within
the set of optional TLV records that may be appended to the end of a defined
message:
* type: 0
* data: `upfront_shutdown_script`
The `upfront_shutdown_script` is a variable sized byte slice that MUST be a
valid public key script as accepted by the Bitcoin networks' consensus
algorithm. By providing such an address, the sending party is able to
effectively create a "closed loop" for their channel, as neither side will sign
off an cooperative closure transaction that pays to any other address. In
practice, this address is usually one derived from a cold storage wallet.
The `channel_flags` field is a bitfield of which at the time of writing, only
the _first_ bit has any sort of significance. If this bit is set, then this
denotes that this channel is to be advertised to the public network as a route
bal channel. Otherwise, the channel is considered to be unadvertised, also
commonly referred to as a "private" channel.
The `accept_channel` message is the response to the `open_channel` message:
* type: `33`
* fields:
* `32*byte`: `temp_chan_id`
* `uint64`: `dust_limit_satoshis`
* `uint64`: `max_htlc_value_in_flight_msat`
* `uint64`: `channel_reserve_satoshis`
* `uint64`: `htlc_minimum_msat`
* `uint32`: `minimum_depth`
* `uint16`: `to_self_delay`
* `uint16`: `max_accepted_htlcs`
* `pubkey`: `funding_pubkey`
* `pubkey`: `revocation_basepoint`
* `pubkey`: `payment_basepoint`
* `pubkey`: `delayed_payment_basepoint`
* `pubkey`: `htlc_basepoint`
* `pubkey`: `first_per_commitment_point`
* `tlv_stream`: `tlvs`
The `accept_channel` message is the second message sent during the funding flow
process. It serves to acknowledge an intent to open a channel with a new remote
peer. The message mostly echos the set of parameters that the responder wishes
to apply to their version of the commitment transaction. Later in Chapter XXX,
when we go into the funding process in details, we'll do a deep dive to explore
the implications of the various par maters that can be set when opening a new
channel.
In response, the initiator will send the `funding_created` message:
* type: `34`
* fields:
* `32*byte`: `temp_chan_id`
* `32*byte`: `funding_txid`
* `uint16`: `funding_output_index`
* `sig`: `commit_sig`
Once the initiator of a channel receives the `accept_channel` message from the
responder, they they have all the materials they need in order to construct the
commitment transaction, as well as the funding transaction. As channels by
default are single funder (only one side commits funds), only the initiator
needs to construct the funding transaction. As a result, in order to allow the
responder to sign a version of a commitment transaction for the initiator, the
initiator, only needs to send the funding outpoint of the channel.
To conclude the responder sends the `funding_signed` message:
* type: `34`
* fields:
* `channel_id`: `channel_id`
* `sig`: `signature`
To conclude after the responder receivers the `funding_created` message, they
now own a valid signature of the commitment transaction by the initiator. With
this signature they're able to exit the channel at any time by signing their
half of the multi-sig funding output, and broadcasting the transaction. This is
referred to as a force close. In order to give the initiator the ability to do
so was well, before the channel can be used, the responder then signs the
initiator's commitment transaction as well.
Once this message has been received by the initiator, it's safe for them to
broadcast the funding transaction, as they're now able to exit the channel
agreement unilaterally.
Once the funding transaction has received enough confirmations, the
`funding_locked` is sent:
* type: `36
* fields:
* `channel_id`: `channel_id`
* `pubkey`: `next_per_commitment_point`
Once the funding transaction obtains a `minimum_depth` number of confirmations,
then the `funding_locked` message is to be sent by both sides. Only after this
message has been received, and sent can the channel being to be used.
==== Channel Closing
* type: `38`
* fields:
[channel_id:channel_id]
[u16:len]
[len*byte:scriptpubkey]
* type: `39`
* fields:
[channel_id:channel_id]
[u64:fee_satoshis]
[signature:signature]
#### Channel Operation
In this section, we'll briefly describe the set of messages used to allow
anodes to operate a channel. By operation, we mean being able to send receive,
and forward payments for a given channel.
In order to send, receive or forward a payment over a channel, an HTLC must
first be added to both commitment transactions that comprise of a channel link.
* The `update_add_htlc` message allows either side to add a new HTLC to the
opposite commitment transaction:
* type: `128`
* fields:
* `channel_id`: `channel_id`
* `uint64`: `id`
* `uint64`: `amount_msat`
* `sha256`: `payment_hash`
* `uint32`:`cltv_expiry`
* `1366*byte:`onion_routing_packet`
Sending this message allows one party to initiate either sending a new payment,
or forwarding an existing payment that arrived via in incoming channel. The
message specifies the amount (`amount_msat`) along with the payment hash that
unlocks the payment itself. The set of forwarding instructions of the next hop
are onion encrypted within the `onion_routing_packet` field. In Chapter XXX on
multi-hop HTLC forwarding, we details the onion routing protocol used in the
Lighting Network in detail.
Note that each HTLC sent uses an auto incrementing ID which is used by any
message which modifies na HTLC (settle or cancel) to reference the HTLC in a
unique manner scoped to the channel.
The `update_fulfill_hltc` allow redemption (receipt) of an active HTLC:
* type: `130`
* fields:
* `channel_id`: `channel_id`
* `uint64`: `id`
* `32*byte`: `payment_preimage`
This message is sent by the HTLC receiver to the proposer in order to redeem an
active HTLC. The message references the `id` of the HTLC in question, and also
provides the pre-image (which unlocks the HLTC) as well.
The `update_fail_htlc` is sent to remove an HTLC from a commitment transaction:
* type: `131`
* fields:
* `channel_id`:channel_id`
* `uint64`: `id`
* `uint16`: `len`
* `len*byte`: `reason`
The `update_fail_htlc` is the opposite of the `update_fulfill_hltc` message as
it allows the receiver of an HTLC to remove the very same HTLC. This message is
typically sent when an HTLC cannot be properly routed upstream, and needs to be
sent back to the sender in order to unravel the HTLC chain. As we'll explore in
Chapter XX, the message contains an _encrypted_ failure reason (`reason`) which
may allow the sender to either adjust their payment route, or terminate if the
failure itself is a terminal one.
The `commit_sig` is used to stamp the creation of a new commitment transaction:
* type: `132`
* fields:
* `channel_id`: `channel_id`
* `sig`: `signature`
* `uint16` `num_htlcs`
* `num_htlcs*sig: `htlc_signature`
In addition to sending a signature for the next commitment transaction, the
sender of this message also needs to send a signature for each HTLC that's
present on the commitment transaction. This is due to the existence of the
The `revoke_and_ack` is sent to revoke a dated commitment:
* type: `133`
* fields:
* `channel_id`: `channel_id`
* `32*byte`: `per_commitment_secret`
* `pubkey`: `next_per_commitment_point`
As the Lightning Network uses a replace-by-revoke commitment transaction, after
receiving a new commitment transaction via the `commit_sig` message, a party
must revoke their past commitment before they're able to receive another one.
While revoking a commitment transaction, the revoker then also provides the
next commitment point that's required to allow the other party to send them a
new commitment state.
The `update_fee` is sent to update the fee on the current commitment
transactions:
* type: `134`
* fields
* `channel_id`: `channel_id`
* `uint32`: `feerate_per_kw`
This message can only be sent by the initiator of the channel they're the ones
that will pay for the commitment fee of the channel as along as it's open.
The `update_fail_malformed_htlc` is sent to remove a corrupted HTLC:
* type: `135`
* fields:
* `channel_id`: `channel_id`
* `uint64`: `id`
* `sha256`: `sha256_of_onion`
* `uint16`: `failure_code`
This message is similar to the `update_fail_htlc` but it's rarely used in
practice. As mentioned above, each HTLC carries an onion encrypted routing
packet that also covers the integrity of portions of the HTLC itself. If a
party receives an onion packet that has somehow been corrupted along the way,
then it won't be able to decrypt the packet. As a result it also can't properly
forward the HTLC, therefore it'll send this message to signify that the HTLC
has been corrupted somewhere along the route back to the sender.
==== Channel Announcement
Messages in this category are used to announce components of the Channel Graph
authenticated data structure to the wider network. The Channel Graph has a
series of unique properties due to the condition that all data added to the
channel graph MUST also be anchored in the base Bitcoin blockchain. As a
result, in order to add a new entry to the channel graph, an agent must be an
on chain transaction fee. This serves as a natural spam de tenace for the
Lightning Network.
The `channel_announcement` is used to announce a new channel to the wider
network:
* type: `256`
* fields:
* `sig`: `node_signature_1`
* `sig`: `node_signature_2`
* `sig`: `bitcoin_signature_1`
* `sig`: `bitcoin_signature_2`
* `uint16`: `len`
* `len*byte`: `features`
* `chain_hash`: `chain_hash`
* `short_channel_id`: `short_channel_id`
* `pubkey`: `node_id_1`
* `pubkey`: `node_id_2`
* `pubkey`: `bitcoin_key_1`
* `pubkey`: `bitcoin_key_2`
The series of signatures and public keys in the message serves to create a
_proof_ that the channel actually exists within the base Bitcoin blockchain. As
we'll detail in Chapter XXX, each channel is uniquely identified by a locator
that encodes it's _location_ within the blockchain. This locator is called this
`short_channel_id` and can fit into a 64-bit integer.
The `node_announcement` allows a node to announce/update it's vertex within the
greater Channel Graph:
* type: `257`
* fields:
* `sig`:`signature`
* `uint64`: `flen`
* `flen*byte`: `features`
* `uint32`: `timestamp`
* `pubkey`: `node_id`
* `3*byte`: `rgb_color`
* `32*byte`: `alias`
* `uint16`: `addrlen`
* `addrlen*byte`: `addresses`
Note that if a node doesn't have any advertised channel within the Channel
Graph, then this message is ignored in order to ensure that adding an item to
the Channel Graph bares an on-chain cost. In this case, the on-chain cost will
the cost of creating the channel which this node is connected to.
In addition to advertising its feature set, this message also allows a node to
announce/update the set of network `addresses` that it can be reached at.
The `channel_update` messages is sent to update the properties and policies of
an active channel edge within the Channel graph:
* type: `258:
* fields:
* `signature`: `signature`
* `chain_hash`: `chain_hash`
* `short_channel_id`: `short_channel_id`
* `uint32`: `timestamp`
* `byte`: `message_flags`
* `byte`: `channel_flags`
* `uint16`: `cltv_expiry_delta`
* `uint64`: `htlc_minimum_msat`
* `uint32`: `fee_base_msat`
* `uint32`: `fee_proportional_millionths`
* `uint16`: `htlc_maximum_msat`
In addition to being able to enable/disable a channel this message allows a
node to update it's routing fees as well as other fields that shape the type of
payment that is permitted to flow through this channel.
The `announce_signatures` message is exchange by channel peers in order to
assemble the set of signatures required to produce a `channel_announcement`
message:
* type: `259`
* fields:
* `channel_id`: `channel_id`
* `short_channel_id`: `short_channel_id`
* `sig`: `node_signature`
* `sig`: `bitcoin_signature`
After the `funding_locked` message has been sent, if both sides wish to
advertise their channel to the network, then they'll each send the
`announce_signatures` message which allows both sides to emplace the 4
signatures required to generate a `announce_signatures` message.
==== Channel Graph Syncing
The `query_short_chan_ids` allows a peer to obtain the channel information
related to a series of short channel IDs:
* type: `261:
* fields:
* `chain_hash`: `chain_hash`
* `u16`: `len`
* `len*byte`: `encoded_short_ids`
* `query_short_channel_ids_tlvs`: `tlvs`
As we'll learn in Chapter XXX, these channel IDs may be a series of channels
that were new to the sender, or were out of date which allows the sender to
obtain the latest set of information for a set of channels.
The `reply_short_chan_ids_end` message is sent after a peer finishes responding
to a prior `query_short_chan_ids` message:
* type; `262`
* fields:
* `chain_hash`: `chain_hash`
* `byte`: `full_information`
This message signals to the receiving party that if they wish to send another
query message, they can now do so.
The `query_channel_range` message allows a node to query for the set of channel
opened within a block range:
* type: `263:
* fields:
* `chain_hash`: `chain_hash`
* `u32`: `first_blocknum`
* `u32`: `number_of_blocks`
* `query_channel_range_tlvs`: `tlvs`
As channels are represented using a short channel ID that encodes the location
of a channel in the chain, a node on the network can use a block height as a
sort of _cursor_ to seek through the chain in order to discover a set of newly
opened channels. In Chapter XXX, we'll go through the protocol peers use to
sync the channel graph in more detail.
The `reply_channel_range` message is the response to `query_channel_range` and
includes the set of short channel IDs for known channels within that range:
* type: `264`
* fields:
* `chain_hash`: `chain_hash`
* `u32`: `first_blocknum`
* `u32`: `number_of_blocks`
* `byte`: `sync_complete`
* `u16`: `len`
* `len*byte`: `encoded_short_ids`
* `reply_channel_range_tlvs`: `tlvs`
As a response to `query_channel_range`, this message sends back the set of
channels that were opened within that range. This process can be repeated with
the requester advancing their cursor further down the chain in order to
continue syncing the Channel Graph.
The `gossip_timestamp_range` message allows a peer to start receiving new
incoming gossip messages on the network:
* type: `265:
* fields:
* `chain_hash`: `chain_hash`
* `u32`: `first_timestamp`
* `u32`: `timestamp_range`
Once a peer has synced the channel graph, they can send this message if they
wish to receive real-time updates on changes in the Channel Graph. They can
also set the `first_timestamp` and `timestamp_range` fields if they wish to
receive a backlog of updates they may have missed while they were down.
== Feature Bits & Protocol Extensibility
As the Lighting Network is a decentralized system, no one entity can enforce a
protocol change or modification upon all the users of the system. This
characteristic is also seen in other decentralized networks such as Bitcoin.
However, unlike Bitcoin overwhelming consensus *is not* require to change a
subset of the Lightning Network. Lighting is able to evolve at will without a
strong requirement of coordination, as unlike Bitcoin, there is no *global&
consensus required in the Lightning Network. Due to this fact and the several
upgrade mechanisms embedded in the Lighting Network, at most, only the
participants that wish to use these new Lighting Network feature need to
upgrade, and then they are able to interact w/ each other.
In this section, we'll explore the various ways that developers and users are
able to design, roll out, deploy new features to the Lightning Network. The
designers of the origin Lightning Network knew at the time of drafting the
initial specification, that there were many possible future directions the
network could evolves towards. As a results, they made sure to emplace several
extensibility mechanisms within the network which can be used to upgrade the
network partially or fully in a decoupled, desynchronized, decentralized
manner.
=== Feature Bits as an Upgrade Discoverability Mechanism
An astute reader may have noticed the various locations that "feature bits" are
included within the Lightning Protocol. A "feature bit" is a bitfield that can
be used to advertise understanding or adherence to a possible network protocol
update. Feature bits are commonly assigned in *pairs*, meaning that each
potential new feature/upgrade always defines *two* bits within the bitfield.
One bit signals that the advertised feature is _optional_, meaning that the
node knows a about the feature, and can use it if compelled, but doesn't
consider it required for normal operation. The other bit signals that the
feature is instead *required*, meaning that the node will not continue
operation if a prospective peer doesn't understand that feature.
Using these two bits optional and required, we can construct a simple
compatibility matrix that nodes/users can consult in order to determine if a
peer is compatible with a desired feature:
.Feature Bit Compatability Matrix
[options="header"]
|========================================================
|Bit Type|Remote Optional|Remote Required|Remote Unknown
|Local Optional|✅|✅|✅
|Local Required|✅|✅|❌
|Local Unknown|✅|❌|❌
|========================================================
From this simplified compatibility matrix, we can see that as long as the other
party *knows* about our feature bit, then can interact with them using the
protocol. If the party doesn't even know about what bit we're referring to
*and* they require the feature, then we are incompatible with them. Within the
network, optional features are signalled using an _odd bit number_ while
required feature are signalled using an _even bit number_. As an example, if a
peer signals that they known of a feature that uses bit _15_, then we know that
this is an _optional_ feature, and we can interact with them or respond to
their messages even if we don't know about the feature. On the other hand, if
they instead signalled the feature using bit _16_, then we know this is a
required feature, and we can't interact with them unless our node also
understands that feature.
The Lighting developers have come up with an easy to remember phrase that
encodes this matrix: "it's OK to be odd". This simple rule set allows for a
rich set of interactions within the protocol, as a simple bitmask operation
between two feature bit vectors allows peers to determine if certain
interactions are compatible with each other or not. In other words, feature
bits are used as an upgrade discoverability mechanism: they easily allow to
peers to understand if they are compatible or not based on the concepts of
optional, required, and unknown feature bits.
Feature bits are found in the: `node_announcement`, `channel_announcement`, and
`init` messages within the protocol. As a result, these three messages can be
used to *signal* the knowledge and/or understanding of in-flight protocol
updates within the network. The feature bits found in the `node_announcement`
message can allow a peer to determine if their _connections_ are compatible or
not. The feature bits within the `channel_announcement` messages allows a peer
to determine if a given payment ype or HTLC can transit through a given peer or
not. The feature bits within the `init` message all peers to understand kif
they can maintain a connection, and also which features are negotiated for the
lifetime of a given connection.
=== Utilizing TLV Records for Forwards+Backwards Compatibility
As we learned earlier in the chapter, Type Length Value, or TLV records can be
used to extend messages in a forwards and backwards compatible manner.
Overtime, these records have been used to _extend_ existing messages without
breaking the protocol by utilizing the "undefined" area within a message beyond
that set of known bytes.
As an example, the original Lighting Protocol didn't have a concept of the
_largest_ HTLC that could traverse through a channel as dictated by a routing
policy. Later on, the `max_htlc` field was added to the `channel_update`
message to phase in such a concept over time. Peers that held a
`channel_update` that set such a field but didn't even know the upgrade existed
where unaffected by the change, but may see their HTLCs rejected if they are
beyond the said limit. Newer peers on the other hand are able to parse, verify
and utilize the new field at will.
Those familiar with the concept of soft-forks in Bitcoin may now see some
similarities between the two mechanism. Unlike Bitcoin consensus-level
soft-forks, upgrades to the Lighting Network don't require overwhelming
consensus in order to adopt. Instead, at minimum, only two peers within the
network need to understand new upgrade in order to start utilizing it without
any permission. Commonly these tow peers may be the receiver and sender of a
payment, or it may the initiator and responder of a new payment channel.
=== A Taxonomy of Upgrade Mechanisms
Rather than there being a single widely utilized upgrade mechanism within the
network (such as soft forks for base layer Bitcoin), there exist a wide
gradient of possible upgrade mechanisms within the Lighting Network. In this
section, we'll enumerate the various upgrade mechanism within the network, and
provide a real-world example of their usage in the past.
==== Internal Network Upgrades
We'll start with the upgrade type that requires the most extra protocol-level
coordination: internal network upgrades. An internal network upgrade is
characterized by one that requires *every single node* within a prospective
payment path to understand the new feature. Such an upgrade is similar to any
upgrade within the known internet that requires hardware level upgrades within
the core relay portion of the upgrade. In the context of LN however, we deal
with pure software, so such upgrades are easier to deploy, yet they still
require much more coordination than any other upgrade type utilize within the
network.
One example of such an upgrade within the network was the move to using a TLV
encoding for the routing information encoded within the onion encrypted routing
packets utilized within the network. The prior format used a hand encoded
format to communicate information such as the next hop to send the payment to.
As this format was _fixed_ it meant that new protocol-level upgrades such as
extensions that allowed feature such as packet switching weren't possible
without. The move to encoding the information using the more flexible TLV
format meant that after the single upgrade, then any sort of feature that
modified the _type_ of information communicated at each hop could be rolled out
at will.
It's worth mentioning that the TLV onion upgrade was a sort of "soft" internal
network upgrade, in that if a payment wasn't using any _new_ feature beyond
that new routing information encoding, then a payment could be transmitted
using a _mixed_ set of nodes, as no new information would be transmitted that
are required to forward the payment. However, if a new upgrade type instead
changed the _HTLC_ format, then the entire path would need to be upgraded,
otherwise the payment wouldn't be able to be fulfilled.
==== End to End Upgrades
To contrast the internal network upgrade, in this section we'll describe the
_end to end_ network upgrade. This upgrade type differs from the internal
network upgrade in that it only requires the "ends" of the payment, the sender
and receiver to upgrade in order to be utilized. This type of upgrade allows
for a wide array of unrestricted innovation within the network, as due to the
onion encrypted nature of payments within the network, those forwarding HTLCs
within the center of the network may not even know that new feature are being
utilized.
One example of an end to end upgrade within the network was the roll out of
MPP, or multi-path payments. MPP is a protocol-level feature that enables a
single payment to be split into multiple parts or paths, to be assembled at the
receiver for settlement. The roll out our MPP was coupled with a new
`node_announcement` level feature bit that indicates that the receiver knows
how to handle partial payments. Assuming a sender and receiver know about each
other (possibly via a BOLT 11 invoice), then they're able to use the new
feature without any further negotiation.
Anothert example of an end to end upgrade are the various types of
_spontaneous_ payments deployed within the network. One early type of
spontaneous payments called "keysend" worked by simply placing the pre-image of
a payment within the encrypted onion packet that is only decrypted by the
destination o of the payment. Upon receipt, the destination would decrypt the
pre-image, then use that to settle the payment. As the entire packet is end to
end encrypted, this payment type was safe, since none of the intermediate nodes
are able to fully unwrap the onion to uncover the payment pre-image that
corresponded to that payment hash.
==== Channel Construction Level Updates
The final broad category of updates within the network are those that happen at
the channel construction level, but which don't modify the structure of the
HTLC used widely within the network. When we say channel construction, we mean
_how_ the channel is funded or created. As an example, the eltoo channel type
can be rolled out within the network using a new `node_announcement` level
feature bit as well as a `channel_announcement` level feature bit. Only the two
peers on the sides of the channels needs to understand and advertise these new
features. This channel pair can then be used to forward any payment type
granted the channel supports it.
The "anchor outputs" channel format which allows the commitment fee to be
bumped via CPFP, and second-level HTLCs aggregated amongst other transactions
was rolled out in such a manner. Using the implicit feature bit negotiation, if
both sides established a connection, and advertised knowledge of the new
channel type, then it would be used for any future channel funding attempts in
that channel.