path: root/ad/f85f30a0833a0ab4e31e32038604598b10228e

Return-Path: <john@johnnewbery.com>
Received: from smtp3.osuosl.org (smtp3.osuosl.org [140.211.166.136])
 by lists.linuxfoundation.org (Postfix) with ESMTP id 07BB6C0001
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Mon,  1 Mar 2021 21:04:26 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by smtp3.osuosl.org (Postfix) with ESMTP id D3A53606D3
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Mon,  1 Mar 2021 21:04:25 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -1.768
X-Spam-Level: 
X-Spam-Status: No, score=-1.768 tagged_above=-999 required=5
 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
 HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001,
 RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001,
 URI_DOTEDU=0.132] autolearn=no autolearn_force=no
Authentication-Results: smtp3.osuosl.org (amavisd-new);
 dkim=pass (2048-bit key)
 header.d=johnnewbery-com.20150623.gappssmtp.com
Received: from smtp3.osuosl.org ([127.0.0.1])
 by localhost (smtp3.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id 7kxtmUD6fTmi
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Mon,  1 Mar 2021 21:04:22 +0000 (UTC)
X-Greylist: delayed 00:05:21 by SQLgrey-1.8.0
Received: from mail-ed1-f47.google.com (mail-ed1-f47.google.com
 [209.85.208.47])
 by smtp3.osuosl.org (Postfix) with ESMTPS id 5CF75606CC
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Mon,  1 Mar 2021 21:04:22 +0000 (UTC)
Received: by mail-ed1-f47.google.com with SMTP id w21so22624468edc.7
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Mon, 01 Mar 2021 13:04:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=johnnewbery-com.20150623.gappssmtp.com; s=20150623;
 h=mime-version:references:in-reply-to:from:date:message-id:subject:to;
 bh=vz1CUBJyHsgYNOvOI6QvRDnnl9hxHyt4QgV3C8ivx40=;
 b=fu0ea9LxAg8FS5dA4vrIxGb+hJVpr9WyIpZyygKWSbG5biVd+mS/X2lRoePfbPkUlj
 T2S+tPLX74okaP2RAA+bzTDWwD1UgnL0klZBJ7KGlf1+1fZec7ryZi0Cb/gUTT39H/m7
 JE1X64qMuaRlMcjntzPdy/BFd46b9pm7jFKZMNLdUtWRwRhxomSvmXvCZ6fzjayjWwBY
 evohaOeBS0nMKDhVCz76MX1T129uA71nJj4jOj35t3b+pxbYh6pI3D9bWSiI4sOPmkxY
 nwz+0g32Kn9Go7JVGg77Zbef3YrXtFsbC9Zx9+nWmJI7yuElmKiWJvuMNdbqvxHY9yc6
 jUdw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:references:in-reply-to:from:date
 :message-id:subject:to;
 bh=vz1CUBJyHsgYNOvOI6QvRDnnl9hxHyt4QgV3C8ivx40=;
 b=H25utI9FFjm+zN3MhWN4DQbZcLDnPvmKxhlnbMHIugY3MEL+SJX+xvlkTOe81GYQI5
 DmXrngiiSPtNC0wCuWKRQUsqJcF3PTwFsTYKVDi+lxI3GeeqILzitlNohfvO6wQfCbmt
 35cUv14bij3CoHrTvWPAUmkNTQDHwWYMV7QJqU4jTfaNIpBzkQ/uDi+X+67XfBtrP3Ok
 cnZhyl16DS6RlPAsKqA380zK+5Xbr9Denza0WWSwvv1BMl9utWU8AHwngnPKQOZAwJI4
 UdsLzaYTddrJxf3z12FNIsypbkVQaP+E0eVajY/WcFv0juqE4S0fwSr8yPvq5Y55wdgP
 cVQg==
X-Gm-Message-State: AOAM531M/qyRWcfBJiA427i+AlsoVn/LpRW7mu0iNEgAijU+BCjNKrNf
 rfwyYyZcQcfwrCB/Eur7M+wRgyi9i3LyVOUY
X-Google-Smtp-Source: ABdhPJyu2EqOsHjGy/X4lD0iyUrybgW4B0d4tSwHWXNNUkonq4ZGh3nYpZC1gV3Rhul25jgOjG6+tA==
X-Received: by 2002:a2e:9591:: with SMTP id w17mr5367961ljh.141.1614632338743; 
 Mon, 01 Mar 2021 12:58:58 -0800 (PST)
Received: from mail-lj1-f175.google.com (mail-lj1-f175.google.com.
 [209.85.208.175])
 by smtp.gmail.com with ESMTPSA id d4sm2480330lfq.270.2021.03.01.12.58.57
 for <bitcoin-dev@lists.linuxfoundation.org>
 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
 Mon, 01 Mar 2021 12:58:58 -0800 (PST)
Received: by mail-lj1-f175.google.com with SMTP id h4so21005170ljl.0
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Mon, 01 Mar 2021 12:58:57 -0800 (PST)
X-Received: by 2002:a2e:a58c:: with SMTP id m12mr10512128ljp.444.1614632337565; 
 Mon, 01 Mar 2021 12:58:57 -0800 (PST)
MIME-Version: 1.0
References: <CAFp6fsE6gb2PaL3ikDRjS-hNnPLjvtWB+8qZJr3trQe2K9YN+g@mail.gmail.com>
In-Reply-To: <CAFp6fsE6gb2PaL3ikDRjS-hNnPLjvtWB+8qZJr3trQe2K9YN+g@mail.gmail.com>
From: John Newbery <john@johnnewbery.com>
Date: Mon, 1 Mar 2021 20:58:46 +0000
X-Gmail-Original-Message-ID: <CAFmfg2sT0sVVHOe5ZbDo5iDwE1Tk2oOXJiCKhNZv_hZVOVLbRw@mail.gmail.com>
Message-ID: <CAFmfg2sT0sVVHOe5ZbDo5iDwE1Tk2oOXJiCKhNZv_hZVOVLbRw@mail.gmail.com>
To: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: multipart/alternative; boundary="000000000000ec6f8805bc7fe23a"
X-Mailman-Approved-At: Mon, 01 Mar 2021 21:06:49 +0000
Subject: Re: [bitcoin-dev] Proposal for new "disabletx" p2p message
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Mar 2021 21:04:26 -0000

--000000000000ec6f8805bc7fe23a
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi Suhas,

Thank you for this proposal. I agree with your aims, but I think a new
P2P message isn't necessary to achieve them.

# Motivation

There are two distinct (but interacting) motivations:

1. Allow a node to accept more incoming connections which will only be
   used for block propagation (no transaction relay or addr gossip),
   while minimizing resource requirements.

2. Prevent `addr` gossip messages from being sent to peers which will
   'black hole' those addrs (i.e. not relay them further).

These motivations interact because if we simply increase the number of
block-relay-only connections that nodes make without making any
allowance for the fact those connections won't gossip addr records, then
we'll increase the number of addr black holes and worsen addr gossip.

# Using fRelay=3Dfalse to signal no transaction relay.

`fRelay` is an optional field in the `version` message. There are three
BIPs concerned with `fRelay`:

- BIP 37[1] introduced the `fRelay` field to indicate to the recipient
  that they must not relay transactions over the connection until a
  `filteradd` message has been received.

- BIP 60[2] aimed to make the `fRelay` field mandatory. It is not clear
  how widely this BIP has been adopted by implementations.

- BIP 111[3] introduced a `NODE_BLOOM` service bit to indicate that
  bloom filters are served by this node. According to this BIP, "If a
  node does not support bloom filters but receives a "filterload",
  "filteradd", or "filterclear" message from a peer the node should
  disconnect that peer immediately."

Within Bitcoin Core:

- PR 1795[4] (merged in January 2013) added support for BIP 37 Bloom
  filters.

- Since PR 2763[5] (merged in June 2013), Bitcoin Core will _always_
  include the `fRelay` flag in `version` messages that it sends. Bitcoin
  Core will tolerate the `fRelay` field being present or absent in any
  `version` message that it receives[6].

- PR 6579[7] (merged in August 2015) implemented BIP 111. From that
  point on, a Bitcoin Core node would disconnect peers that sent it
  `filter*` messages if it hadn't enabled `NODE_BLOOM`, provided the
  peer's version was >=3D 70011. In PR 7708[8] (merged in March 2016) this
  was extended to disconnect any peer that sends a `filter*` message,
  regardless of its version (in general, a 'polite disconnect' for any
  peer that requests an unsupported service is probably the best
  behaviour). In PR 16152[9] (merged in July 2019), serving Bloom
  filters was disabled by default, due to potential denial-of-service
  attacks being possible against nodes which serve bloom filters on
  public connections.

- PR 6993[10] (merged in November 2015) started reusing the `fRelay`
  field for the new `-blocksonly` mode. If Bitcoin Core is started with
  `-blocksonly` configured, then it includes `fRelay=3Dfalse` in all of
  the `version` messages it sends. In PR 15759[11] (merged  in September
  2019), this usage of `fRelay` to permanently disable tx relay was
  extended for use by the new block-relay only connection type.

The net effect is that `fRelay` is already being used to indicate that
transactions should not be relayed over a connection. In the motivation
for your BIP, you write:

> The low-bandwidth / minimal-resource nature of these connections is
> currently known only by the initiator of the connection; this is
> because the transaction relay field in the version message is not a
> permanent setting for the lifetime of the connection.  Consequently, a
> node receiving an inbound connection with transaction relay disabled
> cannot distinguish between a peer that will never enable transaction
> relay (as described in BIP 37) and one that will...

However, as AJ points out in his response [12], the Bitcoin Core node
_does_ know whether transaction relay can be supported as soon as the
`version` message is received:

> [...] you either set m_tx_relay->fRelayTxes to true via the VERSION
> message (either explicitly or by not setting fRelay), or you enable it
> later with FILTERLOAD or FILTERCLEAR, both of which will cause a
> disconnect if bloom filters aren't supported. Bloom filter support is
> (optionally?) indicated via a service bit (BIP 111), so you could
> assume you know whether they're supported as soon as you receive the
> VERSION line.

i.e. if Bitcoin Core node is running under normal configuration with
bloom filters disabled for public connections (which is both the default
setting and highly recommended due to DoS concerns), then as soon as it
receives a `version` message with `fRelay=3Dfalse`, it can be sure that
there will never be any transaction relay with that peer. If the peer
later tries to enable transaction relay by sending a `filterload`
message, then the node will disconnect that peer immediately.

In summary, we can continue using the `fRelay` field to indicate that
no transaction relay can happen for the entire lifetime of the
connection.  Bitcoin Core can postpone allocating resources for
transaction relay data structures until after the version message has
been received to minimize resource usage for incoming block-relay-only
connections. A rough implementation is here[13]. Obviously, a node that
has been configured to serve bloom filters on public connections would
not be able to take advantage of this and accept additional incoming
block-relay-only peers, but I think that's fine - we already discourage
that configuration.

I think a good counter-argument against simply using `fRelay` for this
purpose is that we shouldn't reuse a protocol feature designed for one
function to achieve a totally different aim. However, we know that nodes
on the network have been using `fRelay` to disable transaction relay
since Bitcoin Core version 0.12 (when `-blocksonly` was added), and that
usage was expanded to _all_ nodes running Bitcoin Core version 0.19 or
later (when block-relay-only connections were introduced), so using
`fRelay` to disable transaction relay is now de facto part of the p2p
protocol.

# Preventing addr black holes

Addresses of potential peers are gossiped around the p2p network using
`addr` messages. When a Bitcoin Core node learns of a new `addr` record,
it will relay that record to one or two of its peers, chosen at
random[14]. The idea is that eventually the `addr` record will reach
most of the nodes on the network.

If there are too many nodes on the network that receive `addr` records
and do not relay those records on to their peers (termed _addr black
hole_ nodes), then propagation of those `addr` records suffers -- any
individual `addr` record is unlikely to reach a large proportion of
nodes on the network.

Since a motivation for block-relay-only connections is to protect
against eclipse attacks and thwart network topology analysis, Bitcoin
Core will not relay `addr` records on those connections, and will ignore
any `addr` record received over those connections. Therefore, increasing
the number of block-relay-only connections without changing the `addr`
gossip logic is likely to increase the prevalence of addr black holes,
and negatively impact addr propagation. This is why BIP 338 includes:

> It is RECOMMENDED that a node that has sent or received a disabletx
> message to/from a peer not send any of these messages to the peer:
>
> - addr/getaddr
> - addrv2 (BIP 155)

I think a better approach would be for Bitcoin Core to only relay addr
records to an inbound peer if it has previously received an `addr` or
`addrv2` message from that peer, since that indicates definitively that
the peer actively gossips `addr` records. This approach was first
suggested by AJ in the original block-relay-only PR[15].

An advantage of this approach is that it will improve addr propagation
immediately and without any change to the P2P protocol, and will prevent
sending `addr` records to all addr black holes (such as light clients),
not just incoming block-relay-only connections.

# Conclusion

We can increase the permitted number of inbound block-relay-only peers
while minimizing resource requirement _and_ improving addr record
propagation, without any changes to the p2p protocol required.

I propose that for Bitcoin Core version 22.0:

- only initialize the transaction relay data structures after the
  `version` message is received, and only if fRelay=3Dtrue and
  `NODE_BLOOM` is not offered on this connection.
- only initialize the addr data structures for inbound connections when
  an `addr`, `addrv2` or `getaddr` message is received on the
  connection, and only consider a connection for addr relay if its addr
  data structures are initialized.
- update the inbound eviction logic to protect more inbound peers which
  do not have transaction relay data structures.

Then, in version 23.0:

- modestly increase the number of outbound block-relay-only connections.

John

[1] https://github.com/bitcoin/bips/blob/master/bip-0037.mediawiki
[2] https://github.com/bitcoin/bips/blob/master/bip-0060.mediawiki
[3] https://github.com/bitcoin/bips/blob/master/bip-0111.mediawiki
[4] https://github.com/bitcoin/bitcoin/pull/1795
[5] https://github.com/bitcoin/bitcoin/pull/2763
[6]
https://github.com/bitcoin/bitcoin/blob/e49117470b77fb7d53be122c6490ba163c6=
e304d/src/net_processing.cpp#L2582-L2583
[7] https://github.com/bitcoin/bitcoin/pull/6579
[8] https://github.com/bitcoin/bitcoin/pull/7708
[9] https://github.com/bitcoin/bitcoin/pull/16152
[10] https://github.com/bitcoin/bitcoin/pull/6993
[11] https://github.com/bitcoin/bitcoin/pull/15759
[12]
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-January/018347=
.html
[13] https://github.com/jnewbery/bitcoin/tree/2021-02-lazy-init-peer
[14]
https://github.com/bitcoin/bitcoin/blob/e52ce9f2b312b3cf3b0837918e07d7603e2=
41d63/src/net_processing.cpp#L1696-L1700
[15] https://github.com/bitcoin/bitcoin/pull/15759#issuecomment-527012757

> Hi,
>
> I'm proposing the addition of a new, optional p2p message to allow peers
to communicate that they do not want to send or receive (loose)
transactions for the lifetime of a connection.
>
> The goal of this message is to help facilitate connections on the network
over which only block-related data (blocks/headers/compact blocks/etc) are
relayed, to create low-resource connections that help protect against
partition attacks on the network.  In particular, by adding a network
message that communicates that transactions will not be relayed for the
life of the connection, we ease the implementation of software that could
have increased inbound connection limits for such peers, which in turn will
make it easier to add additional persistent block-relay-only connections on
the network -- strengthening network security for little additional
bandwidth.
>
> Software has been deployed for over a year now which makes such
connections, using the BIP37/BIP60 "fRelay" field in the version message to
signal that transactions should not be sent initially.  However, BIP37
allows for transaction relay to be enabled later in the connection's
lifetime, complicating software that would try to distinguish inbound peers
that will never relay transactions from those that might.
>
> This proposal would add a single new p2p message, "disabletx", which (if
used at all) must be sent between version and verack.  I propose that this
message is valid for peers advertising protocol version 70017 or higher.
Software is free to implement this BIP or ignore this message and remain
compatible with software that does implement it.
>
> Full text of the proposed BIP is below.
>
> Thanks,
> Suhas
>
> ---------------------------------------------------
>
> <pre>
>   BIP: XXX
>   Layer: Peer Services
>   Title: Disable transaction relay message
>   Author: Suhas Daftuar <sdaftuar@chaincode.com>
>   Comments-Summary: No comments yet.
>   Comments-URI:
>   Status: Draft
>   Type: Standards Track
>   Created: 2020-09-03
>   License: BSD-2-Clause
> </pre>
>
> =3D=3DAbstract=3D=3D
>
> This BIP describes a change to the p2p protocol to allow a node to tell a
peer
> that a connection will not be used for transaction relay, to support
> block-relay-only connections that are currently in use on the network.
>
> =3D=3DMotivation=3D=3D
>
> For nearly the past year, software has been deployed[1] which initiates
> connections on the Bitcoin network and sets the transaction relay field
> (introduced by BIP 37 and also defined in BIP 60) to false, to prevent
> transaction relay from occurring on the connection. Additionally, addr
messages
> received from the peer are ignored by this software.
>
> The purpose of these connections is two-fold: by making additional
> low-bandwidth connections on which blocks can propagate, the robustness
of a
> node to network partitioning attacks is strengthened.  Additionally, by
not
> relaying transactions and ignoring received addresses, the ability of an
> adversary to learn the complete network graph (or a subgraph) is
reduced[2],
> which in turn increases the cost or difficulty to an attacker seeking to
carry
> out a network partitioning attack (when compared with having such
knowledge).
>
> The low-bandwidth / minimal-resource nature of these connections is
currently
> known only by the initiator of the connection; this is because the
transaction
> relay field in the version message is not a permanent setting for the
lifetime
> of the connection.  Consequently, a node receiving an inbound connection
with
> transaction relay disabled cannot distinguish between a peer that will
never
> enable transaction relay (as described in BIP 37) and one that will.
Moreover,
> the node also cannot determine that the incoming connection will ignore
relayed
> addresses; with that knowledge a node would likely choose other peers to
> receive announced addresses instead.
>
> This proposal adds a new, optional message that a node can send a peer
when
> initiating a connection to that peer, to indicate that connection should
not be
> used for transaction-relay for the connection's lifetime. In addition,
without
> a current mechanism to negotiate whether addresses should be relayed on a
> connection, this BIP suggests that address messages not be sent on links
where
> tx-relay has been disabled.
>
> =3D=3DSpecification=3D=3D
>
> # A new disabletx message is added, which is defined as an empty message
where pchCommand =3D=3D "disabletx".
> # The protocol version of nodes implementing this BIP must be set to
70017 or higher.
> # If a node sets the transaction relay field in the version message to a
peer to false, then the disabletx message MAY also be sent in response to a
version message from that peer if the peer's protocol version is >=3D 70017=
.
If sent, the disabletx message MUST be sent prior to sending a verack.
> # A node that has sent or received a disabletx message to/from a peer
MUST NOT send any of these messages to the peer:
> ## inv messages for transactions
> ## getdata messages for transactions
> ## getdata messages for merkleblock (BIP 37)
> ## filteradd/filterload/filterclear (BIP 37)
> ## mempool (BIP 35)
> # It is RECOMMENDED that a node that has sent or received a disabletx
message to/from a peer not send any of these messages to the peer:
> ## addr/getaddr
> ## addrv2 (BIP 155)
> # The behavior regarding sending or processing other message types is not
specified by this BIP.
> # Nodes MAY decide to not remain connected to peers that send this
message (for example, if trying to find a peer that will relay
transactions).
>
> =3D=3DCompatibility=3D=3D
>
> Nodes with protocol version >=3D 70017 that do not implement this BIP, an=
d
nodes
> with protocol version < 70017, will continue to remain compatible with
> implementing software: transactions would not be relayed to peers sending
the
> disabletx message (provided that BIP 37 or BIP 60 has been implemented),
and while
> periodic address relay may still take place, software implementing this
BIP
> should not be disconnecting such peers solely for that reason.
>
> Disabling address relay is suggested but not required by this BIP, to
allow for
> future protocol extensions that might specify more carefully how address
relay
> is to be negotiated. This BIP's recommendations for software to not relay
> addresses is intended to be interpreted as guidance in the absence of any
such
> future protocol extension, to accommodate existing software behavior.
>
> Note that all messages specified in BIP 152, including blocktxn and
> getblocktxn, are permitted between peers that have sent/received a
disabletx
> message, subject to the feature negotiation of BIP 152.
>
> =3D=3DImplementation=3D=3D
>
> TBD
>
> =3D=3DReferences=3D=3D
>
> # Bitcoin Core has [https://github.com/bitcoin/bitcoin/pull/15759
implemented this functionality] since version 0.19.0.1, released in
November 2019.
> # For example, see https://www.cs.umd.edu/projects/coinscope/coinscope.pd=
f
and https://arxiv.org/pdf/1812.00942.pdf.
>
> =3D=3DCopyright=3D=3D
>
> This BIP is licensed under the 2-clause BSD license.

On Wed, Jan 6, 2021 at 4:35 PM Suhas Daftuar via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> Hi,
>
> I'm proposing the addition of a new, optional p2p message to allow peers
> to communicate that they do not want to send or receive (loose)
> transactions for the lifetime of a connection.
>
> The goal of this message is to help facilitate connections on the network
> over which only block-related data (blocks/headers/compact blocks/etc) ar=
e
> relayed, to create low-resource connections that help protect against
> partition attacks on the network.  In particular, by adding a network
> message that communicates that transactions will not be relayed for the
> life of the connection, we ease the implementation of software that could
> have increased inbound connection limits for such peers, which in turn wi=
ll
> make it easier to add additional persistent block-relay-only connections =
on
> the network -- strengthening network security for little additional
> bandwidth.
>
> Software has been deployed for over a year now which makes such
> connections, using the BIP37/BIP60 "fRelay" field in the version message =
to
> signal that transactions should not be sent initially.  However, BIP37
> allows for transaction relay to be enabled later in the connection's
> lifetime, complicating software that would try to distinguish inbound pee=
rs
> that will never relay transactions from those that might.
>
> This proposal would add a single new p2p message, "disabletx", which (if
> used at all) must be sent between version and verack.  I propose that thi=
s
> message is valid for peers advertising protocol version 70017 or higher.
> Software is free to implement this BIP or ignore this message and remain
> compatible with software that does implement it.
>
> Full text of the proposed BIP is below.
>
> Thanks,
> Suhas
>
> ---------------------------------------------------
>
> <pre>
>   BIP: XXX
>   Layer: Peer Services
>   Title: Disable transaction relay message
>   Author: Suhas Daftuar <sdaftuar@chaincode.com>
>   Comments-Summary: No comments yet.
>   Comments-URI:
>   Status: Draft
>   Type: Standards Track
>   Created: 2020-09-03
>   License: BSD-2-Clause
> </pre>
>
> =3D=3DAbstract=3D=3D
>
> This BIP describes a change to the p2p protocol to allow a node to tell a=
 peer
> that a connection will not be used for transaction relay, to support
> block-relay-only connections that are currently in use on the network.
>
> =3D=3DMotivation=3D=3D
>
> For nearly the past year, software has been deployed[1] which initiates
> connections on the Bitcoin network and sets the transaction relay field
> (introduced by BIP 37 and also defined in BIP 60) to false, to prevent
> transaction relay from occurring on the connection. Additionally, addr me=
ssages
> received from the peer are ignored by this software.
>
> The purpose of these connections is two-fold: by making additional
> low-bandwidth connections on which blocks can propagate, the robustness o=
f a
> node to network partitioning attacks is strengthened.  Additionally, by n=
ot
> relaying transactions and ignoring received addresses, the ability of an
> adversary to learn the complete network graph (or a subgraph) is reduced[=
2],
> which in turn increases the cost or difficulty to an attacker seeking to =
carry
> out a network partitioning attack (when compared with having such knowled=
ge).
>
> The low-bandwidth / minimal-resource nature of these connections is curre=
ntly
> known only by the initiator of the connection; this is because the transa=
ction
> relay field in the version message is not a permanent setting for the lif=
etime
> of the connection.  Consequently, a node receiving an inbound connection =
with
> transaction relay disabled cannot distinguish between a peer that will ne=
ver
> enable transaction relay (as described in BIP 37) and one that will.  Mor=
eover,
> the node also cannot determine that the incoming connection will ignore r=
elayed
> addresses; with that knowledge a node would likely choose other peers to
> receive announced addresses instead.
>
> This proposal adds a new, optional message that a node can send a peer wh=
en
> initiating a connection to that peer, to indicate that connection should =
not be
> used for transaction-relay for the connection's lifetime. In addition, wi=
thout
> a current mechanism to negotiate whether addresses should be relayed on a
> connection, this BIP suggests that address messages not be sent on links =
where
> tx-relay has been disabled.
>
> =3D=3DSpecification=3D=3D
>
> # A new disabletx message is added, which is defined as an empty message =
where pchCommand =3D=3D "disabletx".
> # The protocol version of nodes implementing this BIP must be set to 7001=
7 or higher.
> # If a node sets the transaction relay field in the version message to a =
peer to false, then the disabletx message MAY also be sent in response to a=
 version message from that peer if the peer's protocol version is >=3D 7001=
7. If sent, the disabletx message MUST be sent prior to sending a verack.
> # A node that has sent or received a disabletx message to/from a peer MUS=
T NOT send any of these messages to the peer:
> ## inv messages for transactions
> ## getdata messages for transactions
> ## getdata messages for merkleblock (BIP 37)
> ## filteradd/filterload/filterclear (BIP 37)
> ## mempool (BIP 35)
> # It is RECOMMENDED that a node that has sent or received a disabletx mes=
sage to/from a peer not send any of these messages to the peer:
> ## addr/getaddr
> ## addrv2 (BIP 155)
> # The behavior regarding sending or processing other message types is not=
 specified by this BIP.
> # Nodes MAY decide to not remain connected to peers that send this messag=
e (for example, if trying to find a peer that will relay transactions).
>
> =3D=3DCompatibility=3D=3D
>
> Nodes with protocol version >=3D 70017 that do not implement this BIP, an=
d nodes
> with protocol version < 70017, will continue to remain compatible with
> implementing software: transactions would not be relayed to peers sending=
 the
> disabletx message (provided that BIP 37 or BIP 60 has been implemented), =
and while
> periodic address relay may still take place, software implementing this B=
IP
> should not be disconnecting such peers solely for that reason.
>
> Disabling address relay is suggested but not required by this BIP, to all=
ow for
> future protocol extensions that might specify more carefully how address =
relay
> is to be negotiated. This BIP's recommendations for software to not relay
> addresses is intended to be interpreted as guidance in the absence of any=
 such
> future protocol extension, to accommodate existing software behavior.
>
> Note that all messages specified in BIP 152, including blocktxn and
> getblocktxn, are permitted between peers that have sent/received a disabl=
etx
> message, subject to the feature negotiation of BIP 152.
>
> =3D=3DImplementation=3D=3D
>
> TBD
>
> =3D=3DReferences=3D=3D
>
> # Bitcoin Core has [https://github.com/bitcoin/bitcoin/pull/15759 impleme=
nted this functionality] since version 0.19.0.1, released in November 2019.
> # For example, see https://www.cs.umd.edu/projects/coinscope/coinscope.pd=
f and https://arxiv.org/pdf/1812.00942.pdf.
>
> =3D=3DCopyright=3D=3D
>
> This BIP is licensed under the 2-clause BSD license.
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>

--000000000000ec6f8805bc7fe23a
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Hi Suhas,<br><br>Thank you for this proposal. I agree with=
 your aims, but I think a new<br>P2P message isn&#39;t necessary to achieve=
 them.<br><br># Motivation<br><br>There are two distinct (but interacting) =
motivations:<br><br>1. Allow a node to accept more incoming connections whi=
ch will only be<br>=C2=A0 =C2=A0used for block propagation (no transaction =
relay or addr gossip),<br>=C2=A0 =C2=A0while minimizing resource requiremen=
ts.<br><br>2. Prevent `addr` gossip messages from being sent to peers which=
 will<br>=C2=A0 =C2=A0&#39;black hole&#39; those addrs (i.e. not relay them=
 further).<br><br>These motivations interact because if we simply increase =
the number of<br>block-relay-only connections that nodes make without makin=
g any<br>allowance for the fact those connections won&#39;t gossip addr rec=
ords, then<br>we&#39;ll increase the number of addr black holes and worsen =
addr gossip.<br><br># Using fRelay=3Dfalse to signal no transaction relay.<=
br><br>`fRelay` is an optional field in the `version` message. There are th=
ree<br>BIPs concerned with `fRelay`:<br><br>- BIP 37[1] introduced the `fRe=
lay` field to indicate to the recipient<br>=C2=A0 that they must not relay =
transactions over the connection until a<br>=C2=A0 `filteradd` message has =
been received.<br><br>- BIP 60[2] aimed to make the `fRelay` field mandator=
y. It is not clear<br>=C2=A0 how widely this BIP has been adopted by implem=
entations.<br><br>- BIP 111[3] introduced a `NODE_BLOOM` service bit to ind=
icate that<br>=C2=A0 bloom filters are served by this node. According to th=
is BIP, &quot;If a<br>=C2=A0 node does not support bloom filters but receiv=
es a &quot;filterload&quot;,<br>=C2=A0 &quot;filteradd&quot;, or &quot;filt=
erclear&quot; message from a peer the node should<br>=C2=A0 disconnect that=
 peer immediately.&quot;<br><br>Within Bitcoin Core:<br><br>- PR 1795[4] (m=
erged in January 2013) added support for BIP 37 Bloom<br>=C2=A0 filters.<br=
><br>- Since PR 2763[5] (merged in June 2013), Bitcoin Core will _always_<b=
r>=C2=A0 include the `fRelay` flag in `version` messages that it sends. Bit=
coin<br>=C2=A0 Core will tolerate the `fRelay` field being present or absen=
t in any<br>=C2=A0 `version` message that it receives[6].<br><br>- PR 6579[=
7] (merged in August 2015) implemented BIP 111. From that<br>=C2=A0 point o=
n, a Bitcoin Core node would disconnect peers that sent it<br>=C2=A0 `filte=
r*` messages if it hadn&#39;t enabled `NODE_BLOOM`, provided the<br>=C2=A0 =
peer&#39;s version was &gt;=3D 70011. In PR 7708[8] (merged in March 2016) =
this<br>=C2=A0 was extended to disconnect any peer that sends a `filter*` m=
essage,<br>=C2=A0 regardless of its version (in general, a &#39;polite disc=
onnect&#39; for any<br>=C2=A0 peer that requests an unsupported service is =
probably the best<br>=C2=A0 behaviour). In PR 16152[9] (merged in July 2019=
), serving Bloom<br>=C2=A0 filters was disabled by default, due to potentia=
l denial-of-service<br>=C2=A0 attacks being possible against nodes which se=
rve bloom filters on<br>=C2=A0 public connections.<br><br>- PR 6993[10] (me=
rged in November 2015) started reusing the `fRelay`<br>=C2=A0 field for the=
 new `-blocksonly` mode. If Bitcoin Core is started with<br>=C2=A0 `-blocks=
only` configured, then it includes `fRelay=3Dfalse` in all of<br>=C2=A0 the=
 `version` messages it sends. In PR 15759[11] (merged =C2=A0in September<br=
>=C2=A0 2019), this usage of `fRelay` to permanently disable tx relay was<b=
r>=C2=A0 extended for use by the new block-relay only connection type.<br><=
br>The net effect is that `fRelay` is already being used to indicate that<b=
r>transactions should not be relayed over a connection. In the motivation<b=
r>for your BIP, you write:<br><br>&gt; The low-bandwidth / minimal-resource=
 nature of these connections is<br>&gt; currently known only by the initiat=
or of the connection; this is<br>&gt; because the transaction relay field i=
n the version message is not a<br>&gt; permanent setting for the lifetime o=
f the connection.=C2=A0 Consequently, a<br>&gt; node receiving an inbound c=
onnection with transaction relay disabled<br>&gt; cannot distinguish betwee=
n a peer that will never enable transaction<br>&gt; relay (as described in =
BIP 37) and one that will...<br><br>However, as AJ points out in his respon=
se [12], the Bitcoin Core node<br>_does_ know whether transaction relay can=
 be supported as soon as the<br>`version` message is received:<br><br>&gt; =
[...] you either set m_tx_relay-&gt;fRelayTxes to true via the VERSION<br>&=
gt; message (either explicitly or by not setting fRelay), or you enable it<=
br>&gt; later with FILTERLOAD or FILTERCLEAR, both of which will cause a<br=
>&gt; disconnect if bloom filters aren&#39;t supported. Bloom filter suppor=
t is<br>&gt; (optionally?) indicated via a service bit (BIP 111), so you co=
uld<br>&gt; assume you know whether they&#39;re supported as soon as you re=
ceive the<br>&gt; VERSION line.<br><br>i.e. if Bitcoin Core node is running=
 under normal configuration with<br>bloom filters disabled for public conne=
ctions (which is both the default<br>setting and highly recommended due to =
DoS concerns), then as soon as it<br>receives a `version` message with `fRe=
lay=3Dfalse`, it can be sure that<br>there will never be any transaction re=
lay with that peer. If the peer<br>later tries to enable transaction relay =
by sending a `filterload`<br>message, then the node will disconnect that pe=
er immediately.<br><br>In summary, we can continue using the `fRelay` field=
 to indicate that<br>no transaction relay can happen for the entire lifetim=
e of the<br>connection.=C2=A0 Bitcoin Core can postpone allocating resource=
s for<br>transaction relay data structures until after the version message =
has<br>been received to minimize resource usage for incoming block-relay-on=
ly<br>connections. A rough implementation is here[13]. Obviously, a node th=
at<br>has been configured to serve bloom filters on public connections woul=
d<br>not be able to take advantage of this and accept additional incoming<b=
r>block-relay-only peers, but I think that&#39;s fine - we already discoura=
ge<br>that configuration.<br><br>I think a good counter-argument against si=
mply using `fRelay` for this<br>purpose is that we shouldn&#39;t reuse a pr=
otocol feature designed for one<br>function to achieve a totally different =
aim. However, we know that nodes<br>on the network have been using `fRelay`=
 to disable transaction relay<br>since Bitcoin Core version 0.12 (when `-bl=
ocksonly` was added), and that<br>usage was expanded to _all_ nodes running=
 Bitcoin Core version 0.19 or<br>later (when block-relay-only connections w=
ere introduced), so using<br>`fRelay` to disable transaction relay is now d=
e facto part of the p2p<br>protocol.<br><br># Preventing addr black holes<b=
r><br>Addresses of potential peers are gossiped around the p2p network usin=
g<br>`addr` messages. When a Bitcoin Core node learns of a new `addr` recor=
d,<br>it will relay that record to one or two of its peers, chosen at<br>ra=
ndom[14]. The idea is that eventually the `addr` record will reach<br>most =
of the nodes on the network.<br><br>If there are too many nodes on the netw=
ork that receive `addr` records<br>and do not relay those records on to the=
ir peers (termed _addr black<br>hole_ nodes), then propagation of those `ad=
dr` records suffers -- any<br>individual `addr` record is unlikely to reach=
 a large proportion of<br>nodes on the network.<br><br>Since a motivation f=
or block-relay-only connections is to protect<br>against eclipse attacks an=
d thwart network topology analysis, Bitcoin<br>Core will not relay `addr` r=
ecords on those connections, and will ignore<br>any `addr` record received =
over those connections. Therefore, increasing<br>the number of block-relay-=
only connections without changing the `addr`<br>gossip logic is likely to i=
ncrease the prevalence of addr black holes,<br>and negatively impact addr p=
ropagation. This is why BIP 338 includes:<br><br>&gt; It is RECOMMENDED tha=
t a node that has sent or received a disabletx<br>&gt; message to/from a pe=
er not send any of these messages to the peer:<br>&gt; <br>&gt; - addr/geta=
ddr<br>&gt; - addrv2 (BIP 155)<br><br>I think a better approach would be fo=
r Bitcoin Core to only relay addr<br>records to an inbound peer if it has p=
reviously received an `addr` or<br>`addrv2` message from that peer, since t=
hat indicates definitively that<br>the peer actively gossips `addr` records=
. This approach was first<br>suggested by AJ in the original block-relay-on=
ly PR[15].<br><br>An advantage of this approach is that it will improve add=
r propagation<br>immediately and without any change to the P2P protocol, an=
d will prevent<br>sending `addr` records to all addr black holes (such as l=
ight clients),<br>not just incoming block-relay-only connections.<br><br># =
Conclusion<br><br>We can increase the permitted number of inbound block-rel=
ay-only peers<br>while minimizing resource requirement _and_ improving addr=
 record<br>propagation, without any changes to the p2p protocol required.<b=
r><br>I propose that for Bitcoin Core version 22.0:<br><br>- only initializ=
e the transaction relay data structures after the<br>=C2=A0 `version` messa=
ge is received, and only if fRelay=3Dtrue and<br>=C2=A0 `NODE_BLOOM` is not=
 offered on this connection.<br>- only initialize the addr data structures =
for inbound connections when<br>=C2=A0 an `addr`, `addrv2` or `getaddr` mes=
sage is received on the<br>=C2=A0 connection, and only consider a connectio=
n for addr relay if its addr<br>=C2=A0 data structures are initialized.<br>=
- update the inbound eviction logic to protect more inbound peers which<br>=
=C2=A0 do not have transaction relay data structures.<br><br>Then, in versi=
on 23.0:<br><br>- modestly increase the number of outbound block-relay-only=
 connections.<br><br>John<br><br>[1] <a href=3D"https://github.com/bitcoin/=
bips/blob/master/bip-0037.mediawiki">https://github.com/bitcoin/bips/blob/m=
aster/bip-0037.mediawiki</a><br>[2] <a href=3D"https://github.com/bitcoin/b=
ips/blob/master/bip-0060.mediawiki">https://github.com/bitcoin/bips/blob/ma=
ster/bip-0060.mediawiki</a><br>[3] <a href=3D"https://github.com/bitcoin/bi=
ps/blob/master/bip-0111.mediawiki">https://github.com/bitcoin/bips/blob/mas=
ter/bip-0111.mediawiki</a><br>[4] <a href=3D"https://github.com/bitcoin/bit=
coin/pull/1795">https://github.com/bitcoin/bitcoin/pull/1795</a><br>[5] <a =
href=3D"https://github.com/bitcoin/bitcoin/pull/2763">https://github.com/bi=
tcoin/bitcoin/pull/2763</a><br>[6] <a href=3D"https://github.com/bitcoin/bi=
tcoin/blob/e49117470b77fb7d53be122c6490ba163c6e304d/src/net_processing.cpp#=
L2582-L2583">https://github.com/bitcoin/bitcoin/blob/e49117470b77fb7d53be12=
2c6490ba163c6e304d/src/net_processing.cpp#L2582-L2583</a><br>[7] <a href=3D=
"https://github.com/bitcoin/bitcoin/pull/6579">https://github.com/bitcoin/b=
itcoin/pull/6579</a><br>[8] <a href=3D"https://github.com/bitcoin/bitcoin/p=
ull/7708">https://github.com/bitcoin/bitcoin/pull/7708</a><br>[9] <a href=
=3D"https://github.com/bitcoin/bitcoin/pull/16152">https://github.com/bitco=
in/bitcoin/pull/16152</a><br>[10] <a href=3D"https://github.com/bitcoin/bit=
coin/pull/6993">https://github.com/bitcoin/bitcoin/pull/6993</a><br>[11] <a=
 href=3D"https://github.com/bitcoin/bitcoin/pull/15759">https://github.com/=
bitcoin/bitcoin/pull/15759</a><br>[12] <a href=3D"https://lists.linuxfounda=
tion.org/pipermail/bitcoin-dev/2021-January/018347.html">https://lists.linu=
xfoundation.org/pipermail/bitcoin-dev/2021-January/018347.html</a><br>[13] =
<a href=3D"https://github.com/jnewbery/bitcoin/tree/2021-02-lazy-init-peer"=
>https://github.com/jnewbery/bitcoin/tree/2021-02-lazy-init-peer</a><br>[14=
] <a href=3D"https://github.com/bitcoin/bitcoin/blob/e52ce9f2b312b3cf3b0837=
918e07d7603e241d63/src/net_processing.cpp#L1696-L1700">https://github.com/b=
itcoin/bitcoin/blob/e52ce9f2b312b3cf3b0837918e07d7603e241d63/src/net_proces=
sing.cpp#L1696-L1700</a><br>[15] <a href=3D"https://github.com/bitcoin/bitc=
oin/pull/15759#issuecomment-527012757">https://github.com/bitcoin/bitcoin/p=
ull/15759#issuecomment-527012757</a><br><br>&gt; Hi,<br>&gt; <br>&gt; I&#39=
;m proposing the addition of a new, optional p2p message to allow peers to =
communicate that they do not want to send or receive (loose) transactions f=
or the lifetime of a connection. <br>&gt; <br>&gt; The goal of this message=
 is to help facilitate connections on the network over which only block-rel=
ated data (blocks/headers/compact blocks/etc) are relayed, to create low-re=
source connections that help protect against partition attacks on the netwo=
rk.=C2=A0 In particular, by adding a network message that communicates that=
 transactions will not be relayed for the life of the connection, we ease t=
he implementation of software that could have increased inbound connection =
limits for such peers, which in turn will make it easier to add additional =
persistent block-relay-only connections on the network -- strengthening net=
work security for little additional bandwidth.<br>&gt; <br>&gt; Software ha=
s been deployed for over a year now which makes such connections, using the=
 BIP37/BIP60 &quot;fRelay&quot; field in the version message to signal that=
 transactions should not be sent initially.=C2=A0 However, BIP37 allows for=
 transaction relay to be enabled later in the connection&#39;s lifetime, co=
mplicating software that would try to distinguish inbound peers that will n=
ever relay transactions from those that might.<br>&gt; <br>&gt; This propos=
al would add a single new p2p message, &quot;disabletx&quot;, which (if use=
d at all) must be sent between version and verack.=C2=A0 I propose that thi=
s message is valid for peers advertising protocol version 70017 or higher.=
=C2=A0 Software is free to implement this BIP or ignore this message and re=
main compatible with software that does implement it.<br>&gt; <br>&gt; Full=
 text of the proposed BIP is below.<br>&gt; <br>&gt; Thanks,<br>&gt; Suhas<=
br>&gt; <br>&gt; ---------------------------------------------------<br>&gt=
; <br>&gt; &lt;pre&gt;<br>&gt; =C2=A0 BIP: XXX<br>&gt; =C2=A0 Layer: Peer S=
ervices<br>&gt; =C2=A0 Title: Disable transaction relay message<br>&gt; =C2=
=A0 Author: Suhas Daftuar &lt;<a href=3D"mailto:sdaftuar@chaincode.com">sda=
ftuar@chaincode.com</a>&gt;<br>&gt; =C2=A0 Comments-Summary: No comments ye=
t.<br>&gt; =C2=A0 Comments-URI:<br>&gt; =C2=A0 Status: Draft<br>&gt; =C2=A0=
 Type: Standards Track<br>&gt; =C2=A0 Created: 2020-09-03<br>&gt; =C2=A0 Li=
cense: BSD-2-Clause<br>&gt; &lt;/pre&gt;<br>&gt; <br>&gt; =3D=3DAbstract=3D=
=3D<br>&gt; <br>&gt; This BIP describes a change to the p2p protocol to all=
ow a node to tell a peer<br>&gt; that a connection will not be used for tra=
nsaction relay, to support<br>&gt; block-relay-only connections that are cu=
rrently in use on the network.<br>&gt; <br>&gt; =3D=3DMotivation=3D=3D<br>&=
gt; <br>&gt; For nearly the past year, software has been deployed[1] which =
initiates<br>&gt; connections on the Bitcoin network and sets the transacti=
on relay field<br>&gt; (introduced by BIP 37 and also defined in BIP 60) to=
 false, to prevent<br>&gt; transaction relay from occurring on the connecti=
on. Additionally, addr messages<br>&gt; received from the peer are ignored =
by this software.<br>&gt; <br>&gt; The purpose of these connections is two-=
fold: by making additional<br>&gt; low-bandwidth connections on which block=
s can propagate, the robustness of a<br>&gt; node to network partitioning a=
ttacks is strengthened.=C2=A0 Additionally, by not<br>&gt; relaying transac=
tions and ignoring received addresses, the ability of an<br>&gt; adversary =
to learn the complete network graph (or a subgraph) is reduced[2],<br>&gt; =
which in turn increases the cost or difficulty to an attacker seeking to ca=
rry<br>&gt; out a network partitioning attack (when compared with having su=
ch knowledge).<br>&gt; <br>&gt; The low-bandwidth / minimal-resource nature=
 of these connections is currently<br>&gt; known only by the initiator of t=
he connection; this is because the transaction<br>&gt; relay field in the v=
ersion message is not a permanent setting for the lifetime<br>&gt; of the c=
onnection.=C2=A0 Consequently, a node receiving an inbound connection with<=
br>&gt; transaction relay disabled cannot distinguish between a peer that w=
ill never<br>&gt; enable transaction relay (as described in BIP 37) and one=
 that will.=C2=A0 Moreover,<br>&gt; the node also cannot determine that the=
 incoming connection will ignore relayed<br>&gt; addresses; with that knowl=
edge a node would likely choose other peers to<br>&gt; receive announced ad=
dresses instead.<br>&gt; <br>&gt; This proposal adds a new, optional messag=
e that a node can send a peer when<br>&gt; initiating a connection to that =
peer, to indicate that connection should not be<br>&gt; used for transactio=
n-relay for the connection&#39;s lifetime. In addition, without<br>&gt; a c=
urrent mechanism to negotiate whether addresses should be relayed on a<br>&=
gt; connection, this BIP suggests that address messages not be sent on link=
s where<br>&gt; tx-relay has been disabled.<br>&gt; <br>&gt; =3D=3DSpecific=
ation=3D=3D<br>&gt; <br>&gt; # A new disabletx message is added, which is d=
efined as an empty message where pchCommand =3D=3D &quot;disabletx&quot;.<b=
r>&gt; # The protocol version of nodes implementing this BIP must be set to=
 70017 or higher.<br>&gt; # If a node sets the transaction relay field in t=
he version message to a peer to false, then the disabletx message MAY also =
be sent in response to a version message from that peer if the peer&#39;s p=
rotocol version is &gt;=3D 70017. If sent, the disabletx message MUST be se=
nt prior to sending a verack.<br>&gt; # A node that has sent or received a =
disabletx message to/from a peer MUST NOT send any of these messages to the=
 peer:<br>&gt; ## inv messages for transactions<br>&gt; ## getdata messages=
 for transactions<br>&gt; ## getdata messages for merkleblock (BIP 37)<br>&=
gt; ## filteradd/filterload/filterclear (BIP 37)<br>&gt; ## mempool (BIP 35=
)<br>&gt; # It is RECOMMENDED that a node that has sent or received a disab=
letx message to/from a peer not send any of these messages to the peer:<br>=
&gt; ## addr/getaddr<br>&gt; ## addrv2 (BIP 155)<br>&gt; # The behavior reg=
arding sending or processing other message types is not specified by this B=
IP.<br>&gt; # Nodes MAY decide to not remain connected to peers that send t=
his message (for example, if trying to find a peer that will relay transact=
ions).<br>&gt; <br>&gt; =3D=3DCompatibility=3D=3D<br>&gt; <br>&gt; Nodes wi=
th protocol version &gt;=3D 70017 that do not implement this BIP, and nodes=
<br>&gt; with protocol version &lt; 70017, will continue to remain compatib=
le with<br>&gt; implementing software: transactions would not be relayed to=
 peers sending the<br>&gt; disabletx message (provided that BIP 37 or BIP 6=
0 has been implemented), and while<br>&gt; periodic address relay may still=
 take place, software implementing this BIP<br>&gt; should not be disconnec=
ting such peers solely for that reason.<br>&gt; <br>&gt; Disabling address =
relay is suggested but not required by this BIP, to allow for<br>&gt; futur=
e protocol extensions that might specify more carefully how address relay<b=
r>&gt; is to be negotiated. This BIP&#39;s recommendations for software to =
not relay<br>&gt; addresses is intended to be interpreted as guidance in th=
e absence of any such<br>&gt; future protocol extension, to accommodate exi=
sting software behavior.<br>&gt; <br>&gt; Note that all messages specified =
in BIP 152, including blocktxn and<br>&gt; getblocktxn, are permitted betwe=
en peers that have sent/received a disabletx<br>&gt; message, subject to th=
e feature negotiation of BIP 152.<br>&gt; <br>&gt; =3D=3DImplementation=3D=
=3D<br>&gt; <br>&gt; TBD<br>&gt; <br>&gt; =3D=3DReferences=3D=3D<br>&gt; <b=
r>&gt; # Bitcoin Core has [<a href=3D"https://github.com/bitcoin/bitcoin/pu=
ll/15759">https://github.com/bitcoin/bitcoin/pull/15759</a> implemented thi=
s functionality] since version 0.19.0.1, released in November 2019.<br>&gt;=
 # For example, see <a href=3D"https://www.cs.umd.edu/projects/coinscope/co=
inscope.pdf">https://www.cs.umd.edu/projects/coinscope/coinscope.pdf</a> an=
d <a href=3D"https://arxiv.org/pdf/1812.00942.pdf">https://arxiv.org/pdf/18=
12.00942.pdf</a>.<br>&gt; <br>&gt; =3D=3DCopyright=3D=3D<br>&gt; <br>&gt; T=
his BIP is licensed under the 2-clause BSD license.<br></div><br><div class=
=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Wed, Jan 6, 2021 =
at 4:35 PM Suhas Daftuar via bitcoin-dev &lt;<a href=3D"mailto:bitcoin-dev@=
lists.linuxfoundation.org">bitcoin-dev@lists.linuxfoundation.org</a>&gt; wr=
ote:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px=
 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir=3D=
"ltr">Hi,<div><br></div><div>I&#39;m proposing the addition of a new, optio=
nal p2p message to allow peers to communicate that they do not want to send=
 or receive (loose) transactions for the lifetime of a connection.=C2=A0</d=
iv><div><br></div><div>The goal of this message is to help facilitate=C2=A0=
connections on the network over which only block-related data (blocks/heade=
rs/compact blocks/etc) are relayed, to create low-resource connections that=
 help protect against partition attacks on the network.=C2=A0 In particular=
, by adding a network message that communicates that transactions will not =
be relayed for the life of the connection, we ease the implementation of so=
ftware that could have increased inbound connection limits for such peers, =
which in turn will make it easier to add additional persistent block-relay-=
only connections on the network -- strengthening network security for littl=
e additional bandwidth.</div><div><br></div><div>Software has been deployed=
 for over a year now which makes such connections, using the BIP37/BIP60 &q=
uot;fRelay&quot; field in the version message to signal that transactions s=
hould not be sent initially.=C2=A0 However, BIP37 allows for transaction re=
lay to be enabled=C2=A0later in the connection&#39;s lifetime, complicating=
 software that would try to distinguish inbound peers that will never relay=
 transactions from those that might.</div><div><br></div><div>This proposal=
 would add a single new p2p message, &quot;disabletx&quot;, which (if used =
at all) must be sent between version and verack.=C2=A0 I propose that this =
message is valid for peers advertising protocol version 70017 or higher.=C2=
=A0 Software=C2=A0is free to implement this BIP or ignore this message and =
remain compatible with software that does implement it.</div><div><br></div=
><div>Full text of the proposed BIP is below.</div><div><br></div><div>Than=
ks,<br></div><div>Suhas<br></div><div><br></div><div>----------------------=
-----------------------------</div><div><br></div><div><pre style=3D"color:=
rgb(0,0,0);white-space:pre-wrap">&lt;pre&gt;
  BIP: XXX
  Layer: Peer Services
  Title: Disable transaction relay message
  Author: Suhas Daftuar &lt;<a href=3D"mailto:sdaftuar@chaincode.com" targe=
t=3D"_blank">sdaftuar@chaincode.com</a>&gt;
  Comments-Summary: No comments yet.
  Comments-URI:
  Status: Draft
  Type: Standards Track
  Created: 2020-09-03
  License: BSD-2-Clause
&lt;/pre&gt;

=3D=3DAbstract=3D=3D

This BIP describes a change to the p2p protocol to allow a node to tell a p=
eer
that a connection will not be used for transaction relay, to support
block-relay-only connections that are currently in use on the network.

=3D=3DMotivation=3D=3D

For nearly the past year, software has been deployed[1] which initiates
connections on the Bitcoin network and sets the transaction relay field
(introduced by BIP 37 and also defined in BIP 60) to false, to prevent
transaction relay from occurring on the connection. Additionally, addr mess=
ages
received from the peer are ignored by this software.

The purpose of these connections is two-fold: by making additional
low-bandwidth connections on which blocks can propagate, the robustness of =
a
node to network partitioning attacks is strengthened.  Additionally, by not
relaying transactions and ignoring received addresses, the ability of an
adversary to learn the complete network graph (or a subgraph) is reduced[2]=
,
which in turn increases the cost or difficulty to an attacker seeking to ca=
rry
out a network partitioning attack (when compared with having such knowledge=
).

The low-bandwidth / minimal-resource nature of these connections is current=
ly
known only by the initiator of the connection; this is because the transact=
ion
relay field in the version message is not a permanent setting for the lifet=
ime
of the connection.  Consequently, a node receiving an inbound connection wi=
th
transaction relay disabled cannot distinguish between a peer that will neve=
r
enable transaction relay (as described in BIP 37) and one that will.  Moreo=
ver,
the node also cannot determine that the incoming connection will ignore rel=
ayed
addresses; with that knowledge a node would likely choose other peers to
receive announced addresses instead.

This proposal adds a new, optional message that a node can send a peer when
initiating a connection to that peer, to indicate that connection should no=
t be
used for transaction-relay for the connection&#39;s lifetime. In addition, =
without
a current mechanism to negotiate whether addresses should be relayed on a
connection, this BIP suggests that address messages not be sent on links wh=
ere
tx-relay has been disabled.

=3D=3DSpecification=3D=3D

# A new disabletx message is added, which is defined as an empty message wh=
ere pchCommand =3D=3D &quot;disabletx&quot;.
# The protocol version of nodes implementing this BIP must be set to 70017 =
or higher.
# If a node sets the transaction relay field in the version message to a pe=
er to false, then the disabletx message MAY also be sent in response to a v=
ersion message from that peer if the peer&#39;s protocol version is &gt;=3D=
 70017. If sent, the disabletx message MUST be sent prior to sending a vera=
ck.
# A node that has sent or received a disabletx message to/from a peer MUST =
NOT send any of these messages to the peer:
## inv messages for transactions
## getdata messages for transactions
## getdata messages for merkleblock (BIP 37)
## filteradd/filterload/filterclear (BIP 37)
## mempool (BIP 35)
# It is RECOMMENDED that a node that has sent or received a disabletx messa=
ge to/from a peer not send any of these messages to the peer:
## addr/getaddr
## addrv2 (BIP 155)
# The behavior regarding sending or processing other message types is not s=
pecified by this BIP.
# Nodes MAY decide to not remain connected to peers that send this message =
(for example, if trying to find a peer that will relay transactions).

=3D=3DCompatibility=3D=3D

Nodes with protocol version &gt;=3D 70017 that do not implement this BIP, a=
nd nodes
with protocol version &lt; 70017, will continue to remain compatible with
implementing software: transactions would not be relayed to peers sending t=
he
disabletx message (provided that BIP 37 or BIP 60 has been implemented), an=
d while
periodic address relay may still take place, software implementing this BIP
should not be disconnecting such peers solely for that reason.

Disabling address relay is suggested but not required by this BIP, to allow=
 for
future protocol extensions that might specify more carefully how address re=
lay
is to be negotiated. This BIP&#39;s recommendations for software to not rel=
ay
addresses is intended to be interpreted as guidance in the absence of any s=
uch
future protocol extension, to accommodate existing software behavior.

Note that all messages specified in BIP 152, including blocktxn and
getblocktxn, are permitted between peers that have sent/received a disablet=
x
message, subject to the feature negotiation of BIP 152.

=3D=3DImplementation=3D=3D

TBD

=3D=3DReferences=3D=3D

# Bitcoin Core has [<a href=3D"https://github.com/bitcoin/bitcoin/pull/1575=
9" target=3D"_blank">https://github.com/bitcoin/bitcoin/pull/15759</a> impl=
emented this functionality] since version 0.19.0.1, released in November 20=
19.
# For example, see <a href=3D"https://www.cs.umd.edu/projects/coinscope/coi=
nscope.pdf" target=3D"_blank">https://www.cs.umd.edu/projects/coinscope/coi=
nscope.pdf</a> and <a href=3D"https://arxiv.org/pdf/1812.00942.pdf" target=
=3D"_blank">https://arxiv.org/pdf/1812.00942.pdf</a>.

=3D=3DCopyright=3D=3D

This BIP is licensed under the 2-clause BSD license.</pre></div></div>
_______________________________________________<br>
bitcoin-dev mailing list<br>
<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_blank">=
bitcoin-dev@lists.linuxfoundation.org</a><br>
<a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev" =
rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundation.org/mail=
man/listinfo/bitcoin-dev</a><br>
</blockquote></div>

--000000000000ec6f8805bc7fe23a--