Return-Path: <gloriajzhao@gmail.com>
Received: from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138])
 by lists.linuxfoundation.org (Postfix) with ESMTP id 8A32BC002D
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Tue,  1 Nov 2022 18:03:39 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by smtp1.osuosl.org (Postfix) with ESMTP id 5D56180C1E
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Tue,  1 Nov 2022 18:03:39 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 5D56180C1E
Authentication-Results: smtp1.osuosl.org;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.a=rsa-sha256 header.s=20210112 header.b=kyv0aFxd
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level: 
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5
 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
 DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
 HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from smtp1.osuosl.org ([127.0.0.1])
 by localhost (smtp1.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id dgzBPcZs7_vI
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Tue,  1 Nov 2022 18:03:35 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.8.0
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org EFF1380BAD
Received: from mail-pj1-x102b.google.com (mail-pj1-x102b.google.com
 [IPv6:2607:f8b0:4864:20::102b])
 by smtp1.osuosl.org (Postfix) with ESMTPS id EFF1380BAD
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Tue,  1 Nov 2022 18:03:34 +0000 (UTC)
Received: by mail-pj1-x102b.google.com with SMTP id
 r61-20020a17090a43c300b00212f4e9cccdso19524850pjg.5
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Tue, 01 Nov 2022 11:03:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112;
 h=to:subject:message-id:date:from:in-reply-to:references:mime-version
 :from:to:cc:subject:date:message-id:reply-to;
 bh=ZG3VHsf50tRFWxmXtvkV1mKkABPObL6d96DlahOVx7k=;
 b=kyv0aFxdirgkefIX8vRlpx8zPC2C6xuYBw9OoakW+Ha6uQG89WodklfUg9TB//HXiQ
 85OXTwyJYSOQ3NC/el29rjClrdw+9Xii407RWasuZc4+RR/OpkOruudK9W6tZLH3dnw5
 uv5cyq799h2kaVpakUvqt44RqsZ7PAbrSkP8dMleN67i2lHZG3MZD2WmEDM/Vb014COo
 XyBBfolXg+C1BjQ0a0/tFrVC8uSQCh4ONVZUSpuboa4KMkAapzkj+PL19GHPD/LCoCwG
 +16WpTwEyW1K64v1Q9XEcnhbarNhBtrSMBOlagrsrNDyP7LtsjqNMtqw6sFrlTyVOZo1
 XDTw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=to:subject:message-id:date:from:in-reply-to:references:mime-version
 :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
 bh=ZG3VHsf50tRFWxmXtvkV1mKkABPObL6d96DlahOVx7k=;
 b=5d/Dckq3J7k+PJ8bUuYWGN3GuCHphrDpu48z3esknO7dzDcIKskN9c5GmhwvjUG3lr
 2mNDL266V5iNhbkEJ0u5M/LboBQS4eb+b7/O4HMkezIV2PnBk6WcBTjKOcNg6YdNaayn
 WwKqKGxdMjhG4lOsT337Jd3789PhK+kr/JyiN+pmZUzf8ATLhFotaLV1VAeDMKmBHRlx
 gbwkn4oyDpLJ4noJpKe12nSCbJ1dgMJDO55rP46NMyL/5Y4lVDxgGn5ChPvGNBvvhPmE
 BY4gCwSEjkUUxFaB2ZJiUEKRGUytIn5RLyjBTQ0BeZtCfqzjH9iGE0yvxyPbAG/gh/A3
 sdJg==
X-Gm-Message-State: ACrzQf1BElylTV/HsnTcBd9rkW+JaIlYoWeY1W4ftUByigp/gJuAMWdD
 UDKqnDwfBMJgEp7tF1pqDcebvBQpB8t79IIDpdpQJ6lk1w0=
X-Google-Smtp-Source: AMsMyM5zSRg3sMoUMytiMmBegD52+w8FHd8IhRpfNVydCRbARUhaHqaMuO+igjGevXiarg1vZ7BEgUPju+Hz8jBzstw=
X-Received: by 2002:a17:90a:f001:b0:213:bf4:ee29 with SMTP id
 bt1-20020a17090af00100b002130bf4ee29mr37930716pjb.98.1667325813755; Tue, 01
 Nov 2022 11:03:33 -0700 (PDT)
MIME-Version: 1.0
References: <CAFXO6=JROe_9ih2h+_CCH-UbxehsM5RQ6YyNnPesEpveBEtdow@mail.gmail.com>
 <CALZpt+EOmet0j5OhFo5nmZxVJbPfRRnh7oCRwytxkVMbAtz0Eg@mail.gmail.com>
In-Reply-To: <CALZpt+EOmet0j5OhFo5nmZxVJbPfRRnh7oCRwytxkVMbAtz0Eg@mail.gmail.com>
From: Gloria Zhao <gloriajzhao@gmail.com>
Date: Tue, 1 Nov 2022 18:03:22 +0000
Message-ID: <CAFXO6=Jj+6tykoW=tx=QNkCocR5XYx7cGcATKLvxMOcPeEJhEg@mail.gmail.com>
To: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: multipart/alternative; boundary="000000000000da95c205ec6c8a69"
X-Mailman-Approved-At: Tue, 01 Nov 2022 18:25:47 +0000
Subject: Re: [bitcoin-dev] Package Relay Proposal
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Nov 2022 18:03:39 -0000

--000000000000da95c205ec6c8a69
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi everyone,

I've made some significant changes to my package relay proposal based on
observations while implementing, feedback on this thread, and offline
discussions [1].

The new proposal is called Ancestor Package Relay, BIP331, and PR'd at
https://github.com/bitcoin/bips/pull/1382

The major changes to the proposal are:
1. Scope reduction to receiver-initiated only
2. Scope reduction to ancestor packages only
3. Removal of block hash from package information

1.  Scope reduction to receiver-initiated only
Receiver-initiated package relay enables a node to ask for more information
when they suspect they are missing something (i.e. in this case to resolve
a missing parent tx). Sender-initiated package relay should, theoretically,
save a round trip by notifying the receiver ahead of time that "hey, this
is going to be a package, so make sure you download and submit these
transactions together." As with any proactive communication, there is a
chance that the node already knows this information, so this network
bandwidth was wasted. The logic used to decide _when_ to announce a package
proactively determines whether it is a net increase or decrease for overall
bandwidth usage. However, it's difficult to design anything to save
bandwidth without any idea of what its bandwidth usage actually looks like
in practice. We'll want to design the sender-initiated protocol carefully,
and inform the design decisions using data collected from the mainnet p2p
network. However, there is no historical transaction data to use because
the goal is to enable currently-rejected transactions to propagate. In
order to get this right, I propose we hold off on sender-initiated for now,
deploy receiver-initiated package relay, observe its usage and figure out
where we can save a round trip, and then produce a well-researched
sender-initiated package relay proposal.

2. Scope reduction to ancestor packages only
The proposal now only includes ancestor packages (previously called
tx-with-unconfirmed-ancestors or "v2" packages). The
child-with-unconfirmed-parents (previously called "v1") package has been
removed since it is a subset of ancestor packages and sender-initiated
relay has been removed. It may be relevant again in the future with
sender-initiated packages. If you were reviewing the previous proposal,
"pkginfo2" message has been renamed to "ancpkginfo" and "MSG_PKGINFO2" inv
type to "MSG_ANCPKGINFO".

3. Removal of block hash from package information
Most of the rationale is already on this thread. The block hash was an
attempt to enforce topology when chainstates differ, but isn't worth it. It
does not make much sense to drop or delay transaction data requests due to
mismatched chainstates, and the chainstate may change again between package
information and transaction data rounds. Instead, differences in chainstate
should be handled internally at the mempool validation level. The node
should de-duplicate recently-confirmed transactions and make a best effort
to validate the transactions it has already downloaded.

Thanks,
Gloria

[1]
https://diyhpl.us/wiki/transcripts/bitcoin-core-dev-tech/2022-10-11-package-relay/

On Fri, Jun 17, 2022 at 9:08 PM Antoine Riard <antoine.riard@gmail.com>
wrote:

> Hi Gloria,
>
> Thanks for working on that,
>
> > Always overestimating fees may sidestep this issue temporarily (while
> mempool
> > traffic is low and predictable), but this solution is not foolproof
> > and wastes users' money. The feerate market can change due to sudden
> > spikes in traffic (e.g. huge 12sat/vB dump a few days ago [9]) or
> > sustained, high volume of Bitcoin payments (e.g.  April 2021 and
> > December 2017).
>
> Even if the LN implementations started to overestimate fees based on the
> historical worst-case of block inclusion feerates, there is still room for
> exploitation due to bip125 rule#3. Indeed, as long as the adversary is able
> to stick in the mempool a higher fee package while the feerate is not
> compelling enough to get it mined, your "honest" LN package should be
> bounced off.
>
> Considering Core's `MAX_STANDARD_TX_WEIGHT` of 400000 WU, I think it's
> practical for an attacker to succeed with this pinning tactic in periods of
> traffic spikes. Of course, LN implementation could overestimate fees with a
> target like `MAX_STANDARD_WEIGHT` * `worst_case_block_inclusion_feerate` to
> mitigate. However, assuming a value of 20sat for the latter, it would
> require from any LN user a minimal channel value of 2000000 satoshis to be
> theoretically secure against this type of pinning.
>
> So package relay is required to mitigate efficiently and realistically
> against pinning attacks, while conserving the same level of "economic"
> openness for Lightning. Beyond that, it should also be noted that package
> relay is only one building block of the full set of mitigations, and there
> should be a yet to-find-consensus-as-of-today other policy change such as
> user-elected package limits or replace-by-feerate.
>
> Anyway, I think it would be beneficial to document the design trade-offs
> of pinning mitigations in the `Rationale` subsection, at the attention of
> future L2s devs and users ?
>
> > {|
> > |  Field Name  ||  Type  ||  Size  ||  Purpose
> > |-
> > |version || uint32_t || 4 || Denotes a package version supported by the
> > node.
> > |-
> > |max_count || uint32_t || 4 ||Specifies the maximum number of
> transactions
> > per package this node is
> > willing to accept.
> > |-
> > |max_weight || uint32_t || 4 ||Specifies the maximum total weight per
> > package this node is willing
> > to accept.
> > |-
> > |}
>
> It's unclear to me what's the purpose of `max_count` and `max_weight` in
> the overall package relay flow, if they are intended to be exposed as
> configurable settings to node operators. If those fields are present to
> allow DoS protection increase of low-performance host, I believe it would
> be better to restrain the number of consumed UTXOs or executed sigops per
> package, as DoS vectors are more likely to be CPU-based, rather than
> memory-based as package size already bounded at acceptance by
> `MAX_PACKAGE_COUNT`.
>
> Thinking more we might introduce a `MAX_SIGOPS_PER_PACKAGE` limit, as
> otherwise if we naively grant one package announcement as equal to one
> transaction announcement in our tx-request logic, we might increase our DoS
> surface, node resources staying equivalent ?
>
> > {|
> > |  Field Name  ||  Type  ||  Size  ||   Purpose
> > |-
> > |txns_length||CompactSize||1 or 3 bytes|| The number of transactions
> > requested.
>
> I'm not sure if we'll ever allow 3-bytes of package size, that would be
> ~32k of transactions.
>
> > |-
> > |txns||List of wtxids||txns_length * 32|| The wtxids of each transaction in
> > the package.
> > |}
>
> I think there is a bandwidth consumption trade-off to be aware of in the
> function of the package-relay usage. Let's consider a single issuer
> broadcasting the package to spend a shared-utxo, after the first shot the
> parent component should be spread across the network mempools. At each
> fee-bump, only the bumped CPFP will propagate on the network, the parent
> wtxid is reannounced in `pckginfo1` though there is no need to fetch it
> redundantly and waste bandwidth.
>
> However, I think the bandwidth saving does not hold in case of competing
> transaction issuers to spend a shared-utxo. In that case, the parent might
> differ at each broadcast and the list of wtxids differs at every
> claim of the shared-utxo. We could save the 32 bytes * number of packages
> elements by announcing a package_id, computed from the list of wtxids.
>
> I don't know about the occurrence of competing broadcasts among LN
> non-cooperative closes, where bandwidth could be potentially saved. I would
> say it's likely low because IIRC there is nothing in the LN protocol where
> the counterparties signal to each other they're going on-chain to introduce
> a competing broadcast synchronizing event. That said, it might increase in
> the future in a post-eltoo, multi-party contracting protocol world.
>
> So it might be interesting to document this design trade-off, if we seek
> bandwidth optimizations in function of a changing landscape in the type of
> transaction issuers in the future.
>
> > 3. The sender provides package information using "pckginfo1",
> >    including the blockhash of the sender's best block, the wtxids of
> > the transactions in the package, their total fees and total weight.
>
> It's unclear to me how the `pckinfo1` receiver should proceed if the
> sender's best block is not in sync with the local chain tip.
>
> If the package isn't processed further, that's annoying for all the
> low-performance LN mobile clients, their chain tips might be always behind
> by few blocks from the p2p network nodes. It sounds like their packages
> won't propagate at all.
>
> If the package is processed further whatever the sender-receiver sync on
> chain tip, what's the purpose of including the blockhash ?
>
> > A child-with-unconfirmed-parents package for a transaction should be
> > announced when it meets the peer's fee filter but one or more of its
> > parents don't; a "inv(MSG_PCKG1)" instead of "inv(WTX)" should be sent
> > for the child. Each of the parents which meet the peer's fee filter
> > should still be announced normally.
>
> I believe we might have concerns of package-feerate downgrades attacks.
> E.g, in the LN context, where your channel counterparty is aiming to jam
> the propagation of the best-feerate version of the package.
>
> Let's say you have :
> - Alice's commitment_tx, at 1s/vB
> - package A + child B, at 3s/vB
> - package A + child C, at 10s/vB
> - block inclusion feerate at 10s/vB
> - Alice and Mallory are LN channel counterparties
> - commitment_tx is using LN's anchor outputs
>
> Alice's LN node broadcasts A+C to her mempool.
> Bob's feefilter is at 3s/vB.
> Mallory broadcasts her child B in Alice's mempool.
> LN commitment does not meet Bob's feefilter.
> Package A+child B at 3s/vB meets Bob's feefilter and is announced to Bob.
> Mallory broadcasts her own commitment_tx at 4s/vB in Bob's mempool.
> When Alice's child C is relayed to Bob, it's bounced off Bob's mempool.
>
> Do you think this situation is plausible ? Of course, it might be heavily
> dependent on package-relay yet-not-implemented internal p2p logic.
> I think it could be fixable if LN removes the counterparty's
> `anchor_output` on the local node's version of the commitment transaction,
> once package relay is deployed.
>
> Another question, at the next fee-bump iteration, Alice rebroadcasts
> A+child D, at 12 s/vB. Her node has already marked Alice's commitment_tx as
> known in Bob's `m_tx_inventory_known_filter`. So when a new higher fee
> child is discovered, should a `child-with-unconfirmed-parents` be
> announced between Alice and Bob ?
>
> Anyway, I think it would be interesting to pseudo-specify the
> package-assemblage algorithm (or if there is code already available) to see
> if it's robust against adversarial or unlucky situations ?
>
> > In fact, a package
> > of transactions may be announced using both Erlay and package relay.
> > After reconciliation, if the initiator would have announced a
> > transaction by wtxid but also has package information for it, they may
> > send "inv(MSG_PCKG)" instead of "inv(WTX)".
>
> Yes, I think this holds. Note, we might have to add to the reconciliation
> set low-fee parents succeeding the feefilter check due to a child. When the
> reconcildiff, we might have to bifurcate again on feefilter to decide to
> announce missing wtxids either as `inv(MSG_PCKG)` or `inv(WTX)`.
>
> (IIRC, I've already made few feedbacks offline though good to get them in
> the public space and think more)
>
> Antoine
>
> Le mar. 17 mai 2022 à 12:09, Gloria Zhao via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> a écrit :
>
>> Hi everybody,
>>
>> I’m writing to propose a set of p2p protocol changes to enable package
>> relay, soliciting feedback on the design and approach. Here is a link
>> to the most up-to-date proposal:
>>
>> https://github.com/bitcoin/bips/pull/1324
>>
>> If you have concept or approach feedback, *please respond on the
>> mailing list* to allow everybody to view and participate in the
>> discussion. If you find a typo or inaccurate wording, please feel free
>> to leave suggestions on the PR.
>>
>> I’m also working on an implementation for Bitcoin Core.
>>
>>
>> The rest of this post will include the same contents as the proposal,
>> with a bit of reordering and additional context. If you are not 100%
>> up-to-date on package relay and find the proposal hard to follow, I
>> hope you find this format more informative and persuasive.
>>
>>
>> ==Background and Motivation==
>>
>> Users may create and broadcast transactions that depend upon, i.e.
>> spend outputs of, unconfirmed transactions. A “package” is the
>> widely-used term for a group of transactions representable by a
>> connected Directed Acyclic Graph (where a directed edge exists between
>> a transaction that spends the output of another transaction).
>>
>> Incentive-compatible mempool and miner policies help create a fair,
>> fee-based market for block space. While miners maximize transaction
>> fees in order to earn higher block rewards, non-mining users
>> participating in transaction relay reap many benefits from employing
>> policies that result in a mempool with the same contents, including
>> faster compact block relay and more accurate fee estimation.
>> Additionally, users may take advantage of mempool and miner policy to
>> bump the priority of their transactions by attaching high-fee
>> descendants (Child Pays for Parent or CPFP).  Only considering
>> transactions one at a time for submission to the mempool creates a
>> limitation in the node's ability to determine which transactions have
>> the highest feerates, since it cannot take into account descendants
>> until all the transactions are in the mempool. Similarly, it cannot
>> use a transaction's descendants when considering which of two
>> conflicting transactions to keep (Replace by Fee or RBF).
>>
>> When a user's transaction does not meet a mempool's minimum feerate
>> and they cannot create a replacement transaction directly, their
>> transaction will simply be rejected by this mempool. They also cannot
>> attach a descendant to pay for replacing a conflicting transaction.
>> This limitation harms users' ability to fee-bump their transactions.
>> Further, it presents a security issue in contracting protocols which
>> rely on **presigned**, time-sensitive transactions to prevent cheating
>> (HTLC-Timeout in LN Penalty [1] [2] [3], Unvault Cancel in Revault
>> [4], Refund Transaction in Discreet Log Contracts [5], Updates in
>> eltoo [6]). In other words, a key security assumption of many
>> contracting protocols is that all parties can propagate and confirm
>> transactions in a timely manner.
>>
>> In the past few years, increasing attention [0][1][2][3][6] has been
>> brought to **pinning attacks**, a type of censorship in which the
>> attacker uses mempool policy restrictions to prevent a transaction
>> from being relayed or getting mined.  TLDR: revocation transactions
>> must meet a certain confirmation target to be effective, but their
>> feerates are negotiated well ahead of broadcast time. If the
>> forecasted feerate was too low and no fee-bumping options are
>> available, attackers can steal money from their counterparties. I walk
>> through a concrete example for stealing Lightning HTLC outputs at
>> ~23:58 in this talk [7][8].  Note that most attacks are only possible
>> when the market for blockspace at broadcast time  demands much higher
>> feerates than originally anticipated at signing time. Always
>> overestimating fees may sidestep this issue temporarily (while mempool
>> traffic is low and predictable), but this solution is not foolproof
>> and wastes users' money. The feerate market can change due to sudden
>> spikes in traffic (e.g. huge 12sat/vB dump a few days ago [9]) or
>> sustained, high volume of Bitcoin payments (e.g.  April 2021 and
>> December 2017).
>>
>> The best solution is to enable nodes to consider packages of
>> transactions as a unit, e.g. one or more low-fee parent transactions
>> with a high-fee child, instead of separately. A package-aware mempool
>> policy can help determine if it would actually be economically
>> rational to accept a transaction to the mempool if it doesn't meet fee
>> requirements individually. Network-wide adoption of these policies
>> would create a more purely-feerate-based market for block space and
>> allow contracting protocols to adjust fees (and therefore mining
>> priority) at broadcast time.  Some support for packages has existed in
>> Bitcoin Core for years. Since v0.13, Bitcoin Core has used ancestor
>> packages instead of individual transactions to evaluate the incentive
>> compatibility of transactions in the mempool [10] and select them for
>> inclusion in blocks [11].
>>
>> Package Relay, the concept of {announcing, requesting, downloading}
>> packages between nodes on the p2p network, has also been discussed for
>> many years. The earliest public mention I can find is from 2015 [12].
>> The two most common use cases for package relay are fee-bumping
>> otherwise-too-low-fee transactions and reducing the amount of orphans.
>> It seems uncontroversial to say that everybody desires package relay
>> conceptually, with varying degrees of urgency. Lots of work has been
>> done by others over the past few years, from which I've taken
>> inspiration [13][14][15][16].
>>
>> My approach has been to split the project into two components: (1) Package
>> Mempool Accept, which includes validation logic and mempool policy.
>> (3) Package Relay, which includes the p2p protocol changes.
>>
>> Progress so far:
>> After discussions with various developers of contracting protocols
>> (with heavier emphasis towards LN), it was determined that a
>> package containing a child with all of its unconfirmed parents
>> (child-with-unconfirmed-parents or 1-child-multi-parent package) would
>> be sufficient for their use case, i.e. fee-bumping presigned
>> transactions. A child-with-unconfirmed-parents package has several
>> properties that make many things easier to reason about.
>>
>> A few months ago, I proposed a set of policies for safe package
>> validation and fee assessment for packages of this restricted
>> topology [17]. A series of PRs implementing this proposal have
>> been merged into Bitcoin Core [18].
>>
>> Theoretically, developing a safe and incentive-compatible package
>> mempool acceptance policy is sufficient to solve this issue. Nodes
>> could opportunistically accept packages (e.g. by trying combinations
>> of transactions rejected from their mempools), but this practice would
>> likely be inefficient at best and open new Denial of Service attacks
>> at worst. Additional p2p messages may enable nodes to request and
>> share package validation-related information with one another in a
>> more communication-efficient way.
>>
>> Given that only package RBF remains for package mempool accept, and we
>> can make progress on p2p and mempool in parallel, I think it’s
>> appropriate to put forward a package relay proposal.
>>
>> ==Proposal==
>>
>> This proposal contains 2 components: a “generic” package relay
>> protocol and an extension of it, child-with-unconfirmed-parents
>> packages, as version 1 package relay. Another version of packages,
>> “tx-with-unconfirmed-ancestors” can be created to extend package relay
>> for eliminating orphans.
>>
>> =3D=3D=3DGeneric Package Relay=3D=3D=3D
>>
>> Two main ideas are introduced:
>>
>> Download and validate packages of transactions together.
>>
>> Provide information to help peers decide whether to request and/or how
>> to validate transactions which are part of a package.
>>
>> =3D=3D=3D=3DIntended Protocol Flow=3D=3D=3D=3D
>>
>> Due to the asynchronous nature of a distributed transaction relay
>> network, nodes may not receive all of the information needed to
>> validate a transaction at once. For example, after a node completes
>> Initial Block Download (IBD) and first starts participating in
>> transaction relay with an empty mempool, it is common to receive
>> orphans. In such scenarios where a node is aware that it is missing
>> information, a ''receiver-initiated'' dialogue is appropriate:
>>
>> 1. Receiver requests package information.
>>
>> 2. The sender provides package information, including the wtxids of
>>    the transactions in the package and anything else that might be
>> relevant (e.g. total fees and size).
>>
>> 3. The receiver uses the package information to decide how to request
>>    and validate the transactions.
>>
>> Sometimes, no matter what order transactions are received by a node,
>> validating them individually is insufficient. When the sender is aware
>> of additional information that the receiver needs to accept a package,
>> a proactive ''sender-initiated'' dialogue should be enabled:
>>
>> 1. Sender announces they have package information pertaining to a
>>    transaction that might otherwise be undesired on its own.
>>
>> 2. The receiver requests package information.
>>
>> 3. The sender provides package information, including the wtxids of
>>    the transactions in the package and anything else that might be
>> relevant (e.g. total fees and size).
>>
>> 4. The receiver uses the package information to decide how to request
>>    and validate the transactions.
>>
>> Package relay is negotiated between two peers during the version
>> handshake. Package relay requires both peers to support wtxid-based
>> relay because package transactions are referenced by their wtxid.
>>
>> =3D=3D=3D=3DNew Messages=3D=3D=3D=3D
>>
>> Three new protocol messages are added for use in any version of
>> package relay. Additionally, each version of package relay must define
>> its own inv type and "pckginfo" message version, referred to in this
>> document as "MSG_PCKG" and "pckginfo" respectively. See
>> BIP-v1-packages for a concrete example.
>>
>> =3D=3D=3D=3D=3Dsendpackages=3D=3D=3D=3D=3D
>>
>> {|
>> |  Field Name  ||  Type  ||  Size  ||  Purpose
>> |-
>> |version || uint32_t || 4 || Denotes a package version supported by the
>> node.
>> |-
>> |max_count || uint32_t || 4 ||Specifies the maximum number of
>> transactions per package this node is
>> willing to accept.
>> |-
>> |max_weight || uint32_t || 4 ||Specifies the maximum total weight per
>> package this node is willing
>> to accept.
>> |-
>> |}
>>
>> 1. The "sendpackages" message has the structure defined above, with
>>    pchCommand =3D=3D "sendpackages".
>>
>> 2. During version handshake, nodes should send a "sendpackages"
>>    message to indicate they support package relay and may request
>> packages.
>>
>> 3. The message should contain a version supported by the node. Nodes
>>    should send a "sendpackages" message for each version they support.
>>
>> 4. The "sendpackages" message MUST be sent before sending a "verack"
>>    message. If a "sendpackages" message is received after "verack", the
>> sender should be disconnected.
>>
>> 5. If 'fRelay=3D=3Dfalse' in a peer's version message, the node must not
>>    send "sendpackages" to them. If a "sendpackages" message is
>> received by a peer after sending `fRelay=3D=3Dfalse` in their version
>> message, the sender should be disconnected.
>>
>> 6. Upon receipt of a "sendpackages" message with a version that is
>> not supported, a node must treat the peer as if it never received the
>> message.
>>
>> 7. If both peers send "wtxidrelay" and "sendpackages" with the same
>>    version, the peers should announce, request, and send package
>> information to each other.
>>
>> =3D=3D=3D=3D=3Dgetpckgtxns=3D=3D=3D=3D=3D
>>
>> {|
>> |  Field Name  ||  Type  ||  Size  ||   Purpose
>> |-
>> |txns_length||CompactSize||1 or 3 bytes|| The number of transactions
>> requested.
>> |-
>> |txns||List of wtxids||txns_length * 32|| The wtxids of each transaction
>> in the package.
>> |}
>>
>> 1. The "getpckgtxns" message has the structure defined above, with
>>    pchCommand =3D=3D "getpckgtxns".
>>
>> 2. A "getpckgtxns" message should be used to request all or some of
>>    the transactions previously announced in a "pckginfo" message,
>> specified by witness transaction id.
>>
>> 3. Upon receipt of a "getpckgtxns" message, a node must respond with
>>    either a "pckgtxns" containing the requested transactions or a
>> "notfound" message indicating one or more of the transactions is
>> unavailable. This allows the receiver to avoid downloading and storing
>> transactions that cannot be validated immediately.
>>
>> 4. A "getpckgtxns" message should only be sent if both peers agreed to
>>    send packages in the version handshake. If a "getpckgtxns" message
>> is received from a peer with which package relay was not negotiated,
>> the sender should be disconnected.
>>
>> =3D=3D=3D=3D=3Dpckgtxns=3D=3D=3D=3D=3D
>>
>> {|
>> |  Field Name  ||  Type  ||  Size  ||   Purpose
>> |-
>> |txns_length||CompactSize||1 or 3 bytes|| The number of transactions
>> provided.
>> |-
>> |txns||List of transactions||variable|| The transactions in the package.
>> |}
>>
>> 1. The "pckgtxns" message has the structure defined above, with
>>    pchCommand =3D=3D "pckgtxns".
>>
>> 2. A "pckgtxns" message should contain the transaction data requested
>>    using "getpckgtxns".
>>
>> 3. A "pckgtxns" message should only be sent to a peer that requested
>>    the package using "getpckgtxns". If a node receives an unsolicited
>> package, the sender should be disconnected.
>>
>> 4. A "pckgtxns" message should only be sent if both peers agreed to
>>    send packages in the version handshake. If a "pckgtxns" message is
>> received from a peer with which package relay was not negotiated, the
>> sender should be disconnected.
>>
>> =3D=3D=3DVersion 1 Packages: child-with-unconfirmed-parents=3D=3D=3D
>>
>> This extends package relay for packages consisting of one transaction
>> and all of its unconfirmed parents, by defining version 1 packages, a
>> pckginfo1 message, and a MSG_PCKG1 inv type. It enables the use case
>> in which a child pays for its otherwise-too-low-fee parents and their
>> mempool conflict(s).
>>
>> =3D=3D=3D=3DIntended Protocol Flow=3D=3D=3D=3D
>>
>> When relaying a package of low-fee parent(s) and high-fee child, the
>> sender and receiver do the following:
>>
>> 1. Sender announces they have a child-with-unconfirmed-parents package
>>    for a child that pays for otherwise-too-low-fee parent(s) using
>> "inv(MSG_PCKG1)".
>>
>> 2. The receiver requests package information using
>>    "getdata(MSG_PCKG1)".
>>
>> 3. The sender provides package information using "pckginfo1",
>>    including the blockhash of the sender's best block, the wtxids of
>> the transactions in the package, their total fees and total weight.
>>
>> 4. The receiver uses the package information to decide how to request
>>    the transactions. For example, if the receiver already has some of
>> the transactions in their mempool, they only request the missing ones.
>> They could also decide not to request the package at all based on the
>> fee information provided.
>>
>> 5. Upon receiving a "pckgtxns", the receiver submits the transactions
>>    together as a package.
>>
>> =3D=3D=3D=3DNew Messages=3D=3D=3D=3D
>>
>> A new inv type, "MSG_PCKG1", and new protocol message, "PCKGINFO1",
>> are added.
>>
>> =3D=3D=3D=3D=3Dpckginfo1=3D=3D=3D=3D=3D
>>
>> {|
>> |  Field Name  ||  Type  ||  Size  ||   Purpose
>> |-
>> |blockhash || uint256 || 32 || The chain tip at which this package is
>> defined.
>> |-
>> |pckg_fee||CAmount||4|| The sum total fees paid by all transactions in
>> the package.
>> |-
>> |pckg_weight||int64_t||8|| The sum total weight of all transactions in
>> the package.
>> |-
>> |txns_length||CompactSize||1 or 3 bytes|| The number of transactions
>> provided.
>> |-
>> |txns||List of wtxids||txns_length * 32|| The wtxids of each transaction
>> in the package.
>> |}
>>
>>
>> 1. The "pckginfo1" message has the structure defined above, with
>>    pchCommand =3D=3D "pckginfo1".
>>
>> 2. A "pckginfo1" message contains information about a version 1
>>    package (defined below), referenced by the wtxid of the transaction
>> it pertains to and the current blockhash.
>>
>> 3. Upon receipt of a "pckginfo1" message, the node should decide if it
>>    wants to validate the package, request transaction data if
>> necessary, etc.
>>
>> 4. Upon receipt of a malformed "pckginfo1" message or package that
>>    does not abide by the max_count, max_weight, or other rules
>> specified by the version agreed upon in the initial negotiation, the
>> sender should be disconnected.  If a node receives a "pckginfo1"
>> message for which the "pckg_fee" or "pckg_weight" do not reflect the
>> true total fees and weight, respectively, of the transactions in the
>> package, the message is malformed.
>>
>> 5. A node MUST NOT send a "pckginfo1" message that has not been
>>    requested by the recipient. Upon receipt of an unsolicited
>> "pckginfo1", a node should disconnect the sender.
>>
>> 6. A "pckginfo1" message should only be sent if both peers agreed to
>>    send version 1 packages in the version handshake. If a "pckginfo1"
>> message is received from a peer with which package relay was not
>> negotiated, the sender should be disconnected.
>>
>> =3D=3D=3D=3D=3DMSG_PCKG1=3D=3D=3D=3D=3D
>>
>> 1. A new inv type (MSG_PCKG1 =3D=3D 0x6) is added, for use in inv messag=
es
>>    and getdata requests pertaining to version 1 packages.
>>
>> 2. As an inv type, it indicates that both transaction data and version
>>    1 package information are available for the transaction. The
>> transaction is referenced by its wtxid. As a getdata request type, it
>> indicates that the sender wants package information for the
>> transaction.
>>
>> 3. Upon receipt of a "getdata" request for "MSG_PCKG1", the node
>>    should respond with the version 1 package corresponding to the
>> requested transaction and its current chain tip, or with NOTFOUND.
>> The node should not assume that the sender is requesting the
>> transaction data as well.
>>
>> =3D=3D=3D=3DChild With Parent Packages Rules=3D=3D=3D=3D
>>
>> A child-with-unconfirmed-parents package sent between nodes must abide
>> by the rules below, otherwise the package is malformed and the sender
>> should be disconnected.
>>
>> A version 1 or ''child-with-unconfirmed-parents'' package can be
>> defined for any transaction that spends unconfirmed inputs. The child
>> can be thought of as the "representative" of the package. This package
>> can be uniquely identified by the transaction's wtxid and the current
>> chain tip block hash.
>>
>> A ''child-with-unconfirmed-parents'' package MUST be:
>>
>> 1. ''Sorted topologically.'' For every transaction t in the package,
>>    if any of t's parents are present in the package, the parent must
>> appear somewhere in the list before t. In other words, the
>> transactions must be sorted in ascending order of the number of
>> ancestors present in the package.
>>
>> 2. ''Only 1 child with unconfirmed parents.'' The package must consist
>>    of one transaction and its unconfirmed parents. There must not be
>> any other transactions in the package. Other dependency relationships
>> may exist within the package (e.g. one parent may spend the output of
>> another parent) provided that topological order is respected.
>>
>> 3. ''All unconfirmed parents.'' All of the child's unconfirmed parents
>>    must be present.
>>
>> 4. ''No conflicts.'' None of the transactions in the package may
>>    conflict with each other (i.e.  spend the same prevout).
>>
>> 5. ''Total fees and weight.'' The 'total_fee' and 'total_weight'
>>    fields must accurately represent the sum total of all transactions'
>> fees and weights as defined in BIP141, respectively.
>>
>> Not all of the child's parents must be present; the child transaction
>> may also spend confirmed inputs. However, if the child has confirmed
>> parents, they must not be in the package.
>>
>> While a child-with-unconfirmed-parents package is perhaps most
>> relevant when the child has a higher feerate than its parents, this
>> property is not required to construct a valid package.
>>
>> =3D=3D=3D=3DClarifications=3D=3D=3D=3D
>>
>> ''Q: Under what circumstances should a sender announce a
>> child-with-unconfirmed-parents package?''
>>
>> A child-with-unconfirmed-parents package for a transaction should be
>> announced when it meets the peer's fee filter but one or more of its
>> parents don't; an "inv(MSG_PCKG1)" instead of "inv(WTX)" should be sent
>> for the child. Each of the parents which meet the peer's fee filter
>> should still be announced normally.
>>
>> ''Q: What if a new block arrives in between messages?''
>>
>> A child-with-unconfirmed-parents package is defined for a transaction
>> based on the current chain state. As such, a new block extending the
>> tip may decrease the number of transactions in the package (i.e. if
>> any of the transaction's parents were included in the block). In a
>> reorg, the number of transactions in the package may decrease or
>> increase (i.e. if any of the transaction's parents were included in a
>> block in the previous chain but not the new one).
>>
>> If the new block arrives before the "getdata" or "pckginfo1", nothing
>> needs to change.
>>
>> If the new block arrives before "getpckgtxns" or before "pckgtxns",
>> the receiver may need to re-request package information if the block
>> contained a transaction in the package. If the block doesn't contain
>> any transactions in the package, whether it extends the previous tip
>> or causes a reorg, nothing needs to change.
>>
>> ''Q: Can "getpckgtxns" and "pckgtxns" messages contain only one
>> transaction?''
>>
>> Yes.
>>
>> =3D=3D=3DFurther Protocol Extensions=3D=3D=3D
>>
>> When introducing a new type of package, assign it a version number "n"
>> and use an additional "sendpackages" message during version handshake
>> to negotiate support for it. An additional package information message
>> "pckginfon" and inv type "MSG_PCKGn" should be defined for the type of
>> package.  However, "getpckgtxns" and "pckgtxns" do not need to be
>> changed.
>>
>> Example proposal for tx-with-unconfirmed-ancestors package relay: [19]
>>
>> =3D=3D=3DCompatibility=3D=3D=3D
>>
>> Older clients remain fully compatible and interoperable after this
>> change. Clients implementing this protocol will only attempt to send
>> and request packages if agreed upon during the version handshake.
>>
>> =3D=3D=3DPackage Erlay=3D=3D=3D
>>
>> Clients using BIP330 reconciliation-based transaction relay (Erlay)
>> are able to use package relay without interference. In fact, a package
>> of transactions may be announced using both Erlay and package relay.
>> After reconciliation, if the initiator would have announced a
>> transaction by wtxid but also has package information for it, they may
>> send "inv(MSG_PCKG)" instead of "inv(WTX)".
>>
>> =3D=3D=3DRationale=3D=3D=3D
>>
>> =3D=3D=3D=3DP2P Message Design=3D=3D=3D=3D
>>
>> These p2p messages are added for communication efficiency and, as
>> such, one should measure alternative solutions based on the resources
>> used to communicate (not necessarily trustworthy) information: We
>> would like to minimize network bandwidth, avoid downloading a
>> transaction more than once, avoid downloading transactions that are
>> eventually rejected, and minimize storage allocated for
>> not-yet-validated transactions.
>>
>> Consider these (plausible) scenarios in transaction relay:
>>
>> Alice (the "sender") is relaying transactions to Bob (the "receiver").
>> Alice's mempool has a minimum feerate of 1sat/vB and Bob's has a
>> minimum feerate of 3sat/vB. For simplicity, all transactions are
>> 1600Wu in virtual size and 500 bytes in serialized size. Apart from
>> the spending relationships specified, all other inputs are from
>> confirmed UTXOs.
>>
>> 1. Package {A, B} where A pays 0 satoshis and B pays 8000 satoshis in
>>    fees.
>>
>> 2. Package {C, D} where C pays 0 satoshis and D pays 1200 satoshis in
>>    fees.
>>
>> 3. Package {E, F, G, H, J} that pays 4000, 8000, 0, 2000, and 4000
>>    satoshis in fees, respectively.
>>
>> =3D=3D=3D=3DAlternative Designs Considered=3D=3D=3D=3D
>>
>> ''Package Information Only:'' Just having "pckginfo" gives enough
>> information for the receiver to accept the package. Omit the
>> "getpckgtxns" and "pckgtxns" messages. While this option is a good
>> fallback if batched transaction download fails for some reason, it
>> shouldn't be used as the default because it 'always' requires storage
>> of unvalidated transactions.
>>
>> ''No Package Information Round:'' Instead of having a package
>> information round, just use the child's wtxid to refer to the package
>> and always send the entire package together. This would cause nodes to
>> redownload duplicate transactions.
>>
>> I have also created a slidedeck exploring various alternative designs
>> and some examples in which they fall flat [20]. Please feel free to
>> suggest other alternatives.
>>
>> =3D=3D=3D=3DVersioning System=3D=3D=3D=3D
>>
>> This protocol should be extensible to support multiple types of
>> packages based on future desired use cases. Two "flavors" of
>> versioning were considered:
>>
>> 1. When package mempool acceptance is upgraded to support more types
>>    of packages, increment the version number (similar to Erlay).
>> During version handshake, peers negotiate which version of package
>> relay they will use by each sending one "sendpackages" message.
>>
>> 2. When introducing another type of package, assign a version number
>>    to it and announce it as an additional supported version (similar
>> to Compact Block Relay). During version handshake, peers send one
>> "sendpackages" message for each version supported.
>>
>> The second option was favored because it allows different parameters
>> for different versions.  For example, it should be possible to support
>> both "arbitrary topology but maximum 3-transaction" package as well as
>> "child-with-unconfirmed-parents with default mempool ancestor limits"
>> packages simultaneously.
>>
>> =3D=3DAcknowledgements=3D=3D
>>
>> I hope to have made it abundantly clear that this proposal isn=E2=80=99t
>> inventing the concept of package relay, and in fact builds upon years
>> of work by many others, including Suhas Daftuar and Antoine Riard.
>>
>> Thank you to John Newbery and Martin Zumsande for input on the design.
>>
>> Thank you to Matt Corallo, Christian Decker, David Harding, Antoine
>> Poinsot, Antoine Riard, Gregory Sanders, Chris Stewart, Bastien
>> Teinturier, and others for input on the desired interface for
>> contracting protocols.
>>
>> Looking forward to hearing your thoughts!
>>
>> Best,
>> Gloria
>>
>> [0]:
>> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-January/019=
817.html
>> [1]:
>> https://lists.linuxfoundation.org/pipermail/lightning-dev/2020-April/002=
639.html
>> [2]:
>> https://lists.linuxfoundation.org/pipermail/lightning-dev/2020-June/0027=
58.html
>> [3]:
>> https://github.com/t-bast/lightning-docs/blob/master/pinning-attacks.md
>> [4]:
>> https://github.com/revault/practical-revault/blob/master/transactions.md=
#cancel_tx
>> [5]:
>> https://github.com/discreetlogcontracts/dlcspecs/blob/master/Transaction=
s.md#refund-transaction
>> [6]: https://gist.github.com/instagibbs/60264606e181451e977e439a49f69fe1
>> [7]:
>> https://btctranscripts.com/adopting-bitcoin/2021/2021-11-16-gloria-zhao-=
transaction-relay-policy/#lightning-attacks
>> [8]: https://youtu.be/fbWSQvJjKFs?t=3D1438
>> [9]:
>> https://www.reddit.com/r/Bitcoin/comments/unew4e/looks_like_70_mvb_of_tr=
ansactions_just_got_dumped/
>> [10]: https://github.com/bitcoin/bitcoin/pull/7594
>> [11]: https://github.com/bitcoin/bitcoin/pull/7600
>> [12]: https://github.com/bitcoin/bitcoin/pull/6455#issuecomment-12271682=
0
>> [13]: https://gist.github.com/sdaftuar/8756699bfcad4d3806ba9f3396d4e66a
>> [14]: https://github.com/bitcoin/bitcoin/issues/14895
>> [15]: https://github.com/bitcoin/bitcoin/pull/16401
>> [16]: https://github.com/bitcoin/bitcoin/pull/19621
>> [17]:
>> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-September/0=
19464.html
>> [18]: https://github.com/users/glozow/projects/5/views/4?layout=3Dboard
>> [19]: https://gist.github.com/glozow/9b321cd3ef6505135c763112033ff2a7
>> [20]:
>> https://docs.google.com/presentation/d/1B__KlZO1VzxJGx-0DYChlWawaEmGJ9EG=
ApEzrHqZpQc/edit?usp=3Dsharing
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>
>

--000000000000da95c205ec6c8a69
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Hi everyone,<br><br><div>I&#39;ve made some significant ch=
anges to my package relay proposal based on observations while implementing=
, feedback on this thread, and offline discussions [1].</div><div><br></div=
><div>The new proposal is called Ancestor Package Relay, BIP331, and PR&#39=
;d at <a href=3D"https://github.com/bitcoin/bips/pull/1382" target=3D"_blan=
k">https://github.com/bitcoin/bips/pull/1382</a><br></div><br>The major cha=
nges to the proposal are:<br>1. Scope reduction to receiver-initiated only<=
br>2. Scope reduction to ancestor packages only<br>3. Removal of block hash=
 from package information<br><br><div>1.=C2=A0 Scope reduction to receiver-=
initiated only</div>Receiver-initiated package relay enables a node to ask f=
or more information when they suspect they are missing something (i.e. in t=
his case to resolve a missing parent tx). Sender-initiated package relay sh=
ould, theoretically, save a round trip by notifying the receiver ahead of t=
ime that &quot;hey, this is going to be a package, so make sure you downloa=
d and submit these transactions together.&quot; As with any proactive commu=
nication, there is a chance that the node already knows this information, s=
o this network bandwidth was wasted. The logic used to decide _when_ to ann=
ounce a package proactively determines whether it is a net increase or decr=
ease for overall bandwidth usage. However, it&#39;s difficult to design any=
thing to save bandwidth without any idea of what its bandwidth usage actual=
ly looks like in practice. We&#39;ll want to design the sender-initiated pr=
otocol carefully, and inform the design decisions using data collected from=
 the mainnet p2p network. However, there is no historical transaction data =
to use because the goal is to enable currently-rejected transactions to pro=
pagate. In order to get this right, I propose we hold off on sender-initiat=
ed for now, deploy receiver-initiated package relay, observe its usage and =
figure out where we can save a round trip, and then produce a well-research=
ed sender-initiated package relay proposal.<br><br>2. Scope reduction to an=
cestor packages only<br>The proposal now only includes ancestor packages (p=
reviously called tx-with-unconfirmed-ancestors or &quot;v2&quot; packages).=
 The child-with-unconfirmed-parents (previously called &quot;v1&quot;) pack=
age has been removed since it is a subset of ancestor packages and sender-i=
nitiated relay has been removed. It may be relevant again in the future wit=
h sender-initiated packages. If you were reviewing the previous proposal, &=
quot;pkginfo2&quot; message has been renamed to &quot;ancpkginfo&quot; and =
&quot;MSG_PKGINFO2&quot; inv type to &quot;MSG_ANCPKGINFO&quot;.<br><br>3. =
Removal of block hash from package information<br>Most of the rationale is =
already on this thread. The block hash was an attempt to enforce topology w=
hen chainstates differ, but isn&#39;t worth it. It does not make much sense=
 to drop or delay transaction data requests due to mismatched chainstates, =
and the chainstate may change again between package information and transac=
tion data rounds. Instead, differences in chainstate should be handled inte=
rnally at the mempool validation level. The node should de-duplicate recent=
ly-confirmed transactions and make a best effort to validate the transactio=
ns it has already downloaded.<br><br>Thanks,<br>Gloria<br><br>[1] <a href=
=3D"https://diyhpl.us/wiki/transcripts/bitcoin-core-dev-tech/2022-10-11-pac=
kage-relay/" target=3D"_blank">https://diyhpl.us/wiki/transcripts/bitcoin-c=
ore-dev-tech/2022-10-11-package-relay/</a></div><br><div class=3D"gmail_quo=
te"><div dir=3D"ltr" class=3D"gmail_attr">On Fri, Jun 17, 2022 at 9:08 PM A=
ntoine Riard &lt;<a href=3D"mailto:antoine.riard@gmail.com" target=3D"_blan=
k">antoine.riard@gmail.com</a>&gt; wrote:<br></div><blockquote class=3D"gma=
il_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,2=
04,204);padding-left:1ex"><div dir=3D"ltr"><div>Hi Gloria,<br><br>Thanks fo=
r working on that,<br><br>&gt; Always overestimating fees may sidestep this=
 issue temporarily (while mempool<br>&gt; traffic is low and predictable), =
but this solution is not foolproof<br>&gt; and wastes users&#39; money. The=
 feerate market can change due to sudden<br>&gt; spikes in traffic (e.g. hu=
ge 12sat/vB dump a few days ago [9]) or<br>&gt; sustained, high volume of B=
itcoin payments (e.g.=C2=A0 April 2021 and<br>&gt; December 2017).<br><br>E=
ven if the LN implementations started to overestimate fees based on the his=
torical worst-case of block inclusion feerates, there is still room for exp=
loitation due to bip125 rule#3. Indeed, as long as the adversary is able to=
 stick in the mempool a higher fee package while the feerate is not compell=
ing enough to get it mined, your &quot;honest&quot; LN package should be bo=
unced off.<br><br>Considering Core&#39;s `MAX_STANDARD_TX_WEIGHT` of 400000=
 WU, I think it&#39;s practical for an attacker to succeed with this pinnin=
g tactic in periods of traffic spikes. Of course, LN implementation could o=
verestimate fees with a target like `MAX_STANDARD_WEIGHT` * `worst_case_blo=
ck_inclusion_feerate` to mitigate. However, assuming a value of 20sat for t=
he latter, it would require from any LN user a minimal channel value of 200=
0000 satoshis to be theoretically secure against this type of pinning.<br><=
br>So package relay is required to mitigate efficiently and realistically a=
gainst pinning attacks, while conserving the same level of &quot;economic&q=
uot; openness for Lightning. Beyond, it should be also noted that package r=
elay is only building block of the full set of mitigations, and there shoul=
d be a yet to-find-consensus-as-of-today other policy change such as user-e=
lected package limits or replace-by-feerate.<br><br>Anyway, I think it woul=
d be beneficial to document the design trade-offs of pinning mitigations in=
 the `Rationale` subsection, at the attention of future L2s devs and users =
?<br><br>&gt; {|<br>&gt; | =C2=A0Field Name =C2=A0|| =C2=A0Type =C2=A0|| =
=C2=A0Size =C2=A0|| =C2=A0Purpose<br>&gt; |-<br>&gt; |version || uint32_t |=
| 4 || Denotes a package version supported by the<br>&gt; node.<br>&gt; |-<=
br>&gt; |max_count || uint32_t || 4 ||Specifies the maximum number of trans=
actions<br>&gt; per package this node is<br>&gt; willing to accept.<br>&gt;=
 |-<br>&gt; |max_weight || uint32_t || 4 ||Specifies the maximum total weig=
ht per<br>&gt; package this node is willing<br>&gt; to accept.<br>&gt; |-<b=
r>&gt; |}<br><br>It&#39;s unclear to me what&#39;s the purpose of `max_coun=
t` and `max_weight` in the overall package relay flow, if they are intended=
 to be exposed as configurable settings to node operators. If those fields =
are present to allow DoS protection increase of low-performance host, I bel=
ieve it would be better to restrain the number of consumed UTXOs or execute=
d sigops per package, as DoS vectors are more likely to be CPU-based, rathe=
r than memory-based as package size already bounded at acceptance by `MAX_P=
ACKAGE_COUNT`.<br><br>Thinking more we might introduce a `MAX_SIGOPS_PER_PA=
CKAGE` limit, as otherwise if we naively grant one package announcement as =
equal to one transaction announcement in our tx-request logic, we might inc=
rease our DoS surface, node resources staying equivalent ?<br><br>&gt; {|<=
br>&gt; | =C2=A0Field Name =C2=A0|| =C2=A0Type =C2=A0|| =C2=A0Size =C2=A0||=
 =C2=A0 Purpose<br>&gt; |-<br>&gt; |txns_length||CompactSize||1 or 3 bytes|=
| The number of transactions<br>&gt; requested.<br><br>I&#39;m not sure if =
we&#39;ll ever allow 3-bytes of package size, that would be ~32k of transac=
tions.<br><br>&gt; |-<br>&gt; |txns||List of wtxids||txns_length * 32|| The=
 wtxids of each transaction in<br>&gt; the package.<br>&gt; |}<br><br>I thi=
nk there is a bandwidth consumption trade-off to be aware of in the functio=
n of the package-relay usage. Let&#39;s consider a single issuer broadcasti=
ng the package to spend a shared-utxo, after the first shot the parent comp=
onent should be spread across the network mempools. At each fee-bump, only =
the bumped CPFP will propagate on the network, the parent wtxid is reannoun=
ced in `pckginfo1` though there is no need to fetch it redundantly and wast=
e bandwidth.<br><br>However, I think the bandwidth saving does not hold in =
case of competing transaction issuers to spend a shared-utxo. In that case,=
 the parent might differ at each broadcast and the list of wtxid is dissemb=
lable at every claim of the shared-utxo. We could save the 32 bytes * numbe=
r of packages elements by announcing a package_id, computed from the list o=
f wtxids.<br><br>I don&#39;t know about the occurrence of competing broadca=
sts among LN non-cooperative closes, where bandwidth could be potentially s=
aved. I would say it&#39;s likely low because IIRC there is nothing in the =
LN protocol where the counterparties signal to each other they&#39;re going=
 on-chain to introduce a competing broadcast synchronizing event. That said=
, it might increase in the future in a post-eltoo, multi-party contracting =
protocol world.<br><br>So it might be interesting to document this design t=
rade-off, if we seek bandwidth optimizations in function of a changing land=
scape in the type of transaction issuers in the future.<br><br>&gt; 3. The =
sender provides package information using &quot;pckginfo1&quot;,<br>&gt; =
=C2=A0 =C2=A0including the blockhash of the sender&#39;s best block, the wt=
xids of<br>&gt; the transactions in the package, their total fees and total=
 weight.<br><br>It&#39;s unclear to me how the `pckinfo1` receiver should p=
roceed if the sender&#39;s best block is not in sync with the local chain t=
ip. <br><br>If the package isn&#39;t processed further, that&#39;s annoying=
 for all the low-performance=C2=A0 LN mobile clients, their chain tips migh=
t be always behind by few blocks from the p2p network nodes. It sounds like=
 their packages won&#39;t propagate at all.<br><br>If the package is proces=
sed further whatever the sender-receiver sync on chain tip, what&#39;s the =
purpose of including the blockhash ?<br><br>&gt; A child-with-unconfirmed-p=
arents package for a transaction should be<br>&gt; announced when it meets =
the peer&#39;s fee filter but one or more of its<br>&gt; parents don&#39;t;=
 a &quot;inv(MSG_PCKG1)&quot; instead of &quot;inv(WTX)&quot; should be sen=
t<br>&gt; for the child. Each of the parents which meet the peer&#39;s fee =
filter<br>&gt; should still be announced normally.<br><br>I believe we migh=
t have concerns about package-feerate downgrade attacks. E.g., in the LN conte=
xt, where your channel counterparty is aiming to jam the propagation of the=
 best-feerate version of the package.<br><br>Let&#39;s say you have :<br>- =
Alice&#39;s commitment_tx, at 1s/vB<br>- package A + child B, at 3s/vB<br>-=
 package A + child C, at 10s/vB<br>- block inclusion feerate at 10s/vB<br>-=
 Alice and Mallory are LN channel counterparties<br>- commitment_tx is usin=
g LN&#39;s anchor outputs<br><br>Alice&#39;s LN node broadcasts A+C to her =
mempool.<br>Bob&#39;s feefilter is at 3s/vB.<br>Mallory broadcasts her chil=
d B in Alice&#39;s mempool.<br>LN commitment does not meet Bob&#39;s feefil=
ter.<br>Package A+child B at 3s/vB meets Bob&#39;s feefilter and is announc=
ed to Bob.<br>Mallory broadcasts her own commitment_tx at 4s/vB in Bob&#39;=
s mempool.<br>When Alice&#39;s child C is relayed to Bob, it&#39;s bounced =
off Bob&#39;s mempool.<br><br>Do you think this situation is plausible ? Of=
 course, it might be heavily dependent on package-relay yet-not-implemented=
 internal p2p logic.<br>I think it could be fixable if LN removes the count=
erparty&#39;s `anchor_output` on the local node&#39;s version of the commit=
ment transaction, once package relay is deployed.<br><br>Another question, =
at the next fee-bump iteration, Alice rebroadcasts A+child D, at 12 s/vB. H=
er node has already marked Alice&#39;s commitment_tx as known in Bob&#39;s =
`m_tx_inventory_known_filter`. So when a new higher fee child is=C2=A0 disc=
overed, should a `child-with-unconfirmed-parents` be announced between Alic=
e and Bob ?<br><br>Anyway, I think it would be interesting to pseudo-specif=
y the package-assemblage algorithm (or if there is code already available) =
to see if it&#39;s robust against adversarial or unlucky situations ?<br><b=
r>&gt; In fact, a package<br>&gt; of transactions may be announced using bo=
th Erlay and package relay.<br>&gt; After reconciliation, if the initiator =
would have announced a<br>&gt; transaction by wtxid but also has package in=
formation for it, they may<br>&gt; send &quot;inv(MSG_PCKG)&quot; instead o=
f &quot;inv(WTX)&quot;.<br><br>Yes, I think this holds. Note, we might have=
 to add to the reconciliation set low-fee parents succeeding the feefilter =
check due to a child. When the reconcildiff, we might have to bifurcate aga=
in on feefilter to decide to announce missing wtxids either as `inv(MSG_PCK=
G)` or `inv(WTX)`.<br><br></div>(IIRC, I&#39;ve already made few feedbacks =
offline though good to get them in the public space and think more)<br><div=
><br>Antoine<br></div></div><br><div class=3D"gmail_quote"><div dir=3D"ltr"=
 class=3D"gmail_attr">Le=C2=A0mar. 17 mai 2022 =C3=A0=C2=A012:09, Gloria Zh=
ao via bitcoin-dev &lt;<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.=
org" target=3D"_blank">bitcoin-dev@lists.linuxfoundation.org</a>&gt; a =C3=
=A9crit=C2=A0:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0=
px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><=
div dir=3D"ltr">Hi everybody,<br><br>I=E2=80=99m writing to propose a set o=
f p2p protocol changes to enable package<br>relay, soliciting feedback on t=
he design and approach. Here is a link<br>to the most up-to-date proposal:<=
br><br><a href=3D"https://github.com/bitcoin/bips/pull/1324" target=3D"_bla=
nk">https://github.com/bitcoin/bips/pull/1324</a><br><br>If you have concep=
t or approach feedback, *please respond on the<br>mailing list* to allow ev=
erybody to view and participate in the<br>discussion. If you find a typo or=
 inaccurate wording, please feel free<br>to leave suggestions on the PR.<br=
><br>I=E2=80=99m also working on an implementation for Bitcoin Core.<br><di=
v><br></div><div><br></div>The rest of this post will include the same cont=
ents as the proposal,<br>with a bit of reordering and additional context. I=
f you are not 100%<br>up-to-date on package relay and find the proposal har=
d to follow, I<br><div>hope you find this format more informative and persu=
asive.</div><div><br></div><br>=3D=3DBackground and Motivation=3D=3D<br><br=
>Users may create and broadcast transactions that depend upon, i.e.<br>spen=
d outputs of, unconfirmed transactions. A =E2=80=9Cpackage=E2=80=9D is the<=
br>widely-used term for a group of transactions representable by a<br>conne=
cted Directed Acyclic Graph (where a directed edge exists between<br>a tran=
saction that spends the output of another transaction).<br><br>Incentive-co=
mpatible mempool and miner policies help create a fair,<br>fee-based market=
 for block space. While miners maximize transaction<br>fees in order to ear=
n higher block rewards, non-mining users<br>participating in transaction re=
lay reap many benefits from employing<br>policies that result in a mempool =
with the same contents, including<br>faster compact block relay and more ac=
curate fee estimation.<br>Additionally, users may take advantage of mempool=
 and miner policy to<br>bump the priority of their transactions by attachin=
g high-fee<br>descendants (Child Pays for Parent or CPFP).=C2=A0 Only consi=
dering<br>transactions one at a time for submission to the mempool creates =
a<br>limitation in the node&#39;s ability to determine which transactions h=
ave<br>the highest feerates, since it cannot take into account descendants<=
br>until all the transactions are in the mempool. Similarly, it cannot<br>u=
se a transaction&#39;s descendants when considering which of two<br>conflic=
ting transactions to keep (Replace by Fee or RBF).<br><br>When a user&#39;s=
 transaction does not meet a mempool&#39;s minimum feerate<br>and they cann=
ot create a replacement transaction directly, their<br>transaction will sim=
ply be rejected by this mempool. They also cannot<br>attach a descendant to=
 pay for replacing a conflicting transaction.<br>This limitation harms user=
s&#39; ability to fee-bump their transactions.<br>Further, it presents a se=
curity issue in contracting protocols which<br>rely on **presigned**, time-=
sensitive transactions to prevent cheating<br>(HTLC-Timeout in LN Penalty [=
1] [2] [3], Unvault Cancel in Revault<br>[4], Refund Transaction in Discree=
t Log Contracts [5], Updates in<br>eltoo [6]). In other words, a key securi=
ty assumption of many<br>contracting protocols is that all parties can prop=
agate and confirm<br>transactions in a timely manner.<br><br>In the past fe=
w years, increasing attention [0][1][2][3][6] has been<br>brought to **pinn=
ing attacks**, a type of censorship in which the<br>attacker uses mempool p=
olicy restrictions to prevent a transaction<br>from being relayed or gettin=
g mined.=C2=A0 TLDR: revocation transactions<br>must meet a certain confirm=
ation target to be effective, but their<br>feerates are negotiated well ahe=
ad of broadcast time. If the<br>forecasted feerate was too low and no fee-b=
umping options are<br>available, attackers can steal money from their count=
erparties. I walk<br>through a concrete example for stealing Lightning HTLC=
 outputs at<br>~23:58 in this talk [7][8].=C2=A0 Note that most attacks are=
 only possible<br>when the market for blockspace at broadcast time =C2=A0de=
mands much higher<br>feerates than originally anticipated at signing time. =
Always<br>overestimating fees may sidestep this issue temporarily (while me=
mpool<br>traffic is low and predictable), but this solution is not foolproo=
f<br>and wastes users&#39; money. The feerate market can change due to sudd=
en<br>spikes in traffic (e.g. huge 12sat/vB dump a few days ago [9]) or<br>=
sustained, high volume of Bitcoin payments (e.g.=C2=A0 April 2021 and<br>De=
cember 2017).<br><br>The best solution is to enable nodes to consider packa=
ges of<br>transactions as a unit, e.g. one or more low-fee parent transacti=
ons<br>with a high-fee child, instead of separately. A package-aware mempoo=
l<br>policy can help determine if it would actually be economically<br>rati=
onal to accept a transaction to the mempool if it doesn&#39;t meet fee<br>r=
equirements individually. Network-wide adoption of these policies<br>would =
create a more purely-feerate-based market for block space and<br>allow cont=
racting protocols to adjust fees (and therefore mining<br>priority) at broa=
dcast time.=C2=A0 Some support for packages has existed in<br>Bitcoin Core =
for years. Since v0.13, Bitcoin Core has used ancestor<br>packages instead =
of individual transactions to evaluate the incentive<br>compatibility of tr=
ansactions in the mempool [10] and select them for<br>inclusion in blocks [=
11].<br><br>Package Relay, the concept of {announcing, requesting, download=
ing}<br>packages between nodes on the p2p network, has also been discussed =
for<br>many years. The earliest public mention I can find is from 2015 [12]=
.<br>The two most common use cases for package relay are fee-bumping<br>oth=
erwise-too-low-fee transactions and reducing the amount of orphans.<br>It s=
eems uncontroversial to say that everybody desires package relay<br>concept=
ually, with varying degrees of urgency. Lots of work has been<br>done by ot=
hers over the past few years, from which I&#39;ve taken<br>inspiration=
 [13][14][15][16].<br><br>My approach has been to split the project into tw=
o components: (1) Package<br>Mempool Accept, which includes validation logi=
c and mempool policy.<br>(2) Package Relay, which includes the p2p protocol=
 changes.<br><br>Progress so far:<br>After discussions with various develop=
ers of contracting protocols<br>(with heavier emphasis towards LN), it was =
determined that a<br>package containing a child with all of its unconfirmed=
 parents<br>(child-with-unconfirmed-parents or 1-child-multi-parent package=
) would<br>be sufficient for their use case, i.e. fee-bumping presigned<br>=
transactions. A child-with-unconfirmed-parents package has several<br>prope=
rties that make many things easier to reason about.<br><br>A few months ago=
, I proposed a set of policies for safe package<br>validation and fee asses=
sment for packages of this restricted<br><div>topology [17]. A series of PR=
s implementing this proposal have</div><div>been merged into Bitcoin Core [=
18].<br></div><br>Theoretically, developing a safe and incentive-compatible=
 package<br>mempool acceptance policy is sufficient to solve this issue. No=
des<br>could opportunistically accept packages (e.g. by trying combinations=
<br>of transactions rejected from their mempools), but this practice would<=
br>likely be inefficient at best and open new Denial of Service attacks<br>=
at worst. Additional p2p messages may enable nodes to request and<br>share =
package validation-related information with one another in a<br>more commun=
ication-efficient way.<br><br>Given that only package RBF remains for packa=
ge mempool accept, and we<br>can make progress on p2p and mempool in parall=
el, I think it=E2=80=99s<br>appropriate to put forward a package relay prop=
osal.<br><br>=3D=3DProposal=3D=3D<br><br>This proposal contains 2 component=
s: a =E2=80=9Cgeneric=E2=80=9D package relay<br>protocol and an extension o=
f it, child-with-unconfirmed-parents<br>packages, as version 1 package rela=
y. Another version of packages,<br>=E2=80=9Ctx-with-unconfirmed-ancestors=
=E2=80=9D can be created to extend package relay<br>for eliminating orphans=
.<br><br>=3D=3D=3DGeneric Package Relay=3D=3D=3D<br><br>Two main ideas are =
introduced:<br><br>Download and validate packages of transactions together.=
<br><br>Provide information to help peers decide whether to request and/or =
how<br>to validate transactions which are part of a package.<br><br>=3D=3D=
=3D=3DIntended Protocol Flow=3D=3D=3D=3D<br><br>Due to the asynchronous nat=
ure of a distributed transaction relay<br>network, nodes may not receive al=
l of the information needed to<br>validate a transaction at once. For examp=
le, after a node completes<br>Initial Block Download (IBD) and first starts=
 participating in<br>transaction relay with an empty mempool, it is common =
to receive<br>orphans. In such scenarios where a node is aware that it is m=
issing<br>information, a &#39;&#39;receiver-initiated&#39;&#39; dialogue is=
 appropriate:<br><br>1. Receiver requests package information.<br><br>2. Th=
e sender provides package information, including the wtxids of<br>=C2=A0 =
=C2=A0the transactions in the package and anything else that might be<br>re=
levant (e.g. total fees and size).<br><br>3. The receiver uses the package =
information to decide how to request<br>=C2=A0 =C2=A0and validate the trans=
actions.<br><br>Sometimes, no matter what order transactions are received b=
y a node,<br>validating them individually is insufficient. When the sender =
is aware<br>of additional information that the receiver needs to accept a p=
ackage,<br>a proactive &#39;&#39;sender-initiated&#39;&#39; dialogue should=
 be enabled:<br><br>1. Sender announces they have package information perta=
ining to a<br>=C2=A0 =C2=A0transaction that might otherwise be undesired on=
 its own.<br><br>2. The receiver requests package information.<br><br>3. Th=
e sender provides package information, including the wtxids of<br>=C2=A0 =
=C2=A0the transactions in the package and anything else that might be<br>re=
levant (e.g. total fees and size).<br><br>4. The receiver uses the package =
information to decide how to request<br>=C2=A0 =C2=A0and validate the trans=
actions.<br><br>Package relay is negotiated between two peers during the ve=
rsion<br>handshake. Package relay requires both peers to support wtxid-base=
d<br>relay because package transactions are referenced by their wtxid.<br><=
br>=3D=3D=3D=3DNew Messages=3D=3D=3D=3D<br><br>Three new protocol messages =
are added for use in any version of<br>package relay. Additionally, each ve=
rsion of package relay must define<br>its own inv type and &quot;pckginfo&q=
uot; message version, referred to in this<br>document as &quot;MSG_PCKG&quo=
t; and &quot;pckginfo&quot; respectively. See<br>BIP-v1-packages for a conc=
rete example.<br><br>=3D=3D=3D=3D=3Dsendpackages=3D=3D=3D=3D=3D<br><br>{|<b=
r>| =C2=A0Field Name =C2=A0|| =C2=A0Type =C2=A0|| =C2=A0Size =C2=A0|| =C2=
=A0Purpose<br>|-<br>|version || uint32_t || 4 || Denotes a package version =
supported by the node.<br>|-<br>|max_count || uint32_t || 4 ||Specifies the=
 maximum number of transactions per package this node is<br>willing to acce=
pt.<br>|-<br>|max_weight || uint32_t || 4 ||Specifies the maximum total wei=
ght per package this node is willing<br>to accept.<br>|-<br>|}<br><br>1. Th=
e &quot;sendpackages&quot; message has the structure defined above, with<br=
>=C2=A0 =C2=A0pchCommand =3D=3D &quot;sendpackages&quot;.<br><br>2. During =
version handshake, nodes should send a &quot;sendpackages&quot;<br>=C2=A0 =
=C2=A0message to indicate they support package relay and may request<br>packag=
es.<br><br>3. The message should contain a version supported by the node. N=
odes<br>=C2=A0 =C2=A0should send a &quot;sendpackages&quot; message for eac=
h version they support.<br><br>4. The &quot;sendpackages&quot; message MUST=
 be sent before sending a &quot;verack&quot;<br>=C2=A0 =C2=A0message. If a =
&quot;sendpackages&quot; message is received after &quot;verack&quot;, the<b=
r>sender should be disconnected.<br><br>5. If &#39;fRelay=3D=3Dfalse&#39; i=
n a peer&#39;s version message, the node must not<br>=C2=A0 =C2=A0send &quo=
t;sendpackages&quot; to them. If a &quot;sendpackages&quot; message is<br>r=
eceived by a peer after sending `fRelay=3D=3Dfalse` in their version<br>mes=
sage, the sender should be disconnected.<br><br>6. Upon receipt of a &quot=
;sendpackages&quot; message with a version that is<br>not supported, a node=
 must treat the peer as if it never received the<br>message.<br><br>7. If b=
oth peers send &quot;wtxidrelay&quot; and &quot;sendpackages&quot; with the=
 same<br>=C2=A0 =C2=A0version, the peers should announce, request, and send=
 package<br>information to each other.<br><br>=3D=3D=3D=3D=3Dgetpckgtxns=3D=
=3D=3D=3D=3D<br><br>{|<br>| =C2=A0Field Name =C2=A0|| =C2=A0Type =C2=A0|| =
=C2=A0Size =C2=A0|| =C2=A0 Purpose<br>|-<br>|txns_length||CompactSize||1 or=
 3 bytes|| The number of transactions requested.<br>|-<br>|txns||List of wt=
xids||txns_length * 32|| The wtxids of each transaction in the package.<br>=
|}<br><br>1. The &quot;getpckgtxns&quot; message has the structure defined =
above, with<br>=C2=A0 =C2=A0pchCommand =3D=3D &quot;getpckgtxns&quot;.<br><=
br>2. A &quot;getpckgtxns&quot; message should be used to request all or so=
me of<br>=C2=A0 =C2=A0the transactions previously announced in a &quot;pckg=
info&quot; message,<br>specified by witness transaction id.<br><br>3. Up=
on receipt of a &quot;getpckgtxns&quot; message, a node must respond with<b=
r>=C2=A0 =C2=A0either a &quot;pckgtxns&quot; containing the requested trans=
actions or a<br>&quot;notfound&quot; message indicating one or more of the =
transactions is<br>unavailable. This allows the receiver to avoid downloadi=
ng and storing<br>transactions that cannot be validated immediately.<br><br=
>4. A &quot;getpckgtxns&quot; message should only be sent if both peers agr=
eed to<br>=C2=A0 =C2=A0send packages in the version handshake. If a &quot;g=
etpckgtxns&quot; message<br>is received from a peer with which package rela=
y was not negotiated,<br>the sender should be disconnected.<br><br>=3D=3D=
=3D=3D=3Dpckgtxns=3D=3D=3D=3D=3D<br><br>{|<br>| =C2=A0Field Name =C2=A0|| =
=C2=A0Type =C2=A0|| =C2=A0Size =C2=A0|| =C2=A0 Purpose<br>|-<br>|txns_lengt=
h||CompactSize||1 or 3 bytes|| The number of transactions provided.<br>|-<b=
r>|txns||List of transactions||variable|| The transactions in the package.<=
br>|}<br><br>1. The &quot;pckgtxns&quot; message has the structure defined =
above, with<br>=C2=A0 =C2=A0pchCommand =3D=3D &quot;pckgtxns&quot;.<br><br>=
2. A &quot;pckgtxns&quot; message should contain the transaction data reque=
sted<br>=C2=A0 =C2=A0using &quot;getpckgtxns&quot;.<br><br>3. A &quot;pckgt=
xns&quot; message should only be sent to a peer that requested<br>=C2=A0 =
=C2=A0the package using &quot;getpckgtxns&quot;. If a node receives an unso=
licited<br>package, the sender should be disconnected.<br><br>4. A &quot;pc=
kgtxns&quot; message should only be sent if both peers agreed to<br>=C2=A0 =
=C2=A0send packages in the version handshake. If a &quot;pckgtxns&quot; mes=
sage is<br>received from a peer with which package relay was not negotiated=
, the<br>sender should be disconnected.<br><br>=3D=3D=3DVersion 1 Packages:=
 child-with-unconfirmed-parents=3D=3D=3D =C2=A0<br><br>This extends package=
 relay for packages consisting of one transaction<br>and all of its unconfi=
rmed parents, by defining version 1 packages, a<br>pckginfo1 message, and a =
MSG_PCKG1 inv type. It enables the use case<br>in which a child pays for it=
s otherwise-too-low-fee parents and their<br>mempool conflict(s).<br><br>=
=3D=3D=3D=3DIntended Protocol Flow=3D=3D=3D=3D<br><br>When relaying a packa=
ge of low-fee parent(s) and high-fee child, the<br>sender and receiver do t=
he following:<br><br>1. Sender announces they have a child-with-unconfirmed=
-parents package<br>=C2=A0 =C2=A0for a child that pays for otherwise-too-lo=
w-fee parent(s) using<br>&quot;inv(MSG_PCKG1)&quot;.<br><br>2. The receiver=
 requests package information using<br>=C2=A0 =C2=A0&quot;getdata(MSG_PCKG1=
)&quot;.<br><br>3. The sender provides package information using &quot;pckg=
info1&quot;,<br>=C2=A0 =C2=A0including the blockhash of the sender&#39;s be=
st block, the wtxids of<br>the transactions in the package, their total fee=
s and total weight.<br><br>4. The receiver uses the package information to =
decide how to request<br>=C2=A0 =C2=A0the transactions. For example, if the=
 receiver already has some of<br>the transactions in their mempool, they on=
ly request the missing ones.<br>They could also decide not to request the p=
ackage at all based on the<br>fee information provided.<br><br>5. Upon rece=
iving a &quot;pckgtxns&quot;, the receiver submits the transactions<br>=C2=
=A0 =C2=A0together as a package.<br><br>=3D=3D=3D=3DNew Messages=3D=3D=3D=
=3D<br><br>A new inv type, &quot;MSG_PCKG1&quot;, and new protocol message,=
 &quot;PCKGINFO1&quot;,<br>are added.<br><br>=3D=3D=3D=3D=3Dpckginfo1=3D=3D=
=3D=3D=3D<br><br>{|<br>| =C2=A0Field Name =C2=A0|| =C2=A0Type =C2=A0|| =C2=
=A0Size =C2=A0|| =C2=A0 Purpose<br>|-<br>|blockhash || uint256 || 32 || The=
 chain tip at which this package is defined.<br>|-<br>|pckg_fee||CAmount||4=
|| The sum total fees paid by all transactions in the package.<br>|-<br>|pc=
kg_weight||int64_t||8|| The sum total weight of all transactions in the pac=
kage.<br>|-<br>|txns_length||CompactSize||1 or 3 bytes|| The number of tran=
sactions provided.<br>|-<br>|txns||List of wtxids||txns_length * 32|| The w=
txids of each transaction in the package.<br>|}<br><br><br>1. The &quot;pck=
ginfo1&quot; message has the structure defined above, with<br>=C2=A0 =C2=A0=
pchCommand =3D=3D &quot;pckginfo1&quot;.<br><br>2. A &quot;pckginfo1&quot; =
message contains information about a version 1<br>=C2=A0 =C2=A0package (def=
ined below), referenced by the wtxid of the transaction<br>it pertains to a=
nd the current blockhash.<br><br>3. Upon receipt of a &quot;pckginfo1&quot;=
 message, the node should decide if it<br>=C2=A0 =C2=A0wants to validate th=
e package, request transaction data if<br>necessary, etc.<br><br>4. Upon re=
ceipt of a malformed &quot;pckginfo1&quot; message or package that<br>=C2=
=A0 =C2=A0does not abide by the max_count, max_weight, or other rules<br>sp=
ecified by the version agreed upon in the initial negotiation, the<br>sende=
r should be disconnected.=C2=A0 If a node receives a &quot;pckginfo1&quot;<=
br>message for which the &quot;pckg_fee&quot; or &quot;pckg_weight&quot; do=
 not reflect the<br>true total fees and weight, respectively, or the transa=
ctions in the<br>package, the message is malformed.<br><br>5. A node MUST N=
OT send a &quot;pckginfo1&quot; message that has not been<br>=C2=A0 =C2=A0r=
equested by the recipient. Upon receipt of an unsolicited<br>&quot;pckginfo=
1&quot;, a node should disconnect the sender.<br><br>6. A &quot;pckginfo1&q=
uot; message should only be sent if both peers agreed to<br>=C2=A0 =C2=A0se=
nd version 1 packages in the version handshake. If a &quot;pckginfo1&quot;<=
br>message is received from a peer with which package relay was not<br>nego=
tiated, the sender should be disconnected.<br><br>=3D=3D=3D=3D=3DMSG_PCKG1=
=3D=3D=3D=3D=3D<br><br>1. A new inv type (MSG_PCKG1 =3D=3D 0x6) is added, f=
or use in inv messages<br>=C2=A0 =C2=A0and getdata requests pertaining to v=
ersion 1 packages.<br><br>2. As an inv type, it indicates that both transac=
tion data and version<br>=C2=A0 =C2=A01 package information are available f=
or the transaction. The<br>transaction is referenced by its wtxid. As a get=
data request type, it<br>indicates that the sender wants package informatio=
n for the<br>transaction.<br><br>3. Upon receipt of a &quot;getdata&quot; r=
equest for &quot;MSG_PCKG1&quot;, the node<br>=C2=A0 =C2=A0should respond w=
ith the version 1 package corresponding to the<br>requested transaction and=
 its current chain tip, or with NOTFOUND.<br>The node should not assume tha=
t the sender is requesting the<br>transaction data as well.<br><br>=3D=3D=
=3D=3DChild With Parent Packages Rules=3D=3D=3D=3D<br><br>A child-with-unco=
nfirmed-parents package sent between nodes must abide<br>by the rules below=
, otherwise the package is malformed and the sender<br>should be disconnect=
ed.<br><br>A version 1 or &#39;&#39;child-with-unconfirmed-parents&#39;&#39=
; package can be<br>defined for any transaction that spends unconfirmed inp=
uts. The child<br>can be thought of as the &quot;representative&quot; of th=
e package. This package<br>can be uniquely identified by the transaction&#3=
9;s wtxid and the current<br>chain tip block hash.<br><br>A &#39;&#39;child=
-with-unconfirmed-parents&#39;&#39; package MUST be:<br><br>1. &#39;&#39;So=
rted topologically.&#39;&#39; For every transaction t in the package,<br>=
=C2=A0 =C2=A0if any of t&#39;s parents are present in the package, the pare=
nt must<br>appear somewhere in the list before t. In other words, the<br>tr=
ansactions must be sorted in ascending order of the number of<br>ancestors =
present in the package.<br><br>2. &#39;&#39;Only 1 child with unconfirmed p=
arents.&#39;&#39; The package must consist<br>=C2=A0 =C2=A0of one transacti=
on and its unconfirmed parents. There must not be<br>any other transactions=
 in the package. Other dependency relationships<br>may exist within the pac=
kage (e.g. one parent may spend the output of<br>another parent) provided t=
hat topological order is respected.<br><br>3. &#39;&#39;All unconfirmed par=
ents.&#39;&#39; All of the child&#39;s unconfirmed parents<br>=C2=A0 =C2=A0=
must be present.<br><br>4. &#39;&#39;No conflicts.&#39;&#39; None of the tr=
ansactions in the package may<br>=C2=A0 =C2=A0conflict with each other (i.e=
. =C2=A0spend the same prevout).<br><br>5. &#39;&#39;Total fees and weight.=
&#39;&#39; The &#39;total_fee&#39; and &#39;total_weight&#39;<br>=C2=A0 =C2=
=A0fields must accurately represent the sum total of all transactions&#39;<=
br>fees and weights as defined in BIP141, respectively.<br><br>Not all of t=
he child&#39;s parents must be present; the child transaction<br>may also s=
pend confirmed inputs. However, if the child has confirmed<br>parents, they=
 must not be in the package.<br><br>While a child-with-unconfirmed-parents =
package is perhaps most<br>relevant when the child has a higher feerate tha=
n its parents, this<br>property is not required to construct a valid packag=
e.<br><br>=3D=3D=3D=3DClarifications=3D=3D=3D=3D<br><br>&#39;&#39;Q: Under =
what circumstances should a sender announce a<br>child-with-unconfirmed-par=
ents package?&#39;&#39;<br><br>A child-with-unconfirmed-parents package for=
 a transaction should be<br>announced when it meets the peer&#39;s fee filt=
er but one or more of its<br>parents don&#39;t; a &quot;inv(MSG_PCKG1)&quot=
; instead of &quot;inv(WTX)&quot; should be sent<br>for the child. Each of =
the parents which meet the peer&#39;s fee filter<br>should still be announc=
ed normally.<br><br>&#39;&#39;Q: What if a new block arrives in between mes=
sages?&#39;&#39;<br><br>A child-with-unconfirmed-parents package is defined=
 for a transaction<br>based on the current chain state. As such, a new bloc=
k extending the<br>tip may decrease the number of transactions in the packa=
ge (i.e. if<br>any of the transaction&#39;s parents were included in the bl=
ock). In a<br>reorg, the number of transactions in the package may decrease=
 or<br>increase (i.e. if any of the transaction&#39;s parents were included=
 in a<br>block in the previous chain but not the new one).<br><br>If the ne=
w block arrives before the &quot;getdata&quot; or &quot;pckginfo1&quot;, no=
thing<br>needs to change.<br><br>If the new block arrives before &quot;getp=
ckgtxns&quot; or before &quot;pckgtxns&quot;,<br>the receiver may need to r=
e-request package information if the block<br>contained a transaction in th=
e package. If the block doesn&#39;t contain<br>any transactions in the pack=
age, whether it extends the previous tip<br>or causes a reorg, nothing need=
s to change.<br><br>&#39;&#39;Q: Can &quot;getpckgtxns&quot; and &quot;pckg=
txns&quot; messages contain only one<br>transaction?&#39;&#39;<br><br>Yes.<=
br><br>=3D=3D=3DFurther Protocol Extensions=3D=3D=3D<br><br>When introducin=
g a new type of package, assign it a version number &quot;n&quot;<br>and us=
e an additional &quot;sendpackages&quot; message during version handshake<b=
r>to negotiate support for it. An additional package information message<br=
>&quot;pckginfon&quot; and inv type &quot;MSG_PCKGn&quot; should be defined=
 for the type of<br>package.=C2=A0 However, &quot;getpckgtxns&quot; and &qu=
ot;pckgtxns&quot; do not need to be<br>changed.<br><br>Example proposal for=
 tx-with-unconfirmed-ancestors package relay: [19] <br><br>=3D=3D=3DCompati=
bility=3D=3D=3D<br><br>Older clients remain fully compatible and interopera=
ble after this<br>change. Clients implementing this protocol will only atte=
mpt to send<br>and request packages if agreed upon during the version hands=
hake.<br><br>=3D=3D=3DPackage Erlay=3D=3D=3D<br><br>Clients using BIP330 re=
conciliation-based transaction relay (Erlay)<br>are able to use package rel=
ay without interference. In fact, a package<br>of transactions may be annou=
nced using both Erlay and package relay.<br>After reconciliation, if the in=
itiator would have announced a<br>transaction by wtxid but also has package=
 information for it, they may<br>send &quot;inv(MSG_PCKG)&quot; instead of =
&quot;inv(WTX)&quot;.<br><br>=3D=3D=3DRationale=3D=3D=3D<br><br>=3D=3D=3D=
=3DP2P Message Design=3D=3D=3D=3D<br><br>These p2p messages are added for c=
ommunication efficiency and, as<br>such, one should measure alternative sol=
utions based on the resources<br>used to communicate (not necessarily trust=
worthy) information: We<br>would like to minimize network bandwidth, avoid =
downloading a<br>transaction more than once, avoid downloading transactions=
 that are<br>eventually rejected, and minimize storage allocated for<br>not=
-yet-validated transactions.<br><br>Consider these (plausible) scenarios in=
 transaction relay:<br><br>Alice (the &quot;sender&quot;) is relaying trans=
actions to Bob (the &quot;receiver&quot;).<br>Alice&#39;s mempool has a min=
imum feerate of 1sat/vB and Bob&#39;s has a<br>minimum feerate of 3sat/vB. =
For simplicity, all transactions are<br>1600Wu in virtual size and 500 byte=
s in serialized size. Apart from<br>the spending relationships specified, a=
ll other inputs are from<br>confirmed UTXOs.<br><br>1. Package {A, B} where=
 A pays 0 satoshis and B pays 8000 satoshis in<br>=C2=A0 =C2=A0fees.<br><br=
>2. Package {C, D} where C pays 0 satoshis and D pays 1200 satoshis in<br>=
=C2=A0 =C2=A0fees.<br><br>3. Package {E, F, G, H, J} that pays 4000, 8000, =
0, 2000, and 4000<br>=C2=A0 =C2=A0satoshis in fees, respectively.<br><br>=
=3D=3D=3D=3DAlternative Designs Considered=3D=3D=3D=3D<br><br>&#39;&#39;Pac=
kage Information Only:&#39;&#39; Just having &quot;pckginfo&quot; gives eno=
ugh<br>information for the receiver to accept the package. Omit the<br>&quo=
t;getpckgtxns&quot; and &quot;pckgtxns&quot; messages. While this option is=
 a good<br>fallback if batched transaction download fails for some reason, =
it<br>shouldn&#39;t be used as the default because it &#39;always&#39; requ=
ires storage<br>of unvalidated transactions.<br><br>&#39;&#39;No Package In=
formation Round:&#39;&#39; Instead of having a package<br>information round=
, just use the child&#39;s wtxid to refer to the package<br>and always send=
 the entire package together. This would cause nodes to<br>redownload dupli=
cate transactions.<br><br>I have also created a slidedeck exploring various=
 alternative designs<br>and some examples in which they fall flat [20]. Ple=
ase feel free to<br>suggest other alternatives.<br><br>=3D=3D=3D=3DVersioni=
ng System=3D=3D=3D=3D<br><br>This protocol should be extensible to support =
multiple types of<br>
packages based on future desired use cases. Two "flavors" of<br>
versioning were considered:<br>
<br>
1. When package mempool acceptance is upgraded to support more types<br>
&nbsp; &nbsp;of packages, increment the version number (similar to Erlay).<br>
During version handshake, peers negotiate which version of package<br>
relay they will use by each sending one "sendpackages" message.<br>
<br>
2. When introducing another type of package, assign a version number<br>
&nbsp; &nbsp;to it and announce it as an additional supported version (similar<br>
to Compact Block Relay). During version handshake, peers send one<br>
"sendpackages" message for each version supported.<br>
<br>
The second option was favored because it allows different parameters<br>
for different versions.&nbsp; For example, it should be possible to support<br>
both "arbitrary topology but maximum 3-transaction" package as well as<br>
"child-with-unconfirmed-parents with default mempool ancestor limits"<br>
packages simultaneously.<br>
<br>
==Acknowledgements==<br>
<br>
I hope to have made it abundantly clear that this proposal isn’t<br>
inventing the co=
ncept of package relay, and in fact builds upon years<br>
of work by many others, including Suhas Daftuar and Antoine Riard.<br>
<br>
Thank you to John Newbery and Martin Zumsande for input on the design.<br>
<br>
Thank you to Matt Corallo, Christian Decker, David Harding, Antoine<br>
Poinsot, Antoine Riard, Gregory Sanders, Chris Stewart, Bastien<br>
Teinturier, and others for input on the desired interface for<br>
contracting protocols.<br>
<br>
<div>Looking forward to hearing your thoughts!</div><div><br></div><div>Best,</div>
<div>Gloria<br></div><div><br></div>[0]: <a href=3D"https://lists.linuxfoun=
dation.org/pipermail/bitcoin-dev/2022-January/019817.html" target=3D"_blank=
">https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-January/0198=
17.html</a><br>[1]: <a href=3D"https://lists.linuxfoundation.org/pipermail/=
lightning-dev/2020-April/002639.html" target=3D"_blank">https://lists.linux=
foundation.org/pipermail/lightning-dev/2020-April/002639.html</a><br>[2]: <=
a href=3D"https://lists.linuxfoundation.org/pipermail/lightning-dev/2020-Ju=
ne/002758.html" target=3D"_blank">https://lists.linuxfoundation.org/piperma=
il/lightning-dev/2020-June/002758.html</a><br>[3]: <a href=3D"https://githu=
b.com/t-bast/lightning-docs/blob/master/pinning-attacks.md" target=3D"_blan=
k">https://github.com/t-bast/lightning-docs/blob/master/pinning-attacks.md<=
/a><br>[4]: <a href=3D"https://github.com/revault/practical-revault/blob/ma=
ster/transactions.md#cancel_tx" target=3D"_blank">https://github.com/revaul=
t/practical-revault/blob/master/transactions.md#cancel_tx</a><br>[5]: <a hr=
ef=3D"https://github.com/discreetlogcontracts/dlcspecs/blob/master/Transact=
ions.md#refund-transaction" target=3D"_blank">https://github.com/discreetlo=
gcontracts/dlcspecs/blob/master/Transactions.md#refund-transaction</a><br>[=
6]: <a href=3D"https://gist.github.com/instagibbs/60264606e181451e977e439a4=
9f69fe1" target=3D"_blank">https://gist.github.com/instagibbs/60264606e1814=
51e977e439a49f69fe1</a><br>[7]: <a href=3D"https://btctranscripts.com/adopt=
ing-bitcoin/2021/2021-11-16-gloria-zhao-transaction-relay-policy/#lightning=
-attacks" target=3D"_blank">https://btctranscripts.com/adopting-bitcoin/202=
1/2021-11-16-gloria-zhao-transaction-relay-policy/#lightning-attacks</a><br=
>[8]: <a href=3D"https://youtu.be/fbWSQvJjKFs?t=3D1438" target=3D"_blank">h=
ttps://youtu.be/fbWSQvJjKFs?t=3D1438</a><br>[9]: <a href=3D"https://www.red=
dit.com/r/Bitcoin/comments/unew4e/looks_like_70_mvb_of_transactions_just_go=
t_dumped/" target=3D"_blank">https://www.reddit.com/r/Bitcoin/comments/unew=
4e/looks_like_70_mvb_of_transactions_just_got_dumped/</a><br>[10]: <a href=
=3D"https://github.com/bitcoin/bitcoin/pull/7594" target=3D"_blank">https:/=
/github.com/bitcoin/bitcoin/pull/7594</a><br>[11]: <a href=3D"https://githu=
b.com/bitcoin/bitcoin/pull/7600" target=3D"_blank">https://github.com/bitco=
in/bitcoin/pull/7600</a><br>[12]: <a href=3D"https://github.com/bitcoin/bit=
coin/pull/6455#issuecomment-122716820" target=3D"_blank">https://github.com=
/bitcoin/bitcoin/pull/6455#issuecomment-122716820</a><br>[13]: <a href=3D"h=
ttps://gist.github.com/sdaftuar/8756699bfcad4d3806ba9f3396d4e66a" target=3D=
"_blank">https://gist.github.com/sdaftuar/8756699bfcad4d3806ba9f3396d4e66a<=
/a><br>[14]: <a href=3D"https://github.com/bitcoin/bitcoin/issues/14895" ta=
rget=3D"_blank">https://github.com/bitcoin/bitcoin/issues/14895</a><br>[15]=
: <a href=3D"https://github.com/bitcoin/bitcoin/pull/16401" target=3D"_blan=
k">https://github.com/bitcoin/bitcoin/pull/16401</a><br>[16]: <a href=3D"ht=
tps://github.com/bitcoin/bitcoin/pull/19621" target=3D"_blank">https://gith=
ub.com/bitcoin/bitcoin/pull/19621</a><br>[17]: <a href=3D"https://lists.lin=
uxfoundation.org/pipermail/bitcoin-dev/2021-September/019464.html" target=
=3D"_blank">https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-Se=
ptember/019464.html</a><br>[18]: <a href=3D"https://github.com/users/glozow=
/projects/5/views/4?layout=3Dboard" target=3D"_blank">https://github.com/us=
ers/glozow/projects/5/views/4?layout=3Dboard</a><br>[19]: <a href=3D"https:=
//gist.github.com/glozow/9b321cd3ef6505135c763112033ff2a7" target=3D"_blank=
">https://gist.github.com/glozow/9b321cd3ef6505135c763112033ff2a7</a><br>[2=
0]: <a href=3D"https://docs.google.com/presentation/d/1B__KlZO1VzxJGx-0DYCh=
lWawaEmGJ9EGApEzrHqZpQc/edit?usp=3Dsharing" target=3D"_blank">https://docs.=
google.com/presentation/d/1B__KlZO1VzxJGx-0DYChlWawaEmGJ9EGApEzrHqZpQc/edit=
?usp=3Dsharing</a></div>
</blockquote></div>
</blockquote></div>

--000000000000da95c205ec6c8a69--