Author: ZmnSCPxj 2023-06-29 18:13:10+00:00
Published on: 2023-06-29T18:13:10+00:00
Recently, it has been discovered that even with Noise encryption, a third-party eavesdropper can infer the content of messages exchanged between Lightning Network (LN) nodes by analyzing the sizes of IP packets transmitted. This poses a potential security risk as it enables the eavesdropper to deduce the routing of payments across the network. To address this issue, a solution proposed is to ensure that all packet sizes are uniform.The BOLT8 specification is built on top of TCP, where the receiver perceives the incoming data as a continuous stream of bytes, despite the fact that it is actually transmitted in packets at the IP level. Most implementations have an object or similar software construct responsible for encrypting messages for BOLT8 tunnels. To enhance its functionality, this object can be transformed into a "buffer" in addition to being a tunnel encrypter.The modified object would feature entry points for sending BOLT8 messages and flushing the buffer. It would maintain an internal buffer of fixed size, into which ciphertext from the "send BOLT8 message" interface is stored. When the buffer becomes full, the object utilizes the POSIX `send` API to transmit it as a packet. This ensures that packets sent are of uniform size.The "flush" entry point monitors the fill level of the buffer and appends a `pong` message to pad it until the entire buffer reaches capacity. There is a specific scenario where the buffer is almost full, and adding the mandatory 2-byte message length and 2-byte message ID might cause an overflow. The object should handle this case correctly.Since the object inserts `pong` messages, it must modify the encryptor state by incorporating the `pong` message into the stream of BOLT8 messages. This approach allows a sequence of `update_add_htlc` messages followed by a `commitment_signed` message to potentially be combined into a single fixed-size packet or a sequence of fixed-size packets. The "flush" entry point needs to be called by the implementation to ensure that the counterparty receives the complete tail end of the `commitment_signed` message.To enhance robustness against internal bugs and for defensive programming purposes, the object can be equipped with an individual randomized timer. This timer periodically triggers a self-flush operation, even if the implementation fails to initiate a flush while awaiting a response from the counterparty. This serves as a workaround for such bugs, transforming them from interop bugs into performance bugs.It is recommended that the buffer size matches the packet size of `update_add_htlc` as it is expected to fit within a single IP packet for optimal latency.
Updated on: 2023-07-14T03:09:41.413777+00:00