Re: Are next claims true about ILP? from Evan Schwartz on 2017-08-29 (public-interledger@w3.org from August 2017)

From: Evan Schwartz <evan@ripple.com>
Date: Tue, 29 Aug 2017 18:34:25 +0000
To: Adrian Hope-Bailie <adrian@hopebailie.com>, Enrique Arizon Benito <enrique.arizon.benito@everis.com>
Cc: Interledger Community Group <public-interledger@w3.org>
Message-ID: <CAONA2jWfYyTrRhtZ72jd5SrfUzwiVi_fkpg8GTAYPa_d2YiUig@mail.gmail.com>
> 1. Send PayPal payment to peer
> 2. Send message to peer with id of payment and ILP packet

Are you also going to send them a condition and timeout?

> 3. Get response from peer containing fulfillment

What happens if you don't get the fulfillment before the timeout?

> It's not pretty but it would work if the two entities trust each other to
do a refund in the case of an error.

All of the statements I've quoted above define a Hash Timelocked Agreement.
The agreement you've defined is: "I'll send you an unconditional transfer
and then let you know through another communication channel we've agreed
upon about the associated ILP packet, condition, and timeout. The agreement
is that if you give me a valid fulfillment for the condition before the
timeout, you keep the money. If you don't, you should send me a refund. If
you don't send me a refund I'll either stop doing business with you, take
you to court, etc."

That is an HTLA.

Now the question is would you ever do ILP *not* over an HTLA. You can
certainly send local transfers without a condition. But if you are a
connector in an internetworked system where all the other connectors are
using HTLAs, you would lose all of your money so quickly if you weren't
using an HTLA yourself (someone would just send payments through you and
cause the others to roll back and you wouldn't get your money back).

> ILP doesn't care if senders, receivers and connectors use HTLAs or not.
Those entities will choose to use them for their own benefit. Whether they
do or not has no impact on the end-to-end payment.

This is an interesting point, but I don't think it makes sense to define
ILP that way. Let's think about it coming from the perspective of someone
who wants to use ILP to connect to the rest of the Interledger. If all
connectors in the network will only forward payments for you if the
transfer uses some type of HTLA with a sha256 hashlock condition, then you
have to use that as well. Also, if you want to send a transfer that uses an
HTLA with some other type of condition and connectors won't forward it for
you, then that doesn't work. So we could say that ILP theoretically doesn't
require sha256 HTLAs but practically you need them, but I think that's
close to a meaningless distinction. Not sure this is a good analogy but you
could think of this as similar to IP's requirement that the underlying
networks be able to forward at least 68 bytes without fragmentation
<https://en.wikipedia.org/wiki/Maximum_transmission_unit#cite_note-5>.

> As I think this thread proves, there is still a belief that all transfers
in an end-to-end ILP payment MUST be secured using the same condition and
that is not true.

You can add additional conditions, as in the case with atomic mode, but I
don't think you can avoid securing your transfers with at least the same
sha256 condition as everyone else.

I very much agree with Enrique that it makes sense to include whatever
information in the spec is useful to help developers implement it
correctly. Since you will need to use at least sha256-based HTLAs in order
to join the Interledger and participate safely, I see no upside and only
downside to pretending that you don't need to use HTLAs to use ILP.

On Tue, Aug 29, 2017 at 12:14 PM Adrian Hope-Bailie <adrian@hopebailie.com>
wrote:

> > As I see it, the RFC describing the protocol must be free (actually is
> encouraged)
>  to choose any detail implementation that helps in designing proper working
>  implementations (even if such details are not mandated but just
> suggested).
>
> This is fine but we must get away from the assumption that our
> implementations are the only way that a ledger layer protocol can work. In
> my opinion this has impacted the design of the protocol stack negatively.
> As I think this thread proves, there is still a belief that all transfers
> in an end-to-end ILP payment MUST be secured using the same condition and
> that is not true.
>
> If we continue to design things on the back of false assumptions then I
> expect we will have big problems down the line.
>
> On 29 August 2017 at 08:44, Adrian Hope-Bailie <adrian@hopebailie.com>
> wrote:
>
>> > What you're describing *is* a Hash Timelocked Agreement.
>>
>> Not at all. I'm talking about a transfer that ignores the condition
>> completely and had no concept of a timeout so how can it be an HTLA?
>>
>> > You're talking about sending a transfer that is conditional upon the
>> hash preimage being delivered before a timeout and an agreement that the
>> money will be returned if not.
>>
>> Please point out where the HTLA fits into this set of functions:
>> - Send a message (data)
>> - Send a transfer (value + data)
>> - Send a reply (linked to original message/transfer)
>>
>> > ILP doesn't care how you implement this agreement but it does assume
>> that it's riding on top of an HTLA (rather than plain transfers).
>>
>> No it doesn't! ILP makes ZERO assumptions about the lower layers with
>> regard to conditions and fulfillments.
>>
>> > All senders, receivers, and connectors SHOULD be using HTLAs. If they
>> don't they're going to have a bad time.
>>
>> You are mixing end-to-end concerns with host-to-host concerns. ILP
>> doesn't care if senders, receivers and connectors use HTLAs or not. Those
>> entities will choose to use them for their own benefit. Whether they do or
>> not has no impact on the end-to-end payment.
>>
>> > That is what I mean by the layer below ILP including HTLAs.
>>
>> It does include HTLAs but that is not a requirement. You can argue that
>> it would be foolish for any peers to not use an HTLA and maybe you'd be
>> right but that still doesn't make it a requirement :)
>>
>>
>> On 29 August 2017 at 06:32, Enrique Arizon Benito <
>> enrique.arizon.benito@everis.com> wrote:
>>
>>>
>>> Interledger Community Group ‎[public-interledger@w3.org]‎
>>>
>>> > I really dislike how we keep saying that ILP "requires" X or Y with
>>> regard to the HTLA or talk about protocol requirements in terms of
>>> implementation details.
>>>
>>> IMHO, this is just about pure-abstractions versus pragmatic-abstractions
>>>  on how the RFC describing the protocol must be written.
>>>
>>> As I see it, the RFC describing the protocol must be free (actually is
>>> encouraged)
>>>  to choose any detail implementation that helps in designing proper
>>> working
>>>  implementations (even if such details are not mandated but just
>>> suggested).
>>>
>>> While it's perfectly possible to describe the protocol just around
>>> communication
>>>  semantics, ignoring how the state must be kept in the host (that is,
>>> what minimum
>>>  data-structures are expected to be handled by the software
>>> implementation)
>>>   makes the job harder for anyone interested in implementing the spec.
>>> In practice,
>>>  any software implementation is supposed to keep an internal
>>> state-machine
>>> . The state  and time transitions  will be driven by the
>>> incomming/outgoing (ILP)
>>>  protocol messages. Ignoring such internal state-machine in the RFC just
>>> hurts
>>>  developers interested in implementations with no advantage for anyone
>>> else.
>>>
>>> A pure abstraction with no hints on implementation details can be great
>>> for pure
>>> mathematicians, but I'm not so sure that would be ideal for software
>>> developers.
>>>
>>>  Taking for example the original TCP RFC,
>>>  the paper is full of references detailing how the host is supposed to
>>> implement
>>>  the TCP stack, with state buffers and input/output queues. It could
>>> have been
>>>  perfectly possible to ignore such details, but for sure TCP  would have
>>> not been
>>>  that much easier to understand and port to different platforms.
>>> Note that actually the RFC does NOT "requires" but actually "imagine"
>>> some pieces in
>>>  places on the host.
>>> ( Actually those "imagined" pieces exists in 100% of TCP real
>>> implementations)
>>>
>>> Extracted from https://tools.ietf.org/rfc/rfc793.txt
>>> _____________________________________________________________
>>>
>>>       To store this information we imagine that there
>>>       is a data structure called a Transmission Control Block (TCB).
>>>       ...
>>>       Before we can discuss very much about the operation of the TCP we
>>> need
>>>       to introduce some detailed terminology. Among the variables stored
>>> in
>>>       the TCB are the local and remote socket numbers, the security and
>>>       precedence of the connection, pointers to the user's send and
>>> receive
>>>       buffers, pointers to the retransmit queue and to the current
>>> segment.
>>>       In addition several variables relating to the send and receive
>>>       sequence numbers are stored in the TCB."""
>>>      ...
>>>       TCPs consume sequence number space each time a segment is formed
>>> and
>>>         entered into the network output queue at a source host.
>>>      ...
>>> _____________________________________________________________
>>>
>>>
>>>
>>> Regards,
>>>
>>> Enrique
>>>
>>>
>>> De: Adrian Hope-Bailie [adrian@hopebailie.com]
>>>
>>> Enviado: lunes, 28 de agosto de 2017 23:25
>>>
>>> Para: Evan Schwartz
>>>
>>> CC: Enrique Arizon Benito; Interledger Community Group
>>>
>>> Asunto: Re: Are next claims true about ILP?
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> I really dislike how we keep saying that ILP "requires" X or Y with
>>> regard to the HTLA or talk about protocol requirements in terms of
>>> implementation details.
>>>
>>>
>>>
>>>
>>> For example, I disagree with with 1. ILP does not have any requirements
>>> with regards to implementation details like where the HTLA status is kept.
>>> If we say ILP requires it be kept in the ledger or connector plugin that is
>>> incorrect because those are implementation
>>>  details. ILP only requires that the condition and fulfillment are
>>> passed along.
>>>
>>>
>>>
>>>
>>> I agree with 2 because that is a functional requirement not an
>>> implementation requirement.
>>>
>>>
>>>
>>>
>>> I think Enrique is correct regarding 3.2. The protocol has no
>>> requirement that connectors use the conditions and fulfillments. An ILP
>>> payment will still work if one of the host-to-host transfers in the middle
>>> ignores the condition and fulfillment with
>>>  respect to the validity of the transfer and simply passes them on to
>>> the next host.
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> On 25 August 2017 at 06:50, Evan Schwartz
>>> <evan@ripple.com> wrote:
>>>
>>>
>>> 1-3.1 are correct.
>>>
>>>
>>>
>>> 3.2 Connectors use conditions and fulfillments even in trustlines. They
>>> only update their balance with their peer when they agree that the (valid)
>>> fulfillment has been submitted before the timeout.
>>>
>>>
>>>
>>> 4 is kind of correct. The current view is that the most important thing
>>> to standardize are the protocols that will be used across ILP "Autonomous
>>> Systems", and that's more likely to be universal mode than atomic. Atomic
>>> is very useful for removing connector
>>>  risk but since it requires commonly trusted parties anyway, it's
>>> slightly less important to have widespread standards for how you do it.
>>> That said, I think there will be standards for atomic ILP, so if others are
>>> interested in working on that we can definitely
>>>  start some discussion about it.
>>>
>>>
>>>
>>>
>>>
>>> On Fri, Aug 25, 2017 at 3:39 AM Enrique Arizon Benito <
>>> enrique.arizon.benito@everis.com>
>>>  wrote:
>>>
>>>
>>>
>>> Hi,
>>>
>>>
>>>
>>> Trying to keep in sync with this long thread "An attempt to clean up the
>>> protocol architecture" and the current state of ILP in general, I just
>>> would appreciate if someone can correct me about next claims:
>>>
>>>
>>>
>>> 1. During the payment process, ILP requires to keep the current HTLA
>>> status in a ledger (using the escrow).
>>>
>>>
>>>
>>>   1.1 If the ledger does not support HTLA this status must be kept in
>>> the connector plugin.
>>>
>>>
>>>
>>> 2. During the payment process, fulfillments and errors must be returned
>>> through the same payment path that initiated the payment (same set of
>>> connectors/ledger) forcing to keep an status on each connector mapping
>>> incomming to outgoing transfers.
>>>
>>>
>>>
>>> 3. For  trust-lines, connectors can connect without a "real"
>>> intermediate  ledger, but they will still use a plugin that certainly will
>>> act as a virtual ledger to keep balances.
>>>
>>>
>>>
>>>   3.1 That means a ledger always exists, either real or virtual.
>>>
>>>
>>>
>>>   3.2 For trust-lines, connectors are allowed to ignore
>>> conditions/fulfillments but must still forward them.
>>>
>>>
>>>
>>> 4. There is no support for atomic mode in ILP, but can be build in a
>>> non-standard (non-ILP-defined) way on-top of it using for example an
>>> external arbiter for all connectors in the payment proccess.
>>>
>>>
>>>
>>> Regards,
>>>
>>>
>>>
>>> Enrique
>>>
>>>
>>>
>>> ________________________________
>>>
>>>
>>>
>>> AVISO DE CONFIDENCIALIDAD.
>>>
>>> Este correo y la información contenida o adjunta al mismo es privada y
>>> confidencial y va dirigida exclusivamente a su destinatario. everis informa
>>> a quien pueda haber recibido este correo por error que contiene información
>>> confidencial cuyo uso, copia, reproducción
>>>  o distribución está expresamente prohibida. Si no es Vd. el
>>> destinatario del mismo y recibe este correo por error, le rogamos lo ponga
>>> en conocimiento del emisor y proceda a su eliminación sin copiarlo,
>>> imprimirlo o utilizarlo de ningún modo.
>>>
>>>
>>>
>>> CONFIDENTIALITY WARNING.
>>>
>>> This message and the information contained in or attached to it are
>>> private and confidential and intended exclusively for the addressee. everis
>>> informs to whom it may receive it in error that it contains privileged
>>> information and its use, copy, reproduction
>>>  or distribution is prohibited. If you are not an intended recipient of
>>> this E-mail, please notify the sender, delete it and do not read, act upon,
>>> print, disclose, copy, retain or redistribute any portion of this E-mail.
>>>
>>>
>>>
>>>
>>>
>>>
>>> --
>>>
>>>
>>>
>>>
>>> Evan Schwartz
>>>
>>>
>>>
>>>
>>>
>>>
>>> Software Engineer
>>> Managing Director of Ripple Luxembourg
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> ________________________________
>>>
>>> AVISO DE CONFIDENCIALIDAD.
>>> Este correo y la información contenida o adjunta al mismo es privada y
>>> confidencial y va dirigida exclusivamente a su destinatario. everis informa
>>> a quien pueda haber recibido este correo por error que contiene información
>>> confidencial cuyo uso, copia, reproducción o distribución está expresamente
>>> prohibida. Si no es Vd. el destinatario del mismo y recibe este correo por
>>> error, le rogamos lo ponga en conocimiento del emisor y proceda a su
>>> eliminación sin copiarlo, imprimirlo o utilizarlo de ningún modo.
>>>
>>> CONFIDENTIALITY WARNING.
>>> This message and the information contained in or attached to it are
>>> private and confidential and intended exclusively for the addressee. everis
>>> informs to whom it may receive it in error that it contains privileged
>>> information and its use, copy, reproduction or distribution is prohibited.
>>> If you are not an intended recipient of this E-mail, please notify the
>>> sender, delete it and do not read, act upon, print, disclose, copy, retain
>>> or redistribute any portion of this E-mail.
>>>
>>
>>
> --

Evan Schwartz
Software Engineer
Managing Director of Ripple Luxembourg
<http:> <http:>
Received on Tuesday, 29 August 2017 18:35:00 UTC