Re: [Din] draft-mazieres-dinrg-scp-04 (page 16) Potential improvement to balloting protocol, setting cCounter
David Mazieres <dm-list-ietf-ilc@scs.stanford.edu> Sat, 03 November 2018 07:22 UTC
Return-Path: <dm-list-ietf-ilc@scs.stanford.edu>
X-Original-To: din@ietfa.amsl.com
Delivered-To: din@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C171127332 for <din@ietfa.amsl.com>; Sat, 3 Nov 2018 00:22:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=scs.stanford.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bzj3vVe1UJ8L for <din@ietfa.amsl.com>; Sat, 3 Nov 2018 00:22:21 -0700 (PDT)
Received: from market.scs.stanford.edu (www.scs.stanford.edu [IPv6:2001:470:806d:1::9]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C3495124BE5 for <din@irtf.org>; Sat, 3 Nov 2018 00:22:21 -0700 (PDT)
Received: from market.scs.stanford.edu (localhost [127.0.0.1]) by market.scs.stanford.edu (8.16.0.29/8.16.0.21) with ESMTP id wA37MKen049401; Sat, 3 Nov 2018 00:22:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=scs.stanford.edu; s=scs; t=1541229740; bh=U7vjEeEF922k0Sqn8IXaaeX3WLXqdsZ+yVQS7EuusaY=; h=From:To:Subject:In-Reply-To:References:Date:Message-ID: MIME-Version; b=g7/OTTjgaZmkYNx679i7ficS3+OSxMQF5nUUXhSXdgcv5/AYHmbsz6kll37qYGn41 Y3TrR1NOKCMK9KLlsYOx4z0PwMbUfoYLKbrb5gCmUnsB/xqvlRS4kP1Xp8HupwuxZF /29GtFhlftMtziJRM/DbTgo4MpClFXN2ITO0z3JQ=
Received: (from dm@localhost) by market.scs.stanford.edu (8.16.0.29/8.16.0.29/Submit) id wA37MKEX043594; Sat, 3 Nov 2018 00:22:20 -0700 (PDT)
From: David Mazieres <dm-list-ietf-ilc@scs.stanford.edu>
To: Piers Powlesland <pierspowlesland@gmail.com>
Cc: din@irtf.org
In-Reply-To: <CAFXacXnWJN8d8SutKEj0OyvUWKnp7EgnpX-bA8SBPcX=K-zsdQ@mail.gmail.com>
References: <CAFXacXm5U6VNEyQ3ienwgcGaAj1yQ1YVJNFT1eY9EMRsNFZ9hA@mail.gmail.com> <87va5fsexn.fsf@ta.scs.stanford.edu> <CAFXacXnWJN8d8SutKEj0OyvUWKnp7EgnpX-bA8SBPcX=K-zsdQ@mail.gmail.com>
Reply-To: David Mazieres expires 2019-01-31 PST <mazieres-upwjsxfjp64x9ptkyhebxjqata@temporary-address.scs.stanford.edu>
Date: Sat, 03 Nov 2018 00:22:19 -0700
Message-ID: <875zxezkus.fsf@ta.scs.stanford.edu>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/din/gbZKUco8UKs1yBNRdiSHDzJV_x4>
Subject: Re: [Din] draft-mazieres-dinrg-scp-04 (page 16) Potential improvement to balloting protocol, setting cCounter
X-BeenThere: din@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of distributed Internet Infrastructure approaches, aspects such as Service Federation, and underlying technologies" <din.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/din>, <mailto:din-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/din/>
List-Post: <mailto:din@irtf.org>
List-Help: <mailto:din-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/din>, <mailto:din-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 03 Nov 2018 07:22:23 -0000
Piers Powlesland <pierspowlesland@gmail.com> writes: > I have a few things I'm not clear on. > > I don't see that this statement is correct. > >>You mean transition to voting to commit nothing? (Though still >>vote-or-confirm (n,x) for 4 <= n <= 8.) > > So following the update steps for c, first the c will be set to NULL > and then the next step will be executed. > >> * If "c == NULL" and "hCounter == ballot.counter" (meaning >> "ballot" is confirmed prepared), then set "c" to "ballot". > > Resulting in the following node state. > > ballot = (8,x) > prepared = (8,x) > preparedPrime = (4,z) > cCounter = 8 > hCounter = 8 > > Which as described in the IETF document would I think means the node > now is voting to commit(8,x) ? Oh, yes, sorry. But importantly you are no longer voting to commit (5,x) and (6,x). >> * If "cCounter != 0": "vote commit(<n, ballot.value>)" for every "cCounter <= n <= hCounter" > > Also what is "vote-or-confirm" ? Sorry, another mistake on my part. I meant vote-or-accept. > I can imagine the following scenario that seems to be allowable via > the IETF update rules that would allow a node to illegally vote for a > range of ballots that the node has never set its ballot equal to. > > The node starts with the following state. It is currently voting to > commit(2,x) among other things. > > ballot =(2,x) > prepared =(2,x) > preparedPrime =(1,y) > cCounter =2 > hCounter =2 > > Now we see blocking threshold for accept prepare(8,x) > > ballot =(8,x) // ballot.counter was also updated by the blocking threshold. > prepared =(8,x) > preparedPrime =(1,y) > cCounter =2 > hCounter =8 > > Now we see quorum threshold for accept prepare(8,x) (we have confirmed > prepared (8,x) and h.value == b.value so we set hCounter to 8) > > ballot =(8,x) > prepared =(8,x) > preparedPrime =(1,y) > cCounter =2 > hCounter =8 Sorry, what's the difference between this and above? I'm assuming you meant hCounter=2 above, and hCounter=8 here. > So now we are voting to commit, 2...8 with value == x but ballot has > never been set to a ballot with counter 3...7 and value == x. Doesn't > this make it illegal to vote to commit (3,x)...(7,x)? No, that's okay. The thing we actually need to avoid is voting to abort and commit the same ballot b. In this case that's fine because you never voted to abort any of (3,x)...(7,x). The protocol could of course keep track of very vote you have ever cast to make sure this is okay. Instead, to keep the state small, it uses the trick that you reset c to 0 whenever the ballot might contain a new value, and then you have to set c to the current ballot number, because the (conservative) assumption is that if c == 0, then you might have voted to abort any ballot less than the current ballot. Does that make sense? Maybe some of this rationale needs to go into the document... David
- [Din] draft-mazieres-dinrg-scp-04 (page 16) Poten… Piers Powlesland
- Re: [Din] draft-mazieres-dinrg-scp-04 (page 16) P… David Mazieres
- Re: [Din] draft-mazieres-dinrg-scp-04 (page 16) P… Piers Powlesland
- Re: [Din] draft-mazieres-dinrg-scp-04 (page 16) P… David Mazieres
- Re: [Din] draft-mazieres-dinrg-scp-04 (page 16) P… Piers Powlesland
- Re: [Din] draft-mazieres-dinrg-scp-04 (page 16) P… David Mazieres
- Re: [Din] draft-mazieres-dinrg-scp-04 (page 16) P… Piers Powlesland