IETF Logo Mail Archive

Re: [Ilc] Clarifications and thoughts purpose of ILC list

David Mazieres <dm-list-ietf-ilc@scs.stanford.edu> Thu, 23 February 2017 19:25 UTC

Return-Path: <dm-list-ietf-ilc@scs.stanford.edu>
X-Original-To: ilc@ietfa.amsl.com
Delivered-To: ilc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E1F21296B4 for <ilc@ietfa.amsl.com>; Thu, 23 Feb 2017 11:25:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kkn8glCHz0NZ for <ilc@ietfa.amsl.com>; Thu, 23 Feb 2017 11:25:44 -0800 (PST)
Received: from market.scs.stanford.edu (www.scs.stanford.edu [IPv6:2001:470:806d:1::9]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 211FB129982 for <ilc@ietf.org>; Thu, 23 Feb 2017 11:25:44 -0800 (PST)
Received: from market.scs.stanford.edu (localhost [127.0.0.1]) by market.scs.stanford.edu (8.15.2/8.15.2) with ESMTP id v1NJPhxD015528; Thu, 23 Feb 2017 11:25:43 -0800 (PST)
Received: (from dm@localhost) by market.scs.stanford.edu (8.15.2/8.15.2/Submit) id v1NJPhxm036962; Thu, 23 Feb 2017 11:25:43 -0800 (PST)
From: David Mazieres <dm-list-ietf-ilc@scs.stanford.edu>
To: Tony Arcieri <bascule@gmail.com>
In-Reply-To: <CAHOTMV+_4E-Cf=7aKPiKpfT_dievyiABVMbkD=U81MJePttD4A@mail.gmail.com>
References: <87bmu194rx.fsf@ta.scs.stanford.edu> <CAHOTMV+qx_a44MNAaFN-M7YzA-rkmtRCRS_nNGeSibgNHUshrA@mail.gmail.com> <87poiaf5h5.fsf@ta.scs.stanford.edu> <CAHOTMV+_4E-Cf=7aKPiKpfT_dievyiABVMbkD=U81MJePttD4A@mail.gmail.com>
Date: Thu, 23 Feb 2017 11:25:43 -0800
Message-ID: <87ino0d808.fsf@ta.scs.stanford.edu>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/ilc/CIBcXCR1sIUXbyJxbZtBX-YewRA>
Cc: ilc@ietf.org
Subject: Re: [Ilc] Clarifications and thoughts purpose of ILC list
X-BeenThere: ilc@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: David Mazieres expires 2017-05-24 PDT <mazieres-esgdmdyb3ht2bf46xbpvnxe97n@temporary-address.scs.stanford.edu>
List-Id: "Discussion of mechanisms and applications for Internet-level consensus." <ilc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ilc>, <mailto:ilc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ilc/>
List-Post: <mailto:ilc@ietf.org>
List-Help: <mailto:ilc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ilc>, <mailto:ilc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Feb 2017 19:25:45 -0000

Tony Arcieri <bascule@gmail.com> writes:

> Like many things in this space, "Satoshi consensus" is an ill-defined
> buzzword. In part I think it means incorporating programs into the
> consensus decision, which seems like fairly novel and interesting work to
> me (and somewhat similar to e.g. Trillian's "personalities"). In this
> space, yes incorporating consensus programs into (P)BFT-like schemes such
> as Tendermint is interesting.

Okay, then by that definition, "Satoshi consensus" is only one possible
approach among several to realizing Internet-level consensus.

> However, above I was using it specifically to refer to the proof-of-work
> scheme for consensus. "CP" versus "AP" of course both assume "P", a
> property Bitcoin (and systems using a similar proof-of-work consensus
> model) do not have. Under a network partition in Bitcoin, the system will
> both make progress and be available for reading (where CP systems will fail
> closed if they can't reach a quorum). When the partition is healed,
> acknowledge writes are lost and data is clobbered. Systems which truly
> uphold "CP" or "AP" semantics do not clobber data this way.

I agree about CP, but not AP.  AP systems are not safe, and hence will
clobber data.

Perhaps CAP is not the best way to categorize these systems, though.  It
may be better just to assume an asynchronous communication model (which
subsumes temporary partitions as equivalent to slow nodes).  Then we can
just talk about safety (agreement + validity), liveness (termination),
and fault tolerance.

> This sort of split-brain behavior can be exploited by attackers who are
> able to arbitrarily create network partitions. Eclipse attacks are a common
> example.

Right, so basically you are saying any Internet-level consensus
mechanism should guarantee safety even in an asynchronous communication
model where you can't distinguish slow from failed nodes.  I agree,
personally.  However, reasonable people might push for greater
availability.  It would be interesting to see if list members have
"rough consensus" (non-technical meaning) on this point, or
alternatively if makes sense to layer a less safe but more available
"short-term" system on top of one that guarantees safety for long-term
events (e.g., for certificates issued over a week ago).  We may want to
revisit this question down the line after discussing more applications.

David

v2.23.0 | Report a Bug | By Email