Let me see if I can still comment on the original VatTP design.
The design document is available at:
<
http://www.erights.org/elib/distrib/vattp/DataComm_startup.html>.
Note that in this document, "Crossed Hellos" are called "Crossed Connections".
The most important reason for only allowing 1 connection between
vats is ensuring that messages between two objects, one on each
vat, arrive in the order they were sent.
Note that the E comm system did not allow vat C to relay
messages between vats A and B. This avoids the traffic analysis
attack that C could perform.
On 2/10/21 at 10:54 AM,
cwe...@dustycloud.org (Christopher
Lemmer Webber) wrote:
>heHELLOllo,
>
>Today I'm thinking about the "crossed hellos" problem, I guess also
>called the "crossed wires" problem in the original VatTP literature, but
>MarkM and Dean Tribble on a recent call suggested a preference for
>"crossed hellos" and that makes sense to me in a way that "crossed
>wires" did not quite as clearly.
>
>Let's see if I can lay out the problem appropriately:
>
>A combination CapTP/VatTP type system prefers to reuse bidirectional
>connections between two vats/machines for two reasons: (1) to reduce
>superfluous connections and (2) to provide shortening (which is extra
>important for eq?-like identity checks).
>
>However, if Machine A and Machine B would both like to start
>connections to each other, and begin reaching out at the same time, we
>have a race condition: should we choose the session that Machine A
>initiates, or the session that Machine B initiates?
This is the Crossed Connection/Crossed Hellos situation.
>In a sense then, we really are looking at a case of the Two Generals
>Problem, which shows we're already in a tough spot. Yikes!
I don't think the two generals problem applies here. The
protocol discovers that the situation is about to occur and
takes steps to avoid it.
>My understanding of what VatTP did is something like the following: both
>sides share the potential sessions to choose amongst they currently
>*believe* they have open from their side. Both sides select a viable
>subset between what both sides have shared... and then some arbitrary
>choice is made, probably by some comparison with lowest ordered by
>byte-comparison. This was based on identity of the vats in original
>VatTP I think, and I was thinking maybe comparison of session ids in the
>same way. There may be an advantage by comparing by session ids as they
>currently exist in OCapN vs the vat-identity in Pluribus, which is that
>an extra step where the lower-identity-vat "explicitly chose" made sense
>since we were selecting based on identity of some operator... so the
>operator must "say and select". But if we can compare based on identity
>of session, both sides should be able to deterministically select the
>same choice anyway from the subset.
I don't really understand what this paragraph is saying.
Both sides of the negotiation use their respective VatIDs to
decide which vat will make the decision. Since the VatIDs, being
the hashes of the respective public keys, can be interpreted as
bit strings, a simple comparison decides which is greater, both
sides will get the same answer, and the larger VatID gets to
make the decision.
>Something feels unsettling about this solution but I can't fully model
>in my mind whether there's a further problem or not. But maybe it's
>good enough.
>
>Thoughts? Is this a good summary of the problem? Did I capture the
>solution as VatTP did it right as well?
>
>- Chris
>
-------------------------------------------------------------------------
Bill Frantz | When it comes to the world | Periwinkle
(408)348-7900 | around us, is there any choice | 150
Rivermead Rd #235
www.pwpconsult.com | but to explore? - Lisa Randall |
Peterborough, NH 03458