Evicting vaults - brainstorm


#1

Should eviction of vaults be part of the design of the network? I’m not sure but hopefully a discussion can shed some light. I’m leaning towards ‘no’ but there are definitely some good arguments for having evictions.

Random Eviction

Something like every hundredth block one vault in the section is randomly killed. This prevents very old age which is both a pro and a con.

The positive side is an attacker cannot simply wait until their vaults outlive other vaults and are coincidentally colocated in the same section. They must achieve that goal within the cycle of eviction.

The negative side is there’s value in knowing the history of old vaults vs new vaults, and accumulated work is important for the operation and security of the network so it’s a shame to throw that away for ‘no reason’ via random eviction. Is there an upper limit to the value of knowing which vaults are old? Is it ok to discard that information eventually?

Overall it seems like a good idea to me since it prevents an entrenched early participant becoming dominant.

It replaces a linear history of age with a cyclical history of age, giving everyone a fair go over the course of the cycle. I think a short cycle (ie frequent evictions) is not a good idea, but a long cycle probably doesn’t hurt.

It also allows operators to evaluate the viability of their hardware at the time their vault is killed and should encourage an earlier update cycle than would happen if vaults live indefinitely.

Performance Eviction

If a vault is consistently underperforming it may be voted for eviction by other vaults in the section. This may be balanced by penalties to premature voters to prevent unfair culling. It may be restricted to ‘times of plenty’ when losing a vault won’t cause harm to the section.

This may allow sections to detect collusion by analysing the votes being cast since similar-but-unfair voting will raise eyebrows.

But the bad side is this may also allow an existing bias to be reinforced because a participant with more votes can more likely retain their power in the section. If a single operator’s vaults are not concentrated in a single section this effect should not be significant.

This allows some interesting game theory depending on the voting mechanism installed. It becomes a Keynesian Beauty Contest where beauty is performance. Since performance will vary for every related vault depending on their geographical distribution (especially for latency), relative cpu power, relative bandwidth etc there is no objective single ‘most beautiful’ vault in the section.

No Eviction

Alternatively, and I think preferably, the farm rate / safecoin design alone may be enough to eventually make low performance vaults nonviable and thus eventually removed from the network by their operators. My concern is, can this be done without leading to a race-to-the-top and consequent centralising effects?

Are there other eviction techniques? Does it seem like a good idea or not?


The devil's advocate
#2

I thought bad nodes were being evicted (removed from section and ignored thereafter)

100th block seems too severe. That is 100MB if all blocks are 1MB chunks.

What about Archive nodes? Even if not specifically designed in they will still exist, and due to them always being online they will end up with little-read chunks I would think.

But every 100th block, do you mean in the datachain? and not stored block (chunk, message, whatever)

I would think perhaps halving of age if old enough and if baby then evict.

I would have thought that as sections grow and split then all nodes eventually will become adults/elders assuming they behave.

I have not thought long enough about this to give a qualitative opinion on this though. As you say it has good points and has bad points.

This is what I expected to be happening anyhow

There has to be some

Reasons yes - bad nodes not responding to the protocol correctly; this may be caused by

  • vault on really old version
  • baddie vault
  • faulty hardware that the vault is running on
  • crap o/s and/or network protocol stack.

#3

Very interesting idea. With the schemes built up to now, the security of the network is based on two pillars, generating disorder (entropy) via randomness (churn + relocation) and a reputation system via node ageing. This system would add more disorder, which would increase security, although it would reduce the impact of the reputation system.
I like it, especially, because it can possibly be very effective against long-term targeted attacks that, in my opinion, are the most dangerous.

As with everything, we would have to analyse the cost it would have for the network.

Another unexplored way to increase security would be to take advantage of the secure message passing. The neighbouring sections, which are responsible for relaying the messages, could act as a filter against inappropriate behaviour in a system in which each section controls all its neighbours. It seems to me a possibility that is worth exploring.

Although as a first step, it remains to clearly define the system of punishments within a section.


#4

(we should have a title word in these posts like brainstorm, to allow anyone to shoot the breeze and actually think out loud with no repercussions or later quoted as XX said YY so it’s the law :smiley: :smiley: )

It is interesting but would probably be equally interesting to look at earnings, so say after X (10) safecoins farmed then relocate a vault (with 50% age).

I am not sure killing older vaults is smart, but I do see the reasoning, i.e. more entropy. However, as a vault reboots, its age will halve. So the issue could be bad actors with huge uptime, much longer than a home user would expect.

Interesting thoughts @mav @digipl I think this is one (again) to keep simmering. Another one is to relocate more on age balance as well as network balance. So if there is a large age gap, then try and fill that to force older nodes to spread across the network and not congregate in one section.

I am not sure though, feels like older vaults should have more trust. With node age we still look for a quorum of the number of nodes (50%) and age (>50%) which we can play with as this has not been finalised. So what I mean is that a couple of older nodes on their own cannot take over a section, you do still need numbers.


#5

I like the brainstorming (and the encouraging of it).

This proposal, it seems to me, would only negate effects of node aging, for a net total of 0 security increase. The reason I believe so is that the security is also based on the actual honest elders, and if they are removed at the same rate, we achieve no net positive effect.

At least that is my first impression from reading this.


#6

I think that’s the intention, but as yet does not exist to my knowledge. And actually this is a pretty tough problem… deciding who to punish and to evict them as a group is quite different to individually ignoring a vault that appears misbehaving just to yourself.

The number is just an example. I mean to say ‘after X time’ where time is measured in datachain blocks and is presumably a very long time. Don’t want to evict often, maybe vaults are evicted on average after two years?

This is a good question, and since archive nodes are still just an idea with very little info behind them I might expand a little on my own ideas for that.

I think archive nodes (or any ‘class’ system for nodes, including the ageing classes) is not going to be that great. Balancing rewards and trust and cooperation is quite hard, and more complex reward structures become harder to predict and guide desired behaviours. If the behaviour deviates and requires intervention it can bring the decentralisation and governance of the project into pretty serious doubt. Not to say it must be perfect to start with but having a good basis to start from is important.

My feeling with archive nodes is there will be nodes that choose to operate on a very aggressive policy for caching, to the point that they are virtually all cache and almost no vault. These will become de facto ‘the archive nodes’ without requiring any explicit designation since they can restart in any section and not require any initial transfer, they’ll just have what they need immediately. Instant restart, instant relocation, instant merge. The phrase I use to think of this concept is ‘opportunistic caching’. imo the power and importance of cache has been seriously misunderstood and underappreciated. Mutable data adds a lot of complexity but the power behind the opportunistic cache idea is still there. The idea that vaults only store their section/close data is (to me) a ‘basic’ idea and the real power comes from the cache. This is of course a choice for the operator but one that I think will be taken avidly (similar to why people choose to seed torrents).

Yes, the type and magnitude of punishments is important. Eviction vs age penalty is a very good idea to ponder. Could even treat eviction as simply ‘reduce age by infinite’ so all punishments are done ‘using the same dial’.

But how does the section agree on ‘underperforming’? It’s not enough for me to personally ignore/evict since then the consensus of elders / section members is inconsistent in the section. I may choose to ignore 7 elders because my connection to them is faulty, but do I use that personal info to elect for all 7 to be evicted? Group agreement for eviction is quite a lot more complex than individually ignoring.

Maybe not. Maybe there is never a need for a mechanism to agree on removing a vault. Maybe it’s a matter of waiting for relocation and seeing if it’s too slow (due to insufficient bandwidth to get new section data) which leads to a ‘natural’ dropping out; but this is not eviction. Sections have to wait for relocation before a slow vault is booted off the network, but I consider this different to eviction. Eviction is group agreement and coordinated action to remove a node.

Agreed. What actions are punishable and what is the punishment? Tough to decide. I think much tougher than the rewards and incentives aspect. But also probably much more powerful if used correctly. (Some unfortunate broader reflection of a pessimistic reality here perhaps?!)

Agreed.

I think there is a point where a node of age eg 200 is not twice as trustworthy as a node of age 100. But a node of age eg 10 is twice as trustworthy as one aged 5.

Maybe it doesn’t warrant cutting that vault back to age 0 by random eviction but I think there is some value in allowing newer participants a chance to overcome entrenched elders by cutting the oldest back a bit (randomly or whatever).


This post came out of a period of broader consideration so maybe it’s worth adding those thoughts…

I feel the existing proposal for safecoin mechanism is completely undefined. In part this is due to rfc-0012 relying on sacrificial chunks which no longer exist. But the undefined-ness relates more to the need or desire to measure spare capacity and use that as a dial for rewards. There is no specification of punishments which is a large and important question-mark.

To my mind there is no reliable way to measure spare resources and quantifying or rewarding spare resources is an undesirable path to pursue.

This got me to considering the idea of voting to determine the difficulty of farming. If correctly designed (eg there’s a cost to voting) then it could be an interesting feedback mechanism for controlling the farm rate. For an interesting similar mechanism see how the Monero Dynamic Blocksize works - they can change the blocksize but it reduces their mining reward so they only do it if they think it’s worth it.

There are some obvious disadvantages to voting but the idea of penalties and / or voting is quite compelling, especially if the design has strong game theory behind it. Overall I’m not in favour of voting and hence started this topic to explore the idea a bit more (albeit within a simpler / different context than farming).
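Two mechanics in this thread are concrete enough to model: the quorum rule from post #4 (a vote needs a majority of the section's nodes and a majority of its total age, so a couple of old nodes cannot take over on their own) and the single punishment dial from post #6 (every penalty is "reduce age by N", with eviction as "reduce by infinite"), together with the age halving on restart mentioned in posts #4 and #20. The following is an added toy model, not code from the SAFE Network project; the thresholds (strictly more than 50% on both count and age), the integer ages and the function names are assumptions made for illustration.

```python
"""Toy model of a section: node ages, age halving on restart, a single
punishment dial, and the count-plus-age quorum rule.  Added illustration,
not project code; thresholds and integer ages are assumptions."""
import math

# A section is modelled as {vault_name: age}.  Ages are non-negative integers.


def relocate(section, name):
    """Restart / relocation halves the vault's age (posts #4 and #20).
    Integer halving is an assumption of this toy model."""
    section[name] = section[name] // 2
    return section[name]


def punish(section, name, amount):
    """One dial for every punishment (post #6): subtract `amount` from age.
    `math.inf` means eviction, i.e. the vault leaves the section entirely.
    Finite penalties floor at age 0 rather than removing the vault."""
    if amount == math.inf:
        del section[name]
        return None
    section[name] = max(0, section[name] - amount)
    return section[name]


def has_quorum(section, voters, count_threshold=0.5, age_threshold=0.5):
    """Quorum as sketched in post #4: the voters must be strictly more than
    `count_threshold` of the members AND hold strictly more than
    `age_threshold` of the section's total age.  Unknown names are ignored."""
    members = set(section)
    voters = set(voters) & members
    if not members:
        return False
    total_age = sum(section[n] for n in members)
    count_ok = len(voters) / len(members) > count_threshold
    age_ok = total_age > 0 and sum(section[n] for n in voters) / total_age > age_threshold
    return count_ok and age_ok


def demo():
    """Constructed sample section: two very old vaults and six young ones.
    Returns the quorum outcomes for three candidate voting groups."""
    section = {"old1": 100, "old2": 100}
    section.update({f"young{i}": 5 for i in range(6)})
    young = [n for n in section if n.startswith("young")]
    return {
        # 2 of 8 nodes: overwhelming age share, but not a majority by count.
        "old_alone": has_quorum(section, ["old1", "old2"]),
        # 5 of 8 nodes: majority by count, but only 25 of 230 age.
        "young_alone": has_quorum(section, young[:5]),
        # 5 of 8 nodes including both elders: passes on both axes.
        "mixed": has_quorum(section, ["old1", "old2"] + young[:3]),
    }


if __name__ == "__main__":
    print(demo())  # old_alone False, young_alone False, mixed True
    s = {"old1": 100, "old2": 100, "y0": 5, "y1": 5}
    print(relocate(s, "old1"))        # 50
    print(punish(s, "old2", math.inf))  # None: old2 is gone
    print(s)
```

The point the model makes visible is the interaction of the two rules: age alone never carries a vote, and count alone never carries a vote, so entrenched elders and a flood of fresh nodes are each insufficient on their own. Because eviction is just `punish(..., math.inf)`, any "reduce age" policy discussed in the thread (halving, fixed penalties, reset to zero) fits the same call.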


#7

I would favour a gentle going into the good night as a function of age, to eliminate the possibility of immortal nodes.

I’m wary of trying to reason the justification for this because I think it is something we don’t really understand and will find it hard to model - in both cases because humans are generally good at situational and short term thinking, but not so good at thinking about time, particularly when it comes to long term stuff. In part because it is a hard problem, and in part because we all die and don’t get much practice at thinking over time spans longer than our own span of capability.

The above is my main reason for supporting such a mechanism: I look to nature, and everywhere I see it taking the wise, the stupid, the best and the worst of every individual, in every species, and turning them to dust, partly at random but inevitably after a pretty clear cut off period. I don’t think humans understand why, or the consequences of changing this for the reasons already cited.

I trust what I see as nature’s wisdom more than any argument I could make. I will just say that I can see node mortality might well be a way of eliminating over centralisation with all the dangers that brings.

By analogy, I suggest that humans have been stretching the boundaries of nature’s scheme by having achieved a kind of cultural immortality which has allowed us to over centralise the earth’s ecosystem, and right now that’s looking like a failure of nature - at least of evolution, which it will correct in the usual way: collapse and start again. Still, better to avoid that if we can, including with SAFEnetwork :slight_smile:

In fact, SAFEnetwork is one of the things which might help us avoid this larger threat.


#8

Really interesting ideas here. I guess the question comes down to cost benefit of randomly (and unjustly) getting rid of an elder who is performing well vs the chance of randomly getting rid of a bad guy. Since the consensus algorithm demands no more than 1/3 bad nodes, and in reality there could be a lot less, it seems somewhat cannibalistic. Is a) one extra bad node and 4 extra good nodes better than b) one less bad node and four less good nodes? Considering scale up needs I think a) yields a stronger network.

On the other hand, the same effect might be had by decreasing the tolerance as nodes age. For example, if a young node makes a few mistakes, they could be forgiven and just demoted a little. One mistake from an elder after a certain age and they’re sent back to a node age of zero.

Edit: other aspects discussed in the thread are also important. The direct application of cyclical node age rather than adding random chaos to achieve the goal may meet @mav’s objectives/concerns more readily. In other words, a node is born at age zero, matures to be an elder, and then has its voting role diminished back to zero in a vague resemblance to presumed senility and programmed cell death. Farming rates would also be affected, so that a really old node might earn the same rate as a juvenile (because their node age would be the same). Once the node gets back to a node age of zero it starts increasing again… And so on.
If you wanted, you could have a cycle counter so that nodes who have already lived through 3 or 4 cycles without committing any errors will get a farming rate bonus based on how many lives they’ve lived. Yes, instead of having really old immortal nodes, this is analogous to nodal reincarnation :wink:


#9

All unnecessary work should be left out. In my opinion already the constant relocation of nodes is wasteful and should be re-thought. Cyclical age would be even more drastic a solution just to force some artificial tying of a loose end.


#10

In what sense do you mean ‘artificial’? I can imagine attacks which rely on the longevity of vaults, so this is not wasteful, but a cost of security.


#11

If you cannot use the information of good reputation to further make the network function more efficiently/securely you are doing something wrong.

If an attack costs years of behaving well to succeed it is quite a lot more expensive to pull off than just flooding the network with enough nodes momentarily until consensus breaks down.


#12

If this isn’t a completely dumb idea, then maybe it can have its own thread … I had a quick look and didn’t see anything, but maybe it’s already in the plans …

So what about a variable farming rate where senior trusted nodes earn more. Essentially increase the startup costs for bad actors and as they get older to where they can commit fraud and they get the boot they have to start over again at the lower rate. So basically hit the baddies in the pocketbook. For the honest players they do have higher startup, but so long as they play nice they get the full farming amount in the end.


#13

This isn’t really helping. If you can see a flaw, it would help to explain it. If you can see a solution, ditto.

Reputation is not a solution to all attacks because it can be bought. For example, to an established farmer suppose the earnings for farming level out and are no longer lucrative enough and the farmer wants out. For somebody wanting to get into farming quickly, the value of those same nodes might be more.

This creates a potential market in nodes, and where there’s potential for trading I think we should expect it to be facilitated somehow (certainly we should not assume it won’t happen when considering risk). So, given a market for nodes may exist, an attacker can in theory acquire reputable nodes and perhaps get enough to mount an attack. Reputation alone can’t mitigate this. But having nodes terminate after a lifetime creates a cost which increases the more nodes you control.

I’m not saying this is the best solution to the issue. As I noted in my first reply, I don’t think it is hard to reason about dynamics, so we should be cautious. So I give this example not to justify anything or to open up a discussion about it, but to point out that it wasn’t hard for me to think of an attack on a system that relies solely on reputation, and for which terminating nodes might be a useful security measure.


#14

Maybe we can introduce random “Humility periods” in which some elder nodes temporarily lose their voting rights. There will be attackers of many ages. Collusion among several real world entities is possible but it’s more likely one alone will coordinate a large attack. Either way random muting of their reputable nodes introduces greater complexity into their attack.

One idea would be to wait until group size has risen beyond a certain point. Possibly 13. At such a time the “Humility” protocol kicks in. A young, middle aged, and old elder is chosen for a temporary period of silence or just observation. Some or all of their power is stripped away for a few cycles. No need to reduce age or relocate. Make sense?

Random periods of STFU is what we need IMHO. :wink:

How it’s implemented might turn the tide soldiers. :beers:


#15

Being nitpicky here (and missing your point :slight_smile: ), but wouldn’t it be rather that age 6 is twice as trustworthy as age 5?
Back to the point though:
I think what you suggest is that there’s a possibility that the correlation between reliability (work*time) and trustworthiness, is not linear, that perhaps at some point the level of trustworthiness is so high that there is no meaning in differentiating anymore. After a certain point, there are no more things to do that would require higher trust. It can already all be done by age x.

Perhaps so. Unless some things (important network regulating things) are made a function of age. Then we will always give higher weight to higher reliability. And then it makes sense to always regard n+1 > n. Why arbitrarily disregard some value above x? On what basis do we choose x?

Moreover, the granularity of the node age rapidly tapers off (which in effect gives a bit of the same effect I think, on the higher numbers the actual time age can be widely different), and we won’t see passing of certain numbers in our lifetimes.


#16

I agree a lot with the things you say in this post.

I must admit that I am not always so enthusiastic about referring to things being natural (present in nature, as if nature was something else than us humans) as a good argument for how SAFENetwork should work - or anything for that matter. Humans are as much nature as anything else and we as well as other parts of nature have caused pain, suffering, destruction, with no higher meaning than that it was how things unfolded.

But along with node age, I do think there’s great potential for a very “natural” thing such as node death, to actually have profound value.


#17

I agree with @mav

The duration of a node’s presence in a section should be unpredictable regardless of age. Especially as nodes get older since they move less often.

IDEA: Random section swapping of elder nodes.

Decision making nodes needn’t also be storage nodes. This eliminates the burden of relocating data chunks while increasing uncertainty.

Regularly swap network elder node positions to retain the unpredictability of control for each section.


#18

I agree entirely with your point that humans are part of nature, but that doesn’t go to the issue.

My point (which I think you may be agreeing with) is that the ‘wisdom’ I refer to may be better suited, more likely to point to solutions, to this kind of problem. The reason being that unlike much more recently developed human problem solving, which is tuned to much shorter spans of time, that ‘wisdom’ is based on the broadest and deepest empirical design that we know. It has been tuned through rigorous testing and refinement to handle tough, dynamic problems over mind boggling spans of time. Meanwhile our genotypical thinking machinery was evolved for short term (lifetime) problems. Even our multiple lifetime cultural thinking processes have only been tuned over only thousands of lifetimes.

I’m not saying humans are incapable of finding better solutions, maybe we can. We are pretty amazing, but I think we can overestimate our abilities (if you have a hammer every problem looks like a nail) and underestimate the wisdom embodied in ‘natural’, much bigger, much much longer time span design of which we are just a brief part.

That’s the distinction I’m making, not that humans are apart from and therefore inferior to nature, as if I hold nature in a magical esteem. I think we don’t understand the nature [ahem] of this ‘big’ design process or the reasons why all the life on this planet has a short and finite lifespan. Figuring that one out could be worth a Nobel prize. :wink:


#19

Can’t this be avoided by design? Imagine when a vault is created it has to publish/provide some mining address (or some public key) which can’t be changed ever. This way nobody would be able to sell a vault because the buyer would have to use the same private keys as the previous owner. And the buyer can’t trust the seller that he will not use his old private keys to steal from the new owner. Of course I don’t know how mining is planned to be implemented so I don’t know if my idea is technically possible. But if yes, then a secondary market with vaults would never happen.

Edit: Any technique which allows the old owner to destroy his vault after selling it to a new owner would kill the secondary market.


#20

The vault’s public key will be where safecoin is sent. So if an owner sells his key then he also loses the safecoin that could be earned. Also (and quite important), the vault would restart - therefore be relocated on startup to a new section with 50% age and a new public key.