add decision tree for outdated commitments

ACINQ · Oct 14, 2021 · 3995135 · 3995135
1 parent 66aa1db
commit 3995135
Showing 1 changed file with 15 additions and 1 deletion.
diff --git a/docs/Advanced.md b/docs/Advanced.md
@@ -12,7 +12,21 @@ The default behavior, when our peer tells us (proves to us) that our channel com
 
 It may happen that due to a misconfiguration, the node was accidentally restarted using e.g. an old backup, and the data wasn't really lost. In that case, simply fixing the configuration and restarting eclair would prevent a mass force-close of channels.
 
-This is why an alternative behavior is to simply log an error and stop the node. However, because our peer may be lying when it tells us that our channel commitment data is outdated, there is a 10 min window after restart when this strategy applies. After that, the node reverts to the default strategy. 
+This is why an alternative behavior is to simply log an error and stop the node. However, because our peer may be lying when it tells us that our channel commitment data is outdated, there is a 10 min window after restart when this strategy applies. After that, the node reverts to the default strategy.
+
+During the 10 min window, the operator should closely monitor the node and assess, if the peer stops, whether this is really a case of using outdated data, or a peer is just lying. If it turns out that the data is really outdated due to a misconfiguration, the operator has an opportunity to fix it and restart the node. If the data is really outdated because it was simply lost, then the operator should change the strategy to the default and restart the node: this will cause the force close of outdated channels, but there no way to avoid that.
+
+Here is a decision tree:
+```
+if (node stops after restart)
+  if (false positive)
+    configure eclair to use default strategy and restart node (will force close channels to malicious peers)
+  else
+    if (more up-to-date data available)
+      configure eclair to point to proper database and restart node
+    else
+      configure eclair to use default strategy and restart node (will force close all outdated channels)
+```
 
 The alternate strategy can be configured by setting `eclair.outdated-commitment-strategy=stop`  (see [`reference.conf`](https://github.com/ACINQ/eclair/blob/master/eclair-core/src/main/resources/reference.conf)).