Bilateral Transfer Protocol
Bilateral Transfer Protocol 2.0 (BTP/2.0)
Preface
This document describes version 2.0 of the Bilateral Transfer Protocol (BTP), a request/response protocol for bilateral WebSocket links between Interledger connectors.
Introduction
Motivation
When two Interledger connectors send ILPv4 packets over HTTP POST, they each need to act as an HTTP server at times. If one of the connectors runs behind a firewall, this may be impossible. Therefore, BTP uses WebSockets instead of HTTP. With WebSockets, only one of the connectors needs to be publicly addressable.
However, WebSockets don't provide a mechanism for relating responses to requests. BTP adds this missing request/response layer, between WebSockets and the request/response pairs exchanged by the connectors.
Scope
This document describes the flow and data format that BTP uses, but not sub-protocols. Sub-protocols include optional functionality like ledger metadata, balance, automated settlement, and dispute resolution. Some protocols are documented on the wiki page. They are carried in the protocol data of BTP packets.
The BTP packet format is described exactly in the BTP ASN.1 spec.
Terminology
BTP is the bilateral transfer protocol, as described by this document and the ASN.1 spec.
A Sub-Protocol is a protocol which isn't defined by BTP and is carried in the protocol data (see below). The first one is the primary sub-protocol, subsequent entries are secondary sub-protocols.
A BTP Connection is a websocket connection over which BTP packets are sent. Websockets (as opposed to raw TLS sockets) are used because they provide message framing and can be used from the browser.
BTP Packets are the protocol data units described in this document. They are formally defined in the BTP ASN.1 spec.
Peers are the parties on a BTP connection. Your peer is the party on the other side of the BTP connection.
The Bilateral Ledger is the ledger which the peers on a BTP connection are keeping track of. When a peer keeping Authoritative State receives a BTP packet, they process it and adjust their copy of the bilateral ledger. The bilateral ledger is not to be confused with the Underlying Ledger.
Authoritative State is the authoritative view of the Bilateral Ledger's state, maintained by one or both of the peers. Because both peers on a BTP connection can keep authoritative state, they can get into dispute if they disagree on the state of a transfer. This usually happens when network latency causes the peers to disagree about expiries. If one party keeps authoritative state, the other party must trust them not to tamper with it.
A request is In-Flight if the request has been sent out, but no response has been received yet.
Overview
BTP is broken up into one different RPC requests, which can get two different
responses. The following is a common BTP packet structure, though some types
don't have Packet Specific Data section:
+---------------+
1 | Type (1) |
+---------------+
1 | Request ID |
2 | (2) |
3 | |
4 | |
+---------------+
1 | Length Prefix |
2 | (3) |
+---------------+
| Packet- |
| Specific |
| Data |
. (4) |
. |
. |
| |
+---------------+
1 | Sub-Protocol |
2 | Count (5) |
+---------------+
| Sub-Protocol |
| Data |
. (6) |
. |
. |
| |
+---------------+
Type: A 1-byte value describing what type of BTP packet this is. The values are described below, in BTP Type IDs.
Request ID: A random 4-byte value used to correlate requests and responses. This value MAY be sequential instead of random, but care must be taken so that duplicate IDs are never in-flight at the same time.
Length Prefix: A 1-byte (if under 128) or 2-byte value, containing the combined length of the packet-specific data and protocol data sections.
Packet-Specific Data: Fields specific to the type of BTP packet. Variable length. Some types don't have this section. See ASN.1 definitions for details.
Sub-Protocol Count: Variable-length integer containing the number of sub-protocols carried by this packet.
Sub-Protocol Data: A list of protocols, containing a string (the protocol's name), a 1-byte flag (containing the MIME type), and a length-prefixed octet string (containing the protocol's data). Exact description is below in Sub-Protocol Data Format.
BTP Type IDs
| ID | Type | Request/Response |
|---|---|---|
| 1 | Response |
Response |
| 2 | Error |
Response |
| 3 | (not used) | |
| 4 | (not used) | |
| 5 | (not used) | |
| 6 | Message |
Request |
| 7 | Transfer |
Request |
Sub-Protocol Data Format
ContentType ::= INTEGER {
applicationOctetString (0),
textPlainUtf8 (1),
applicationJson (2)
} (0..255)
ProtocolData ::= SEQUENCE OF SEQUENCE {
protocolName IA5String,
contentType ContentType,
data OCTET STRING
}
Authentication
Before anything else, when a client connects to a server, it sends a special
Message request. Its primary protocolData entry MUST have name 'auth',
content type MIME_APPLICATION_OCTET_STREAM,
and empty data, and among the secondary entries, there MUST be a UTF-8
'auth_token' entry. The further secondary
protocol data entries of this Message request MAY also be used to send
additional information to the server. In situations where no authentication
is needed, the 'auth_token' data can be set to the
empty string, but it cannot be omitted.
If the client sends any BTP call that is not a Message, or sends a Message call
whose primary sub-protocol is not auth, the server should respond with an Error
and close the connection.
The server responds with a Response or Error as appropriate. Again, the
protocolData field there MAY be used to send additional information to
the client. To be clear, the server responds with an Error if:
- any other packet is sent before the auth data
- the provided authentication data is invalid or incorrect
- any of the other protocol rules are violated (e.g. having two subprotos with the same name)
- it takes too long before the authentication data is sent.
If the server sent an Error, it subsequently closes the connection.
If the server sent a Response, the BTP connection is open, until either
one of the parties closes it. At the BTP level, the client and server play
identical roles.
If the client does not send an Auth packet within a reasonable time, the
server optionally sends a Message informing the client that the authentication timed out,
and then closes the connection. If the client did send an Auth packet, but
got neither a Response nor an Error back from the server, the client
closes the connection.
If the connection is ever dropped and reconnected then it must be re-authenticated.
Sub-protocols
In order to understand the different BTP calls, it is necessary to distinguish between the first ("primary") and subsequent ("secondary") sub-protocol entries. The primary sub-protocol entry defines what type of action or information is requested of the recipient of the message. The secondary sub-protocols should not request additional actions or information. If multiple actions or pieces of information are required, multiple separate Messages should be sent. The secondary sub-protocols should only modify the request made in the primary sub-protocol, or provide additional contextual data which can be consumed in a readonly way (without affecting the result).
For example, the primary sub-protocol entry of a Message might represent a quote request, while one additional secondary sub-protocol entry may be present, indicating this request was forwarded by a proxy.
Likewise, only the primary sub-protocol data in a Response indicates whether result of the request from the Message being responded to actually succeeded or not.
In Error calls, the distinction between primary and secondary sub-protocol entries is less strict.
Flow
BTP uses a simple RPC flow. A request-type BTP packet is sent, and a
response-type BTP packet is sent in response with the same request ID. The
request types are Message and Transfer, and the
response types are Response and Error.
Because it would be too slow to atomically save all requestIds that are processed, they are not idempotent. It is the responsibility of the requestor to make sure they don't duplicate requestIds. The implementation should ensure that no two in-flight requests are sent out with the same requestId. The responder should always send back a response to a request with the same requestId.
There are also a couple of tricky cases to handle:
- If an unexpected BTP packet is received, no response should be sent. An unexpected BTP packet is a response for which a request was not sent, or a response for a request which has already been responded to.
- If an unreadable BTP packet is received, no response should be sent. An unreadable BTP packet is one which is structurally invalid, i.e. terminates before length prefixes dictate or contains illegal characters.
These behaviors are important for preventing accidental feedback loops. If an unexpected packet triggered an error, that error may be unexpected to the sender. The sender would reply with another unexpected error, causing an infinite loop. Unreadable packets must be ignored too. If an application got onto a BTP connection and spoke the wrong protocol, it would trigger an error from BTP. This might trigger an error from the application, and it would devolve into another infinite loop.
Message
Message ::= SEQUENCE {
protocolData ProtocolData
}
Message is used for sending information to the peer. It contains no
packet-specific data, only protocol data. ILP packets are attached under the
protocol name ilp with content-type application/octet-stream.
Responseis returned if the peer acknowledges theMessage. If the peer has data to send in reply (e.g. a quote response), it is carried in the protocol data.Erroris returned if the peer is not able to process theMessage, or there was an unexpected error and furtherMessages should not be sent. This does not include ILP errors such as "No quote found", only the cases in which theMessagecannot be sent/processed at all.
Error
Error ::= SEQUENCE {
-- Standardized error code
code IA5String (SIZE (3)),
-- Corresponding error code
name IA5String,
-- Time of emission
triggeredAt GeneralizedTime,
-- Additional data
data OCTET STRING (SIZE (0..8192)),
--
protocolData ProtocolData
}
Error is a response-type message, returned when an error occurs on the BTP
level. It has packet-specific data which resembles the ILP Error
format,
but irrelevant fields have been taken off and new error codes have been
written:
Error Codes
Errors marked with a T are temporary, and can be retried after a short
(1-60s) wait. If a retry fails again with a temporary error, a BTP client
SHOULD wait longer before trying again. Errors marked with F are final, and
the same request MUST NOT be retried.
| Code | Name | Description |
|---|---|---|
| T00 | UnreachableError | Temporary error, indicating that the connector cannot process this request at the moment. Try again later. |
| F00 | NotAcceptedError | Data were symantically invalid. |
| F01 | InvalidFieldsError | At least one field contained structurally invalid data, e.g. timestamp full of garbage characters. |
| F03 | TransferNotFoundError | The transferId included in the packet does not reference an existing transfer. |
| F04 | InvalidFulfillmentError | The fulfillment included in the packet does not match the transfer's condition. |
| F05 | DuplicateIdError | The transferId and method match a previous request, but other data do not. |
| F06 | AlreadyRolledBackError | The transfer cannot be fulfilled because it has already been rejected or expired. |
| F07 | AlreadyFulfilledError | The transfer cannot be rejected because it has already been fulfilled. |
| F08 | InsufficientBalanceError | The transfer cannot be prepared because there is not enough available liquidity. |
Transfer
Transfer ::= SEQUENCE {
amount UInt64,
--
protocolData ProtocolData
}
Transfer is used to send proof of payment, payment channel claims, or other
settlement information to the other connector.
The amount should indicate the additional value of this settlement state (compared to the
previous settlement state), in a unit that was agreed out-of-band.
Responseis returned if the peer acknowledges theTransfer. This means the transfer is now completed and has been applied to the balance. If aResponsehas been returned, balances MUST have been updated.Erroris returned if the peer does not accept the transfer. This could be because some protocol data are malformed, or because the peer believes that the sender's balance is insufficient. If anErrorhas been returned, the peer MUST NOT have updated their balance.