[avalanche] Limit the size of the orphan proof pool
Summary:
This patch limits the peer manager's orphan proof tracking since orphans are
not guaranteed to have valid UTXOs nor connected nodes and therefore it's
difficult to sift out good vs bad orphan proofs.
Orphaned proofs' usefulness varies by scenario:
A) IBD - We want to collect proofs as we start to establish connections to help
us build quorum. It's important to keep in mind these proofs cannot be trusted
until their UTXOs are valid, so we rely on first-seen principle to admit orphans
into the pool from the network up to the limit.
B) Reorg - We want to collect ALL proofs getting reorged so that we can
reconcile them regardless of orphan pool limit. If we do not do this, it's
trivial to force nodes to drop potentially-valid proofs during a reorg.
C) Proof received before UTXO - This is an uncommon occurrence with little
downside to dropping the proof, so we rely on best-effort (i.e. the pool not
being full).
This patch implements the orphan proof pool limit in such a way that memory
is reasonably bounded under all three scenarios regardless of the
number/resourcing of malicious actors, with that bound being stricter for
orphans received from the network. Note that these assumptions hold best
with the implementation of a UTXO age limit for proofs, which has not yet
been completed. It will also be necessary to implement an expiration
mechanism so that junk orphans do not sit around forever. This is work for
future patches.
Test Plan:
ninja check-avalanche
Reviewers: #bitcoin_abc, Fabien
Reviewed By: #bitcoin_abc, Fabien
Subscribers: Fabien
Differential Revision: https://reviews.bitcoinabc.org/D11594
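To make the three admission policies above concrete, here is an added illustrative model of an orphan proof pool. It is example code written for this page, not Bitcoin ABC's PeerManager, and the class, method and scenario names as well as the numeric proof ids are all constructed. It shows the one property the summary cares about: network orphans are admitted first-seen only up to a fixed cap, reorged proofs are admitted regardless of that cap, and a reconciled (or discarded) orphan frees its slot.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <unordered_map>

// Hypothetical model (not Bitcoin ABC's implementation) of an orphan proof
// pool whose admission rule depends on where the orphan came from.
enum class OrphanSource { Network, Reorg };

struct OrphanProof {
    uint64_t id;          // stands in for a proof id; values below are constructed
    OrphanSource source;
};

class OrphanProofPool {
public:
    explicit OrphanProofPool(size_t networkLimit) : m_networkLimit(networkLimit) {}

    // Network orphans are accepted first-seen while the network slice has room.
    // Reorged orphans are always accepted so a reorg cannot be used to make the
    // node forget proofs that were valid a moment ago.
    bool addOrphan(uint64_t id, OrphanSource source) {
        if (m_proofs.count(id) != 0) return false;   // already tracked
        if (source == OrphanSource::Network) {
            if (m_networkCount >= m_networkLimit) return false;  // pool full
            ++m_networkCount;
        }
        m_proofs.emplace(id, OrphanProof{id, source});
        return true;
    }

    // Called when the orphan is reconciled (its UTXOs became valid) or is
    // discarded; frees a network slot if it was a network orphan.
    bool removeOrphan(uint64_t id) {
        auto it = m_proofs.find(id);
        if (it == m_proofs.end()) return false;
        if (it->second.source == OrphanSource::Network) --m_networkCount;
        m_proofs.erase(it);
        return true;
    }

    size_t size() const { return m_proofs.size(); }
    size_t networkCount() const { return m_networkCount; }

private:
    size_t m_networkLimit;
    size_t m_networkCount = 0;
    std::unordered_map<uint64_t, OrphanProof> m_proofs;
};

// Scenario A (IBD / network flood): at most `limit` of `nProofs` survive,
// whatever the number of peers sending them.
size_t admittedFromNetworkFlood(size_t limit, size_t nProofs) {
    OrphanProofPool pool(limit);
    size_t admitted = 0;
    for (size_t i = 0; i < nProofs; ++i) {
        if (pool.addOrphan(1000 + i, OrphanSource::Network)) ++admitted;
    }
    return admitted;
}

// Scenario B (reorg): with the network slice already full, every reorged
// proof is still kept. This path is bounded only by how many proofs were
// valid before the reorg, not by the network limit.
size_t admittedFromReorgWhenFull(size_t limit, size_t nReorged) {
    OrphanProofPool pool(limit);
    for (size_t i = 0; i < limit; ++i) pool.addOrphan(1000 + i, OrphanSource::Network);
    size_t admitted = 0;
    for (size_t i = 0; i < nReorged; ++i) {
        if (pool.addOrphan(5000 + i, OrphanSource::Reorg)) ++admitted;
    }
    return admitted;
}

// Scenario C (proof seen before its UTXO): best effort. The newcomer is
// rejected while the pool is full and admitted once one orphan is reconciled.
size_t admittedAfterOneReconciled(size_t limit) {
    OrphanProofPool pool(limit);
    for (size_t i = 0; i < limit; ++i) pool.addOrphan(1000 + i, OrphanSource::Network);
    size_t admitted = pool.addOrphan(9999, OrphanSource::Network) ? 1 : 0;  // full: 0
    pool.removeOrphan(1000);  // one orphan's UTXOs became valid, slot freed
    if (pool.addOrphan(9999, OrphanSource::Network)) ++admitted;
    return admitted;
}

int main() {
    std::printf("A: %zu of 100 network orphans kept (limit 10)\n", admittedFromNetworkFlood(10, 100));
    std::printf("B: %zu of 50 reorged proofs kept with full pool\n", admittedFromReorgWhenFull(10, 50));
    std::printf("C: %zu newcomer admitted after one reconciliation\n", admittedAfterOneReconciled(10));
    return 0;
}
```

The model deliberately has no expiry and no UTXO age limit, which matches the summary's note that those remain future work: without them, a junk network orphan holds its slot until it is explicitly removed.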