End-to-End Arguments in System Design


End-to-End Arguments in System Design J.H. Saltzer, D.P. Reed, and D.D. Clark MIT-LCS

Motivation “Choosing the proper boundaries between functions is perhaps the primary activity of the computer system designer.” “Design principles that provide guidance in this choice of function placement are among the most important tools of a system designer.” These statements are from 1984. Think about software design, OO, patterns, frameworks: from a certain perspective they are all about choosing the proper boundaries in software system design.

What is this paper about? “…discusses one class of function placement that has been used for many years with neither explicit recognition nor much conviction” Comment: to some extent still true today. So what is it, anyway?

Example: A system includes communication Usually we draw a modular boundary around the communication subsystem and the rest of the system. There is a list of functions to be implemented in any of several ways: by the communication subsystem? by its client? as a joint venture? both doing it, redundantly?

Function example: File Transfer How many points of failure? Disk, software, processor/memory, communication, crash… How would a “careful file transfer” application then cope with this list of threats?

Threats to the “careful FT” transaction Disk faults Software faults: file system, file transfer, communication software (buffering, copying mistakes…) Processor, memory transient errors. Packet dropping, mutation Crash in the middle of transaction …

How to cope with the threat? Reinforce each step along the way using duplicate copies, time-out and retry, carefully located redundancy for error detection, crash recovery, etc. Reduce the probability of each of the individual threats to an acceptably small value.

Yet, other observations Countering threat (2) requires writing correct programs, which is quite difficult. Few nontrivial large programs can claim correctness. Doing everything many times also appears uneconomical (especially in real-time systems and resource-constrained systems).

Alternate approach End-to-end check and retry. Use end-to-end checksums. The file transfer application declares the transaction committed if the checksums agree. If failures are fairly rare, this technique will normally work on the first try; occasionally a second or even third try might be required.

How will a reliable communication subsystem help? Does it reduce the frequency of retries of the file transfer system (thus improving performance)? YES! Does it affect the correctness of the outcome? NO! (The correctness of the outcome is specified and achieved by the end-to-end checksum.)
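The careful file transfer described in the two slides above, as an added simulation that is not part of the original slides or the paper: a constructed file crosses a simulated communication subsystem whose per-block corruption probability `p_corrupt` stands in for how "reliable" the subsystem is, and the end-to-end checksum decides whether to commit or retry. The names, the 4-byte block size and the sample data are all constructed for this example.

```python
import hashlib
import random

BLOCK = 4  # constructed: tiny blocks so that corruption is easy to see
DATA = b"The quick brown fox jumps over the lazy dog."  # constructed sample file

def checksum(data: bytes) -> str:
    """End-to-end checksum computed by the application at both ends."""
    return hashlib.sha256(data).hexdigest()

def unreliable_send(data: bytes, p_corrupt: float, rng: random.Random) -> bytes:
    """Simulated communication subsystem: each block is mutated with probability
    p_corrupt. A smaller p_corrupt models a 'more reliable' subsystem."""
    out = bytearray(data)
    for i in range(0, len(out), BLOCK):
        if rng.random() < p_corrupt:
            out[i] ^= 0x01  # single-bit mutation inside this block
    return bytes(out)

def trusting_transfer(data: bytes, p_corrupt: float, rng: random.Random) -> bytes:
    """Application that assumes the network is reliable: commits whatever arrives."""
    return unreliable_send(data, p_corrupt, rng)

def careful_transfer(data: bytes, p_corrupt: float, rng: random.Random,
                     max_tries: int = 50) -> tuple[bytes, int]:
    """Careful file transfer: the receiver recomputes the checksum and commits
    only when it agrees with the sender's, otherwise it retries.
    (The sender's checksum is assumed to reach the receiver intact; if it were
    corrupted too, the comparison would simply fail and trigger a retry.)
    Returns (committed data, number of attempts)."""
    expected = checksum(data)
    for attempt in range(1, max_tries + 1):
        received = unreliable_send(data, p_corrupt, rng)
        if checksum(received) == expected:
            return received, attempt
    raise RuntimeError("end-to-end check never passed; transfer not committed")

def careful_result(p_corrupt: float, seed: int = 1) -> tuple[bytes, int]:
    """Run the careful transfer of DATA with a seeded, reproducible channel."""
    return careful_transfer(DATA, p_corrupt, random.Random(seed))

def trusting_result(p_corrupt: float, seed: int = 1) -> bytes:
    """Run the trusting transfer of DATA with a seeded, reproducible channel."""
    return trusting_transfer(DATA, p_corrupt, random.Random(seed))

if __name__ == "__main__":
    for p in (0.0, 0.05, 0.2):
        committed, attempts = careful_result(p)
        print(f"p_corrupt={p}: committed after {attempts} attempt(s), intact={committed == DATA}")
```

Raising `p_corrupt` changes only the attempt count of the careful transfer; whatever it commits always equals the original, whereas the trusting transfer commits corrupted data whenever the subsystem mutates a block.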

End-to-End Argument The function in question can be completely and correctly implemented only with the knowledge of the application standing at the endpoints of the communication system. Therefore, providing that questioned function as a feature of the communication system itself is not possible. Sometimes an incomplete version of the function provided by the communication system may be useful as a performance enhancement.

A Too-Real Example Place: MIT local network What: Over a period of time many of the files were repeatedly transferred through a defective gateway. The owners were forced to do the ultimate end-to-end error check: manual comparison with old files. Why: the application programmer believed (assumed) the network was providing reliable transmission.

Performance Aspect Some low-level effort does have a significant effect on application performance, BUT the key idea is that the lower level need not (overspend effort to) provide “perfect” reliability. The amount of effort to put into reliability measures within the data communication system is seen to be an engineering tradeoff rather than a requirement for correctness. If the communication system is beefed up with internal reliability measures, those measures also have a reali

Example 2: Delivery guarantee The ack message in ARPANET was never found to be helpful to applications using ARPANET. Why? Because knowing for sure that the message was delivered to the target host is not very important. What the application wants to know is whether or not the target host has acted on the message!

(Continued) All manner of disaster might have struck after message delivery but before completion of the action requested by the message. The acknowledgement that is really desired is an end-to-end one, which can only be given by the target application—”I did it”, or “I didn’t”.

Example 3: Secure Transmission of Data Use a “secure” subsystem: If the data transmission system performs encryption and decryption, it must be trusted to securely manage the required encryption keys. The data will be in the clear, and thus vulnerable to attacks, as they pass into the subsystem and are fanned out to the target application. The authenticity of the message must still be checked by the application.

Alternative The application itself performs end-to-end encryption Has its own authentication check Manages the key itself The data is never exposed to the outside! So to satisfy the requirements of the application, there is no need for the communication subsystem to provide automatic encryption of all traffic. Automatic encryption of all traffic by the communication subsystem may be called for to ensure something else: that a misbehaving user or application program does not deliberately transmit information that should not be exposed.
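The application-level authenticity check from Example 3 and this slide, as an added illustration that is not code from the original slides or the paper: the key lives only in the two endpoint applications, the sending application attaches its own HMAC tag, and the receiving application verifies it before acting on the data, so a keyless intermediate hop (modelled on the defective gateway of the earlier slide) can corrupt traffic but cannot make it pass the end-to-end check. `APP_KEY`, the function names and the gateway model are constructed for this example; encryption is left out to keep it focused on authentication.

```python
import hashlib
import hmac

TAG_LEN = 32  # length of an HMAC-SHA256 tag
# Constructed example key, held only by the two endpoint applications.
APP_KEY = b"constructed-example-key"

def app_protect(key: bytes, message: bytes) -> bytes:
    """Sending application appends its own end-to-end authentication tag."""
    return message + hmac.new(key, message, hashlib.sha256).digest()

def app_verify(key: bytes, frame: bytes):
    """Receiving application checks authenticity itself before acting on the data.
    Returns the message, or None when the tag does not match (or is missing)."""
    if len(frame) < TAG_LEN:
        return None
    message, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return message if hmac.compare_digest(tag, expected) else None

def defective_gateway(frame: bytes) -> bytes:
    """Simulated intermediate hop that mutates what passes through it. It holds
    no key, so whatever it emits cannot carry a matching tag."""
    return bytes([frame[0] ^ 0x01]) + frame[1:]

def deliver(message: bytes, through_defective_gateway: bool):
    """End-to-end flow: protect at the sender, cross the network, verify at the
    receiver. Only the endpoints ever touch APP_KEY."""
    frame = app_protect(APP_KEY, message)
    if through_defective_gateway:
        frame = defective_gateway(frame)
    return app_verify(APP_KEY, frame)

if __name__ == "__main__":
    print("intact path  :", deliver(b"apply update 42", False))
    print("via gateway  :", deliver(b"apply update 42", True))
```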

Other examples Duplicate message suppression Guaranteeing FIFO message delivery Transaction management They applied the end-to-end argument to the construction of the SWALLOW distributed data storage system, where it led to a significant reduction in overhead.

Identifying the ends Using the e2e argument sometimes requires a subtle analysis of application requirements. Example: if low levels of a telephone system try to accomplish bit-perfect communication, they will probably introduce uncontrolled delays in packet delivery. Such delays are disruptive to voice apps. It is better to accept the damaged data and let the participant say “excuse me?”.

But, this strong version of e2e argument is a property of the specific application—two people in real-time conversation. In a speech message system, the argument suddenly changes its nature.

Conclusion The e2e argument is a guideline that helps in application and protocol design analysis. One must use some care to identify the end points to which the argument should be applied. It is not an absolute rule, but a kind of “Occam’s razor”. In designing a subsystem, don’t be overly eager to “help” users by taking on more functions than necessary. Tradeoffs of function placement should be carefully analyzed in system design.

[Figure: plot of reliability against effort, annotated with the percentage of the application's needs that is met]