230 likes | 386 Views
A Critical Analysis of the Transaction Internet Protocol. Tim Kempster (tdk@dcs.ed.ac.uk) University of Edinburgh Scotland www.dcs.ed.ac.uk. Overview of the Talk. What is TIP and what kind of services does it provide. How do Internet applications enlist in Internet transactions.
E N D
A Critical Analysis of the Transaction Internet Protocol Tim Kempster (tdk@dcs.ed.ac.uk) University of Edinburgh Scotland www.dcs.ed.ac.uk
Overview of the Talk • What is TIP and what kind of services does it provide. • How do Internet applications enlist in Internet transactions. • How can we model these transactions. • Discussion of problems/features of TIP within this model.
What Is TIP? • TIP is an IETF standard proposed by Microsoft and Tandem and supported by other vendors. • It provides transactional semantics to a group of actions carried out by E-Commerce style Internet applications. • TIP provides Atomicity.
Traditional E-Commerce Involve a Customer and a single Merchant. Shopping by visiting one Merchant at a time. Multi-Party E-Commerce Involve a customer and two or more Merchants. Merchants come together on an ad hoc basis to provide a package of goods. These may be transient relationships. Changing Style of E-Commerce
E-Commerce Example I Hotel Reservation System Airline Reservation System I Only need a flight if I can get a Hotel Room Travel Agency Browser
E-Commerce Example II Government Bonds Broker Futures Trader Packaged financial product available from a WWW broker DOW Futures Broker Equities Broker
Two pipe connection based model. TM TM TM Application Application Application The Participants In a Transaction TM Application
B C E F G H I Growing a Transaction PULL R PUSH D
PUSH TM X TM Y TID PUSHED tip_open() tip_push() TID TID do_some_work(TID) Application B Application A done Push Enlistment
PULLED TM X TM Y PULL(TID) tip_open() tip_pull(TID) TID do_some_work(TID) Application B Application A done Pull Enlistment
PREPARE PREPARE PREPARED A e e PREPARE PREPARE PREPARED p p Terminating Transaction I e = Enlisted R p = prepared e p p e e p p e B p p e e C D
COMMIT COMMIT COMMITED A p p COMMIT COMMIT COMMITED c c Terminating Transactions II p = prepared R c= committed c p p c p c p c A B c c p p C D
ABORT A p p ABORT ABORT ABORTED a a Terminating Transactions III p = prepared R a= aborted a p a ABORTED p a a A B a a p p C D
R e e a a a a p a a p p a a p Failure Before Preparation e e B B e e e C D
QUERY RECONNECT RECONNECTED Failure After Preparation R p p e p B B p p p p C D
Failure Tends to Cause Aborts • If connections are lost between enlisted TMs this will cause the transaction to abort. • TMs connections will often be in the enlisted state. • Therefore the unreliability of the Internet will cause many transactions to abort. • An enhancement to TIP should allow enlisted TMs to reconnect.
R p p e Blocking In TIP Prepared transactions cannot terminate and must hold resources. p p e p p
Why is Blocking Such a Problem? • Resources (database locks) will need to be held until failure in some part of the Internet is repaired. • A application has little control of who or where a transaction is pushed. Its resources therefore are vulnerable. • Connection failure is common over the Internet. • Commit protocols which are less blocking exist.
PREPARE PREPARED PREPARE Jamming a Transaction Gold Futures Pension Fund Government Bonds Government bonds dealer waits for news. If it is favorable she replies PREPARED otherwise she aborts the transaction. Thus gaining a competitive advantage. She could also fake failure to cause the abort.
Security in TIP • If A with local TM X enlists B with local TM Y, then no other transaction can be mistakenly enlisted. Furthermore A’s identity is authenticated to B and vice versa. • No outside parties can detect that the messages exchanged pertain to a TIP transaction. • TIP Specification says use TLS but how ?
PULLED TM X TM Y PULL(TID) Pull must come from Y tip_pull(TID) TID do_some_work(TID) Application B Application A done Secure Pull Associate TID with TM Y’s public key TM X Only Replies PULLED if PULL came from TM Y. Secure authenticated pipe
ABORT Pull must come from Y tip_pull(TID) TID Man in the Middle MIM replaces TID with a bogus TID to hijack the transaction Why Must the Application Pipe be Secure? Associate TID with TM Y’s public key TM X TM X Bogus TM A B
Conclusions • TIP provides transaction atomicity across Internet applications. • Transactions are grown dynamically and terminated using a hierarchical 2PC. • TIP behaves badly if connections fail. • Security issues arise during transaction enlistment. • There are issues when applications are not cooperative.