A Critical Analysis of the Transaction Internet Protocol
Tim Kempster ([email protected]) University of Edinburgh Scotland
www.dcs.ed.ac.uk
Dec 31, 2015
Overview of the Talk
• What is TIP and what kind of services does it provide.
• How do Internet applications enlist in Internet transactions.
• How can we model these transactions.
• Discussion of problems/features of TIP within this model.
What Is TIP?
• TIP is an IETF standard proposed by Microsoft and Tandem and supported by other vendors.
• It provides transactional semantics to a group of actions carried out by E-Commerce style Internet applications.
• TIP provides Atomicity.
Changing Style of E-Commerce
Traditional E-Commerce
• Involves a Customer and a single Merchant.
• Shopping by visiting one Merchant at a time.
Multi-Party E-Commerce
• Involves a customer and two or more Merchants.
• Merchants come together on an ad hoc basis to provide a package of goods.
• These may be transient relationships.
E-Commerce Example I
[Diagram: Browser, Travel Agency, Hotel Reservation System, Airline Reservation System]
"I only need a flight if I can get a Hotel Room"
E-Commerce Example II
Packaged financial product available from a WWW broker
[Diagram: Government Bonds Broker, DOW Futures Broker, Equities Broker, Futures Trader]
The Participants In a Transaction
[Diagram: four Application and TM pairs]
Two pipe connection based model.
Growing a Transaction
[Diagram: nodes R, B, C, D, E, F, G, H and I, with links labelled PULL and PUSH]
Push Enlistment
[Sequence diagram between Application A, TM X, TM Y and Application B. Messages shown: tip_open(), tip_push(), PUSH, PUSHED, TID, do_some_work(TID), done.]
Pull Enlistment
[Sequence diagram between Application A, TM X, TM Y and Application B. Messages shown: tip_open(), TID, tip_pull(TID), PULL(TID), PULLED, do_some_work(TID), done.]
Terminating Transaction I
[Diagram: nodes R, A, B, C and D, each marked e or p. Messages shown: PREPARE, PREPARED.]
e = Enlisted, p = prepared
Terminating Transactions II
[Diagram: nodes R, A, B, C and D, each marked p or c. Messages shown: COMMIT, COMMITTED.]
p = prepared, c = committed
Terminating Transactions III
[Diagram: nodes R, A, B, C and D, each marked p or a. Messages shown: ABORT, ABORTED.]
p = prepared, a = aborted
Failure Before Preparation
[Diagram: nodes R, B, C and D, each marked e, p or a]
Failure After Preparation
[Diagram: nodes R, B, C and D, each marked e or p. Messages shown: QUERY, RECONNECT, RECONNECTED.]
Failure Tends to Cause Aborts
• If connections are lost between enlisted TMs this will cause the transaction to abort.
• TM connections will often be in the enlisted state.
• Therefore the unreliability of the Internet will cause many transactions to abort.
• An enhancement to TIP should allow enlisted TMs to reconnect.
Blocking In TIP
[Diagram: node R and others, each marked e or p]
Prepared transactions cannot terminate and must hold resources.
Why is Blocking Such a Problem?
• Resources (database locks) will need to be held until failure in some part of the Internet is repaired.
• An application has little control over to whom or where a transaction is pushed. Its resources are therefore vulnerable.
• Connection failure is common over the Internet.
• Commit protocols which are less blocking exist.
Jamming a Transaction
[Diagram: Pension Fund, Gold Futures, Government Bonds. Messages shown: PREPARE, PREPARED, PREPARE.]
The government bonds dealer waits for news. If it is favorable she replies PREPARED; otherwise she aborts the transaction, thus gaining a competitive advantage. She could also fake failure to cause the abort.
Security in TIP
• If A with local TM X enlists B with local TM Y, then no other transaction can be mistakenly enlisted. Furthermore A’s identity is authenticated to B and vice versa.
• No outside parties can detect that the messages exchanged pertain to a TIP transaction.
• The TIP specification says to use TLS, but how?
Secure Pull
[Sequence diagram between Application A, TM X, TM Y and Application B. Messages shown: tip_pull(TID), TID, PULL(TID), PULLED, do_some_work(TID), done.]
• Pull must come from Y.
• Associate TID with TM Y’s public key.
• Secure authenticated pipe.
• TM X only replies PULLED if PULL came from TM Y.
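Added example, not part of the original slides: a Python sketch of the check TM X makes before replying PULLED. The class PullGate, its method names, the sample keys and the TID are assumptions made for illustration; NOTPULLED is the negative response to PULL in the TIP specification.

```python
import hashlib
import hmac


def fingerprint(key_material: bytes) -> str:
    """SHA-256 fingerprint of the key material a peer proved on the TLS pipe."""
    return hashlib.sha256(key_material).hexdigest()


class PullGate:
    """Hypothetical table held by the superior TM (TM X): TID -> allowed puller."""

    def __init__(self):
        self._expected = {}

    def expect_pull(self, tid: str, puller_key: bytes) -> None:
        # Application A tells TM X: "the pull for this TID must come from Y".
        self._expected[tid] = fingerprint(puller_key)

    def handle_pull(self, tid: str, authenticated_key: bytes) -> str:
        # authenticated_key must be what the TLS handshake authenticated
        # (e.g. the DER bytes from ssl.SSLSocket.getpeercert(binary_form=True)),
        # never an identity claimed inside the PULL message itself.
        want = self._expected.get(tid)
        if want is None:
            return "NOTPULLED"  # unknown TID, or no binding was registered
        got = fingerprint(authenticated_key)
        if not hmac.compare_digest(want, got):
            return "NOTPULLED"  # valid TID, but presented by the wrong TM
        return "PULLED"


# Constructed sample values (not real keys or TIP identifiers).
TM_Y_KEY = b"constructed-public-key-of-TM-Y"
BOGUS_TM_KEY = b"constructed-public-key-of-bogus-TM"
TID = "tid-0001"


def demo() -> dict:
    gate = PullGate()
    gate.expect_pull(TID, TM_Y_KEY)
    return {
        "tm_y": gate.handle_pull(TID, TM_Y_KEY),
        "bogus_tm": gate.handle_pull(TID, BOGUS_TM_KEY),
        "unknown_tid": gate.handle_pull("tid-9999", TM_Y_KEY),
    }


if __name__ == "__main__":
    print(demo())
```

Knowing the TID alone is not enough to enlist: a TM that learns the TID but cannot authenticate as TM Y is refused.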
Why Must the Application Pipe be Secure?
[Diagram: A, TM X, B, a Bogus TM and a Man in the Middle. Labels shown: tip_pull(TID), TID, "Pull must come from Y", "Associate TID with TM Y’s public key", ABORT.]
MIM replaces TID with a bogus TID to hijack the transaction.
Conclusions
• TIP provides transaction atomicity across Internet applications.
• Transactions are grown dynamically and terminated using a hierarchical 2PC.
• TIP behaves badly if connections fail.
• Security issues arise during transaction enlistment.
• There are issues when applications are not cooperative.