A Critical Analysis of the Transaction Internet Protocol Tim Kempster ([email protected]) University of Edinburgh Scotland .

A Critical Analysis of the Transaction Internet Protocol

Tim Kempster ([email protected]) University of Edinburgh Scotland

www.dcs.ed.ac.uk

Overview of the Talk

• What is TIP and what kind of services does it provide.

• How do Internet applications enlist in Internet transactions.

• How can we model these transactions.

• Discussion of problems/features of TIP within this model.

What Is TIP?• TIP is an IETF standard proposed by

Microsoft and Tandem and supported by other vendors.

• It provides transactional semantics to a

group of actions carried out by E-Commerce

style Internet applications.• TIP provides Atomicity.

Changing Style of E-Commerce

Traditional E-Commerce• Involve a Customer

and a single Merchant.• Shopping by visiting

one Merchant at a time.

Multi-Party E-Commerce• Involve a customer and

two or more Merchants.• Merchants come

together on an ad hoc basis to provide a package of goods.

• These may be transient relationships.

E-Commerce Example I

Browser

Travel Agency

Hotel Reservation System

Airline ReservationSystem

I Only need aflight if I can

get a Hotel Room

E-Commerce Example II

Packaged financialproduct available

from a WWW broker

GovernmentBonds Broker

DOW FuturesBroker

Equities Broker

Futures Trader

The Participants In a Transaction

Application

TM

Application

TM

Application

TM

Application

TMTwo pipe connection based model.

Growing a Transaction

R

D

B C

E F

HG

I

PULL

PUSH

Push Enlistment

TM X

Application A Application B

TM Y

tip_open()

tip_push()

PUSH

TID

PUSHEDTID

TID

do_some_work(TID)

done

Pull Enlistment

TM X

Application A Application B

TM Y

PULLED

PULL(TID)

do_some_work(TID)

done

tip_open() TID

tip_pull(TID

)

e

Terminating Transaction I

Re

e = Enlistedp = prepared

Ae e

C

B

D

e

e e

e

PREPARE PREPARE

PREPARED

p

p

PREPAREPREPAREPREPARED

pp

p

pp

p

p

Terminating Transactions II

Rp

p = preparedc= committed

Ap p

C

B

D

p

p p

p

COMMIT COMMIT

COMMITED

c

c

COMMITCOMMITCOMMITED

cc

c

cc

c

A

p

Terminating Transactions III

Ra

p = prepareda= aborted

Ap p

C

B

D

p

p p

a

ABORT

ABORTABORTABORTED

aa

a

aa

a

A

ABORTED

e

Failure Before Preparation

eR

e

Be

Bp p

C D

e

a

a

ee pp

a

a

aa

a a

Failure After Preparation

pR

p

Bp

Bp p

C D

e

pp

QUERY

RECONNECT

RECONNECTED

Failure Tends to Cause Aborts

• If connections are lost between enlisted TMs this will cause the transaction to abort.

• TMs connections will often be in the enlisted state.

• Therefore the unreliability of the Internet will cause many transactions to abort.

• An enhancement to TIP should allow enlisted TMs to reconnect.

Blocking In TIP

pR

ep

pp

p p

e

Prepared transactions cannot terminate and must hold resources.

Why is Blocking Such a Problem?

• Resources (database locks) will need to be held until failure in some part of the Internet is repaired.

• A application has little control of who or where a transaction is pushed. Its resources therefore are vulnerable.

• Connection failure is common over the Internet.• Commit protocols which are less blocking exist.

Jamming a Transaction

Pension Fund

Gold Futures

GovernmentBonds

PREPARE

PREPARED

PREPARE

Government bonds dealer waits for news. If it is favorable she replies PREPARED otherwise she aborts the transaction. Thus gaining a competitive advantage. She could also fake failure to cause the abort.

Security in TIP• If A with local TM X enlists B with local

TM Y, then no other transaction can be mistakenly enlisted. Furthermore A’s identity is authenticated to B and vice versa.

• No outside parties can detect that the messages exchanged pertain to a TIP transaction.

• TIP Specification says use TLS but how ?

Secure Pull

TM X

Application A Application B

TM Y

PULLED

PULL(TID)

do_some_work(TID)

done

tip_pull(TID

)TID

Pull m

ust come from

Y

Associate TID with TM Y’s public key

Secure authenticated pipe

TM X Only Replies PULLED if PULL came from TM Y.

TM X

A

tip_pull(TID

)TID

Pull m

ust come from

Y

Associate TID with TM Y’s public key

Why Must the Application Pipe be Secure?

B

Bogus TM

TM X

Man in the Middle

MIM replaces TID with a bogus TID to hijack the transaction

ABORT

Conclusions

• TIP provides transaction atomicity across Internet applications.

• Transactions are grown dynamically and terminated using a hierarchical 2PC.

• TIP behaves badly if connections fail.• Security issues arise during transaction enlistment.• There are issues when applications are not

cooperative.