tip: transaction internet protocol n proposed as an internet standard. backed by microsoft and...
TRANSCRIPT
TIP: Transaction Internet ProtocolTIP: Transaction Internet Protocol
Proposed as an Internet Standard.Proposed as an Internet Standard.• Backed by Microsoft and Tandem.Backed by Microsoft and Tandem.
Heterogeneous Transaction Managers Heterogeneous Transaction Managers can implement TIP to communicate with can implement TIP to communicate with each other.each other.
TIP: Two-pipe modelTIP: Two-pipe model
Site ASite A
ApplicationApplicationProgramProgram
TIP APITIP API
TIP txnTIP txnmanagermanager
Site BSite B
ApplicationApplicationProgramProgram
TIP APITIP API
TIP txnTIP txnmanagermanager
Pipe 1Pipe 1
Pipe 2Pipe 2
TIP commit protocolTIP commit protocol
A Browsing TransactionA Browsing Transaction
User’sWebBrowser
Server A
Server B
Server C
(1) Initiate txn
(2) txn URL
(3) PUSHtxn
(4) txnURL
(5) PULLtxn
AA
CC
PUSH ‘txn1a’PUSH ‘txn1a’
PUSH ‘txn1c’PUSH ‘txn1c’
DD
PUSH ‘txn1b’PUSH ‘txn1b’
BB
PUSH ‘txn1a’PUSH ‘txn1a’
Multiple inclusions of a siteMultiple inclusions of a site
TIP vulnerabilityTIP vulnerability
communication is pairwise point-to-communication is pairwise point-to-point.point.
Vulnerable to single link failuresVulnerable to single link failures
TIP SecurityTIP Security
Requires Secure-HTTP/SSL/TLS withRequires Secure-HTTP/SSL/TLS with• encryption and encryption and • end-to-end authentication.end-to-end authentication.
Operator intervention is needed when Operator intervention is needed when the commit protocol fouls up. the commit protocol fouls up. • How will this work on the Internet?How will this work on the Internet?
Internet Transaction SecurityInternet Transaction Security
Big value transactions will not be Big value transactions will not be conducted in this way.conducted in this way.
Thus any scams will take the form of Thus any scams will take the form of having a small effect on a large number having a small effect on a large number of tranactions. (Salami scams.)of tranactions. (Salami scams.)
SSL/TLS does NOT solve all of SSL/TLS does NOT solve all of the problemsthe problems
TIP with TLS does not ensure non-TIP with TLS does not ensure non-repudiation.repudiation.
Various Denial-of-Service attacks are Various Denial-of-Service attacks are possible.possible.
A rogue participant could block A rogue participant could block progress by refusing to commit.progress by refusing to commit.
Denial-of-ServiceDenial-of-Service
PULL-based:PULL-based:• A rogue company that knows the A rogue company that knows the
transaction ID sends a PULL to a site then transaction ID sends a PULL to a site then close the connection.close the connection.
PUSH-basedPUSH-based• Flood a sites with PUSHes so that it cannot Flood a sites with PUSHes so that it cannot
service legitimate requests.service legitimate requests.
Broken connectionBroken connection
If a site loses its connection to its If a site loses its connection to its superior, the rogue sites sends it a superior, the rogue sites sends it a RECONNECT command and tells it the RECONNECT command and tells it the wrong result of the commit.wrong result of the commit.
RepudiationRepudiation
General point about how to repudiate:General point about how to repudiate:
The site that wants to repudiate a The site that wants to repudiate a transaction can always cause itself to transaction can always cause itself to crash and then recover, meanwhile crash and then recover, meanwhile losing all information that was in losing all information that was in vulnerable storage.vulnerable storage.
RepudiationRepudiation
Interaction of 2PC and authenticated protocol messages • The semantics of the authenticated
messages only apply if the txn is committed.
RepudiationRepudiation
If a message from A to B is part of a 2PC protocol, then B’s possession of the digital signature proves nothing.• A can claim: Yes, that was sent, but the
action was rolled back. • B must prove that the action was
committed. B must also prove that the message was part of that txn.