TIP: Transaction Internet ProtocolTIP: Transaction Internet Protocol

Proposed as an Internet Standard.Proposed as an Internet Standard.• Backed by Microsoft and Tandem.Backed by Microsoft and Tandem.

Heterogeneous Transaction Managers Heterogeneous Transaction Managers can implement TIP to communicate with can implement TIP to communicate with each other.each other.

TIP: Two-pipe modelTIP: Two-pipe model

Site ASite A

ApplicationApplicationProgramProgram

TIP APITIP API

TIP txnTIP txnmanagermanager

Site BSite B

ApplicationApplicationProgramProgram

TIP APITIP API

TIP txnTIP txnmanagermanager

Pipe 1Pipe 1

Pipe 2Pipe 2

TIP commit protocolTIP commit protocol

A Browsing TransactionA Browsing Transaction

User’sWebBrowser

Server A

Server B

Server C

(1) Initiate txn

(2) txn URL

(3) PUSHtxn

(4) txnURL

(5) PULLtxn

AA

CC

PUSH ‘txn1a’PUSH ‘txn1a’

PUSH ‘txn1c’PUSH ‘txn1c’

DD

PUSH ‘txn1b’PUSH ‘txn1b’

BB

PUSH ‘txn1a’PUSH ‘txn1a’

Multiple inclusions of a siteMultiple inclusions of a site

TIP vulnerabilityTIP vulnerability

communication is pairwise point-to-communication is pairwise point-to-point.point.

Vulnerable to single link failuresVulnerable to single link failures

TIP SecurityTIP Security

Requires Secure-HTTP/SSL/TLS withRequires Secure-HTTP/SSL/TLS with• encryption and encryption and • end-to-end authentication.end-to-end authentication.

Operator intervention is needed when Operator intervention is needed when the commit protocol fouls up. the commit protocol fouls up. • How will this work on the Internet?How will this work on the Internet?

Internet Transaction SecurityInternet Transaction Security

Big value transactions will not be Big value transactions will not be conducted in this way.conducted in this way.

Thus any scams will take the form of Thus any scams will take the form of having a small effect on a large number having a small effect on a large number of tranactions. (Salami scams.)of tranactions. (Salami scams.)

SSL/TLS does NOT solve all of SSL/TLS does NOT solve all of the problemsthe problems

TIP with TLS does not ensure non-TIP with TLS does not ensure non-repudiation.repudiation.

Various Denial-of-Service attacks are Various Denial-of-Service attacks are possible.possible.

A rogue participant could block A rogue participant could block progress by refusing to commit.progress by refusing to commit.

Denial-of-ServiceDenial-of-Service

PULL-based:PULL-based:• A rogue company that knows the A rogue company that knows the

transaction ID sends a PULL to a site then transaction ID sends a PULL to a site then close the connection.close the connection.

PUSH-basedPUSH-based• Flood a sites with PUSHes so that it cannot Flood a sites with PUSHes so that it cannot

service legitimate requests.service legitimate requests.

Broken connectionBroken connection

If a site loses its connection to its If a site loses its connection to its superior, the rogue sites sends it a superior, the rogue sites sends it a RECONNECT command and tells it the RECONNECT command and tells it the wrong result of the commit.wrong result of the commit.

RepudiationRepudiation

General point about how to repudiate:General point about how to repudiate:

The site that wants to repudiate a The site that wants to repudiate a transaction can always cause itself to transaction can always cause itself to crash and then recover, meanwhile crash and then recover, meanwhile losing all information that was in losing all information that was in vulnerable storage.vulnerable storage.

RepudiationRepudiation

Interaction of 2PC and authenticated protocol messages • The semantics of the authenticated

messages only apply if the txn is committed.

RepudiationRepudiation

If a message from A to B is part of a 2PC protocol, then B’s possession of the digital signature proves nothing.• A can claim: Yes, that was sent, but the

action was rolled back. • B must prove that the action was

committed. B must also prove that the message was part of that txn.