Upgrade to Pro — share decks privately, control downloads, hide ads and more …

"Design Philosophy in Networked Systems" by Justine Sherry

Papers_We_Love
September 15, 2016
Technology
0
1.3k

"Design Philosophy in Networked Systems" by Justine Sherry

In this talk, I will present three of the great papers on the philosophy of how one designs networked systems.

There will be no graphs or performance benchmarks! Using the Internet as a reference, we will discuss the careful reasoning behind system design choices and how they effect other computer systems, human users, and even human society.

We will start with some technical themes: How do low-level systems choices impact high-level application capabilities?

We will end with some human themes: How do low-level systems choices reflect moral choices that impact high level societal tussles?

Papers_We_Love

September 15, 2016
Tweet

More Decks by Papers_We_Love

See All by Papers_We_Love
What About the Natural Numbers by José Manuel Calderón Trilla
paperswelove
0
100
Is Program Analysis The Silver Bullet Against Software Bugs? by Karim Ali
paperswelove
1
190
On the Expressive Power of Programming Languages by Shriram Krishnamurthi
paperswelove
1
160
Anonymity in the Bitcoin Peer-to-Peer Network by Giulia Fanti
paperswelove
0
140
Building Personable Machines by Star Simpson
paperswelove
0
45
PWL SF 03/18 > Cathie Yun on "Bulletproofs: Short Proofs for Confidential Transactions and More"
paperswelove
1
320
Bonnie Eisenman on Multiphase Numerical Modeling... for Jigsaw Puzzle Generation
paperswelove
0
600
Suz Hinton on Accessible images (AIMS)
paperswelove
0
890
Hannes Frederic Sowa on "BBR: Congestion-Based Congestion Control"
paperswelove
0
1.3k

Other Decks in Technology

See All in Technology
アクセス制御にまつわる改善 / Improving access control
itkq
0
520
アクセシビリティを考慮したUI/CSSフレームワーク・ライブラリ選定
yajihum
2
1k
Java EE/Jakarta EEの現状と将来 ―クラウドネイティブ時代にJava EEは対応できるのか?―
takakiyo
1
140
テストプロセスで大事にしていること #jasstnano
makky_tyuyan
0
160
NgRx Signal Store
rainerhahnekamp
0
150
推しは推せるときに推せ! プロダクトにフィードバックしていこう
nakasho
0
290
APIファーストなプロダクトマネジメントの実践 〜SaaSus Platformでの例〜 / "Practicing API-First Product Management - An Example with SaaSus Platform
oztick139
0
100
Google Cloud Next '24でブログを10本書いた方法と勉強会を沸かせた方法
yasumuusan
0
290
[新卒向け研修資料] テスト文字列に「うんこ」と入れるな(2024年版)
infiniteloop_inc
2
9.3k
エンジニア候補者向け資料2024.04.24.pdf
macloud
0
3.3k
VS CodeでAWSを操作しよう
smt7174
7
1.6k
20240416_devopsdaystokyo
kzkmaeda
1
220

Featured

See All Featured
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
17
1.4k
GraphQLとの向き合い方2022年版
quramy
32
12k
Product Roadmaps are Hard
iamctodd
44
9.7k
Principles of Awesome APIs and How to Build Them.
keavy
121
16k
Into the Great Unknown - MozCon
thekraken
10
990
Practical Orchestrator
shlominoach
182
9.7k
Automating Front-end Workflow
addyosmani
1356
200k
Scaling GitHub
holman
457
140k
Faster Mobile Websites
deanohume
299
30k
For a Future-Friendly Web
brad_frost
172
9k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
352
28k
Documentation Writing (for coders)
carmenintech
60
3.9k

Transcript

  1. Design Philosophy in Networked Systems Justine Sherry, Carnegie Mellon University

  2. So you’re building a widget. Super Widget 2000 FEATURES!!! API

    API Other Service Other Service

  3. So you’re building a widget. Super Widget 2000 Other Service

    Other Other Service Other Other Other Service Add-on Extension Platform X Platform z

  4. Design Philosophy: Principles for thinking about the outside world and

    the impact of your widget.

  5. This is David Clark. Internet Philosopher

  6. Three Papers “The Design Philosophy of the DARPA Internet Protocols”,

    Clark, D. “END-TO-END ARGUMENTS IN SYSTEM DESIGN”, Salzer, Reed and Clark. “Tussle in Cyberspace: Defining Tomorrow’s Internet”, Clark, Wrokowski, Sollins, and Braden. Recom m ended Reading

  7. I met David Clark at a conference once. He told

    me he liked my talk. I fangirled only a little tiny bit.
  8. None

  9. Layered Design: Background

  10. Layers… Physical Link Network Transport Application

  11. Physical Link Network Transport Application “How do I make bits

    out of electricity or light or sound or radio?”

  12. Physical Link Network Transport Application How do I turn those

    bits in to messages?

  13. Physical Link Network Transport Application How do I deliver the

    bits across the Internet?

  14. Physical Link Network Transport Application How do I make sure

    none of the bits got lost, or corrupted? And that they show up in order?

  15. Physical Link Network Transport Application How do I interpret the

    bits to do cool stuff?

  16. Physical Link Network Transport Application Physical Link Network Transport Application

    hey zeeshan check out this sweet paper!

  17. Physical Link Network Transport Application Physical Link Network Transport Application

  18. Physical Link Network Transport Application Physical Link Network Transport Application

  19. Physical Link Network Transport Application Physical Link Network Transport Application

    … 10101010 11110110 10000011 01010111

  20. Physical Link Network Transport Application Physical Link Network Transport Application

    1 2 3 label all the pieces so none go missing

  21. Physical Link Network Transport Application Physical Link Network Transport Application

    1 2 3 To: Z To: Z To: Z put an address on my envelopes/packets

  22. Physical Link Network Transport Application Physical Link Network Transport Application

    1 2 3 To: Z To: Z To: Z and send those packets down to bits

  23. 0101101110000101 Physical Link Network Transport Application Physical Link Network Transport

    Application

  24. Physical Link Network Transport Application Physical Link Network Transport Application

    1 2 3 To: Z To: Z To: Z

  25. Physical Link Network Transport Application Physical Link Network Transport Application

    1 2 3 To: Z To: Z To: Z Yep that’s me

  26. Physical Link Network Transport Application Physical Link Network Transport Application

    1 2 3 Did we get all the pieces?

  27. Physical Link Network Transport Application Physical Link Network Transport Application

    … 10101010 11110110 10000011 01010111

  28. Physical Link Network Transport Application Physical Link Network Transport Application

  29. Physical Link Network Transport Application Physical Link Network Transport Application

    sweet paper, thx justine

  30. Modular, Layered Systems • Components are implemented independently with APIs

    in between them. • Different layers may have multiple implementations (e.g. WiFi vs Wired Ethernet as your physical layer) • … and even different APIs and capabilities (e.g. TCP provides reliable, in-order delivery but UDP does not provide reliability or ordering. Both are transport protocols!) • To make the end-to-end system work, data passes through multiple layers.

  31. Networks aren’t the only systems with layers.

  32. Storage system layers…

  33. Virtualization Layers

  34. Today’s questions!

  35. How does what I implement in my layer impact the

    outside world?

  36. “Sure, I think about that when I design APIs!” Physical

    Link Network Transport Session Presentation Application

  37. Physical Link Network Transport Session Presentation Application What about all

    the other layers?

  38. Physical Link Network Transport Session Presentation Application What about the

    people on top?

  39. Without further ado, paper #1:

  40. J. H. Saltzer, D. P. Reed, and D. D. Clark.

    1984. End- to-end arguments in system design. ACM Trans. Comput. Syst. 2, 4 (November 1984), 277-288.

  41. “Careful File Transfer” A B Network Program File System Network

    Program File System at various points along the way. The application program in this case is the file transfer program, part of which runs at host A and part at host B. In order to discuss the possible threats to the file's integrity in this transaction, let us assume that the following specific steps are involved: 1. At host A the file transfer program calls upon the file system to read the file from the disk, where it resides on several tracks, and the file system passes it to the file transfer program in fixed-size blocks chosen to be disk-format independent. 2. Also at host A the file transfer program asks the data communication system to transmit the file using some communication protocol that involves splitting the data into packets. The packet size is typically different from the file block size and the disk track size. 3. The data communication network moves the packets from computer A to computer B. 4. At host B a data communication program removes the packets from the data communication protocol and hands the contained data on to a second part of the file transfer application, the part that operates within host B. 5. At host B, the file transfer program asks the file system to write the received data on the disk of host B. With this model of the steps involved, the following are some of the threats to the transaction that a careful designer might be concerned about: 1. The file, though originally written correctly onto the disk at host A, if read now may contain incorrect data, perhaps because of hardware faults in the disk storage system. 2. The software of the file system, the file transfer program, or the data communication system might make a mistake in buffering and copying the data of the file, either at host A or host B. 3. The hardware processor or its local memory might have a transient error while doing the buffering and copying, either at host A or host B. 4. The communication system might drop or change the bits in a packet, or lose a packet or deliver a packet more than once.

  42. “Careful File Transfer” A B Network Program File System Network

    Program File System at various points along the way. The application program in this case is the file transfer program, part of which runs at host A and part at host B. In order to discuss the possible threats to the file's integrity in this transaction, let us assume that the following specific steps are involved: 1. At host A the file transfer program calls upon the file system to read the file from the disk, where it resides on several tracks, and the file system passes it to the file transfer program in fixed-size blocks chosen to be disk-format independent. 2. Also at host A the file transfer program asks the data communication system to transmit the file using some communication protocol that involves splitting the data into packets. The packet size is typically different from the file block size and the disk track size. 3. The data communication network moves the packets from computer A to computer B. 4. At host B a data communication program removes the packets from the data communication protocol and hands the contained data on to a second part of the file transfer application, the part that operates within host B. 5. At host B, the file transfer program asks the file system to write the received data on the disk of host B. With this model of the steps involved, the following are some of the threats to the transaction that a careful designer might be concerned about: 1. The file, though originally written correctly onto the disk at host A, if read now may contain incorrect data, perhaps because of hardware faults in the disk storage system. 2. The software of the file system, the file transfer program, or the data communication system might make a mistake in buffering and copying the data of the file, either at host A or host B. 3. The hardware processor or its local memory might have a transient error while doing the buffering and copying, either at host A or host B. 4. The communication system might drop or change the bits in a packet, or lose a packet or deliver a packet more than once.

  43. “Careful File Transfer” A B Network Program File System Network

    Program File System at various points along the way. The application program in this case is the file transfer program, part of which runs at host A and part at host B. In order to discuss the possible threats to the file's integrity in this transaction, let us assume that the following specific steps are involved: 1. At host A the file transfer program calls upon the file system to read the file from the disk, where it resides on several tracks, and the file system passes it to the file transfer program in fixed-size blocks chosen to be disk-format independent. 2. Also at host A the file transfer program asks the data communication system to transmit the file using some communication protocol that involves splitting the data into packets. The packet size is typically different from the file block size and the disk track size. 3. The data communication network moves the packets from computer A to computer B. 4. At host B a data communication program removes the packets from the data communication protocol and hands the contained data on to a second part of the file transfer application, the part that operates within host B. 5. At host B, the file transfer program asks the file system to write the received data on the disk of host B. With this model of the steps involved, the following are some of the threats to the transaction that a careful designer might be concerned about: 1. The file, though originally written correctly onto the disk at host A, if read now may contain incorrect data, perhaps because of hardware faults in the disk storage system. 2. The software of the file system, the file transfer program, or the data communication system might make a mistake in buffering and copying the data of the file, either at host A or host B. 3. The hardware processor or its local memory might have a transient error while doing the buffering and copying, either at host A or host B. 4. The communication system might drop or change the bits in a packet, or lose a packet or deliver a packet more than once.

  44. “Careful File Transfer” A B Network Program File System Network

    Program File System 1. At host A the file transfer program calls upon the file system to read the file from the disk, where it resides on several tracks, and the file system passes it to the file transfer program in fixed-size blocks chosen to be disk-format independent. 2. Also at host A the file transfer program asks the data communication system to transmit the file using some communication protocol that involves splitting the data into packets. The packet size is typically different from the file block size and the disk track size. 3. The data communication network moves the packets from computer A to computer B. 4. At host B a data communication program removes the packets from the data communication protocol and hands the contained data on to a second part of the file transfer application, the part that operates within host B. 5. At host B, the file transfer program asks the file system to write the received data on the disk of host B. With this model of the steps involved, the following are some of the threats to the transaction that a careful designer might be concerned about: 1. The file, though originally written correctly onto the disk at host A, if read now may contain incorrect data, perhaps because of hardware faults in the disk storage system. 2. The software of the file system, the file transfer program, or the data communication system might make a mistake in buffering and copying the data of the file, either at host A or host B. 3. The hardware processor or its local memory might have a transient error while doing the buffering and copying, either at host A or host B. 4. The communication system might drop or change the bits in a packet, or lose a packet or deliver a packet more than once.

  45. “Careful File Transfer” A B Network Program File System Network

    Program File System 1. At host A the file transfer program calls upon the file system to read the file from the disk, where it resides on several tracks, and the file system passes it to the file transfer program in fixed-size blocks chosen to be disk-format independent. 2. Also at host A the file transfer program asks the data communication system to transmit the file using some communication protocol that involves splitting the data into packets. The packet size is typically different from the file block size and the disk track size. 3. The data communication network moves the packets from computer A to computer B. 4. At host B a data communication program removes the packets from the data communication protocol and hands the contained data on to a second part of the file transfer application, the part that operates within host B. 5. At host B, the file transfer program asks the file system to write the received data on the disk of host B. With this model of the steps involved, the following are some of the threats to the transaction that a careful designer might be concerned about: 1. The file, though originally written correctly onto the disk at host A, if read now may contain incorrect data, perhaps because of hardware faults in the disk storage system. 2. The software of the file system, the file transfer program, or the data communication system might make a mistake in buffering and copying the data of the file, either at host A or host B. 3. The hardware processor or its local memory might have a transient error while doing the buffering and copying, either at host A or host B. 4. The communication system might drop or change the bits in a packet, or lose a packet or deliver a packet more than once.

  46. “Careful File Transfer” A B Network Program File System Network

    Program File System file using some communication protocol that involves splitting the data into packets. The packet size is typically different from the file block size and the disk track size. 3. The data communication network moves the packets from computer A to computer B. 4. At host B a data communication program removes the packets from the data communication protocol and hands the contained data on to a second part of the file transfer application, the part that operates within host B. 5. At host B, the file transfer program asks the file system to write the received data on the disk of host B. With this model of the steps involved, the following are some of the threats to the transaction that a careful designer might be concerned about: 1. The file, though originally written correctly onto the disk at host A, if read now may contain incorrect data, perhaps because of hardware faults in the disk storage system. 2. The software of the file system, the file transfer program, or the data communication system might make a mistake in buffering and copying the data of the file, either at host A or host B. 3. The hardware processor or its local memory might have a transient error while doing the buffering and copying, either at host A or host B. 4. The communication system might drop or change the bits in a packet, or lose a packet or deliver a packet more than once.

  47. “Careful File Transfer” A B Network Program File System Network

    Program File System 2. Also at host A the file transfer program asks the data communication system to transmit the file using some communication protocol that involves splitting the data into packets. The packet size is typically different from the file block size and the disk track size. 3. The data communication network moves the packets from computer A to computer B. 4. At host B a data communication program removes the packets from the data communication protocol and hands the contained data on to a second part of the file transfer application, the part that operates within host B. 5. At host B, the file transfer program asks the file system to write the received data on the disk of host B. With this model of the steps involved, the following are some of the threats to the transaction that a careful designer might be concerned about: 1. The file, though originally written correctly onto the disk at host A, if read now may contain incorrect data, perhaps because of hardware faults in the disk storage system. 2. The software of the file system, the file transfer program, or the data communication system might make a mistake in buffering and copying the data of the file, either at host A or host B. 3. The hardware processor or its local memory might have a transient error while doing the buffering and copying, either at host A or host B. 4. The communication system might drop or change the bits in a packet, or lose a packet or deliver a packet more than once.

  48. “Careful File Transfer” A B Network Program File System Network

    Program File System 3. The data communication network moves the packets from computer A to computer B. 4. At host B a data communication program removes the packets from the data communication protocol and hands the contained data on to a second part of the file transfer application, the part that operates within host B. 5. At host B, the file transfer program asks the file system to write the received data on the disk of host B. With this model of the steps involved, the following are some of the threats to the transaction that a careful designer might be concerned about: 1. The file, though originally written correctly onto the disk at host A, if read now may contain incorrect data, perhaps because of hardware faults in the disk storage system. 2. The software of the file system, the file transfer program, or the data communication system might make a mistake in buffering and copying the data of the file, either at host A or host B. 3. The hardware processor or its local memory might have a transient error while doing the buffering and copying, either at host A or host B. 4. The communication system might drop or change the bits in a packet, or lose a packet or deliver a packet more than once.

  49. What if Zeeshan later reads the file and find it

    is corrupted? What could have gone wrong?

  50. 3. The data communication network moves the packets from computer

    A to computer B. 4. At host B a data communication program removes the packets from the data communication protocol and hands the contained data on to a second part of the file transfer application, the part that operates within host B. 5. At host B, the file transfer program asks the file system to write the received data on the disk of host B. With this model of the steps involved, the following are some of the threats to the transaction that a careful designer might be concerned about: 1. The file, though originally written correctly onto the disk at host A, if read now may contain incorrect data, perhaps because of hardware faults in the disk storage system. 2. The software of the file system, the file transfer program, or the data communication system might make a mistake in buffering and copying the data of the file, either at host A or host B. 3. The hardware processor or its local memory might have a transient error while doing the buffering and copying, either at host A or host B. 4. The communication system might drop or change the bits in a packet, or lose a packet or deliver a packet more than once.

  51. part that operates within host B. 5. At host B,

    the file transfer program asks the file system to write the received data on the disk of host B. With this model of the steps involved, the following are some of the threats to the transaction that a careful designer might be concerned about: 1. The file, though originally written correctly onto the disk at host A, if read now may contain incorrect data, perhaps because of hardware faults in the disk storage system. 2. The software of the file system, the file transfer program, or the data communication system might make a mistake in buffering and copying the data of the file, either at host A or host B. 3. The hardware processor or its local memory might have a transient error while doing the buffering and copying, either at host A or host B. 4. The communication system might drop or change the bits in a packet, or lose a packet or deliver a packet more than once.

  52. of host B. With this model of the steps involved,

    the following are some of the threats to the transaction that a careful designer might be concerned about: 1. The file, though originally written correctly onto the disk at host A, if read now may contain incorrect data, perhaps because of hardware faults in the disk storage system. 2. The software of the file system, the file transfer program, or the data communication system might make a mistake in buffering and copying the data of the file, either at host A or host B. 3. The hardware processor or its local memory might have a transient error while doing the buffering and copying, either at host A or host B. 4. The communication system might drop or change the bits in a packet, or lose a packet or deliver a packet more than once.

  53. a careful designer might be concerned about: 1. The file,

    though originally written correctly onto the disk at host A, if read now may contain incorrect data, perhaps because of hardware faults in the disk storage system. 2. The software of the file system, the file transfer program, or the data communication system might make a mistake in buffering and copying the data of the file, either at host A or host B. 3. The hardware processor or its local memory might have a transient error while doing the buffering and copying, either at host A or host B. 4. The communication system might drop or change the bits in a packet, or lose a packet or deliver a packet more than once.

  54. SALTZER ET AL. End-to-End Arguments in System Design 3 5.

    Either of the hosts may crash part way through the transaction after performing an unknown amount (perhaps all) of the transaction. How would a careful file transfer application then cope with this list of threats? One approach might be to reinforce each of the steps along the way using duplicate copies, timeout and retry, carefully located redundancy for error detection, crash recovery, etc. The goal would be to reduce the probability of each of the individual threats to an acceptably small value. Unfortunately, systematic countering of threat two requires writing correct programs, which task is quite difficult, and not all the programs that must be correct are written by the file transfer application programmer. If we assume further that all these threats are relatively low in probability – low enough that the system allows useful work to be accomplished – brute force countermeasures such as doing everything three times appear uneconomical.

  55. How do we re-design our system to make sure the

    file doesn’t get corrupted?

  56. B Network Program File System

  57. B Network Program File System

  58. B Network Program File System

  59. The End-to-End Argument [If] the function in question can completely

    and correctly be implemented with the knowledge and help of the application standing at the endpoints of the communication system: [Then] providing that questioned function as a feature of the communication system [or lower layer] is not possible. [However], sometimes an incomplete version of the function provided by the communication system may be useful as a performance enhancement.

  60. Let’s say we had a perfectly reliable network A B

    Network Program File System Network Program File System

  61. 5. At host B, the file transfer program asks the

    file system to write the received data on the disk of host B. With this model of the steps involved, the following are some of the threats to the transaction that a careful designer might be concerned about: 1. The file, though originally written correctly onto the disk at host A, if read now may contain incorrect data, perhaps because of hardware faults in the disk storage system. 2. The software of the file system, the file transfer program, or the data communication system might make a mistake in buffering and copying the data of the file, either at host A or host B. 3. The hardware processor or its local memory might have a transient error while doing the buffering and copying, either at host A or host B. 4. The communication system might drop or change the bits in a packet, or lose a packet or deliver a packet more than once. Would that solve our reliability problem? 5. At host B, the file transfer program asks the file system to write the received data on the disk of host B. With this model of the steps involved, the following are some of the threats to the transaction that a careful designer might be concerned about: 1. The file, though originally written correctly onto the disk at host A, if read now may contain incorrect data, perhaps because of hardware faults in the disk storage system. 2. The software of the file system, the file transfer program, or the data communication system might make a mistake in buffering and copying the data of the file, either at host A or host B. 3. The hardware processor or its local memory might have a transient error while doing the buffering and copying, either at host A or host B. 4. The communication system might drop or change the bits in a packet, or lose a packet or deliver a packet more than once. 5. At host B, the file transfer program asks the file system to write the received data on the disk of host B. With this model of the steps involved, the following are some of the threats to the transaction that a careful designer might be concerned about: 1. The file, though originally written correctly onto the disk at host A, if read now may contain incorrect data, perhaps because of hardware faults in the disk storage system. 2. The software of the file system, the file transfer program, or the data communication system might make a mistake in buffering and copying the data of the file, either at host A or host B. 3. The hardware processor or its local memory might have a transient error while doing the buffering and copying, either at host A or host B. 4. The communication system might drop or change the bits in a packet, or lose a packet or deliver a packet more than once. SALTZER ET AL. End-to-End Arguments in System Design 3 5. Either of the hosts may crash part way through the transaction after performing an unknown amount (perhaps all) of the transaction. How would a careful file transfer application then cope with this list of threats? One approach might be to reinforce each of the steps along the way using duplicate copies, timeout and retry, 5. At host B, the file transfer program asks the file system to write the received data on the disk of host B. With this model of the steps involved, the following are some of the threats to the transaction that a careful designer might be concerned about: 1. The file, though originally written correctly onto the disk at host A, if read now may contain incorrect data, perhaps because of hardware faults in the disk storage system. 2. The software of the file system, the file transfer program, or the data communication system might make a mistake in buffering and copying the data of the file, either at host A or host B. 3. The hardware processor or its local memory might have a transient error while doing the buffering and copying, either at host A or host B. 4. The communication system might drop or change the bits in a packet, or lose a packet or deliver a packet more than once.

  62. 5. At host B, the file transfer program asks the

    file system to write the received data on the disk of host B. With this model of the steps involved, the following are some of the threats to the transaction that a careful designer might be concerned about: 1. The file, though originally written correctly onto the disk at host A, if read now may contain incorrect data, perhaps because of hardware faults in the disk storage system. 2. The software of the file system, the file transfer program, or the data communication system might make a mistake in buffering and copying the data of the file, either at host A or host B. 3. The hardware processor or its local memory might have a transient error while doing the buffering and copying, either at host A or host B. 4. The communication system might drop or change the bits in a packet, or lose a packet or deliver a packet more than once. Would that solve our reliability problem? 5. At host B, the file transfer program asks the file system to write the received data on the disk of host B. With this model of the steps involved, the following are some of the threats to the transaction that a careful designer might be concerned about: 1. The file, though originally written correctly onto the disk at host A, if read now may contain incorrect data, perhaps because of hardware faults in the disk storage system. 2. The software of the file system, the file transfer program, or the data communication system might make a mistake in buffering and copying the data of the file, either at host A or host B. 3. The hardware processor or its local memory might have a transient error while doing the buffering and copying, either at host A or host B. 4. The communication system might drop or change the bits in a packet, or lose a packet or deliver a packet more than once. 5. At host B, the file transfer program asks the file system to write the received data on the disk of host B. With this model of the steps involved, the following are some of the threats to the transaction that a careful designer might be concerned about: 1. The file, though originally written correctly onto the disk at host A, if read now may contain incorrect data, perhaps because of hardware faults in the disk storage system. 2. The software of the file system, the file transfer program, or the data communication system might make a mistake in buffering and copying the data of the file, either at host A or host B. 3. The hardware processor or its local memory might have a transient error while doing the buffering and copying, either at host A or host B. 4. The communication system might drop or change the bits in a packet, or lose a packet or deliver a packet more than once. SALTZER ET AL. End-to-End Arguments in System Design 3 5. Either of the hosts may crash part way through the transaction after performing an unknown amount (perhaps all) of the transaction. How would a careful file transfer application then cope with this list of threats? One approach might be to reinforce each of the steps along the way using duplicate copies, timeout and retry, 5. At host B, the file transfer program asks the file system to write the received data on the disk of host B. With this model of the steps involved, the following are some of the threats to the transaction that a careful designer might be concerned about: 1. The file, though originally written correctly onto the disk at host A, if read now may contain incorrect data, perhaps because of hardware faults in the disk storage system. 2. The software of the file system, the file transfer program, or the data communication system might make a mistake in buffering and copying the data of the file, either at host A or host B. 3. The hardware processor or its local memory might have a transient error while doing the buffering and copying, either at host A or host B. 4. The communication system might drop or change the bits in a packet, or lose a packet or deliver a packet more than once.

  63. Well, that wasn’t very helpful…

  64. A B Network Program File System Network Program File System

    “End to End Check and Retry”

  65. “End to End Check and Retry” A B Network Program

    File System Network Program File System Read file and its checksum from disk. Verify file + checksum. Send File AND Checksum.

  66. A B Network Program File System Network Program File System

    “End to End Check and Retry”

  67. A B Network Program File System Network Program File System

    “End to End Check and Retry”

  68. “Careful File Transfer” A B Network Program File System Network

    Program File System file using some communication protocol that involves splitting the data into packets. The packet size is typically different from the file block size and the disk track size. 3. The data communication network moves the packets from computer A to computer B. 4. At host B a data communication program removes the packets from the data communication protocol and hands the contained data on to a second part of the file transfer application, the part that operates within host B. 5. At host B, the file transfer program asks the file system to write the received data on the disk of host B. With this model of the steps involved, the following are some of the threats to the transaction that a careful designer might be concerned about: 1. The file, though originally written correctly onto the disk at host A, if read now may contain incorrect data, perhaps because of hardware faults in the disk storage system. 2. The software of the file system, the file transfer program, or the data communication system might make a mistake in buffering and copying the data of the file, either at host A or host B. 3. The hardware processor or its local memory might have a transient error while doing the buffering and copying, either at host A or host B. 4. The communication system might drop or change the bits in a packet, or lose a packet or deliver a packet more than once.

  69. A B Network Program File System Network Program File System

    “End to End Check and Retry”

  70. A B Network Program File System Network Program File System

    “End to End Check and Retry” Write file and checksum to disk. Then read back and double-check that checksum + file verify.

  71. A B Network Program File System Network Program File System

    “End to End Check and Retry” If Checksum doesn’t match? Just ask Justine to re-send. (ie, try all over again!)

  72. 5. At host B, the file transfer program asks the

    file system to write the received data on the disk of host B. With this model of the steps involved, the following are some of the threats to the transaction that a careful designer might be concerned about: 1. The file, though originally written correctly onto the disk at host A, if read now may contain incorrect data, perhaps because of hardware faults in the disk storage system. 2. The software of the file system, the file transfer program, or the data communication system might make a mistake in buffering and copying the data of the file, either at host A or host B. 3. The hardware processor or its local memory might have a transient error while doing the buffering and copying, either at host A or host B. 4. The communication system might drop or change the bits in a packet, or lose a packet or deliver a packet more than once. Would that solve our reliability problem? 5. At host B, the file transfer program asks the file system to write the received data on the disk of host B. With this model of the steps involved, the following are some of the threats to the transaction that a careful designer might be concerned about: 1. The file, though originally written correctly onto the disk at host A, if read now may contain incorrect data, perhaps because of hardware faults in the disk storage system. 2. The software of the file system, the file transfer program, or the data communication system might make a mistake in buffering and copying the data of the file, either at host A or host B. 3. The hardware processor or its local memory might have a transient error while doing the buffering and copying, either at host A or host B. 4. The communication system might drop or change the bits in a packet, or lose a packet or deliver a packet more than once. 5. At host B, the file transfer program asks the file system to write the received data on the disk of host B. With this model of the steps involved, the following are some of the threats to the transaction that a careful designer might be concerned about: 1. The file, though originally written correctly onto the disk at host A, if read now may contain incorrect data, perhaps because of hardware faults in the disk storage system. 2. The software of the file system, the file transfer program, or the data communication system might make a mistake in buffering and copying the data of the file, either at host A or host B. 3. The hardware processor or its local memory might have a transient error while doing the buffering and copying, either at host A or host B. 4. The communication system might drop or change the bits in a packet, or lose a packet or deliver a packet more than once. SALTZER ET AL. End-to-End Arguments in System Design 3 5. Either of the hosts may crash part way through the transaction after performing an unknown amount (perhaps all) of the transaction. How would a careful file transfer application then cope with this list of threats? One approach might be to reinforce each of the steps along the way using duplicate copies, timeout and retry, 5. At host B, the file transfer program asks the file system to write the received data on the disk of host B. With this model of the steps involved, the following are some of the threats to the transaction that a careful designer might be concerned about: 1. The file, though originally written correctly onto the disk at host A, if read now may contain incorrect data, perhaps because of hardware faults in the disk storage system. 2. The software of the file system, the file transfer program, or the data communication system might make a mistake in buffering and copying the data of the file, either at host A or host B. 3. The hardware processor or its local memory might have a transient error while doing the buffering and copying, either at host A or host B. 4. The communication system might drop or change the bits in a packet, or lose a packet or deliver a packet more than once.

  73. Lesson: If you can do it at the “higher” layer,

    don’t bother implementing it at a lower layer. Don’t waste your time! Avoid causing confusion.

  74. Other places to apply E2E in Networks • Encryption •

    First-in-first-out ordering • Duplicate message surpression • Multi-message transactions

  75. The End-to-End Argument [If] the function in question can completely

    and correctly be implemented with the knowledge and help of the application standing at the endpoints of the communication system: [Then] providing that questioned function as a feature of the communication system [or lower layer] is not possible. [However], sometimes an incomplete version of the function provided by the communication system may be useful as a performance enhancement. One Exception!

  76. A B Network Program File System Program File System What

    if 90% of my loss really was happening at the network layer? Network As a performance optimization, you might want to implement it in the lower layer anyway (redundantly).

  77. A B Network Program File System Network Program File System

    “End to End Check and Retry” + A Reliable Network

  78. Anyone have any other examples where this plays out?

  79. Why the heck is this the classic article networking grad

    students argue about?

  80. The “Strong” End-to-End Argument

  81. It’s not just a waste of time to put non-essential

    functionality at lower layers: it’s actually harmful.

  82. A B Network Program File System Network Program File System

    “End to End Check and Retry” + A Reliable Network Slightly less bandwidth More latency

  83. Some applications may be constrained by the new functionality.

  84. Firewalls and Intrusion Detection Good server Evil Server

  85. Firewalls and Intrusion Detection I need to protect my users!

    Web traffic, email IRC, strange port numbers

  86. Firewalls and Intrusion Detection I need to protect my users!

    Only allow web and email!

  87. Firewalls and Intrusion Detection I need to protect my users!

    But what if I have a cool new app?

  88. HTTP for Everything? “Many firewalls and intrusion detection systems only

    accept HTTP. So, we should build everything using HTTP now.”

  89. Cache + TCP Optimization

  90. Cache + TCP Optimization

  91. Cache + TCP Optimization

  92. Cache + TCP Optimization

  93. Cache + TCP Optimization What the heck half the packets

    are missing?!?!?!

  94. Can we extend existing protocols? “We tried to extend TCP

    to support multipath, but devices in the network kept rejecting our connections because they looked weird.”

  95. Quick pause (People often have complaints to share about this

    problem!)

  96. End to End Argument: Recap • Basic argument: If you

    can implement functionality correctly and completely at endpoints, do it there and not at a lower layer. • It saves on redundant work in the system, and avoids confusion later. Exceptions okay for performance optimizations. • Strong argument: Avoid putting unneeded functionality at lower layers of your system altogether because it’s harmful! • Extra functionality at low layers constrains how applications are designed at higher layers.

  97. Who decides what optimizations/ constraints are okay to deploy and

    what constraints aren’t?

  98. …bringing us to Paper #2.

  99. David D. Clark, John Wroclawski, Karen R. Sollins, and Robert

    Braden. 2005. Tussle in cyberspace: defining tomorrow's internet. IEEE/ACM Trans. Netw. 13, 3 (June 2005), 462-475.

  100. “The Internet is not a single happy family of people

    dedicated to universal packet carriage.”

  101. People want to talk in private. Government wants to wiretap

    their conversations.

  102. Conservative governments put their users behind firewalls. Users install VPNs

    to tunnel through firewalls.

  103. ISPs give users a single IP address and support “just

    one host”. Users install address translators to support multiple hosts.

  104. Tussle: “the ongoing contention among parties with conflicting interests.”

  105. “Different parties adapt a mix of mechanisms to achieve their

    conflicting goals, and others respond by adapting the mechanisms to push back.”

  106. A recent example…

  107. None
  108. None
  109. None
  110. None

  111. Actor Model of Tussle Designer User User System Design Constrain

    Constrain Adapt Workaround Redesign Redesign can both extend or restrict workaround.

  112. “There is an open question … to whether the tussle

    will be driven out of the actor network, the actors will be forced into alignment, or whether this dynamic semi-stable system of today will persist.”

  113. How do we design for tussle?

  114. Design to stay out of the tussle. Design to influence

    the tussle.

  115. “Design for variation in outcome, so that the outcome can

    be different in different places, and the tussle takes place within the design, not by distorting or violating it. Do not design so as to dictate the outcome.”

  116. Two Design Principles to Achieve This • Modularize the design

    along tussle boundaries, so that one tussle does not spill over and distort unrelated issues. • Design for choice, to permit the different players to express their preferences.

  117. Modular Design: Make the tussle battle someone else’s problem

  118. Modular Design: Bad Example

  119. Problem: DNS represents both “service ID” and “trademark” I’m just

    trying to design a globally- addressable system and now I’m supposed to be an Intellectual Property expert?

  120. Modular Design: Better Example It’s not my job to know

    what is or isn’t high priority: you tell me.

  121. Design for Choice: let the user decide

  122. That time the EU made MSFT design for choice.

  123. We’re used to thinking about design for choice • TLS

    supports multiple crypto algorithms, depending on who you trust :-) • We have many different email providers. • We have many different operating systems.

  124. What’s the difference between modular design and designing for choice?

    Modular Design: A global decision that constrains *everyone* must be made. Don’t make your system specific to any particular decision — let local government, enterprise, community decide what is right for them. Design for Choice: Decision is does not need to be the same for everyone. Make sure your system supports lots of choices side by side — every individual user gets to decide for themselves.

  125. Places where tussle plays out • Some ISPs ban users

    from hosting web servers and block port 80. User solution? Run traffic over some other port. • Residential broadband access: will we have choice between providers? • Trust: I want to communicate with you, but you don’t want to communicate with me.

  126. Can anyone think of other examples of systems designed for

    choice, or designed modularly?

  127. ing about tussle must view it as a multi-round process,

    and second, that as mechanism is drawn into an ongoing tussle, it may be used in unexpected ways, and require redesign to survive in this new role. There is no such thing as value-neutral design. What choices designers include or exclude, what interfaces are defined or not, what protocols are open or proprietary, can have a profound influence on the shape of the Internet, the motivations of the players, and the potential for distor- tion of the architecture. Don’t assume that you design the answer. You are designing a playing field, not the outcome. 3. TUSSLE SPACES In this section we discuss some specific aspects of the In- pr sl dr be to to ch pr se ic in ad al sp (D is

  128. [Editorial Note] Paper’s bias: Openness, choice, and tussle are good.

  129. A lot of pressure to end/restrict choice. • App stores

    create “walled gardens” of whose apps will be permitted and whose won’t. • Protocol standardization efforts influenced to restrict strong cryptography… preventing privacy. • Firewalls, IDSes, Filters blocking protecting — and censoring, filtering out competition, or downgrading — traffic. • Typically: corporations and governments who want to control what’s going on.

  130. Design to stay out of the tussle. Design to influence

    the tussle. In that everyone (rich, poor, citizen, government) else gets a say in how it plays out.

  131. “Evolution and enhancement of existing, mature applications is inevitable.”

  132. “Keeping the net open and transparent for new applications is

    the most important goal.”

  133. “The most we can do to protect maturing applications is

    to bias the tussle.”

  134. mic drop. Internet Philosopher

  135. Back to you and your widget.

  136. Now armed with some design principles • End-to-End design: implement

    complex functionality at high layers of your system. • Designing for choice: when multiple options about a tussle point are possible, allow users to select what’s best. • Modularity: when a choice has to be made about a tussle point, don’t bake the answer in to your system.

  137. Recommended Reading “The Design Philosophy of the DARPA Internet Protocols”,

    Clark, D. SIGCOMM 1988 “HTTP as the Narrow Waist of the Future Internet.” Lucian Popa, Ali Ghodsi, and Ion Stoica. HotNets 2010. “Is it still possible to extend TCP?” Michio Honda, Yoshifumi Nishida, Costin Raiciu, Adam Greenhalgh, Mark Handley, and Hideyuki Tokuda. Internet Measurement Conference, 2011. “The Evolution The Evolution of Layered Protocol Stacks Leads to an Hourglass-Shaped Architecture.” S. Akhshabi, C. Dovrolis. ACM SIGCOMM 2011.

  138. Are you giving your users choice, or adding constraints? Super

    Widget 2000 FEATURES!!! API API Other Service Other Service Me: @justinesherry / [email protected]