End-To-End Arguments in System Design
J.H. Saltzer, D.P. Reed, and D. Clark
Presented by: Amit Mondal
Outline
The Argument Examples
Careful File Transfer Secure Transmission of Data
Performance Identify the Ends
The Argument Define when it is applicable:
“The function in question can completely and correctly be implemented only with the knowledge and help of the application standing at the endpoints of the communication system…”
Regardless of what happens in the communication systems, correct operation can only be verified by endpoints.
The Argument Define the consequence:
“… Therefore, providing that questioned function as a feature of the communication system itself is not possible…”
If you can’t do it correctly and completely, don’t do it at all.
The Argument Define the exception:
“… (Sometimes an incomplete version of the function provided by the communication system may be useful as a performance enhancement.)”
It's not an absolute rule, there are special cases where the benefit outweighs the cost.
Careful File Transfer
Copy/Move file from HD on Computer A to HD on Computer B
2 4
531
Careful File Transfer
Steps of file transfer:1. File transfer application on host A
reads file
2. Applications asks comm system for transmission
3. Comm network transmits file from A to B
4. Comm system on host B reads packets and delivers them to file transfer application on host B
5. File transfer application on host B writes file
Careful File Transfer
Possible threats to an accurate transfer: Disk error Software error (OS, File transfer
program, Network driver) Hardware error Communication system System crash
Careful File Transfer Solution 1: Point-to-Point/Hop-by-Hop
Reinforce each step of process (error detection, timeout, retry, etc.)
Goal: Reduce probability of each threat to an acceptably small value
Could be inefficient, uneconomical Solution 2: End-to-End
Store file with a checksum, transfer file, read transferred file back from disk, compute checksum, send checksum to originator to compare the two checksums.
If check fails, redo from beginning
Careful File Transfer Solution 3: Both
Point-to-Point checks in communication system (such as link level, IP, and/or TCP)
End-to-End checks must still be performed, since only one of the threats is handled
Does not reduce the overall burden to the application, but may reduce the frequency of problems
Lesson: Application must supply the guarantee in
the end
Secure Transmission of Data
Goal, move data from one machine to another such that the data on the wire is secure (encrypted)
Secure Transmission of Data Let the communication system
encrypt on entry, decrypt on exit. Problems:
Communication system needs the key Data is in the clear when
entering/exiting Authenticity must still be checked by
application End-To-End argument wins here
Other Examples
Delivery Guarantees What conformation do we need?
Duplication suppression What if the application creates the
duplicate? In-order delivery
Do we need Hop-by-Hop ordering?
Performance Remember the exception in the
argument… What if communication system is very
unreliable, file transfer could keep retrying for ever because one packet got lost!
Providing more reliability at the lower layers is a trade off betweencost & engineering effort vs. reliability
Not a simple decision
Performance Even if it simple to implement at a lower
level and doesn’t cost much Subsystem may be common to many
applications, they all must pay Subsystem has less information, may not be
able to do the best job Decision could be complicated if some
of the packet-by-packet type checks can be emulated by application Send file in chunks, each chunk is checked
for correctness
Identifying the Ends Is very subtle … Consider voice over IP
Are the ends the computers? (voice mail) Could introduce long delays
Are the ends the people? (real time) Retry = “repeat that”
Conclusion
End-to-End argument is not an absolute, but a design tool
Comm systems are often specified before the applications
Designer may be tempted to “help” users by taking on more functions than necessary
Implications of End-to-End principles
Internet Assumptions Minimal support from the underlying
network Internet can run anything (Overlay,
P2P ...) Internet + E2E
Hosts are responsible for almost anything
Comparison Telephone Network
Intelligent switches, dumb hosts
Top Related