K. P. Birman (Cornell)
Network Working Group T. A. Joseph (Cornell)
Request for Comments: 992 November 1986
On Communication Support for Fault Tolerant Process Groups
K. P. Birman and T. A. Joseph
Dept. of Computer Science, Cornell University
Ithaca, N.Y. 14853
607-255-9199
This memo describes a collection of multicast communication primi-
tives integrated with a mechanism for handling process failure and
recovery. These primitives facilitate the implementation of fault-
tolerant process groups, which can be used to provide distributed
services in an environment subject to non-malicious crash failures.
Unlike other process group approaches, such as Cheriton's "host
groups" (RFC's 966, 988, [Cheriton]), our approach provides powerful
guarantees about the behavior of the communication subsystem when
process group membership is changing dynamically, for example due to
process or site failures, recoveries, or migration of a process from
one site to another. Our approach also addresses delivery ordering
issues that arise when multiple clients communicate with a process
group concurrently, or a single client transmits multiple multicast
messages to a group without pausing to wait until each is received.
Moreover, the cost of the approach is low. An implementation is be-
ing undertaken at Cornell as part of the ISIS project.
Here, we argue that the form of "best effort" reliability provided by
host groups may not address the requirements of those researchers who
are building fault tolerant software. Our basic premise is that re-
liable handling of failures, recoveries, and dynamic process migra-
tion are important aspects of programming in distributed environ-
ments, and that communication support that provides unpredictable
behavior in the presence of such events places an unacceptable burden
of complexity on higher level application software. This complexity
does not arise when using the fault-tolerant process group alterna-
tive.
This memo summarizes our approach and briefly contrasts it with other
process group approaches. For a detailed discussion, together with
figures that clarify the details of the approach, readers are re-
ferred to the papers cited below.
Distribution of this memo is unlimited.
Birman & Joseph [Page 1]
RFC 992 November 1986
This memo was adopted from a paper presented at the Asilomar workshop
on fault-tolerant distributed computing, March 1986, and summarizes
material from a technical report that was issued by Cornell Universi-
ty, Dept. of Computer Science, in August 1985, which will appear in
ACM Transactions on Computer Systems in February 1987 [Birman-b].
Copies of these paper, and other relevant papers, are available on
request from the author: Dept. of Computer Science, Cornell Universi-
ty, Ithaca, New York 14853. (birman@gvax.cs.cornell.edu). The ISIS
project also maintains a mailing list. To be added to this list,
contact M. Schmizzi (schiz@gvax.cs.cornell.edu).
This work was supported by the Defense Advanced Research Projects
Agency (DoD) under ARPA order 5378, Contract MDA903-85-C-0124, and by
the National Science Foundation under grant DCR-8412582. The views,
opinions and findings contained in this report are those of the au-
thors and should not be construed as an official Department of De-
fense position, policy, or decision.
At Cornell, we recently completed a prototype of the ISIS system,
which transforms abstract type specifications into fault-tolerant
distributed implementations, while insulating users from the mechan-
isms by which fault-tolerance is achieved. This version of ISIS, re-
ported in [Birman-a], supports transactional resilient objects as a
basic programming abstraction. Our current work undertakes to pro-
vide a much broader range of fault-tolerant programming mechanisms,
including fault-tolerant distributed bulletin boards [Birman-c] and
fault-tolerant remote procedure calls on process groups [Birman-b].
The approach to communication that we report here arose as part of
this new version of the ISIS system.
Unreliable communication primitives, such as the multicast group com-
munication primitives proposed in RFC's 966 and 988 and in [Cheri-
ton], leave some uncertainty in the delivery status of a message when
failures and other exceptional events occur during communication.
Instead, a form of "best effort" delivery is provided, but with the
possibility that some member of a group of processes did not receive
the message if the group membership was changing just as communica-
tion took place. When we tried to use this sort of primitive in our
original work on ISIS, which must behave reliably in the presence of
such events, we had to address this aspect at an application level.
The resulting software was complex, difficult to reason about, and
filled with obscure bugs, and we were eventually forced to abandon
the entire approach as infeasible.
A wide range of reliable communication primitives have been proposed
in the literature, and we became convinced that by using them, the
complexity of our software could be greatly reduced. These range
Birman & Joseph [Page 2]
RFC 992 November 1986
from reliable and atomic broadcast [Chang] [Cristian] [Schneider] to
Byzantine agreement [Strong]. For several reasons, however, the ex-
isting work does not solve the problem at hand. The most obvious is
that they do not provide a mechanism for sending a message to all the
members of a group when the membership is changing dynamically (the
"group addressing" problem). In addition, one can identify delivery
ordering issues and questions regarding the detection of communica-
tion failures that should be handled within the broadcast mechanism.
These motivate a careful reexamination of the entire reliable broad-
cast problem.
The multicast primitives we report here are designed to respect
several sorts of ordering constraints, and have cost and latency that
varies depending on the nature of the constraint required [Birman-b]
[Joseph-a] [Joseph-b]. Failure and recovery are integrated into the
communication subsystem by treating these events as a special sort of
multicast issued on behalf of a process that has failed or recovered.
The primitives are presented in the context of fault tolerant process
groups: groups of processes that cooperate to implement some distri-
buted algorithm or service, and which need to see consistent order-
ings of system events in order to achieve mutually consistent
behavior. Such groups are similar to the host groups of the V system
and the ones described in RFC's 966 and 988, but provide guarantees
of consistency in just the situations where a host group provides a
"best effort" delivery which may sometimes be erroneous.
It is helpful to think of our primitives as providing a logical or
"virtual" form of reliability: rather than addressing physical
delivery issues, they ensure that a client will never observe a sys-
tem state "inconsistent" with the assumption that reliable delivery
has occurred. Readers familiar with serializability theory may want
to think of this as a weaker analog: in serializability, one allows
interleaved executions of operations provided that the resulting sys-
tem state is consistent with the assumption that execution was
sequential. Similarly, reliable communication primitives permit de-
viations from the reliable delivery abstraction provided that the
resulting system state is indistinguishable from one in which reli-
able delivery actually did occur.
Using our primitives, the ISIS system achieved both high levels of
concurrency and suprisingly good performance. Equally important, its
structure was made suprisingly simple, making it feasible to reason
about the correctness of the algorithms that are needed to maintain
high availability even when failures, recoveries, or process migra-
tion occurs. More recently, we have applied the same approach to a
variety of other problems in distributed computing, and even designed
a consistent, fault tolerant, distributed bulletin board data struc-
ture (a generalized version of the blackboards used in artificial in-
telligence programs), with equally good results [Birman-c]. Thus, we
feel that the approach has been shown to work in a variety of set-
tings where unreliable primitives simply could not be used.
Birman & Joseph [Page 3]
RFC 992 November 1986
In the remainder of this memo we summarize the issues and alterna-
tives that the designer of a distributed system is presented with,
focusing on two styles of support for fault-tolerant computing: re-
mote procedure calls coupled with a transactional execution facility,
such as is used in the ARGUS system [Liskov], and the fault-tolerant
process group mechanism mentioned above. We argue that transactional
interactions are too restrictive to support the sort of mechanism
needed, and then show how our primitives can be used to provide such
a mechanism. We conclude by speculating on future directions in
which this work might be taken.
The difficulty of constructing fault-tolerant distributed software
can be traced to a number of interrelated issues. The list that fol-
lows is not exhaustive, but attempts to touch on the principal con-
siderations that must be addressed in any such system:
[1]Synchronization. Distributed systems offer the potential for
large amounts of concurrency, and it is usually desirable to
operate at as high a level of concurrency as possible. However,
when we move from a sequential execution environment to a con-
current one, it becomes necessary to synchronize actions that may
conflict in their access to shared data or entail communication
with overlapping sets of processes. Thus, a mechanism is needed
for ordering conflicting events. Additional problems that can
arise in this context include deadlock avoidance or detection,
livelock avoidance, etc.
[2]Failure detection. It is usually necessary for a fault-
tolerant application to have a consistent picture of which com-
ponents fail, and in what order. Timeout, the most common mechan-
ism for detecting failure, is unsatisfactory, because there are
many situations in which a healthy component can timeout with
respect to one component without this being detected by some
another. Failure detection under more rigorous requirements
requires an agreement protocol that is related to Byzantine agree-
ment [Strong] [Hadzilacos]. Regardless of how this problem is
solved, some sort of reliable failure detection mechanism will be
needed in any fault-tolerant distributed system.
[3] Consistency. When a group of processes cooperate in a distri-
buted system, it is necessary to ensure that the operational
processes have consistent views of the state of the group as a
whole. For example, if process p believes that some property A
holds, and on the basis of this interacts with process q, the
state of q should not contradict the fact that p believes A to be
true. This problem is closely related to notions of knowledge and
consistency in distributed systems [Halpern] [Lamport]. In our
context, A will often be the assertion that a multicast has been
received by q, or that q saw some sequence of events occur in the
Birman & Joseph [Page 4]
RFC 992 November 1986
same order as did p. Thus, it is necessary to be able to specify
the precise consistency constraints on a distributed software sys-
tem, and system support should be available to facilitate the
attainment of these constraints.
[4] Serializability. Many distributed systems are partitioned
into data manager processes, which implement shared variables, and
transaction manager processes, which issue requests to data
managers [Bernstein]. If transaction managers can execute con-
currently, it is desirable to ensure that transactions produce
serializable outcomes [Eswaren] [Papadimitrou]. Serializability
is increasingly viewed as an important property in "object-
oriented" distributed systems that package services as abstract
objects with which clients communicate by remote procedure calls
(RPC). On the other hand, there are systems for which serializa-
bility is either too strong a constraint, or simply inappropriate.
Thus, one needs a way to achieve serializability in applications
where it will be needed, without imposing system-wide restrictions
that would prevent the design of software subsystems for which
serializability is not needed.
Jointly, these problems render the design of fault-tolerant distri-
buted software daunting in the absence of adequate support. The
correctness of any proposed design and of its implementation become
serious, if not insurmountable, concerns. In Sec. 7, we will show
how the primitives of Sec. 6 provide simple ways to overcome all of
these issues.
If one rules out "unreliable" communication mechanisms, there are
basically two fault-tolerant alternatives that can be pursued.
The first approach is to provide mechanisms for transactional
interactions between processes that communicate using remote pro-
cedure calls [Birrell]. This has lead to work on nested transactions
(due to nested RPC's) [Moss], support for transactions at the
language level [Liskov], transactions within an operating systems
kernel [Spector] [Allchin] [Popek] [Lazowska], and transactional
access to higher-level replicated services, such as resilient objects
in ISIS or relations in database systems. The primitives in a tran-
sactional system provide mechanisms for distributing the request that
initiates the transaction, accessing data (which may be replicated),
performing concurrency control, and implementing commit or abort.
Additional mechanisms are normally needed for orphan termination,
deadlock detection, etc. The issue then arises of how these mechan-
isms should themselves be implemented.
Our work in ISIS leads us to believe that whereas transactions are
easily implemented on top of fault-tolerant process groups -- we have
done so -- the converse is much harder. Moreover, transactions
Birman & Joseph [Page 5]
RFC 992 November 1986
represent a relatively heavy-weight solution to the problems surveyed
in the previous section, and might impose an unacceptable overhead on
subsystems that need to run non-transactionally, for example because
a pair of concurrent processes needs to interact on a frequent basis.
(We are not saying that "transactional" mechanisms such as cobegins
and toplevel actions can't solve this problem, but just that they
yield a solution that is awkward and costly). This sort of reasoning
has lead us to focus on non-transactional interaction mechanisms, and
to treat transactions as a special class of mechanisms used when
processes that have been designed to employ a transactional protocol
interact.
The second approach involves the provision of a communication primi-
tive, such as atomic broadcast, which can be used as the framework on
which higher level algorithms are designed. Such a primitive seeks
to deliver messages reliably to some set of destinations, despite the
possibility that failures might occur during the execution of the
protocol. Above, we termed this the fault tolerant process group
approach, since it lends itself to the organization of cooperating
processes into groups, as described in the introduction. Process
groups are an extremely flexible abstraction, and have been employed
in the V Kernel [Cheriton] and in UNIX, and more recently in the ISIS
system. A proposal to provide Internet support for host groups was
raised in RFC's 966 and 988. However, the idea of adapting the pro-
cess group approach to work reliably in an environment subject to the
sorts of exception events and concurrency cited in the previous sec-
tion seems to be new.
As noted earlier, existing reliable communication protocols do not
address the requirements of fault-tolerant process groups. For exam-
ple, in [Schneider], an implementation of a reliable multicast primi-
tive is described. Such a primitive ensures that a designated mes-
sage will be transmitted from one site to all other operational sites
in a system; if a failure occurs but any site has received the mes-
sage, all will eventually do so. [Chang] and [Cristian] describe
implementations for atomic broadcast, which is a reliable broadcast
(sent to all sites in a system) with the additional property that
messages are delivered in the same order at all overlapping destina-
tions, and this order preserves the transmission order if messages
originate in a single site.
Atomic broadcast is a powerful abstraction, and essentially the same
behavior is provided by one of the multicast primitives we discuss in
the next section. However, it has several drawbacks which made us
hesitant to adopt it as the only primitive in the system. Most seri-
ous is the latency that is incurred in order to satisfy the delivery
ordering property. Without delving deeply into the implementations,
which are based on a token scheme in [Chang] and an acknowledgement
protocol in [Schneider], we observe that the delaying of certain mes-
sages is fundamental to the establishment of a unique global delivery
ordering; indeed, it is easy to prove on knowledge theoretic grounds
Birman & Joseph [Page 6]
RFC 992 November 1986
that this must always be the case. In [Chang] a primary goal is to
minimize the number of messages sent, and the protocol given performs
extremely well in this regard. However, a delay occurs while waiting
for tokens to arrive and the delivery latency that results may be
high. [Cristian] assumes that clocks are closely synchronized and
that message transit times are bounded by well-known constants, and
uses this to derive atomic broadcast protocols tolerant of increas-
ingly severe classes of failures. The protocols explicitly delay
delivery to achieve the desired global ordering on multicasts. For
reasons discussed below, this tends to result in high latency in typ-
ical local networking environments. An additional drawback of the
atomic broadcast protocols is that no mechanism is provided for
ensuring that all processes observe the same sequence of failures and
recoveries, or for ensuring that failures and recoveries are ordered
relative to ongoing multicasts. Since this problem arises in any
setting where one process monitors another, we felt it should be
addressed at the same level as the communication protocol. Finally,
one wants a group oriented multicast protocol, not a site oriented
broadcast, and this issue must be resolved too.
We now describe three multicast protocols - GBCAST, ABCAST, and
CBCAST - for transmitting a message reliably from a sender process to
some set of destination processes. Details of the protocols and
their correctness proofs can be found in [Birman-b]. The protocols
ensure "all or nothing" behavior: if any destination receives a mes-
sage, then unless it fails, all destinations will receive it. Group
addressing is discussed in Sec. 6.5.
The failure model that one adopts has a considerable impact on the
structure of the resulting system. We adopted the model of fail-stop
processors [Schneider]: when failures occur, a processor simply stops
(crashes), as do all the processes executing on it. We also assume
that individual processes can crash, and that this is detected when
it occurs by a monitoring mechanism present at each site. Further
assumptions are sometimes made about the availability of synchronized
realtime clocks. Here, we adopt the position that although reason-
ably accurate elapsed-time clocks may be available, closely synchron-
ized clocks probably will not be. For example, the 60Hz "line"
clocks commonly used on current workstations are only accurate to
16ms. On the other hand, 4-8ms inter-site message transit times are
common and 1-2ms are reported increasingly often. Thus, it is impos-
sible to synchronize clocks to better than 32-48ms, enough time for a
pair of sites to exchange between 4 and 50 messages. Even with
advancing technology, it seems safe to assume that clock skew will
remain "large" when compared to inter-site message transmission
speed. In particular, this argues against time-based protocols such
as the one used in [Cristian]
Birman & Joseph [Page 7]
RFC 992 November 1986
6.1 The GBCAST primitive
GBCAST (group multicast) is the most constrained, and costly, of
the three primitives. It is used to transmit information about
failures and recoveries to members of a process group. A recov-
ering member uses GBCAST to inform the operational ones that it
has become available. Additionally, when a member fails, the
system arranges for a GBCAST to be issued to group members on its
behalf, informing them of its failure. Arguments to GBCAST are a
message and a process group identifier, which is translated into
a set of destinations as described below (Sec. 6.5).
Our GBCAST protocol ensures that if any process receives a multi-
cast B before receiving a GBCAST G, then all overlapping destina-
tions will receive B before G <1> This is true regardless of the
type of multicast involved. Moreover, when a failure occurs, the
corresponding GBCAST message is delivered after any other multi-
casts from the failed process. Each member can therefore main-
tain a VIEW listing the membership of the process group, updating
it when a GBCAST is received. Although VIEW's are not updated
simultaneously in real time, all members observe the same
sequence of VIEW changes. Since, GBCAST's are ordered relative
to all other multicasts, all members receiving a given multicast
will have the same value of VIEW when they receive it.
Notice that GBCAST also provides a convenient way to change other
global properties of a group "atomically". In our work, we have
used GBCAST to dynamically change a ranking on the members of a
group, to request that group members establish checkpoints for
use if recovery is needed after all failure, and to implement
process migration. In each case, the ordering of GBCAST relative
to other events that makes it possible to perform the desired
action without running any additional protocol. Other uses for
GBCAST will no doubt emerge as our research continues.
Members of a process group can also use the value of VIEW to pick
a strategy for processing an incoming request, or to react to
failure or recovery without having to run any special protocol
first. Since the GBCAST ordering is the same everywhere, their
actions will all be consistent. Notice that when all the members
of a process group may have failed, GBCAST also provides an inex-
pensive way to determine the last site that failed: process group
members simply log each value of VIEW that becomes defined on
stable storage before using it; a simplified version of the algo-
rithm in [Skeen-a] can then be executed when recovering from
failure.
Birman & Joseph [Page 8]
RFC 992 November 1986
6.2 The ABCAST primitive
The GBCAST primitive is too costly to be used for general commun-
ication between process group members. This motivates the intro-
duction of weaker (less ordered) primitives, which might be used
in situations where a total order on multicast messages is not
necessary. Our second primitive, ABCAST (atomic multicast),
satisfies such a weaker constraint. Specifically, it is often
desired that if two multicasts are received in some order at a
common destination site, they be received in that order at all
other common destinations, even if this order was not predeter-
mined. For example, if a process group is being used to maintain
a replicated queue and ABCAST is used to transmit queue opera-
tions to all copies, the operations will be done in the same
order everywhere, hence the copies of the queue will remain mutu-
ally consistent. The primitive ABCAST(msg, label, dests) pro-
vides this behavior. Two ABCAST's having the same label are
delivered in the same order at all common destinations.
6.3 The CBCAST primitive
Our third primitive, CBCAST (causal multicast), is weakest in the
sense that it involves less distributed synchronization then
GBCAST or ABCAST. CBCAST(msg, dests) atomically delivers msg to
each operational dest. The CBCAST protocol ensures that if two
multicasts are potentially causally dependent on another, then
the former is delivered after the latter at all overlapping des-
tinations. A multicast B' is potentially causally dependent on a
multicast B if both multicasts originate from the same process,
and B' is sent after B, or if there exists a chain of message
transmissions and receptions or local events by which knowledge
could have been transferred from the process that issued B to the
process that issued B' [Lamport]. For causally independent mul-
ticasts, the delivery ordering is not constrained.
CBCAST is valuable in systems like ISIS, where concurrency con-
trol algorithms are used to synchronize concurrent computations.
In these systems, if two processes communicate concurrently with
the same process the messages are almost always independent ones
that can be processed in any order: otherwise, concurrency con-
trol would have caused one to pause until the other was finished.
On the other hand, order is clearly important within a causally
linked series of multicasts, and it is precisely this sort of
order that CBCAST respects.
6.4 Other multicast primitives
A weaker multicast primitive is reliable multicast, which pro-
vides all-or-nothing delivery, but no ordering properties. The
formulation of CBCAST in [Birman-b] actually includes a mechanism
for performing multicasts of this sort, hence no special
Birman & Joseph [Page 9]
RFC 992 November 1986
primitive is needed for the purpose. Additionally, there may be
situations in which ABCAST protocols that also satisfy a CBCAST
ordering property would be valuable. Our ABCAST primitive could
be changed to respect such a rule, and we made use of a multicast
primitive that is simultaneously causal and atomic in our work on
consistent shared bulletin boards ([Birman-c]). For simplicity,
the presentation here assumes that ABCAST is completely orthogo-
nal to CBCAST, but a simple way to build an efficient "causal
atomic" multicast is described in our full-length paper. The
cost of this protocol is only slightly higher than that of
ABCAST.
6.5 Group addressing protocol
Since group membership can change dynamically, it may be diffi-
cult for a process to compute a list of destinations to which a
message should be sent, for example, as is needed to perform a
GBCAST. In [Birman-b] we report on a protocol for ensuring that
a given multicast will be delivered to all members of a process
group in the same view. This view is either the view that was
operative when the message transmission was initiated, or a view
that was defined subsequently. The algorithm is a simple itera-
tive one that costs nothing unless the group membership changes,
and permits the caching of possibly inaccurate membership infor-
mation near processes that might want to communicate with a
group. Using the protocol, a flexible message addressing scheme
can readily be supported.
Iterative addressing is only required when the process transmit-
ting a message has an inaccurate copy of the process group view.
In the implementation we are now building, this would rarely be
the case, and iteration is never needed if the view is known to
be accurate. Thus, iterated delivery should be very infrequent.
6.6 Synchronous versus asynchronous multicast abstractions
Many systems employ RPC internally, as a lowest level primitive
for interaction between processes. It should be evident that all
of our multicast primitives can be used to implement replicated
remote procedure calls [Cooper]: the caller would simply pause
until replies have been received from all the participants
(observation of a failure constitutes a reply in this case). We
term such a use of the primitives synchronous, to distinguish it
from from an asynchronous multicast in which no replies, or just
one reply, suffices.
In our work on ISIS, GBCAST and ABCAST are normally invoked syn-
chronously, to implement a remote procedure call by one member of
an object on all the members of its process group. However,
CBCAST, which is the most frequently used overall, is almost
never invoked synchronously. Asynchronous CBCAST's are the
Birman & Joseph [Page 10]
RFC 992 November 1986
primary source of concurrency in ISIS: although the delivery ord-
ering is assured, transmission can be delayed to enable a message
to be piggybacked on another, or to schedule IO within the system
as a whole. While the system cannot defer an asynchronous multi-
cast indefinitely, the ability to defer it a little, without
delaying some computation by doing so, permits load to be
smoothed. Since CBCAST respects the delivery orderings on which
a computation might depend, and is ordered with respect to
failures, the concurrency introduced does not complicate higher
level algorithms. Moreover, the protocol itself is extremely
cheap.
A problem is introduced by our decision to allow asynchronous
multicasts: the atomic reception property must now be extended to
address causally related sequences of asynchronous messages. If
a failure were to result in some multicasts being delivered to
all their destinations but others that precede them not being
delivered anywhere, inconsistency might result even if the desti-
nations do not overlap. We therefore extend the atomicity pro-
perty as follows. If process t receives a message m from process
s, and s subsequently fails, then unless t fails as well, all
messages m' that s received prior to its failure must be
delivered to their remaining operational destinations. This is
because the state of t may now depend on the contents of any such
m', hence the system state could become inconsistent if the
delivery of m' were not completed. The costs of the protocols
are not affected by this change.
A second problem arises when the user-level implications of this
atomicity rule are considered. In the event of a failure, any
suffix of a sequence of aysnchronous multicasts could be lost and
the system state would still be internally consistent. A process
that is about to take some action that may leave an externally
visible side-effect will need a way to pause until it is
guaranteed that such multicasts have actually been delivered.
For this purpose, a flush primitive is provided. Occasional
calls to flush do not eliminate the benefit of using CBCAST asyn-
chronously. Unless the system has built up a considerable back-
log of undelivered multicast messages, which should be rare,
flush will only pause while transmission of the last few multi-
casts complete.
The reliable communication primitives described above lead to simple
solutions for the problems cited in Sec. 4:
[1] Synchronization. Many synchronization problems are subsumed
into the primitives themselves. For example, consider the use of
GBCAST to implement recovery. A recovering process would issue a
GBCAST to the process group members, requesting that state
Birman & Joseph [Page 11]
RFC 992 November 1986
information be transferred to it. In addition to sending the
current state of the group to the recovering process, group
members update the process group view at this time. Subsequent
messages to the group will be delivered to the recovered process,
with all necessary synchronization being provided by the ordering
properties of GBCAST. In situations where other forms of syn-
chronization are needed, ABCAST provides a simple way to ensure
that several processes take actions in the same order, and this
form of low-level synchronization simplifies a number of higher-
level synchronization problems. For example, if ABCAST is used
to do P() and V() operations on a distributed semaphore, the
order of operations on the semaphore is set by the ABCAST, hence
all the managers of the semaphore see these operations in a fixed
order.
[2] Failure detection. Consistent failure (and recovery) detec-
tion are trivial using our primitives: a process simply waits for
the appropriate process group view to change. This facilitates
the implementation of algorithms in which one processes monitors
the status of another process. A process that acts on the basis
of a process group view change does so with the assurance that
other group members will (eventually) observe the same event and
will take consistent actions.
[3] Consistency. We believe that consistency is generally
expressible as a set of atomicity and ordering constraints on
message delivery, particularly causal ones of the sort provided
by CBCAST. Our primitives permit a process to specify the com-
munication properties needed to achieve a desired form of con-
sistency. Continued research will be needed to understand pre-
cisely how to pick the weakest primitive in a designated situa-
tion.
[4] Serializability. To achieve serializability, one implements
a concurrency control algorithm and then forces computations to
respect the serialization order that this algorithm choses. The
ABCAST primitive, as observed above, is a powerful tool for
establishing an order between concurrent events, e.g. by lock
acquisition. Having established such an order, CBCAST can be
used to distribute information about the computation and also its
termination (commit or abort). Any process that observes the
commit or abort of a computation will only be able to interact
with data managers that have received messages preceding the com-
mit or abort, hence a highly asynchronous transactional execution
results. If a process running a computation fails, this is
detected when a failure GBCAST is received instead of the commit.
Thus, executions are simple and quite deterministic.
If commit is conditional, CBCAST would be used to first interro-
gate participants to learn if they are prepared to commit, and
then to transmit the commit or abort decision (the usual two-
Birman & Joseph [Page 12]
RFC 992 November 1986
phase commit). On the other hand, conditional commits can often
be avoided using our approach. A method for building transac-
tions that will roll-forward after failure after failure is dis-
cussed in more detail in [Birman-a] [Joseph-a] [Joseph-b]. Other
forms of concurrency control, such as timestamp generation, can
similarly be implemented using ABCAST and CBCAST. We view tran-
sactional data storage as an application-level concern, which can
be handled using a version stack approach or a multi-version
store, or any other appropriate mechanism.
The communication primitives can be built in layers, starting with a
bare network providing unreliable Internet datagrams. The software
structure is, however, less mature and more complex than the one sug-
gested in RFC's 966 and 988. For example, at this stage of our
research we do not understand how to optimize our protocols to the
same extent as for the unreliable host multicast approach described
in those RFC's. Thus, the implementation we describe here should be
understood to be a prototype. A particularly intriguing question,
which we are investigating actively, concerns the use of a "best
effort" ethernet or Internet multicast as a tool to optimize the
implementation of our protocols.
Our basic approach is to view large area networks as a set of clus-
ters of sites interconnected by high speed LAN devices and intercon-
nected by slower long-haul links. We first provide protocols for use
within clusters, and then extend them to run between clusters too.
Network partitioning can be tolerated at all levels of the hierarchy
in the sense that no incorrect actions can result after network par-
titioning, although our approach will sometimes block until the par-
tition is repaired. Our protocols also tend to block within a clus-
ter while the list of operational sites for that cluster is being
changed. In normal LAN's, this happens infrequently (during site
failure or recovery), and would not pose a problem. (In failure
intensive applications, alternative protocols might be needed to
address this issue).
The lowest level of our software uses a site-to-site acknowledgement
protocol to convert the unreliable packet transport this into a
sequenced, error-free message abstraction, using timeouts to detect
apparent failures. TCP can also be used for this purpose, provided
that a "filter" is placed on the incoming message stream and certain
types of messages are handled specially. An agreement protocol is
then used to order the site-failures and recoveries consistently. If
timeouts cause a failure to be detected erroneously, the protocol
forces the affected site to undergo recovery.
Built on this is a layer that supports the primitives themselves.
CBCAST has a very light-weight implementation, based on the idea of
flooding the system with copies of a message: Each process buffers
Birman & Joseph [Page 13]
RFC 992 November 1986
copies of any messages needed to ensure the consistency of its view
of the system. If message m is delivered to process p, and m is
potentially causally dependent on a message m prime, then a copy of m
prime is sent to p as well (duplicates are discarded). A garbage
collector deletes superfluous copies after a message has reached all
its destinations. By using extensive piggybacking and a simple
scheduling algorithm to control message transmission, the cost of a
CBCAST is kept low -- often, less than one packet per destination.
ABCAST employs a two-phase protocol based on one suggested to us by
Skeen [Skeen-b]. This protocol has higher latency than CBCAST
because delivery can only occur during the second phase; ABCAST is
thus inherently synchronous. In ISIS, however, ABCAST is used
rarely; we believe that this would be the case in other systems as
well. GBCAST is implemented using a two-phase protocol similar to
the one for ABCAST, but with an additional mechanism that flushes
messages from a failed process before delivering the GBCAST announc-
ing the failure. Although GBCAST is slower than ABCAST or CBCAST, it
is used rarely enough so that performance is probably less of an
issue here -- and in any case, even GBCAST could be tuned to give
very high throughput. Preliminary performance figures appear in
[Birman-b].
Although satisfactory performance should be possible using an imple-
mentation that sits on top of a conventional Internet mechanism, it
should be noted that to achieve really high rates of communication
the layers of software described above must reside in the kernel,
because they run on behalf of large numbers of clients, run fre-
quently, and tend to execute for very brief periods before doing I/O
and pausing. A non-kernel implementation will thus incur high
scheduling and context switching overhead. Additionally, it is not
at all clear how to use ethernet style broadcast mechanisms to optim-
ize the performance of this sort of protocol, although it should be
possible. We view this as an interesting area for research.
A forthcoming paper will describe higher level software that we are
building on top of the basic fault-tolerant process group mechanism
described above.
The experience of implementing a substantial fault-tolerant system
left us with insights into the properties to be desired from a com-
munication subsystem. In particular, we became convinced that to
build a reliable distributed system, one must start with a reliable
communication subsystem. The multicast primitives described in this
memo present a simple interface, achieve a high level of concurrency,
can be used in both local and wide area networks, and are applicable
to software ranging from distributed database systems to the fault-
tolerant objects and bulletin boards provided by ISIS. Because they
are integrated with failure handling mechanisms and respect desired
event orderings, they introduce a desirable form of determinism into
Birman & Joseph [Page 14]
RFC 992 November 1986
distributed computation without compromising efficiency. A conse-
quence is that high-level algorithms are greatly simplified, reducing
the probability of error. We believe that this is a very promising
and practical approach to building large fault-tolerant distributed
systems, and it is the only one we know of that leads to a rigorous
form of confidence in the resulting software.
NOTES:
<1> A problem arises if a process p fails without receiving some mes-
sage after that message has already been delivered to some other pro-
cess q: q's VIEW when it received the message would show p to be
operational; hence, q will assume that p received the message,
although p is physically incapable of doing so. However, the state
of the system is now equivalent to one in which p did receive the
message, but failed before acting on it. In effect, there exists an
interpretation of the actual system state that is consistent with q's
assumption. Thus, GBCAST satisfies the sort of logical delivery pro-
perty cited in the introduction.
Birman & Joseph [Page 15]
RFC 992 November 1986
[RFC966] Deering, S. and Cheriton, D. Host groups: A multicast exten-
sion to the internet protocol. Stanford University, December
1985.
[RFC988] Deering, S. Host extensions for IP multicasting. Stanford
University, July 1986.
[Allchin] Allchin, J., McKendry, M. Synchronization and recovery of
actions. Proc. 2nd ACM SIGACT/SIGOPS Principles of Distributed
Computing, Montreal, Canada, 1983.
[Babaoglu] Babaoglu, O., Drummond, R. The streets of Byzantium: Network
architectures for fast reliable multicast. IEEE Trans. on
Software Engineering TSE-11, 6 (June 1985).
[Bernstein] Bernstein, P., Goodman, N. Concurrency control algorithms
for replicated database systems. ACM Computing Surveys 13, 2
(June 1981), 185-222.
[Birman-a] Birman, K. Replication and fault-tolerance in the ISIS sys-
tem. Proc. 10th ACM SIGOPS Symposium on Operating Systems Princi-
ples. Orcas Island, Washington, Dec. 1985, 79-86.
[Birman-b] Birman, K., Joseph, T. Reliable communication in the pres-
ence of failures. Dept. of Computer Science, Cornell Univ., TR
85-694, Aug. 1985. To appear in ACM TOCS (Feb. 1987).
[Birman-c] Birman, K., Joseph, T., Stephenson, P. Programming with
fault tolerant bulletin boards in asynchronous distributed sys-
tems. Dept. of Computer Science, Cornell Univ., TR 85-788, Aug.
1986.
[Birrell] Birrell, A., Nelson, B. Implementing remote procedure calls.
ACM Transactions on Computer Systems 2, 1 (Feb. 1984), 39-59.
[Chang] Chang, J., Maxemchuck, M. Reliable multicast protocols. ACM
TOCS 2, 3 (Aug. 1984), 251-273.
[Cheriton] Cheriton, D. The V Kernel: A software base for distributed
systems. IEEE Software 1 12, (1984), 19-43.
[Cooper] Cooper, E. Replicated procedure call. Proc. 3rd ACM Symposium
on Principles of Distributed Computing., August 1984, 220-232.
(May 1985).
[Cristian] Cristian, F. et al Atomic multicast: From simple diffusion to
Byzantine agreement. IBM Technical Report RJ 4540 (48668), Oct.
1984.
Birman & Joseph [Page 16]
RFC 992 November 1986
[Eswaren] Eswaren, K.P., et al The notion of consistency and predicate
locks in a database system. Comm. ACM 19, 11 (Nov. 1976), 624-
633.
[Hadzilacos] Hadzilacos, V. Byzantine agreement under restricted types
of failures (not telling the truth is different from telling of
lies). Tech. ARep. TR-19-83, Aiken Comp. Lab., Harvard University
(June 1983).
[Halpern] Halpern, J., and Moses, Y. Knowledge and common knowledge in
a distributed environment. Tech. Report RJ-4421, IBM San Jose
Research Laboratory, 1984.
[Joseph-a] Joseph, T. Low cost management of replicated data. Ph.D.
dissertation, Dept. of Computer Science, Cornell Univ., Ithaca
(Dec. 1985).
[Joseph-b] Joseph, T., Birman, K. Low cost management of replicated
data in fault-tolerant distributed systems. ACM TOCS 4, 1 (Feb
1986), 54-70.
[Lamport] Lamport, L. Time, clocks, and the ordering of events in a
distributed system. CACM 21, 7, July 1978, 558-565.
[Lazowska] Lazowska, E. et al The architecture of the EDEN system.
Proc. 8th Symposium on Operating Systems Principles, Dec. 1981,
148-159.
[Liskov] Liskov, B., Scheifler, R. Guardians and actions: Linguistic
support for robust, distributed programs. ACM TOPLAS 5, 3 (July
1983), 381-404.
[Moss] Moss, E. Nested transactions: An approach to reliable, distri-
buted computing. Ph.D. thesis, MIT Dept of EECS, TR 260, April
1981.
[Papadimitrou] Papadimitrou, C. The serializability of concurrent data-
base updates. JACM 26, 4 (Oct. 1979), 631-653.
[Popek] Popek, G. et al. Locus: A network transparent, high reliability
distributed system. Proc. 8th Symposium on Operating Systems
Principles, Dec. 1981, 169-177.
[Schlicting] Schlicting, R, Schneider, F. Fail-stop processors: An
approach to designing fault-tolerant distributed computing sys-
tems. ACM TOCS 1, 3, August 1983, 222-238.
[Schneider] Schneider, F., Gries, D., Schlicting, R. Reliable multicast
protocols. Science of computer programming 3, 2 (March 1984).
[Skeen-a] Skeen, D. Determining the last process to fail. ACM TOCS 3,
Birman & Joseph [Page 17]
RFC 992 November 1986
1, Feb. 1985, 15-30.
[Skeen-b] Skeen, D. A reliable multicast protocol. Unpublished.
[Spector] Spector, A., et al Distributed transactions for reliable sys-
tems. Proc. 10th ACM SIGOPS Symposium on Operating Systems Prin-
ciples, Dec. 1985, 127-146.
[Strong] Strong, H.R., Dolev, D. Byzantine agreement. Digest of papers,
Spring Compcon 83, San Francisco, CA, March 1983, 77-81.
Birman & Joseph [Page 18]