[E-Lang] remote comms: Timeouts and Connection Failure

zooko@zooko.com zooko@zooko.com
Sat, 21 Apr 2001 13:31:43 -0700 

 MarcS wrote:
>
> I would not quite say that keepalive stream depends on "correct" behavior.
> The keepalive stream will work fine in the presence of lots of kinds of
> incorrect behavior (trust me, I have lots of experience with this :-). The
> phrase "depends on correct behavior" implies a probability of failure of the
> keepalive stream far in excess of what my experience suggests.


I agree that your counterparty continuing to send fresh keepalives but never
sending the response is a rare failure, but it is a possible failure.  Failures
that occur rarely -- especially those that only occur under active attack --
are rather *more* worrying to me than those that occur often, because I am
sure that language designers and programmers will cooperate to handle the
latter kind.


The point I wish to emphasize is that if you are reasoning about the robustness
or security of your application, then when you do a locally-controlled
impatience policy, you can safely consider *only* whether the counterparty
delivers a response or not.  If you have *only* a keepalives impatience policy,
you must also consider whether the counterparty delivers the keepalives and
whether the counterparty delivers the response, resulting in twice as many
cases to analyze.

(The E comms abstraction apparently simplifies this to three cases by
guaranteeing that if the keepalives fail, then any response that arrives
afterwards will not be processed, assuming that you are using the "when
fulfilled" technique.  This has a cost -- throwing away a message which you
otherwise might have wanted, but it simplifies the analysis.  If you are
receiving your response via a different reference instead of via a return-value
then you have to consider all four cases.)


I am not arguing that this is such a big deal that it invalidates the use of
keepalive policies in all cases, only that we should examine this fact, be
aware of how it interacts with other issues, and use it either to colour our
value judgements about keepalives or to think of a new mechanism which achieves
"the best of both worlds".


Regards,

Zooko