[E-Lang] security, comms, ordering guarantees

Ralph Hartley hartley@aic.nrl.navy.mil
Mon, 23 Apr 2001 15:12:23 -0400


shap@cs.jhu.edu wrote:

>Ralph Hartley wrote:
>
>>A channel is just like a connection, except that it can never be broken.
>>Once created, it continues to exist and function, until it is closed by
>>either the sender being destroyed and the last message sent being
>>received, or the receiver being destroyed (and it may continue longer,
>>its contract is vacuous once one of those things happens).
>>
>I haven't thought it through, but I believe that there is a resource
>exhaustion attack inherent in this design.  Either side needs to be able
>to forcibly close the channel in such a way as to say "and I intend to
>drop any remaining messages" in order to ensure reclamation.
>
When the receiver is destroyed (that is, when no one holds the RECEIVE 
capability), the channel has no remaining contract, and it can be 
garbage collected. An implementation might want to keep track and 
reclaim resources, but need not do so to be considered correct, and an 
open, but inactive, channel may not cost much. One might consider 
notifying the sender when the receiver closes it so she can drop pending 
messages, but that gives the sender information about the receiver she 
is not really entitled to, as would keepalives. The abstraction is of a 
one way channel. The POLA makes one way channels preferable as a primitive.

I don't see any reason to let the SENDER destroy a channel with pending 
messages. Presumably, she would not send messages if she was not 
willing to pay for delivery. Some protocols really do need 
irrevocability, that is, the sender cannot recall a message once sent. 
In the stock market example, the sender would like to cancel his buy 
order if the price goes down. If the seller is required to honor orders 
at the price current when the message was sent, the ability to cancel 
orders would let the buyer cheat. I would like to define a message to 
be "sent" at the moment when the sender loses the ability to stop 
delivery (but this definition would mess things up if the sender 
intended a different order).

Don't think of a channel as a connection. Think of it as a mail box, 
with numbered messages.

One of the advantages of email over the telephone (the prototype for 
connections) is reduced dependence on the state of the recipient. If I 
want to phone you I need to know you are home, awake, and your phone is 
working right now. I have to worry that I will interrupt your dinner. You 
can't answer the phone without telling me (or a potential burglar) that 
you are home. Connections are expensive to maintain; if I have only one 
phone line I might not be able to call you if I am expecting a call.

In short, you can play phone tag all day.

A mail box doesn't require any conditions on your state to hold at the 
particular time I want to send you a message. You don't have to tell me 
you are home. You can process my messages at your leisure. A mail box is 
also comparatively cheap: a query and a reply require just two 
transmissions, no keepalives, timeouts etc. If I need a response to my 
contract offer by 6 pm, I can tell you; I don't need to stay on hold on 
the phone listening to Muzak.

Ralph Hartley
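The channel-as-mailbox design discussed above, as an added toy model written for this archive page. It is not E-Lang or EROS code and none of the names (`SendCap`, `ReceiveCap`, `make_channel`) come from the thread; they are assumptions for illustration. The model splits the channel into a SEND and a RECEIVE capability, numbers messages in send order, offers the sender no cancel operation (irrevocability), lets the mailbox be reclaimed the moment the RECEIVE capability is dropped, and gives the sender the same answer whether or not the receiver still exists, so nothing about the receiver's state leaks back.

```python
"""Toy model of a one-way capability channel: a mailbox with numbered messages.
Illustrative code added to the page, not from the E-Lang project."""
import gc
import weakref
from collections import deque


class _Mailbox:
    """Channel state. Held strongly only by the ReceiveCap (assumed design)."""
    def __init__(self):
        self.queue = deque()        # (seq, payload) in send order
        self.sender_closed = False  # set when the sender gives up the channel


class ReceiveCap:
    """The RECEIVE capability: the only thing keeping the mailbox alive."""
    def __init__(self, box):
        self._box = box

    def receive(self):
        """Oldest pending (seq, payload), or None if nothing is waiting."""
        if self._box.queue:
            return self._box.queue.popleft()
        return None

    def pending(self):
        return len(self._box.queue)

    def finished(self):
        """Contract discharged: sender gone and every message it sent received."""
        return self._box.sender_closed and not self._box.queue


class SendCap:
    """The SEND capability. It holds the mailbox only weakly, so it can neither
    keep it alive nor observe whether the receiver still exists.
    There is deliberately no cancel(): once sent, a message is irrevocable."""
    def __init__(self, box):
        self._box = weakref.ref(box)
        self._next_seq = 0          # sender numbers its own messages

    def send(self, payload):
        seq = self._next_seq
        self._next_seq += 1
        box = self._box()
        if box is not None:
            box.queue.append((seq, payload))
        # If the receiver was destroyed the message is silently dropped: the
        # contract is vacuous, and the sender gets exactly the same answer.
        return seq

    def close(self):
        """Sender gives up the channel. Queued messages are NOT dropped."""
        box = self._box()
        if box is not None:
            box.sender_closed = True


def make_channel():
    box = _Mailbox()
    return SendCap(box), ReceiveCap(box)


def reclamation_demo():
    """Dropping the RECEIVE capability reclaims the mailbox; the sender cannot tell.
    Returns (first seq, second seq, mailbox_collected)."""
    send, recv = make_channel()
    first = send.send("hello")
    del recv                      # no one holds RECEIVE any more
    gc.collect()                  # CPython frees it on refcount; collect anyway
    second = send.send("anyone there?")
    return first, second, send._box() is None


def stock_market_example():
    """Buyer sends a numbered buy order quoting the current price. The price then
    drops, but there is no cancel, so the seller fills at the quoted price."""
    send, recv = make_channel()
    quoted = 10.0                 # constructed sample quote
    send.send({"order": "buy", "qty": 100, "price": quoted})
    # Market now moves to 8.0; the buyer would like to cancel, but cannot.
    fills = []
    msg = recv.receive()
    while msg is not None:
        seq, order = msg
        fills.append((seq, order["qty"], order["price"]))
        msg = recv.receive()
    return fills


def close_demo():
    """Sender closing does not drop pending messages; the channel is finished
    only after the last one is received. Returns (finished before, after)."""
    send, recv = make_channel()
    send.send("last words")
    send.close()
    before = recv.finished()
    recv.receive()
    return before, recv.finished()
```

The weak reference is what enforces the "no information about the receiver" rule in this model: `send()` returns a sequence number either way, and the only way to learn that the mailbox is gone is to poke at `SendCap`'s private state, which the demo does purely to show that reclamation happened.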