This memo describes a collection of multicast communication primi- tives integrated with a mechanism for handling process failure and recovery. These primitives facilitate the implementation of fault- tolerant process groups, which can be used to provide distributed services in an environment subject to non-malicious crash failures. Unlike other process group approaches, such as Cheriton's "host groups" (RFC's 966, 988, [Cheriton]), our approach provides powerful guarantees about the behavior of the communication subsystem when process group membership is changing dynamically, for example due to process or site failures, recoveries, or migration of a process from one site to another. Our approach also addresses delivery ordering issues that arise when multiple clients communicate with a process group concurrently, or a single client transmits multiple multicast messages to a group without pausing to wait until each is received. Moreover, the cost of the approach is low. An implementation is be- ing undertaken at Cornell as part of the ISIS project.
Here, we argue that the form of "best effort" reliability provided by host groups may not address the requirements of those researchers who are building fault tolerant software. Our basic premise is that re- liable handling of failures, recoveries, and dynamic process migra- tion are important aspects of programming in distributed environ- ments, and that communication support that provides unpredictable behavior in the presence of such events places an unacceptable burden of complexity on higher level application software. This complexity does not arise when using the fault-tolerant process group alterna- tive.
This memo summarizes our approach and briefly contrasts it with other process group approaches. For a detailed discussion, together with figures that clarify the details of the approach, readers are re- ferred to the papers cited below.
This memo was adopted from a paper presented at the Asilomar workshop on fault-tolerant distributed computing, March 1986, and summarizes material from a technical report that was issued by Cornell Universi- ty, Dept. of Computer Science, in August 1985, which will appear in ACM Transactions on Computer Systems in February 1987 [Birman-b]. Copies of these paper, and other relevant papers, are available on request from the author: Dept. of Computer Science, Cornell Universi- ty, Ithaca, New York 14853. (firstname.lastname@example.org). The ISIS project also maintains a mailing list. To be added to this list, contact M. Schmizzi (email@example.com).
This work was supported by the Defense Advanced Research Projects Agency (DoD) under ARPA order 5378, Contract MDA903-85-C-0124, and by the National Science Foundation under grant DCR-8412582. The views, opinions and findings contained in this report are those of the au- thors and should not be construed as an official Department of De- fense position, policy, or decision.
At Cornell, we recently completed a prototype of the ISIS system, which transforms abstract type specifications into fault-tolerant distributed implementations, while insulating users from the mechan- isms by which fault-tolerance is achieved. This version of ISIS, re- ported in [Birman-a], supports transactional resilient objects as a basic programming abstraction. Our current work undertakes to pro- vide a much broader range of fault-tolerant programming mechanisms, including fault-tolerant distributed bulletin boards [Birman-c] and fault-tolerant remote procedure calls on process groups [Birman-b]. The approach to communication that we report here arose as part of this new version of the ISIS system.
Unreliable communication primitives, such as the multicast group com- munication primitives proposed in RFC's 966 and 988 and in [Cheri- ton], leave some uncertainty in the delivery status of a message when failures and other exceptional events occur during communication. Instead, a form of "best effort" delivery is provided, but with the possibility that some member of a group of processes did not receive the message if the group membership was changing just as communica- tion took place. When we tried to use this sort of primitive in our original work on ISIS, which must behave reliably in the presence of such events, we had to address this aspect at an application level. The resulting software was complex, difficult to reason about, and filled with obscure bugs, and we were eventually forced to abandon the entire approach as infeasible.
A wide range of reliable communication primitives have been proposed in the literature, and we became convinced that by using them, the complexity of our software could be greatly reduced. These range
Birman & Joseph [Page 2]
RFC 992 November 1986
from reliable and atomic broadcast [Chang] [Cristian] [Schneider] to Byzantine agreement [Strong]. For several reasons, however, the ex- isting work does not solve the problem at hand. The most obvious is that they do not provide a mechanism for sending a message to all the members of a group when the membership is changing dynamically (the "group addressing" problem). In addition, one can identify delivery ordering issues and questions regarding the detection of communica- tion failures that should be handled within the broadcast mechanism. These motivate a careful reexamination of the entire reliable broad- cast problem.
The multicast primitives we report here are designed to respect several sorts of ordering constraints, and have cost and latency that varies depending on the nature of the constraint required [Birman-b] [Joseph-a] [Joseph-b]. Failure and recovery are integrated into the communication subsystem by treating these events as a special sort of multicast issued on behalf of a process that has failed or recovered. The primitives are presented in the context of fault tolerant process groups: groups of processes that cooperate to implement some distri- buted algorithm or service, and which need to see consistent order- ings of system events in order to achieve mutually consistent behavior. Such groups are similar to the host groups of the V system and the ones described in RFC's 966 and 988, but provide guarantees of consistency in just the situations where a host group provides a "best effort" delivery which may sometimes be erroneous.
It is helpful to think of our primitives as providing a logical or "virtual" form of reliability: rather than addressing physical delivery issues, they ensure that a client will never observe a sys- tem state "inconsistent" with the assumption that reliable delivery has occurred. Readers familiar with serializability theory may want to think of this as a weaker analog: in serializability, one allows interleaved executions of operations provided that the resulting sys- tem state is consistent with the assumption that execution was sequential. Similarly, reliable communication primitives permit de- viations from the reliable delivery abstraction provided that the resulting system state is indistinguishable from one in which reli- able delivery actually did occur.
Using our primitives, the ISIS system achieved both high levels of concurrency and suprisingly good performance. Equally important, its structure was made suprisingly simple, making it feasible to reason about the correctness of the algorithms that are needed to maintain high availability even when failures, recoveries, or process migra- tion occurs. More recently, we have applied the same approach to a variety of other problems in distributed computing, and even designed a consistent, fault tolerant, distributed bulletin board data struc- ture (a generalized version of the blackboards used in artificial in- telligence programs), with equally good results [Birman-c]. Thus, we feel that the approach has been shown to work in a variety of set- tings where unreliable primitives simply could not be used.
Birman & Joseph [Page 3]
RFC 992 November 1986
In the remainder of this memo we summarize the issues and alterna- tives that the designer of a distributed system is presented with, focusing on two styles of support for fault-tolerant computing: re- mote procedure calls coupled with a transactional execution facility, such as is used in the ARGUS system [Liskov], and the fault-tolerant process group mechanism mentioned above. We argue that transactional interactions are too restrictive to support the sort of mechanism needed, and then show how our primitives can be used to provide such a mechanism. We conclude by speculating on future directions in which this work might be taken.
The difficulty of constructing fault-tolerant distributed software can be traced to a number of interrelated issues. The list that fol- lows is not exhaustive, but attempts to touch on the principal con- siderations that must be addressed in any such system:
Synchronization. Distributed systems offer the potential for large amounts of concurrency, and it is usually desirable to operate at as high a level of concurrency as possible. However, when we move from a sequential execution environment to a con- current one, it becomes necessary to synchronize actions that may conflict in their access to shared data or entail communication with overlapping sets of processes. Thus, a mechanism is needed for ordering conflicting events. Additional problems that can arise in this context include deadlock avoidance or detection, livelock avoidance, etc.
Failure detection. It is usually necessary for a fault- tolerant application to have a consistent picture of which com- ponents fail, and in what order. Timeout, the most common mechan- ism for detecting failure, is unsatisfactory, because there are many situations in which a healthy component can timeout with respect to one component without this being detected by some another. Failure detection under more rigorous requirements requires an agreement protocol that is related to Byzantine agree- ment [Strong] [Hadzilacos]. Regardless of how this problem is solved, some sort of reliable failure detection mechanism will be needed in any fault-tolerant distributed system.
 Consistency. When a group of processes cooperate in a distri- buted system, it is necessary to ensure that the operational processes have consistent views of the state of the group as a whole. For example, if process p believes that some property A holds, and on the basis of this interacts with process q, the state of q should not contradict the fact that p believes A to be true. This problem is closely related to notions of knowledge and consistency in distributed systems [Halpern] [Lamport]. In our context, A will often be the assertion that a multicast has been received by q, or that q saw some sequence of events occur in the
Birman & Joseph [Page 4]
RFC 992 November 1986
same order as did p. Thus, it is necessary to be able to specify the precise consistency constraints on a distributed software sys- tem, and system support should be available to facilitate the attainment of these constraints.
 Serializability. Many distributed systems are partitioned into data manager processes, which implement shared variables, and transaction manager processes, which issue requests to data managers [Bernstein]. If transaction managers can execute con- currently, it is desirable to ensure that transactions produce serializable outcomes [Eswaren] [Papadimitrou]. Serializability is increasingly viewed as an important property in "object- oriented" distributed systems that package services as abstract objects with which clients communicate by remote procedure calls (RPC). On the other hand, there are systems for which serializa- bility is either too strong a constraint, or simply inappropriate. Thus, one needs a way to achieve serializability in applications where it will be needed, without imposing system-wide restrictions that would prevent the design of software subsystems for which serializability is not needed.
Jointly, these problems render the design of fault-tolerant distri- buted software daunting in the absence of adequate support. The correctness of any proposed design and of its implementation become serious, if not insurmountable, concerns. In Sec. 7, we will show how the primitives of Sec. 6 provide simple ways to overcome all of these issues.
If one rules out "unreliable" communication mechanisms, there are basically two fault-tolerant alternatives that can be pursued.
The first approach is to provide mechanisms for transactional interactions between processes that communicate using remote pro- cedure calls [Birrell]. This has lead to work on nested transactions (due to nested RPC's) [Moss], support for transactions at the language level [Liskov], transactions within an operating systems kernel [Spector] [Allchin] [Popek] [Lazowska], and transactional access to higher-level replicated services, such as resilient objects in ISIS or relations in database systems. The primitives in a tran- sactional system provide mechanisms for distributing the request that initiates the transaction, accessing data (which may be replicated), performing concurrency control, and implementing commit or abort. Additional mechanisms are normally needed for orphan termination, deadlock detection, etc. The issue then arises of how these mechan- isms should themselves be implemented.
Our work in ISIS leads us to believe that whereas transactions are easily implemented on top of fault-tolerant process groups -- we have done so -- the converse is much harder. Moreover, transactions
Birman & Joseph [Page 5]
RFC 992 November 1986
represent a relatively heavy-weight solution to the problems surveyed in the previous section, and might impose an unacceptable overhead on subsystems that need to run non-transactionally, for example because a pair of concurrent processes needs to interact on a frequent basis. (We are not saying that "transactional" mechanisms such as cobegins and toplevel actions can't solve this problem, but just that they yield a solution that is awkward and costly). This sort of reasoning has lead us to focus on non-transactional interaction mechanisms, and to treat transactions as a special class of mechanisms used when processes that have been designed to employ a transactional protocol interact.
The second approach involves the provision of a communication primi- tive, such as atomic broadcast, which can be used as the framework on which higher level algorithms are designed. Such a primitive seeks to deliver messages reliably to some set of destinations, despite the possibility that failures might occur during the execution of the protocol. Above, we termed this the fault tolerant process group approach, since it lends itself to the organization of cooperating processes into groups, as described in the introduction. Process groups are an extremely flexible abstraction, and have been employed in the V Kernel [Cheriton] and in UNIX, and more recently in the ISIS system. A proposal to provide Internet support for host groups was raised in RFC's 966 and 988. However, the idea of adapting the pro- cess group approach to work reliably in an environment subject to the sorts of exception events and concurrency cited in the previous sec- tion seems to be new.
As noted earlier, existing reliable communication protocols do not address the requirements of fault-tolerant process groups. For exam- ple, in [Schneider], an implementation of a reliable multicast primi- tive is described. Such a primitive ensures that a designated mes- sage will be transmitted from one site to all other operational sites in a system; if a failure occurs but any site has received the mes- sage, all will eventually do so. [Chang] and [Cristian] describe implementations for atomic broadcast, which is a reliable broadcast (sent to all sites in a system) with the additional property that messages are delivered in the same order at all overlapping destina- tions, and this order preserves the transmission order if messages originate in a single site.
Atomic broadcast is a powerful abstraction, and essentially the same behavior is provided by one of the multicast primitives we discuss in the next section. However, it has several drawbacks which made us hesitant to adopt it as the only primitive in the system. Most seri- ous is the latency that is incurred in order to satisfy the delivery ordering property. Without delving deeply into the implementations, which are based on a token scheme in [Chang] and an acknowledgement protocol in [Schneider], we observe that the delaying of certain mes- sages is fundamental to the establishment of a unique global delivery ordering; indeed, it is easy to prove on knowledge theoretic grounds
Birman & Joseph [Page 6]
RFC 992 November 1986
that this must always be the case. In [Chang] a primary goal is to minimize the number of messages sent, and the protocol given performs extremely well in this regard. However, a delay occurs while waiting for tokens to arrive and the delivery latency that results may be high. [Cristian] assumes that clocks are closely synchronized and that message transit times are bounded by well-known constants, and uses this to derive atomic broadcast protocols tolerant of increas- ingly severe classes of failures. The protocols explicitly delay delivery to achieve the desired global ordering on multicasts. For reasons discussed below, this tends to result in high latency in typ- ical local networking environments. An additional drawback of the atomic broadcast protocols is that no mechanism is provided for ensuring that all processes observe the same sequence of failures and recoveries, or for ensuring that failures and recoveries are ordered relative to ongoing multicasts. Since this problem arises in any setting where one process monitors another, we felt it should be addressed at the same level as the communication protocol. Finally, one wants a group oriented multicast protocol, not a site oriented broadcast, and this issue must be resolved too.
We now describe three multicast protocols - GBCAST, ABCAST, and CBCAST - for transmitting a message reliably from a sender process to some set of destination processes. Details of the protocols and their correctness proofs can be found in [Birman-b]. The protocols ensure "all or nothing" behavior: if any destination receives a mes- sage, then unless it fails, all destinations will receive it. Group addressing is discussed in Sec. 6.5.
The failure model that one adopts has a considerable impact on the structure of the resulting system. We adopted the model of fail-stop processors [Schneider]: when failures occur, a processor simply stops (crashes), as do all the processes executing on it. We also assume that individual processes can crash, and that this is detected when it occurs by a monitoring mechanism present at each site. Further assumptions are sometimes made about the availability of synchronized realtime clocks. Here, we adopt the position that although reason- ably accurate elapsed-time clocks may be available, closely synchron- ized clocks probably will not be. For example, the 60Hz "line" clocks commonly used on current workstations are only accurate to 16ms. On the other hand, 4-8ms inter-site message transit times are common and 1-2ms are reported increasingly often. Thus, it is impos- sible to synchronize clocks to better than 32-48ms, enough time for a pair of sites to exchange between 4 and 50 messages. Even with advancing technology, it seems safe to assume that clock skew will remain "large" when compared to inter-site message transmission speed. In particular, this argues against time-based protocols such as the one used in [Cristian]
GBCAST (group multicast) is the most constrained, and costly, of the three primitives. It is used to transmit information about failures and recoveries to members of a process group. A recov- ering member uses GBCAST to inform the operational ones that it has become available. Additionally, when a member fails, the system arranges for a GBCAST to be issued to group members on its behalf, informing them of its failure. Arguments to GBCAST are a message and a process group identifier, which is translated into a set of destinations as described below (Sec. 6.5).
Our GBCAST protocol ensures that if any process receives a multi- cast B before receiving a GBCAST G, then all overlapping destina- tions will receive B before G <1> This is true regardless of the type of multicast involved. Moreover, when a failure occurs, the corresponding GBCAST message is delivered after any other multi- casts from the failed process. Each member can therefore main- tain a VIEW listing the membership of the process group, updating it when a GBCAST is received. Although VIEW's are not updated simultaneously in real time, all members observe the same sequence of VIEW changes. Since, GBCAST's are ordered relative to all other multicasts, all members receiving a given multicast will have the same value of VIEW when they receive it.
Notice that GBCAST also provides a convenient way to change other global properties of a group "atomically". In our work, we have used GBCAST to dynamically change a ranking on the members of a group, to request that group members establish checkpoints for use if recovery is needed after all failure, and to implement process migration. In each case, the ordering of GBCAST relative to other events that makes it possible to perform the desired action without running any additional protocol. Other uses for GBCAST will no doubt emerge as our research continues.
Members of a process group can also use the value of VIEW to pick a strategy for processing an incoming request, or to react to failure or recovery without having to run any special protocol first. Since the GBCAST ordering is the same everywhere, their actions will all be consistent. Notice that when all the members of a process group may have failed, GBCAST also provides an inex- pensive way to determine the last site that failed: process group members simply log each value of VIEW that becomes defined on stable storage before using it; a simplified version of the algo- rithm in [Skeen-a] can then be executed when recovering from failure.
The GBCAST primitive is too costly to be used for general commun- ication between process group members. This motivates the intro- duction of weaker (less ordered) primitives, which might be used in situations where a total order on multicast messages is not necessary. Our second primitive, ABCAST (atomic multicast), satisfies such a weaker constraint. Specifically, it is often desired that if two multicasts are received in some order at a common destination site, they be received in that order at all other common destinations, even if this order was not predeter- mined. For example, if a process group is being used to maintain a replicated queue and ABCAST is used to transmit queue opera- tions to all copies, the operations will be done in the same order everywhere, hence the copies of the queue will remain mutu- ally consistent. The primitive ABCAST(msg, label, dests) pro- vides this behavior. Two ABCAST's having the same label are delivered in the same order at all common destinations.
Our third primitive, CBCAST (causal multicast), is weakest in the sense that it involves less distributed synchronization then GBCAST or ABCAST. CBCAST(msg, dests) atomically delivers msg to each operational dest. The CBCAST protocol ensures that if two multicasts are potentially causally dependent on another, then the former is delivered after the latter at all overlapping des- tinations. A multicast B' is potentially causally dependent on a multicast B if both multicasts originate from the same process, and B' is sent after B, or if there exists a chain of message transmissions and receptions or local events by which knowledge could have been transferred from the process that issued B to the process that issued B' [Lamport]. For causally independent mul- ticasts, the delivery ordering is not constrained.
CBCAST is valuable in systems like ISIS, where concurrency con- trol algorithms are used to synchronize concurrent computations. In these systems, if two processes communicate concurrently with the same process the messages are almost always independent ones that can be processed in any order: otherwise, concurrency con- trol would have caused one to pause until the other was finished. On the other hand, order is clearly important within a causally linked series of multicasts, and it is precisely this sort of order that CBCAST respects.
A weaker multicast primitive is reliable multicast, which pro- vides all-or-nothing delivery, but no ordering properties. The formulation of CBCAST in [Birman-b] actually includes a mechanism for performing multicasts of this sort, hence no special
Birman & Joseph [Page 9]
RFC 992 November 1986
primitive is needed for the purpose. Additionally, there may be situations in which ABCAST protocols that also satisfy a CBCAST ordering property would be valuable. Our ABCAST primitive could be changed to respect such a rule, and we made use of a multicast primitive that is simultaneously causal and atomic in our work on consistent shared bulletin boards ([Birman-c]). For simplicity, the presentation here assumes that ABCAST is completely orthogo- nal to CBCAST, but a simple way to build an efficient "causal atomic" multicast is described in our full-length paper. The cost of this protocol is only slightly higher than that of ABCAST.
Since group membership can change dynamically, it may be diffi- cult for a process to compute a list of destinations to which a message should be sent, for example, as is needed to perform a GBCAST. In [Birman-b] we report on a protocol for ensuring that a given multicast will be delivered to all members of a process group in the same view. This view is either the view that was operative when the message transmission was initiated, or a view that was defined subsequently. The algorithm is a simple itera- tive one that costs nothing unless the group membership changes, and permits the caching of possibly inaccurate membership infor- mation near processes that might want to communicate with a group. Using the protocol, a flexible message addressing scheme can readily be supported.
Iterative addressing is only required when the process transmit- ting a message has an inaccurate copy of the process group view. In the implementation we are now building, this would rarely be the case, and iteration is never needed if the view is known to be accurate. Thus, iterated delivery should be very infrequent.
6.6 Synchronous versus asynchronous multicast abstractions
Many systems employ RPC internally, as a lowest level primitive for interaction between processes. It should be evident that all of our multicast primitives can be used to implement replicated remote procedure calls [Cooper]: the caller would simply pause until replies have been received from all the participants (observation of a failure constitutes a reply in this case). We term such a use of the primitives synchronous, to distinguish it from from an asynchronous multicast in which no replies, or just one reply, suffices.
In our work on ISIS, GBCAST and ABCAST are normally invoked syn- chronously, to implement a remote procedure call by one member of an object on all the members of its process group. However, CBCAST, which is the most frequently used overall, is almost never invoked synchronously. Asynchronous CBCAST's are the
Birman & Joseph [Page 10]
RFC 992 November 1986
primary source of concurrency in ISIS: although the delivery ord- ering is assured, transmission can be delayed to enable a message to be piggybacked on another, or to schedule IO within the system as a whole. While the system cannot defer an asynchronous multi- cast indefinitely, the ability to defer it a little, without delaying some computation by doing so, permits load to be smoothed. Since CBCAST respects the delivery orderings on which a computation might depend, and is ordered with respect to failures, the concurrency introduced does not complicate higher level algorithms. Moreover, the protocol itself is extremely cheap.
A problem is introduced by our decision to allow asynchronous multicasts: the atomic reception property must now be extended to address causally related sequences of asynchronous messages. If a failure were to result in some multicasts being delivered to all their destinations but others that precede them not being delivered anywhere, inconsistency might result even if the desti- nations do not overlap. We therefore extend the atomicity pro- perty as follows. If process t receives a message m from process s, and s subsequently fails, then unless t fails as well, all messages m' that s received prior to its failure must be delivered to their remaining operational destinations. This is because the state of t may now depend on the contents of any such m', hence the system state could become inconsistent if the delivery of m' were not completed. The costs of the protocols are not affected by this change.
A second problem arises when the user-level implications of this atomicity rule are considered. In the event of a failure, any suffix of a sequence of aysnchronous multicasts could be lost and the system state would still be internally consistent. A process that is about to take some action that may leave an externally visible side-effect will need a way to pause until it is guaranteed that such multicasts have actually been delivered. For this purpose, a flush primitive is provided. Occasional calls to flush do not eliminate the benefit of using CBCAST asyn- chronously. Unless the system has built up a considerable back- log of undelivered multicast messages, which should be rare, flush will only pause while transmission of the last few multi- casts complete.
The reliable communication primitives described above lead to simple solutions for the problems cited in Sec. 4:
 Synchronization. Many synchronization problems are subsumed into the primitives themselves. For example, consider the use of GBCAST to implement recovery. A recovering process would issue a GBCAST to the process group members, requesting that state
Birman & Joseph [Page 11]
RFC 992 November 1986
information be transferred to it. In addition to sending the current state of the group to the recovering process, group members update the process group view at this time. Subsequent messages to the group will be delivered to the recovered process, with all necessary synchronization being provided by the ordering properties of GBCAST. In situations where other forms of syn- chronization are needed, ABCAST provides a simple way to ensure that several processes take actions in the same order, and this form of low-level synchronization simplifies a number of higher- level synchronization problems. For example, if ABCAST is used to do P() and V() operations on a distributed semaphore, the order of operations on the semaphore is set by the ABCAST, hence all the managers of the semaphore see these operations in a fixed order.
 Failure detection. Consistent failure (and recovery) detec- tion are trivial using our primitives: a process simply waits for the appropriate process group view to change. This facilitates the implementation of algorithms in which one processes monitors the status of another process. A process that acts on the basis of a process group view change does so with the assurance that other group members will (eventually) observe the same event and will take consistent actions.
 Consistency. We believe that consistency is generally expressible as a set of atomicity and ordering constraints on message delivery, particularly causal ones of the sort provided by CBCAST. Our primitives permit a process to specify the com- munication properties needed to achieve a desired form of con- sistency. Continued research will be needed to understand pre- cisely how to pick the weakest primitive in a designated situa- tion.
 Serializability. To achieve serializability, one implements a concurrency control algorithm and then forces computations to respect the serialization order that this algorithm choses. The ABCAST primitive, as observed above, is a powerful tool for establishing an order between concurrent events, e.g. by lock acquisition. Having established such an order, CBCAST can be used to distribute information about the computation and also its termination (commit or abort). Any process that observes the commit or abort of a computation will only be able to interact with data managers that have received messages preceding the com- mit or abort, hence a highly asynchronous transactional execution results. If a process running a computation fails, this is detected when a failure GBCAST is received instead of the commit. Thus, executions are simple and quite deterministic.
If commit is conditional, CBCAST would be used to first interro- gate participants to learn if they are prepared to commit, and then to transmit the commit or abort decision (the usual two-
Birman & Joseph [Page 12]
RFC 992 November 1986
phase commit). On the other hand, conditional commits can often be avoided using our approach. A method for building transac- tions that will roll-forward after failure after failure is dis- cussed in more detail in [Birman-a] [Joseph-a] [Joseph-b]. Other forms of concurrency control, such as timestamp generation, can similarly be implemented using ABCAST and CBCAST. We view tran- sactional data storage as an application-level concern, which can be handled using a version stack approach or a multi-version store, or any other appropriate mechanism.
The communication primitives can be built in layers, starting with a bare network providing unreliable Internet datagrams. The software structure is, however, less mature and more complex than the one sug- gested in RFC's 966 and 988. For example, at this stage of our research we do not understand how to optimize our protocols to the same extent as for the unreliable host multicast approach described in those RFC's. Thus, the implementation we describe here should be understood to be a prototype. A particularly intriguing question, which we are investigating actively, concerns the use of a "best effort" ethernet or Internet multicast as a tool to optimize the implementation of our protocols.
Our basic approach is to view large area networks as a set of clus- ters of sites interconnected by high speed LAN devices and intercon- nected by slower long-haul links. We first provide protocols for use within clusters, and then extend them to run between clusters too. Network partitioning can be tolerated at all levels of the hierarchy in the sense that no incorrect actions can result after network par- titioning, although our approach will sometimes block until the par- tition is repaired. Our protocols also tend to block within a clus- ter while the list of operational sites for that cluster is being changed. In normal LAN's, this happens infrequently (during site failure or recovery), and would not pose a problem. (In failure intensive applications, alternative protocols might be needed to address this issue).
The lowest level of our software uses a site-to-site acknowledgement protocol to convert the unreliable packet transport this into a sequenced, error-free message abstraction, using timeouts to detect apparent failures. TCP can also be used for this purpose, provided that a "filter" is placed on the incoming message stream and certain types of messages are handled specially. An agreement protocol is then used to order the site-failures and recoveries consistently. If timeouts cause a failure to be detected erroneously, the protocol forces the affected site to undergo recovery.
Built on this is a layer that supports the primitives themselves. CBCAST has a very light-weight implementation, based on the idea of flooding the system with copies of a message: Each process buffers
Birman & Joseph [Page 13]
RFC 992 November 1986
copies of any messages needed to ensure the consistency of its view of the system. If message m is delivered to process p, and m is potentially causally dependent on a message m prime, then a copy of m prime is sent to p as well (duplicates are discarded). A garbage collector deletes superfluous copies after a message has reached all its destinations. By using extensive piggybacking and a simple scheduling algorithm to control message transmission, the cost of a CBCAST is kept low -- often, less than one packet per destination. ABCAST employs a two-phase protocol based on one suggested to us by Skeen [Skeen-b]. This protocol has higher latency than CBCAST because delivery can only occur during the second phase; ABCAST is thus inherently synchronous. In ISIS, however, ABCAST is used rarely; we believe that this would be the case in other systems as well. GBCAST is implemented using a two-phase protocol similar to the one for ABCAST, but with an additional mechanism that flushes messages from a failed process before delivering the GBCAST announc- ing the failure. Although GBCAST is slower than ABCAST or CBCAST, it is used rarely enough so that performance is probably less of an issue here -- and in any case, even GBCAST could be tuned to give very high throughput. Preliminary performance figures appear in [Birman-b].
Although satisfactory performance should be possible using an imple- mentation that sits on top of a conventional Internet mechanism, it should be noted that to achieve really high rates of communication the layers of software described above must reside in the kernel, because they run on behalf of large numbers of clients, run fre- quently, and tend to execute for very brief periods before doing I/O and pausing. A non-kernel implementation will thus incur high scheduling and context switching overhead. Additionally, it is not at all clear how to use ethernet style broadcast mechanisms to optim- ize the performance of this sort of protocol, although it should be possible. We view this as an interesting area for research.
A forthcoming paper will describe higher level software that we are building on top of the basic fault-tolerant process group mechanism described above.
The experience of implementing a substantial fault-tolerant system left us with insights into the properties to be desired from a com- munication subsystem. In particular, we became convinced that to build a reliable distributed system, one must start with a reliable communication subsystem. The multicast primitives described in this memo present a simple interface, achieve a high level of concurrency, can be used in both local and wide area networks, and are applicable to software ranging from distributed database systems to the fault- tolerant objects and bulletin boards provided by ISIS. Because they are integrated with failure handling mechanisms and respect desired event orderings, they introduce a desirable form of determinism into
Birman & Joseph [Page 14]
RFC 992 November 1986
distributed computation without compromising efficiency. A conse- quence is that high-level algorithms are greatly simplified, reducing the probability of error. We believe that this is a very promising and practical approach to building large fault-tolerant distributed systems, and it is the only one we know of that leads to a rigorous form of confidence in the resulting software.
<1> A problem arises if a process p fails without receiving some mes- sage after that message has already been delivered to some other pro- cess q: q's VIEW when it received the message would show p to be operational; hence, q will assume that p received the message, although p is physically incapable of doing so. However, the state of the system is now equivalent to one in which p did receive the message, but failed before acting on it. In effect, there exists an interpretation of the actual system state that is consistent with q's assumption. Thus, GBCAST satisfies the sort of logical delivery pro- perty cited in the introduction.
[Cheriton] Cheriton, D. The V Kernel: A software base for distributed systems. IEEE Software 1 12, (1984), 19-43.
[Cooper] Cooper, E. Replicated procedure call. Proc. 3rd ACM Symposium on Principles of Distributed Computing., August 1984, 220-232. (May 1985).
[Cristian] Cristian, F. et al Atomic multicast: From simple diffusion to Byzantine agreement. IBM Technical Report RJ 4540 (48668), Oct. 1984.
Birman & Joseph [Page 16]
RFC 992 November 1986
[Eswaren] Eswaren, K.P., et al The notion of consistency and predicate locks in a database system. Comm. ACM 19, 11 (Nov. 1976), 624- 633.
[Hadzilacos] Hadzilacos, V. Byzantine agreement under restricted types of failures (not telling the truth is different from telling of lies). Tech. ARep. TR-19-83, Aiken Comp. Lab., Harvard University (June 1983).
[Halpern] Halpern, J., and Moses, Y. Knowledge and common knowledge in a distributed environment. Tech. Report RJ-4421, IBM San Jose Research Laboratory, 1984.
[Joseph-a] Joseph, T. Low cost management of replicated data. Ph.D. dissertation, Dept. of Computer Science, Cornell Univ., Ithaca (Dec. 1985).
[Joseph-b] Joseph, T., Birman, K. Low cost management of replicated data in fault-tolerant distributed systems. ACM TOCS 4, 1 (Feb 1986), 54-70.
[Lamport] Lamport, L. Time, clocks, and the ordering of events in a distributed system. CACM 21, 7, July 1978, 558-565.
[Lazowska] Lazowska, E. et al The architecture of the EDEN system. Proc. 8th Symposium on Operating Systems Principles, Dec. 1981, 148-159.
[Liskov] Liskov, B., Scheifler, R. Guardians and actions: Linguistic support for robust, distributed programs. ACM TOPLAS 5, 3 (July 1983), 381-404.
[Moss] Moss, E. Nested transactions: An approach to reliable, distri- buted computing. Ph.D. thesis, MIT Dept of EECS, TR 260, April 1981.
[Papadimitrou] Papadimitrou, C. The serializability of concurrent data- base updates. JACM 26, 4 (Oct. 1979), 631-653.
[Popek] Popek, G. et al. Locus: A network transparent, high reliability distributed system. Proc. 8th Symposium on Operating Systems Principles, Dec. 1981, 169-177.
[Schlicting] Schlicting, R, Schneider, F. Fail-stop processors: An approach to designing fault-tolerant distributed computing sys- tems. ACM TOCS 1, 3, August 1983, 222-238.
[Schneider] Schneider, F., Gries, D., Schlicting, R. Reliable multicast protocols. Science of computer programming 3, 2 (March 1984).
[Skeen-a] Skeen, D. Determining the last process to fail. ACM TOCS 3,
Birman & Joseph [Page 17]
RFC 992 November 1986
1, Feb. 1985, 15-30.
[Skeen-b] Skeen, D. A reliable multicast protocol. Unpublished.
[Spector] Spector, A., et al Distributed transactions for reliable sys- tems. Proc. 10th ACM SIGOPS Symposium on Operating Systems Prin- ciples, Dec. 1985, 127-146.
[Strong] Strong, H.R., Dolev, D. Byzantine agreement. Digest of papers, Spring Compcon 83, San Francisco, CA, March 1983, 77-81.