Brian A. Coan

Using distributed topology update and preplanned configurations to achieve trunk network survivability

The authors present a new approach for trunk network survivability. This modular approach is intended for a telephone trunk network consisting of high-bandwidth fiber-optic links connected through reconfigurable digital cross-connect nodes. It works for both node and link failures. This approach comprises a distributed protocol with two parts. First, the surviving digital cross-connect nodes are caused to converge to an agreement on the topology (i.e., what is up and what is down). Second, based on the agreed topology and on a precomputed plan for that topology, the digital cross-connect nodes are reconfigured to restore as much call-carrying capacity as possible. The modularity of this approach comes from separating the problem of devising a distributed fault-tolerant protocol to determine what the failure is from the problem of designing a network reconfiguration for that failure. >

Byzantine replication under attack

Existing Byzantine-resilient replication protocols satisfy two standard correctness criteria, safety and liveness, in the presence of Byzantine faults. In practice, however, faulty processors can, in some protocols, significantly degrade performance by causing the system to make progress at an extremely slow rate. While ldquocorrectrdquo in the traditional sense, systems vulnerable to such performance degradation are of limited practical use in adversarial environments. This paper argues that techniques for mitigating such performance attacks are needed to bridge this ldquopracticality gaprdquo for intrusion-tolerant replication systems. We propose a new performance-oriented correctness criterion, and we show how failure to meet this criterion can lead to performance degradation. We present a new Byzantine replication protocol that achieves the criterion and evaluate its performance in fault-free configurations and when under attack.

A Simple and Efficient Randomized Byzantine Agreement Algorithm

A new randomized Byzantine agreement algorithm is presented. This algorithm operates in a synchronous system of n processors, at most t of which can fail. The algorithm reaches agreement in 0(t/log n) expected rounds and O(n2tf/log n) expected message bits independent of the distribution of processor failures. This performance is further improved to a constant expected number of rounds and O(n2) message bits if the distribution of processor failures is assumed to be uniform. In either event, the algorithm improves on the known lower bound on rounds for deterministic algorithms. Some other advantages of the algorithm are that it requires no cryptographic techniques, that the amount of local computation is small, and that the expected number of random bits used per processor is only one. It is argued that in many practical applications of Byzantine agreement, the randomized algorithm of this paper achieves superior performance.

Modular construction of a Byzantine agreement protocol with optimal message bit complexity

This paper presents a new Byzantine agreement protocol that tolerates t processor faults using 3t + 1 processors, t + o(t) rounds, O(t^2) total message bits, and O(t^@?) maximum message size, for any @? > 0. The protocol is optimal or near optimal in all cost measures: the number of processors is optimal, the message bit complexity is optimal, the number of rounds exceeds the lower bound by o(t), and the maximum message size exceeds the lower bound by O(t^@?). The round complexity is uniformly better than 2.(t + 1) and thus is reasonable even for small t. This is the first Byzantine agreement protocol to have optimal message bit complexity. The new protocol is constructed by recursively applying a simple, yet general, transformation that changes the number of rounds, total message bits, and maximum message size required by a Byzantine agreement protocol, but preserves correctness, number of processor faults tolerated, and total number of processors. Each application of this new transformation reduces the number of message bits sent-at the expense of adding rounds of communication. Surprisingly, the base case of the recursive construction is the agreement protocol of Lamport, Shostak, and Pease, which has a number of message bits exponential in t.

Prime: Byzantine Replication under Attack

Existing Byzantine-resilient replication protocols satisfy two standard correctness criteria, safety and liveness, even in the presence of Byzantine faults. The runtime performance of these protocols is most commonly assessed in the absence of processor faults and is usually good in that case. However, faulty processors can significantly degrade the performance of some protocols, limiting their practical utility in adversarial environments. This paper demonstrates the extent of performance degradation possible in some existing protocols that do satisfy liveness and that do perform well absent Byzantine faults. We propose a new performance-oriented correctness criterion that requires a consistent level of performance, even with Byzantine faults. We present a new Byzantine fault-tolerant replication protocol that meets the new correctness criterion and evaluate its performance in fault-free executions and when under attack.

Customizable Fault Tolerance forWide-Area Replication

Constructing logical machines out of collections of physical machines is a well-known technique for improving the robustness and fault tolerance of distributed systems. We present a new, scalable replication architecture, built upon logical machines specifically designed to perform well in wide-area systems spanning multiple sites. The physical machines in each site implement a logical machine by running a local state machine replication protocol, and a wide-area replication protocol runs among the logical machines. Implementing logical machines via the state machine approach affords free substitution of the fault tolerance method used in each site and in the wide-area replication protocol, allowing one to balance performance and fault tolerance based on perceived risk. We present a new byzantine fault-tolerant protocol that establishes a reliable virtual communication link between logical machines. Our communication protocol is efficient (a necessity in wide-area environments), avoiding the need for redundant message sending during normal-case operation and allowing a logical machine to consume approximately the same wide-area bandwidth as a single physical machine. This dramatically improves the wide-area performance of our system compared to existing logical machine based approaches. We implemented a prototype system and compare its performance and fault tolerance to existing solutions.

Network QoS assurance in a multi-layer adaptive resource management scheme for mission-critical applications using the CORBA middleware framework

We present adaptive network QoS (quality of service) technology that provides ongoing, end-to-end assurance that critical traffic belonging to admitted flows has bounded queuing loss, delay, and jitter. Our technology uses a bandwidth broker to provide admission control, and leverages differentiated services and class of service functionality of high-end routers and switches for enforcement. The technology employs an integrated QoS treatment across a hybrid layer-2/layer-3 network and adapts to changes in mission requirements, work load and configurations; it uses discovery algorithms in these layers to maintain a current view of resource availability. Under the DARPA ARMS (adaptive and reflective middleware systems) program, our technology is being developed, integrated and validated in a CORBA-based multilayer resource management framework.

Efficient agreement using fault diagnosis

SummaryWe give an extremely simple Byzantine agreement protocol that usesO(t2) processors, min(f+2,t+1) rounds of communication,O(n·t·f·log|V|) total message bits, andO(log|V|) maximum message size, wheren is the total number of processors that actually participate in the protocol,t is an upper bound on the number of faulty processors,f is the number of processors that actually fail in a given execution, andV is the set of possible inputs. This protocol uses roughly the same resources as a more complex protocol due to Dolev, Reischuk, and Strong. By adding explicit fault diagnosis to our first protocol, we produce a some-what more complicated protocol that usesO(t1.5) processors, min(f+2,t+1) rounds,O(n·t2·f·log|V|) total message bits, andO(t·log|V|) maximum message size.

Building autonomic systems via configuration

Large classes of autonomic (self-managing, self-healing) systems can be created by logically integrating simpler autonomic systems. The configuration method is widely used for such integration. However, there are few formalized tools in support of this method for specification, compilation, diagnosis, reasoning, and distributed provisioning. As a result, the practice of this method is very costly and can lead to security failures. This paper presents a technique called Service Grammar for building these tools based on a novel analysis of protocols and distributed algorithms in a domain of interest. The technique is illustrated in the context of a realistic adaptive virtual private network. We show how lower-layer adaptive protocols can be composed to create adaptive behavior at a higher layer.

Simultaneity is harder than agreement

Abstract We prove a strong lower bound on the number of rounds of message exchange required to achieve simultaneity (i.e., action in the same round) in certain synchronous fault-tolerant distributed systems. Specifically, our bound holds for any randomized protocol which solves either the simultaneous agreement problem or the distributed firing squad problem. It is known that any protocol that solves either of these problems and that is resilient to t processor faults has at least one execution that lasts at least t + 1 rounds. We strengthen that bound by showing that all normal executions of such a protocol last at least t + 1 rounds. The restriction to normal executions is a technical one that excludes certain executions in which a fortuitous pattern of processor faults enables early termination. The lower bounds proved in this paper contrast with known protocols that achieve agreement on a value (without simultaneity) in fewer than t + 1 rounds in some normal executions. Our results are proved for randomized protocols, for a benign failure model (crash faults), and for a weak adversary. They apply a fortiori to deterministic protocols, more malicious failure models, and stronger adversaries.