SALTZER ET AL. End-to-End Arguments in System Design

END-TO-END ARGUMENTS IN SYSTEM DESIGN

J.H. Saltzer, D.P. Reed and D.D. Clark*

M.I.T. Laboratory for Computer Science

This paper presents a design principle that helps guide placement of functions among the modules of a distributed computer system. The principle, called the end-to-end argument, suggests that functions placed at low levels of a system may be redundant or of little value when compared with the cost of providing them at that low level. Examples discussed in the paper include bit error recovery, security using encryption, duplicate message suppression, recovery from system crashes, and delivery acknowledgement. Low level mechanisms to support these functions are justified only as performance enhancements.

Introduction

Choosing the proper boundaries between functions is perhaps the primary activity of the computer system designer. Design principles that provide guidance in this choice of function placement are among the most important tools of a system designer. This paper discusses one class of function placement argument that has been used for many years with neither explicit recognition nor much conviction. However, the emergence of the data communication network as a computer system component has sharpened this line of function placement argument by making more apparent the situations in which and reasons why it applies. This paper articulates the argument explicitly, so as to examine its nature and to see how general it really is. The argument appeals to application requirements, and provides a rationale for moving function upward in a layered system, closer to the application that uses the function.
We begin by considering the communication network version of the argument.

* Authors' addresses: J.H. Saltzer and D.D. Clark, M.I.T. Laboratory for Computer Science, 545 Technology Square, Cambridge, Massachusetts 02139. D.P. Reed, Software Arts, Inc., 27 Mica Lane, Wellesley, Massachusetts 02181.
This research was supported in part by the Advanced Research Projects Agency of the U.S. Department of Defense and monitored by the Office of Naval Research under contract number N00014-75-C-0661.
Revised version of a paper from the Second International Conference on Distributed Computing Systems, Paris, France, April 8-10, 1981, pp. 509-512. Copyright 1981 by The Institute of Electrical and Electronics Engineers, Inc. Reprinted with permission.
Published in ACM Transactions in Computer Systems 2, 4, November, 1984, pages 277-288.
Reprinted in Craig Partridge, editor Innovations in internetworking. Artech House, Norwood, MA, 1988, pages 195-206. ISBN 0-89006-337-0. Also scheduled to be reprinted in Amit Bhargava, editor. Integrated broadband networks. Artech House, Boston, 1991. ISBN 0-89006-483-0.
Scribe/FinalWord source: http://web.mit.edu/Saltzer/www/publications/

In a system that includes communications, one usually draws a modular boundary around the communication subsystem and defines a firm interface between it and the rest of the system. When doing so, it becomes apparent that there is a list of functions each of which might be implemented in any of several ways: by the communication subsystem, by its client, as a joint venture, or perhaps redundantly, each doing its own version. In reasoning about this choice, the requirements of the application provide the basis for a class of arguments, which go as follows:

The function in question can completely and correctly be implemented only with the knowledge and help of the application standing at the end points of the communication system.
Therefore, providing that questioned function as a feature of the communication system itself is not possible. (Sometimes an incomplete version of the function provided by the communication system may be useful as a performance enhancement.)

We call this line of reasoning against low-level function implementation the "end-to-end argument." The following sections examine the end-to-end argument in detail, first with a case study of a typical example in which it is used – the function in question is reliable data transmission – and then by exhibiting the range of functions to which the same argument can be applied. For the case of the data communication system, this range includes encryption, duplicate message detection, message sequencing, guaranteed message delivery, detecting host crashes, and delivery receipts. In a broader context the argument seems to apply to many other functions of a computer operating system, including its file system. Examination of this broader context will be easier if we first consider the more specific data communication context, however.

End-to-end caretaking

Consider the problem of "careful file transfer." A file is stored by a file system, in the disk storage of computer A. Computer A is linked by a data communication network with computer B, which also has a file system and a disk store. The object is to move the file from computer A's storage to computer B's storage without damage, in the face of knowledge that failures can occur at various points along the way. The application program in this case is the file transfer program, part of which runs at host A and part at host B. In order to discuss the possible threats to the file's integrity in this transaction, let us assume that the following specific steps are involved:

1. At host A the file transfer program calls upon the file system to read the file from the disk, where it resides on several tracks, and the file system passes it to the file transfer program in fixed-size blocks chosen to be disk-format independent.
2. Also at host A the file transfer program asks the data communication system to transmit the file using some communication protocol that involves splitting the data into packets. The packet size is typically different from the file block size and the disk track size.
3. The data communication network moves the packets from computer A to computer B.
4. At host B a data communication program removes the packets from the data communication protocol and hands the contained data on to a second part of the file transfer application, the part that operates within host B.
5. At host B, the file transfer program asks the file system to write the received data on the disk of host B.

With this model of the steps involved, the following are some of the threats to the transaction that a careful designer might be concerned about:

1. The file, though
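The five-step careful file transfer model above, as an added example that is not part of the original paper: a per-packet check inside the communication system catches damage in transit (step 3), but only a check made by the file transfer application at the two end points catches damage introduced at host B after the packets were verified. The function names, packet size, sample file and single-bit fault model are all assumptions made for illustration, and A's digest is assumed to reach B intact.

```python
import hashlib
import zlib

PACKET = 8  # constructed packet payload size in bytes (assumption)
FILE = b"constructed sample file contents held on host A's disk\n" * 3

def send_packets(data):
    """Step 2: split the file into packets, each carrying a link-level CRC."""
    return [(data[i:i + PACKET], zlib.crc32(data[i:i + PACKET]))
            for i in range(0, len(data), PACKET)]

def receive_packets(packets):
    """Step 4: the communication layer verifies each CRC and reassembles."""
    for payload, crc in packets:
        if zlib.crc32(payload) != crc:
            raise IOError("link-level CRC mismatch")
    return b"".join(payload for payload, _ in packets)

def write_to_disk(data, fault=False):
    """Step 5: store at host B; fault=True flips one bit after the CRC check."""
    stored = bytearray(data)
    if fault and stored:
        stored[len(stored) // 2] ^= 0x01
    return bytes(stored)

def careful_transfer(disk_a, link_fault=False, host_fault=False):
    """Run one transfer attempt and report which check, if any, rejected it."""
    sent_digest = hashlib.sha256(disk_a).digest()  # computed by the application at A
    packets = send_packets(disk_a)
    if link_fault and packets:  # step 3: the network damages the first packet
        payload, crc = packets[0]
        packets[0] = (bytes([payload[0] ^ 0x01]) + payload[1:], crc)
    try:
        received = receive_packets(packets)
    except IOError:
        return "rejected by link-level CRC"
    disk_b = write_to_disk(received, host_fault)
    # End-to-end check: the application at B re-reads what was stored and
    # compares it with the digest of what A held on its own disk.
    if hashlib.sha256(disk_b).digest() != sent_digest:
        return "rejected by end-to-end check"
    return "accepted"

if __name__ == "__main__":
    print(careful_transfer(FILE))
    print(careful_transfer(FILE, link_fault=True))
    print(careful_transfer(FILE, host_fault=True))
```

With `host_fault=True` every packet passes its CRC, so the communication system reports success while the copy on B's disk differs from A's; only the end-point comparison notices.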