Optimal Primary-Backup Protocols

One way to implement a fault-tolerant service is to employ multiple sites that fail independently. The state of the service is replicated and distributed among these sites, and updates are coordinated so that even when a subset of the sites fail, the service remains available. A common approach to structuring such replicated services is to designate one site as the primary and all the others as backups. Clients make requests by sending messages only to the primary. If the primary fails, then a failover occurs and one of the backups takes over. This service architecture is commonly called the primary-backup or the primary-copy approach [1]. In [5] we give lower bounds for implementing primary-backup protocols under various models of failure. These lower bounds constrain the degree of replication, the t ime during which the service can be without a primary, and the amount of t ime it can take to respond to a client request. In this paper, we show that most of these lower bounds are tight by giving matching protocols. Some of the protocols that we describe have surprising properties. In one case, the optimal protocol is one in which a non-faulty pr imary is forced to relinquish control to a backup that it knows to be faulty! However, the existence of such a scenario is not peculiar to our protocol. As shown in [5], relinquishing control to a faulty backup is indeed necessary to achieve optimal protocols in some failure models. Another surprise is that in some protocols that achieve optimal response time, the site that receives the request (i.e. the primary) is not the site that sends the response to the clients. We show that this anomaly is not idiosyncratic to our protocols-i t is necessary for achieving optimal response time.