ISO/IEC 15909: A Simple Example of Protocol Specification and Verification

SC7/WG19 Geneva 2003

ISO/IEC 15909: A Simple Example of Protocol Specification and

Verification

Jonathan Billington

Computer Systems Engineering CentreSchool of Electrical and Information Engineering

University of South Australia

16 September 2003

16/9/2003SC7/WG19 Geneva 2003 2

How ISO/IEC 15909: Simple SWP Example J. Billington

CSEC EIE

Goal To illustrate the use of ISO/IEC 15909 Use a simple stop and wait protocol Illustrate specification and verification Use concrete syntax of Coloured Petri

Nets Use Design/CPN for graphical

representation

16/9/2003SC7/WG19 Geneva 2003 3


CSEC EIE

High-level Nets Standard: ISO/IEC 15909

Part 1: Concepts, Definitions and Graphical Notation (FDIS)

CPN semantics Algebraic graphical form (signatures)

Part 2: Transfer Format (PNML) XML based First draft (Ekkart Kindler)

Part 3: Extensions (Future) Modularity (eg hierarchical models) Time

16/9/2003SC7/WG19 Geneva 2003 4


CSEC EIE

High-level Net SemanticsHLPN = (P,T,D;Type,Pre,Post,M0) P is a finite set of Places T is a finite set Transitions disjoint from P D is a non-empty finite set of non-empty domains (sets)

where each element of D is called a type Type:PUT D is a function used to assign types to

places and to determine transition modes Pre,Post:TRANS μPLACE are the pre and post

mappings TRANS = {(t,m) | t Є T, m Є Type(t)} PLACE = {(p,g) | p Є P, g Є Type(p)}

M0 Є μPLACE is a multiset, the initial marking of the net μPLACE is the set of multisets over the set, PLACE

16/9/2003SC7/WG19 Geneva 2003 5


CSEC EIE

Stop and Wait Protocols (SWP)

Send a message and wait for ack before sending the next message (flow control)

Recover from loss by retransmissions (ARQ) Receiver discarding messages with bit errors Router discarding messages due to congestion

Sequence Number included to detect duplicates Finite maximum sequence number: MaxSeqNo Modulo arithmetic MaxSeqNo + 1

Maximum Retransmission Counter: MaxRetrans Medium

Initially order preserving channels (DLL Protocol) However, part of TCP (window size of one)

16/9/2003SC7/WG19 Geneva 2003 6


CSEC EIE

Motivation TCP is the dominant transport protocol in the Internet TCP uses ARQ with 32 bit sequence numbers Original designers were concerned about duplicates

message is delayed in reordering medium sequence numbers wrap then duplicate can be accepted as a new message

Proposed 3 way handshake (old connections) plus large sequence numbers (same connection) time to live in IP (but implemented as hop count)

Networks are getting faster – Gbit/s and beyond How does the simplest ARQ (SWP) fail?

16/9/2003SC7/WG19 Geneva 2003 7


CSEC EIE

Approach Use graphical models that allow for visualisation Coloured Petri net models of the SWP

Lossy FIFO channel Lossy reordering channel

Properties Boundedness of channels Stop and Wait Service – alternating sends and receives Duplicate acceptance Message Loss

Hand proofs for boundedness (general) Reachability analysis, automata reduction and

language equivalence for the other 3 properties (limited parameter values)

Use Design/CPN (Aarhus) and FSM (ATT)

16/9/2003SC7/WG19 Geneva 2003 8


CSEC EIE

Modelling Assumptions Stop and Wait ARQ Protocol Recovery from loss by retransmissions Retransmission counter with limit:

MaxRetrans Transmission is aborted when limit reached –

not modelled Bounded sequence numbers: MaxSeqNo Message represented by sequence number

only – data independence assumption Channels

Lossy/lossless unbounded FIFO Lossy/lossless, re-ordering and unbounded Lossy/lossless, re-ordering and bounded

16/9/2003SC7/WG19 Geneva 2003 9


CSEC EIE

CPN Model 1 SWP over Lossy FIFO Channels

Sender: Send message as sequence number (sn) Retransmission on timeout to limit (MaxRetrans) Receive acks and duplicate acks Increment sn modulo MaxSeqNo + 1

Receiver: Receive messages (sn=rn) and discard duplicates Send ack of next expected message (rn)

FIFO Channel: Message loss (or not)

16/9/2003SC7/WG19 Geneva 2003 10


CSEC EIE

SWP over Lossy FIFO: Results Boundedness

arbitrary MaxSeqNo and MaxRetrans bound on FIFO length of both mess_channel

and ack_channel given by 2MaxRetrans + 1 Alternating sends and receives (sn=rn) No duplication No loss (except for possibly the last

message if the transmission is aborted, i.e. MaxRetrans limit is reached)

16/9/2003SC7/WG19 Geneva 2003 11


CSEC EIE

CPN Model 2 SWP over Lossy Reordering

Channels Same as CPN Model 1 except for the

message and ack channels Each channel is represented by a

place, where a token is a message (rather than a list of messages)

Loss of any message or ack at anytime Can switch loss off readily by use of

the guard false on the loss transitions

16/9/2003SC7/WG19 Geneva 2003 12


CSEC EIE

SWP over Lossy non-FIFO: Results 1

Theorem 1 For the SWP of CPN2 (lossy non-FIFO channels), with MaxRetrans and MaxSeqNo > 0, the message channel is unbounded.

Proof sketch: find transition sequence (cycle) that on each repetition

will increase the number of tokens in mess_channel by 1

consider: send_mess, receive_mess (sn=rn), send_ack, timeout_retrans, receive_ack

from the initial marking, a new marking with send_mess enabled and duplicate in mess_channel is obtained

repeat transition sequence every repetition of the sequence increases the

number of tokens in mess_channel by one sequence can be repeated indefinitely => unbounded.

16/9/2003SC7/WG19 Geneva 2003 13


CSEC EIE


Theorem 2 For the SWP of CPN2 with MaxRetrans and MaxSeqNo > 0, the ack channel is unbounded.

Proof: consider transition sequence: send_mess,

receive_mess(sn=rn), send_ack, timeout_retrans, receive_ack, receive_mess, send_ack

same arguments as for the proof of Theorem 1

16/9/2003SC7/WG19 Geneva 2003 14


CSEC EIE


Theorem 3 The SWP of CPN2 with MaxRetrans and MaxSeqNo > 0, does not satisfy the Stop and Wait service.

Theorem 4 For the SWP of CPN2 with MaxRetrans and MaxSeqNo > 0, duplicates may be received as new messages.

Theorem 5 For the SWP of CPN2 with MaxRetrans and MaxSeqNo > 0, messages can be lost without being detected.

16/9/2003SC7/WG19 Geneva 2003 15


CSEC EIE

Proof of Theorems 3-5 Use language analysis to consider sequences of

sends and receives: desired service is (send receive)*

send is send_mess; receive is receive_mess(sn=rn) Restricted to bounded channels (capacity = 2), but

if there are failures in this case, they will also occur for capacities > 2 (conjecture)

Set MaxRetrans = 1 = MaxSeqNo. Any incorrect behaviour also present when MaxRetrans, MaxSeqNo > 1 (conjecture)

Two cases: No message loss With message loss

16/9/2003SC7/WG19 Geneva 2003 16


CSEC EIE

FSA for Lossless Channel OG: 410 nodes and 848 arcs Minimised FSA: 14 states and 21 transitions Stop and Wait Service not satisfied as

Alternating sequences of sends and receives is violated (s=send, r=receive)

Duplicate acceptance cycles: (srr)* : 5 s 8 r 11 r 13 s 6 r 4 r 5 (srsrrr)* : 7 s 10 r 13 s 6 r 4 r 5 r 7

Loss Cycles: (sssr)* : 13 s 6 s 9 s 12 r 13 Messages lost even though channel not lossy !

Problems do not occur till SNs wrap

16/9/2003SC7/WG19 Geneva 2003 17


CSEC EIE

FSA for Lossy Channel OG: 624 nodes and 2484 arcs Minimised FSA: 29 states and 47

transitions All states are acceptance states Stop and Wait Service not satisfied Duplicate acceptance cycles Loss Cycles Problems do not occur till SNs wrap

16/9/2003SC7/WG19 Geneva 2003 18


CSEC EIE

Relevance to TCP TCP uses a sliding window mechanism with dynamic

changes to window size and 32 bit SN Reduces to a stop and wait protocol if window size is set to

one Conjecture that similar modes of loss and duplication will

occur with TCP if Sequence numbers wrap; and Duplicates still exist in the Internet

Time-to-live field in IP packets (hop count!) RFC 793 (TCP) suggests Max Seg Lifetime of 2 minutes At 1 Gbit/s effective throughput, SN wrap in 34 secs,

allowing duplicates to still be present, but need 4GB of data to send!

RFC 1323 recommends the use of 32 bit time-stamps to overcome this problem (PAWS)

64 bit SN? - at 10 Gbit/s would take 470 years to wrap

16/9/2003SC7/WG19 Geneva 2003 19


CSEC EIE

Relevance to TCP - II Unbounded channels

Will potentially unbounded growth of messages lead to congestion?

Due to retransmissions, which will occur Most duplicates will be deleted by the

receiver Remaining duplicates will be killed off after

time to live limit is reached (if implemented) Congestion control procedures already in

place Conclusion: No problem for TCP

16/9/2003SC7/WG19 Geneva 2003 20


CSEC EIE

Conclusions Shown that Stop and Wait Protocols do not work over

reordering channels in the following ways: The channels are unbounded (for any MaxRetrans, MaxSeqNo) The SWP does not satisfy its service of (sr)* Cyclic behaviour exists where:

Duplicates can be accepted as new messages Messages can be lost (unknowingly)

Congestion Lossy FIFO channels, congestion contained (2MaxRetrans + 1) Reordering channels, other mechanisms required

The last 3 problems depend on SNs wrapping For Gbit/s networks, duplicates and loss can be a problem

=> implement PAWS as per RFC 1323

16/9/2003SC7/WG19 Geneva 2003 21


CSEC EIE

Future Work Extend work to TCP mechanisms,

including PAWS Incorporate mechanisms into CPN model

for deleting old messages Formally extend results for loss and

duplication to arbitrary values of MaxRetrans, MaxSeqNo and channel capacity

Investigate duplication and loss even when (sr)* is not violated

Documents

ISO/IEC 15909: A Simple Example of Protocol Specification and Verification