Oct-25-2005 1 University of South Australia CPN’05 Enhancing the CES Protocol and its Verification Lin Liu 1,2 and Jonathan Billington 2 1 School of Computer and Information Science 2 Computer Systems Engineering Centre University of South Australia Presented by Guy Edward Gallasch

Oct-25-2005 1

University of South Australia

CPN’05

Enhancing the CES Protocol and its Verification

Lin Liu 1,2 and Jonathan Billington 2

1 School of Computer and Information Science
2 Computer Systems Engineering Centre

University of South Australia

Presented by Guy Edward Gallasch

Background

The Capability Exchange Signalling (CES) protocol is a sub-protocol of H.245, “Control protocol for multimedia communication”, a recommendation developed by the International Telecommunication Union (ITU).

H.245 is included as one of the core standards of ITU recommendation H.323, ITU’s framework standard for multimedia over packet-based networks, including the Internet.

The original goal of the first author’s PhD thesis was to verify H.323 protocols, starting with the verification of the CES protocol.

Finally the aim of the PhD thesis has been revised to comprise:
  • verification of the functional correctness of the CES protocol, and
  • investigation of a new approach to parametric verification of protocols over unbounded channels, using the CES protocol as an example.

This paper reports some of the results of the first part.

Outline

  • An overview of the CES protocol
  • Verification of the CES protocol
      • Desired properties
      • The CES protocol CPN and the analysis result from previous work
      • Language analysis on the CES protocol
  • The revised CES protocol
  • Verification of the revised CES protocol
      • State space analysis
      • Language analysis
  • Conclusion and future work

Outline (repeated)

[Slide annotation: the outline items are labelled "CPN’01 paper" and "This paper" under the heading "Contribution:".]

The CES protocol

The Capability Exchange Signalling (CES) protocol is used by a communication party to inform its peer of its multimedia receive and transmit capabilities.

[Illustration, two speech bubbles:]

"Hi Mary, I can only transmit and receive G.711 audio."

"OK, John. Thank you."

The CES protocol - primitives and messages

Two CES Entities (CESEs):
  • Outgoing CESE (initiator)
  • Incoming CESE (responder)

The CES protocol - primitives and messages

[Diagram labels: outgoing CES user, outgoing CESE, underlying medium, incoming CESE, incoming CES user]

6 Service Primitives:
  • TRANSFER.request
  • TRANSFER.indication
  • TRANSFER.response
  • TRANSFER.confirm
  • REJECT.request (CAUSE)
  • REJECT.indication (SOURCE, CAUSE)

4 CES messages:
  • TerminalCapabilitySet
  • TerminalCapabilitySetAck
  • TerminalCapabilitySetReject
  • TerminalCapabilitySetRelease

The CES protocol – CPN model

[Figure: CPN model of the CES protocol. Transition labels visible: TRANSFERreq, TRANSFERind, TRANSFERres, TRANSFERcnf, REJECTreq, REJECTindPout. Markings visible: 1`(0,idle), 1`(1,idle), 1`(1,awaiting), 1`[], 1`[(1,capSet)], 1`[(1,capAck)].]

The CES protocol – desired properties

  • Initial state as a home state
  • Absence of deadlocks
  • Absence of livelocks: the protocol must not be trapped in a set of states where useless or undesired sequences of actions occur repeatedly without ending.
  • No dead code
  • Language property: the CES protocol language must be included in the CES service language (i.e. Language Inclusion must hold)
      • The service language of a protocol comprises the allowable sequences of user observable events (known as service primitives).
      • The protocol language of a protocol comprises the sequences of service primitives implemented by the protocol.

The CES protocol – state space analysis

The CPN model of the CES protocol has an infinite state space due to the infinite capacity of the channels.

State space analysis was applied to a restricted form of the CPN model:
  • The maximum queue length of each of the places forChannel and revChannel was set to 3, and
  • The maximum sequence number was set to 1, i.e. the sequence numbers in use are 0 and 1.

The CES protocol – state space analysis

The CES protocol satisfies all four general properties: it is free of deadlocks and livelocks, the initial state is a home state, and there is no dead code.

However, further analysis of the state space reveals that the protocol could fail if wrapping of the protocol’s sequence numbers occurs.

As a result, a user may be misinformed about the acceptance or otherwise of the capabilities it has just sent. This could lead to the failure of the multimedia session.

The CES protocol – state space analysis

Misinterpreted acknowledgement

The CES protocol – state space analysis

Occurrence of supposedly “dead” transitions

The CES protocol – language analysis

Language comparison shows that there are sequences of primitives that are in the protocol language but not in the service language (illegal sequences).

The illegal sequences reveal the same CES protocol error discovered by state space analysis.

SP LL

The CES protocol – desired properties

  • Initial state as a home state
  • Absence of deadlocks
  • Absence of livelocks
  • No dead code
  • Language property: the CES protocol language must be included in the CES service language (i.e. Language Inclusion must hold)

No unexpected dead code: TRANSFERindT and REJECTindUin should be dead when the underlying medium is reliable! [14]

Revising the CES protocol

Revising the CES protocol

Add a state variable to count the number of outstanding requests

Revising the CES protocol

Update arcs and inscriptions appropriately

Revising the CES protocol

Add a guard to prevent more than 256 outstanding requests (when MaxSeqNo=255)
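
An added illustration, not taken from the slides or from the authors' CPN model: a simplified Python model of the outgoing entity in the restricted setting used for state space analysis (sequence numbers 0 and 1). It shows a stale acknowledgement being accepted after the sequence number wraps, and a guard on outstanding requests preventing it. The names `OutgoingCESE`, `abandon` and `run`, the abandon step, and the reliable FIFO peer that acknowledges every request are assumptions.

```python
from collections import deque

class OutgoingCESE:
    """Simplified outgoing CES entity (assumed model, not the authors' CPN)."""
    def __init__(self, max_seq_no, guarded):
        self.mod = max_seq_no + 1   # sequence numbers are 0..max_seq_no
        self.guarded = guarded      # True models the revised protocol's guard
        self.seq, self.state = 0, "idle"
        self.outstanding = 0        # requests sent whose ack has not arrived yet
        self.current = None         # label of the request awaiting a response

    def transfer_request(self, label, channel):
        # Guard: at most max_seq_no + 1 requests may be outstanding.
        if self.guarded and self.outstanding >= self.mod:
            return False
        self.seq = (self.seq + 1) % self.mod
        self.outstanding += 1
        self.state, self.current = "awaiting", label
        channel.append((self.seq, label))  # capSet carrying the sequence number
        return True

    def abandon(self):
        # The request is given up (hypothetical step); its ack is still in flight.
        self.state, self.current = "idle", None

    def receive_ack(self, ack):
        ack_seq, acked_label = ack
        self.outstanding -= 1
        if self.state == "awaiting" and ack_seq == self.seq:
            self.state = "idle"
            return (self.current, acked_label)  # (confirmed to user, actually acked)
        return None  # stale ack, ignored

def run(guarded, max_seq_no=1):
    """Constructed scenario: requests A and B are abandoned, then C is sent."""
    cese, channel, confirms = OutgoingCESE(max_seq_no, guarded), deque(), []
    pending = deque(["A", "B", "C"])
    while pending or channel:
        if pending and cese.state == "idle" and cese.transfer_request(pending[0], channel):
            if pending.popleft() != "C":
                cese.abandon()
            continue
        # Reliable FIFO peer: every capSet is acked in order with its own number.
        result = cese.receive_ack(channel.popleft())
        if result:
            confirms.append(result)
    return confirms
```

Without the guard, `run(False)` reports request C as confirmed by the acknowledgement that belongs to request A; with the guard, C is held back until A's acknowledgement has drained, so outstanding requests always carry distinct sequence numbers.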

Revising the CES protocol

A TerminalCapabilitySetAbort message is sent when Reject.Ind(SOURCE=PROTOCOL) occurs

Revising the CES protocol

Add guards to limit channel capacity

The revised CES protocol – state space analysis

The revised CES protocol satisfies all four general properties: it is free of deadlocks and livelocks, the initial state is a home state, and there is no unexpected dead code.

The revised CES protocol – language analysis

No illegal sequences have been found in the protocol language.

The revised CES protocol implements a subset of the requirements specified in the CES service. However, the missing sequences are caused by the capacity and maximum sequence number constraints, and the way the protocol implements rejection.

So the revised CES protocol is an acceptable implementation of the CES service.

Conclusion and future work

This paper:
  • Analyses the language properties of the CES protocol
  • Revises the protocol to eliminate the error found by state space and language analyses
  • Verifies the revised CES protocol by state space and language analyses

Parallel to the work presented in this paper, we have explored parametric verification of the (revised) CES protocol (for arbitrary channel capacities), by discovering and using structural regularities of the state spaces of the systems in language analysis. It has been shown to be a very promising approach for parametric verification of a class of protocols over unbounded channels.

In the future, we shall complete the verification of the CES protocol and its revision for any values of channel capacity, and generalise our parametric verification results to other protocols over unbounded channels.
