CPN'05, University of South Australia, Oct-25-2005
Enhancing the CES Protocol and its Verification
Lin Liu (1,2) and Jonathan Billington (2)
(1) School of Computer and Information Science, (2) Computer Systems Engineering Centre
University of South Australia
Presented by Guy Edward Gallasch
Background
The Capability Exchange Signalling (CES) protocol is a sub-protocol of H.245, "Control protocol for multimedia communication", a recommendation developed by the International Telecommunication Union (ITU).
H.245 is one of the core standards of ITU recommendation H.323, ITU's framework standard for multimedia over packet-based networks, including the Internet.
The original goal of the first author's PhD thesis was to verify H.323 protocols, starting with the verification of the CES protocol.
The aim of the thesis has since been revised to comprise: verification of the functional correctness of the CES protocol, and investigation of a new approach to parametric verification of protocols over unbounded channels, using the CES protocol as an example.
This paper reports some of the results of the first part.
Outline
- An overview of the CES protocol
- Verification of the CES protocol
  - Desired properties
  - The CES protocol CPN and the analysis result from previous work (CPN'01 paper)
  - Language analysis on the CES protocol (contribution of this paper)
- The revised CES protocol (contribution of this paper)
- Verification of the revised CES protocol (contribution of this paper)
  - State space analysis
  - Language analysis
- Conclusion and future work
The CES protocol
The Capability Exchange Signalling (CES) protocol is used by a communication party to inform its peer of its multimedia receive and transmit capabilities.
Illustration from the slide, as a dialogue between the two parties:
  John (outgoing party): "Hi Mary, I can only transmit and receive G.711 audio."
  Mary (incoming party): "OK, John. Thank you."
The CES protocol - primitives and messages
Two CES entities (CESEs): the outgoing CESE (initiator) and the incoming CESE (responder).
The CES protocol - primitives and messages
Architecture (from the figure): outgoing CES user <-> outgoing CESE <-> underlying medium <-> incoming CESE <-> incoming CES user.
6 service primitives (exchanged between a CES user and its CESE):
- TRANSFER.request (outgoing user to outgoing CESE)
- TRANSFER.indication (incoming CESE to incoming user)
- TRANSFER.response (incoming user to incoming CESE)
- TRANSFER.confirm (outgoing CESE to outgoing user)
- REJECT.request (CAUSE) (incoming user to incoming CESE)
- REJECT.indication (SOURCE, CAUSE) (delivered to either user by its CESE)
4 CES messages (exchanged between the two CESEs over the underlying medium):
- TerminalCapabilitySet
- TerminalCapabilitySetAck
- TerminalCapabilitySetReject
- TerminalCapabilitySetRelease
The CES protocol – CPN model
[Figure: CPN model of the CES protocol. Labels recoverable from the figure: the outgoing and incoming CESE state places are initially marked 1`(0,idle) (sequence number 0, state idle) and the two channel places 1`[] (empty queues); the transitions TRANSFERreq, TRANSFERind, TRANSFERres, TRANSFERcnf, REJECTreq and REJECTindPout; the markings 1`(1,awaiting), 1`[(1,capSet)], 1`[(1,capAck)] and 1`(1,idle) show the entities using sequence number 1 with a capSet or capAck message in transit.]
The CES protocol – desired properties
- Initial state as a home state
- Absence of deadlocks
- Absence of livelocks: the protocol must not be trapped in a set of states where useless or undesired sequences of actions occur repeatedly without ending.
- No dead code
- Language property: the CES protocol language must be included in the CES service language (i.e. Language Inclusion must hold).
The service language of a protocol comprises the allowable sequences of user-observable events (known as service primitives). The protocol language of a protocol comprises the sequences of service primitives actually implemented by the protocol.
The CES protocol – state space analysis
The CPN model of the CES protocol has an infinite state space because the channels have unbounded capacity.
State space analysis was therefore applied to a restricted form of the CPN model: the maximum queue length of the places forChannel and revChannel was set to 3 each, and the maximum sequence number was set to 1, i.e. the sequence numbers in use are 0 and 1.
The CES protocol – state space analysis
The CES protocol satisfies all four general properties: it is free of deadlocks and livelocks, its initial state is a home state, and it has no dead code.
However, further analysis of the state space reveals that the protocol can fail if its sequence numbers wrap, i.e. if enough requests are outstanding that a sequence number is reused while its earlier request is still unanswered: an acknowledgement of an earlier capability set is then taken as the acknowledgement of the latest one.
As a result, a user may be misinformed about the acceptance or otherwise of the capabilities it has just sent. This could lead to the failure of the multimedia session.
The CES protocol – state space analysis
[Figure: state space fragment showing a misinterpreted acknowledgement]
[Figure: occurrence of supposedly "dead" transitions]
The CES protocol – language analysis
Language comparison shows that there are sequences of primitives that are in the protocol language but not in the service language (illegal sequences).
These illegal sequences reveal the same CES protocol error that was discovered by state space analysis.
The CES protocol – desired properties (revisited)
- Initial state as a home state
- Absence of deadlocks
- Absence of livelocks
- No unexpected dead code (replacing "No dead code": the transitions TRANSFERindT and REJECTindUin should be dead when the underlying medium is reliable [14])
- Language property: the CES protocol language must be included in the CES service language (i.e. Language Inclusion must hold)
Revising the CES protocol
1. Add a state variable to count the number of outstanding requests.
2. Update arcs and inscriptions appropriately.
3. Add a guard to prevent more than 256 outstanding requests (when MaxSeqNo = 255), i.e. at most MaxSeqNo + 1 requests may be outstanding, so a sequence number can never be reused while its own request is still unanswered.
4. A TerminalCapabilitySetAbort message is sent when REJECT.indication (SOURCE=PROTOCOL) occurs.
5. Add guards to limit channel capacity.
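The sequence-number wrap found by the state space analysis, the illegal-sequence finding of the language analysis, and the effect of the revision's outstanding-request counter and guard can all be seen on a toy model. The Python below is an added example written for this page; it is not the authors' CPN model and not code from the paper. It assumes reliable in-order channels, no timers (so TerminalCapabilitySetRelease and the Abort message of the revision are not modelled), an incoming CES user scripted to accept or reject each capability set as soon as it is indicated, a revised entity that counts one reply per outstanding request, and a conformance check that is a simplified stand-in for the language inclusion comparison rather than the full service language. The capability sets A, B, C and the cause value "unspecified" are constructed inputs. MAX_SEQ_NO = 1 mirrors the restricted analysis on the page (sequence numbers 0 and 1), so the numbers wrap after two requests.

```python
"""Toy model of the CES protocol (H.245 Capability Exchange Signalling); an added
illustration, not the authors' CPN model. Assumptions: reliable in-order channels,
no timers (Release/Abort not modelled), a scripted incoming user, and one reply per
outstanding request in the revised entity. MAX_SEQ_NO = 1 as in the page's
restricted analysis (sequence numbers 0 and 1)."""
from collections import deque

MAX_SEQ_NO = 1


class OutgoingCESE:
    """Outgoing (initiator) CESE; revised=True adds the outstanding request
    counter and the guard of the revision slides."""

    def __init__(self, to_peer, max_seq=MAX_SEQ_NO, revised=False):
        self.to_peer = to_peer        # forward channel towards the incoming CESE
        self.max_seq = max_seq
        self.revised = revised
        self.seq = 0                  # initial marking 1`(0, idle)
        self.state = "idle"
        self.outstanding = 0          # revised protocol only
        self.latest_caps = None       # what the user takes a confirm to refer to
        self.trace = []               # service primitives seen at the outgoing user

    def transfer_request(self, caps):
        """TRANSFER.request from the outgoing user; returns False if refused."""
        if self.revised and self.outstanding > self.max_seq:
            # Guard: at most max_seq + 1 requests outstanding, so a sequence
            # number is never reused while its own request is still unanswered.
            return False
        self.seq = (self.seq + 1) % (self.max_seq + 1)   # wraps after max_seq
        self.outstanding += 1
        self.latest_caps = caps
        self.state = "awaiting"
        self.trace.append(("TRANSFER.request", caps))
        self.to_peer.append(("TerminalCapabilitySet", self.seq, caps))
        return True

    def receive(self, msg):
        """Deliver one Ack or Reject message from the reverse channel."""
        kind, seq, *rest = msg
        if self.state != "awaiting":
            return                            # nothing outstanding: discard
        if self.revised:
            self.outstanding -= 1             # one reply answers one request
            if self.outstanding == 0:
                self.state = "idle"
        if seq != self.seq:
            return                            # reply to an older request: discard
        if not self.revised:
            self.state = "idle"
        # A matching number is read as the reply to the *latest* request. In the
        # original protocol it may already have wrapped: misinterpreted acknowledgement.
        if kind == "TerminalCapabilitySetAck":
            self.trace.append(("TRANSFER.confirm", self.latest_caps))
        else:
            self.trace.append(("REJECT.indication", ("USER", rest[0])))


class IncomingCESE:
    """Incoming (responder) CESE whose user is the scripted accept(caps) -> bool."""

    def __init__(self, to_peer, accept):
        self.to_peer = to_peer        # reverse channel towards the outgoing CESE
        self.accept = accept
        self.trace = []               # service primitives seen at the incoming user

    def receive(self, msg):
        _kind, seq, caps = msg        # only TerminalCapabilitySet travels forward here
        self.trace.append(("TRANSFER.indication", caps))
        if self.accept(caps):
            self.trace.append(("TRANSFER.response", caps))
            self.to_peer.append(("TerminalCapabilitySetAck", seq))
        else:                         # "unspecified" is a constructed cause value
            self.trace.append(("REJECT.request", "unspecified"))
            self.to_peer.append(("TerminalCapabilitySetReject", seq, "unspecified"))


def run(requests, accept, revised, max_seq=MAX_SEQ_NO):
    """Issue all requests before any reply arrives, then drain both channels."""
    fwd, rev = deque(), deque()
    out, inc = OutgoingCESE(fwd, max_seq, revised), IncomingCESE(rev, accept)
    issued = [out.transfer_request(c) for c in requests]
    while fwd or rev:
        while fwd:
            inc.receive(fwd.popleft())
        while rev:
            out.receive(rev.popleft())
    return out, inc, issued


def conformant(out, inc):
    """Simplified stand-in for language inclusion: every TRANSFER.confirm at the
    outgoing user must answer a TRANSFER.response the incoming user really gave."""
    accepted = {c for p, c in inc.trace if p == "TRANSFER.response"}
    return all(c in accepted for p, c in out.trace if p == "TRANSFER.confirm")


def demo(revised):
    """Constructed scenario: three requests back to back; the incoming user
    accepts capability sets A and B but rejects C."""
    out, inc, issued = run(["A", "B", "C"], lambda c: c != "C", revised)
    return issued, out.trace, inc.trace, conformant(out, inc)
```

demo(False) issues three requests back to back. The acknowledgement of set A carries sequence number 1, which by then has been reused for set C, so the outgoing user receives TRANSFER.confirm for C although the incoming user rejected C, and the conformance check fails: that trace is an illegal sequence in the sense of the language analysis. demo(True) refuses the third request at the guard; every reply is then distinguishable by its sequence number and the check passes. With MAX_SEQ_NO = 255 the same wrap needs 257 outstanding requests, which is exactly what the guard of the revision rules out.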
The revised CES protocol – state space analysis
The revised CES protocol satisfies all four general properties: it is free of deadlocks and livelocks, its initial state is a home state, and it has no unexpected dead code.
The revised CES protocol – language analysis
No illegal sequences have been found in the protocol language.
The revised CES protocol implements a subset of the requirements specified in the CES service. However, the missing sequences are caused by the channel capacity and maximum sequence number constraints, and by the way the protocol implements rejection. So the revised CES protocol is an acceptable implementation of the CES service.
Conclusion and future work
This paper:
- analyses the language properties of the CES protocol;
- revises the protocol to eliminate the error found by state space and language analyses;
- verifies the revised CES protocol by state space and language analyses.
In parallel with the work presented in this paper, we have explored parametric verification of the (revised) CES protocol (for arbitrary channel capacities), by discovering and using structural regularities of the state spaces of the systems in language analysis. It has been shown to be a very promising approach for parametric verification of a class of protocols over unbounded channels.
In the future, we shall complete the verification of the CES protocol and its revision for any value of channel capacity, and generalise our parametric verification results to other protocols over unbounded channels.