ISO/IEC 15909: A Simple Example of
Protocol Specification and Verification
Jonathan Billington
Computer Systems Engineering Centre
School of Electrical and Information Engineering
University of South Australia
16 September 2003
SC7/WG19 Geneva 2003
How ISO/IEC 15909: Simple SWP Example J. Billington
Goal
To illustrate the use of ISO/IEC 15909
Use a simple stop and wait protocol
Illustrate specification and verification
Use concrete syntax of Coloured Petri Nets
Use Design/CPN for graphical representation
CSEC EIE SC7/WG19 Geneva 2003 16/9/2003 2
High-level Nets
Standard: ISO/IEC 15909
Part 1: Concepts, Definitions and Graphical Notation (FDIS)
CPN semantics
Algebraic graphical form (signatures)
Part 2: Transfer Format (PNML)
XML based
First draft (Ekkart Kindler)
Part 3: Extensions (Future)
Modularity (eg hierarchical models)
Time
High-level Net Semantics
$HLPN = (P, T, D; Type, Pre, Post, M_0)$
P is a finite set of Places
T is a finite set of Transitions disjoint from P
D is a non-empty finite set of non-empty domains (sets), where each element of D is called a type
$Type: P \cup T \to D$ is a function used to assign types to places and to determine transition modes
$Pre, Post: TRANS \to \mu PLACE$ are the pre and post mappings, where
$TRANS = \{(t, m) \mid t \in T, m \in Type(t)\}$
$PLACE = \{(p, g) \mid p \in P, g \in Type(p)\}$
$M_0 \in \mu PLACE$ is a multiset, the initial marking of the net
$\mu PLACE$ is the set of multisets over the set PLACE
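The definition above worked in code: an added example, not from the slides or from Design/CPN, that writes Type, Pre, Post and M_0 for a constructed sender-side fragment of the SWP (places ready, wait and mess_channel; transitions send_mess, timeout_retrans and lose_mess, all assumptions of this example), implements the enabling and firing rule over multisets, and from those computes the occurrence graph and a place bound of the kind the later slides report.

```python
from collections import Counter

# Constructed sender-side fragment of the SWP (an assumption of this example, not the slides' CPN):
MAX_SEQ_NO, MAX_RETRANS = 1, 1
SEQ = range(MAX_SEQ_NO + 1)                      # sequence numbers, one of the types in D
RC = range(MAX_RETRANS + 1)                      # retransmission counter values
P = {"ready", "wait", "mess_channel"}
T = {"send_mess", "timeout_retrans", "lose_mess"}
Type = {"ready": set(SEQ), "mess_channel": set(SEQ), "wait": {(sn, rc) for sn in SEQ for rc in RC},
        "send_mess": set(SEQ), "lose_mess": set(SEQ),   # Type(t) is the set of modes of transition t;
        "timeout_retrans": {(sn, rc) for sn in SEQ for rc in RC if rc < MAX_RETRANS}}  # guard folded in

def Pre(t, m):                                   # Pre: TRANS -> muPLACE, a Counter over (place, value)
    if t == "send_mess": return Counter({("ready", m): 1})
    if t == "timeout_retrans": return Counter({("wait", m): 1})
    return Counter({("mess_channel", m): 1})     # lose_mess consumes one copy of message m
def Post(t, m):                                  # Post: TRANS -> muPLACE
    if t == "send_mess": return Counter({("wait", (m, 0)): 1, ("mess_channel", m): 1})
    if t == "timeout_retrans": return Counter({("wait", (m[0], m[1] + 1)): 1, ("mess_channel", m[0]): 1})
    return Counter()                             # a lost message simply disappears
M0 = Counter({("ready", 0): 1})                  # initial marking: sender ready with sn = 0

def enabled(M, t, m):                            # (t, m) is enabled iff Pre(t, m) <= M as multisets
    return all(M[x] >= k for x, k in Pre(t, m).items())
def enabled_modes(M):                            # all enabled elements of TRANS in marking M
    return [(t, m) for t in sorted(T) for m in sorted(Type[t]) if enabled(M, t, m)]
def fire(M, t, m):                               # M' = M - Pre(t, m) + Post(t, m)
    assert enabled(M, t, m)
    M2 = Counter(M); M2.subtract(Pre(t, m)); M2.update(Post(t, m))
    return +M2                                   # drop zero counts so equal markings compare equal

def occurrence_graph(M0):                        # breadth-first reachability: the OG of the slides
    key = lambda M: frozenset(M.items())
    nodes, arcs, todo = {key(M0): M0}, [], [M0]
    while todo:
        M = todo.pop(0)
        for t, m in enabled_modes(M):
            M2 = fire(M, t, m); arcs.append((key(M), t, m, key(M2)))
            if key(M2) not in nodes: nodes[key(M2)] = M2; todo.append(M2)
    return nodes, arcs

def place_bound(nodes, p):                       # boundedness: the most tokens place p ever holds
    return max(sum(k for (q, _), k in M.items() if q == p) for M in nodes.values())
```

For this fragment the occurrence graph has 6 nodes and 6 arcs, and mess_channel never holds more than MaxRetrans + 1 tokens, because the single retransmission allowed by the mode set of timeout_retrans bounds the copies in flight.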
Stop and Wait Protocols (SWP)
Send a message and wait for an ack before sending the next message (flow control)
Recover from loss by retransmissions (ARQ)
Receiver discarding messages with bit errors
Router discarding messages due to congestion
Sequence Number included to detect duplicates
Finite maximum sequence number: MaxSeqNo
Modulo arithmetic: sequence numbers are taken modulo MaxSeqNo + 1
Maximum Retransmission Counter: MaxRetrans
Medium
Initially order-preserving channels (DLL protocol)
However, part of TCP (window size of one)
Motivation
TCP is the dominant transport protocol in the Internet
TCP uses ARQ with 32 bit sequence numbers
Original designers were concerned about duplicates
a message is delayed in a reordering medium
sequence numbers wrap
then the duplicate can be accepted as a new message
Proposed
3 way handshake (old connections) plus
large sequence numbers (same connection)
time to live in IP (but implemented as hop count)
Networks are getting faster – Gbit/s and beyond
How does the simplest ARQ (SWP) fail?
Approach
Use graphical models that allow for visualisation
Coloured Petri net models of the SWP
Lossy FIFO channel
Lossy reordering channel
Properties
Boundedness of channels
Stop and Wait Service – alternating sends and receives
Duplicate acceptance
Message Loss
Hand proofs for boundedness (general)
Reachability analysis, automata reduction and language equivalence for the other 3 properties (limited parameter values)
Use Design/CPN (Aarhus) and FSM (ATT)
Modelling Assumptions
Stop and Wait ARQ Protocol
Recovery from loss by retransmissions
Retransmission counter with limit: MaxRetrans
Transmission is aborted when the limit is reached – not modelled
Bounded sequence numbers: MaxSeqNo
Message represented by its sequence number only – data independence assumption
Channels
Lossy/lossless unbounded FIFO
Lossy/lossless, re-ordering and unbounded
Lossy/lossless, re-ordering and bounded
CPN Model 1
SWP over Lossy FIFO Channels
Sender:
Send message as sequence number (sn)
Retransmission on timeout to limit (MaxRetrans)
Receive acks and duplicate acks
Increment sn modulo MaxSeqNo + 1
Receiver:
Receive messages (sn=rn) and discard duplicates
Send ack of next expected message (rn)
FIFO Channel:
Message loss (or not)
SWP over Lossy FIFO: Results
Boundedness
arbitrary MaxSeqNo and MaxRetrans
bound on the FIFO length of both mess_channel and ack_channel given by 2·MaxRetrans + 1
Alternating sends and receives (sn=rn)
No duplication
No loss (except possibly the last message if the transmission is aborted, i.e. the MaxRetrans limit is reached)
CPN Model 2
SWP over Lossy Reordering Channels
Same as CPN Model 1 except for the message and ack channels
Each channel is represented by a place, where a token is a message (rather than a list of messages)
Loss of any message or ack at any time
Loss can readily be switched off by using the guard false on the loss transitions
SWP over Lossy non-FIFO: Results 1
Theorem 1. For the SWP of CPN2 (lossy non-FIFO channels), with MaxRetrans and MaxSeqNo > 0, the message channel is unbounded.
Proof sketch:
find a transition sequence (cycle) each repetition of which increases the number of tokens in mess_channel by 1
consider: send_mess, receive_mess (sn=rn), send_ack, timeout_retrans, receive_ack
from the initial marking, this reaches a new marking with send_mess enabled and a duplicate in mess_channel
repeat the transition sequence
every repetition of the sequence increases the number of tokens in mess_channel by one
the sequence can be repeated indefinitely => unbounded.
SWP over Lossy non-FIFO: Results 2
Theorem 2. For the SWP of CPN2 with MaxRetrans and MaxSeqNo > 0, the ack channel is unbounded.
Proof:
consider the transition sequence: send_mess, receive_mess (sn=rn), send_ack, timeout_retrans, receive_ack, receive_mess, send_ack
same argument as for the proof of Theorem 1
SWP over Lossy non-FIFO: Results 3
Theorem 3. The SWP of CPN2 with MaxRetrans and MaxSeqNo > 0 does not satisfy the Stop and Wait service.
Theorem 4. For the SWP of CPN2 with MaxRetrans and MaxSeqNo > 0, duplicates may be received as new messages.
Theorem 5. For the SWP of CPN2 with MaxRetrans and MaxSeqNo > 0, messages can be lost without being detected.
Proof of Theorems 3-5
Use language analysis to consider sequences of sends and receives: the desired service is (send receive)*
send is send_mess; receive is receive_mess (sn=rn)
Restricted to bounded channels (capacity = 2), but if there are failures in this case, they will also occur for capacities > 2 (conjecture)
Set MaxRetrans = 1 = MaxSeqNo. Any incorrect behaviour is also present when MaxRetrans, MaxSeqNo > 1 (conjecture)
Two cases:
No message loss
With message loss
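The Theorem 1 cycle and the failure modes of Theorems 3-5, run in code: an added example, not the slides' CPN or any Design/CPN output, that models CPN Model 2 with MaxSeqNo = MaxRetrans = 1 and the loss transitions switched off (guard false, as the CPN Model 2 slide allows). Transition names follow the proof sketch; the sender and receiver state variables, the flags and the guard details are assumptions of this model.

```python
MAX_SEQ_NO, MAX_RETRANS = 1, 1          # the slides' parameters; the guard details below are this model's assumption
MOD = MAX_SEQ_NO + 1                    # sequence numbers are taken modulo MaxSeqNo + 1
class SWP:
    def __init__(self):
        self.sn, self.rn, self.rc = 0, 0, 0           # sender seq no, receiver's expected seq no, retrans count
        self.ready, self.ack_pending = True, False     # sender may send a new message / receiver owes an ack
        self.mess_channel, self.ack_channel = [], []   # multisets: any token may be taken (reordering)
        self.trace, self.acked, self.discarded = "", 0, []  # 's'/'r' service trace, acked sends, dropped copies
    def send_mess(self):                # new message; the sender then waits for its ack
        assert self.ready
        self.mess_channel.append(self.sn)
        self.ready, self.rc, self.trace = False, 0, self.trace + "s"
    def timeout_retrans(self):          # timer expires before the ack arrives: resend, count it
        assert not self.ready and self.rc < MAX_RETRANS
        self.mess_channel.append(self.sn)
        self.rc += 1
    def receive_mess(self, m):          # the receiver takes any in-flight copy m
        self.mess_channel.remove(m)
        if m == self.rn:                # sn = rn: accepted as the next new message
            self.rn, self.trace = (self.rn + 1) % MOD, self.trace + "r"
        else: self.discarded.append(m)  # otherwise treated as a duplicate and dropped
        self.ack_pending = True         # both cases are acknowledged with rn
    def send_ack(self):
        assert self.ack_pending
        self.ack_channel.append(self.rn)
        self.ack_pending = False
    def receive_ack(self, a):           # the expected ack advances sn; any other ack is a duplicate ack
        self.ack_channel.remove(a)
        if not self.ready and a == (self.sn + 1) % MOD:
            self.sn, self.ready, self.acked = a, True, self.acked + 1

def theorem1_cycle(net):                # one repetition of the Theorem 1 transition sequence
    net.send_mess(); net.receive_mess(net.sn); net.send_ack()   # the fresh copy is delivered first
    net.timeout_retrans(); net.receive_ack(net.rn)              # timeout before the expected ack (= rn) arrives

def channel_growth(repetitions):        # Theorem 1: mess_channel gains one stale copy per repetition
    net, sizes = SWP(), []
    for _ in range(repetitions):
        theorem1_cycle(net)
        sizes.append(len(net.mess_channel))
    return sizes

def duplicate_then_loss():              # Theorems 3-5 once the sequence number has wrapped
    net = SWP()
    theorem1_cycle(net); theorem1_cycle(net)   # stale copies [0, 1] in flight; sn = rn = 0 again
    net.receive_mess(0); net.send_ack()        # stale 0 accepted as new: trace 'srsrr' violates (sr)*
    net.send_mess(); net.receive_mess(net.sn)  # the genuinely new message 0 arrives with rn = 1: dropped
    net.send_ack(); net.receive_ack(net.rn)    # ack 1 is what the sender expects, so the loss goes unnoticed
    return net.trace, net.acked, net.discarded
```

channel_growth returns [1, 2, 3, ...], the channel occupancy after each cycle; duplicate_then_loss returns the service trace "srsrrs", in which the stale message 0 is accepted as new after the wrap and the sender's third message is then discarded by the receiver yet counted as acknowledged by the sender, with no loss transition ever fired.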
FSA for Lossless Channel
OG: 410 nodes and 848 arcs
Minimised FSA: 14 states and 21 transitions
Stop and Wait Service not satisfied, as the alternation of sends and receives is violated (s = send, r = receive)
Duplicate acceptance cycles:
(srr)*: 5 -s-> 8 -r-> 11 -r-> 13 -s-> 6 -r-> 4 -r-> 5
(srsrrr)*: 7 -s-> 10 -r-> 13 -s-> 6 -r-> 4 -r-> 5 -r-> 7
Loss cycles:
(sssr)*: 13 -s-> 6 -s-> 9 -s-> 12 -r-> 13
Messages lost even though the channel is not lossy!
Problems do not occur until SNs wrap
FSA for Lossy Channel
OG: 624 nodes and 2484 arcs
Minimised FSA: 29 states and 47 transitions
All states are acceptance states
Stop and Wait Service not satisfied
Duplicate acceptance cycles
Loss Cycles
Problems do not occur until SNs wrap
Relevance to TCP
TCP uses a sliding window mechanism with dynamic changes to window size and 32-bit SNs
Reduces to a stop and wait protocol if window size is set to one
Conjecture that similar modes of loss and duplication will occur with TCP if:
sequence numbers wrap; and
duplicates still exist in the Internet
Time-to-live field in IP packets (hop count!)
RFC 793 (TCP) suggests Max Seg Lifetime of 2 minutes
At 1 Gbit/s effective throughput, SNs wrap in 34 secs, allowing duplicates to still be present, but 4 GB of data needs to be sent!
RFC 1323 recommends the use of 32-bit time-stamps to overcome this problem (PAWS)
64-bit SN? At 10 Gbit/s it would take 470 years to wrap
Relevance to TCP - II
Unbounded channels
Will potentially unbounded growth of messages lead to congestion?
Due to retransmissions, which will occur
Most duplicates will be deleted by the receiver
Remaining duplicates will be killed off after the time-to-live limit is reached (if implemented)
Congestion control procedures already in place
Conclusion: No problem for TCP
Conclusions
Shown that Stop and Wait Protocols do not work over reordering channels in the following ways:
The channels are unbounded (for any MaxRetrans, MaxSeqNo)
The SWP does not satisfy its service of (sr)*
Cyclic behaviour exists where:
Duplicates can be accepted as new messages
Messages can be lost (unknowingly)
Congestion
Lossy FIFO channels: congestion contained (bound 2·MaxRetrans + 1)
Reordering channels: other mechanisms required
The last 3 problems depend on SNs wrapping
For Gbit/s networks, duplicates and loss can be a problem
=> implement PAWS as per RFC 1323
Future Work
Extend the work to TCP mechanisms, including PAWS
Incorporate mechanisms for deleting old messages into the CPN model
Formally extend the results for loss and duplication to arbitrary values of MaxRetrans, MaxSeqNo and channel capacity
Investigate duplication and loss even when (sr)* is not violated