Data Link Protocols

By Erik Reeber

Goals
Use SPIN to model-check successively more complex protocols Using the protocols in Tannenbaums 3rd Edition of Computer Networks Compare this approach to using other verification tools

Background
A Layered Packet

Processes communicate using layers Each layer provides services to higherlevel layers and ultimately to the user

Physical Data Link

Network
User Data

Data Link Layer

Sits between the physical and network layers For our purposes: provides non-lossy, errorfree, and ordered communication for the network layer The physical layer will provide error-free communication, but packets may get lost.
4

Specification
Safety: [] ! Bad_network_packet Liveness: [] (network_message_sent -> <> network_message_received) A packet is bad if it is not the packet expected

Problems with the Spec

Ideally, requires an infinite queue to check Ideally, any packet can be sent. This can be implemented in SPIN with:
packet new_packet; do :: (i < PKT_SIZE) -> if :: true-> new_packet.p[i]++ :: true-> skip fi :: else -> break od
6

Simplifications
Use a finite queue, that loops around

0,4,8 12,

Use a packet size of 1, and pick between 0 and 1.

packet new_packet; if :: true-> new_packet.p[0]=0 :: true-> new_packet.p[0]=1 fi
7

Why OK?
Finite-queue of k elements: not always ok (consider k=2, and drop 2). We must prove: [] ((network_sent network_received) < k).
Packet size 1: ok, since the physical layer can only lose packets. Any packet loss or reordering can be detected with just 1 bit.

Protocol 1
Assumes no packets are lost by the physical layer Assumes receiver infinitely fast
sender() { packet buffer; frame s; do :: true -> A_from_network?to_sender(buffer); s.info.p=buffer.p; A_to_physical!to_physical(s) } receiver() { packet pack; frame r,s; do :: true -> B_wait_for_event?to_receiver(); B_from_physical_layer?to_receiver(r); pack.info.p = r.info.p; B_to_network!to_network(pack) }

Notes on Protocol 1
I use separate processes for the network, physical, and data-link processes (6 processes already!) Wire is multiple channel, all other communication is done with 0 width (synchronous) channels. Need to add a constraint to both properties: [] (num_packets_in_DLR < 2) With the constraint, both properties went through SPIN
10

Protocol 2
No longer assume infinite speed receiver Instead, receiver sends ack back to sender
A frame B

ack

11

Notes on Protocol 2
Up to 8 processes! Model-checker getting slow (liveness proof went 252,700 states deep) Never more than one message being dealt with at a time Both checks went through

12

Protocol 2_5
Tannenbaum mentions a simple extension to protocol 2 to make it handle dropped messages. Just set a timer on the sender, if the timer buzzes resend. Why doesnt that work? Safety proofs goes through if add the condition that the ack is never dropped

13

Protocol 3
Truly handle lost messages Add a one bit sequence number to the message and the ack. Also timeout as in 2_5. But how does one implement a timer in SPIN

14

Timer Implementations
Use the timeout keyword:
timer() { do :: timeout -> A_wait_for_event!to_sender(time_out) od }

Had problems with the timeout keyword sticking Use the scheduler:
timer() { do :: true -> A_wait_for_event!to_sender(time_out) od }
15

More timer implementations

Use non-determinism:
timer() { do :: true -> do :: true -> skip :: true -> break od; A_wait_for_event!to_sender(time_out) od }

16

Notes on protocol 3
Proved liveness with the schedulers timer and safety under the timeout keyword. Looking for the right timer implementation
Made a pretty and an ugly version of protocol 3. The ugly version gets rid of the physical senders

17

Protocol 4
Bidirectional 1-bit windowing protocol (only 1 bit ack) More efficient && symmetric Original implementation has 12 processes: my ugly version weans this down to 6 and still does not make it through.

18

Notes on Protocol 4
I tried using various forms of compression, but never got a full search On the other hand, between my 5 implementations of protocol 4, SPIN caught a lot of errors.

19

3 More Protocols?
There are three more data link protocols in Tannenbaums book. First n-bit windowing, then 1-bit sliding window, and finally the n-bit sliding window protocol Since Protocol 4 did not go through,

20

Spin v. ACL2
ACL2 proof would work at a lower level:
(defun next_system_state (i system_state) (cond ((== i 0) (execute_A system_state)) (t (execute_B system_state)))) ... (thm (and (not (get-val bad_network_packet (init_state))) (implies (not (get-val bad_network_packet s)) (not (get-val bad_network_packet (next_system_state i s))))

+ ACL2 can handle more states - if the user can do the proof + SPIN has a better simulator: its tough to simulate this type of ACL2 code.
21

Conclusions
Model-checking complex protocols is hard SPIN is very good at helping users find bugs. The interactive simulator is useful. Try combining SPIN with theorem proving

22

Future Work
Simplify the spec: Is there something simpler that will still distinguish ordering? Simplify the model: 6 processes are not really necessary. Implement a better timer Prove the network protocols in ACL2 or PVS for comparison
23