IEEE TRANSACTIONS ON COMMUNICATIONS, VOL. COM-35, NO. 12, DECEMBER 1987 1377

Automated Verification of the Connection Management Aspects of the IEEE 802.2 Logical Link Control Protocol

THOMAS P. BLUMER AND DEEPINDER P. SIDHU

Abstract: This paper discusses the verification of the connection management aspects of the IEEE 802.2 logical link control (LLC) protocol standard for local area networks. An automated protocol development technique is used to verify a subset of the protocol with respect to the protocol properties of completeness, deadlock freeness, boundedness, and termination. These properties are found to hold for the subset of the protocol analyzed here. The technique is also used to derive user event sequences for some interesting subsets of the protocol. These user event sequences together make up a partial service specification of the protocol.

Paper approved by the Editor for Networks of the IEEE Communications Society. Manuscript received May 2, 1985; revised January 27, 1987.
T. P. Blumer is with Phoenix Technologies Ltd., Cambridge, MA.
D. P. Sidhu is with the Department of Computer Science, Iowa State University, Ames, IA 50010.
IEEE Log Number 8717485.
0090-6778/87/1200-1377$01.00 © 1987 IEEE

I. AUTOMATED VERIFICATION OF LLC

In recent years, much progress has been made in creating an integrated set of tools for developing reliable communication protocols. In this paper, we discuss verification of the connection management for the IEEE 802.2 logical link control (LLC) protocol [1], [2] for local area networks using an automated protocol verification tool discussed in [3]-[5].

The LLC protocol specification [1], [2] presents a finite-state machine representing possible actions of the protocol entity on one side of a connection. This finite-state machine has 11 states and 315 transitions as written in the specification. Since the source state of a transition in the specification may actually be a set of states, these 315 transitions in the specification actually expand into 417 transitions.

Several simplifications were necessary in order to analyze the connection management aspects of the LLC protocol with the FSM analyzer program. Some of these simplifications were necessary because the FSM analyzer cannot adequately model protocol behavior such as data transmission. Other simplifications were necessary in order to limit the computation time required for the analysis.

The verification of LLC is carried out with the help of a tool called the analyzer. The analyzer uses a modified reachability analysis technique to analyze protocols with respect to four properties: completeness, deadlock freeness, termination, and boundedness. Completeness means that the protocol accepts all possible inputs in each system state. The analyzer checks completeness by checking that each event present in some channel of a system state is received by some transition out of that system state. Deadlock freeness means that the protocol never gets into a system state where no more transitions or receptions are possible, and the system stays in that state indefinitely. The analyzer checks for deadlocks by checking that all nonfinal system states have at least one possible transition out of that system state. Termination means that the protocol always reaches the final state when started from the initial state. If the analyzer completes its analysis and halts without finding any deadlock states, then termination is assured. Boundedness means that the total number of message events in a channel is always less than some fixed number. Again, if the analyzer completes its analysis of the protocol, then boundedness is assured. When the analysis of a protocol is complete, the analyzer displays lists of incomplete system states, deadlock system states, all system states reached, and the maximum number of events held in a channel in any system state. For further details on the analyzer and examples of its use, see [4], [5].

In the following section, we present the simplifying restrictions that were used for the first analysis of LLC, and then present the results of this analysis. In later sections, we discuss further analyses where these restrictions were relaxed somewhat, and present results for these cases.

II. ANALYSIS 1: BASIC CONNECTION MANAGEMENT WITH NO TIMERS OR RESET

First of all, transitions involved with the transmission and reception of user data were not considered in this analysis. These transitions depend on variable values and interactions that are not modeled well by a finite-state machine. This information is handled by state variables within the transition program segments and cannot be analyzed by simply following transitions through the communicating FSM's. Also, since these data transitions can be repeated indefinitely during a protocol connection, any path analysis would give an infinite number of paths.

For the first analysis of the LLC protocol, the user reset request transitions were disabled. These transitions greatly increase the complexity of the analysis, and will be discussed in a later section. All transitions triggered by system events, such as timer expirations, were also disabled during the first analysis. These transitions will be discussed in a later section. In all of the analyses discussed here, the transitions triggered by the receipt of invalid PDU's were never used because the FSM analyzer program does not provide for the generation of invalid message events.

These restrictions limited the first analysis to a reduced automaton consisting of the four protocol states ADM, SETUP, NORMAL, and D-CONN, and 18 transitions. This automaton is shown in Fig. 1. The state ERROR was not used because of the restriction on invalid PDU's; state RESET was not used because user reset requests were disabled; and states BUSY, REJECT, AWAIT, AWAIT-BUSY, and AWAIT-REJECT were not used because they involve user data transmission.

We used a matrix notation to model states of the protocol. The entries of a state matrix for a system of two communicating protocol entities are shown below:

[State matrix: the diagonal entries are the states of protocol entities A and B; the off-diagonal entries are the channel contents in transit from A to B and from B to A. The typeset matrix itself is not recoverable from this extraction.]

This state matrix defines a state of the protocol system completely at any given time. The diagonal entries of each matrix give the states of the protocol entities. The off-diagonal entries give event numbers for messages that are in transit from one machine to another. If no message is in transit, then the matrix entry is an "E."

Using the reduced automaton, the FSM analyzer followed 406 paths through two communicating LLC entities. A diagram of the 45 system states visited during the analysis is shown in Fig. 2. Each path was found to possess the protocol properties mentioned in the abstract.

For each protocol path encountered during the analysis, the analyzer generated a sequence of the events visible at the interface between the protocol user and the corresponding protocol entity. These user event sequences represent the possible protocol interactions as seen by the protocol users, and are helpful in verifying a user service specification. Typically, the number of unique user event sequences is much smaller than the number of protocol paths, as many of the transitions do not have associated user events, and different transitions may have the same associated user events. In this analysis, 110 unique user event sequences were identified, and are shown in Fig. 3. Each path from the top node (Acr*) to a terminal node of the tree represents a set of symmetric paths. Each node marked with an (*) is a symmetry point. For any sequence in the figure, a symmetric sequence may be obtained by reversing the machine labels on a marked node and all of the nodes below it.

There are several interesting points that may be noticed from this diagram. Several of the paths include a reset indication to the protocol user, even though the reset request event was disabled in this analysis. The path (Acr Bcr Acc Adr Adc Bcc) seems strange because there is not a similar path with the Ari event before the Adr. Finally, it can be seen from the diagram that the user cannot issue a disconnect request at any time during the connection, but only at certain points.

Fig. 1. A simplified automaton for LLC. [Figure: transition diagram over the states ADM, SETUP, NORMAL, and D-CONN; the five transitions involving state RESET are only used for Analysis 3. The transition labels recoverable from the figure, written as input / output, are: U: connect-request / N: sabme-cmd; N: sabme-cmd / N: ua-rsp, U: connect-indication; N: sabme-cmd / N: dm-rsp; N: disc-cmd / N: dm-rsp; N: disc-cmd / N: ua-rsp; N: ua-rsp / U: connect-confirm; N: disc-cmd / N: dm-rsp, U: connect-confirm; N: dm-rsp / U: connect-confirm; N: dm-rsp / U: disconnect-confirm; N: ua-rsp / U: disconnect-confirm; N: sabme-cmd / N: dm-rsp, U: disconnect-confirm; U: disconnect-request / N: disc-cmd; N: disc-cmd / N: ua-rsp, U: disconnect-indication; U: reset-request / N: sabme-cmd; N: ua-rsp / U: reset-confirm; N: dm-rsp / U: reset-confirm; N: disc-cmd / N: dm-rsp, U: reset-confirm; N: sabme-cmd / N: ua-rsp, U: reset-indication; N: sabme-cmd / N: ua-rsp. The source and destination states of the arcs are not recoverable from this extraction.]

Fig. 3. User event sequences for analysis 1. [Figure: a tree of user event sequences rooted at Acr*. Legend: A = machine A, B = machine B; cr = connect request, dr = disconnect request, cc = connect confirm (success), cf = connect confirm (failed), ci = connect indication, dc = disconnect confirm, di = disconnect indication, ri = reset indication; * = symmetry with respect to A/B labels. The branches of the tree are not recoverable from this extraction.]
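As an added illustration (not the authors' FSM analyzer and not code from the paper), the following Python walk carries out the reachability analysis described in Section I on a reduced connection-management automaton of the kind used in Analysis 1: each system state is held the way the paper's state matrix holds it (the two entity states plus the A-to-B and B-to-A channels), every enabled user request or PDU reception is fired, and the walk reports incomplete states, deadlock states, the largest channel occupancy seen, and the user event sequences of the complete paths. The transition table is an assumption reconstructed from the labels of Fig. 1, not the paper's own 18-transition table, and each machine's connect request is limited to one traversal so that the number of paths stays finite.

```python
# Reduced LLC automaton: an ASSUMPTION reconstructed from the labels of Fig. 1,
# not the paper's 18-transition table. (state, input) -> (next, PDU out, user event)
FSM = {
    ("ADM", "U:connect_request"): ("SETUP", "SABME", None),
    ("ADM", "N:SABME"): ("NORMAL", "UA", "connect_indication"),
    ("SETUP", "N:UA"): ("NORMAL", None, "connect_confirm"),
    ("SETUP", "N:SABME"): ("SETUP", "UA", None),  # connect collision
    ("SETUP", "N:DM"): ("ADM", None, "connect_confirm_failed"),
    ("NORMAL", "U:disconnect_request"): ("D-CONN", "DISC", None),
    ("NORMAL", "N:DISC"): ("ADM", "UA", "disconnect_indication"),
    ("D-CONN", "N:UA"): ("ADM", None, "disconnect_confirm"),
    ("D-CONN", "N:DM"): ("ADM", None, "disconnect_confirm"),
    ("D-CONN", "N:DISC"): ("D-CONN", "DM", None),  # disconnect collision
}
INIT = ("ADM", "ADM", (), (), False, False)  # (A, B, ch A->B, ch B->A, A/B connect spent)
is_final = lambda s: s[0] == s[1] == "ADM" and not (s[2] or s[3]) and s[4] and s[5]

def offered_inputs(s, m):
    """Inputs offered to machine m (0 = A, 1 = B): user requests and the head PDU."""
    inputs = ["U:disconnect_request"] + ([] if s[4 + m] else ["U:connect_request"])
    return inputs + (["N:" + s[3 - m][0]] if s[3 - m] else [])

def step(s, m, inp):
    """Fire machine m's transition on inp; return (new system state, user event)."""
    nxt, pdu, uev = FSM[(s[m], inp)]
    t = list(s)
    t[m] = nxt
    if inp.startswith("N:"):
        t[3 - m] = s[3 - m][1:]  # consume the head of the incoming channel
    else:
        uev, t[4 + m] = inp[2:], t[4 + m] or inp == "U:connect_request"
    if pdu:
        t[2 + m] = s[2 + m] + (pdu,)  # append to the outgoing channel
    return tuple(t), ("AB"[m] + ":" + uev if uev else None)
def analyze():
    """Depth-first walk of every protocol path from INIT, as the FSM analyzer does."""
    incomplete, deadlocks, sequences, max_ch = set(), set(), set(), 0
    stack = [(INIT, ())]
    while stack:
        s, seq = stack.pop()
        max_ch = max(max_ch, len(s[2]), len(s[3]))  # boundedness: largest channel seen
        moves = []
        for m in (0, 1):
            for inp in offered_inputs(s, m):
                if (s[m], inp) in FSM:
                    moves.append((m, inp))
                elif inp.startswith("N:"):
                    incomplete.add(s)  # a PDU arrived that no transition receives
        if not moves:  # quiescent state: final only if both ADM with idle channels
            (sequences.add(seq) if is_final(s) else deadlocks.add(s))
        for m, inp in moves:
            t, uev = step(s, m, inp)
            stack.append((t, seq + ((uev,) if uev else ())))
    return {"incomplete": incomplete, "deadlocks": deadlocks,
            "sequences": sequences, "max_channel": max_ch}
```

Running analyze() on this subset reports no incomplete or deadlock states, a channel occupancy that never exceeds two PDUs, and one user event sequence per complete path, including the crossing-connect and crossing-disconnect cases that the paper's symmetry points stand for.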
Fig. 2. LLC system states for analysis 1. [Figure: graph of the 45 system states, each drawn as a state matrix, with channel events 1 = SABME-CMD, 2 = DISC-CMD, 3 = DM-RSP, 4 = UA-RSP. The notation n* stands for system state n and its subtree with the machine labels A and B interchanged. The diagram itself is not recoverable from this extraction.]

III. ANALYSIS 2: CONNECTION MANAGEMENT WITH TIMERS

This analysis uses the same automaton as the first analysis, with the addition that several of the transitions triggered by the expiration of acknowledgment timers are enabled. These transitions may be traversed at most once, to restrict the complexity of the analysis. Enabling these transitions added the states RESET and ERROR to the analysis as well as 25 additional transitions involved with the timers, error recovery, and resetting the connection.

Even though the timer expiration transitions could only be traversed once, enabling these transitions increased the complexity of the analysis tremendously. The number of protocol paths counted was over two billion, and the number of system states visited was 4727. Due to the complexity of this analysis, the user event sequences could not be generated with the current FSM analyzer. All paths were found to possess the protocol properties discussed earlier.

IV. ANALYSIS 3: CONNECTION MANAGEMENT WITH USER RESET REQUEST

This analysis uses the same automaton as the first analysis, with the addition that the transition triggered by a user reset
request was also enabled. This transition was limited to one traversal, to restrict the complexity of the analysis. Enabling this transition added the state RESET to the analysis as well as five transitions involved with the transmission of messages associated with the reset request. There were 69 system states visited during this analysis, and 3916 unique user event sequences were counted. As in the other analyses, all paths were found to possess the protocol properties discussed earlier.

The results of the above three analyses are summarized in Table I.

TABLE I
PROTOCOL INTERACTION PATHS, USER EVENT SEQUENCES, AND SYSTEM STATES FOR LLC DISCOVERED IN AUTOMATED ANALYSES 1, 2, AND 3

                                              Number of        Number of        Number of
                                              Protocol Paths   System States    Event Sequences
Analysis 1: Basic LLC
  (no ack timers, no reset request)           406              45               110
Analysis 2: Basic LLC plus some timers
  (no reset request)                          > 1 billion      4727             unknown
Analysis 3: Basic LLC plus reset request
  (no timers)                                 7551             69               3916

V. CONCLUSIONS

We have discussed the mechanical verification of a subset of the logical link control protocol using automated tools of a protocol development system [3]-[5]. One of these tools, the FSM analyzer, was used to verify several properties for the connection management aspects of the LLC protocol. These properties included completeness, deadlock freeness, termination, and boundedness. Each of the protocol subsets analyzed was found to possess these properties.

The FSM analyzer was applied to three different subsets of the LLC protocol. In order to limit the complexity of the analysis, transitions involving the transmission and reception of user data were disabled, and transitions trigg ered by the arrival of invalid PDU's were disabled. The first analysis also disabled the user reset request and all system events such as timer expirations. In this case, the analyzer was able to generate the sequence of user events associated with each protocol path. These sequences are presented in the paper and point out several interesting facts about the behavior of the protocol as seen by the protocol users.

The second analysis also disabled the user reset request, but did enable several of the transitions triggered by the expiration of acknowledgment timers. In this case, several billion paths were analyzed and checked for the protocol properties, but the analysis was too complex to allow the generation of user event sequences.

In the third analysis the system events were disabled, but the user reset request transitions were enabled. User event sequences were generated for this case. For further details, see [6].

REFERENCES

[1] "Draft Standard IEEE P802.2 logical link control," Sept. 1983.
[2] T. P. Blumer and D. P. Sidhu, "Formalization of the IEEE 802.2 logical link control protocol," #854, Iowa State Univ. Tech. Rep., Feb. 1985. (Available from the authors upon request; prepared for the IEEE 802 Standards Committee.)
[3] T. P. Blumer and R. L. Tenney, "A formal specification technique and implementation method for protocols," Comput. Networks, vol. 6, pp. 201-217, July 1982.
[4] T. P. Blumer and D. P. Sidhu, "Mechanical verification and automatic implementation of communication protocols," IEEE Trans. Software Eng., vol. SE-12, pp. 827-843, Aug. 1986.
[5] D. P. Sidhu and T. P. Blumer, "Verification of NBS class 4 transport protocol," IEEE Trans. Commun., vol. COM-34, pp. 781-789, Aug. 1986.
[6] T. P. Blumer and D. P. Sidhu, "Automated verification of the connection management aspects of the IEEE 802.2 logical link control protocol," #87-10, Iowa State Univ. Tech. Rep., July 1987. (Available from the authors upon request.)

Transmitter-Oriented Code Assignment for Multihop Packet Radio

TAREK MAKANSI

Abstract: Quasi-orthogonal codes are assigned to transmitters in a packet radio network such that interference caused by hidden terminals is eliminated. In addition, a handshaking protocol permits random access between nodes. Simple mathematical models and simulation indicate a potential throughput advantage over slotted ALOHA and CSMA.

Paper approved by the Editor for Random Access Systems of the IEEE Communications Society. Manuscript received March 18, 1986; revised April 30, 1987. This work was supported by the National Science Foundation under Grant ECS 8214860, SRI International, the California MICRO Program, Bell Laboratories, Digital Equipment Corporation, and Hewlett-Packard Corporation.
The author is with the Magnetic Recording Institute, General Products Division, IBM Corporation, San Jose, CA 95193.
IEEE Log Number 8717481.

INTRODUCTION

Multihop packet radio networks operating under random access protocols are susceptible to two types of interference: direct collisions, where two neighboring nodes transmit to each other at roughly the same time, and interference by hidden terminals, where the transmissions of radios separated by two hops overlap at the intermediate node. For ground packet radio switching, direct collisions are minimized by short propagation and carrier sense times. This paper will neglect direct collisions, and treat hidden terminal interference using a novel capacity assignment scheme.

The primary purpose is to investigate assignment of (quasi-)orthogonal codes to transmitters such that interference by hidden terminals is eliminated. Fig. 1 illustrates such a code assignment for an eight-node ring network. The transmissions of all pairs of nodes sharing a neighbor (i.e., those separated by two hops) are orthogonal by code assignment. Note how codes c1 and c2 are reused spatially to maximize spectral efficiency.

Transmitter-oriented code assignment (henceforth abbreviated as TOCA) is distinct from the more traditional receiver-oriented code assignment (ROCA). TOCA requires receivers to be dynamically tunable so a receiver can detect and receive waveforms of differing codes from its neighbors. Conversely, ROCA requires transmitters to be capable of transmitting multiple codes. The hardware implementation is more demanding for TOCA because both receivers and transmitters must be capable of using every code in the code set. ROCA, on the other hand, requires only transmitters to
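As an added example (not from the paper), the following Python code expresses transmitter-oriented code assignment as colouring of the two-hop conflict graph: every pair of nodes that share a neighbour must transmit on different codes, so that their packets cannot overlap at the common node. The ring topologies are constructed here, and the greedy assignment and the interference check are this example's own, not the author's scheme.

```python
from itertools import combinations

def ring(n):
    """Constructed topology: an n-node ring where node i hears nodes i-1 and i+1."""
    return {i: {(i - 1) % n, (i + 1) % n} for i in range(n)}

def hidden_terminal_pairs(adj):
    """Pairs of nodes that share a neighbour but are not neighbours themselves:
    their transmissions would overlap at the common node, so TOCA must give them
    different codes (direct collisions are neglected, as in the paper)."""
    pairs = set()
    for nbrs in adj.values():
        for a, b in combinations(sorted(nbrs), 2):
            if b not in adj[a]:
                pairs.add((a, b))
    return pairs

def assign_codes(adj):
    """Greedy transmitter-oriented assignment (this example's own heuristic, not
    the paper's): most-constrained node first, lowest code not already used by a
    node it conflicts with. Returns {node: code index}."""
    conflicts = {v: set() for v in adj}
    for a, b in hidden_terminal_pairs(adj):
        conflicts[a].add(b)
        conflicts[b].add(a)
    codes = {}
    for v in sorted(adj, key=lambda v: -len(conflicts[v])):
        used = {codes[u] for u in conflicts[v] if u in codes}
        codes[v] = next(c for c in range(len(adj)) if c not in used)
    return codes

def interference_free(adj, codes):
    """The TOCA property: every hidden-terminal pair transmits on different codes."""
    return all(codes[a] != codes[b] for a, b in hidden_terminal_pairs(adj))
```

For the eight-node ring of the paper's Fig. 1 the greedy assignment needs only two codes, reused around the ring as the text describes; a five-node ring needs three, because its two-hop conflict graph is an odd cycle.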