1

Data Link Protocols

By Erik Reeber

2

Goals

• Use SPIN to model-check successively more complex protocols

• Using the protocols in Tannenbaum’s 3rd Edition of Computer Networks

• Compare this approach to using other verification tools

3

Background

• Processes communicate using layers

• Each layer provides services to higher-level layers and ultimately to the user

Physical

Data Link

Network

…

User Data

A Layered Packet

4

Data Link Layer

• Sits between the physical and network layers

• For our purposes: provides non-lossy, error-free, and ordered communication for the network layer

• The physical layer will provide error-free communication, but packets may get lost.

5

Specification

• Safety: [] ! Bad_network_packet

• Liveness: [] (network_message_sent -> <> network_message_received)

• A packet is “bad” if it is not the packet expected

6

Problems with the Spec

• Ideally, requires an infinite queue to check

• Ideally, any packet can be sent. This can be implemented in SPIN with:

packet new_packet;

do:: (i < PKT_SIZE) -> if :: true-> new_packet.p[i]++ :: true-> skip fi:: else -> breakod

7

Simplifications

• Use a finite queue, that loops around

• Use a packet size of 1, and pick between 0 and 1.

0,4,812,…

1 2 3

packet new_packet;

if:: true-> new_packet.p[0]=0:: true-> new_packet.p[0]=1fi

8

Why OK?

• Finite-queue of k elements: not always ok (consider k=2, and drop 2). We must prove:

[] ((network_sent – network_received) < k).

• Packet size 1: ok, since the physical layer can only lose packets. Any packet loss or reordering can be detected with just 1 bit.

9

Protocol 1• Assumes no packets are lost by the physical layer

• Assumes receiver infinitely fast

sender() { packet buffer; frame s; do :: true -> A_from_network?to_sender(buffer); s.info.p=buffer.p; A_to_physical!to_physical(s)}

receiver() { packet pack; frame r,s; do :: true -> B_wait_for_event?to_receiver(); B_from_physical_layer?to_receiver(r); pack.info.p = r.info.p; B_to_network!to_network(pack)}

10

Notes on Protocol 1

• I use separate processes for the network, physical, and data-link processes (6 processes already!)

• Wire is multiple channel, all other communication is done with 0 width (synchronous) channels.

• Need to add a constraint to both properties: [] (num_packets_in_DLR < 2)

• With the constraint, both properties went through SPIN

11

Protocol 2

• No longer assume infinite speed receiver

• Instead, receiver sends ack back to sender

A Bframe

ack

12

Notes on Protocol 2

• Up to 8 processes!

• Model-checker getting slow (liveness proof went 252,700 states deep)

• Never more than one message being dealt with at a time

• Both checks went through

13

Protocol 2_5

• Tannenbaum mentions a simple extension to protocol 2 to make it handle dropped messages. Just set a timer on the sender, if the timer buzzes resend.

• Why doesn’t that work?• Safety proofs goes through if add the condition

that the ack is never dropped

14

Protocol 3

• Truly handle lost messages

• Add a one bit sequence number to the message and the ack. Also timeout as in 2_5.

• But how does one implement a timer in SPIN…

15

Timer Implementations

• Use the timeout keyword:

• Had problems with the timeout keyword sticking

• Use the scheduler:

timer() { do :: timeout -> A_wait_for_event!to_sender(time_out) od}

timer() { do :: true -> A_wait_for_event!to_sender(time_out) od}

16

More timer implementations

• Use non-determinism:

timer() { do :: true -> do :: true -> skip :: true -> break od; A_wait_for_event!to_sender(time_out) od}

17

Notes on protocol 3

• Proved liveness with the scheduler’s timer and safety under the timeout keyword.

• Looking for the right timer implementation

• Made a pretty and an ugly version of protocol 3. The ugly version gets rid of the physical senders

18

Protocol 4

• Bidirectional

• 1-bit windowing protocol (only 1 bit ack)

• More efficient && symmetric

• Original implementation has 12 processes: my ugly version weans this down to 6 – and still does not make it through.

19

Notes on Protocol 4

• I tried using various forms of compression, but never got a full search

• On the other hand, between my 5 implementations of protocol 4, SPIN caught a lot of errors.

20

3 More Protocols?

• There are three more data link protocols in Tannenbaum’s book. First n-bit windowing, then 1-bit sliding window, and finally the n-bit sliding window protocol

• Since Protocol 4 did not go through, …

21

Spin v. ACL2

• ACL2 proof would work at a lower level:

• + ACL2 can handle more states• - if the user can do the proof• + SPIN has a better simulator: it’s tough to simulate this type of ACL2 code.

(defun next_system_state (i system_state) (cond ((== i 0) (execute_A system_state)) (t (execute_B system_state))))...(thm (and (not (get-val ‘bad_network_packet (init_state))) (implies (not (get-val ‘bad_network_packet s)) (not (get-val ‘bad_network_packet (next_system_state i s))))

22

Conclusions

• Model-checking complex protocols is hard

• SPIN is very good at helping users find bugs. The interactive simulator is useful.

• Try combining SPIN with theorem proving

23

Future Work

• Simplify the spec: Is there something simpler that will still distinguish ordering?

• Simplify the model: 6 processes are not really necessary.

• Implement a better timer

• Prove the network protocols in ACL2 or PVS for comparison