Session 3: Industrial Protocols - PowerPoint PPT Presentation

1
Session 3 Industrial Protocols
  • Jonathan Billington
  • (joint with Bing Han (TCP), Chun Ouyang (IOTP))
  • Computer Systems Engineering Centre
  • School of Electrical and Information Engineering
  • University of South Australia
  • 26 September 2003

2
Introductory Remarks
  • Aim: give some insight into the application to
    practical protocols
  • Specification
  • Analysis
  • Service specification
  • Concentrate on TCP
  • Initial Results - Work in progress

3
Agenda
  • TCP Connection Management specification
  • TCP CM analysis
  • TCP Service specification
  • IOTP Specification
  • Conclusions

4
TCP Connection Management Specification and
Analysis: Initial Results
5
Outline
  • Overview of the Transmission Control Protocol
    (TCP)
  • TCP Connection Management
  • CPN Model of TCP Connection Management
  • Analysis Results
  • Conclusions and Future Work

6
Overview of TCP
Internet
  • Services provided to the application layer
  • Connection-oriented service
  • Reliable data transfer service
  • Flow Control
  • Multiplexing

7
TCP Segment Format (header fields, in order)
  • Source port, Dest. port
  • Sequence number
  • Acknowledgment number
  • HLEN, RSVD, FLAG (URG, ACK, PSH, RST, SYN, FIN), Window
  • Checksum, Urgent Pointer
  • Options (if any)
  • Data (if any)
8
TCP Connection Management
  • TCP establishes connections using what is called
    a 3-way handshake
  • This avoids the problem of old duplicates
  • Once established, data can be transferred in
    either direction independently
  • Connections are released gracefully: no data is
    lost in either direction
  • Connections can also be aborted, in which case data
    can be lost

9
Normal Scenario (Client and Server states, with the TCP segments exchanged)
  • Client: CLOSED -> SYN_SENT, sends SYN; Server is in LISTEN
  • Server receives SYN: LISTEN -> SYN_RECEIVED, sends SYN, ACK
  • Client receives SYN, ACK: SYN_SENT -> ESTABLISHED, sends ACK
  • Server receives ACK: SYN_RECEIVED -> ESTABLISHED
  • Data Transfer in both directions
  • Client sends FIN: ESTABLISHED -> FIN_WAIT_1
  • Server receives FIN: ESTABLISHED -> CLOSE_WAIT, sends ACK
  • Client receives ACK: FIN_WAIT_1 -> FIN_WAIT_2
  • Server sends FIN: CLOSE_WAIT -> LAST_ACK
  • Client receives FIN: FIN_WAIT_2 -> TIME_WAIT, sends ACK
  • Server receives ACK: LAST_ACK -> CLOSED
  • Client: TIME_WAIT -> CLOSED
10
TCP Finite State Diagram
11
Examining the Functional Behaviour of
TCP (Previous Work)
  • Connection management in transport protocols
    (Sunshine & Dalal 1978)
  • Modelling and analysis of DOD TCP/IP protocol
    using numerical Petri nets (Mehrpour & Karbouiak
    1990)
  • Formal verification of communication protocols
    (Smith 1996)
  • An analysis of TCP connection management using
    coloured Petri nets (Han & Billington 2001)

12
CPN TCP Specification
  • Separate the specification into
  • Connection management (CM) procedures
  • Data transfer procedures
  • Here only concerned with CM
  • Starting point is TCP state diagram
  • Enhanced by the description in section 3.9 of
    TCP's RFC 793

13
Modelling Assumptions and Abstraction
  • The communication channel does not lose, corrupt
    nor duplicate packets, but may re-order packets.
  • No retransmissions
  • A single connection instance (no port
    numbers)
  • Three TCP header fields are modelled:
  • the sequence number,
  • the acknowledgment number and
  • 4 bits of the FLAG field.

14
CPN Specification
  • Model TCP CM using 3 levels of hierarchy
  • Model both TCP entities using instances, since
    TCP is symmetrical
  • Include the IP service (just re-ordering)
  • Both 'intra-object' and 'inter-object' models
  • Use Design/CPN to construct the model
  • Net inscriptions are written in CPN ML.

15
Hierarchy Page
16
Top Level CPN Page TCP_Overview
17
Declarations - 1
  • User Commands
  • color COMMAND = with A_OPEN | P_OPEN | SEND |
    CLOSE;
  • Transmission Control Block (TCB)
  • color STATE = with CLOSED | LISTEN | SYN_SENT |
    SYN_RCVD | EST | CLOSE_WAIT | LAST_ACK | FIN_W1 |
    FIN_W2 | CLOSING | TIME_WAIT;
  • color SV = record RCV_NXT:Int * SND_NXT:Int *
    SND_UNA:Int * ISS:Int;
  • var v:SV;
  • color TCB = product STATE * SV;

18
Declarations - 2
  • Segments
  • color CTLbit = with SYN | ACK | FIN | RST;
  • color ACKflag = with on | off;
  • color SEG_CTL = product CTLbit * ACKflag;
  • color SEG = record SEQ:Int * ACK:Int * CTL:
    SEG_CTL;
  • var seg:SEG;
  • Additional Control
  • color LISTENflag = with l | c;

19
Second Level CPN Page TCP_CM
20
Third Level CPN Page CLOSED
21
Declarations - Functions
  • fun SYNseg(v:SV):SEG = {SEQ = ISS(v), ACK = 0,
    CTL = (SYN,off)};
  • fun SYNACKseg(v:SV):SEG = {SEQ = ISS(v),
    ACK = RCV_NXT(v), CTL = (SYN,on)};
  • fun ACKseg(v:SV):SEG = {SEQ = SND_NXT(v),
    ACK = RCV_NXT(v), CTL = (ACK,on)};
  • fun FINseg(v:SV):SEG = {SEQ = SND_NXT(v),
    ACK = RCV_NXT(v), CTL = (FIN,on)};
  • fun RSTackon(seg:SEG):SEG = {SEQ = 0,
    ACK = SEQ(seg)+1, CTL = (RST,on)};
  • fun RSTackoff(seg:SEG):SEG = {SEQ = ACK(seg), ACK = 0,
    CTL = (RST,off)};

22
Analysis Approach
  • Examine the terminal states (dead markings) for
    each case through automated reachability
    analysis.
  • If they are desired, then check the transition
    sequences.
  • If the sequence is problematic (not desired),
    find the transitions responsible for it.
  • Validate the model against the TCP definition -
    RFC 793.
  • If it is a true reflection, this indicates a
    problem with the definition.
  • Correct the problem, revise the model and
    re-analyse.

23
Cases and Models
  • Only consider connection establishment
  • Case 1: Client-server
  • M0(User_1) = 1`A_OPEN
  • M0(User_2) = 1`P_OPEN
  • Case 2: Simultaneous Open
  • M0(User_1) = 1`A_OPEN
  • M0(User_2) = 1`A_OPEN
  • Problems discovered in Case 2
  • Model A (original)
  • Model B (after first modification)
  • Model C (after second modification)

24
Reachability Analysis Results
25
Simultaneous Open (RFC 793)
  • Both sides: CLOSED -> SYN_SENT; one sends SYN J, the other SYN K
  • Each receives the other's SYN: SYN_SENT -> SYN_RECEIVED, and
    replies with SYN J, ACK K+1 and SYN K, ACK J+1 respectively
  • Each receives the other's SYN, ACK: SYN_RECEIVED -> ESTABLISHED
26
Model A: Unnecessary Acknowledgments
  • As in RFC 793: SYN J and SYN K, then SYN J, ACK K+1 and
    SYN K, ACK J+1, both sides in SYN_RECEIVED
  • On receiving the SYN, ACK each side additionally sends a plain
    acknowledgment: ACK (K+1, J+1) and ACK (J+1, K+1)
  • Both sides reach ESTABLISHED, but the two extra ACKs are unnecessary
27
Model B: Simultaneous Open Fails
  • SYN J and SYN K, then SYN J, ACK K+1 and SYN K, ACK J+1, both
    sides in SYN_RECEIVED
  • On receiving the SYN, ACK each side answers with a reset:
    RST (J+1, 0) and RST (K+1, 0)
  • Both sides end in CLOSED: the connection is never established
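The three slides above (Simultaneous Open, Model A, Model B) picture terminal states found by reachability analysis. The Python script below is an added example, not the authors' CPN model and not CPN ML: it builds the same kind of model (two symmetric TCP entities whose TCB keeps only the state, ISS, SND_NXT and RCV_NXT; a re-ordering channel that neither loses nor duplicates segments; no retransmissions) and runs an exhaustive breadth-first search over every interleaving, reporting the dead markings as (state of side 1, state of side 2, segments sent). The three variants of how a SYN-carrying segment arriving in SYN_RECEIVED or ESTABLISHED is handled are my reading of what the Model A/B slides depict and are assumptions, not the authors' actual modifications: variant A acknowledges and drops it (the RFC 793 sequence-number check fails because the peer's SYN carries SEQ = its ISS, already below RCV_NXT), variant B resets and closes, variant C accepts the acceptable ACK and completes the open. Also assumed: both user commands are executed before any segment arrives, and a segment arriving in CLOSED, or any other unexpected segment, is dropped. The segment count in each dead marking is what exposes the unnecessary acknowledgments.

```python
"""Exhaustive reachability analysis of TCP connection establishment.

Added illustration, not the slides' CPN model: two symmetric TCP entities,
a re-ordering channel with no loss, duplication or retransmission, and a
breadth-first search over all interleavings that collects the dead markings
(terminal global states). Variants A/B/C of SYN_RECEIVED processing are my
reading of the Model A / Model B slides, not the authors' actual revisions.
"""
from collections import deque, namedtuple

Seg = namedtuple("Seg", "seq ack flags")              # flags: frozenset of SYN/ACK/RST
Ent = namedtuple("Ent", "state iss snd_nxt rcv_nxt")  # the modelled part of the TCB


def flags(*names):
    return frozenset(names)


def open_cmd(e, cmd):
    """Apply a user command to an entity in CLOSED (A_OPEN or P_OPEN)."""
    if cmd == "A_OPEN":   # active open: send SYN(ISS), enter SYN_SENT
        return e._replace(state="SYN_SENT", snd_nxt=e.iss + 1), [Seg(e.iss, 0, flags("SYN"))]
    return e._replace(state="LISTEN"), []   # passive open


def receive(e, seg, variant):
    """Process one inbound segment; return (new entity, segments to send)."""
    s, f = e.state, seg.flags
    if "RST" in f:
        return e._replace(state="CLOSED"), []
    if "SYN" in f and s in ("SYN_RECEIVED", "ESTABLISHED"):
        # The peer's SYN carries SEQ = its ISS, which is already below our RCV_NXT.
        if variant == "A":   # RFC 793 first check: unacceptable SEQ -> acknowledge and drop
            return e, [Seg(e.snd_nxt, e.rcv_nxt, flags("ACK"))]
        if variant == "B" and s == "SYN_RECEIVED":   # SYN-bit check: reset and close
            return e._replace(state="CLOSED"), [Seg(seg.ack, 0, flags("RST"))]
        if variant == "C" and s == "SYN_RECEIVED" and seg.ack == e.iss + 1:
            return e._replace(state="ESTABLISHED"), []   # acceptable ACK completes the open
        return e, []
    if s in ("LISTEN", "SYN_SENT") and f == flags("SYN"):
        # SYN in LISTEN: normal open. SYN in SYN_SENT: simultaneous open.
        e = e._replace(state="SYN_RECEIVED", rcv_nxt=seg.seq + 1)
        return e, [Seg(e.iss, e.rcv_nxt, flags("SYN", "ACK"))]
    if s == "SYN_SENT" and f == flags("SYN", "ACK") and seg.ack == e.iss + 1:
        e = e._replace(state="ESTABLISHED", rcv_nxt=seg.seq + 1)
        return e, [Seg(e.snd_nxt, e.rcv_nxt, flags("ACK"))]
    if s == "SYN_RECEIVED" and f == flags("ACK") and seg.ack == e.iss + 1:
        return e._replace(state="ESTABLISHED"), []
    return e, []   # assumption: anything else (e.g. a segment arriving in CLOSED) is dropped


def canon(ch):
    """Channel as a canonical multiset: the channel re-orders, so order carries no information."""
    return tuple(sorted(ch, key=lambda s: (s.seq, s.ack, sorted(s.flags))))


def successors(m, variant):
    """All global states reachable in one step: deliver any in-flight segment to its receiver."""
    e, ch, sent = [m[0], m[1]], [list(m[2]), list(m[3])], m[4]   # ch[i]: segments sent by side i
    for side in (0, 1):
        inbound = ch[1 - side]
        for i, seg in enumerate(inbound):
            new_e, out = receive(e[side], seg, variant)
            ne, nch = list(e), list(ch)
            ne[side] = new_e
            nch[1 - side] = inbound[:i] + inbound[i + 1:]
            nch[side] = ch[side] + out
            yield (ne[0], ne[1], canon(nch[0]), canon(nch[1]), sent + len(out))


def dead_markings(cmd1, cmd2, variant, iss1=100, iss2=300):
    """Return {(state of side 1, state of side 2, segments sent)} for every terminal state."""
    # Assumption: both user commands are issued before any segment arrives.
    e1, out1 = open_cmd(Ent("CLOSED", iss1, iss1, 0), cmd1)
    e2, out2 = open_cmd(Ent("CLOSED", iss2, iss2, 0), cmd2)
    start = (e1, e2, canon(out1), canon(out2), len(out1) + len(out2))
    seen, queue, dead = {start}, deque([start]), set()
    while queue:
        m = queue.popleft()
        succ = list(successors(m, variant))
        if not succ:
            dead.add((m[0].state, m[1].state, m[4]))
        for n in succ:
            if n not in seen:
                seen.add(n)
                queue.append(n)
    return dead


if __name__ == "__main__":
    for variant in "ABC":
        print("client-server", variant, sorted(dead_markings("A_OPEN", "P_OPEN", variant)))
        print("simultaneous ", variant, sorted(dead_markings("A_OPEN", "A_OPEN", variant)))
```

Under these assumptions the client-server case terminates in ESTABLISHED/ESTABLISHED after three segments for every variant. For the simultaneous open, variant C always finishes after four segments, variant A reaches the same states but only after five or six (the surplus ACKs), and variant B has terminal markings in which both sides are CLOSED, i.e. the open has failed; it succeeds only on the interleavings where the channel delivers a SYN, ACK before the bare SYN.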
28
Conclusions
  • TCP connection management is modelled at a
    sufficient level of detail for a meaningful
    initial analysis.
  • Discovered two problems with the simultaneous
    open procedure in the TCP specification (RFC
    793).
  • Solutions are proposed and verified for both
    problems.

Future Work
  • Connection termination, Retransmissions
  • Lossy communication channel, Duplicate SYNs
  • Verification against service

29
Defining the Service Provided by TCP
30
Motivation
  • TCP: the dominant transport protocol in the Internet.
  • Specified in IETF RFC 793:
  • narrative descriptions
  • incomplete state transition diagram
  • implementation oriented
  • Problems with TCP
  • Murphy and Shankar (1991), RFC 2525 (1999), Han
    and Billington (2002)
  • Verification needed
  • Is TCP a faithful refinement of the TCP service?
  • Defining the service is the first step.

31
Motivation
  • Previous work on defining TCP service
  • RFC 983 (1986), RFC 1006 (1987), Murphy & Shankar
    (1991), RFC 1859 (1995), Smith (1996), RFC 2126
    (1997)
  • Inadequate in various ways
  • too close to user interface definition
  • some main service features not considered

32
Proposed Service Definition
  • Follows the OSI service conventions
  • Includes all required services
  • Normal and Simultaneous open
  • Normal and urgent data transfer
  • Graceful connection release
  • User and provider abort

33
Outline
  • TCP Service Definition
  • Service Primitives
  • State Table for local sequences
  • A CPN Specification of TCP Service
  • Global Sequences
  • Conclusions

34
TCP Service Concept (figure)
  • Two TCPS-users, an Initiator at SAP1 and a Responder at SAP2,
    communicate through the TCP Service Provider
  • Each user submits primitives to its SAP and has primitives
    delivered from it
  • Primitive types: Request, Indication, Response, Confirm
35
TCP Service Primitives
36
Normal Client-Server Scenario (time sequence diagram: SAP1 | SP | SAP2)
  • Connection Establishment: TCP-CONNECT req (SAP1) -> TCP-CONNECT ind (SAP2);
    TCP-CONNECT res (SAP2) -> TCP-CONNECT cnf (SAP1)
  • Data Transfer: TCP-DATA req (SAP1) -> TCP-DATA ind (SAP2)
  • Connection Release: TCP-RELEASE req (SAP1) -> TCP-RELEASE ind (SAP2);
    TCP-RELEASE res (SAP2) -> TCP-RELEASE cnf (SAP1)
37
Global Opening Scenarios (SAP1 | SP | SAP2)
  • Normal Connection Establishment: TCP-CONNECT req (SAP1) -> TCP-CONNECT ind (SAP2);
    TCP-CONNECT res (SAP2) -> TCP-CONNECT cnf (SAP1)
  • Simultaneous Connection Establishment: TCP-CONNECT req at both SAP1 and SAP2;
    TCP-CONNECT cnf at both SAP1 and SAP2
38
Local Sequencing Constraints
  • Need to define the sequences of primitives at
    each service access point
  • Define using a state table (following OSI
    conventions)
  • Based on OSI Transport and Session Services

39
Interface State Definition
40
TCP Service State Table
41
The FSA for a Local SAP
42
Client SAP State Table
43
CPN Model - Hierarchy Page
44
TCP Service Overview
45
Connection Establishment Service
46
Connection Establishment Service
(CPN page; only the place names survive in the transcript: CON, IDLE, OCP, IDLE, ICP)
47
Two Features of the CPN Model
  • Urgent data can overtake any amount of normal
    data in the queue.
  • When aborts are entered in the queue, any amount
    of data may be discarded.

Example queue contents: DATA, DATA, UDATA, ..., DATA, UDATA, DATA
Example queue contents: ..., ABORT
48
Data Transfer Service
49
Connection Release Service
50
Abort Service
51
CPN Model - Aborting Service
Guard: hd(rev(q)) = ABORT (the item most recently entered in the queue q is an ABORT)
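The two queue features stated above (urgent data overtaking normal data; aborts discarding queued data) and the guard hd(rev(q)) = ABORT can be made concrete in a few lines. The following is an added Python illustration, not the slides' CPN model: the encoding of which items a UDATA may overtake (only DATA items queued before it) and of what an ABORT discards (everything queued before it) is my own reading of the two bullets, and each function returns every behaviour the provider may choose, mirroring the way several CPN transitions can be enabled at once.

```python
"""Urgent data and abort handling in a service queue (added illustration).

Not from the original slides: a small Python model of the two queue features
and of the CPN ML guard hd(rev(q)) = ABORT. The functions return the set of
behaviours a CPN would enable, so the nondeterminism stays visible instead of
being resolved by a fixed scheduling choice.
"""


def hd_rev_is_abort(q):
    """CPN ML guard hd(rev(q)) = ABORT: the most recently queued item is an ABORT."""
    return len(q) > 0 and q[-1] == "ABORT"


def possible_deliveries(q):
    """Every (item delivered next, remaining queue) the service provider may choose.

    Encoding (my assumption):
    - the oldest item may always be delivered in order (FIFO);
    - a UDATA may overtake the DATA items queued before it (any amount of
      normal data, but not an earlier UDATA or ABORT);
    - an ABORT may be delivered at once, discarding everything queued before it.
    """
    q = list(q)
    if not q:
        return []
    options = [(q[0], q[1:])]
    for i in range(1, len(q)):
        if q[i] == "UDATA" and all(x == "DATA" for x in q[:i]):
            options.append((q[i], q[:i] + q[i + 1:]))
        elif q[i] == "ABORT":
            options.append((q[i], q[i + 1:]))
    return options


def delivery_sequences(q):
    """All orders in which the user may see the queued items delivered."""
    if not q:
        return {()}
    sequences = set()
    for item, rest in possible_deliveries(q):
        for tail in delivery_sequences(rest):
            sequences.add((item,) + tail)
    return sequences


if __name__ == "__main__":
    # Constructed sample queue, oldest item first.
    for seq in sorted(delivery_sequences(["DATA", "UDATA", "ABORT"])):
        print(" -> ".join(seq))
```

For the queue DATA, UDATA, ABORT the provider may deliver the items in five different ways, from the full in-order sequence down to an immediate ABORT that discards both data items; the "any amount" in the two bullets is exactly this range of choices.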
52
Global Primitive Sequences
  • Restrict to
  • Connection Establishment
  • Connection Release
  • Abort
  • Implies
  • Finite state space
  • Finite sequences
  • Can use OG and FSA minimisation
  • What about Data Transfer? (later)

53
State Space Statistics
(Table columns: Client-Server, Abort, Simultaneous, Abort; the figures did not survive the transcript)
54
Minimised FSA Statistics
(Table columns: Client-Server, Abort, Simultaneous, Abort; the figures did not survive the transcript)
55
Service Primitives Abbreviations
  • CREQ, CIND, CRES, CCNF / creq, cind, cres, ccnf: TCP-CONNECT req, ind, res, cnf
  • RREQ, RIND, RRES, RCNF / rreq, rind, rres, rcnf: TCP-RELEASE req, ind, res, cnf
  • AREQ, AIND / areq, aind: abort req, ind; PIND / pind: provider abort ind
56
57
Global Sequences of TCP CM Service Primitives
Automata reduction technique: Reachability Graph -> Service Language
58
A Connection Opening and Closing Scenario (SAP1 | SP | SAP2)
  • TCP-CONNECT req (SAP1) -> TCP-CONNECT ind (SAP2);
    TCP-CONNECT res (SAP2) -> TCP-CONNECT cnf (SAP1)
  • TCP-RELEASE req (SAP1) -> TCP-RELEASE ind (SAP2);
    TCP-RELEASE res (SAP2) -> TCP-RELEASE cnf (SAP1)
59
Conclusions and Future Work
  • The advantages of our TCP Service Definition:
  • Implementation independent
  • Includes all service features
  • The TCP service is formalised using CPNs
  • The global sequences are specified
  • Verification of CM
  • Need comprehensive CPN model of TCP Connection
    Management
  • Data Transfer Service
  • Infinite state space, but
  • Parameterise channel capacity

60
Internet Open Trading Protocol: Coloured Petri Net
Model
61
Overview
  • Hierarchy page

62
Top Level
  • IOTP_TopLevel page

color TRxTRxMQ = product tradingrole * tradingrole *
MsgQueue;
  • Four IOTP entities (trading roles) communicate
    with each other via a simple model of the
    underlying transport medium (HTTP service)

63
Trading Roles
  • Example: Consumer page

64
Transaction Level
  • Examples: Authentication transaction pages

AuthTr_C page
AuthTr_M page
65
Exchange Level (I)
  • Examples: Authentication document exchange pages

Authenticatee page
66
Exchange Level (II)
Authenticator page
67
Final Remarks
  • Specification of industrially relevant protocols
    (TCP, WAP, IOTP, RSVP, H.245)
  • using hierarchical HLNs such as CPNs
  • is feasible
  • Analysis and Verification
  • Feasible for CM and transaction protocols for
    small parameter values

68
Challenges
  • General results for all values of parameters for
    connection management and transaction protocols
  • Data transfer protocols
  • Arbitrary channel capacity
  • Parameters
  • sequence numbers
  • window sizes
  • retransmission counters

69
Challenges - 2
  • Verification techniques lifted to HLNs
  • McMillan's prefix (unfoldings)
  • Structural properties (traps)
  • On-the-fly comparison
  • Data independence
  • Different equivalences?
  • Service specifications
  • Inclusion: PL (protocol language) is a subset of SL (service language)
  • How do you specify acceptable subsets?
  • e.g. IOTP