Reverse path forwarding is a protocol for broadcasting messages throughout a network: a node forwards a message on its other links only if the message arrived on the link that the node would itself use to reach the originator. The intention is to preserve correctness (every message sent is eventually received by all nodes in the originator's connected component) whilst minimising the number of propagations of each message. We use a variety of analysis techniques to identify necessary additional constraints, and to prove correctness under these conditions. In particular we present counterexamples found by the FDR refinement checker and the Alloy Analyzer, illustrating that the protocol is incorrect if the cost of a link depends upon the node using that link. We then consider the case where the cost of a link is independent of the node using it; we use a special-purpose network sampling program to increase confidence in correctness under this stricter assumption, and then perform a hand proof to verify it. We conclude with a discussion of the suitability of these techniques for reasoning about protocols of this complexity.
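To make the forwarding rule and the cost condition concrete, the following Python simulation is an added example, not code from the paper and not the paper's own counterexample. It assumes one particular reading of "node-dependent cost": each node prices every link with its own cost table (`cost(viewer, a, b)`), computes its shortest path to the originator from that table, and treats the first hop on that path as the only link on which it accepts a broadcast. The four-node network, the link costs and the node names are constructed for the illustration. With a shared cost table every node is delivered to; with the constructed private tables two nodes each pick the other as their route to the source, so neither accepts the copy that actually arrives and the broadcast dies after two transmissions.

```python
import heapq

# Constructed four-node network (not from the paper): undirected links.
NETWORK = {
    "S": ["A", "B"],
    "A": ["S", "B"],
    "B": ["S", "A", "C"],
    "C": ["B"],
}


def _link(a, b):
    """Canonical key for an undirected link."""
    return tuple(sorted((a, b)))


# Node-independent costs: every node prices a link the same way.
SHARED_COSTS = {("A", "S"): 1, ("B", "S"): 1, ("A", "B"): 1, ("B", "C"): 1}


def cost_independent(viewer, a, b):
    return SHARED_COSTS[_link(a, b)]


# Assumed node-dependent model: some nodes carry a private cost table.
# A believes its own link to S is expensive and B's is cheap; B believes the mirror image.
PRIVATE_COSTS = {
    "A": {("A", "S"): 10, ("B", "S"): 1, ("A", "B"): 1, ("B", "C"): 1},
    "B": {("A", "S"): 1, ("B", "S"): 10, ("A", "B"): 1, ("B", "C"): 1},
}


def cost_dependent(viewer, a, b):
    return PRIVATE_COSTS.get(viewer, SHARED_COSTS)[_link(a, b)]


def next_hop_toward(graph, cost, node, target):
    """Dijkstra from `node`, pricing every link with `node`'s own view.
    Returns the first hop on node's chosen path to `target`, or None if
    unreachable. Neighbours are visited in name order so ties are deterministic."""
    dist = {node: 0}
    first_hop = {node: None}
    heap = [(0, node)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue  # stale heap entry
        if u == target:
            return first_hop[u]
        for v in sorted(graph[u]):
            nd = d + cost(node, u, v)
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                first_hop[v] = v if u == node else first_hop[u]
                heapq.heappush(heap, (nd, v))
    return None


def reverse_path_parents(graph, cost, source):
    """The link each non-source node will accept the broadcast on."""
    return {n: next_hop_toward(graph, cost, n, source) for n in graph if n != source}


def rpf_broadcast(graph, cost, source):
    """Simulate one reverse-path-forwarding broadcast from `source`.
    Returns (set of nodes that accepted the message, number of link transmissions)."""
    parent = reverse_path_parents(graph, cost, source)
    delivered = set()
    transmissions = 0
    pending = [(source, v) for v in sorted(graph[source])]
    while pending:
        sender, receiver = pending.pop(0)
        transmissions += 1
        if receiver == source or receiver in delivered:
            continue  # the originator never re-accepts; a node accepts at most once
        if parent[receiver] != sender:
            continue  # RPF check: not the link receiver would use to reach source
        delivered.add(receiver)
        # Accepted: propagate on every link except the one it arrived on.
        pending.extend((receiver, v) for v in sorted(graph[receiver]) if v != sender)
    return delivered, transmissions


if __name__ == "__main__":
    for name, cost in (("node-independent", cost_independent), ("node-dependent", cost_dependent)):
        print(name, reverse_path_parents(NETWORK, cost, "S"), rpf_broadcast(NETWORK, cost, "S"))
```

Under the shared table the parent links form a tree rooted at S (A and B accept from S, C from B), five link transmissions deliver the message to all three nodes, and the copies A and B exchange with each other are discarded by the reverse-path check. Under the private tables A's parent is B and B's parent is A, so the check rejects the copies arriving from S and C is never reached; this is the kind of dependence between a node's routing view and the forwarding decision that the symmetric-cost assumption rules out.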