An Investigation of the Datagram Congestion Control Protocol's Connection Management and Synchronisation Procedures

Summary

Designing a new protocol has never been an easy task. Despite four decades of accumulated experience with protocol design, without formal methods it is difficult to design and specify a new protocol without any errors. Using a formal technique called Coloured Petri Nets (CPNs), this thesis investigates the connection management procedures of a new Internet transport protocol, the Datagram Congestion Control Protocol (DCCP), published as Request for Comments (RFC) 4340 by the Internet Engineering Task Force (IETF) in March 2006.

This thesis follows the development of this Internet Standard since Internet Draft version 5. A Coloured Petri Net software package called Design/CPN has been used to construct, maintain and analyse a CPN model of DCCP's connection management procedures. We iteratively refine the CPN model to incorporate DCCP's detailed procedures, including synchronisation. The research presented in this thesis has been published in 7 peer-reviewed articles in international journals and conferences. These articles form the basis of the thesis.

The development of the models and their analysis has revealed several subtle problems. Our early analysis results indicate that when DCCP version 5 or 6 operates over a reordering channel without loss, DCCP's connection establishment procedures can fail, resulting in deadlocks where the client is CLOSED but the server is OPEN. Although the IETF succeeded in removing these deadlocks by modifying the procedures, the changes introduced a serious problem called "chatter". Chatter comprises undesired (and possibly very long) exchanges of messages where no progress is made until finally the system corrects itself. Chatter creates unnecessary traffic which adversely affects congestion in the Internet, precisely the opposite of DCCP's intention. In this case we show that if the problem occurred, then the probability of over 2 billion messages being needlessly exchanged was greater than 0.99999.

This problem was reported to the IETF in September 2005 and was corrected and re-analysed within 24 hours. A number of other problems were also reported to the IETF in time for them to be rectified and the solutions incorporated before the final Internet Standard, RFC 4340, was published in March 2006. In April 2006 our further analysis of RFC 4340 shows that for a certain range of initial sequence numbers (when sequence numbers wrap), DCCP can fail to establish a connection, resulting in a deadlock where the client is CLOSED but the server is OPEN. These deadlocks can be removed if the application on the server issues a close command.
