Parameterized model checking of Resource Reservation Protocol (slide transcript)

1
Parameterized model checking of Resource
Reservation Protocol
  • Igor V. Konnov, Vladimir A. Zakharov
  • Department of Computational Mathematics and
    Cybernetics, Lomonosov Moscow State University

2
Outline
  • Parameterized Model Checking
  • Invariants and simulation
  • ReSource reserVation Protocol
  • RSVP model in Promela
  • Checking properties on small-size instances of
    RSVP
  • Finding an invariant and building simulations
  • Open questions and conclusions

3
Parameterized Model Checking
  • We study the verification problem for families of
    distributed systems M_n, n > 1
  • Every system M_n is composed of some distinguished
    process Q and a number of isomorphic processes
    that are instances of the same prototype process
    P
  • M_n = Q || P || ... || P
  • In general, there may be several prototypes

4
PMC by invariants
  • We use the framework of network invariants by
    Clarke, Grumberg and Jha, omitting the step of
    abstraction
  • We introduced a quasi-block simulation ≼ which is
  • conservative under ACTL-X: for any formula φ,
    if A ≼ B and B ⊨ φ then A ⊨ φ
  • monotonic: if A ≼ B and C ≼ D then
    A || C ≼ B || D
  • Then to check that M_n ⊨ φ holds for every n it
    is sufficient to find an LTS I (the invariant)
    such that Q || P ≼ I and I || P ≼ I hold, and
    check that I ⊨ φ

5
Resource Reservation Protocol
  • RFC 2205 defines the RSVP protocol, which allows
    reserving bandwidth capacity on a route between a
    sender (producer) and a receiver (consumer of
    resources).
  • RSVP may be used to deliver audio or video
    traffic without visible delay.
  • Models of RSVP have already been partially
    checked by Creese and Reed, and by Villapol.

6
RSVP execution example
[Figure: message sequence chart between Sender
(Producer), Router and Receiver (Consumer), showing
the path, resv, data and tear messages exchanged
during a session]
7
Previous works on RSVP
  • Villapol (2003) partially described RSVP in Petri
    nets
  • That model focused on communication between a
    fixed number of processes (sender, receiver and
    several routers).
  • Creese and Reed (1999) described a model
    independent of the process count using process
    algebra
  • However, their model was designed to preserve
    only one property: reservation merging.

8
Building a model in Promela: problems
  • Infinite data types:
    • host address in unicast messaging,
    • channel capacity in a reservation request,
    • routers' channel capacity.
  • Unbounded number of outgoing edges in the
    communication topology.
  • Simultaneous sessions.
  • Dynamic network topology.
  • Failure of hosts.

9
Key abstractions
  • The routers and consumers form a binary tree (as
    in Creese and Reed 1999)
  • Producers use multicast messages only
  • No failures
  • Routers always have enough resources to satisfy a
    reservation request
  • Only one session is considered (as in Creese and
    Reed 1999 and Villapol 2003)

10
Checking several instances in Spin
  • Specification 1:
    G producer!path_tear →
    G producer!path_tear_acknowledge
  • Specification 2:
    G (router1.reserved → router1.parent!resv)
  • Absence of deadlocks and livelocks (this is of
    great importance to PMC!)

11
Building simulations
  • First, we concentrated on building a block
    simulation between two models, not taking
    divergence (paths ending in an infinite number of
    invisible transitions) into account

[Figure: one model is simulated by another]
12
Optimization of block simulation
  • While building block simulations we found a
    criterion on block simulation that greatly
    reduces the number of states to be checked
    (semi-block simulation)

13
Finding a counter-example that breaks simulation
  • What if a block simulation does not exist between
    models that seem to be similar?
  • How to find the difference in behaviour?
  • It would be great to build a counter-example
    formula or path
  • We have built a tool to find witness paths
  • It is mostly an ad hoc solution
  • It finds a lot of junk (false-negative paths)
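
As an added example, not code from the slides or from the authors' simulation checker, the following Python module works the two ideas of slides 4 and 13 through on small labelled transition systems: it computes the largest simulation relation between two LTSs as a greatest fixpoint, composes processes in parallel, checks the two premises of the network-invariant rule (Q || P ≼ I and I || P ≼ I), cross-checks the conclusion on an instance with several copies of P, and searches for a witness trace when simulation fails. Two assumptions are made: it uses ordinary weak simulation (a visible step x is matched by tau* x tau*, a tau step by tau*), which is coarser than the quasi-block and semi-block simulations of the talk, and the processes Q, P, I and P_BAD are constructed toy producer/reserver machines, not the RSVP model.

```python
# Added example: weak simulation, parallel composition and the
# network-invariant rule on toy LTSs (not the authors' checker or model).
from collections import deque
from itertools import product

TAU = "tau"  # invisible (internal) action

class LTS:
    """Labelled transition system; trans is a set of (src, action, dst)."""
    def __init__(self, init, trans, alphabet=None):
        self.init, self.trans = init, set(trans)
        self.states = {init} | {x for s, _, d in self.trans for x in (s, d)}
        self.alphabet = (set(alphabet) if alphabet is not None
                         else {a for _, a, _ in self.trans if a != TAU})
    def succ(self, s, a):
        return {d for x, b, d in self.trans if x == s and b == a}
    def out(self, s):
        return [(b, d) for x, b, d in self.trans if x == s]

def compose(a, b):
    """a || b: synchronise on shared visible actions, interleave the rest."""
    shared = a.alphabet & b.alphabet
    trans = set()
    for s1, s2 in product(a.states, b.states):
        for act, d1 in a.out(s1):
            if act in shared:
                trans |= {((s1, s2), act, (d1, d2)) for d2 in b.succ(s2, act)}
            else:
                trans.add(((s1, s2), act, (d1, s2)))
        for act, d2 in b.out(s2):
            if act not in shared:
                trans.add(((s1, s2), act, (s1, d2)))
    return LTS((a.init, b.init), trans, a.alphabet | b.alphabet)

def weak_steps(lts):
    """step(s, x): states reachable by s =x=>, i.e. tau* x tau* (tau* for TAU)."""
    eps = {s: {s} for s in lts.states}
    changed = True
    while changed:  # tau-closure, iterated to a fixpoint
        changed = False
        for s in lts.states:
            grown = eps[s] | {d for t in eps[s] for d in lts.succ(t, TAU)}
            if grown != eps[s]:
                eps[s], changed = grown, True
    def step(s, x):
        if x == TAU:
            return eps[s]
        return {u for t in eps[s] for d in lts.succ(t, x) for u in eps[d]}
    return step

def simulation(a, b):
    """Largest weak simulation, as a greatest fixpoint: start from all pairs,
    drop (s, t) while some s -x-> d has no t =x=> t2 with (d, t2) still kept."""
    step, rel = weak_steps(b), set(product(a.states, b.states))
    changed = True
    while changed:
        changed = False
        for s, t in list(rel):
            if not all(any((d, t2) in rel for t2 in step(t, x)) for x, d in a.out(s)):
                rel.discard((s, t))
                changed = True
    return rel

def is_simulated_by(a, b):
    """a <= b; simulation implies weak trace inclusion, so trace properties of b hold for a."""
    return (a.init, b.init) in simulation(a, b)

def witness_trace(a, b):
    """Shortest visible trace of a that b cannot perform, or None.  Such a trace
    refutes a <= b; a <= b can also fail without one, which makes witnesses hard."""
    step = weak_steps(b)
    start = (a.init, frozenset(step(b.init, TAU)))
    queue, seen = deque([(start, [])]), {start}
    while queue:  # run a against the determinised weak behaviour of b
        (s, bset), trace = queue.popleft()
        for x, d in a.out(s):
            nxt = bset if x == TAU else frozenset(u for t in bset for u in step(t, x))
            if not nxt:
                return trace + [x]
            if (d, nxt) not in seen:
                seen.add((d, nxt))
                queue.append(((d, nxt), trace if x == TAU else trace + [x]))
    return None

def invariant_rule(q, p, inv):
    """Premises Q||P <= I and I||P <= I; monotonicity of || then gives Q||P||...||P <= I."""
    return is_simulated_by(compose(q, p), inv) and is_simulated_by(compose(inv, p), inv)

# Constructed toys (assumption, not RSVP).  Q: producer sending `path`, awaiting `resv`.
# P: relays `path`, reserves internally (tau), answers `resv`.  I: candidate invariant.
# P_BAD: may also drop a pending request with `tear`, which I can never match.
Q = LTS(0, {(0, "path", 1), (1, "resv", 0)})
P = LTS(0, {(0, "path", 1), (1, TAU, 2), (2, "resv", 0)})
I = LTS(0, {(0, "path", 1), (1, "resv", 0)})
P_BAD = LTS(0, {(0, "path", 1), (1, TAU, 2), (2, "resv", 0), (1, "tear", 0)})

if __name__ == "__main__":
    print("Q||P <= I and I||P <= I:", invariant_rule(Q, P, I))
    print("Q||P||P||P <= I:", is_simulated_by(compose(compose(compose(Q, P), P), P), I))
    print("Q||P_BAD vs I witness:", witness_trace(compose(Q, P_BAD), I))
```

Running the module shows the rule succeeding for P (and the direct check of an instance with three copies of P agreeing), while for P_BAD it fails and the witness search reports the trace path, tear, which the candidate invariant cannot perform. The witness search is deliberately a trace-inclusion check rather than a simulation game, so it can come back empty when simulation fails for a branching reason only; that is the gap the slide's "junk paths" remark is about.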

14
Inconsistencies in our model
  • The following inconsistencies were found while
    building the block simulation (without additional
    specifications)
  • Routers could close a session twice (and receive
    tear_down), while receivers could not
  • Routers could send data after the session had
    already been closed
  • Internal cycles in routers that caused livelocks

15
General inconsistencies in a model that break block
simulation
  • Deadlocks in models with a larger number of
    processes (w.r.t. the invariant)
  • Livelocks in small models (they break divergence)
  • Absence of reaction to incoming messages in
    processes
  • Summary (a bit obvious): small instances should
    be thoroughly checked before looking for an
    invariant

16
Finding an invariant
  • The parameterized network is described by the
    following network grammar:
    P → p 1 T
    T → r 2 T 3 T
    T → r 2 c 3 c
  • Using the technique of invariants (CGJ95), we
    tried to find an invariant among the models
    derived from the non-terminal T
  • The model r 2 c 3 c is not an invariant
  • We made an attempt to check the model
    r 2 (r 2 c 3 c) 3 (r 2 c 3 c)

17
Invariant Model of T
  • Any model derived from non-terminal T is
    simulated (in terms of semi-block and quasi-block
    simulation) by the following model

[Figure: the invariant model of T, a binary tree of
three routers R with four consumer leaves C]
18
Models to compare
[Figure: the five models (1) to (5) compared by
semi-block simulation]
19
Results of building semi-block simulation
20
Positive achievements
  • The model of RSVP in Promela
  • Testing of the technique and of the simulation
    checker on a large problem
  • Semi-block simulation, which reduces computation
    time
  • A way to compare smaller models (slide 18)

21
Open questions
  • We did not compare block simulation and branching
    bisimulation in practice
  • The algorithm for computing semi-block simulation
    should be improved to cope with large state
    spaces
  • We need a better tool to build counter-examples
    when block simulation fails
  • Maybe the reduction on slide 18 can be done
    automatically using a theorem prover

22
Conclusions
  • We successfully applied the technique of network
    invariants to an interesting protocol and
    performed parameterized model checking.
  • It would be great:
  • to refine our model and make it less abstract,
  • to deal with conditions on data types over
    infinite domains.

23
References
  • E.A. Emerson, K.S. Namjoshi. Reasoning about
    rings. In Proceedings of the 22nd ACM Symposium
    on Principles of Programming Languages (POPL95),
    1995, pp. 85–94.
  • E.M. Clarke, O. Grumberg, S. Jha. Verifying
    parameterized networks using abstraction and
    regular languages. In Proceedings of the 6th
    International Conference on Concurrency Theory
    (CONCUR95), 1995.
  • S.J. Creese, J. Reed. Verifying End-to-End
    Protocols Using Induction with CSP/FDR. In
    IPPS/SPDP Workshops, 1999, pp. 1243–1257.
  • M. Villapol. Modelling and Analysis of the
    Resource Reservation Protocol using Coloured
    Petri Nets. PhD Thesis, Institute for
    Telecommunications Research and Computer Systems
    Engineering Centre, University of South
    Australia, 2003.
  • R. van Glabbeek, W.P. Weijland. Branching time
    and abstraction in bisimulation semantics.
    Journal of the ACM 43(3), 1996, pp. 555–600.