USC Computer Science Technical Reports, no. 663 (1998)
Systematic Testing of Multicast Protocol Robustness
PhD Dissertation Proposal
by
Ahmed A-G Helmy
Computer Science Department
University of Southern California
Los Angeles, CA
email: ahelmy@usc.edu
December

Abstract

The past few years have witnessed unprecedented growth of the Internet. Several new service models have been introduced since. In particular, the advent of the IP multicast technology has contributed to the success of the Internet as a medium for wide-area group communication. Multicast protocols support an important class of applications, ranging from multimedia conferencing to network games. Due to this growth, the degree of heterogeneity of the network components has radically increased, leading to added complexity in the design and testing of network protocols. In the presence of network failures, unexpected combinations of events can drive protocols into undesirable states and may lead to errors. Anticipating all such cases is often impossible, and at best may require extensive simulation and testing. In large systems, the cost of testing all possible scenarios exhaustively is prohibitive, and many unexpected cases are not observed until deployment.

This problem is even more complex in the context of multicast. Unlike the traditional unicast protocols, where only a single sender and a single receiver are involved, a multicast group may involve multiple senders and receivers. This characteristic introduces new challenges to the design and testing of multicast protocols. For such protocols, conventional formal or analytical methods tend to be complex, sometimes rendering the protocol model intractable.

This thesis presents a framework for evaluating multicast protocol behavior in the presence of network failures. Our goal is to provide practical methods and tools to aid in the design and systematic testing of multicast protocols.

This document gives an overview of the framework that integrates automatic test generation with simulation and implementation code, and demonstrates how it can be applied to multicast routing protocols. We develop and investigate three different approaches for protocol test generation: heuristic, fault-independent, and fault-oriented test generation. We apply these approaches to multicast routing in a limited network environment. Our future research will extend this network environment and investigate methods for studying the behavior of end-to-end multicast protocols.

Contents

Introduction Brief Overview of Multicast Related Work Protocol Verification Theorem Proving Reachability analysis Conformance Testing VLSI Chip Testing Proposed Approach Framework Overview Test Generation Detailed Simulation Implementation Interface System Model and Definition The system model Test Sequence Definition Test Input Pattern Test requirement Brief description of PIM-DM The Protocol Model Heuristic Test Generation Overview Scenario Generation Simulation and Tracing Output Analysis Case Study Topology Equivalence Test suites Applying the Method Fault-independent Test Generation Formalism Fault-independent Test Generation Algorithm Obtaining Correct States Obtaining Error States Protocol mechanisms Mapping error transitions into host events Getting to the correct state using host events Example Fault-Oriented Testing Generation FOTG Overview The Protocol Model Transition Table State Dependency Table FOTG details Fault-oriented Analysis of PIM-DM Comparison of the Approaches Summary and Future Work Contributions Future Work Multicast Routing End-to-end Multicast Expected Contributions Potential Applications of the Method Method Evaluation A Case Study for PIM-SM A PIM-SM Overview A Test suites A Applying the Method A Scenario and protocol coverage A Results A Summary of Results A Detailed Results

Introduction

Network protocol errors are often detected by application failure or performance degradation. Such errors are hardest to diagnose when the behavior is unexpected or unfamiliar. Even if a protocol is proven to be correct in isolation, its behavior may be unpredictable in an operational network, where interaction with other protocols and the presence of failures may affect its operation.

Protocol errors may be very costly to repair if discovered after deployment. Hence, endeavors should be made to capture protocol flaws early in the design cycle, before deployment.

Many researchers have developed protocol verification methods to ensure that certain properties of a protocol hold, properties like freedom from deadlocks or unspecified receptions. Much of this work, however, was based on abstract mathematical models, with assumptions about the network conditions that may not always hold in today's Internet, and hence may become invalid. Other approaches, such as reachability analysis, attempt to check the protocol state space, and generally suffer from the state explosion problem. This problem is exacerbated with the increased complexity of the protocol.

Network protocols are becoming more complex with the exponential growth of the Internet and the introduction of new services at the network, transport and application levels. In particular, the advent of IP multicast and the MBone enabled applications ranging from multi-player games to distance learning and teleconferencing, among others. To date, little effort has been exerted to formulate systematic methods and tools that aid in the design and characterization of these protocols.

In addition, researchers are observing new and obscure, yet all too frequent, failure modes over the internets. Such failures are real and are becoming more frequent, mainly due to the increased heterogeneity of technologies, interconnects and configuration of various network components. Due to the synergy and interaction between different network protocols and components, errors at one layer may lead to failures at other layers of the protocol stack. Furthermore, degraded performance of low-level network protocols may have ripple effects on end-to-end protocols and applications.

To provide an effective solution to the above problems, we present a framework for the systematic design and testing of multicast protocol robustness. The framework integrates test generation algorithms with simulation and implementation code. We propose a suite of practical methods and tools for automatic test generation for stacks of network protocols.

Thus far, we have investigated three approaches for test generation. The first is a heuristic approach that uses topological and event equivalence relations to reduce the problem space, and is used in conjunction with simulation. The second approach, fault-independent test generation, uses a forward search algorithm to explore a subset of the protocol state space to generate the event tests automatically. State and fault equivalence relations are used in this approach to reduce the state space. The last approach is fault-oriented test generation, that uses a mix of forward and backward search techniques to synthesize test events and topologies automatically.

We have also built a partial prototype of these methods in a network simulator, and applied it to two multicast routing protocols adopted by the Internet community: PIM-DM and PIM-SM. Our case studies revealed several design errors, for which we have formulated solutions with the aid of this systematic process.

Areas of future work include quantitative comparison between the different methods, using richer failure and network models, studying the ripple effects of network protocol failures on end-to-end multicast protocols, and investigating performance sensitivity analysis methods for end-to-end multicast applications.

The rest of this document is organized as follows. Section gives a brief overview of multicast, and section presents related work in protocol verification, conformance testing and VLSI chip testing. Section introduces the proposed framework, then discusses the system model used, and describes the three test generation approaches, concluding by a qualitative comparison of these approaches. A summary of the contributions, with a plan of the future work and expected contributions, are presented in section

Brief Overview of Multicast

Multicast protocols are the class of protocols that support group communication. A multicast group may involve multiple receivers and one or more senders. In this thesis, we address multicast protocols for the Internet based on the IP multicast model. These protocols include multicast routing protocols (e.g. DVMRP, MOSPF, PIM-DM, CBT and PIM-SM), multicast transport protocols (e.g. SRM, RTP and RTCP), and multi-party applications (e.g. WB, vat, vic, nte and sdr). This study focuses on multicast routing protocols, which deliver packets efficiently to group members by establishing distribution trees. Figure shows a very simple example of a source S sending to a group of receivers R_i.

[Figure: Establishing multicast delivery tree. S: sender to the group; Ri: receiver i of the group (R1 through R5).]

Multicast distribution trees may be established by either broadcast-and-prune or explicit join protocols. In the former, such as DVMRP or PIM-DM, a multicast packet is broadcast to all leaf subnetworks. Subnetworks with no local members for the group send prune messages towards the sources of the packets to stop further broadcasts. Link state protocols, such as MOSPF, broadcast membership information to all nodes. In contrast, in explicit join protocols, such as CBT or PIM-SM, routers send hop-by-hop join messages for the groups and sources for which they have local members. When received, these messages build routing state in routers and cause further messages to be sent upstream until the distribution tree is established. Upon receiving a multicast packet, a router forwards the packet according to the routing state.

We are particularly interested in multicast routing protocols because they are vulnerable to failure modes, such as selective loss, that have not been traditionally studied in the area of protocol design.

For most multicast protocols, when routers are connected via a multi-access network (or LAN), hop-by-hop messages are multicast on the LAN, and may experience selective loss, i.e. may be received by some nodes but not others. The likelihood of selective loss is increased by the fact that LANs often contain hubs, bridges, switches and other network devices. Selective loss may affect protocol robustness.

Footnote: We use the term LAN to designate a connected network with respect to IP-multicast. This includes shared media (such as Ethernet or FDDI), hubs, switches, etc.

Similarly, end-to-end multicast protocols and applications must deal with situations of selective loss. This differentiates these applications most clearly from their unicast counterparts, and raises interesting robustness questions.

Our case studies illustrate why selective loss should be considered when evaluating protocol robustness. This lesson is likely to extend to the design of higher layer protocols that operate on top of multicast, and can have similar selective loss.

Related Work

The related work falls mainly in the field of protocol verification and conformance testing. In addition, some concepts of our work were inspired by VLSI chip testing. Most of the literature on multicast protocol design addresses architecture, specification, and comparisons between different protocols. We are not aware of any other work to develop systematic methods for testing multicast protocol robustness.

There is a large body of literature dealing with verification of communication protocols. Protocol verification typically addresses well-defined properties, such as safety properties (freedom from deadlocks) and liveness properties (freedom from starvation).

In general, the two main approaches for protocol verification are theorem proving and reachability analysis (or model checking).

Theorem proving systems define a set of axioms and construct relations on these axioms. Desirable properties of the protocol are then proven mathematically. Theorem proving includes model-based and logic-based formalisms, including first and higher order logic.

Reachability analysis algorithms try to generate and inspect all the protocol states that are reachable from given initial states. Such algorithms suffer from the state space explosion problem, especially for complex protocols. To circumvent this problem, state reduction and controlled partial search techniques could be used. These techniques focus only on parts of the state space and may use probabilistic, random or guided searches.

In section we outline the main characteristics of protocol verification approaches and discuss the adequacy of these approaches for the verification of multicast protocol robustness.

Conformance testing is used to check that a given implementation of a protocol is equivalent to its specification. It does not target design errors, but implementation errors, and uses search techniques to attempt to cover the state space of the implementation. We discuss conformance testing in section

There is an analogy between our work and VLSI chip testing. Chip test generation methods attempt to generate test vectors to reveal faults in the VLSI fabrication process. These methods define a fault model and a circuit model for the chip under test, and usually use search algorithms to find patterns exposing expected faults. The Built-In-Self-Test (BIST) integrates test generation and fault detection algorithms in one scheme. VLSI chip testing schemes are discussed in section

Other related work includes a new approach for verification of cache coherence protocols. This recent study shows how reachability analysis complexity can be reduced by using equivalence relations and symbolic representation of states. A global FSM (finite state machine) model was used to characterize the protocol behavior. One of our approaches in section adopts some of the principles presented in the above study.

Protocol Verification

Protocol verification is the problem of ensuring the logical consistency of the protocol specification, independent of any particular implementation. Protocol verification typically addresses safety, liveness and responsiveness properties. Safety properties include freedom from deadlocks, assertion violations, improper terminations and unspecified receptions. Liveness properties include detection of acceptance cycles and absence of non-progress cycles, while responsiveness properties include timeliness and fault tolerance, which recovers the system to a legal state to resume normal execution from an illegal state. Most protocol verification systems aim to detect violations of these protocol properties.

Although we cannot do justice to the extensive body of work in this area, we shall dwell upon some of the main aspects and common approaches to protocol verification. There are two main approaches to protocol verification: theorem proving (using formal methods) and reachability analysis (sometimes called model checking).

Theorem Proving

In theorem proving, system properties are expressed in logic formulas, defining a set of axioms and rules. In contrast to reachability analysis and model checking, theorem proving can deal with infinite state spaces. However, interactive theorem provers require human intervention, and hence are slow and error-prone.

Theorem proving includes model-based and logic-based formalisms. Model-based formalisms, such as Z and Vienna Development Method (VDM), are suitable for protocol specifications in a succinct manner, but lack the tool support for effective proof of properties. The use of first order logic allows the use of theorem provers, such as the Boyer-Moore logic prover (Nqthm), but may result in specifications that are difficult to read. Higher order logic, such as Prototype Verification System (PVS), provides expressive power for clear descriptions and proof capabilities for protocol properties.

In general, theorem proving systems require the definition of a set of axioms and the construction of relations based on these axioms. The number of axioms and relations grows with the complexity of the protocol. These systems require strong mathematical background and understanding. The fact that axiomatization is not algorithmic may limit the use of theorem proving systems. Moreover, these systems work with abstract specification of the protocol, and hence tend to abstract out some protocol mechanisms that may cause problems we are addressing in this study.

Several attempts to apply formal verification to network protocols have been made. For example, assertional proof techniques were used to prove distance vector routing, path vector routing and route diffusion algorithms and using communicating finite state machines.

An example point-to-point mobile application was proved using assertional reasoning in using UNITY. Axiomatic reasoning was used in proving a simple transmission protocol in. Algebraic systems based on the calculus of communicating systems (CCS) have been used to prove CSMA/CD. Formal verification has been applied to TCP and T/TCP in

In all, formal verification methods may be important to protocol design. However, they have not been applied to wide-area multicast or complete routing protocols. We believe that theorem proving systems will be even more complex, and perhaps intractable, in the context of multicast protocols.

Reachability analysis

Most automated verification systems are based on exhaustive reachability analysis. To establish the observance of state invariants, it is sufficient to verify their correctness with a test for each state that is reachable from a given initial system state. The main problem that must be addressed in the design of such a system is the state space explosion problem.

Verification of state properties includes assertion violations and improper terminations. Verification of sequences of states includes non-progress conditions and temporal claims.

A reachability analysis algorithm attempts to generate and inspect all the states of a distributed system that are reachable from a given initial state. The three main types of reachability analysis algorithms are: full search, controlled partial search, and random simulation.

If full search exceeds the memory or time limits, it effectively reduces to an uncontrolled partial search, and the quality of the analysis deteriorates quickly. Controlled partial search attempts to select a fraction of the full state space that can be searched within given time and space constraints. Random walk of the state space may be used for very large state spaces where full or partial search is not feasible.

The typical measures of reachability analysis quality are:
- state coverage: the fraction of system states tested, i.e. $\frac{\text{Number of Tested States}}{\text{Total Number of States}}$
- error coverage: the fraction of system errors found. This measure represents the ability to find errors and is not easily quantified, since the total number of errors present is usually unknown.

In practice, however, these measures may not be obtainable for complex protocols.

Full State Space Search. A finite state machine (FSM) is defined by a finite number of states and state transitions. Each state transition has a precondition and an effect, or a postcondition. The transition is enabled only if the precondition holds. The effect of an execution can change the state of the system.

A reachable state or sequence of states can be checked for general safety conditions (e.g. absence of deadlocks or buffer overruns) or protocol-specific requirements (e.g. temporal claim about a retransmission discipline).

States are stored and retrieved from a working set W. The algorithm performs a breadth-first (BF) or a depth-first (DF) search of the state space tree. BF finds the shortest error sequences first. DF requires a smaller work set W in general. The depth of the search tree depends on the maximum length of a unique execution sequence. The width of the tree, on the other hand, is determined by maximum number of distinct execution sequence, usually a much larger number. For example, a protocol with successors for every state, after n transitions the breadth is n states, while depth is only n states.

In DF, when an error is discovered, an execution sequence leading to the error may be easily produced. For BF, however, the execution sequence (path) must be reconstructed.

Controlled Partial Search is based on the premise that in most cases of practical interest, the maximum number of states that can be analyzed, A, is only a fraction of the total number of reachable states R. Objectives of controlled partial search are to analyze precisely A states with $A = M/S$, where M is the memory available and S is the memory required to store one system state, such that (a) all major protocol functions are tested, and (b) the search quality (i.e. the probability of finding any given error) is better than the coverage $A/R$. Some controlled partial searches are based on:
- depth-bounds: bounds are placed on the length of the execution sequences that are analyzed, limiting the search to a useful subset of behaviors, ruling out degenerate cases of multiple overlapping sequences.
- scatter-search: executions that lead closer to potential error states are selected. For deadlock, for example, an algorithm favors receive operations over send operations, since one of the requisites of a deadlock is that all channels are empty. Hence, may increase the probability of finding errors fast.
- guided-search: the selection criterion is a cost function that is dynamically evaluated for each successor state. Not much has been proven about how useful a cost function is.
- probabilistic search: successor states are explored in decreasing order of their probability of occurrence. Transitions in the system are tagged by probability of occurrence, and these are used as the selection criterion.
- partial orders: the main factor responsible for the state space explosion problem is the large number of possible interleavings of concurrent events. Not all interleavings are necessarily relevant in the search for error states. The goal is to prune away that part of the search proven to be irrelevant or redundant. One approach to achieve this is the formal definition of equivalence relations on system behavior.
- random selections: simplest, and may satisfy the objectives of controlled partial search.

The first methods try to predict where the errors in a protocol can be found, which may be inherently risky, since one purpose of automatic verification is to capture unpredictable errors. Partial orders and random selection of successor states, in principle, avoid that problem. For partial orders, it is not trivial to prove irrelevance. For example, if process A interacts with process C, and B with C, there may be an implicit interaction between A and B. One cannot assume that A and B are disjoint and that all possible interleavings of their behaviors are necessarily equivalent.

Random Simulation. Random simulation may be used for huge problem sizes, where the memory requirements are larger than the available memory. This approach discards sets A (the analyzed set of states) and W (the working set), and explores the state space with random simulation or random walk. The quality of the algorithm in this case cannot be directly measured, and the state coverage depends on the time given for simulation.

Recently, several researchers developed approaches to tackle the state explosion problem in a more uniform manner. We mention here fair reachability and leaping reachability analysis. In both cases, the protocol may be represented by communicating finite state machines (CFSM).

In the fair reachability analysis, the state reduction is achieved by forcing the protocol to progress through fair execution sequences, and hence cutting down the redundancy of state exploration. However, the result given in the above study only applies to the class of cyclic protocols (i.e. that have only one input channel and one output channel for each process) whose logical correctness is decidable. Its extensibility to other protocol classes and other models of finite state machines is questionable.

Leaping reachability analysis forces multiple machines of the protocol to progress by the concurrent execution of transitions at global states, hence leaping through the state space. Again, the assumption underlying the study, such as FIFO queues, may be very restrictive for real protocols. Also, these approaches mainly target deadlocks and liveness properties, and do not address robustness aspects per se.

In our work, however, we adopt approaches extending reachability analysis for multicast protocols. One of our approaches in section is similar to controlled partial search, and uses reduction techniques based on equivalence relations.
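
The breadth-first full search with path reconstruction, and the effect of a memory budget A = M/S on coverage A/R, can be tried on a small model. The following Python code is an added example, not code from the proposal: the windowed request/ack protocol, its state encoding (o, a, b), the loss events and all function names are assumptions made for illustration.

```python
from collections import deque

WINDOW = 2  # assumed: the sender may have at most 2 unacknowledged requests


def successors(state, lossy=True):
    """Enabled transitions of the toy protocol, as (event, next_state) pairs.

    state = (o, a, b): o requests outstanding at sender S, a requests in the
    S->R channel, b acks in the R->S channel.  S has no retransmission
    timer, which is the design flaw the search should expose.
    """
    o, a, b = state
    out = []
    if o < WINDOW:
        out.append(("S sends req", (o + 1, a + 1, b)))
    if a > 0:
        out.append(("R receives req, sends ack", (o, a - 1, b + 1)))
    if b > 0:
        out.append(("S receives ack", (o - 1, a, b - 1)))
    if lossy and a > 0:                      # network failure events
        out.append(("req lost", (o, a - 1, b)))
    if lossy and b > 0:
        out.append(("ack lost", (o, a, b - 1)))
    return out


def rebuild(parent, state):
    """BF search must reconstruct the execution sequence from back-pointers."""
    path = []
    while parent[state] is not None:
        state, event = parent[state]
        path.append(event)
    return path[::-1]


def reachability(initial, succ, memory=None, state_size=1):
    """Breadth-first reachability analysis that reports the first deadlock.

    With memory=None this is a full search.  Otherwise at most
    A = memory // state_size states are stored and later states are
    dropped: plain BF order under a budget, i.e. the uncontrolled
    partial search that a full search degrades into.
    """
    budget = None if memory is None else memory // state_size
    parent = {initial: None}     # analyzed states, with back-pointers
    work = deque([initial])      # working set W; FIFO order gives BF search
    error_path, truncated = None, False
    while work:
        state = work.popleft()
        enabled = succ(state)
        if not enabled and error_path is None:   # nothing enabled: deadlock
            error_path = rebuild(parent, state)
        for event, nxt in enabled:
            if nxt in parent:
                continue
            if budget is not None and len(parent) >= budget:
                truncated = True                 # out of memory: state dropped
                continue
            parent[nxt] = (state, event)
            work.append(nxt)
    return {"analyzed": set(parent), "error_path": error_path,
            "truncated": truncated}


def demo():
    start = (0, 0, 0)
    full = reachability(start, successors)
    ideal = reachability(start, lambda s: successors(s, lossy=False))
    partial = reachability(start, successors, memory=6, state_size=1)
    coverage = len(partial["analyzed"]) / len(full["analyzed"])   # A / R
    return full, ideal, partial, coverage


if __name__ == "__main__":
    full, ideal, partial, coverage = demo()
    print("no loss :", len(ideal["analyzed"]), "states, deadlock:", ideal["error_path"])
    print("lossy   :", len(full["analyzed"]), "states, deadlock:", full["error_path"])
    print("partial : coverage", coverage, "deadlock:", partial["error_path"])
```

Without loss the model has no deadlock; with loss the full search returns the shortest event sequence that leads to one, while the budgeted run stores a sizeable fraction of the states and still misses it.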

Conformance Testing

A given implementation ideally realizes all functions of the specification over the range of acceptable parameter values and rejects erroneous inputs. A conformance test is used to check that the external behavior of a given implementation of a protocol is equivalent to its formal specification. A conformance test should fail only if implementation and specification differ. In contrast, verification of the protocol must always reveal the design error.

Given an implementation under test (IUT), sequences of input messages are provided and the resulting output is observed. The test passes only if all observed output matches those of the formal specification.

Another approach of conformance testing is to establish the conformance of the control structure of the implementation to the structure of the specification. Implementation and specification have the same structure if they model equivalent sets of states and allow for the same state transitions.

A state of the IUT is a stable condition awaiting input signal. A transition is the consumption of an input signal, the possible generation of an output signal, and the possible move to a new state. The move must be deterministic in order for the test to be reproducible. In each state, a complete IUT can accept and respond to all input symbols from the complete system vocabulary. The acceptance of an input signal that is outside the official input vocabulary may cause a transition into a set of states that produces erroneous behavior.

The series of input sequences used this way is called a conformance test suite. The cost of the test can be expressed as the length of the test suite, i.e. the total number of messages sent to the IUT. The main problem is to find an efficient procedure for generating a conformance test suite for a given protocol.

One possible solution is to generate a sequence of state transitions that passes through every state and every transition at least once, also known as a transition tour. The problem of finding a minimum length transition tour of a finite state machine, described for instance in, can be solved in polynomial time. However, in order for this solution to work, the state of the machine must be checked after each transition, since the implementation may be faulty. This leads to the definition of UIO sequences.

A Unique Input/Output (UIO) sequence, or state signature, is a sequence of transitions that can be used to determine the state of the IUT. To be able to verify every state in the IUT, we must be able to derive a UIO sequence for every state separately.

This approach generally suffers from the following drawbacks: (a) Not all UIO sequences are necessarily different. It may be possible to derive a distinguishing sequence, a single UIO sequence that can be used to identify any state in a finite state machine (FSM). (b) Not all FSMs have such a distinguishing sequence, and not all states have a UIO sequence. (c) Even if all states in a FSM have a UIO sequence, the problem of deriving UIO sequences has been proved to be PSPACE-complete in, i.e. only very short UIO sequences can be found in practice, and (d) UIO sequences can identify states reliably only in a correct IUT. Their behavior for faulty IUTs is unpredictable, and they cannot guarantee that any type of fault in an IUT remains detectable. Only the presence of desirable behavior can be tested by conformance testing, not the absence of undesirable behavior.
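
To make the UIO discussion concrete, the following Python code derives the shortest UIO sequence for each state of a small Mealy machine and uses it to check the state reached after one transition. It is an added example, not code from the proposal: the four-state machine, the faulty implementation and all function names are constructed assumptions. The machine is minimal, yet state C has no UIO sequence, which is drawback (b) above.

```python
from collections import deque

# Constructed specification (assumption): FSM[state][input] = (next_state, output)
FSM = {
    "A": {"a": ("A", 0), "b": ("D", 1)},
    "B": {"a": ("A", 1), "b": ("B", 0)},
    "C": {"a": ("A", 0), "b": ("B", 0)},
    "D": {"a": ("B", 0), "b": ("C", 0)},
}
INPUTS = ("a", "b")


def run(fsm, state, seq):
    """Output sequence produced when seq is applied starting in state."""
    outputs = []
    for x in seq:
        state, out = fsm[state][x]
        outputs.append(out)
    return tuple(outputs)


def uio(fsm, inputs, s):
    """Shortest UIO sequence for state s, or None if s has none.

    Breadth-first search over (current state of s, set of current states of
    the rivals that have produced the same outputs so far).  The set
    component is what makes the general problem expensive.
    """
    start = (s, frozenset(q for q in fsm if q != s))
    seen = {start}
    work = deque([(start, ())])
    while work:
        (cur, rivals), seq = work.popleft()
        for x in inputs:
            nxt, out = fsm[cur][x]
            alive = frozenset(fsm[r][x][0] for r in rivals
                              if fsm[r][x][1] == out)
            if not alive:
                return seq + (x,)        # every rival has been told apart
            if nxt in alive:
                continue                 # a rival merged with s: dead branch
            node = (nxt, alive)
            if node not in seen:
                seen.add(node)
                work.append((node, seq + (x,)))
    return None


def all_uios():
    return {s: uio(FSM, INPUTS, s) for s in FSM}


def check_transition(iut, src, x):
    """Test one transition of the IUT: apply x in src, then the UIO of the
    state the specification expects.  None means that state has no UIO."""
    target = FSM[src][x][0]
    signature = uio(FSM, INPUTS, target)
    if signature is None:
        return None
    seq = (x,) + signature
    return run(iut, src, seq) == run(FSM, src, seq)


def faulty_iut():
    """Constructed faulty implementation: A --b--> C instead of D, same output."""
    iut = {s: dict(t) for s, t in FSM.items()}
    iut["A"]["b"] = ("C", 1)
    return iut


if __name__ == "__main__":
    print(all_uios())
    print(check_transition(FSM, "A", "b"), check_transition(faulty_iut(), "A", "b"))
    print(check_transition(FSM, "D", "b"))   # target C has no UIO
```

The transfer fault in the constructed implementation leaves the output of the faulty transition unchanged, so it is only revealed by the signature applied afterwards; a transition into C cannot be checked this way at all.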

In conclusion, conformance testing techniques are important for testing protocol implementations. However, it is not suitable, as is, to be used in the design stage of a protocol. We consider work in this area as complementary to the focus of our study.

VLSI Chip Testing

Chip testing uses a set of w ellestablished approac hes to generate test v ector patterns generally for detecting
ph ysical defects in the VLSI fabrication pro cess
Common test v ector generation metho ds detect singlestuc k faults where the v alue of a line in the circuit
is alw a ys at logic or T est v ectors are generated based on a mo del of the circuit and a giv en fault
mo del The cost of the test generation dep ends on the complexit y of the circuit to b e tested as w ell as the
metho d of test generation Random v ector generation is simple but in general p erforms p o orly in terms of
fault co v erage if the v ector set is not large In con trast deterministic v ector generation pro duces shorter
and higher qualit y tests b y pro cessing a mo del of the circuit and hence is more exp ensiv e Deterministic
v ector generation can be faultindep enden t or faultorien ted In a faultorien ted pro cess test v ectors are
generated for sp ecied faults as dened b y the fault mo del On the other hand a faultindep enden t pro cess
w orks without targeting individual faults
In the faultorien ted pro cess the t w o fundamen tal steps in generating a test v ector are a to activ ate or
excite the fault and b to propagate the resulting error to an observ able output Activ ating a fault in v olv es
a line justication step that is setting circuit input v alues to cause a line l in the circuit to ha v e a sp ecic
v alue T o propagate the error to an output a path from l to the output needs to b e sensitized A line whose
v alue in the test t c hanges in the presence of the fault f is said to b e sensitized to the fault f b y the test
t A path comp osed of sensitized lines is called a sensitized path Sev eral algorithms ha v e b een dev elop ed
to solv e the path sensitization problem suc h as the Dalgorithm the V algorithm and the P athOrien ted
Decision Making PODEM algorithm
Line justification or error propagation usually involves a search procedure with a backtracking strategy
to resolve or undo contradiction in the assignment of line and input values. The line assignments performed
sometimes determine or imply other line assignments. The process of computing the line values to be
consistent with previously determined values is referred to as implication. Forward implication is implying
values of lines from the fault toward the output, while backward implication is implying values of lines from
the fault toward the circuit input.
Fault-independent test generation attempts to generate a set of input vectors that detect a large set of
faults without targeting individual faults. One such method is the critical-path method. The basic steps of
a critical-path algorithm are to (a) select an output and assign it a value, then (b) recursively justify the
value of a gate output by assigning values to the gate input.
Another concept of VLSI testing in which we are interested is fault equivalence. Two faults f and g
are said to be functionally equivalent for a circuit C under test x iff $C_f(x) = C_g(x)$. A test t is said to
distinguish between two faults f and g if $C_f(t) \neq C_g(t)$; such faults are distinguishable. The relation of
functional equivalence partitions the set of faults into equivalence classes. For fault analysis, it suffices to
consider only one fault from every equivalent class.
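The fault-oriented steps and the equivalence relation described above can be made concrete on a small circuit. The following is an added example, not code from the report: the three-input circuit, its line names and the greedy selection are assumptions chosen for illustration.

```python
from itertools import product

# Constructed circuit (an assumption, not from the report):
#   d = a AND b,  e = NOT c,  y = d OR e
LINES = ("a", "b", "c", "d", "e", "y")
VECTORS = list(product((0, 1), repeat=3))            # all inputs (a, b, c)
FAULTS = [(line, v) for line in LINES for v in (0, 1)]  # single stuck-at faults


def simulate(vec, fault=None):
    """Output y for input vec; fault is (line, stuck_value) or None."""
    def drive(line, value):
        # A stuck line ignores the value computed for it.
        if fault is not None and fault[0] == line:
            return fault[1]
        return value

    a = drive("a", vec[0])
    b = drive("b", vec[1])
    c = drive("c", vec[2])
    d = drive("d", a & b)
    e = drive("e", 1 - c)
    return drive("y", d | e)


def signature(fault):
    """The faulty function C_f, tabulated over every input vector."""
    return tuple(simulate(x, fault) for x in VECTORS)


def detecting_tests(fault):
    """Vectors that both activate the fault and propagate it to y."""
    return [x for x in VECTORS if simulate(x, fault) != simulate(x)]


def are_equivalent(f, g):
    """Functionally equivalent: C_f(x) == C_g(x) for every x."""
    return signature(f) == signature(g)


def distinguishing_tests(f, g):
    """Tests t with C_f(t) != C_g(t)."""
    return [t for t in VECTORS if simulate(t, f) != simulate(t, g)]


def equivalence_classes():
    classes = {}
    for fault in FAULTS:
        classes.setdefault(signature(fault), []).append(fault)
    return list(classes.values())


def coverage(tests):
    """Fraction of all single stuck-at faults detected by the test set."""
    hit = [f for f in FAULTS if any(t in detecting_tests(f) for t in tests)]
    return len(hit) / len(FAULTS)


def greedy_test_set():
    """Cover one representative per equivalence class, greedily."""
    remaining = {cls[0] for cls in equivalence_classes()
                 if detecting_tests(cls[0])}
    chosen = []
    while remaining:
        best = max(VECTORS, key=lambda x: sum(
            x in detecting_tests(f) for f in remaining))
        chosen.append(best)
        remaining -= {f for f in remaining if best in detecting_tests(f)}
    return chosen


if __name__ == "__main__":
    for cls in equivalence_classes():
        print(cls, "detected by", detecting_tests(cls[0]))
    tests = greedy_test_set()
    print("test set:", tests, "coverage:", coverage(tests))
```

For line a stuck at 0, the only detecting vector is (1, 1, 1): a=1 activates the fault, and b=1 with c=1 sensitizes the path through the AND and OR gates to the output.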
A scheme that utilizes the above concepts for on-line chip testing is the Built-In-Self-Test (BIST). BIST provides a systematic technique for chip testing synthesis. A generic BIST scheme is shown in figure.
Figure: Generic BIST scheme. [Blocks: test generator circuit, multiplexer, circuit under test, response monitor circuit. Signals: inputs, test patterns, test signal, outputs, test responses, error signal.]
This technique can be used to detect faults due to single-stuck-line. BIST uses a test pattern generator
(TPG) to produce the input patterns applied to the circuit under test. The test patterns are chosen to
maximize fault coverage with a minimum number of inputs. A response monitor circuit is used to monitor
and detect error signals. The expected output for VLSI chip testing is fault coverage vs. test length curve.
We are particularly interested in the architectural paradigm of BIST, after which we model our simulation
method. Our approaches for protocol testing use some of the above principles, such as forward and backward
implication, fault-independent and fault-oriented approaches.
However, in VLSI chip testing the test vectors are produced for a given circuit, whereas in protocol test
generation the topology is variable and a protocol should be designed to work with arbitrary topologies.
Proposed Approach
In general, the robustness of a protocol is its ability to respond correctly in the face of network failures
and packet loss. This thesis presents a methodology for studying and evaluating robustness of multicast
protocols. Supported by a set of tools for automatic test generation and synthesis, the method integrates
protocol modeling, simulation and implementation in a single framework.
In doing this, we adopt a systems approach to failure and behavioral analysis. That is, instead of
studying protocol behavior in isolation, we incorporate multiple protocol layers with network dynamics and
failures in order to reveal more realistic behavior of protocols in operation.
This section presents an overview of the framework and its constituent components. The model used to
represent the protocol and the system is presented along with definitions of the terms used. Then a thorough
explanation of the automatic test generation algorithms is given along with a case study for each algorithm.
The section concludes by giving a qualitative comparative analysis of the different algorithms investigated.
Framework Overview
Our framework integrates test generation with simulation and implementation code. It is used for Systematic
Testing of Robustness by Evaluation of Synthesized Scenarios (STRESS). As the name implies, systematic
methods for scenario synthesis are a core part of the framework. We use the term scenarios to denote the
test-suite consisting of the topology and events. Scenarios will be discussed in more detail in section.
The input to this framework is the specification of a protocol, its correctness requirements, and a definition
of its robustness. Usually robustness is defined in terms of network dynamics or fault models. A fault model
represents various component faults, such as packet loss, corruption, re-ordering, or machine crashes. The
desired output is a set of test-suites that stress the protocol mechanisms according to the robustness criteria.
The STRESS framework includes the following components (see figure):
- Automatic test generation and topology synthesis algorithms,
- Detailed simulator driven by the synthesized test patterns and scenarios, and
- Protocol implementation driven through an emulation interface to the simulator.
Test Generation
The core contribution of our work lies in the development of systematic test generation algorithms for
protocol robustness. We investigate three such algorithms, each using a different approach.
In general, there are two approaches for test generation (TG): random TG (RTG) and deterministic
TG. RTG involves only the generation of random test patterns (see section for the definition of test
patterns), and hence is simple. However, a large set of test patterns is needed to achieve a high measure of
error coverage, and even then determining the test quality may be expensive. Also, the cost of running long
test sequences may be high. RTG generally does not take into account the function or the structure of the
protocol under test, and does not attempt to minimize the test length.
Heuristics may be developed, however, to increase the test quality. Our first approach utilizes topological
and event equivalences to establish an initial set of tests. This set is then expanded to include the possible
fault scenarios (e.g. message loss) according to the protocol robustness. We use a simulation-based method
to run the tests, analyze erroneous behavior and collect coverage information. The heuristic approach and
the simulation method are described in section.
Deterministic TG, on the other hand, produces tests based on a model of the protocol. Hence it may be
more expensive than RTG. However, the knowledge built into the protocol model enables the production of
shorter and higher-quality test sequences. Deterministic TG can be manual or automatic. In this study we
focus on automatic TG (ATG).
Deterministic TG can be (a) fault-independent or (b) fault-oriented. Fault-independent TG works without
targeting individual faults as defined by the fault model. Such an approach may employ a forward search
technique to inspect the protocol state space (or an equivalent subset thereof) after integrating the fault
into the protocol model. In this sense it may be considered a variant of reachability analysis, with symbolic
representation and state and fault equivalence used to reduce the state space. Section describes our
fault-independent approach.
In contrast, fault-oriented tests are generated for specified faults. Fault-oriented test generation starts
from the fault (e.g. a lost message) and synthesizes the necessary topology and sequence of events that
trigger the error. This algorithm uses a mix of forward and backward searches. We present our fault-oriented
algorithm in section.
We will present these algorithms in more detail later in this section, along with several case studies. The
case studies are applied to PIM-DM to illustrate differences between the approaches and provide a basis for
comparison. In addition, we apply the heuristic approach to PIM-SM to illustrate how test generation can
be applied to different flavors of multicast routing.
Detailed Simulation
Usually automatic test generation is performed on a protocol model that sometimes abstracts out some
characteristics of the protocol. An error that may be experienced in the abstract model may not be
experienced in a more detailed model of the protocol, such as a detailed simulation. For this reason, the test
sequences generated from the abstract model are further validated by driving a simulator and analyzing the
output.
Also, the first algorithm (based on heuristics) uses the simulator as an integrated part to generate the
tests. In a later stage these tests are applied to the implementation code.
We have implemented detailed simulators for PIM-DM and PIM-SM in the network simulator NS, and
used them for parts of our case studies. Section describes how the simulation environment is integrated
with the test generation.
For our future work, we plan to use the simulation-based analysis to study the ripple effects of network
protocols (such as unicast and multicast routing) on end-to-end protocols and applications. In addition,
we plan to investigate protocol performance profiling and sensitivity analysis with the aid of our simulation
environment.
Figure: The STRESS framework. The diagram links three stages:
- Automatic Test Generation (ATG): establish a protocol model (e.g. FSM); obtain test sequences to stress certain aspects of the model (e.g. robustness to message loss, or crashes).
- Protocol Analysis through Simulation: develop detailed protocol simulation; study the behavior under the stress test-suites.
- Protocol Implementation, Testing: implement the protocol; debug and study behavior using the simulator output test signals; evaluate the test quality (e.g. using code coverage).
Labels on the connections between the stages: test patterns and scenarios, emulation interface, test signals, design refinement, analysis and refinement.
Implementation Interface
In order to observe how the actual implementation of the protocol behaves under the generated tests, we
plan to use an emulation interface to the simulator.
This will enable us to (a) conduct conformance tests by applying conformance test-suites through the
emulator, and (b) perform thorough analysis of the correctness and performance of the protocol implementation
under test.
We have developed a detailed implementation for PIM-SM (pimd), and plan to use it as our first target
for future studies. The emulation interface we plan to use is the one provided by NS, with some extensions
to support the appropriate packet formats.
In the remainder of this section we first describe our system model and definition. Then we present what we
consider to be our main contribution thus far, namely the automatic test generation methods. We start with
the heuristic-based method, followed by the fault-independent algorithm, then the fault-oriented algorithm.
Each method is applied to a case study that illustrates how the method can be used. We conclude by
presenting a qualitative comparison between these methods based on our observations in the case studies.
System Model and Definition
The system model
The system model consists of the network elements, topology elements and the fault model.
Elements of the network: The network consists of links and nodes (routers and hosts). A link may be
point-to-point or multi-access (e.g. LAN). In this document we assume bidirectional links with symmetric
delays, while future work will address unidirectional and asymmetric links. A node runs a set of network
protocols, such as unicast and multicast routing. We assume the existence of a MAC-layer protocol to resolve
media access and collision issues, but we do not model such protocol. A host runs end-to-end protocols or
applications.
Elements of the topology: In this document we consider only local topology (N-router LAN) modeled
at the network level, i.e. connecting hubs, switches, bridges and other data-link-layer devices are abstracted
out. The boundary of our topology is the multicast routing domain, which contains only a single multicast
routing protocol. However, the topology may span multiple unicast routing domains or Autonomous Systems
(ASs). Cascade of LANs or uniform topologies are mentioned in the future work section.
The fault model: We distinguish between the terms error and fault. An error is a failure of the protocol
as defined in the protocol design requirement and specification. For example, duplication in packet delivery
is an error for multicast routing. A fault is a low-level (e.g. physical layer) anomalous behavior that may
affect the behavior of the protocol under test, and includes, for example, packet loss or unicast route flapping,
among others. Note that a fault may not necessarily be an error for the low-level protocol.
The fault model may include:
- Loss of packets: model packet loss on a link due to any queue congestion, overflow, link failures or packet
corruption in the interconnect devices such as network interfaces, switches, hubs, etc. We assume that
the packets are either delivered correctly or are dropped, i.e. packet corruption is discovered using
checksum or other error detection codes.
- Loss of state: such as multicast and/or unicast routing tables, due to failure of the routing protocol,
crashes or insufficient memory resources.
- The delay model: Delays in the network may be due to transmission, propagation or queuing delays.
We assume that the processing delays are negligible w.r.t. the time granularity the analysis is addressing.
Sometimes delay fault problems may be translated into event sequencing problems, as we will
show by example in section.
- Unicast routing anomalies: such as route inconsistencies, oscillations or flapping. In section we
consider route inconsistency as part of the routed topology, but we do not target it as the failure model
for that specific study.
Usually a fault model is defined in conjunction with the robustness criteria for the protocol under study
(in our case PIM). A fault model may include a single fault or multiple faults. In our study we adopt
a single-fault model, where only a single fault may occur during a scenario or a test sequence. A design
requirement for PIM is being robust to single protocol message loss.
Future work will consider other fault models, such as loss of state or unicast route flapping.
Footnote: For PIM, being robust to a single message loss implies that transitions causing the protocol to move from one stable state
to another be correct even in the presence of single message loss. For the sake of analyzing erroneous behavior, however, we
consider single message loss per test sequence. Test sequences and stable states are described in later sections.
Test Sequence Definition
Given two sequences T e e e n where e i is an event and T e e e k fe j a n where f is a fault.
Let P q T be the sequence of states and stimuli of protocol P under test T starting
from the initial state q. According to one of the following definitions, T
may be said to be a test sequence if:
- P q T P q T: This means that the behavior of the system in the presence of the fault is different
than that without the fault. Note that this definition may include sequences that (including and
excluding the fault) produce same correct final states but with different transient behavior, or
- Final P q T P q T, i.e. the stable state after the occurrence of the fault is different for the two
outputs. This definition ignores transient behavior, but may include sequences that (including and
excluding the fault) produce different correct final states, or
- Final P q T is incorrect, i.e. the stable state reached after the occurrence of the fault does not
satisfy the correctness conditions, irrespective of P q T.
In case of a fault-free sequence, where T T, the error is attributed to a protocol design error. Whereas when T T
and final P q T is correct, the error is manifested by the fault.
Since we are only concerned with the stable (i.e. non-transient) behavior of a protocol, we will only use
the second and third definition for our study.
Test Input Pattern
A test input pattern is defined by a list of host events Ev, a topology T, and a fault model F. We define
a test input pattern as a tuple (Ev, T, F).
- Events: Ev ev ev ev n is a list of host events (host scenarios or call patterns). Each event
ev j consists of (action, time), where action is the host (or node) event input, for example join,
leave, send packet, etc.
- Topology: T = (N, L) is the routed topology of set of nodes N and links L. N n n n k is the list of nodes,
each running a set of protocols. A protocol may be modeled by
(timers, messages, stateVars, mechanisms). L l l l m are the links connecting the nodes (two in case of a
point-to-point link, or more for
LANs). A link has a delay and a bandwidth. This model may be extended to represent various delays
and bandwidths between pairs of nodes by using a virtual LAN matrix (see future work section).
- Faults: F is the fault model used to inject the fault into the test. According to our single-message
loss model, for example, a fault may denote the loss of the second message traversing link l i of type
prune. Knowing the location and the triggering action of the fault is important in analyzing the
protocol behavior.
Footnote: The fault may be empty, in which case T T.
Footnote: Correctness is defined by the protocol specification. See section.
Test requirement
- reachability: the test should drive the protocol into erroneous states reachable from a given initial
state.
- controllability (or controlled fault model): the test should not introduce additional faults except those
specified by the fault model. For example, no loss should occur due to queue overflows. This may be
realized in a simulator by using virtually infinite queue lengths.
- observability (or error propagation): unless otherwise specified by the protocol, a data packet that is
lost (duplicated) in a LAN topology is not reproduced (absorbed) by the network, and hence can be
observed by the end-points.
Brief description of PIM-DM
As a case study, we apply our automatic test generation algorithms to a version of the Protocol Independent
Multicast-Dense Mode, or PIM-DM.
PIM-DM uses broadcast-and-prune to establish the multicast distribution trees. In this mode of operation,
a multicast packet is broadcast to all leaf subnetworks. Subnetworks with no local members send prune
messages towards the sources of the packets to stop further broadcasts.
Routers with new members joining the group trigger Graft messages towards previously pruned sources
to re-establish the branches of the delivery tree. Graft messages are acknowledged explicitly at each hop
using the Graft-Ack message.
PIM-DM uses the underlying unicast routing tables to get the next-hop information needed for the RPF
(reverse-path-forwarding) checks. This may lead to situations where there are multiple forwarders for a LAN.
The Assert mechanism prevents these situations and ensures there is at most one forwarder for a LAN.
PIM Protocol Errors: In this study we target protocol design and specification errors. We are interested
mainly in erroneous stable (i.e. non-transient) states. We assume that these errors are provided by the
protocol designer or the protocol specification.
The protocol errors are defined in terms of the end-to-end behavior, and may be used to capture the error
in a simulation environment where the end-point traces may be obtained (for example, see section). A
protocol error may manifest itself in one of the following ways:
- black holes: consecutive packet loss between periods of packet delivery,
- packet looping: the same packet traverses the same set of links multiple times,
- packet duplication: multiple copies of the same packet are received by the same receivers,
- join latency: time taken by a receiver joining the group to start receiving packets destined to the group,
- leave latency: time taken after a receiver leaves the group to stop the packets from flowing down the
branches that no longer lead to receivers.
Some of these manifestations concern the correct delivery of packets, while others (e.g. leave latency)
concern efficiency and conservation of network resources.
Footnote: The heuristic test generation was also applied to PIM-Sparse Mode (see appendix A). We use the term PIM to indicate
both PIM-DM and PIM-SM.
Correctness Conditions: We assume that correctness conditions are provided by the protocol designer
or the protocol specification. These conditions are necessary to avoid the above protocol errors in a LAN
environment, and include:
- If one (or more) of the routers is expecting to receive packets from the link (i.e. having the link as
their next-hop), then one other router must be a forwarder for the link. Violation of this condition
may lead to data packet loss (e.g. join latency or black holes).
- The link must have at most one forwarder at a time. Violation of this condition may lead to data
packet duplication.
- The delivery tree must be loop-free:
(a) Any router should accept packets for (S,G) from one incoming interface only. This condition is
enforced by the RPF (Reverse Path Forwarding) check.
(b) The underlying unicast topology should be loop-free.
Violation of this condition may lead to data packet looping.
- If one of the routers is a forwarder for the link, then there must be at least one router expecting packets
from the link (i.e. having the link as their next-hop). Violation of this condition may lead to leave
latency.
These are the correctness conditions for stable states, i.e. not during transients, and are defined in terms
of protocol states (as opposed to end-point behavior). They are used in the fault-independent and
fault-oriented test generation, where the protocol model does not capture end-point traces. We also use these
conditions for topological equivalence in the heuristic test generation.
Footnote: Some esoteric scenarios of route flapping may lead to multicast loops in spite of RPF checks. Currently our study does
not address this issue, as it does not pertain to a localized behavior.
The Protocol Model
As mentioned earlier, the deterministic test generation (whether fault-independent or fault-oriented) requires
the definition of a protocol model. Formally, we present the protocol by a finite state machine (FSM) and
the LAN by a global FSM model, as follows:
I. FSM model: A deterministic finite state machine modeling the behavior of a router R i is represented
by the machine M i Q i i, where
- Q is a finite set of state symbols,
- i is the set of operations causing state transitions, and
- i is the state transition function Q i Q.
II. Global FSM model: With respect to a particular LAN, the global state is defined as the composition
of individual router states w.r.t. that LAN. The behavior of a LAN with n routers may be described by
the global FSM M G Q G G G, where
- Q G Q Q Q n is the global state space,
- G n S i i is the set of operations causing the transitions, and
- G is the global state transition function Q G G Q G, which is defined as
G u u u n q q q n x u q x n u n q n x
Heuristic Test Generation
In this section we present one test generation algorithm based on a heuristic, topology equivalence relations
and simulation.
After giving an overview of the approach, we illustrate how it can be applied to multicast routing protocols
by conducting two case studies on the Protocol Independent Multicast (PIM).
Overview
The main purpose of this approach is to identify a set of scenarios that may experience a protocol error in
the presence of single message loss. These scenarios are chosen from a set of representative scenarios and
topologies obtained through equivalence relations and heuristics. The scenarios are then simulated and the
output is analyzed to identify errors.
The simulation method consists of three stages: scenario generation (pre-processing), tracing simulation,
and output analysis (post-processing). Figure illustrates these stages. The building blocks in the
figure are explained in detail throughout the rest of this section.
Note that the engineering design process is usually iterative, where an investigator may cycle and feedback
into previous stages based on his/her intuition and insight, sometimes gained by the analysis of earlier
simulations. Our methodology does not contradict such process. In fact, we will show in appendix A how
we iterated through the stages to guide our simulations. The following section, however, only discusses the
modules supporting the different stages.
Scenario Generation
Scenarios are composed of routed topologies and sequences of events (input stimuli and state transitions),
and describe the simulation context that may cause protocol transitions. Scenario parameters include the
routed topology, host scenarios, and loss scenarios.
Routed topology: The routed topology is the network infrastructure upon which the protocol operates
(nodes, links, and low-level protocols, e.g. unicast routing).
We try to identify simple topologies that facilitate the evaluation of the main mechanisms of the protocol,
and to which other more complex topologies may be reduced.
We choose a LAN with four connected routers
as the basic topology. We show how other topologies are reducible to the four-router LAN topology and
discuss the limitations of such a topology in section. We further extend the topology to capture
particular characteristics of the protocol under study (PIM).
Figure: The block diagram of the simulation method. Stages and their blocks:
- Scenario Generation: host scenarios, routed topology, loss & failures.
- Simulation & Tracing: simulation set-up, simulation engine, end point tracing, protocol tracing, link tracing, code annotation.
- Output Analysis: identifying end point errors, relating errors to protocol, code profiling.
As a component of the routed topology, unicast route inconsistencies may be a common source of error.
Unicast routing may exist in one of the following three states: (a) consistent routing, (b) transient inconsistent
routing, and (c) long lived inconsistency. Case (a) requires no changes. The study of case (b) is convergence
analysis, which we do not address here. We are particularly interested in case (c).
We add an inconsistent
unicast routing component to force the multicast routing protocol into states encountered in such pathology, and analyze those states.
Host scenarios: Host scenarios are combinations of possible host actions. In our case study these are
defined by the multicast service model. Host actions include joining or leaving groups, or sending packets
to groups. For large numbers of hosts and groups it is prohibitively costly to explore all possible combinations
exhaustively.
Footnote: Two topologies are said to be reducible or equivalent if they drive the protocol (according to the host scenarios applied)
into the same states, experiencing the same set of state transitions.
Footnote: This may be caused by a multicast region spanning more than one unicast routing AS.
The heuristics used in this study do not guarantee that all faulty scenarios for a protocol will be covered.
Our more practical and achievable objective is to study multicast protocol behavior for scenarios that include
the primary host events (in this case, joining a group, leaving a group, and sending to a group). For these
scenarios we generate all possible message loss cases and extract the faulty scenarios automatically.
We choose a simple multicast host scenario that has a single source S and two receivers R and R
for the same group.
We estimate all the possible combinations of our host model, and try to reduce the number to those
simple scenarios that support the main protocol functions. We call such scenarios representative scenarios.
To obtain the representative scenarios we apply the scenario filter shown in figure.
Figure: The scenario filter. [Host events pass through protocol constraints, practical input, and symmetry & equivalence to yield the representative scenarios.]
The use of the filter shown in the figure is illustrated by the following example. For one source and two
receivers, the five possible host events are: source S sending to a group (or S for short), receiver joining a
group (or J and J for receivers R and R, respectively), and receiver leaving a group (or L and
L for receivers R and R, respectively).
For all possible permutations there exists scenarios (considering that each host event occurs
once). Then, as shown by figure, we apply protocol constraints (e.g. a receiver does not leave before it
joins the group) to reduce the number of possible combinations to scenarios. Further,
as a practical input, we assume, without loss of generality, that the source sends packets throughout the
simulation, to reduce the number of possible scenarios to scenarios. These six scenarios are:
JJLL JJLL JLJL
JJLL JJLL JLJL
The number of representative scenarios can be further reduced if the host distribution is symmetric with
respect to the topology, since the following scenarios will be equivalent: i equivalent to, ii equivalent
to, and iii equivalent to, i.e. we need only investigate different host scenarios for the given topology.
Loss and Failures: Are defined by the fault model (the single message loss). This model includes selective
loss, where a message sent on a LAN may be lost by any of the intended receivers. The input to the loss/failures sub-stage shown in figure is obtained from initial traces of simulations without protocol message
loss. These traces guide further simulations to cover all possible protocol message loss scenarios.
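The scenario filter and the single-message-loss expansion described above can be run end to end. This is an added example, not code from the report: the receiver indices 1 and 2, the router names A to D and the sample trace are assumptions, and the counts it produces are computed by the code rather than taken from the report.

```python
from itertools import combinations, permutations

RECEIVERS = ("1", "2")  # assumed indices for the two receivers
# Host events: source sends (S), receiver r joins (Jr), receiver r leaves (Lr).
HOST_EVENTS = ["S"] + ["J" + r for r in RECEIVERS] + ["L" + r for r in RECEIVERS]


def joins_before_leaves(seq):
    """Protocol constraint: a receiver does not leave before it joins."""
    return all(seq.index("J" + r) < seq.index("L" + r) for r in RECEIVERS)


def drop_source(scenarios):
    """Practical input: the source sends throughout, so S is not ordered."""
    out = []
    for seq in scenarios:
        reduced = tuple(e for e in seq if e != "S")
        if reduced not in out:
            out.append(reduced)
    return out


def swap_receivers(seq):
    """Relabel receiver 1 as 2 and vice versa."""
    other = {"1": "2", "2": "1"}
    return tuple(e[0] + other[e[1]] for e in seq)


def collapse_symmetric(scenarios):
    """Symmetric host distribution: keep one scenario per swapped pair."""
    reps = []
    for seq in scenarios:
        if seq not in reps and swap_receivers(seq) not in reps:
            reps.append(seq)
    return reps


def scenario_filter():
    """Return the scenario set after each stage of the filter."""
    every = list(permutations(HOST_EVENTS))
    constrained = [s for s in every if joins_before_leaves(s)]
    practical = drop_source(constrained)
    representative = collapse_symmetric(practical)
    return every, constrained, practical, representative


# Constructed fault-free trace from a four-router LAN:
# (message type, sender, intended receivers on the LAN).
SAMPLE_TRACE = [
    ("Prune", "B", ("A", "C", "D")),
    ("Graft", "C", ("A",)),
]


def single_loss_cases(trace):
    """One fault per test: message idx is lost by a non-empty subset of
    its intended receivers (selective loss on a LAN)."""
    cases = []
    for idx, (mtype, _sender, receivers) in enumerate(trace):
        for size in range(1, len(receivers) + 1):
            for losers in combinations(receivers, size):
                cases.append((idx, mtype, losers))
    return cases


if __name__ == "__main__":
    stages = scenario_filter()
    print("scenarios per stage:", [len(s) for s in stages])
    for rep in stages[3]:
        print("representative:", " ".join(rep))
    print("loss cases:", len(single_loss_cases(SAMPLE_TRACE)))
```

Each representative scenario is then simulated once without loss to obtain its trace, and once per entry returned by `single_loss_cases` for that trace.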
Simulation and Tracing
During this stage, the protocol mechanisms are simulated and traces are collected.
Simulation: One desirable approach for simulating complex protocols is to include detailed mechanisms
of parts of the protocol while abstracting out others; we call this approach subsetting. To maintain protocol
correctness, however, an abstracted part must be replaced by its equivalent that exhibits similar external
behavior under the study assumptions. Subsetting allows us to focus on specific parts of the protocol state
space, and can be based on:
- Protocol functions: Subsetting protocol functions or mechanisms refers to the abstraction of these
functions. This may be achieved by replacing a complex mechanism by a simpler one exhibiting similar
external behavior under relaxed assumptions. For example, we may use static configuration instead
of simulating a detailed bootstrap algorithm. This way we may study other protocol mechanisms
assuming correctness of the bootstrap mechanism.
- Protocol states: A study may focus on specific protocol states. This allows, for example, the study of
multicast group state without dealing with source-specific state.
- Message types: This allows the examination of specific protocol message types in the absence of others.
Tracing: Tracing is the process of logging information about events or packets during the simulation run.
Logged information is analyzed during the post-processing (i.e. the output analysis) stage. In addition, some
traces are used as feedback to the scenario generator to guide further simulations. We consider several kinds
of tracing:
End-point tracing: Tracing end-points includes logging information pertaining to hosts sending or
receiving packets, and joining or leaving multicast groups. A detailed description of the traces is given in
the case study sections.
To identify errors and pathologies in the protocol itself, we focus on the effect of the multicast routing
protocol transitions on the end-point packet delivery, as explained in section.
Protocol transition tracing: A protocol can be represented by a finite state machine (automaton)
consisting of states, transitions and stimuli (inputs, outputs and timer actions). Based on knowledge of
initial protocol states, we obtain the sequence of protocol transitions by tracing all stimuli.
We use protocol traces to diagnose and verify protocol behavior, and to analyze errors.
Link tracing: We keep track of packets traversing links as well as events of packet loss on links. Link
tracing is mainly used for fault injection: links carrying message types of interest are targeted for intentional
message loss in further simulations. We achieve this through feedback to the scenario generation stage as
shown in figure. This reduces the number of loss scenarios examined to those directly affecting the protocol
behavior under investigation. We also use link tracing in output analysis and visualization.
Code annotation: When placed in key points (such as beginning of protocol procedures or code
modifying the state of the protocol), code annotations capture internal execution of the protocol machinery.
We use code annotation to estimate what part of the code, and subsequently the protocol, has been executed
and stressed (code coverage).
Output Analysis
One major concern of our approach is to identify pathological cases and indicate when and if an error occurred, and why. This is achieved in the output analysis stage, which consists of:
Identifying endpoint errors: Error conditions may be specified with respect to endpoint traces, as mentioned in section. If the factors during one simulation run are relatively static (i.e., static unicast routing, static topology, and controlled loss), the endpoint error may be attributed to an error in the multicast routing protocol.
Once the specified error is identified by the output analyzer, the trace log is rolled back in time to investigate the protocol traces, as explained next.
Relating errors to protocol: After detecting an endpoint error, the output analyzer isolates possible causes of such errors in the form of protocol traces. The output analyzer in this case is similar to a logic analyzer, allowing the designer to navigate backward in time and investigate the causes of the error. As will be shown in the case studies, the process of identifying a protocol error may suggest fixes to the problem.
Code profiling: The profiler captures information about the annotated code, such as which procedures were or were not invoked, and the order and frequency of invocation. This information indicates the portion of the protocol stressed by the examined scenarios.
Case Study
To evaluate the utility of the heuristic approach, we applied it to a complex multicast routing protocol, PIM. Both PIM-SM and PIM-DM are considered in the case study. However, we present the PIM-DM study briefly in this section, and present the details of the PIM-SM in appendix A.
Being robust to at least a single message loss, even in the presence of unicast inconsistencies, was a design goal for PIM, as was described in section. The PIM-DM protocol was described in section. We point out two PIM mechanisms relevant to this study: Assert and prune-override. The PIM Assert mechanism is the process by which at most one forwarder for a LAN is selected, to avoid duplicates in case of multiple potential forwarders due to parallel paths to the source. The prune-override enables a downstream router (i.e., with downstream members) to retain its established branch of the tree in case another router on the same LAN tries to prune that branch.
In our experience, the cause for endpoint errors was often due to protocol misbehavior in the recent trace history of the error.
To achieve this, a downstream router receiving a prune on its incoming interface triggers a join upstream.
[Figure: The equivalent topologies. Topology I: 3-router LAN. Topology II: 4-router LAN, downstream addition. Topology III: 4-router LAN, upstream addition.]
The rest of this section is outlined as follows. Section establishes the equivalence relationship for the topology used for the case study. Section describes the simulation test suites, and section presents an example for applying the method.
Topology Equivalence
Two topologies are equivalent if they drive the protocol transitions into the same states under the same set of event sequences. A topology is reducible to another topology with fewer connections and routers if the two topologies are equivalent.
We show in this section that, for single message loss scenarios, the four-router LAN topology adopted in this study experiences the same protocol errors that an N-router LAN topology experiences, where N, and hence they are equivalent for PIM joins, prunes and asserts. For brevity, we only prove equivalence in the case of prune messages, and hint to the proof approach in the other cases. We also identify assumptions and limitations under which this equivalence relationship holds.
Prunes: First, we consider N-router LAN topologies where N and respectively. It is trivial to prove that these topologies are not equivalent for hop-by-hop messages.
Assumption: N-router LAN topology, where N, is reducible to the three-router LAN topology for prunes w.r.t. single message loss scenarios.
To justify our assumption, we first prove that a four-router LAN topology is reducible to a three-router LAN topology.
Correctness condition: As described by section, the conditions necessary to avoid packet duplication and black holes may be stated as: If a router on the LAN has the LAN as its incoming interface, there must be one other router with the LAN in its outgoing list. Once this condition is satisfied, violating it is considered a protocol error.
For brevity, we only consider black holes and packet duplicates correctness conditions.
Next, we examine the three-router LAN topology. In figure, topology I, assume that A and B are downstream routers and C is an upstream router.
In figure, topology I, router C has the LAN in its outgoing list, router A has the LAN as its incoming interface, and router B is leaving the group and so sends a prune towards C. The prune is multicast on the LAN.
The only case where the correctness condition may be violated is when C receives the prune while A does not. In the other cases, either the prune is not received by C, or is received by A, which triggers a prune-override to reestablish the LAN in C's outgoing list. This is illustrated by the following selective loss pattern table for the prune message sent by B:
A C
error
where a indicates no-loss and indicates loss. The error occurs where the upstream router C received the prune but the router with downstream members A did not receive it.
In figure, topology II, we add another downstream router D. The selective loss pattern table follows:
A D C
error
The only error occurs when the upstream router C receives the prune but neither of the downstream routers receives it. If the prune is received by any of the downstream routers, a prune-override would reestablish the LAN in C's outgoing list.
From the symmetry of the loss patterns and topology, we see that all errors are triggered by the same transitions experienced by router A in topology I. Hence the extended topology II does not introduce any new errors and exhibits the same external behavior as does topology I. We conclude that topology I and topology II are equivalent for prunes.
This is to differentiate between join latency, which is not considered a protocol error, and a black hole, which is a protocol error.
We now show that the N-router LAN topology is reducible to the N case, where N
With the addition of an upstream router (figure, topology III), no added error cases are encountered. The addition of a downstream router, however, may introduce new error scenarios. Similar to the four-router LAN case, we establish the following assertion: the only error case occurs when all downstream routers lose the prune and the upstream router receives it. If the prune was received by any of the downstream routers, the correctness condition would be retained using prune-overrides.
The assertion holds in both topologies. Hence we conclude that the N-router topology experiences the same errors as the N-router topology.
From the above, we see that by simulating the three-router LAN topology, we capture all the errors with respect to selective loss for the prune mechanism that may be experienced by any N-router LAN topology, where N
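The prune argument above can be checked by brute force over every selective loss pattern. This is an added example, not code from the proposal: it models one upstream router C and a list of downstream routers with members, assumes the prune-override join is itself delivered (only the prune is subject to loss), and its function names are illustrative.

```python
from itertools import product

UPSTREAM = "C"  # upstream router, named as in topology I


def prune_outcome(received):
    """Classify one selective-loss pattern of the prune multicast by B.

    received maps router name -> True if that router received the prune.
    Every router other than C is a downstream router with members.
    Assumption: the prune-override (join) is delivered, because only a
    single message, the prune, is subject to loss.
    """
    if not received[UPSTREAM]:
        return "ok"  # C never saw the prune; the LAN stays in its outgoing list
    overriders = [r for r, got in received.items() if r != UPSTREAM and got]
    # A downstream router that saw the prune overrides it with a join,
    # which re-establishes the LAN in C's outgoing list.
    return "ok" if overriders else "error"


def loss_table(downstream):
    """All 2^(k+1) receive/lose patterns for k downstream routers plus C."""
    routers = list(downstream) + [UPSTREAM]
    rows = []
    for bits in product([True, False], repeat=len(routers)):
        received = dict(zip(routers, bits))
        rows.append((received, prune_outcome(received)))
    return rows


def error_patterns(downstream):
    return [rx for rx, outcome in loss_table(downstream) if outcome == "error"]


def counting_classes(downstream):
    """Group patterns by (C received?, number of downstream routers that lost).

    Patterns differing only in which downstream router lost the prune fall
    into one class; each class maps to the set of outcomes seen in it.
    """
    classes = {}
    for rx, outcome in loss_table(downstream):
        lost = sum(1 for r in downstream if not rx[r])
        classes.setdefault((rx[UPSTREAM], lost), set()).add(outcome)
    return classes


if __name__ == "__main__":
    # Router names beyond A and D are hypothetical additions.
    for label, ds in (("I", ["A"]), ("II", ["A", "D"]), ("N=6", ["A", "D", "E", "G"])):
        errs = error_patterns(ds)
        print(f"topology {label}: {2 ** (len(ds) + 1)} patterns, errors: {errs}")
        print(f"  counting classes: {len(counting_classes(ds))}")
```

The number of raw patterns doubles with each added downstream router, while the number of classes grows by two, and the single error class is always "C received, every downstream router lost".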
Joins and prune-overrides: For prune-overrides, the only router affected by the message is the destined upstream router, hence the equivalence is readily established. The loss of a PIM-SM join may lead to join latency, but does not cause black holes. Joins leading to packet duplication lead to asserts that are discussed next.
Asserts: In most cases, proofs similar to the prune case can be applied to Asserts. However, since asserts may be triggered due to parallel paths, the base case is established for the four-router LAN topology. Figure, topology III, represents the four-router LAN topology, where A and B are downstream routers, and C and D are upstream routers.
For our case study, we use a four-router LAN topology with an added source S. The overall physical topology consists of five routers, four of which are connected via a LAN, as shown in figure.
Test suites
In this section we elaborate on the routed topology, host scenarios, and loss pattern generation used for our case study. We also describe the simplifications and subsettings applied.
Physical and routed topologies: The overall topology used is that shown in figure. For the unicast routing protocol, we use a centralized version of Dijkstra's Shortest Path First (SPF) algorithm.
Prune-overrides are actually join messages. The effect of join message loss is described in section.
For PIM-SM, a limitation to the four-router LAN topology is given for the esoteric case of three upstream routers and three downstream routers with inconsistent unicast routing tables. This case creates one extra transition that can only be captured by at least a six-router LAN topology. We do not consider this a practically significant scenario, and we consider its analysis as a special case not captured by the four-router LAN topology. However, aside from this exception, the N-router LAN topology, where N, is equivalent to a four-router LAN topology w.r.t. asserts.
[Figure: The topology used for the case study. Panels: Topology 1, Topology 2, Overall topology. Labels: RP; S1; S2, R2; R1; A, B, C, D; unicast route to RP.]
PIM uses the underlying unicast routing tables for building multicast trees. Therefore, unicast routing inconsistencies affect the operation of PIM. To investigate such interaction, we add a component to force inconsistent multicast routes between PIM routers, as shown in figure, topology.
Host scenarios: Since protocol states for different groups do not interact, we consider only one group. Also, since protocol states for different sources do not interact, it suffices to consider only one source S per simulation run. The source is modeled as a constant-bit rate (CBR) stream with fixed packet size. The source model does not affect the correctness of the method. However, to assure full controllability over the selective loss model, we set the data rate to ensure that no loss occurs due to queue overflow.
While we consider only a single source, we consider two receivers, R1 and R2, for the same group, to account for shared tree state interactions. We use the representative host scenarios described in section.
Loss patterns: We investigate all possible selective loss scenarios for multicast hop-by-hop PIM messages in the equivalent topology. Loss models are applied exhaustively to those links that carry protocol messages under investigation. The tracing stage identifies these links during the first simulation run without packet loss, and feeds back the link information to the loss generation module, as shown in figure. As we will show in section A, the number of representative scenarios is quite small, and hence the number of overall lossy scenarios explored is manageable.
We do not consider aggregated source or group entries in this study.
For this we use packet size of bytes and a send interval of ms (i.e., source rate of kb/s); this ensures no queue drops on the Mb/s links used with packet queue limit.
Tracing: Trace information includes the event type (send or receive), the node experiencing the event, the type of message sent or received, and the time at which the event occurred. Every data packet is assigned a unique sequence number.
Applying the Method
This section provides an illustrative example showing how the heuristic approach may be used to identify and analyze errors encountered during the simulation of the representative scenarios.
We have implemented an initial version of the method in the Network Simulator NS. NS is an event-driven packet-level simulator, controlled and configured via Tcl and Object-Tcl (or OTcl). To support our method, we have added modules to provide LAN support, controlled selective loss, protocol tracing, profiling capabilities, and a detailed implementation of PIM-DM and PIM-SM. This implementation serves as the simulation environment for our case study. In addition, the building blocks were designed to be reused within the same framework to apply this method to other multicast protocols.
To verify that our implementation conforms to the protocol specification, we ran several conformance test-suites using the simulator.
Obtaining faulty scenarios: To obtain the faulty scenarios (i.e., those that contain errors), we execute the method stages in order (i.e., scenario generation, simulation and tracing, and output analysis, respectively), and then reverse the order, from the output to the traces, to identify the faulty scenarios. These phases are automated by the tools provided, and are transparent to the user once the scenario setup is complete.
The process of attributing endpoint errors to protocol actions may be automated only if the error conditions are given in terms of such protocol actions. In practice, however, these protocol error conditions are often not known a priori by the designer, and are usually defined in terms of endpoint errors, such as packet loss or duplication. The supporting tools identify endpoint errors and provide a history of protocol traces. The designer then examines the traces and identifies the protocol errors. This process may suggest fixes to the problem, as we will show in section A.
Example for PIM-DM: In this section we briefly describe one example in which the heuristic approach was used in conjunction with simulation to reveal design errors in PIM-DM. Other examples and results that were obtained using this approach are provided in appendix A. The scenario presented here was identified after the simulation and analysis of the representative scenarios with the selective loss model.
We used the representative scenario JJLL over topology. In this scenario, the fault was represented by the loss of the join (i.e., prune-override) message sent by router A, as shown in figure. The error in this scenario was observed as a gap in the sequence number of the packets received by receiver R2, indicating a black hole. The start of this gap was synchronized with the event L (i.e., the leave of receiver R1), when the router B triggered a prune onto the LAN. The failure of router A to override this prune caused the black hole. This failure was caused by the loss of a single join message, and hence the robustness requirement for PIM-DM was not satisfied.
For information about the simulator, see http://catarina.usc.edu/vint
[Figure: two panels with source S1, receivers R1 and R2, and routers A, B and C; the numbered events are:]
1) R1 joins the group. B sends graft towards S1.
2) R2 joins the group. A sends graft towards S1.
3) R1 leaves the group. B multicasts prunes onto the LAN.
4) A gets the prune and sends a join to override. The join is lost.
5) C gets the prune and sends it towards S1.
Figure: The prune-override loss scenario for PIM-DM
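The output-analysis step described above (find the endpoint error, then roll the trace back to the protocol events that preceded it) can be sketched over a small trace of this scenario. This is an added example, not the proposal's NS tooling: the line format `time node event message [seq]`, the timestamps, the `LAN loss` record and all function names are constructed for illustration.

```python
from collections import namedtuple

Event = namedtuple("Event", "time node event msg seq")

# Constructed trace of the five numbered events plus CBR data from S1.
TRACE = """\
0.10 R1 join group
0.11 B send graft
0.20 R2 join group
0.21 A send graft
1.00 S1 send data 1
1.02 R1 recv data 1
1.02 R2 recv data 1
2.00 S1 send data 2
2.02 R1 recv data 2
2.02 R2 recv data 2
2.50 R1 leave group
2.51 B send prune
2.52 A recv prune
2.52 C recv prune
2.53 A send join
2.53 LAN loss join
2.60 C send prune
3.00 S1 send data 3
4.00 S1 send data 4
5.00 S1 send data 5
"""


def parse_trace(text):
    events = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        seq = int(fields[4]) if len(fields) > 4 else None
        events.append(Event(float(fields[0]), fields[1], fields[2], fields[3], seq))
    return sorted(events, key=lambda e: e.time)


def membership(events, host):
    """Return (join time, leave time); leave is infinity if the host never left."""
    join = next(e.time for e in events if e.node == host and e.event == "join")
    leave = next((e.time for e in events
                  if e.node == host and e.event == "leave"), float("inf"))
    return join, leave


def missing_packets(events, receiver, source):
    """Sequence numbers sent while the receiver was a member but never delivered.

    Packets before the first delivery are skipped, so join latency is not
    reported as a black hole; a receiver that never gets a packet is
    reported in full.
    """
    join, leave = membership(events, receiver)
    got = {e.seq for e in events
           if e.node == receiver and e.event == "recv" and e.msg == "data"}
    first = min(got, default=0)
    sent = [e.seq for e in events
            if e.node == source and e.event == "send" and e.msg == "data"
            and join <= e.time < leave]
    return sorted(s for s in sent if s > first and s not in got)


def duplicate_packets(events, receiver):
    seen, dups = set(), []
    for e in events:
        if e.node == receiver and e.event == "recv" and e.msg == "data":
            if e.seq in seen:
                dups.append(e.seq)
            seen.add(e.seq)
    return dups


def roll_back(events, source, first_missing, window):
    """Protocol (non-data) events in the window before the first missing packet was sent."""
    t_err = next(e.time for e in events if e.node == source
                 and e.event == "send" and e.seq == first_missing)
    return [e for e in events if e.msg != "data" and t_err - window <= e.time <= t_err]


if __name__ == "__main__":
    ev = parse_trace(TRACE)
    gap = missing_packets(ev, "R2", "S1")
    print("R2 missing:", gap, "duplicates:", duplicate_packets(ev, "R2"))
    for e in roll_back(ev, "S1", gap[0], window=1.0):
        print(f"  {e.time:.2f} {e.node} {e.event} {e.msg}")
```

The rolled-back history starts at R1's leave and contains the lost join, which is the protocol-level cause the designer is looking for.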
To fix this problem, a second chance should be given to the downstream router (in this case A) to override the prune. This may be achieved, for example, by having the leaving router (B in this case) send two prunes when leaving, or have the upstream router C send a prune alert, in the form of a prune on the LAN, before removing the LAN from its routing entries.
Although the heuristic approach may capture some design errors, it lacks formality and does not produce the test-suites automatically. We attempt to address these issues in the other two approaches: the fault-independent and fault-oriented test generation.
Fault-independent Test Generation
In this section we investigate a fault-independent approach for automatic test generation. We use a variant of reachability analysis to inspect a reduced subset of the state space of the system for errors. We develop equivalence relations and symbolic representation techniques to reduce the complexity of the used algorithm from exponential to linear in the number of routers on the LAN. To examine the robustness of the protocol against single message loss, we incorporate selective loss scenarios in the inspected space.
To illustrate the procedures of this method, we apply it to a version of PIM-DM.
Formalism
A formalism is used to represent the protocol as a finite state machine (FSM). A multi-access LAN is used as the target system, and is represented by a global FSM.
We use the FSM model explained earlier in section to model the protocol.
I. FSM model $M_i$ $Q_i$
A. System States Q: We define the states w.r.t. a specific LAN to which the router $R_i$ is attached. A router is represented by its state as a forwarder or a receiver of packets to or from the LAN. The possible states are described in the following table:
State Symbol    Meaning
$F_i$           Router i is a forwarder for the LAN
$NH_i$          Router i has the LAN as its next-hop
$NC_i$          Router i has a negative-cache entry pointing to the LAN
$E_i$           Router i does not have an entry (i.e., is empty)
We also differentiate whether a router is upstream or downstream. For example: $Q = \{E, F\}$ if the router is upstream, $\{E, NH, NC\}$ if the router is downstream.
B. Stimuli and Events: $\{G, J, Pk, Pr, L, (Pr), (G), (J)\}$, where the event with parentheses indicates the transmission of a message, and the event without indicates reception. G: Graft, J: Join, Pk: Packet, Pr: Prune, L: Leave.
Figure gives a finite state machine for one node implementing a simplified version of PIM-DM. When an upstream router receives data packets from the next-hop neighbor, a Graft or Join from downstream, it creates a forwarding state $\{F\}$. If the upstream router receives a Prune from downstream, it removes the forwarding entry. For a downstream router, data packets trigger the creation of the state as follows: (a) if there exist downstream members, a receiving state (i.e., $\{NH\}$) is created and a Graft is triggered upstream; else (b) a negative-cache state $\{NC\}$ is created and a Prune is triggered upstream. Receiving a Graft or Join creates a receiving state and triggers a Graft upstream, while receiving a Prune or Leave creates a negative-cache state and triggers a Prune upstream. Asserts are not shown for simplicity.
$F_i$ and $NH_i$ are equivalent to Router i having the LAN in its outgoing interface list or as an incoming interface, respectively.
[Figure: Finite state machine for node. Upstream Node: states {} and {F}. Downstream Node: states {}, {NH} and {NC}. Transition labels: Pk/G/J; Pr; G/J; Pk.M/G/J (G); Pk.NM/Pr (Pr); L/Pr (Pr); J/G (G). Legend: Pk: received a packet; G: received Graft; J: received Join; Pr: received Prune; /: or; .: and; M: downstream member exists; NM: no downstream member exists; (Pr): sending a Prune upstream; (G): sending a Graft upstream.]
II. Global FSM model: An example global state for a topology of routers connected to a LAN, with router as a forwarder, router expecting packets from the LAN, router and have negative caches, and router is empty, is given by $\{F, NH, NC, NC, E\}$. Conveniently, we may omit the empty state E.
We have two possible state symbols for upstream routers and three for downstream routers, hence the total number of possible global states for an n-router LAN is $|Q_G| = 2^{|upstream|} \cdot 3^{|downstream|}$, where $|upstream| + |downstream| = n$.
Fault-independent Test Generation Algorithm
Our approach employs a variant of reachability analysis to investigate the global FSM model developed for the system in section. We start from a subset of the correct states and investigate the system transitions according to various operators, in addition to selective loss. The output, if any, is a set of event sequences that drive the system into erroneous states. The approach includes the following steps:
Establish the correct states for the given topology according to the correctness conditions. We use equivalence techniques to reduce the number of correct states to be inspected.
Start from a correct state and search for a sequence of transitions, possibly including a selective loss scenario, that lead to an erroneous state (i.e., those non-transient states in which correctness conditions are violated). The transitions obtained are those defined for the FSM and not necessarily host events such as Join or Leave. The number of loss scenarios investigated is reduced based on equivalence relations. If a sequence is obtained in this step, go to the next step. Otherwise, restart from the first step (i.e., another correct state).
Establish external host events leading to the transitions obtained by the previous step. Call this sequence of events $S_{err}$. The sequence of host events in this case may not be unique. A prune, for example, may be triggered due to various events: a joined host leaving, or receiving packets with no downstream members.
Establish external host events leading to the correct state. Again, such sequence of events may not be unique. Call this sequence $S_{corr}$.
The input test pattern of events is the concatenation of $S_{corr}$ and $S_{err}$, i.e., $S_{corr} S_{err}$.
Obtaining Correct States
Theoretically, all states that satisfy the correctness conditions may be considered correct states. However, not all of these states are normally reachable. For example, all downstream members build state whenever they get a data packet, whether it is a receiving state NH or negative cache NC; hence, for a topology of one upstream router and two downstream routers, and the global state $\{F, NH, E\}$, although theoretically correct, is practically unreachable. We focus on the practically reachable correct states in this section, and develop the following algorithm to obtain those states:
procedure produceReachableCorrectStates(upstreamNodes, downstreamNodes) {
    add EmptySet to setOfStates
    j downstreamNodes
        add NC_j to State
    add State to setOfStates
    i upstreamNodes {
        for mask to |downstreamNodes|
        {
            add F_i to State
            position j downstreamNodes {
                if position mask add NH_j to State
                else
                    add NC_j to State
                position position
            }
            add State to setOfStates
        }
    }
}
Under specific crash scenarios this state may be reached. But with the single-fault model we have adopted, this state cannot be reached, as we assume, without loss of generality, that the fault will occur after the correct states, one of which being the initial state, is reached.
The set of correct states, or CS, is a subset of the state space, i.e., $CS \subset Q_G$. The number of reachable correct states generated by the algorithm is |CS| |upstream| |downstream|
Reachability Analysis and Reduction Techniques
Exhaustive search: Attempts to generate and analyze all system states that are reachable from an initial system state.
In a system of n routers, with $|Q| = m$ states for a router, the number of reachable states in the system is bounded by $m^n$. To investigate all the transitions, with $l$ possible transitions, we obtain $l \cdot m^n$ state visits to complete the process.
Symbolic representation
An alternative representation of the system may be obtained through symbolic representation, where r routers in state q are represented by $q^r$. The global state for a system of n routers is represented by $S = (q_1^{r_1}, q_2^{r_2}, \ldots, q_m^{r_m})$, where $m = |Q|$, $\sum r_i = n$, and $r_i$ is or more and ! is or more. For our case study, $q_i \in \{F, NH, NC, E\}$. To satisfy correctness conditions and given in section, the correct stable global states are those containing no forwarders and no routers expecting packets, or those containing one forwarder and one or more routers expecting packets from the link; symbolically this is given by S F NH NC E and S F NH NC E
Counting equivalence: Two system states $(q_1, q_2, \ldots, q_n)$ and $(p_1, p_2, \ldots, p_n)$ are strictly equivalent iff $q_i = p_i$, where $q_i, p_i \in Q$, $\forall\, 1 \le i \le n$. However, the behavior of all routers is given by a common deterministic FSM, hence all $n!$ permutations of $(q_1, q_2, \ldots, q_n)$ are equivalent, because the order of the tuple is not important.
A state for a system with n routers may be represented as $\prod_{i=1}^{|Q|} q_i^{k_i}$, where $k_i$ is the number of routers in state $q_i \in Q$ and $\sum_{i=1}^{|Q|} k_i = n$.
Counting Equivalence: Two system states $\prod_{i=1}^{|Q|} q_i^{k_i}$ and $\prod_{i=1}^{|Q|} q_i^{l_i}$ are equivalent if $k_i = l_i$ $\forall i$.
In other words, two system states are equivalent if the number of routers in a specific state in one system is equal to the number of routers in the same state in the other system, for all router states.
In our analysis, we do not attempt to investigate the whole state space; rather, we start from the correct states under relaxed practical assumptions and analyze the successor stable states. However, even with this approach (i.e., the reachable correct states algorithm), the number of correct states grows exponentially with the number of downstream routers. In addition, we need to investigate various loss scenarios, and that is also exponential in the number of routers.
We use the counting equivalence to reduce the number of correct states explored and the number of investigated loss scenarios.
Exploring correct states: From the counting equivalence relationship and the symmetry given in the LAN topology, we can reduce the complexity of the algorithm. For example, the state $\{F, NH, NC\}$ is equivalent to $\{F, NC, NH\}$, since both of these states correspond to the symbolic representation F NH NC. Using this equivalence relation, we modify the correct states algorithm as follows:
procedure produceExploredCorrectStates(upstreamNodes, downstreamNodes) {
    add EmptySet to setOfStates
    j downstreamNodes
        add NC_j to State
    add State to setOfStates
    i upstreamNodes {
        for mask to |downstreamNodes| {
            add F_i to State
            position j downstreamNodes {
                if position mask
                    add NH_j to State
                else
                    add NC_j to State
                position position
            }
            add State to setOfStates
        }
    }
}
An example output of the above algorithm for an upstream router R and three downstream routers R, R and R would be:
{{}, {NC, NC, NC}, {F, NH, NC, NC}, {F, NH, NH, NC}, {F, NH, NH, NH}}
For convenience, we omit the E state.
We note that the new algorithm has a complexity of $O(|upstreamNodes| \cdot |downstreamNodes|)$, as opposed to $O(|upstreamNodes| \cdot 2^{|downstreamNodes|})$ for the previous algorithm. We can further reduce this complexity by considering all upstream routers equivalent; hence we can remove the i upstreamNodes loop, which gives $O(|downstreamNodes|)$ complexity.
Exploring selective loss scenarios: In general, a similar equivalence relation may be applied to the selective loss patterns explored. For example, a prune sent by a downstream router $R_i$ may be lost by either downstream routers $R_j$ and $R_k$. If both these routers have the same state, e.g. $NH_j \in GlobState$ and $NH_k \in GlobState$, then the scenarios $\{R_j\ lostPrune,\ R_k\ RxvdPrune\}$ and $\{R_k\ lostPrune,\ R_j\ RxvdPrune\}$ are equivalent.
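Both correct-state procedures and the counting-equivalence reduction can be run side by side to confirm that the reduced enumeration covers every symbolic class of the exhaustive one. This is an added example, not the proposal's code: the loop bounds and the NH/NC membership tests are assumptions chosen so that the reduced version reproduces the five-state example output above, and the router names R1 to R4 are hypothetical.

```python
from collections import Counter


def reachable_correct_states(upstream, downstream):
    """Exhaustive version: every non-empty subset of downstream routers in NH."""
    states = [(), tuple(("NC", j) for j in downstream)]
    for i in upstream:
        # Assumed bounds: mask 0 (forwarder with no NH router) is skipped.
        for mask in range(1, 2 ** len(downstream)):
            state = [("F", i)]
            for pos, j in enumerate(downstream):
                in_nh = (mask >> pos) & 1
                state.append(("NH" if in_nh else "NC", j))
            states.append(tuple(state))
    return states


def explored_correct_states(upstream, downstream):
    """Reduced version: one state per count of downstream routers in NH."""
    states = [(), tuple(("NC", j) for j in downstream)]
    for i in upstream:
        for mask in range(1, len(downstream) + 1):
            state = [("F", i)]
            for pos, j in enumerate(downstream):
                state.append(("NH" if pos < mask else "NC", j))
            states.append(tuple(state))
    return states


def symbolic(state):
    """Counting-equivalence class: how many routers hold each state symbol."""
    counts = Counter(sym for sym, _ in state)
    return tuple((s, counts[s]) for s in ("F", "NH", "NC") if counts[s])


def is_correct(state):
    """Stable correctness as stated in the text: no forwarder and no router
    expecting packets, or one forwarder and at least one router expecting."""
    counts = Counter(sym for sym, _ in state)
    return (counts["F"] == 0 and counts["NH"] == 0) or \
           (counts["F"] == 1 and counts["NH"] >= 1)


def same_classes(upstream, downstream):
    """True if the reduced enumeration misses no symbolic class."""
    full = {symbolic(s) for s in reachable_correct_states(upstream, downstream)}
    reduced = {symbolic(s) for s in explored_correct_states(upstream, downstream)}
    return full == reduced


if __name__ == "__main__":
    for n in (1, 2, 3, 6, 10):
        ds = ["R%d" % (k + 2) for k in range(n)]
        full = reachable_correct_states(["R1"], ds)
        reduced = explored_correct_states(["R1"], ds)
        print(n, "downstream:", len(full), "states vs", len(reduced),
              "explored; classes preserved:", same_classes(["R1"], ds))
```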
Obtaining Error States
To establish the erroneous stable states, we need to define the transition mechanisms between such states. We introduce the concept of transition classification and completion to distinguish between transient and stable states. Then we present the protocol mechanisms and the stable state checking algorithm.
Classification of Transitions: We identify two types of transitions: externally triggered (ET) and internally triggered (IT) transitions. The first type is stimulated by actions external to the system, such as host-join or host-leave, whereas the second type is stimulated by actions internal to the system, such as prune and assert.
We note that some transitions may be triggered due to both internal and external actions, depending on the scenario. For example, a prune may be triggered due to forwarding packets by an upstream router, which is an internal action, or a host-leave, which is an external event.
The global state is checked for correctness only at the end of an ET transition and after completing all dependent ITs. Following is a table of host events, their dependent ETs, and their dependent ITs:
Host Events    Send    HostJoin    Leave
ETs    Forward    Graft    Prune
ITs    Assert    Prune    GraftAck    Join
Join
FSM Reduction: Consider the transition diagram and topology in figure. When the upstream router receives data packets, it becomes the forwarder $\{F_1\}$. Depending on downstream membership status, router 2 either (a) creates a receiving state $NH_2$, moving the global state to $\{F_1, NH_2\}$, or (b) creates a negative-cache state $NC_2$ (i.e., global state $\{F_1, NC_2\}$), then sends a Prune upstream, resulting in router 1 removing its forwarding state and moving the global state to $\{NC_2\}$.
By looking closely at the prune mechanism, we find that an interesting scenario, or distinguishing scenario, is one where R_dst RxvdPrune Q_i R_i lostPrune i s.t. NH_i GlobState. Similarly, for the join mechanism, we find that the only distinguishing scenario is where R_dst lostJoin, where R_dst the destination of the join, regardless of loss or receipt of the join by other routers.
[Figure: Reachability graph for a node PIM-DM. Topology: node 1 upstream, node 2 downstream. States: {}, {F1}, {F1,NC2}, {F1,NH2}, {NH2}, {NC2}. Transition labels: Pk1; M2; NM2; L2 (Pr2); J2/G2 (G2). Legend: Pk1: Node 1 received a packet; M2: member exists downstream of Node 2; NM2: no member exists downstream of Node 2; L2: Node 2 received a leave message; J2: Node 2 received a join message; G2: Node 2 received a Graft message; (Pr2): Node 2 sends a prune upstream; (G2): Node 2 sends a Graft upstream.]
If a downstream member joins, router 2 creates a receiving state {NH2} and sends a Graft upstream, causing router 1 to create a forwarding state, and the global state becomes {F1, NH2}. We note that Grafts are sent reliably, hence the state {NH2} is a transient state and the transition from state {NC2} to {F1, NH2} is considered reliable.

Similarly, data-triggered actions, such as prunes on point-to-point links and creation of downstream state (whether receiving or negative-cache), may be considered reliable. Subsequently, the states {F1} and {F1, NC2} are also considered transient states.

As was alluded to earlier, transient states are not checked for correctness and hence may be removed from the diagram. The resulting transition diagram is shown in the reduced reachability graph figure.

Transition Completion

From the previous section we showed that transient states can be removed from the inspected state space based upon the reliability by which the transition out of these states is accomplished. It seems as though the error can be detected by inspecting the non-transient state space. To investigate the efficacy of such an approach, we analyze a topology with some unreliable transitions, such as that given in the LAN reachability graph figure.

The reader is encouraged to view the figure in detail. However, we only concentrate on the transitions affected by loss. One such transition is shown in the partial detailed reachability graph figure.

It is apparent from the figure that the global state {NH2, NC3} can be considered a transient state that may transit to a correct state {F1, NH2, NC3} in some cases and to a stable error state in others, and hence cannot be simply removed from the state machine. At the same time, an error is not encountered by the mere reachability of that state, i.e. the state should not always be checked for correctness. This leads us to introduce the notion of transition completion, explained next.
To check for the global system correctness, all stimulated internal transitions should be completed to bring the system into a stable (i.e. non-transient) state. Intermediate transient states should not be checked for correctness, since in most cases they violate the correctness conditions set forth for stable states and hence may give a false error indication.

[Figure: Reduced reachability graph for PIM-DM (upstream Node 1, downstream Node 2). Global states shown: {}, {NC2}, {F1,NH2}. Transition labels shown: Pk1.M2, Pk1.NM2 (Pr2), L2 (Pr2), J2/G2 (G2). The legend is the same as for the full reachability graph.]
The process of identifying complete transitions depends on the nature of the protocol. In general, however, we may identify a complete transition sequence as the sequence of all transitions triggered due to a single external stimulus (e.g. host-join or host-leave). Therefore we should be able to identify a transition based upon its stimuli, either external or internal.

At the end of each complete transition sequence the system exists in either a correct or an erroneous stable state. This transition completion concept suggests that, starting from a correct state, only one complete transition sequence needs to be explored. Hence, if all the correct states (or a subset equivalent thereto) are investigated, all erroneous states will be discovered.

A phase contains all transitions that are considered complete. For PIM-DM the following sequences of transitions are considered complete for the purposes of this study:
- sending prunes, then sending joins if any (or PJ for short)
- sending packets, prune if any, join if any, asserts if any (SPJA)

A PJ complete phase does not mean that a join cannot be lost; rather, any loss pattern may be applied to the join message, but the processing of the join after applying the loss pattern should be completed before the state is checked for correctness.
Protocol mechanisms

Following are the mechanisms representing the PIM-DM protocol from the perspective of a router R_i connected to the link. For brevity we simplify some of the protocol mechanisms, such as assuming Grafts to be reliable and not considering timers.

[Figure: Reachability graph for PIM-DM on a LAN (upstream Node 1, downstream Nodes 2 and 3). Nine global states, labelled (i) to (ix): {}, {F1}, {F1,NC2,NC3}, {F1,NH2,NC3}, {F1,NC2,NH3}, {F1,NH2,NH3}, {NC2,NC3}, {NH2,NC3}, {NC2,NH3}. Transition labels shown: Pk1, NM2.NM3, M2.M3, M2.NM3, NM2.M3, L2, L3, J2, J3, (G2), (G3), (Pr2), (Pr3), (Pr2)/(Pr3), LPr, LJ.]
Pruning
    procedure SendPrune(i, dst)
        if F_dst in GlobState
            remove F_dst from GlobState      /* assume only oif and dst is it */
        join = false
        for all j in downstream, j != i      /* apply selective loss */
            if NH_j in GlobState
                join = true
        if join
            SendJoin
        CheckState                           /* end of a phase */

Joining (Prune-overriding)
    procedure SendJoin(i, dst)
        /* apply message loss */
        if F_dst not in GlobState
            add F_dst to GlobState

Grafting
    procedure SendGraft
        if F_dst not in GlobState
            add F_dst to GlobState
        CheckState                           /* end of a phase */

Asserting
    procedure SendAssert
        for all j in upstream
            if j != max
                remove F_j from GlobState    /* max address wins assert */

Receiving data packets
    procedure ForwardPackets(i)
        if F_i not in GlobState
            add F_i to GlobState
        assert = false
        for all k in upstream
            if F_k not in GlobState
                add F_k to GlobState
                assert = true
        if assert
            SendAssert
        prune = false
        for all j in downstream
            if NC_j in GlobState
                prune = true
            else if NH_j not in GlobState
                add NH_j to GlobState
        if prune
            SendPrune
        CheckState                           /* end of a phase */

    CheckState(GlobState)
        oifs = 0
        for all j in upstream
            if F_j in GlobState
                oifs = oifs + 1
        if oifs > 1 Error
        iifs = 0
        for all k in downstream
            if NH_k in GlobState
                iifs = iifs + 1
        if iifs > 0 and oifs = 0 Error
        else if oifs > 0 and iifs = 0 Error

[Figure: Partial detailed reachability graph for PIM-DM. States shown: {F1,NH2,NC3} and {NH2,NC3} (the latter shown once marked Transient and once marked Error). Labels shown: LPr1.(J2)/LPr1.LPr2 (Pr3), LPr1, (J2) LJ1, loss, no loss.]
Legend:
LPri: loss of Prune by Node i
LJi: loss of Join by Node i
(J2): Node 2 sends Join upstream
(Pr3): Node 3 sends Prune upstream

[Figure: Partial detailed reachability graph for PIM-DM. States shown: {F1,NH2,NC3} and {NH2,NC3}. Labels shown: (Pr3).LPr2 / (Pr3).(J2).LJ1 and LPr1.LPr2 / (Pr3).LPr1 / (Pr3).(J2). The legend is the same as above.]
Mapping error transitions into host events

Externally triggered events leading to the error are recorded, then translated into host events according to the following rules: (i) every forwardPackets event is preceded by a sendPackets event, (ii) every sendPrune event is preceded by a Leave event, and (iii) every sendJoin event is preceded by a HostJoin event.

Getting to the correct state using host events

To obtain the sequence of host events leading to a specific correct global state with upstream routers upstrm and downstream routers dnstrm, we use the following simple procedure:

    for all i in dnstrm
        if NH_i in globstate
            add HostJoin_i to S_corr
        else if NC_i in globstate
            add Leave_i to S_corr
    for all j in upstrm
        if F_j in globstate
            add sendPackets_j to S_corr

Note that the procedure is straightforward due to the simplicity of the model used. Obtaining the sequence of events leading to a state may not be that simple, as we will see in the next section, where we investigate backward search techniques.
Example

For brevity we will only present one example illustrating the approach. Our future work will present a more complete list of the errors discovered using this approach. Following is one case where we captured a design error using the fault-independent approach.

The topology has one upstream router R1 and two downstream routers R2, R3. Starting from the correct state {F1, NH2, NC3}, the following sequence of events was found to drive the system into the error state {NH2, NC3}: ForwardPacket_1, sendPrune_3, sendJoin_2, R1 lostJoin.

The externally triggered events from the above list are the forwarding and the loss events. The ForwardPacket_1 maps into a sendPacket_1 host event. Hence S_err = {sendPacket_1, R1 lostJoin}. To get to the correct state we have S_corr = {HostJoin_2, Leave_3, sendPacket_1}. The test sequence is {HostJoin_2, Leave_3, sendPacket_1, sendPacket_1, R1 lostJoin}.

Before we discuss the next approach, one last comment on the fault-independent approach is that the topology is an input to the algorithms, in the form of upstream nodes and downstream nodes. Topology synthesis is not part of this approach. We will show in the next section how this problem is solved.
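
The selective-loss exploration behind this example, as an added Python example (not code from the proposal): it runs one complete prune/join phase on the LAN under every loss pattern, applies the CheckState conditions, and builds the host-event test sequence. The router numbering (R1 upstream, R2 and R3 downstream), the string state labels and all function names are assumptions of this example.

```python
from itertools import combinations

UPSTREAM = (1,)      # R1 (numbering assumed from the figure labels)
DOWNSTREAM = (2, 3)  # R2, R3


def check_state(state):
    """CheckState for a stable state: None if correct, else the error found."""
    oifs = sum(f"F{j}" in state for j in UPSTREAM)
    iifs = sum(f"NH{k}" in state for k in DOWNSTREAM)
    if oifs > 1:
        return "more than one forwarder"
    if iifs > 0 and oifs == 0:
        return "receiver without a forwarder"
    if oifs > 0 and iifs == 0:
        return "forwarder without a receiver"
    return None


def prune_join_phase(state, pruner, lost):
    """Run one complete PJ phase; `lost` holds (message, receiver) pairs dropped."""
    state = set(state)
    forwarders = [u for u in UPSTREAM if f"F{u}" in state]
    for u in forwarders:                       # SendPrune
        if ("Pr", u) not in lost:
            state.discard(f"F{u}")
    overriders = [j for j in DOWNSTREAM
                  if j != pruner and f"NH{j}" in state and ("Pr", j) not in lost]
    if overriders:                             # SendJoin (prune override)
        for u in forwarders:
            if ("J", u) not in lost:
                state.add(f"F{u}")
    return frozenset(state)                    # checked only at end of phase


def explore(start, pruner):
    """Map every selective-loss pattern to (stable end state, error or None)."""
    hearers = [r for r in UPSTREAM + DOWNSTREAM
               if r != pruner and (f"F{r}" in start or f"NH{r}" in start)]
    lossable = [("Pr", r) for r in hearers]
    lossable += [("J", u) for u in UPSTREAM if f"F{u}" in start]
    results = {}
    for n in range(len(lossable) + 1):
        for lost in combinations(lossable, n):
            end = prune_join_phase(start, pruner, frozenset(lost))
            results[frozenset(lost)] = (end, check_state(end))
    return results


def host_events_to_reach(state):
    """S_corr: host events that bring the system to a correct global state."""
    seq = []
    for i in DOWNSTREAM:
        if f"NH{i}" in state:
            seq.append(f"HostJoin{i}")
        elif f"NC{i}" in state:
            seq.append(f"Leave{i}")
    seq += [f"sendPacket{j}" for j in UPSTREAM if f"F{j}" in state]
    return seq


def build_test_sequence(start, lost):
    """S_corr, then S_err: the packet that triggers the prune, then the losses."""
    names = {"Pr": "lostPrune", "J": "lostJoin"}
    s_err = [f"sendPacket{j}" for j in UPSTREAM if f"F{j}" in start]
    s_err += [f"R{r} {names[m]}" for m, r in sorted(lost)]
    return host_events_to_reach(start) + s_err


START = frozenset({"F1", "NH2", "NC3"})

if __name__ == "__main__":
    for lost, (end, err) in explore(START, pruner=3).items():
        if err and len(lost) == 1:             # single-message-loss fault model
            print(sorted(lost), sorted(end), err, build_test_sequence(START, lost))
```

Under single-message loss the two failing patterns are the Join lost at R1 and the Prune lost at R2; a Prune lost at R1 leaves the state correct.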
Fault-Oriented Testing Generation

In this section we investigate fault-oriented automatic test generation, where the tests are generated for specific faults. In this approach the test generation algorithm starts from the faults and searches for a possible error, establishing the necessary topology and conditions to produce the error. Once the error is established, a backward search technique produces a test sequence leading to the erroneous state, if such a state is reachable. We use the FSM formalism to represent the protocol.

The rest of this section is organized as follows: an overview of fault-oriented test generation (FOTG), the protocol model and its application to PIM-DM, and the fault-oriented analysis of PIM-DM.

FOTG Overview

Fault-oriented test generation (FOTG) targets specific faults. Starting from a given fault, FOTG attempts to synthesize minimal topology(ies) that may experience an error, and a sequence of events leading to the error.

The fault studied here is single message loss, in which case the algorithm is run for a specific message and is repeated for other protocol messages. For a given message, the algorithm identifies a set of stimuli and states needed to stimulate that message, and the possible states and stimuli elicited by the message. The set of states forms the system state to be inspected, and the system components required to represent these states form a topology that may be vulnerable to error. The protocol model is used to derive this information.

Subsequent system states are obtained through a process called forward implication, after the fault is included in the implication rules. Forward implication is the process of inferring subsequent states from a given state. The subsequent stable state is checked for errors.

If an error occurs, an attempt is made to obtain a sequence of events leading to the inspected state, if such a state is reachable from an initial state. This process is called backward implication. Details of these algorithms are presented in the FOTG details section.

The Protocol Model

We represent the protocol as a finite state machine (FSM) and extend it to capture the protocol LAN environment as a global FSM.
I FSM mo del M
i
Q
i
i
i
Following is an FSM model of a simplified version of PIM-DM. For a specific source-group pair, we define the states with respect to a specific LAN to which the router R_i is attached. For example, a state may indicate that a router is a forwarder for (or a receiver expecting packets from) the LAN.

A. System States (Q): The possible states in which a router in the system may exist are described in the following table.

State Symbol    Meaning
F_i             Router i is a forwarder for the LAN
F_i_Timer       i forwarder with the timer Timer running
NF_i            Upstream router i is not a forwarder but has an entry
NH_i            Router i has the LAN as its next-hop
NH_i_Timer      same as NH_i with the timer Timer running
NC_i            Router i has a negative-cache entry pointing to the LAN
EU_i            Upstream router i does not have an entry, i.e. is empty
ED_i            Downstream router i does not have an entry, i.e. is empty
M_i             Downstream leaf router with no state and an attached member
NM_i            Downstream leaf router with no state and no attached members
The possible states for upstream and downstream routers are as follows:

Q_i = {F_i, F_i_Timer, NF_i, EU_i} if the router is upstream
Q_i = {NH_i, NH_i_Timer, NC_i, M_i, NM_i, ED_i} if the router is downstream

B. Stimuli and Events: The stimuli and system events considered here include transmitting and receiving protocol messages, timer events and external host events. Only events leading to a change of state or stimulation of other events are considered. For example, transmitting messages per se (vs. receiving messages) does not cause any change of state, except for the case of transmitting a Graft message. Following are the events considered in our study:

- Transmitting messages: Graft transmission (Graft_Tx).
- Receiving messages: Graft reception (Graft_Rcv), Join reception (Join), Prune reception (Prune), Graft Acknowledgement reception (GAck), Assert reception (Assert), and forwarded packets reception (FPkt).
- Timer events: these events occur due to timer expiration (Exp) and include the Graft retransmission timer (Rtx), the event of its expiration (RtxExp), the forwarder-deletion timer (Del), and the event of its expiration (DelExp). We note here that the expiration event of a timer is implied when a timer is set. This event is referred to as Timer Implication.
- External host events (abbreviated as Ext): these include host sending packets (SPkt), host joining a group (HJoin or HJ), and host leaving a group (Leave or L).

{Join, Prune, Graft_Tx, Graft_Rcv, GAck, Assert, FPkt, Rtx, Del, SPkt, HJoin, Leave}

(The forwarder-deletion timer is referred to as the Oif-Deletion timer in the PIM specification.)
II. Global FSM model: An example global state for a topology of routers connected to a LAN, with one router as a forwarder, one router expecting packets from the LAN, and two routers holding negative caches, is given by {F, NH, NC, NC}.

Transition Table

The global state transition may be represented in several ways. Here we choose a transition table representation that emphasizes the effect of the stimuli on the system, and hence facilitates topology synthesis, as will be shown. The transition table describes, for each stimulus or event, the conditions of its occurrence. A condition is given as stimulus and state or transition (denoted by stimulus.state/trans), where the transition is given as startState -> endState. A precondition for an event is a sufficient condition to trigger the event. In contrast, a postcondition for a stimulus is an event and/or transition that is triggered by the stimulus in the absence of faults (e.g. message loss). A (p) indicates a possible transition or stimulus and represents a branching point in the search space. Following is the transition table for the global FSM discussed earlier.
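Each entry lists the stimulus, its preconditions (stimulus.state/trans) and its postconditions (stimulus.state/trans).

Join
    Preconditions:  Prune_other.NH_orig
    Postconditions: F_dst_Del -> F_dst, NF_dst -> F_dst
Prune
    Preconditions:  L.NC, FPkt.NC
    Postconditions: F_dst -> F_dst_Del, (p) Join_other
Graft_Tx
    Preconditions:  HJ.(NC -> NH), RtxExp.(NH_Rtx -> NH)
    Postconditions: Graft_Rcv.(NH -> NH_Rtx)
Graft_Rcv
    Preconditions:  Graft_Tx.(NH -> NH_Rtx)
    Postconditions: GAck.(NF_dst -> F_dst)
GAck
    Preconditions:  Graft_Rcv.F
    Postconditions: NH_dst_Rtx -> NH_dst
Assert
    Preconditions:  FPkt_other.F_orig, Assert_other.F_orig
    Postconditions: (p) F_other -> NF_other, (p) Assert_other
FPkt
    Preconditions:  SPkt.F
    Postconditions: Prune.(NM -> NC), ED -> NH, M -> NH, EU_other -> F_other, (p) Assert
Rtx
    Preconditions:  RtxExp
    Postconditions: Graft_Tx.(NH_orig_Rtx -> NH_orig)
Del
    Preconditions:  DelExp
    Postconditions: F_orig_Del -> NF_orig
SPkt
    Preconditions:  Ext
    Postconditions: FPkt.(EU_orig -> F_orig)
HJoin
    Preconditions:  Ext
    Postconditions: NM -> M, Graft_Tx.(NC -> NH)
Leave
    Preconditions:  Ext
    Postconditions: M -> NM, Prune.(NH -> NC), Prune.(NH_Rtx -> NC)

State Dependency Table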
To aid in test sequence synthesis through the backward implication procedure, we construct what we call a state dependency table. This table does not contain additional information about the protocol behavior beyond that given by the transition table, and can be inferred automatically therefrom. We use this table to improve the performance of the algorithm and for illustration.

For each state, the dependency table contains the possible preceding states and the stimulus from which the state can be reached or implied. To obtain this information for a state S, we search the postcondition column of the transition table for entries where the endState of a transition is S. In addition, a state may be identified as an initial state (IS). The initial states for this study include {EU, ED, NM}.

Based on the above transition table, following is the resulting state dependency table.
Each backward implication is written as "stimulus: preceding state".

State        Possible Backward Implications
F_i          FPkt_other: EU_i;  Join: F_i_Del;  Join: NF_i;  Graft_Rcv: NF_i;  SPkt: EU_i
F_i_Del      Prune: F_i
NF_i         Del: F_i_Del;  Assert: F_i
NH_i         Rtx, GAck: NH_i_Rtx;  HJ: NC_i;  FPkt: M_i;  FPkt: ED_i
NH_i_Rtx     Graft_Tx: NH_i
NC_i         FPkt: NM_i;  L: NH_i_Rtx;  L: NH_i
EU_i         IS
ED_i         IS
M_i          HJ: NM_i
NM_i         L: M_i;  IS
FOTG details

As previously mentioned, our FOTG approach consists of three phases: (I) synthesis of the global state to inspect, (II) forward implication, and (III) backward implication. These phases are explained in more detail in this section.

FOTG starts from a given fault. The fault we address here is message loss.

Synthesizing the Global State

Starting from a message (i.e. the message to be lost) and using the information in the protocol model (i.e. the transition table), a global state is chosen for investigation. We refer to this state as the global-state inspected, G_I, and it is obtained as follows:

1. The global state is initially empty, and the inspected message is initially set to the message to be lost.
2. For the inspected message, the state (or the startState of the transition) of the postcondition is obtained from the transition table. If the state does not exist in the global state, and cannot be implied therefrom, then it is added to the global state.
3. For the inspected message, the state (or the endState of the transition) of the precondition is obtained. If the state does not exist in the global state, and cannot be implied therefrom, then it is added to the global state.
4. Get the stimulus of the precondition of the inspected message. If this stimulus is not external (Ext), then set the inspected message to the stimulus and repeat from step 2.

At the end of this stage, the global state to be investigated is obtained.

Note that, although in lots of cases the topology will be constructed during the first phase of obtaining G_I, the topology may still be expanded during the forward/backward implication phases.

Forward Implication

The states following G_I are obtained through forward implication. We simply apply the transitions starting from G_I as given by the transition table, in addition to implied transitions (such as timer implication). In case of a message loss, the transition due to the lost message is not applied. If more than one state is affected by the message, then the space searched is expanded to include the various selective loss scenarios for the affected routers.

Backward Implication

If an error occurs, backward implication attempts to obtain a sequence of events leading to G_I from an initial state (IS), if such a sequence exists, i.e. if G_I is reachable from IS.

The state dependency table is used in the backward search. For each component in the global state G_I, backward steps are taken until an initial global state (a state with all components as IS) is reached.
Fault-oriented Analysis of PIM-DM

We consider single message loss scenarios for the Join, Prune, Assert and Graft messages. For brevity we partially discuss our results, and only expand branching points when needed for illustration. The Graft message is particularly interesting, since it is acknowledged and it raises timing and sequencing issues that we address at the end of this section.

Join

Synthesizing the Global State
- Set the inspected message to Join.
- The startState of the postcondition is F_dst_Del, so G_I = {F_j_Del}.
- The state of the precondition is NH_i, so G_I = {NH_i, F_j_Del}.
- The stimulus of the precondition is Prune. Set the inspected message to Prune.
- The startState of the postcondition is F_j, which can be implied from F_j_Del in G_I.
- The state of the precondition is NC_k, so G_I = {NH_i, F_j_Del, NC_k}.
- The stimulus of the precondition is L. Set the inspected message to L.
- The startState of the postcondition is NH, which can be implied from NC in G_I.
- The state of the precondition is Ext (external event).

Forward implication
- Without loss, the inspected state is G_I = {NH_i, F_j_Del, NC_k}:
    {NH_i, F_j_Del, NC_k} --Join--> {NH_i, F_j, NC_k}   (correct state)
- With loss with respect to the affected routers (i.e. R_j):
    {NH_i, F_j_Del, NC_k} --Del--> {NH_i, NF_j, NC_k}   (error state)

Backward implication
    G_I = {NH_i, F_j_Del, NC_k}
        <--Prune-- {NH_i, F_j, NC_k}
        <--FPkt--  {M_i, F_j, NM_k}
        <--SPkt--  {M_i, EU_j, NM_k}
        <--HJ_i--  {NM_i, EU_j, NM_k}
The last state is an initial state (IS).
Prune

Synthesizing the Global State
- Set the inspected message to Prune.
- The startState of the postcondition is F_dst, so G_I = {F}.
- The state of the precondition is NC, so G_I = {NC, F}.
- The stimulus of the precondition is FPkt. Set the inspected message to FPkt.
- The startState of the postcondition is NM, which can be implied from NC in G_I. (Several choices may be made here; we pick the transition that is associated with a previously inspected message, in this case Prune, and the transition is NM -> NC.)
- The state of the precondition is F, which already exists in G_I.
- The stimulus of the precondition is SPkt. Set the inspected message to SPkt.
- The startState of the postcondition is EU, which can be implied from F in G_I.
- The state of the precondition is Ext (an external event).

Forward Implication
- Without loss:
    G_I = {NC, F} --Prune--> {NC, F_Del} --Del--> {NC, NF}   (correct state)
- With loss of the Prune with respect to the affected router (i.e. F):
    G_I = {NC, F} remains {NC, F}   (error state)

Note that prunes on point-to-point links are triggered per packet, and so practically the error state above does not affect packet delivery; but this conclusion is drawn by the designer, because this semantic was not added to the system.

Backward Implication
    G_I = {NC, F}
        <--FPkt-- {NM, F}
        <--SPkt-- {NM, EU} = IS

Assert
Synthesizing the Global State
- Set the inspected message to Assert.
- The startState of the postcondition is F_j, so G_I = {F_j}.
- The state of the precondition is F_i, so G_I = {F_i, F_j}.
- The stimulus of the precondition is FPkt_j. Set the inspected message to FPkt_j.
- The startState of the postcondition is EU_i, which can be implied from F_i in G_I.
- The state of the precondition is F_j, already in G_I.
- The stimulus of the precondition is SPkt_j. Set the inspected message to SPkt_j.
- The startState of the postcondition is NF_j, which can be implied from F_j in G_I.
- The stimulus of the precondition is Ext (an external event).

Forward Implication
    G_I = {F_i, F_j} --Assert_i--> {F_i, NF_j}   (error)
This error occurs even in the absence of message loss.

Backward Implication
    G_I = {F_i, F_j}
        <--FPkt_j-- {EU_i, F_j}
        <--SPkt_j-- {EU_i, EU_j} = IS

Graft
Synthesizing the Global State
- Set the inspected message to Graft_Rcv.
- The startState of the postcondition is NF, so G_I = {NF}.
- The endState of the precondition is NH_Rtx, so G_I = {NF, NH_Rtx}.
- The stimulus of the precondition is Graft_Tx.
- The startState of the postcondition is NH, which may be implied from NH_Rtx in G_I.
- The endState of the precondition is NH, which may be implied.
- The stimulus of the precondition is HJ, which is Ext, i.e. external.

More than one choice can be made here; we show the one that resulted in the minimum topology.

[Figure: Graft event sequencing. Timeline between A and B (upstream router, downstream router) over times t1 to t6, showing the messages Graft, Prune, Graft, GAck.]

Forward Implication
- Without loss:
    G_I = {NH, NF} --Graft_Tx--> {NH_Rtx, NF} --Graft_Rcv--> {NH_Rtx, F} --GAck--> {NH, F}   (correct state)
- With loss of the Graft, i.e. the Graft_Rcv does not take effect:
    G_I = {NH, NF} --Graft_Tx--> {NH_Rtx, NF} --Timer Implication--> {NH, NF} --Graft_Tx--> {NH_Rtx, NF} --Graft_Rcv--> {NH_Rtx, F} --GAck--> {NH, F}   (correct state)
Sequencing and extended delays for Acked messages

A Graft message is Acked by the Graft Ack (GAck) message, and is inherently robust to message loss according to the completion and timer implication conditions, given that no other external adverse events interrupt these conditions.

To examine the vulnerable robustness aspects of Acked messages, we try to establish adversary external conditions during the transient states in which the system exists and before the completion of the Acked message phase. To achieve this, we clear the retransmission timer such that the adverse event will not be overridden by the retransmission mechanism.

To clear the retransmission timer, we should create a transition from NH_Rtx to NH, which is triggered by a GAck according to the state dependency table (NH <--GAck-- NH_Rtx). We then insert this transition in the event sequence.

Forward Implication
    G_I = {NH, NF} --Graft_Tx--> {NH_Rtx, NF} --GAck--> {NH, NF}   (error state)

Backward Implication
Using backward implication, we can construct a sequence of events leading to conditions sufficient to trigger the Graft Ack. From the transition table these conditions are {NH_Rtx, F}.
    G_I = {NH, NF}
        <--HJ--    {NC, NF}
        <--Del--   {NC, F_Del}
        <--Prune-- {NC, F}
        <--L--     {NH_Rtx, F}
To generate the GAck, we continue the backward implication and attempt to reach an initial state:
    {NH_Rtx, F}
        <--Graft_Rcv-- {NH_Rtx, NF}
        <--Graft_Tx--  {NH, NF}
        <--HJ--        {NC, NF}
        <--Del--       {NC, F_Del}
        <--Prune--     {NC, F}
        <--FPkt--      {NM, F}
        <--SPkt--      {NM, EU} = IS

The overall sequence of events is illustrated in the Graft event sequencing figure.
We do not show all branching or backtracking steps for simplicity.
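
The Graft sequencing case above, replayed as an added Python example (not code from the proposal): forward implication with timer implication shows that a lost Graft is recovered by retransmission, while a late GAck from an earlier Graft clears the timer and leaves the error state. The two-router tuple encoding, the per-router transition dictionaries and the function names are assumptions of this example; the transitions themselves are the ones used in this section's sequences.

```python
# Per-router transitions (event -> {state before: state after}), copied from
# the transition sequences in this section. A global state is the pair
# (downstream router state, upstream router state).
DOWN = {
    "FPkt": {"NM": "NC", "M": "NH", "ED": "NH"},
    "HJ": {"NC": "NH", "NM": "M"},
    "L": {"NH": "NC", "NH_Rtx": "NC", "M": "NM"},
    "Graft_Tx": {"NH": "NH_Rtx"},      # sets the retransmission timer
    "GAck": {"NH_Rtx": "NH"},          # clears the retransmission timer
    "RtxExp": {"NH_Rtx": "NH"},        # timer expiry, followed by a new Graft_Tx
}
UP = {
    "SPkt": {"EU": "F"},
    "Prune": {"F": "F_Del"},
    "Del": {"F_Del": "NF"},
    "Graft_Rcv": {"NF": "F"},
}
INITIAL = ("NM", "EU")                 # both components are initial states (IS)


def step(state, event):
    """Apply one delivered event; a router with no matching entry is unchanged."""
    down, up = state
    return (DOWN.get(event, {}).get(down, down), UP.get(event, {}).get(up, up))


def forward_implication(state, events):
    """Apply the delivered events, then complete the phase by timer implication.

    A lost message is modelled by leaving its reception (and anything that
    reception would elicit) out of `events`. If the retransmission timer is
    still running at the end, it expires and the Graft is resent and delivered
    (single-loss fault model). Returns the full trace of global states.
    """
    trace = [state]
    for ev in events:
        state = step(state, ev)
        trace.append(state)
    if state[0] == "NH_Rtx":
        for ev in ("RtxExp", "Graft_Tx", "Graft_Rcv", "GAck"):
            state = step(state, ev)
            trace.append(state)
    return trace


def is_error(stable):
    """Stable-state check: a receiver (NH) must be matched by a forwarder (F)."""
    down, up = stable
    return (down == "NH") != (up == "F")


NO_LOSS = ["Graft_Tx", "Graft_Rcv", "GAck"]
GRAFT_LOST = ["Graft_Tx"]              # Graft dropped: no Graft_Rcv, no GAck
# Event order obtained by reading the backward implication from IS forwards:
# the second Graft is lost and the GAck of the first Graft arrives late.
STALE_GACK = ["SPkt", "FPkt", "Prune", "Del", "HJ", "Graft_Tx", "Graft_Rcv",
              "L", "Prune", "Del", "HJ", "Graft_Tx", "GAck"]

if __name__ == "__main__":
    for name, start, events in (("no loss", ("NH", "NF"), NO_LOSS),
                                ("Graft lost", ("NH", "NF"), GRAFT_LOST),
                                ("stale GAck", INITIAL, STALE_GACK)):
        end = forward_implication(start, events)[-1]
        print(f"{name}: {end} {'ERROR' if is_error(end) else 'correct'}")
```

Dropping the final GAck from STALE_GACK leaves the timer running, so the same lost Graft is then recovered by retransmission.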
Comparison of the Approaches

The algorithms investigated in this document use different approaches to test generation. Depending on the protocol and the robustness criteria, these algorithms may investigate different parts of the state space in the time and resource constraints given. In this sense they may be considered complementary.

In this section, however, we will give a qualitative comparison of the three algorithms, highlighting some strengths and weaknesses of each. All algorithms assume the existence of (i) a specification for the tested mechanisms, (ii) correctness conditions for these mechanisms, and (iii) a definition of protocol robustness in terms of a fault model.

We also assume the integration of these algorithms with the detailed simulator at some stage of the design process.
The table compares Heuristic TG, Fault-independent TG and Fault-oriented TG on the following criteria.

Protocol Model
    Heuristic TG:         not required
    Fault-independent TG: Global FSM, functional description of the mechanisms
    Fault-oriented TG:    Global FSM, transition table (pre/postconditions)
Reduction Technique
    Heuristic TG:         topological equivalence, events heuristic equiv.
    Fault-independent TG: symbolic representation, counting equiv. of states/faults
    Fault-oriented TG:    implicit enumeration, targets affected states
Automation/Synthesis Capability
    Heuristic TG:         manual equiv. topologies, get test thru simulation
    Fault-independent TG: auto event/fault generation, topology is an input
    Fault-oriented TG:    auto event/fault/topology generation
State Space
    Heuristic TG:         reachable ad hoc states
    Fault-independent TG: reachable equiv. states
    Fault-oriented TG:    may search unreachable states
Faults Explored
    Heuristic TG:         exhaustive fault scenarios
    Fault-independent TG: equivalent faults
    Fault-oriented TG:    faults affecting states
Test Quality
    Heuristic TG:         estimates scenario/code but not state/error coverage
    Fault-independent TG: targets state coverage
    Fault-oriented TG:    targets error coverage w.r.t. the fault model
Topological Extensibility
    Heuristic TG:         may use heuristics with non-local/randomized topologies
    Fault-independent TG: need to extend the GFSM model beyond the LAN
    Fault-oriented TG:    need to extend the GFSM model beyond the LAN
Errors in terms of
    Heuristic TG:         end-to-end or protocol states
    Fault-independent TG: protocol states
    Fault-oriented TG:    protocol states
Search Technique
    Heuristic TG:         simulation of representative scenarios extended by the faults
    Fault-independent TG: forward search from initial and correct states
    Fault-oriented TG:    forward search from fault-affected states, backward search to initial state
As shown in the above table, the heuristic TG is the least expensive, in the sense that it does not require a protocol model but establishes the initial test-suites based on topological and event equivalences and heuristics. Using the heuristic approach may provide some insight into the protocol behavior, but does not provide estimates of the test quality in terms of state or error coverage, since the explored states are practically ad hoc.

Heuristic TG is simulation-based, as the test patterns are obtained after simulating and analyzing the representative scenarios. It is probably more extensible to support non-local topologies, more fault models and protocols than the other two approaches. Also, the error conditions may be defined in terms of end-to-end behavior or protocol states, since both may be traced and analyzed through packet level simulation. In fact, we have used heuristic TG to capture looping problems in PIM-SM (see appendix A).

Perhaps the main drawback of the heuristic approach is its inability to generate high quality test-suites automatically. This problem is addressed in the two other approaches by introducing a protocol model (the global FSM, GFSM) that can be processed to produce the tests automatically.

The fault-independent TG uses a forward search technique to investigate a subset of the state space obtained through state and fault equivalence relations. This eliminates redundant states and fault scenarios that may have been investigated by the heuristic approach. Also, a good estimate of state coverage may be obtained. Of the three dimensions of the test input pattern, only the events and faults are obtained automatically. The topology is considered an input to the fault-independent algorithm.

In contrast, the fault-oriented approach has the ability to synthesize topologies as part of the test patterns. However, more information is needed by the protocol model to perform the backward search and topology synthesis than that needed by the fault-independent approach. This information is given in the form of a precondition/postcondition transition table.

Fault-oriented TG (FOTG) targets the states affected by the fault and performs backward search only for erroneous states (i.e. only when necessary), and hence obtains a high coverage for the errors caused by the fault. However, because it starts from fault-affected states, FOTG may investigate unreachable states, unlike the other two approaches.

Both fault-independent and fault-oriented TG can define the error only in terms of protocol states, and cannot be used with non-local topologies (i.e. beyond the LAN) without extending the GFSM model. Integrating these approaches, however, into the simulation framework allows for more flexibility and extension, but may affect their formality and testing quality.
Summary and Future Work

The goals of our method are to simplify and systematize robustness analysis of multicast protocols. We attempt to provide practical methods to study robustness of real Internet multicast protocols with the aid of semi-formal and simulation methods.

This document presented our initial attempts to achieve these goals in the context of multicast routing protocols. In this section we present a summary of our contributions and describe our proposed future work.

Contributions

In this proposal we have presented our framework for systematic testing of multicast protocol robustness. In this process we have:

- Identified robustness verification as an essential and integral part of the design and testing process of network protocols. Our work is the first work of which we are aware that addresses this issue explicitly and systematically for multicast protocols.
- Proposed a framework for systematic evaluation of multicast protocol robustness through the integration of test generation, simulation and emulation (interface to implementation code). The framework can be used to evaluate design trade-offs, analyze protocol behavior under various network conditions, or test protocol implementation.
- Developed automatic test generation algorithms with protocol and fault modeling formalisms. Three approaches for test generation (TG) have been investigated: a heuristic approach, fault-independent TG and fault-oriented TG.
  The heuristic approach introduced the notion of representative scenarios to circumvent the state explosion problem. Also, it identified representative topologies based on equivalence relationships. The equivalence definition suggests that extending the simulated topologies would not reveal additional errors in the protocol.
  The fault-independent approach used a forward search algorithm for the most part. The complexity of the algorithm was reduced from exponential to polynomial in the number of routers by the use of symbolic representation and counting equivalence.
  By contrast, the fault-oriented approach used a backward search as the main algorithm, starting from the error state. Using a transition table-like representation of the protocol, this approach was able to synthesize topologies necessary to experience the error automatically.
  These approaches were applied to multicast routing in the localized LAN environment with a single message loss. The fault model used was that of selective loss on a LAN.
- Established a set of test-suites for the multicast routing protocols studied (PIM-DM and PIM-SM). Each of these tests consists of the network topology, sequence of node events (in terms of failure or protocol actions), and call patterns (in terms of host application events).
- Provided detailed simulation for PIM-DM and PIM-SM in NS, and a detailed implementation of PIM-SM (pimd).

Future Work

Our future work consists of two main parts: performing more analysis for multicast routing protocols, and investigating systematic testing of end-to-end multicast protocols.

Multicast Routing

In the area of multicast routing we will pursue the following research directions:

Conduct a thorough quantitative comparison between the different test generation methods, based on case studies for PIM-DM. Criteria used for the comparison include:
- Test quality, in terms of fault coverage (i.e., number of errors discovered) and code coverage (in this case, simulation code).
- Algorithm complexity, in terms of the memory and time required to finish the test or exceed the available resources.
- Length of the test sequences produced. For fault-oriented test generation, the choice of the cost function used to decide the backward implication steps affects the length of the test produced.

Study other multicast routing protocols, such as Border Gateway Multicast Protocol (BGMP) and Core Based Trees (CBT). BGMP is a protocol under development to facilitate inter-domain multicast routing, and is a good candidate to evaluate the effectiveness of STRESS in the protocol design stage.

CBT is a sparse-mode protocol; however, it differs from PIM-SM in that it uses hard-state messaging to set up the distribution tree, instead of the periodic-refresh soft-state messaging used by PIM-SM. Hard-state mechanisms use acknowledged messages and hence are more robust to message loss. We are interested in studying the behavior of such mechanisms with other fault models, such as crashes and loss of state.

In addition, CBT uses bidirectional route entries, in contrast to the unidirectional route entries kept by PIM-SM, which enforces the RPF check. We suspect that bidirectional trees may be more vulnerable to looping problems due to the lack of RPF checks.

Extend the fault model to capture crashes and extended delays. There are several kinds of crashes, ranging from momentary loss of state to permanent crash. The duration of the crash may have an effect on the protocol behavior.

We have used sequencing to model delays, assuming that temporal significance results only in re-ordering of events. This model may be hard to integrate with implementation code, where events occur in physical time. Adding temporal semantics to the model may be required for integration with implementation.

Investigate richer topologies:
- Topologies with asymmetric or unidirectional links, such as satellite or wireless links.
- Topologies that contain several links and LANs. Behavior of a protocol in a localized environment such as a LAN does not necessarily reflect the global behavior. For example, correctness conditions may be satisfied for each LAN in a topology and yet the overall behavior is erroneous due to an error in the boundary between the links. On the other hand, a LAN may violate the correctness conditions, yet the overall global behavior is not erroneous from an end-to-end perspective.

End-to-end Multicast

Future research directions in the area of end-to-end multicast protocols include:

Studying the ripple effects of low-level network errors and anomalies, such as route oscillations and flapping, on end-to-end multicast protocols. The low-level network errors will be those captured in earlier stages, for multicast routing for example.

The interaction between network protocols and end protocols provides a challenge. When an application fails, it is hard to detect whether the failure was due to the application or some other network behavior. Our study will analyze the effect of network protocol behavior on end-system applications and protocols. Examples of such protocols include reliable multicast transport (e.g., SRM, RTCP) and session management (e.g., sdp).

Generalizing the method and extending it to apply to end-to-end multicast protocols. Sensitivity analysis and performance evaluation may be needed for these protocols. For example, retransmission and congestion control mechanisms employed by end-to-end transport protocols usually use timer parameters. Methods may be needed for investigating the parameter space of the protocol (e.g., timer values) and the network (e.g., delay values), and for studying the effect of the change on performance in a systematic and efficient fashion.

To achieve this, the multicast distribution tree may be viewed as a virtual (or logical) LAN, with various selective loss and delay models. This transforms the problem into the matrix space, which is more amenable to perturbation and interval analyses. For example, we may introduce a delay (or distance) matrix for the LAN, representing the propagation and other delays in the network. By changing the delay parameters, different topologies may be represented.

Expected Contributions

Study ripple effects of network-level errors and dynamics on the end-to-end protocols in the context of multicast.

Analyze protocol behavior and robustness in a non-localized environment (i.e., beyond that of the LAN) and under a wider range of fault models.

Develop methods for sensitivity analysis and performance profiling of end-to-end multicast protocols in a systematic fashion. For such methods we will investigate the notion of the virtual LAN, which represents the underlying network infrastructure as a delay and loss matrix.

Build a library of performance profiles for the multicast protocols under study.

Provide a set of tools for design and test aid of multicast protocols. These tools attempt to realize the integration between automatic test generation, simulation and emulation.

Potential Applications of the Method

Other potential applications of our methods include:

Applying STRESS to real implementation conformance testing through an emulation interface.

Deriving behavioral assertion checks based on the STRESS method. Assertions can be used in network management and self-diagnosing protocols.

Generating performance profile libraries for rapid network diagnosis. These profiles may be used as network management aids, used for behavioral characterization of deployed and emerging protocols for improved network diagnosis.

Method Evaluation

To realize and evaluate our method we will use the Network Simulator (NS), with the extensions developed by the VINT project to support PIM-DM, PIM-SM and SRM, among others. We also plan to use the PIM-SM implementations developed at USC (pimd) and ISI (in gated), to be driven by the emulator interface.

Appendices

A Case Study for PIM-SM

In this appendix we present our case study for PIM-SM using the heuristic test generation approach (see section). This study uses the same equivalent topologies, representative scenarios and test suites that were used for the case study on PIM-DM presented earlier for the heuristic approach.

An overview of PIM-SM is given first. Then we present an elaborate example of applying the heuristic approach in conjunction with simulation, followed by the detailed results of the case study.

A PIM-SM Overview

PIM-SM is a multicast routing protocol that uses explicit join mechanisms for building shared multicast trees. For simplicity, we do not address source-specific trees in this description.

Figure: How senders rendezvous with receivers. (Diagram of routers A, B, C and D with the RP, Sender and Receiver. 1. Receiver sends a PIM join toward the RP, establishing a path from RP back to the receiver. 2. Sender sends a PIM register to the RP. 3. RP sends data packets down the established path.)

As shown in figure, when a receiver's local router (A) discovers it has local receivers, it starts sending periodic join messages toward a group-specific Rendezvous Point (RP). The join messages are multicast hop-by-hop. Each router along the path toward the RP builds a wildcard (any-source) route entry for the group and sends the join messages on toward the RP. A route entry is the state held in a router to maintain the distribution tree. Typically it includes the source address, group address, the interface from which packets are accepted (incoming interface), and the list of interfaces to which packets are sent (outgoing list). This state forms a shared, RP-rooted distribution tree that reaches all group members.

When a source first sends to a group, its local router (D) unicasts register messages to the RP with the source's data packets encapsulated within. Data packets reaching the RP are forwarded natively down the shared tree toward group members.

Similarly, when a member leaves the group, a prune message is sent by the local router to stop the multicast traffic from flowing down the branch leading to the pruned member.

Being robust to at least a single message loss, even in the presence of unicast inconsistencies, was a design goal for PIM-SM. The Assert and prune-override mechanisms for PIM-SM are the same as those presented earlier for PIM-DM.

Figure: The topology used for the case study. (Three panels, Topology 1, Topology 2 and Overall topology, showing routers A, B, C and D, the RP, sources S1 and S2, receivers R1 and R2, and the unicast route to RP.)

A Test suites

The topologies used for the study are those shown in figure. The simulation environment and tracing semantics are the same as those given in section.

Subsetting. For brevity, we do not consider source-specific trees and switching to the shortest paths in this paper. This is an example of state subsetting, since we consider shared group states while disregarding source-specific states.

The messages considered in the study are join, prune, assert and register messages. To study joins, prunes and asserts without the effect of registers, we consider a topology where the source and the RP are co-located (see S in figure, topology). This is an example of message subsetting.

When studying registers, joins and prunes, we consider topology in figure, where (a) S is the source, hence node A sends registers to the RP, and (b) the routed topology has consistent unicast routing to eliminate the effect of the assert mechanism. This represents function (or mechanism) subsetting. Only triggered actions are investigated, for simplicity.

A Applying the Method

We have implemented and a detailed implementation of PIM-SM.

Our detailed PIM-SM simulation mimics the unix pimd implementation model and hence is able to capture many implementation aspects. We plan to develop an interface between the simulator and an operational network running the

Figure: Simple packet trace graph showing packet loss and duplication. (Plot of sequence number against time for packets sent by S1, received by R1 and received by R2, annotated with "duplicates" and "loss" and with the host events J2 and L1. The two trace excerpts from the figure follow. PIMS: sent by the PIM component; PIMR: received by the PIM component; NH: next hop.)

S1 Node RP Send 7 t 175
R1 Node A Rcv 7 t 190
S1 Node RP Send 8 t 200
J2 Node B Join G t 200
PIMS Node B Send Join{NH=D} t 200
PIMR Node A Rcv Join{NH=D} t 210
PIMR Node D Rcv Join{NH=D} t 210
PIMS Node D Send Join{NH=RP} t 210
PIMR Node C Rcv Join{NH=D} t 210
R1 Node A Rcv 8 t 221
R2 Node B Rcv 8 t 221
PIMR Node RP Rcv Join{NH=RP} t 221
S1 Node RP Send 9 t 225
R1 Node A Rcv 9 t 246
R2 Node B Rcv 9 t 246
PIMS Node D Send Assert t 246
PIMS Node C Send Assert t 246
R2 Node B Rcv 9 t 247
R1 Node A Rcv 9 t 247
S1 Node RP Send 10 t 250

S1 Node RP Send 12 t 300
L1 Node A Leave G t 300
PIMS Node A Send Prune{NH=C} t 300
PIMR Node C Rcv Prune{NH=C} t 310
PIMS Node C Send Prune{NH=RP} t 310
PIMR Node B Rcv Prune{NH=C} t 310
PIMS Node B Send Join{NH=C} t 310
PIMR Node D Rcv Prune{NH=C} t 310
R2 Node B Rcv 12 t 321
PIMR Node C Rcv Join{NH=C} t 321
PIMS Node C Send Join{NH=RP} t 321
PIMR Node RP Rcv Prune{NH=RP} t 321
PIMR Node A Rcv Join{NH=C} t 321
PIMR Node D Rcv Join{NH=C} t 321
S Node RP Send 13 t 325
PIMR Node RP Rcv Join{NH=RP} t 332
S Node RP Send 14 t 350
R2 Node B Rcv 14 t 371
S Node RP Send 15 t 375
R2 Node B Rcv 15 t 396

The method is applied in a manner similar to that presented in section.

Example. In our simple example, an error condition is any packet loss or duplication experienced by the endpoints. A faulty scenario without packet loss that leads to two error conditions is identified and explained. Then the protocol actions leading to the errors are analyzed.

The representative scenario explained here is JJLL, using topology. This scenario was identified automatically as a faulty scenario. Traces in figure give the history of the errors found. A trace takes the following format: R Node A Rcv t, meaning that receiver R in node A received a data packet with sequence number at time ms from the beginning of the simulation run. The first error (i.e., the packet duplication) has the host event J as the closest join or leave host event in its history, at time ms. The error is a join transient caused by parallel paths to the RP. The error is resolved using the Assert messages exchanged during the duplication at time ms. The second error (i.e., packet loss) is a leave transient; it has a host event L in its recent history. The loss is due to the prune sent by node A at ms, and is resolved by a prune-override sent by node B at ms.
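
The endpoint error check described above can be run mechanically over a trace. The following is an added example, not part of the original report or of the STRESS tooling: it flags duplication and loss per receiver and reports the closest preceding join or leave host event. The sample trace is constructed in the figure's line format, and a single data source and the pairing of Jn/Ln with receiver Rn are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the figure's trace format (not simulator output).
SAMPLE_TRACE = """\
J1 Node A Join G t 100
S1 Node RP Send 7 t 175
R1 Node A Rcv 7 t 190
S1 Node RP Send 8 t 200
J2 Node B Join G t 200
R1 Node A Rcv 8 t 221
R2 Node B Rcv 8 t 221
S1 Node RP Send 9 t 225
R1 Node A Rcv 9 t 246
R2 Node B Rcv 9 t 246
PIMS Node D Send Assert t 246
PIMS Node C Send Assert t 246
R2 Node B Rcv 9 t 247
R1 Node A Rcv 9 t 247
S1 Node RP Send 10 t 250
R1 Node A Rcv 10 t 271
R2 Node B Rcv 10 t 271
S1 Node RP Send 12 t 300
L1 Node A Leave G t 300
PIMS Node A Send Prune{NH=C} t 300
R2 Node B Rcv 12 t 321
S1 Node RP Send 13 t 325
S1 Node RP Send 14 t 350
R2 Node B Rcv 14 t 371
"""

LINE = re.compile(r"^(\S+) Node (\S+) (Send|Rcv|Join|Leave) (.+) t (\d+)$")


def parse(trace):
    """Return (time_ms, tag, node, verb, arg) for every trace line."""
    events = []
    for raw in trace.strip().splitlines():
        m = LINE.match(raw.strip())
        if m is None:
            raise ValueError(f"unrecognised trace line: {raw!r}")
        tag, node, verb, arg, t = m.groups()
        events.append((int(t), tag, node, verb, arg))
    return events


def find_endpoint_errors(trace, grace_ms=0):
    """Return (kind, receiver, seq, time_ms, closest_host_event) tuples.

    A receiver is expected to get a packet if it joined strictly before the
    packet was sent and had not left by then. Packets sent in the last
    grace_ms of the trace are not judged, since they may still be in flight.
    """
    events = parse(trace)
    end = max(e[0] for e in events)
    sent = {}                    # seq -> send time (single source assumed)
    rcvd = defaultdict(list)     # (receiver, seq) -> reception times
    member = defaultdict(list)   # receiver -> [[join_time, leave_time or None]]
    host = []                    # (time, tag) of join/leave host events
    for t, tag, _node, verb, arg in events:
        if verb == "Send" and re.fullmatch(r"S\d*", tag):
            sent[int(arg)] = t
        elif verb == "Rcv" and re.fullmatch(r"R\d*", tag):
            rcvd[(tag, int(arg))].append(t)
        elif verb == "Join":
            member["R" + tag[1:]].append([t, None])
            host.append((t, tag))
        elif verb == "Leave":
            spans = member["R" + tag[1:]]
            if spans:
                spans[-1][1] = t
            else:
                spans.append([-1, t])   # joined before the trace began
            host.append((t, tag))
        # PIMS/PIMR protocol messages are not endpoint events; skip them.

    errors = []
    for (rx, seq), times in rcvd.items():
        if len(times) > 1:
            errors.append(("duplicate", rx, seq, times[1]))
    for rx, spans in member.items():
        for seq, ts in sent.items():
            expected = any(j < ts and (l is None or ts < l) for j, l in spans)
            if expected and ts <= end - grace_ms and (rx, seq) not in rcvd:
                errors.append(("loss", rx, seq, ts))

    def closest_host_event(t):
        prior = [h for h in host if h[0] <= t]
        return max(prior)[1] if prior else None

    errors.sort(key=lambda e: (e[3], e[1]))
    return [e + (closest_host_event(e[3]),) for e in errors]
```
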

Although the protocol actions leading to the endpoint errors (specified as any packet loss or duplication in this specific example) are considered transient errors, they are not considered protocol design errors. We do, however, address protocol design errors in section A.

A Scenario and protocol coverage

While the fact that we were able to discover design errors provides some evidence of the method's utility, we would like to quantify the coverage of protocol states and possible scenarios.

pimd code. However, the analyses presented in this study are based strictly on the protocol specification, independent of the implementation.

The overall protocol coverage has two dimensions. The first is the protocol state coverage, and we attempt to cover this dimension using the representative scenarios (reachable states). Investigation of the loss scenarios does not affect protocol coverage significantly.

The second dimension is the space of possible interaction scenarios between the state machines in different routers within the topology. This dimension is explored by investigating the selective loss scenarios.

Scenarios covered. The initial number of simulated scenarios without protocol message loss was

$$\sum_{topologies} \text{No. rep. scenarios}$$

where No. rep. scenarios is the number of representative scenarios (equal to in our case, discussed in section) and the topologies are the two discussed in section. Hence we simulated scenarios without protocol message loss.

After feeding back the link traces for the messages under study, the loss patterns were assigned to the corresponding links. The scenario generator then set up the simulations for the new scenarios with loss. The total number of scenarios with protocol message loss simulated is given by the following formula:
X
T opos
X
Reps
X
Msgs
X
Link s
Link M sg s Link Rtr s
where the terms used are described in the following table:

Term       Meaning
Topos      Topologies
Reps       Representative scenarios
Msgs       Messages under study
LinkMsgs   No. of messages traversing the link
LinkRtrs   No. of routers connected to the link

For each topology, this formula gives the number of scenarios automatically generated after the first simulation run, during which the number of messages and links traversed by these messages is counted.

For example, for the first topology, the messages under study were joins, prunes and asserts. The representative scenarios triggered joins, prunes and asserts on the LAN, and joins and prunes on point-to-point links. For the second topology, the messages under study were joins and prunes. The representative scenarios triggered joins and prunes on the LAN, and joins and prunes on point-to-point links. Hence the total number of scenarios with loss became and scenarios, respectively.

Protocol code coverage. A large portion of the multicast support code in NS was annotated automatically to provide code tracing. The representative scenarios (without loss) invoked procedures out of overall annotated procedures. The procedures that were not invoked dealt mainly with source-specific state, which was abstracted in our test suites, or with the modularity of the object-oriented nature of the code.

A Results

This section describes the protocol design errors uncovered for PIM-SM under STRESS.

We modified the error conditions to avoid join and leave transients since, unlike our simple example above, we are only interested in design errors. The new error conditions do not consider single duplication or loss.

Following is a summary of the major faulty scenarios encountered and how they relate to STRESS. For a more detailed discussion of the protocol errors and fixes, see section A.

A Summary of Results

We describe a partial list of faulty scenarios captured by STRESS. We obtained this list after simulating only a few of the representative scenarios. The traces produced provided guidance to discover the protocol errors. Design errors discovered include Assert, Join/Prune and Register mechanisms.

Asserts. For the first topology (figure, topology), a black hole was observed for one receiver. The faulty scenario in this case involved another receiver joining in the recent history of the black hole. By analyzing the protocol trace history (after rolling back), we noticed that an Assert process took place right before the loss.

In addition, the faulty scenario included the loss of a join message, which prevented the establishment of the branch of the shared tree from the Assert winner to the RP. Hence the protocol design error is allowing a router on a branch of the tree that is not completely established to participate in Asserts.

Joins and Prunes. Over the same topology (i.e., figure, topology), several other faulty scenarios lead to black holes. The host scenarios involved one receiver leaving just before black holes were experienced by the other receiver. In these cases, join and prune messages occurred in the recent history of the endpoint error.

Furthermore, all such scenarios included either (i) loss of a join message, preventing a pruned branch from being re-established, or (ii) selective loss of a prune message, preventing a join (i.e., prune-override) from being triggered. The protocol design error in this case was not allowing a second chance for routers with downstream members to override prunes.

Registers. In the second topology (figure, topology), faulty scenarios were captured that cause packet duplicates at the endpoints.

In this case, the observed faulty scenarios did not follow a regular pattern and were developed iteratively; i.e., when one faulty scenario led to a suggested fix in the protocol, the fix was implemented and the method rerun to observe further faulty scenarios.

The first scenario involved a single host receiving duplicates merely by joining the group. The packets were being delivered at least twice: once directly from the source (by virtue of being on the same LAN), and the second delivery from the shared tree, after the register reached the RP and was sent down the shared tree. When the number of packet duplicates exceeded two, this suggested a loop. The loop occurred when a packet received over the shared tree on the LAN was (a) picked up by the local router, (b) re-registered to the RP, and (c) forwarded down the shared tree again. The protocol error was allowing the packets to flow down from the shared tree to the originating LAN and be re-registered. The fix was to prune such sources from the shared tree.

The second scenario involved another receiver joining before the duplicates were observed. The pruned branch of the shared tree was re-established by the joining receiver, allowing the packets to flow down the shared tree to the originating LAN and subsequently causing the loop.

The third scenario involved a prune message loss, again allowing the packets to flow down the shared tree to the originating LAN, and led to looping.

Rules were added to prevent packets from being forwarded back on their original LANs in the above scenarios.

Figure: The Assert scenario under study. (Four panels, (I) to (IV), each showing the RP, S1, R1, R2 and routers A, B, C and D.)
1) R1 joins the group. B sends joins towards RP.
2) S1 sends packets to the group. Packets flow down distribution tree and are multicast on the LAN.
3) R2 joins the group. A sends joins towards RP.
4) The join from C to RP is lost.
5) Packets forwarded by D onto the LAN are received by C on an outgoing interface.
6) C Asserts with a winning metric onto the LAN.
7) D removes the LAN from its entry and sends prunes towards the RP.

A Detailed Results

The rest of this section describes the above faulty scenarios in more detail and illustrates how the solutions were developed with the aid of STRESS. After the solutions were integrated into the protocol simulator, we applied regression testing to verify that the fixes did not introduce any new errors.

A Assert analysis

Following is a discussion of the pathological cases found in the Assert process. An exhaustive list of the results is not included in this document, for brevity. A few errors in the PIM-SM specification were unveiled during this process; we focus on errors that created the possibility of packet loss (i.e., black holes).

The scenario

In this scenario, the topology in figure was set up such that A's next-hop towards the RP is C, and B's next-hop towards the RP is D.

Figure: Transition diagram for joins and asserts. States: NoState, State for G, ActiveState, OifDeleted. Transition labels in the diagram:
- Rcv join for G; create state, trigger join upstream
- Rcv join for G
- Rcv pkts for G; activate state, forward pkts
- Rcv pkts for G; forward pkts, or Rcv assert on oif & win; send assert
- Rcv assert on oif & lose; delete oif from entry
- All oifs deleted & entry removed
(oif: outgoing interface; G: multicast group)

Consider the sequence of events shown in figure, which used the representative scenario JJLL with the loss of a join message on the link between C and RP.

During the last two events of the scenario (steps and), D loses the Assert process to C (with lower metric or higher address). Subsequently, D removes the LAN from its entry's interface list, and R stops receiving packets from S. This problem persists until/unless the branch of the tree from C to RP is established.

Discussion and fix. The current rules of the PIM specification aim to guarantee at-most-one forwarder on a multi-access network. However, to ensure proper delivery of packets (without packet loss), the right semantics should be exactly one forwarder.

The problem arises, more specifically, because the PIM specification does not distinguish between an active entry, i.e. an entry created due to arrival of data packets (e.g. a multicast forwarding cache), and an entry on a branch of a tree that is not yet established, or an inactive entry. An inactive entry may win an Assert process, resulting in black holes.

To solve this problem, we modified the specification to ensure exactly-one-forwarder semantics using the following rule: A router receiving a data packet or Assert on an outgoing interface of a matching entry does not participate in the Assert process unless the entry is active. Figure illustrates the ActiveState added to the transition diagram to realize the solution.
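
The Assert black hole and the ActiveState rule can be replayed in a few lines. This is an added sketch, not the report's NS code or the PIM-SM specification: it models only routers C and D on the LAN, uses the state names from the transition diagram, and the metrics, addresses and method names are constructed for illustration.

```python
from dataclasses import dataclass

NO_STATE, STATE_FOR_G, ACTIVE = "NoState", "State for G", "ActiveState"


@dataclass
class Router:
    name: str
    metric: int                  # constructed; lower metric wins the Assert
    address: int                 # constructed; higher address breaks ties
    state: str = NO_STATE
    lan_is_oif: bool = False     # LAN is on the entry's outgoing list
    branch_to_rp: bool = False   # upstream branch of the shared tree exists

    def rcv_join(self, upstream_join_delivered):
        """Rcv join for G: create state, trigger join upstream (may be lost)."""
        if self.state == NO_STATE:
            self.state = STATE_FOR_G
        self.lan_is_oif = True
        self.branch_to_rp = self.branch_to_rp or upstream_join_delivered

    def forward_from_rp(self):
        """Rcv pkts for G from upstream: activate state, forward onto the LAN."""
        if self.branch_to_rp and self.lan_is_oif:
            self.state = ACTIVE
            return True
        return False

    def lose_assert(self):
        """Rcv assert on oif & lose: delete oif; all oifs deleted, entry removed."""
        self.lan_is_oif = False
        self.branch_to_rp = False    # prunes are sent towards the RP
        self.state = NO_STATE


def assert_process(routers, require_active):
    """One Assert election among routers that saw the packet on an oif.

    require_active=False is the original behaviour; True applies the rule
    that only entries in ActiveState participate.
    """
    contenders = [r for r in routers if r.lan_is_oif
                  and (r.state == ACTIVE or not require_active)]
    if len(contenders) > 1:
        winner = min(contenders, key=lambda r: (r.metric, -r.address))
        for r in contenders:
            if r is not winner:
                r.lose_assert()


def lan_forwarders(routers):
    """Names of routers that put the next packet from the RP onto the LAN."""
    return [r.name for r in routers if r.forward_from_rp()]


def run_scenario(require_active):
    """Replay steps 1-7 of the Assert scenario, then a later successful join.

    Returns (forwarders right after the lost join, forwarders after C's
    branch to the RP is finally established).
    """
    c = Router("C", metric=1, address=3)
    d = Router("D", metric=2, address=4)
    routers = [c, d]
    d.rcv_join(upstream_join_delivered=True)     # step 1: B joins via D
    lan_forwarders(routers)                      # step 2: D forwards S1's packets
    c.rcv_join(upstream_join_delivered=False)    # steps 3-4: C's join to RP is lost
    assert_process(routers, require_active)      # steps 5-7: C sees D's packet on an oif
    after_loss = lan_forwarders(routers)
    c.rcv_join(upstream_join_delivered=True)     # a later periodic join reaches the RP
    if len(lan_forwarders(routers)) > 1:         # two forwarders: duplicates on the LAN
        assert_process(routers, require_active)
    after_refresh = lan_forwarders(routers)
    return after_loss, after_refresh
```

An empty forwarder list is the black hole; a single name is the exactly-one-forwarder outcome the rule is meant to preserve.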

B Join/Prune analysis

In this analysis we address the effect of selective loss of Join/Prune messages. Although this problem has been addressed in recent releases of the PIM-SM specification, we provide a more efficient solution.

We use the topology given in figure (I). The representative scenario used is JJLL, with the second join from node A lost on the LAN.

We assume that S sends packets to group G throughout the simulation. Consider the sequence of events given in figure (I). After the last event (step), R stops receiving S's packets. This problem persists until A sends the next periodic join to C and re-establishes the pruned branch of the tree. A similar problem is encountered in figure (II), when the prune sent from B is selectively lost on the LAN by A and received by C.

Figure: The Join/Prune scenario under study. (Panels (I) and (II), each showing the RP, S1, R1, R2 and routers A, B and C.)
(I)
1) R1 joins the group. B sends joins towards RP.
2) R2 joins the group. A sends joins towards RP.
3) R1 leaves the group. B multicasts prunes onto the LAN.
4) A gets the prune and sends a join to override. The join is lost.
5) C gets the prune and sends it towards RP.
(II)
3) R1 leaves the group. B multicasts prunes onto the LAN.
4) A does not receive the prune, and so does not override.
5) C gets the prune and sends it towards RP.

Discussion and fix

The solution suggested by the PIM specification introduces a deletion timer. This, however, increases the leave latency and incurs unnecessary data overhead.

A more efficient solution would be to have the upstream router (C) announce a prune-alert before removing the LAN from its outgoing list, by re-sending the prune message previously received from B.

C Register analysis

Following is a description of the scenarios that exhibit packet duplication due to register messages, and the suggested fixes to eliminate such duplication. The fixes were applied iteratively until the error was eliminated.

(i) First scenario: single source, single receiver

In this scenario we consider S and R in figure (I). Consider the sequence of events in the figure. Packet duplication and register looping occur in the above scenario. A similar scenario occurs when R joins first, then S starts sending to the group.

Suggested fixes

The required behavior is to send a triggered (and periodic) source-specific prune off of the shared tree if a router has source-specific state for registering and shared tree state for the same group, regardless of the incoming interface settings.

(ii) Second scenario: single sender, two receivers

We assume the implementation of the above fixes to the simulator, then consider the sequence of events in figure (II). This scenario exhibits packet duplication and register looping.

Suggested fix

The problem arises because the packets are forwarded back on the originating LAN and treated as if they were new packets originated by the directly connected source. The following rule solves this problem for the given scenario:

A router receiving join message must NOT add an interface on the same subnet as a source S for any source-specific entry for S associated with same group.

Figure: The register scenarios under study. (Panels (I), (II) and (III), showing the RP, S2, R2 and routers A and C; panel (II) also shows R1 and router B.)
(I)
1) R2 joins group(G). A sends joins towards RP.
2) S2 sends packets to G. A builds source state & registers to RP. Incoming interface for the state points towards LAN.
3) RP gets registers, decapsulates & forwards packets down shared tree.
4) Packets down shared tree are accepted from LAN & re-registered forming a loop.
(II)
1) R2 joins G & S2 sends to G. A builds routing state & sends join to G & prune for S2 towards RP.
2) R1 joins G. B sends join to RP, eliminating prune state for S2 in C.
3) S2 sends to G; A registers to RP.
4) RP decapsulates & forwards packets down shared tree.
5) Packets forwarded onto LAN are re-registered by A, causing a loop.
(III)
1) A sends prune to RP; R2 is member of G & S2 is source. prune is lost.
2) A registers packets from S2 to RP.
3) RP decapsulated & forwards packets down shared tree.
4) Shared tree packets accepted from LAN & re-registered to RP forming loop.

(iii) Third scenario: single source, single receiver, with message loss

Considering the scenario in figure (III), the source-specific prune sent from A to C (when A, having a shared tree state, creates the source-specific entry for registering) is lost.

Packet duplication and register looping problems are experienced in this scenario. The problem persists until a periodic Join/Prune message is successfully sent upstream.

Suggested fix

To be robust to at least one message loss, we suggest the following rule for packet forwarding:

A router must NOT forward a packet onto the subnet from which the packet was originated. This is achieved by performing a check on the source and the outgoing interface before building a source-specific state or before forwarding a packet.
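
The iterative fix-and-rerun process for the three register scenarios can be written as a small regression matrix. This is an added toy model, not the report's simulator code: it tracks only the upstream router C's state for the LAN and router A's register state, the addresses are constructed, and the cumulative fix levels 1 to 3 stand for the three suggested rules in the order given above.

```python
import ipaddress

LAN = ipaddress.ip_network("192.0.2.0/24")   # constructed: LAN shared by A, C and S2
S2 = ipaddress.ip_address("192.0.2.10")      # constructed: source attached to that LAN

# Event sequences abstracted from panels (I) to (III) of the register figure.
SCENARIOS = {
    "I": ["join", "send"],                    # receiver joins, S2 sends
    "II": ["join", "send", "join", "send"],   # a second receiver joins later
    "III": ["join", "send_prune_lost"],       # A's triggered prune is lost
}


def register_loop(events, fixes):
    """Return True if S2's packets come back onto the LAN and are re-registered.

    fixes is cumulative:
      1: A sends a triggered source-specific prune off the shared tree
      2: a join must not re-add the source's own subnet for the S2 entry
      3: never forward a packet onto the subnet it originated from
    """
    lan_on_shared_tree = False   # C: LAN on the shared-tree outgoing list
    s2_pruned = False            # C: prune state for S2 on the LAN
    a_has_source_state = False   # A: source-specific state for registering
    for event in events:
        if event == "join":
            lan_on_shared_tree = True
            if fixes < 2:
                s2_pruned = False    # the join eliminates the prune state in C
        else:
            if not a_has_source_state:
                a_has_source_state = True
                # The prune is triggered once, when A creates its source state.
                if fixes >= 1 and lan_on_shared_tree and event == "send":
                    s2_pruned = True
            # Fix 3: check the source against the outgoing interface's subnet.
            origin_check = fixes >= 3 and S2 in LAN
            if lan_on_shared_tree and not s2_pruned and not origin_check:
                return True          # C forwards onto the LAN, A re-registers
    return False


def regression_matrix():
    """Rerun every scenario at every fix level, as in regression testing."""
    return {fixes: {name: register_loop(events, fixes)
                    for name, events in SCENARIOS.items()}
            for fixes in range(4)}
```

Each added rule clears one more scenario without reintroducing the loop in the earlier ones.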

Most implementations create a cache for forwarding packets. This check can be done only once when creating the cache, and is not done per packet.

This is different than the incoming interface check stated by the current specification. In the specific case discussed here, the looping multicast packets will match on the incoming interface (the LAN) for the source-specific entry.
S McCanne and S Flo yd NS Net w ork Sim ulator URL httpwwwnr ge elblgovns
J Ousterhout Tcl and the Tk T o olkit A ddison Wesley D W etherall and C Lindblad Extending Tcl for Dynamic Ob jectOrien ted Programming Pr o c e e dings of the
TclTk Workshop T or onto Ontario July D Ra yner OSI conformance testing Computer Networks and ISDN Systems Sp e cial issue on Conformanc e
T esting V ol No pages S P erl P erformance Assertion Chec king PhD Thesis MIT Septem b er A Helm y Proto col Indep enden t MulticastSparse Mo de PIMSM Implemen tation Do cumen t Internet Dr aft
URL httpwwwusce dudeptcste chnic al r ep ortshtml Jan uary
Description
Ahmed Helmy. "Systematic testing of multicast protocol robustness." Computer Science Technical Reports (Los Angeles, California, USA: University of Southern California. Department of Computer Science) no. 663 (1998).
Asset Metadata
Creator: Helmy, Ahmed (author)
Core Title: USC Computer Science Technical Reports, no. 663 (1998)
Alternative Title: Systematic testing of multicast protocol robustness (title)
Publisher: Department of Computer Science, USC Viterbi School of Engineering, University of Southern California, 3650 McClintock Avenue, Los Angeles, California, 90089, USA (publisher)
Tag: OAI-PMH Harvest
Format: 72 pages (extent), technical reports (aat)
Language: English
Unique identifier: UC16269755
Identifier: 98-663 Systematic Testing of Multicast Protocol Robustness (filename)
Legacy Identifier: usc-cstr-98-663
Rights: Department of Computer Science (University of Southern California) and the author(s).
Internet Media Type: application/pdf
Copyright: In copyright - Non-commercial use permitted (https://rightsstatements.org/vocab/InC-NC/1.0/)
Source: 20180426-rozan-cstechreports-shoaf (batch), Computer Science Technical Report Archive (collection), University of Southern California. Department of Computer Science. Technical Reports (series)
Access Conditions: The author(s) retain rights to their work according to U.S. copyright law. Electronic access is being provided by the USC Libraries, but does not grant the reader permission to use the work if the desired use is covered by copyright. It is the author, as rights holder, who must provide use permission if such use is covered by copyright.
Repository Name: USC Viterbi School of Engineering Department of Computer Science
Repository Location: Department of Computer Science. USC Viterbi School of Engineering. Los Angeles, CA, 90089
Repository Email: csdept@usc.edu
Inherited Values
Title: Computer Science Technical Report Archive
Description: Archive of computer science technical reports published by the USC Department of Computer Science from 1991 - 2017.
Coverage Temporal: 1991/2017