USC Computer Science Technical Reports, no. 673 (1998)
Fault-oriented Test Generation for Multicast Routing
Ahmed Helmy, Deborah Estrin, Sandeep Gupta
University of Southern California, Los Angeles, CA
email: {ahelmy, estrin}@usc.edu, sandeep@boole.usc.edu
March 1998
Abstract
The unprecedented growth of the Internet and the introduction of new network services such as multicast have led to increased complexity of network protocols and protocol interaction. Multicast protocols support a wide range of multipoint applications, ranging from teleconferencing to network games. Unlike traditional point-to-point protocols, multipoint communication involves multiple senders and receivers, increasing the number of protocol states and complicating the task of evaluating the behavior and robustness of the protocols and supported applications.
In addition, the heterogeneity of network components and technologies has introduced new failure modes that have not been considered traditionally in the design of multicast protocols, such as unicast routing anomalies and selective loss over LANs. The presence of these failures exacerbates the design and testing problems of multicast protocols due to the esoteric interaction between the different layers in the protocol stack. To date, little effort has been exerted to formulate practical methods and tools that aid in the systematic testing of these protocols.
In this paper we present a new algorithm for automatic test generation for multicast routing. We target protocol robustness specifically and do not attempt to verify other properties in this paper. Our algorithm processes a finite state machine (FSM) model of the protocol and uses a mix of forward and backward search techniques to generate the tests. The output tests include a set of topologies, protocol events and network failures that lead to violation of protocol correctness and behavioral requirements. We apply our method to a real multicast routing protocol, PIM-DM, which has been deployed in parts of the Internet, and investigate its behavior in the presence of selective packet loss on LANs and router crashes.
Introduction
Network protocol errors are often detected by application failure or performance degradation. Such errors are hardest to diagnose when the behavior is unexpected or unfamiliar. Even if a protocol is proven to be correct in isolation, its behavior may be unpredictable in an operational network, where interaction with other protocols and the presence of failures may affect its operation.
The complexity of network protocols is increased with the exponential growth of the Internet and the introduction of new services. In particular, the advent of IP multicast and the MBone enabled applications ranging from multiplayer games to distance learning and teleconferencing, among others.
In addition, researchers are observing new and obscure, yet all too frequent, failure modes over the Internet, such as routing anomalies and selective loss over LANs. Such failures are becoming more frequent, mainly due to the increased heterogeneity of technologies and configurations of various network components.
Many researchers have developed protocol verification methods to ensure that certain properties of a protocol hold, properties like freedom from deadlocks or unspecified receptions. Much of this work, however, was based on abstract mathematical models with assumptions about the network conditions (such as FIFO queues) or did not consider network component failures; such assumptions may not always hold in today's Internet and hence may become invalid.
To provide an effective solution to these problems, we propose a new method for automatic test generation. We refer to our method as fault-oriented test generation (FOTG). It is targeted towards the study of protocol robustness in the presence of packet loss and network failures.
Footnote: Helmy and Estrin were supported by the Defense Advanced Research Projects Agency (DARPA) under Contract No. DABT C. Any opinions, findings and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of DARPA.
Our approach borrows from well-established chip testing technologies. We adopt concepts such as fault-oriented pattern generation and forward and backward implication, expand them, and apply them to network protocols.
The algorithm used in our method utilizes a mix of forward and backward search techniques. Starting from a given fault, the necessary topology and event sequences are established that drive the protocol into error states.
For illustration, and as a case study, we apply FOTG to a multicast routing protocol deployed as an intra-domain routing protocol in parts of the Internet, PIM-DM.
The rest of this paper is organized as follows. The next section gives an overview of multicast. The related work on protocol design and testing is discussed in the section after that. The following section provides an overview of test generation and presents the system model and definitions. The section after it describes our algorithm in detail and how it can be applied to multicast routing, along with the results of our case study. We conclude with a summary and a discussion of future directions in the final section.
Brief Overview of Multicast
Multicast protocols are the class of protocols that support group communication. A multicast group may involve multiple receivers and one or more senders. In this paper we address multicast protocols for the Internet based on the IP multicast model. These protocols include multicast routing protocols (e.g. DVMRP, MOSPF, PIM-DM, CBT and PIM-SM), multicast transport protocols (e.g. SRM, RTP and RTCP) and multiparty applications (e.g. WB, vat, vic, nte and sdr). This study focuses on multicast routing protocols, which deliver packets efficiently to group members by establishing distribution trees. The figure below shows a very simple example of a source S sending to a group of receivers R_i.
[Figure: Establishing multicast delivery tree. S: sender to the group; Ri: receiver i of the group.]
Multicast distribution trees may be established by either broadcast-and-prune or explicit-join protocols. In the former, such as DVMRP or PIM-DM, a multicast packet is broadcast to all leaf subnetworks. Subnetworks with no local members for the group send prune messages towards the sources of the packets to stop further broadcasts. Link-state protocols, such as MOSPF, broadcast membership information to all nodes. In contrast, in explicit-join protocols, such as CBT or PIM-SM, routers send hop-by-hop join messages for the groups and sources for which they have local members. When received, these messages build routing state in routers and cause further messages to be sent upstream until the distribution tree is established. Upon receiving multicast packets, a router forwards the packets according to the routing state.
We are particularly interested in multicast routing protocols because they are vulnerable to failure modes, such as selective loss, that have not been traditionally studied in the area of protocol design.
For most multicast protocols, when routers are connected via a multi-access network or LAN, hop-by-hop messages are multicast onto the LAN and may experience selective loss, i.e. they may be received by some nodes but not others. The likelihood of selective loss is increased by the fact that LANs often contain hubs, bridges, switches and other network devices. Selective loss may affect protocol robustness.
Similarly, end-to-end multicast protocols and applications must deal with situations of selective loss. This differentiates these applications most clearly from their unicast counterparts and raises interesting robustness questions.
Footnote: We use the term LAN to designate a connected network with respect to IP multicast. This includes shared media such as Ethernet or FDDI, hubs, switches, etc.
Our case study illustrates why selective loss should be considered when evaluating protocol robustness. This lesson is likely to extend to the design of higher-layer protocols that operate on top of multicast and are even more likely to experience selective loss among receivers.
We are also interested in studying the multicast protocol behavior in the presence of other network failures, such as router crashes (considered in this paper) and unicast routing anomalies (considered in future work).
Related Work
The related work falls mainly in the field of protocol verification. In addition, some concepts of our work were inspired by VLSI chip testing. Most of the literature on multicast protocol design addresses architecture, specification and comparisons between different protocols. We are not aware of any other work to develop automatic test generation for multicast protocol robustness.
There is a large body of literature dealing with verification of communication protocols. Protocol verification typically addresses well-defined properties, such as safety, liveness and responsiveness properties. Safety properties include freedom from deadlocks, assertion violations, improper terminations and unspecified receptions. Liveness properties include detection of acceptance cycles and absence of non-progress cycles, while responsiveness properties include timeliness and fault tolerance. Most protocol verification systems aim to detect violations of part of these protocol properties.
In general, the two main approaches for protocol verification are theorem proving and reachability analysis (or model checking). Theorem proving systems define a set of axioms and construct relations on these axioms. Desirable properties of the protocol are then proven mathematically. Theorem proving includes model-based formalisms, such as Z and the Vienna Development Method (VDM), and logic-based formalisms, including first-order logic, such as Nqthm, and higher-order logic, such as the Prototype Verification System (PVS). An attempt to apply formal verification to TCP and T/TCP has been reported in the literature. In general, however, the number of axioms and relations in theorem proving systems grows with the complexity of the protocol. We believe that these systems will be even more complex, and perhaps intractable, for multicast protocols. Moreover, these systems work with an abstract specification of the protocol and hence tend to abstract out some network dynamics, such as selective loss or unicast routing inconsistencies or failures, that may cause the problems we are addressing in this study.
Reachability analysis algorithms, on the other hand, try to generate and inspect all the protocol states that are reachable from given initial states. Such algorithms suffer from the state space explosion problem, especially for complex protocols. To circumvent this problem, state reduction and controlled partial search techniques could be used. These techniques focus only on parts of the state space and may use probabilistic, random or guided searches. Reduced reachability analysis has been used in the verification of cache coherence protocols using a global FSM (finite state machine) model. We adopt a similar FSM model and extend it for our approach in this study.
A simulation-based STRESS testing method was proposed in earlier work. Although this method proposes heuristics and topological equivalence to reduce the number of simulated scenarios, it does not provide automatic generation of topologies and scenarios. Our work in this paper may be integrated with the STRESS framework as part of the scenario generation phase.
Another related field is VLSI chip testing. Chip testing uses a set of well-established approaches to generate test vector patterns, generally for detecting physical defects in the VLSI fabrication process. Common test vector generation methods detect single stuck-at faults, where the value of a line in the circuit is always at logic 0 or 1. Test vectors are generated based on a model of the circuit and a given fault model.
One well-known testing process for stuck-at faults is the fault-oriented process. In this process, the two fundamental steps in generating a test vector are (a) activating the fault and (b) propagating the resulting error to an observable output. Activating a fault involves a line justification step, i.e. setting circuit input values to cause a line in the circuit to have a specific value.
Line justification or error propagation usually involves a search procedure with a backtracking strategy to resolve or undo contradictions in the assignment of line and input values. These line assignments sometimes determine, or imply, other line assignments. The process of computing the line values to be consistent with previously determined values is referred to as implication. Forward implication involves implying values of lines from the fault toward the output, while backward implication involves implying values of lines from the fault toward the circuit input.
Footnote: For chip testing, implication often refers to a unique assignment. In our usage of the term, however, we allow multiple possible values, in which case a search procedure is used to investigate the possibilities.
We adopt some implication concepts for our method and transform them to the network protocol domain. We note that chip testing is performed for a given circuit, while a protocol must work over arbitrary and time-varying topologies, adding another dimension to our problem.
Test Generation Overview
The input to our method is the specification of a protocol, its correctness requirements and a definition of its robustness. In general, protocol robustness is the ability to respond correctly in the face of network failures and packet loss. Usually robustness is defined in terms of network dynamics or fault models. A fault model represents various component faults, such as packet loss, corruption, reordering or machine crashes. The desired output is a set of test suites that stress the protocol mechanisms according to the robustness criteria.
The core contribution of our work lies in the development of systematic test generation algorithms for protocol robustness.
In general, there are two approaches for test generation (TG): random TG (RTG) and deterministic TG. RTG involves only the generation of random test patterns (see the definition of test patterns below) and hence is simple. However, a large set of test patterns is needed to achieve a high measure of error coverage, and even then determining the test quality may be expensive. Also, the cost of running long test sequences may be high. RTG generally does not take into account the function or the structure of the protocol under test and does not attempt to minimize the test length.
Deterministic TG, on the other hand, produces tests based on a model of the protocol. Hence it may be more expensive than RTG. However, the knowledge built into the protocol model enables the production of shorter and higher-quality test sequences. Deterministic TG can be manual or automatic. In this study we focus on automatic deterministic TG (ATG).
ATG can be (a) fault-independent or (b) fault-oriented. Fault-independent TG (FITG) works without targeting individual faults as defined by the fault model. Such an approach may employ a forward search technique to inspect the protocol state space (or an equivalent subset thereof) after integrating the fault into the protocol model. In this sense it may be considered a variant of reachability analysis and may use equivalence relations to reduce the state space investigated. In general, FITG may be used to automatically construct sequences of events that lead to error states over a given topology.
In contrast, fault-oriented tests are generated for specified faults. Fault-oriented test generation (FOTG) starts from the fault (e.g. a lost message) and synthesizes the necessary topology to trigger that message. It then uses a mix of forward and backward searches to construct sequences of events leading to protocol error. In general, FOTG requires more information in the protocol model for the topology synthesis and the backward search. Later in the paper we discuss in greater detail the protocol model used and apply it to a multicast protocol, PIM-DM.
In the remainder of this section we describe the system model, present some definitions and give an overview of the case study protocol, PIM-DM.
System Model and Definitions
The system model consists of the network elements, topology elements and the fault model.
Elements of the network: The network consists of links and nodes (routers and hosts). A link may be point-to-point or multi-access (i.e. LAN). In this study we assume bidirectional symmetric links. A node runs a set of network protocols (unicast and multicast routing). We assume the existence of a MAC-layer protocol to resolve media access and collision issues, but we do not model such a protocol. A host runs end-to-end protocols or applications.
Elements of the topology: In this document we consider only local topology (N-router LAN) modeled at the network level, i.e. connecting hubs, switches, bridges and other data-link-layer devices are abstracted out. The boundary of our topology is the multicast routing domain, which contains only a single multicast routing protocol. However, the topology may span multiple unicast routing domains or Autonomous Systems (ASs).
The fault model: We distinguish between the terms error and fault. An error is the failure of a protocol to meet its design requirement. For example, duplication in packet delivery is an error for multicast routing. A fault, on the other hand, is a low-level (e.g. physical layer) anomalous behavior that may affect the behavior of the protocol under test, and includes, for example, packet loss or unicast route flapping, among others. Note that a fault may not necessarily be an error for the low-level protocol.
The fault model may include:
- Loss of packets, due to queue congestion (overflow), link failures or packet corruption. We assume that the packets are either delivered correctly or are dropped, i.e. packet corruption is discovered using checksums or other error detection codes.
- Loss of state, such as multicast and/or unicast routing tables, due to failure of the routing protocol, crashes or insufficient memory resources. The duration of this loss varies with the nature of the failure. For example, for glitches the loss may last for portions of a second, whereas for momentary machine crashes the loss may last for minutes.
- Unicast routing anomalies, such as route inconsistencies, oscillations or flapping.
The delay model: Delays in the network may be due to transmission, propagation or queuing delays. We assume that the processing delays are negligible with respect to the time granularity the analysis is addressing. Sometimes delay problems can be translated into sequencing problems, as we will show by example later.
Usually a fault model is defined in conjunction with the robustness criteria for the protocol under study, in our case PIM. A fault model may include a single fault or multiple faults. In our study we adopt a single-fault model, where only a single fault may occur during a scenario or a test sequence. A design requirement for PIM is to be robust to single protocol message loss. We also study the behavior of the protocol in the presence of momentary loss of state.
Test Sequence Definition
Given two sequences $T = e_1 e_2 \dots e_n$, where $e_i$ is an event, and $T' = e_1 e_2 \dots e_k \, f \, e_j \dots e_n$, where $f$ is a fault, let $P(q, T)$ be the sequence of states and stimuli of protocol $P$ under test $T$, starting from the initial state $q$. According to one of the following definitions, $T'$ may be said to be a test sequence if:
(1) $P(q, T) \neq P(q, T')$. This means that the behavior of the system in the presence of the fault is different from that without the fault. Note that this definition may include sequences that, including and excluding the fault, produce the same correct final states but with different transient behavior; or
(2) $\mathit{Final}(P(q, T)) \neq \mathit{Final}(P(q, T'))$, i.e. the stable state after the occurrence of the fault is different for the two outputs. This definition ignores transient behavior but may include sequences that, including and excluding the fault, produce different correct final states; or
(3) $\mathit{Final}(P(q, T'))$ is incorrect, i.e. the stable state reached after the occurrence of the fault does not satisfy the correctness conditions, irrespective of $P(q, T)$. In the case of a fault-free sequence, where $T = T'$, the error is attributed to a protocol design error, whereas when $T \neq T'$ and $\mathit{Final}(P(q, T))$ is correct, the error is manifested by the fault.
Since we are only concerned with the stable (i.e. non-transient) behavior of a protocol, we will only use the second and third definitions for our study.
Test Input Pattern
A test input pattern is defined by a list of host events Ev, a topology T and a fault model F, as shown in the figure below. We define a test input pattern as a tuple $(Ev, T, F)$.
Events: $Ev = \{ev_1, ev_2, \dots, ev_n\}$ is a list of host events (host scenarios or call patterns). Each event $ev_j$ consists of $(action, time)$, where $action$ is the host or node event input, for example join, leave, send packet, etc.
Events may be classified in many different ways, but just to show the extent of this dimension we only mention here triggered, timed and interleaved events.
Footnote: For PIM, being robust to a single message loss implies that transitions causing the protocol to move from one stable state to another must be correct even in the presence of single message loss. For the sake of analyzing erroneous behavior, however, we consider single message loss per test sequence. Test sequences and stable states are described in later sections.
Footnote: The fault may be empty, in which case $T = T'$.
Footnote: Correctness is defined by the protocol specification. See the correctness conditions given later.
[Figure: Test pattern dimensions. Topology: LAN, regular topologies, random. Events: triggered, timed, interleaved. Faults: packet loss, crashes, routing anomalies.]
Topology: $T = (N, L)$ is the routed topology of a set of nodes $N$ and links $L$. $N = \{n_1, n_2, \dots, n_k\}$ is the list of nodes, each running a set of protocols. $L = \{l_1, l_2, \dots, l_m\}$ are the links connecting the nodes (two in the case of a point-to-point link, or more for LANs).
The topology dimension extends to cover LANs, regular topologies (e.g. star, string, ring, tree) and a mix thereof, i.e. random topologies.
Faults: $F$ is the fault model used to inject the fault into the test. According to the single-message loss model, for example, a fault may denote the loss of the second message traversing link $l_i$ of type prune. Knowing the location and the triggering action of the fault is important in analyzing the protocol behavior.
Faults may include packet loss, crashes and routing anomalies, among others.
PIM-DM
As a case study, we apply our automatic test generation method to a version of the Protocol Independent Multicast Dense Mode (PIM-DM) protocol.
PIM-DM uses broadcast-and-prune to establish the multicast distribution tree. In this mode of operation, a multicast packet is broadcast to all leaf subnetworks. Subnetworks with no local members send prune messages towards the sources of the packets to stop further broadcasts.
Routers with new members joining the group trigger Graft messages towards previously pruned sources to re-establish the branches of the delivery tree. Graft messages are acknowledged explicitly at each hop using the GraftAck message.
PIM-DM uses the underlying unicast routing tables to obtain the next-hop information needed for the RPF (reverse-path-forwarding) checks. This may lead to situations where there are multiple forwarders for a LAN. The Assert mechanism resolves these situations and ensures there is at most one forwarder for the LAN.
PIM Protocol Errors: In this study we target protocol design and specification errors. We are interested mainly in erroneous stable (i.e. non-transient) states. We assume that these errors are provided by the protocol designer or specification. A protocol error may manifest itself in one of the following ways:
- black holes: consecutive packet loss between periods of packet delivery;
- packet looping: the same packet traverses the same set of links multiple times;
- packet duplication: multiple copies of the same packet are received by the same receivers;
- join latency: the time taken by a receiver joining the group to start receiving packets destined to the group;
- leave latency: the time taken after a receiver leaves the group to stop the packets from flowing down the branches that no longer lead to receivers.
Some of these manifestations concern the correct delivery of packets, while others (e.g. leave latency) concern efficiency and conservation of network resources.
Correctness Conditions: We assume that correctness conditions are provided by the protocol designer or specification. These conditions are necessary to avoid, during stable (non-transient) states, the above protocol errors in a LAN environment, and are defined in terms of protocol states as opposed to end-point behavior.
1. If one or more of the routers is expecting to receive packets from the link (i.e. having the link as their next-hop), then one other router must be a forwarder for the link. Violation of this condition may lead to data packet loss (e.g. join latency or black holes).
2. The link must have at most one forwarder at a time. Violation of this condition may lead to data packet duplication.
3. The delivery tree must be loop-free:
   (a) Any router should accept packets for (S,G) from one incoming interface only. This condition is enforced by the RPF (Reverse Path Forwarding) check.
   (b) The underlying unicast topology should be loop-free.
   Violation of this condition may lead to data packet looping.
4. If one of the routers is a forwarder for the link, then there must be at least one router expecting packets from the link (i.e. having the link as their next-hop). Violation of this condition may lead to leave latency.
The Protocol Model
As mentioned earlier, by virtue of being deterministic, fault-oriented test generation requires the definition of a protocol model. Formally, we represent the protocol by a finite state machine (FSM) and the LAN by a global FSM model, as follows.
I. FSM model: A deterministic finite state machine modeling the behavior of a router $R_i$ is represented by the machine $M_i = (Q, \Sigma_i, \delta_i)$, where $Q$ is a finite set of state symbols, $\Sigma_i$ is the set of operations causing state transitions, and $\delta_i$ is the state transition function, $Q \times \Sigma_i \rightarrow Q$.
II. Global FSM model: With respect to a particular LAN, the global state is defined as the composition of individual router states with respect to that LAN. The behavior of a LAN with $n$ routers may be described by the global FSM $M_G = (Q_G, \Sigma_G, \delta_G)$, where $Q_G = Q_1 \times Q_2 \times \dots \times Q_n$ is the global state space, $\Sigma_G = \bigcup_{i=1}^{n} \Sigma_i$ is the set of operations causing the transitions, and $\delta_G$ is the global state transition function, $Q_G \times \Sigma_G \rightarrow Q_G$, which is defined componentwise: for global states $\langle u_1, u_2, \dots, u_n \rangle$ and $\langle q_1, q_2, \dots, q_n \rangle$ and a stimulus $x$, $\delta_G$ is given in terms of the individual router transitions $(u_1, q_1, x), \dots, (u_n, q_n, x)$.
Footnote: Some esoteric scenarios of route flapping may lead to multicast loops in spite of RPF checks. Currently our study does not address this issue, as it does not pertain to a localized behavior.
Applying the Method
In this section we investigate fault-oriented automatic test generation. Fault-oriented test generation (FOTG) targets specific faults. Starting from a given fault, FOTG attempts to synthesize minimal topology(ies) that may experience an error and a sequence of events leading to the error.
The faults studied here are single message loss and loss of state.
For single message loss, the algorithm is run for a specific message and is repeated for other protocol messages. For a given message, the algorithm identifies a set of stimuli and states needed to stimulate that message, and the possible states and stimuli elicited by the message. The set of states forms the system state to be inspected, and the system components required to represent these states form a topology that may be vulnerable to error. The protocol model is used to derive this information.
Similarly, for loss of state, the algorithm is repeated for each state. The topology necessary to create the state is constructed, and the initial system state to be inspected is obtained.
Subsequent system states are obtained through a process called forward implication, after the fault is included in the implication rules. Forward implication is the process of inferring subsequent states from a given state. The subsequent stable state is checked for errors.
If an error occurs, an attempt is made to obtain a sequence of events leading from an initial state to the inspected state, if such a state is reachable. Such a process is called backward implication. Details of these algorithms are presented in a later subsection.
The rest of this section is organized as follows. The protocol model is presented and applied to PIM-DM in the following subsections. The fault-oriented analysis of PIM-DM is given after that, and the last subsection concludes our case study.
PIM-DM Model
We represent the protocol as a finite state machine (FSM) and extend it to capture the protocol's LAN environment as a global FSM.
I. FSM model $M_i = (Q_i, \Sigma_i, \delta_i)$: Following is an FSM model of a simplified version of PIM-DM. For a specific source-group pair, we define the states with respect to a specific LAN to which the router $R_i$ is attached. For example, a state may indicate that a router is a forwarder for, or a receiver expecting packets from, the LAN.
A. System States ($Q$): The possible states in which a router in the system may exist are described in the following table.
State symbol | Meaning
$F_i$ | Router $i$ is a forwarder for the LAN
$F_{i,Timer}$ | $i$ is a forwarder with the Timer running
$NF_i$ | Upstream router $i$ is not a forwarder but has an entry
$NH_i$ | Router $i$ has the LAN as its next-hop
$NH_{i,Timer}$ | Same as $NH_i$, with the Timer running
$NC_i$ | Router $i$ has a negative cache entry pointing to the LAN
$EU_i$ | Upstream router $i$ does not have an entry (i.e. is empty)
$ED_i$ | Downstream router $i$ does not have an entry (i.e. is empty)
$M_i$ | Downstream leaf router with no state and an attached member
$NM_i$ | Downstream leaf router with no state and no attached members
The possible states for upstream and downstream routers are as follows: $Q_i = \{F_i, F_{i,Timer}, NF_i, EU_i\}$ if the router is upstream, and $Q_i = \{NH_i, NH_{i,Timer}, NC_i, M_i, NM_i, ED_i\}$ if the router is downstream.
B. Stimuli and Events: The stimuli and system events considered here include transmitting and receiving protocol messages, timer events and external host events. Only events leading to a change of state or stimulation of other events are considered. For example, transmitting messages per se (vs. receiving messages) does not cause any change of state unless it is an acknowledged message (e.g. a Graft), in which case the transmission causes the retransmission timer to be set. Following are the events considered in our study.
- Transmitting messages: Graft transmission ($Graft_{Tx}$).
- Receiving messages: Graft reception ($Graft_{Rcv}$), Join reception ($Join$), Prune reception ($Prune$), Graft Acknowledgement reception ($GAck$), Assert reception ($Assert$) and forwarded packet reception ($FPkt$).
- Timer events: these events occur due to timer expiration ($Exp$) and include the Graft retransmission timer ($Rtx$), the event of its expiration ($RtxExp$), the forwarder-deletion timer ($Del$) and the event of its expiration ($DelExp$). We note here that the expiration event of a timer is implied when the timer is set. This event is referred to as Timer Implication.
- External host events (abbreviated as $Ext$) include a host sending packets ($SPkt$), a host joining a group ($HJoin$ or $HJ$) and a host leaving a group ($Leave$ or $L$).
$\Sigma = \{Join, Prune, Graft_{Tx}, Graft_{Rcv}, GAck, Assert, FPkt, Rtx, Del, SPkt, HJoin, Leave\}$
II. Global FSM model. An example global state for a topology of four routers connected to a LAN, where one router is a forwarder, one router is expecting packets from the LAN and two routers have negative caches, is given by {F, NH, NC, NC}, one component per router.

Transition Table

The global state transition may be represented in several ways. Here we choose a transition table representation that emphasizes the effect of the stimuli on the system and hence facilitates topology synthesis, as will be shown. The transition table describes, for each stimulus or event, the conditions of its occurrence. A condition is given as a stimulus and a state or transition, denoted by stimulus.state/trans, where the transition is given as startState → endState. A precondition for an event is a sufficient condition (see the note below the table) to trigger the event. In contrast, a postcondition for a stimulus is an event and/or transition that is triggered by the stimulus in the absence of faults (e.g. message loss). A (p) indicates a possible transition or stimulus and represents a branching point in the search space. orig, dst and other indicate the origin of the stimulus, its destination, and other routers, respectively. Following is the transition table for the global FSM discussed earlier.
  Stimulus    Preconditions (stimulus.state/trans)               Postconditions (stimulus.state/trans)
  Join        Prune_other . NH_orig                              F_dst,Del → F_dst ; NF_dst → F_dst
  Prune       L . NC ; FPkt . NC                                 F_dst → F_dst,Del ; (p) Join_other
  Graft_Tx    HJ . (NC → NH) ; RtxExp . (NH_Rtx → NH)            Graft_Rcv ; NH → NH_Rtx
  Graft_Rcv   Graft_Tx . (NH → NH_Rtx)                           GAck ; NF_dst → F_dst
  GAck        Graft_Rcv . F                                      NH_dst,Rtx → NH_dst
  Assert      FPkt_other . F_orig ; Assert_other . F_orig        (p) F_other → NF_other ; (p) Assert_other
  FPkt        SPkt . F                                           Prune ; NM → NC ; ED → NH ; M → NH ; EU_other → F_other ; (p) Assert
  Rtx         RtxExp                                             Graft_Tx ; NH_orig,Rtx → NH_orig
  Del         DelExp                                             F_orig,Del → NF_orig
  SPkt        Ext                                                FPkt ; EU_orig → F_orig
  HJoin       Ext                                                NM → M ; Graft_Tx ; NC → NH
  Leave       Ext                                                M → NM ; Prune ; NH → NC ; Prune ; NH_Rtx → NC

Note: the Del timer is referred to as the OifDeletion timer in the PIM specification.

Note: here we use the term "sufficient" loosely. It is actually also necessary to have one precondition, say X, to trigger the stimulus Y, such that X ⇒ Y holds, so that we can construct the backward implication rules. If more than one precondition, say X1 and X2, is specified, we may infer either Y ⇒ X1 or Y ⇒ X2, and this represents a branching point in the backward search.
State Dependency Table

To aid in test sequence synthesis through the backward implication procedure, we construct what we call a state dependency table. This table does not contain additional information about the protocol behavior beyond that given by the transition table, and is inferred automatically therefrom. We use this table to improve the performance of the algorithm and for illustration.

For each state, the dependency table contains the possible preceding states and the stimulus from which the state can be reached or implied. To obtain this information for a state S, we search the postcondition column of the transition table for entries where the endState of a transition is S. In addition, a state may be identified as an initial state (IS). The initial states for this study include {EU, ED, NM}. Based on the above transition table, following is the resulting state dependency table.

  State       Possible backward implications (stimulus.precedingState)
  F_i         FPkt_other.EU_i ; Join.F_i,Del ; Join.NF_i ; Graft_Rcv.NF_i ; SPkt.EU_i
  F_i,Del     Prune.F_i
  NF_i        Del.F_i,Del ; Assert.F_i
  NH_i        Rtx.NH_i,Rtx ; GAck.NH_i,Rtx ; HJ.NC_i ; FPkt.M_i ; FPkt.ED_i
  NH_i,Rtx    Graft_Tx.NH_i
  NC_i        FPkt.NM_i ; L.NH_i,Rtx ; L.NH_i
  EU_i        IS
  ED_i        IS
  M_i         HJ.NM_i
  NM_i        L.M_i ; IS
Defining stable states

As mentioned earlier, we are concerned with stable-state (i.e. non-transient) behavior. To establish the erroneous stable states we need to define the transition mechanisms between such states, and so we introduce the concepts of transition classification and completion to distinguish between transient and stable states.

Classification of Transitions. We identify two types of transitions: externally triggered (ET) and internally triggered (IT) transitions. The first type is stimulated by actions external to the system (e.g. HJoin or Leave), whereas the second type is stimulated by actions internal to the system (e.g. FPkt or Graft). We note that some transitions may be triggered by both internal and external actions, depending on the scenario. For example, a Prune may be triggered by forwarding of packets by an upstream router (FPkt), which is an internal action, or by a Leave, which is an external event.

The global state is checked for correctness only at the end of an externally triggered transition and after completing all its dependent internally triggered transitions.

Following is a table of host events, their dependent ET events, and their dependent IT events.

  Host events   SPkt                  HJoin    Leave
  ET events     FPkt                  Graft    Prune
  IT events     Assert, Prune, Join   GAck     Join

Transition Completion. To check for global system correctness, all stimulated internal transitions should be completed to bring the system into a stable state. Intermediate transient states should not be checked for correctness, since they may violate the correctness conditions set forth for stable states and hence may give a false error indication.

The process of identifying complete transitions depends on the nature of the protocol. But in general we may identify a complete transition sequence as the sequence of all transitions triggered by a single external stimulus (e.g. HJoin or Leave). Therefore we should be able to identify a transition based upon its stimuli, either external or internal.

At the end of each complete transition sequence the system exists in either a correct or an erroneous stable state. Action-triggered timers (e.g. Del, Rtx) fire at the end of a complete transition, satisfying the Timer Implication.

Also, according to the above completion concept, the proper analysis of behavior should start from externally triggered transitions. For example, analysis should not consider a Join without considering the Prune triggering it and its effects on the system. Thus the global system state must be rolled back to the beginning of a complete transition (i.e. the previous stable state) before applying the forward implication. This will be implied in the forward implication algorithm discussed later, to simplify the discussion.
FOTG details

As previously mentioned, our FOTG approach consists of three phases: (I) synthesis of the global state to inspect, (II) forward implication, and (III) backward implication. These phases are explained in more detail in this section. FOTG starts from a given fault. The faults we address here are message loss and state loss.

Synthesizing the Global State

Starting from a message (i.e. the message or state to be lost) and using the information in the protocol model (i.e. the transition table), a global state is chosen for investigation. We refer to this state as the global state inspected (G_I), and it is obtained for message loss as follows:

1. The global state is initially empty, and the inspected message is initially set to the message to be lost.
2. For the inspected message, the state (or the startState of the transition) of the postcondition is obtained from the transition table. If the state does not exist in the global state and cannot be implied therefrom, then it is added to the global state.
3. For the inspected message, the state (or the endState of the transition) of the precondition is obtained. If the state does not exist in the global state and cannot be implied therefrom, then it is added to the global state.
4. Get the stimulus of the precondition of the inspected message. If this stimulus is not external (Ext), then set the inspected message to the stimulus and go back to step 2.

At the end of this stage the global state to be investigated is obtained. Note that although in many cases the topology will be constructed during this first phase of obtaining G_I, the topology may still be expanded during the forward/backward implication phases.

For state loss, the state dependency table is used to determine the message required to create the state, and the topology constructed for that message is used for the state. This is illustrated in the section on loss of state below.

Forward Implication

The states following G_I (i.e. G_I+i, i = 1, 2, ...) are obtained through forward implication. We simply apply the transitions starting from G_I as given by the transition table, in addition to implied transitions such as timer implication. In case of a message loss, the transition due to the lost message is not applied. If more than one state is affected by the message, then the space searched is expanded to include the various selective loss scenarios for the affected routers.

Backward Implication

If an error occurs, backward implication attempts to obtain a sequence of events leading to G_I from an initial state (IS), if such a sequence exists, i.e. if G_I is reachable from IS. The state dependency table is used in the backward search. For each component in the global state G_I, backward steps are taken until an initial global state (i.e. a state with all components as IS) is reached. For each backward step a forward step is taken to verify that interaction between components does not lead to a state different from that from which the backward step was taken. This may be optimized if we are certain that such interaction will not occur; we do not, however, discuss such optimization here and consider it part of our future work. A termination condition, such as a maximum number of states investigated, may be used to terminate the algorithm; the details of such a condition are irrelevant in this context.

The figure below shows the above processes for a simple example.

Fault-oriented Analysis for PIM-DM

In this section we discuss the results of applying our method to PIM-DM. The analysis is conducted for single message loss and momentary loss of state.
[Figure: Simple example of topology synthesis, forward implication and backward implication for Join. The transition-table rows used are:

  Stimulus   Preconditions          Postconditions
  Join_i     Prune_j . NH_i         NF_k → F_k
  Prune_j    Leave_j . NC_j         (F_k → NF_k) . (p) Join_i
  Leave_j    External               (NH_j → NC_j) . Prune_j

Synthesized global state G_I = {NC_j, NH_i, NF_k}. Forward implication: with no loss, G_I+ = {NC_j, NH_i, F_k}; with loss of the Join, G_I+ = {NC_j, NH_i, NF_k}, an error state. Backward implication: G_I- = {NC_j, NH_i, F_k} is reached from G_I via Prune_j, and the search continues toward an initial state. Constructed topology: routers NF_k, NH_i and NC_j attached to one LAN.]
Single message loss

We have studied single message loss scenarios for the Join, Prune, Assert and Graft messages. For brevity we partially discuss our results here. For this subsection we consider non-interleaving external events, where the system is stimulated only once between stable states. The Graft message is particularly interesting since it is acknowledged, and it raises timing and sequencing issues that we address in a later subsection, where we extend our method to consider interleaving of external events.

For each of the following analyzed messages we present the steps for topology synthesis, forward implication and backward implication.

Join. Following are the resulting steps for Join loss.

Join Loss: Synthesizing the Global State
- Set the inspected message to Join.
- The startState of the postcondition is F_dst,Del: G_I = {F_j,Del}.
- The state of the precondition is NH_i: G_I = {NH_i, F_j,Del}.
- The stimulus of the precondition is Prune. Set the inspected message to Prune.
- The startState of the postcondition is F_j, which can be implied from F_j,Del in G_I.
- The state of the precondition is NC_k: G_I = {NH_i, F_j,Del, NC_k}.
- The stimulus of the precondition is L. Set the inspected message to L.
- The startState of the postcondition is NH, which can be implied from NC in G_I.
- The state of the precondition is Ext (an external event).

Forward implication
- Without loss: G_I = {NH_i, F_j,Del, NC_k} --Join--> G_I+1 = {NH_i, F_j, NC_k}, a correct state.
- With loss (with respect to the affected router, i.e. R_j): {NH_i, F_j,Del, NC_k} --Del--> G_I+1 = {NH_i, NF_j, NC_k}, an error state.

Backward implication
G_I = {NH_i, F_j,Del, NC_k} <--Prune-- G_I-1 = {NH_i, F_j, NC_k} <--FPkt-- G_I-2 = {M_i, F_j, NM_k} <--SPkt-- G_I-3 = {M_i, EU_j, NM_k} <--HJ_i-- G_I-4 = {NM_i, EU_j, NM_k}, which is an initial state (IS).

Losing the Join at the forwarding router R_j leads to an error state where router R_i is expecting packets from the LAN but the LAN has no forwarder.
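Backward implication as a search over the state dependency table, as an added example that is not the paper's code: a Python breadth-first search from G_I = {NH_i, F_j,Del, NC_k} back to an initial global state. It generalizes the single path above: a backward step picks one stimulus and moves each router to a preceding state listed for that stimulus, or leaves it untouched, so all such sequences are explored up to a depth bound (the termination condition the paper mentions). The per-router "moves or stays" rule, the depth bound and the router names are this example's assumptions; the forward consistency check the paper performs at each backward step is not included. Run on the Join case it returns a shorter sequence than the one above, because the table also permits a non-leaf downstream router (ED) and a forwarder created by packets forwarded from another upstream router (FPkt_other.EU); the paper's four-step sequence lies in the same search space.

```python
"""Backward implication over the state dependency table (added example).

DEPENDENCY is the paper's state dependency table: for each per-router
state, the (stimulus, preceding state) pairs that produce it, with IS
marking an initial state.  A backward step picks one stimulus and moves
every router either to a predecessor listed under that stimulus or leaves
it in place (assumed: a router the stimulus did not touch), with at least
one router moving.  BFS from G_I returns the shortest stimulus sequence
that ends in a global state whose every component is initial, or None if
none is found within `max_depth` steps (the paper's termination condition).
"""
from collections import deque
from itertools import product

IS = "IS"
DEPENDENCY = {
    "F":      [("FPkt", "EU"), ("Join", "F_Del"), ("Join", "NF"),
               ("Graft_Rcv", "NF"), ("SPkt", "EU")],
    "F_Del":  [("Prune", "F")],
    "NF":     [("Del", "F_Del"), ("Assert", "F")],
    "NH":     [("Rtx", "NH_Rtx"), ("GAck", "NH_Rtx"), ("HJ", "NC"),
               ("FPkt", "M"), ("FPkt", "ED")],
    "NH_Rtx": [("Graft_Tx", "NH")],
    "NC":     [("FPkt", "NM"), ("L", "NH_Rtx"), ("L", "NH")],
    "EU":     [IS],
    "ED":     [IS],
    "M":      [("HJ", "NM")],
    "NM":     [("L", "M"), IS],
}
STIMULI = sorted({e[0] for rows in DEPENDENCY.values() for e in rows if e != IS})


def is_initial(gs):
    """True when every router of the global state is in an initial state."""
    return all(IS in DEPENDENCY[s] for s in gs.values())


def predecessors(state, stimulus):
    """Per-router states from which `stimulus` leads to `state`."""
    return [e[1] for e in DEPENDENCY[state] if e != IS and e[0] == stimulus]


def backward_steps(gs, stimulus):
    """Yield every global state one `stimulus` earlier than `gs`."""
    routers = sorted(gs)
    options = [[gs[r]] + predecessors(gs[r], stimulus) for r in routers]
    for choice in product(*options):
        if any(c != gs[r] for c, r in zip(choice, routers)):  # someone moved
            yield dict(zip(routers, choice))


def backward_implication(g_i, max_depth=8):
    """Return [(state, stimulus), ...] in chronological order, starting at
    an initial global state and ending one stimulus before `g_i`."""
    start = tuple(sorted(g_i.items()))
    queue, seen = deque([(start, [])]), {start}
    while queue:
        key, path = queue.popleft()
        gs = dict(key)
        if is_initial(gs):
            return [(state, stim) for stim, state in reversed(path)]
        if len(path) >= max_depth:
            continue
        for stimulus in STIMULI:
            for prev in backward_steps(gs, stimulus):
                k = tuple(sorted(prev.items()))
                if k not in seen:
                    seen.add(k)
                    queue.append((k, path + [(stimulus, prev)]))
    return None


if __name__ == "__main__":
    for state, stim in backward_implication({"i": "NH", "j": "F_Del", "k": "NC"}):
        print(state, "--%s-->" % stim)
```

For the Join case the search returns two steps: {ED_i, EU_j, NM_k} --FPkt--> {NH_i, F_j, NC_k} --Prune--> G_I. Raising the branching (more routers, or allowing the stay option to be dropped) is where the paper's forward consistency check and termination bound become necessary.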
Assert. Following are the resulting steps for the Assert loss.

[Figure: A topology having a {F_i, F_j, ..., F_k} LAN: a source is attached to a LAN on which routers F_i, F_j, ..., F_k are all forwarders.]

Assert Loss: Synthesizing the Global State
- Set the inspected message to Assert.
- The startState of the postcondition is F_j: G_I = {F_j}.
- The state of the precondition is F_i: G_I = {F_i, F_j}.
- The stimulus of the precondition is FPkt_j. Set the inspected message to FPkt_j.
- The startState of the postcondition is EU_i, which can be implied from F_i in G_I.
- The state of the precondition is F_j, already in G_I.
- The stimulus of the precondition is SPkt_j. Set the inspected message to SPkt_j.
- The startState of the postcondition is EU_j (SPkt: EU_orig → F_orig in the transition table), which can be implied from F_j in G_I.
- The stimulus of the precondition is Ext (an external event).

Forward Implication
G_I = {F_i, F_j} --Assert_i--> G_I+1 = {F_i, NF_j}, an error state.

Backward Implication
G_I = {F_i, F_j} <--FPkt_j-- G_I-1 = {EU_i, F_j} <--SPkt_j-- G_I-2 = {EU_i, EU_j}, which is an initial state (IS).

The error in the Assert case occurs even in the absence of message loss. This error occurs due to the absence of a prune to stop the flow of packets to a LAN with no downstream receivers. This problem occurs for topologies with G_I = {F_i, F_j, ..., F_k} such as that shown in the figure above.
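The forward implication phase and the stable-state check it ends with, as an added example that is not the paper's code: a small Python model of the simplified PIM-DM LAN FSM driven by the transition table's postconditions, applied to the Join-loss case and to the Assert case above. The correctness predicate (some router expects packets from the LAN iff exactly one router forwards onto it), the lower-id-wins Assert tiebreak and the router names are assumptions of this example rather than the paper's; Graft and GAck handling is left out.

```python
"""Forward implication over the simplified PIM-DM LAN model (added example).

Per-router states use the paper's symbols (F, F_Del, NF, NH, NH_Rtx, NC,
EU, ED, M, NM); a global state is a dict {router: state}.  Each stimulus is
applied through its postconditions from the transition table.  A
(stimulus, dst) pair listed in `lost` is not applied at dst (selective
loss).  Internally triggered stimuli (FPkt -> Prune, FPkt -> Assert,
Prune -> Join, Leave -> Prune) are queued until the complete transition
sequence ends; timer implication then fires the deletion timer (F_Del -> NF).
"""
from collections import deque

RECEIVING = {"NH", "NH_Rtx"}   # downstream states expecting packets from the LAN
FORWARDING = {"F", "F_Del"}    # upstream states forwarding onto the LAN


def is_correct(gs):
    """Assumed stable-state predicate, consistent with the paper's two error
    descriptions: someone expects packets iff the LAN has exactly one forwarder."""
    receivers = any(s in RECEIVING for s in gs.values())
    forwarders = sum(s in FORWARDING for s in gs.values())
    return forwarders == 1 if receivers else forwarders == 0


def forward_implication(gs, stimuli, lost=()):
    """Apply `stimuli`, a list of (name, orig, dst), to a copy of `gs` and
    return the stable global state reached after timer implication."""
    gs = dict(gs)
    queue = deque(stimuli)
    while queue:
        name, orig, dst = queue.popleft()
        if (name, dst) in lost:
            continue                                  # message lost at dst
        if name == "Join":                            # F_dst,Del -> F_dst ; NF_dst -> F_dst
            if gs[dst] in ("F_Del", "NF"):
                gs[dst] = "F"
        elif name == "Prune":                         # F_dst -> F_dst,Del ; (p) Join_other
            if gs[dst] == "F":
                gs[dst] = "F_Del"
            for r, s in gs.items():                   # other receivers override the prune
                if r != orig and s in RECEIVING:
                    queue.append(("Join", r, dst))
        elif name == "SPkt":                          # EU_orig -> F_orig ; FPkt
            if gs[orig] == "EU":
                gs[orig] = "F"
            queue.append(("FPkt", orig, None))
        elif name == "FPkt":                          # packets forwarded by orig reach the others
            for r, s in list(gs.items()):
                if r == orig:
                    continue
                if s == "NM":                         # NM -> NC ; Prune
                    gs[r] = "NC"
                    queue.append(("Prune", r, orig))
                elif s in ("ED", "M"):                # ED -> NH ; M -> NH
                    gs[r] = "NH"
                elif s == "EU":                       # EU_other -> F_other
                    gs[r] = "F"
                elif s in FORWARDING:                 # second forwarder: (p) Assert
                    queue.append(("Assert", r, orig))
        elif name == "Assert":                        # (p) F_other -> NF_other
            loser = max(orig, dst)                    # assumed tiebreak: lower router id wins
            if gs[loser] in FORWARDING:
                gs[loser] = "NF"
        elif name == "Leave":                         # M -> NM ; NH -> NC ; Prune
            if gs[orig] == "M":
                gs[orig] = "NM"
            elif gs[orig] in RECEIVING:
                gs[orig] = "NC"
                for r, s in gs.items():
                    if s in FORWARDING:
                        queue.append(("Prune", orig, r))
    for r, s in list(gs.items()):                     # timer implication: Del expires
        if s == "F_Del":
            gs[r] = "NF"
    return gs


def join_loss_case():
    """G_I = {NH_i, F_j,Del, NC_k}: i's Join cancels j's deletion timer unless lost at j."""
    g_i = {"i": "NH", "j": "F_Del", "k": "NC"}
    join = [("Join", "i", "j")]
    no_loss = forward_implication(g_i, join)
    loss = forward_implication(g_i, join, lost={("Join", "j")})
    return {"no_loss": no_loss, "no_loss_ok": is_correct(no_loss),
            "loss": loss, "loss_ok": is_correct(loss)}


def assert_case():
    """G_I = {F_i, F_j}: j's next forwarded packet triggers an Assert, j loses,
    and a forwarder remains with no receiver; no message loss is needed."""
    result = forward_implication({"i": "F", "j": "F"}, [("FPkt", "j", None)])
    return result, is_correct(result)


def leave_then_join_loss():
    """The same Join fault reached from a stable state: k leaves, its Prune
    starts j's deletion timer, and i's Join overrides it unless lost."""
    stable = {"i": "NH", "j": "F", "k": "NH"}
    seq = [("Leave", "k", None)]
    return (forward_implication(stable, seq),
            forward_implication(stable, seq, lost={("Join", "j")}))


if __name__ == "__main__":
    print(join_loss_case())
    print(assert_case())
    print(leave_then_join_loss())
```

The Join case reproduces the paper's two outcomes ({NH_i, F_j, NC_k} correct, {NH_i, NF_j, NC_k} erroneous), and the Assert case reproduces the {F_i, NF_j} error with no loss injected; `leave_then_join_loss` shows the same fault driven from the previous stable state through the external Leave, which is the rollback the completion rule asks for.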
Graft. Following are the resulting steps for the Graft loss.

Graft Loss: Synthesizing the Global State
- Set the inspected message to Graft_Rcv.
- The startState of the postcondition is NF: G_I = {NF}.
- The endState of the precondition is NH_Rtx: G_I = {NF, NH_Rtx}.
- The stimulus of the precondition is Graft_Tx.
- The startState of the postcondition is NH, which may be implied from NH_Rtx in G_I.
- The endState of the precondition is NH, which may be implied.
- The stimulus of the precondition is HJ, which is Ext (i.e. external).

Forward Implication
- Without loss: G_I = {NH, NF} --Graft_Tx--> {NH_Rtx, NF} --Graft_Rcv--> {NH_Rtx, F} --GAck--> {NH, F}, a correct state.
- With loss of the Graft (i.e. the Graft_Rcv does not take effect): G_I = {NH, NF} --Graft_Tx--> {NH_Rtx, NF} --Timer Implication--> {NH, NF} --Graft_Tx--> {NH_Rtx, NF} --Graft_Rcv--> {NH_Rtx, F} --GAck--> {NH, F}, a correct state.

We did not reach an error state when the Graft was lost with non-interleaving external events.
Interleaving events and Sequencing

A Graft message is acknowledged by the Graft-Ack (GAck) message and is inherently robust to message loss according to the completion and timer implication conditions, given that no other external adverse events interrupt these conditions.

[Figure: Graft event sequencing between an upstream router A and a downstream router B. (I) No loss: B sends a Graft and A replies with a GAck. (II) Loss of Graft: B's Graft is lost, the retransmission timer expires, B resends the Graft and A replies with a GAck. (III) Loss of Graft and interleaved Prune: the messages exchanged are Graft, Prune, Graft and GAck, at time points t1 through t6.]

To examine the vulnerability of acknowledged messages, we try to interleave adversary external conditions during the transient states in which the system exists, before the completion of the acknowledged message phase. To achieve this, we clear the retransmission timer such that the adverse event will not be overridden by the retransmission mechanism.

To clear the retransmission timer we should create a transition from NH_Rtx to NH, which is triggered by a GAck according to the state dependency table (NH ← GAck.NH_Rtx). We then insert this transition in the event sequence.

Forward Implication
G_I = {NH, NF} --Graft_Tx--> {NH_Rtx, NF} --GAck--> {NH, NF}, an error state.

Backward Implication
Using backward implication we can construct a sequence of events leading to conditions sufficient to trigger the GAck. From the transition table these conditions are {NH_Rtx, F}:
G_I = {NH, NF} <--HJ-- {NC, NF} <--Del-- {NC, F_Del} <--Prune-- {NC, F} <--L-- {NH_Rtx, F}.

To generate the GAck we continue the backward implication and attempt to reach an initial state:
{NH_Rtx, F} <--Graft_Rcv-- {NH_Rtx, NF} <--Graft_Tx-- {NH, NF} <--HJ-- {NC, NF} <--Del-- {NC, F_Del} <--Prune-- {NC, F} <--FPkt-- {NM, F} <--SPkt-- {NM, EU}, which is an initial state (IS).

The overall sequence of events is illustrated in the figure above. In the first and second scenarios (I and II) no error occurs, as the retransmission timer takes care of the single Graft loss. However, in the third scenario (III), when a Graft followed by a Prune is interleaved with the Graft loss, the retransmission timer is reset upon receipt of the GAck for the first Graft, and the system ends up in an error state.
Loss of State

We consider momentary loss of state at a router on the LAN. A Crash stimulus transfers any state X into EU (X --Crash--> EU) for an upstream router, or into ED (X --Crash--> ED) for a downstream router. Hence we add the following line to the transition table:

  Stimulus   Preconditions (stimulus.state/trans)   Postconditions (stimulus.state/trans)
  Crash      Ext                                    NM, M, NH, NC, NH_Rtx → ED ; F, F_Del, NF → EU

(We do not show all branching or backtracking steps, for simplicity.)

Since a Crash can occur at any point in time, the transition table must be completed to specify the action taken, if any, for an empty state upon receiving any message. For momentary loss of state, the FSM resumes function immediately after the transition to the empty state, i.e. further transitions are not affected by the crash.

To study the effect of this type of crash on the protocol, we analyze the behavior when the crash occurs in any router state. For every state, a topology is synthesized that is necessary to create that state. We leverage the topologies previously synthesized for the messages. For example, state F_Del may be created from state F by receiving a Prune (see the dependency table entry for F_Del: Prune.F). Hence we may use the topologies constructed for Prune loss to analyze a crash in the F_Del state.

Forward implication is then applied along with the crash. The behavior of the system after the crash is inspected to see if packet delivery is affected. To achieve this, host stimuli (i.e. SPkt, HJ and L) are applied to the routers, and then the system state is checked for correctness.

In many of the cases studied the system recovered from the crash, i.e. the system state was eventually correct. An example of a recovery process is given in the figure below. The recovery is mainly due to the nature of PIM-DM, where protocol states may be created from the empty state upon the reception of data packets. This result is not likely to extend to multicast routing protocols of other natures, such as PIM Sparse-Mode.

[Figure: System recovering from a crash. Three panels (I) to (III) of a LAN whose upstream router is in state F; the downstream router states shown are NH, NH_Rtx, ED, M, NM and NC, and the events shown are Crash in (I), HJ and SPkt in (II), and L, SPkt and Prune in (III).]

However, in other cases the system did not recover; we discuss some of these cases briefly here. The first scenario is given in the figure below, where the host joining in (II.a) does not have sufficient state to send a Graft, and hence experiences join latency until the negative cache state times out upstream and packets are forwarded onto the LAN, as in (II.b).

[Figure: Crash leading to join latency. Panels (I) to (III), with (II) split into (a) and (b); upstream routers are in states NF and F, downstream router states shown are NH, ED, M, NM and NC, and the events shown are Crash in (I), HJ, SPkt and FPkt in (II), and L, SPkt and Prune in (III).]

The scenario in the next figure, panel (II.a), shows the downstream router blackholed due to the crash of the upstream router. The state is not corrected until the periodic broadcast takes place and packets are forwarded onto the LAN, as in (II.b).

[Figure: Crash leading to blackholes. Panels (I) to (III), with (II) split into (a) and (b); the upstream router moves through F, EU and NF (Crash into EU in (I)), downstream router states shown are NH_Rtx, NH and NC, and the events shown are Graft_Tx, Graft_Rcv and GAck in (I), SPkt in (II), and L and Prune in (III).]
Case Study Conclusion

Even with the simple study presented above, we were able to drive a protocol which has been deployed in parts of the Internet for over two years into error states by considering scenarios of single packet loss or crashes. We were also able to construct erroneous scenarios for acknowledged messages such as Graft and analyze the cause of the error. Automation was needed throughout this process to tackle the complexity of protocol behavior and robustness analysis.

We believe that the strength of our fault-oriented method, as was demonstrated, lies in its ability to construct the necessary conditions for erroneous behavior by starting directly from the fault and avoiding the exhaustive walk of the state space. Also, converting timing problems into sequencing problems, as was shown for the Graft analysis, reduces the complexity required to study timers.

Since network dynamics and failures strongly affect protocol behavior, as we have shown, we think that robustness studies should be integrated with protocol design and not just considered as an afterthought.

Although we have not presented a complete list of our findings, we are encouraged by the cases presented in this paper to pursue our research in applying our method to other multicast protocols and applications.

Summary and Future Work

We have presented a new method for automating the testing and analysis of multicast routing protocol robustness. Our approach attempts to provide a practical tool for studying real Internet multicast protocols in the presence of network failures and packet loss.

We do not claim nor attempt to provide mathematical proof of protocol correctness or verification. Rather, we have targeted protocol robustness and endeavored to systematize its testing and analysis for a particular domain: multicast routing. Mathematical treatment of the formalism, its completeness or its complexity is out of scope of this paper and belongs in other work we plan to publish. This paper presents the basic algorithmic principles and demonstrates the utility of the method in real Internet protocol design.

Drawing from well-established chip testing techniques and FSM modeling, our method synthesizes the protocol tests automatically. These tests consist of the topology, event sequences and network faults. The following techniques were used to automate each of the test dimensions:

- Topology synthesis: we have used a model for LAN topology with N routers, where N is variable. Using the state transition table, our method synthesizes topologies necessary to generate protocol messages or states. The global state of the system to be inspected is obtained, to be analyzed in later stages.
- Fault investigation: starting from the state of the system to be inspected, a forward implication technique is used to test the behavior of the system in the presence of faults. Faults investigated in this study include selective single message loss and momentary loss of state.
- Sequence of events: if an error is found, a backward implication technique establishes a sequence of events leading to the erroneous state, if it is reachable from an initial state. This sequence is used to analyze the protocol behavior leading to the error, and may be used to drive more detailed simulations and tests.
- Timing problems: during the process of message loss analysis we have presented an example of transforming a timing problem into a sequencing problem to analyze acknowledged messages.

The analysis was presented in the context of a case study for PIM-DM. We found several scenarios of single packet loss and crashes in which the protocol behaved erroneously. We were able to construct a scenario of interleaving events that leads an acknowledged message mechanism into error in the presence of single message loss.

Our method may also be applicable to other protocols that can be represented by the global FSM model given in this paper.

Future directions of this research include applying the FOTG method to other multicast routing protocols, such as PIM-SM and BGMP, to analyze their robustness. We will also investigate extending the method to apply to topologies containing multiple LANs and to include other network failures, such as unicast routing oscillations and flapping.

Another rich area is to use the FOTG method to analyze the performance of end-to-end multicast protocols, such as multicast transport protocols and multicast applications, in a more systematic fashion. A logical network model may be used where the multicast distribution tree is modeled by delay and loss matrices. This model may then be integrated with the global FSM model presented in this paper and analyzed using a discrete event simulator.
References

V. Paxson, "End-to-End Routing Behavior in the Internet," IEEE/ACM Transactions on Networking. An earlier version appeared in Proc. ACM SIGCOMM, Stanford, CA, October.
V. Paxson, "End-to-End Internet Packet Dynamics," ACM SIGCOMM, September.
A. Helmy and D. Estrin, "Simulation-based STRESS Testing Case Study: A Multicast Routing Protocol," Sixth International Symposium on Modeling, Analysis and Simulation of Computer and Telecommunication Systems (MASCOTS), July.
D. Estrin, D. Farinacci, A. Helmy, V. Jacobson, and L. Wei, "Protocol Independent Multicast Dense Mode (PIM-DM): Protocol Specification," Proposed Experimental RFC, September.
D. Waitzman, S. Deering, and C. Partridge, "Distance Vector Multicast Routing Protocol," RFC, November.
J. Moy, "Multicast Extension to OSPF," Internet Draft, September.
A. J. Ballardie, P. F. Francis, and J. Crowcroft, "Core Based Trees," in Proceedings of the ACM SIGCOMM, San Francisco.
D. Estrin, D. Farinacci, A. Helmy, D. Thaler, S. Deering, M. Handley, V. Jacobson, C. Liu, P. Sharma, and L. Wei, "Protocol Independent Multicast Sparse Mode (PIM-SM): Motivation and Architecture," Proposed Experimental RFC, October.
S. Floyd, V. Jacobson, C. Liu, S. McCanne, and L. Zhang, "A Reliable Multicast Framework for Light-weight Sessions and Application Level Framing," IEEE/ACM Transactions on Networking, November.
H. Schulzrinne, S. Casner, R. Frederick, and V. Jacobson, "RTP: A Transport Protocol for Real-Time Applications," RFC, January.
S. McCanne, "A Distributed Whiteboard for Network Conferencing," UC Berkeley Computer Science project, May.
V. Jacobson and S. McCanne, "vat: LBNL Audio Conferencing Tool."
S. McCanne and V. Jacobson, "vic: A Flexible Framework for Packet Video," ACM Multimedia, November.
M. Handley, "NTE: The UCL Network Text Editor."
M. Handley, "The sdr Session Directory: An Mbone Conference Scheduling and Booking System."
K. Saleh, I. Ahmed, K. Al-Saqabi, and A. Agarwal, "A recovery approach to the design of stabilizing communication protocols," Journal of Computer Communication, April.
E. Clarke and J. Wing, "Formal Methods: State of the Art and Future Directions," ACM Workshop on Strategic Directions in Computing Research, December.
A. Helmy, "A Survey on Kernel Specification and Verification," Technical Report of the Computer Science Department, University of Southern California.
J. Spivey, Understanding Z: A Specification Language and its Formal Semantics, Cambridge University Press.
C. Jones, Systematic Software Development using VDM, Prentice-Hall International.
R. Boyer and J. Moore, A Computational Logic Handbook, Academic Press, Boston.
S. Owre, J. Rushby, N. Shankar, and F. von Henke, "Formal verification for fault-tolerant architectures: Prolegomena to the design of PVS," IEEE Transactions on Software Engineering, February.
M. Smith, "Formal Verification of Communication Protocols," FORTE/PSTV Conference, October.
F. Lin, P. Chu, and M. Liu, "Protocol Verification using Reachability Analysis," Computer Communication Review.
F. Lin, P. Chu, and M. Liu, "Protocol Verification using Reachability Analysis: the state explosion problem and relief strategies," Proceedings of the ACM SIGCOMM.
D. Probst, "Using partial-order semantics to avoid the state explosion problem in asynchronous systems," Proc. 2nd Workshop on Computer-Aided Verification, Springer-Verlag, New York.
P. Godefroid, "Using partial orders to improve automatic verification methods," Proc. 2nd Workshop on Computer-Aided Verification, Springer-Verlag, New York.
N. Maxemchuk and K. Sabnani, "Probabilistic verification of communication protocols," Proc. IFIP WG International Workshop on Protocol Specification, Testing and Verification, North-Holland, Amsterdam.
C. West, "Protocol Validation by Random State Exploration," Proc. IFIP WG International Workshop on Protocol Specification, Testing and Verification, North-Holland, Amsterdam.
J. Pageot and C. Jard, "Experience in guiding simulation," Proc. VIIIth Workshop on Protocol Specification, Testing and Verification, Atlantic City, North-Holland, Amsterdam.
F. Pong and M. Dubois, "Verification Techniques for Cache Coherence Protocols," ACM Computing Surveys, March.
M. Abramovici, M. Breuer, and A. Friedman, Digital Systems Testing and Testable Design, AT&T Labs.
D. Estrin, D. Farinacci, A. Helmy, D. Thaler, S. Deering, M. Handley, V. Jacobson, C. Liu, P. Sharma, and L. Wei, "Protocol Independent Multicast Sparse Mode (PIM-SM): Protocol Specification," RFC, March.
Ahmed Helmy, Deborah Estrin, and Sandeep Gupta. "Fault-oriented test generation for multicast routing." Computer Science Technical Reports (Los Angeles, California, USA: University of Southern California. Department of Computer Science) no. 673 (1998).