Abstract
We show how to use an interactive theorem prover, HOL, together with a model checker, SPIN, to prove key properties of distance vector routing protocols. We do three case studies: correctness of the RIP standard, a sharp real-time bound on RIP stability, and preservation of loop-freedom in AODV, a distance vector protocol for wireless networks. We develop verification techniques suited to routing protocols generally. These case studies show significant benefits from automated support: a reduced verification workload, and help in finding new insights into, and gaps in, the standard specifications.
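As an added, constructed illustration of the loop-freedom property named in the abstract (not the paper's HOL or SPIN models): a small explicit-state search, in the spirit of what a model checker does, over every interleaving of route advertisements on a four-node chain after a single link failure. It compares a RIP-style update rule, which adopts any better metric and whatever the current next hop reports, with an AODV-style rule that keys acceptance on destination sequence numbers. The topology, the one-failure scenario, the "infinity" bound of 16 and the simplified update rules are assumptions of this example, not details taken from the paper.

```python
"""Explicit-state check of loop-freedom for two distance-vector update
rules on a 4-node chain. Constructed illustration for this page, not the
paper's HOL or SPIN models; topology, failure scenario and rules are
simplifications chosen here."""
from collections import deque

INF = 16    # RIP's "infinity" metric; used as the invalid marker for both rules
DEST = 0    # destination is node 0; the chain is 0 - 1 - 2 - 3

def initial_state(n):
    """Converged chain: node i reaches DEST via i-1 with i hops, seq 1."""
    routes = tuple((max(i - 1, 0), i, 1) for i in range(n))
    links = frozenset(frozenset((i, i + 1)) for i in range(n - 1))
    return routes, links

def rip_update(entry, sender, adv_hops, adv_seq):
    """RFC 1058-style rule without split horizon: adopt a strictly better
    metric, and always adopt whatever the current next hop advertises."""
    nh, hops, seq = entry
    new_hops = min(adv_hops + 1, INF)
    if new_hops < hops or (nh == sender and new_hops != hops):
        return (sender, new_hops, seq)
    return entry

def aodv_update(entry, sender, adv_hops, adv_seq):
    """Sequence-number rule: adopt a fresher route, or an equally fresh but
    strictly shorter one. Stale advertisements (older seq) are rejected."""
    nh, hops, seq = entry
    new_hops = min(adv_hops + 1, INF)
    if adv_seq > seq or (adv_seq == seq and new_hops < hops):
        return (sender, new_hops, adv_seq)
    return entry

def successors(state, update, seq_bump):
    """All next states: the 0-1 link failing (once), plus every advertisement."""
    routes, links = state
    out = []
    broken = frozenset((0, 1))
    if broken in links:                      # node 1 detects the break
        nh, hops, seq = routes[1]
        r = list(routes)
        r[1] = (nh, INF, seq + 1 if seq_bump else seq)
        out.append((tuple(r), links - {broken}))
    for link in links:
        for u, v in ((min(link), max(link)), (max(link), min(link))):
            if v == DEST:
                continue                     # destination never updates itself
            _, h, s = routes[u]
            new_entry = update(routes[v], u, h, s)
            if new_entry != routes[v]:
                r = list(routes)
                r[v] = new_entry
                out.append((tuple(r), links))
    return out

def has_loop(routes):
    """Invariant: following next hops from any node reaches DEST or an invalid route."""
    for start in range(len(routes)):
        seen, cur = set(), start
        while cur != DEST and routes[cur][1] < INF:
            if cur in seen:
                return True
            seen.add(cur)
            cur = routes[cur][0]
    return False

def check_loop_freedom(update, seq_bump, n=4):
    """BFS over all interleavings; returns (loop_free, counterexample, states_explored)."""
    init = initial_state(n)
    seen, queue = {init}, deque([init])
    while queue:
        state = queue.popleft()
        if has_loop(state[0]):
            return False, state[0], len(seen)
        for nxt in successors(state, update, seq_bump):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return True, None, len(seen)

if __name__ == "__main__":
    for name, rule, bump in (("RIP-style", rip_update, False),
                             ("AODV-style", aodv_update, True)):
        ok, cex, count = check_loop_freedom(rule, bump)
        print(f"{name}: loop-free={ok}, states={count}, counterexample={cex}")
```

The RIP-style rule produces a counterexample in a handful of steps: after the 0-1 link fails, node 2 advertises its now-stale two-hop route to node 1 before node 1 has told node 2 the route is gone, and node 1 adopts it, giving a 1 -> 2 -> 1 loop that then counts toward INF. The AODV-style rule rejects that advertisement because node 1 bumped its sequence number when it detected the break, so every reachable state satisfies the invariant. Real RIP mitigates this with split horizon and triggered updates, and real AODV has further mechanisms; neither is modelled here.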
Index Terms
- Formal verification of standards for distance vector routing protocols