
Protocol Pruning

David Lee, Senior Member, IEEE, Arun N. Netravali, Fellow, IEEE, and Krishan K. Sabnani, Fellow, IEEE

Invited Paper

A communication system uses a precise set of rules, called a protocol, to define interactions among its entities. With advancing computer, transmission and switching technology, communication systems are providing sophisticated services demanded by users over a wide area. Protocol standards include a very large number of options to take care of different service possibilities and to please all the people involved in the Standards Committees. Consequently, protocols have become large and complex, and, therefore, their design and analysis have become a formidable task. To cope with this problem, a variety of approaches to simplify the protocols have been proposed in the published literature, such as protocol projection, homomorphism, selective resolution, and many others.

We have recently developed a new technique called protocol pruning. It reduces the complexity of the protocols by pruning them to keep only that part which is required for a specified subset of services. More importantly, it takes polynomial (rather than exponential) time and space in the size of the protocol specification. This makes the algorithm feasible for engineers to use for practical problems involving large and complex protocols. We describe the technique and discuss applications to synthesis of protocol converters/gateways, protocol conformance testing, and thinning for lightweight and high performance protocols. The technique could also be useful for protocol implementation, synthesis, validation, and verification.

I. INTRODUCTION

Information networks have become ubiquitous, capable, and flexible during the past decade. Connected computing, for example, does not use the network merely as a conduit for message transfer to support applications executing at the “end points,” but as a host for distributed applications that execute both inside and outside the “network cloud.” The end-user terminal can be simple or sophisticated; wired or wireless. The network can adjust itself to the type of the access device and the application is built on top of a flexible communications infrastructure. Many emerging applications require regional, national, or even international connectivity. In addition, emergence of multimedia requires data, voice, and video integration at all levels of the service: from physical transport to application. The transport may be over a variety of media, such as twisted wire pairs, coaxial cables, optical fibers, microwave radio, or satellite links. A variety of applications are being developed on these networks. Instead of thinking of networks as offering only real-time, connection-oriented sessions, new networks offer a hybrid of connection and connectionless services with extensive use of store-forward messaging transports. Collaborative applications using multimedia require substantial coordination of the different pieces of the network and the end points. Thus the increased flexibility and functionality of information networks makes the need and the complexity of communication protocols grow.

Manuscript received April 14, 1995; revised July 6, 1995.
D. Lee and A. N. Netravali are with AT&T Bell Laboratories, Murray Hill, NJ 07974 USA.
K. K. Sabnani is with AT&T Bell Laboratories, Holmdel, NJ 07733 USA.
IEEE Log Number 9414430.

Communication protocols are sets of rules defining the manner in which communication takes place. At the lowest level, a protocol may describe how information is to be represented and transported over a physical medium. At higher levels, protocols attempt to overcome the unreliability of the medium due to many factors such as transmission errors or buffer overflows as a result of congestion, and provide mechanisms for delivery, addressing and routing of messages. At an even higher application level, protocols provide services for transferring files, for security, and for managing messages required to enable the application.

Almost always, protocol design problems become challenging because they involve independent processes running concurrently on physically separate systems that can communicate only via imperfect message channels. Traditional methods of protocol engineering have involved relatively informal narrative specifications and validation by a “walk through.” While such methods have been quite successful overall, they have also allowed a disturbing number of errors or unexpected behaviors to creep through, due primarily to ambiguous and incomplete specifications. Consequently, formal methods have emerged in which a protocol may be represented as, for example, a set of communicating finite-state machines. A large collection of analytical techniques can then be used to analyze (e.g., validate correctness, estimate performance) as well as synthesize the protocol automatically from specifications to execute on a given platform. Unfortunately, while such a strategy works well for protocols of manageable sizes, it quickly runs into trouble when the size of the protocol (measured, for example, by the number of states of the finite state machine) becomes large. With the ever increasing sophistication in networked applications, protocols have become extremely complex. Additionally, many protocol standards contain a large number of options which may provide only a slightly different functionality. Such a plethora of options is often included to facilitate negotiations between the members of a Standards Committee. Thus both the need for sophisticated services as well as the process of standardization make protocols complicated.

0018-9219/95$04.00 © 1995 IEEE

It is necessary to simplify protocols for analysis (verification, validation), conformance testing, implementation and conversion between different protocol stacks for interworking. Ad hoc techniques are often used that can cause a variety of errors and prevent interworking. Formal methods, on the other hand, rely on the information of the global behavior of the protocol. For practical protocols, global information is too complex to be accessible. It is necessary to divide the problem of checking global behavior into smaller parts. A number of different techniques have been proposed to solve this problem, including protocol projection, homomorphism, probabilistic search, and many others [34], [39], [5]. Most of these techniques take time and space exponential in the size of the protocol specifications.¹

We present a new algorithmic procedure, protocol pruning; it divides the protocol into a collection of simpler protocols, each one of which provides a subset of services. This is useful since most of the time no single application can use all the options and services provided by a protocol. Our procedure is able to prune real and complex protocols such as TCP in a few seconds on a low end workstation. This technique has applications to protocol conversion, testing, thinning, and complementing [31], [35], [45]. We describe all these applications except complementing with several realistic examples.

Comparable techniques developed in the published literature are protocol projection and homomorphism. For example, several types of messages may be merged into one type. Thus, only coarser grain results are possible due to simplification. On the other hand, our technique generates and concentrates on the part of the protocol that provides the specified part of the services. Here is an analogy to explain the difference. Consider the protocol to be a geographical map with a certain resolution. Protocol projection is equivalent to a coarser view of the map with a reduced resolution. A pruned protocol is similar to only the required part of the map with its original resolution. Thus pruning reduces the protocol to only that part required for any given subset of services without simplifying that part itself. Since most protocols offer many services, pruning based on subsets of services results in substantial size reduction of the protocol.

¹ More precisely, it is exponential in the number of components.

Here is an outline of the paper. In Section II, we describe the communicating finite state machine model of protocols. Our pruning procedure is presented in Section III. Its applications to protocol thinning, conformance testing, and conversion are discussed in Sections IV, V, and VI, respectively. A comparison with protocol projection is given in Section VII. We conclude our discussion in Section VIII.

II. PROTOCOL MODEL

A protocol can often be modeled as a collection of communicating finite state machines (CFSM’s) [10]. To specify interactions between various machines, we use interprocess input/output (I/O) operations similar to those used in the language Communicating Sequential Processes (CSP) [26]. An output operation in process2 is denoted as process1!msg (send msg to process1) and a matching operation in process1 is denoted as process2?msg (receive msg from process2). These matching operations are executed simultaneously. In other words, if a process attempts to do an output, it has to wait until its corresponding process is ready to execute the matching input operation. For example, if process2 is ready to do the output operation process1!msg, it must wait until process1 is ready to do the input operation process2?msg. The synchronized message exchange between two processes is also called a rendezvous. In an input (output) operation if the process name is not specified, then this operation can take place with any other process. For example, if a process has an operator ?msg, it can receive msg from any other process. Such operations are often used to model protocols’ interactions with users and communication channels.

Formally, a finite state machine (FSM) is a four-tuple $F = (\Sigma, V, \rho, s_0)$ where $\Sigma$ is an alphabet consisting of the I/O operations and an internal operation called Int; $V$ is a finite set of states; $\rho : V \times \Sigma \to 2^V$ is a nondeterministic state transition function; and $s_0$ is the initial state. An internal operation is an unobservable action. While doing an internal transition, an FSM makes a state transition without interacting with any other FSM.

We can represent an FSM as a directed graph $(V, E)$ where $V$ is the set of states and $E$ is the set of edges or possible state transitions. Each edge is labeled by an I/O operation (belonging to $\Sigma$) which causes the state transition. An FSM starts in its initial state and, when it is in a given state, it can execute any of the operations labeling a transition from that state. Communication channels have bounded storage and are specified as FSM’s. The services expected from the protocol are also specified as an FSM. The I/O operations for this service FSM are service primitives of the protocol. A service primitive, a term used in the international standards, means an abstract message exchanged between the protocol and its user or upper layer. If $e$ is an edge that connects one state $s_1$ to another state $s_2$, then its tail state is $s_1$ and its head state is $s_2$. The label of an edge $e$ is given as label($e$).

PROCEEDINGS OF THE IEEE, VOL. 83, NO. 10, OCTOBER 1995

Note that if an edge is labeled by an I/O operation that has no matching operation, the transition can never occur. For example, if an edge in process2 is labeled process1!msg, and process1 contains no edge labeled process2?msg or ?msg, the transition in process2 can never occur. This point is used to design the pruning algorithm; we can prune transitions that can never occur.

For any two finite state machines $F_1$ and $F_2$, we can build an FSM $F_1 \# F_2$ that corresponds to the joint behavior of $F_1$ and $F_2$. The machine $F_1 \# F_2$ is called the reachable FSM or the composition of $F_1$ and $F_2$ and each of $F_1$ and $F_2$ is called a component machine. This operation of constructing $F_1 \# F_2$ is called the reachability computation or composing. This computation is done by computing reachable global states [7]. Specifically, a global state for $F_1 \# F_2$ is defined as a two-tuple $(s_i^{(1)}, s_i^{(2)})$ where $s_i^{(1)}$ is the current state of $F_1$ and $s_i^{(2)}$ is the current state of $F_2$. There is a transition in $F_1 \# F_2$ labeled $a$ from $(s_i^{(1)}, s_i^{(2)})$ to $(s_j^{(1)}, s_j^{(2)})$ if and only if there is a transition in $F_1$ from $s_i^{(1)}$ to $s_j^{(1)}$ and a transition in $F_2$ from $s_i^{(2)}$ to $s_j^{(2)}$ and both transitions are labeled $a$. Generally, for a protocol with $k$ CFSM’s: $F_1, F_2, \ldots, F_k$, the composition $F_1 \# F_2 \# \cdots \# F_k$ is defined similarly, and a global state $s_i$ is denoted as $(s_{i_1}^{(1)}, s_{i_2}^{(2)}, \ldots, s_{i_k}^{(k)})$.

In the reachability computation, there is a potential problem of state explosion: the number of the global states is the product of the numbers of states of all the component machines. Several techniques have been developed to cope with it [27], [32], [47], [49]. However, it is inherently exponential. In this article, we shall describe a procedure that prunes a protocol without constructing the composite machine and we also discuss its applications to protocol analysis and synthesis.

III. THE PRUNING PROCEDURE

A protocol typically provides multiple services. A service is modeled as an FSM with service primitives as its I/O operations. For applications such as conformance testing and protocol conversion, we need, or choose, to deal with only a subset of services at a time. We remove the services that we do not need and prune the protocol by deleting parts of the protocol which are not exercised. The pruned protocol machine is typically much smaller than the original one. A conventional approach for pruning is to first construct a composite machine and then remove the irrelevant and unreachable transitions. However, the composite machine usually has such a large number of states that it is impossible to construct; this is the well known state explosion problem.

Our pruning procedure does not construct a composite machine. It prunes a protocol in time and space polynomial in the size of the component machines. Variations of this procedure have been successfully applied to protocol testing and computation of converters for complex protocols such as TPCOP and ATM Adaptation Layer Convergence Protocols. The pruning time on a SPARCstation is only a few minutes while similar reduction is infeasible using conventional approaches.

A. The Pruning Algorithm

We present a procedure that constructs a pruned protocol machine which provides a selected service of the original protocol. Suppose that the original protocol has $r$ services: $S_j, j = 1, \ldots, r$. For clarity, we prune it to only one service $S_j$ among all services provided by the protocol. Recall that each service is modeled as an FSM with service primitives as its I/O operations.

Suppose that the original protocol has $k$ component machines: $F_i, i = 1, \ldots, k$. We first delete from each component machine transitions that are labeled with service primitives other than those of the selected service $S_j$ and, consequently, we delete transitions that have no matching service primitives any more. Then the algorithm prunes the component machines iteratively until no deletion is needed. Specifically, for each component machine, the algorithm computes and retains the strongly connected component that contains the initial state, discarding the rest of the machine. As a result, some edges of other machines may no longer have matching I/O’s, and they are also deleted. For those machines with edges removed, again we compute the strongly connected components containing the initial states and discard the rest of the machines. We continue this process iteratively until each pruned component machine consists of a strongly connected component that contains the initial state and in which every I/O transition has a matching I/O transition. The intuitive idea behind this algorithm is that we can remove those parts of the protocol machines that can be reached only by applying unmatched service primitives and that the remaining machines have to be strongly connected.²

Here is the algorithm in pseudo-code.³ The use of the data structure MATCH is described in more detail in the next subsection.

Algorithm 1. (Pruning communicating finite state machines)
Input: FSM’s of a protocol: $F_i, i = 1, \ldots, k$; a selected service machine $S_j$;
Output: FSM’s of a pruned protocol only for service $S_j$.

begin
  begin /* initial pruning */
    initialize a data structure MATCH to keep track of all matched I/O’s;
    initialize a list of active component machines: L = ∅;
    for (each FSM F_i) do
      delete transitions with service primitives not in S_j;
      append F_i to L; /* to be further pruned */
    end
  end
  while (L is not empty) do /* prune component machines iteratively */
    remove an F_i from L;
    compute strongly connected component C_i that contains initial state;
    delete edges of F_i that are not in C_i;
    update MATCH with respect to edges deleted;
    append to L machines that are not in L and that have newly unmatched edges;
  end
  return pruned machines F_i, i = 1, ..., k;
end

The set of the remaining machines: $F_i, i = 1, \ldots, k$, contains the pruned protocol⁴ that provides only the selected service $S_j$. Note that $F_i$ is a submachine of the original component machine $F_i$.

² Most protocols have a reset capability. Application of a reset input forces a component FSM into its initial state. FSM’s for protocols that do not have this reset capability are made strongly connected by adding some dummy transitions.

³ Note that communication channels with bounded storage are also modeled by FSM’s. However, they are not involved in the pruning process. For clarity, we do not include them in the algorithm.

⁴ After pruning, if a component machine has no transitions left then we can simply remove it; it does not interact with other machines any more. A pruned protocol may contain fewer component machines than the original one. For clarity, we still use $k$ to denote the number of the component machines.

B. Data Structures and Efficient Implementations

The data structure MATCH keeps track of the matching I/O transitions as follows. Identical I/O transitions are associated with a counter (by a linked list, for instance), which records their total number. Counters of matching I/O’s are associated with each other (by pointers, for instance). When an I/O transition is deleted, its associated counter is decreased accordingly. When a counter $\alpha$ becomes zero, all its associated I/O transitions have been deleted, and, consequently, their matching I/O transitions may not have any transitions to match. In this case, we have to delete all these transitions as well. We conduct an update iteratively as follows. We check the counters of all its matching I/O transitions $\beta$. If $\beta$ has no matching counters any more (all of them have become zero when $\alpha$ becomes zero), then we decrease $\beta$ to zero and delete all its associated I/O transitions from the corresponding component machines. The associated counters of $\beta$ are processed similarly. This counter updating is done iteratively until none of the involved counters have to be further decreased. On the other hand, whenever we delete an I/O transition from a component machine, the machine needs an update, and we append it to L for further processing if it is not there.

It takes a constant time to delete an I/O transition and to update its counter. When the counter is decreased to zero, we process its associated counters if necessary. When a counter becomes zero we do not have to process it any more. We charge the processing cost to the transitions deleted. Since there are $O(\sum_{i=1}^{k} m_i)$ transitions initially, the total cost to initialize and to update MATCH is $O(\sum_{i=1}^{k} m_i)$, where $m_i$ is the number of transitions of $F_i$.

We can use a $k$-bit vector to record whether $F_i$ is in L. If $F_i$ is in L, then the $i$th bit is 1, otherwise, 0. To update the vector and to check whether $F_i$ is in L take a constant time.

Whenever a component machine $F_i$ is appended to L, at least one edge has been removed. Whenever a component machine $F_i$ is removed from L, we construct the strongly connected component that contains the initial state. It takes time $O(m_i)$ to compute the strongly connected component of $F_i$, using depth-first search [2], [17]. Since a machine $F_i$ can be removed from L only after it has been appended to L, if we charge the cost of processing to each machine, then the total cost is $O(\sum_{i=1}^{k} d_i m_i)$, where $d_i$ is the number of edges deleted from $F_i$.

In summary, the total pruning cost is $O(\sum_{i=1}^{k} d_i m_i)$ where $m_i$ is the number of transitions of the component machine $F_i$ and $d_i$ is the number of transitions deleted from that component machine. On the other hand, the space needed is $O(\sum_{i=1}^{k} m_i)$. As a comparison, using the conventional method, to compute the composite machine takes time and space proportional to $\prod_{i=1}^{k} m_i$.
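As an added worked example (not code from the paper), the following Python implements Algorithm 1 together with the MATCH counters of Section III-B, run on a constructed two-party protocol. The label syntax `peer!msg` / `peer?msg`, the reserved peer name `user` for service primitives, and the sender/receiver machines A and B are assumptions of this example.

```python
from collections import Counter, deque

USER = "user"  # assumed reserved peer name: edges to/from the user are service primitives


def parse(label):
    """Split 'peer!msg' (send) / 'peer?msg' (receive) into (peer, dir, msg); 'Int' is internal."""
    if label == "Int":
        return None
    sep = "!" if "!" in label else "?"
    peer, msg = label.split(sep, 1)
    return peer, sep, msg


def key(machine, label):
    """MATCH counter key of an edge: identical I/O transitions of one machine share a counter."""
    p = parse(label)
    return None if p is None or p[0] == USER else (machine, p[0], p[1], p[2])


def partner(k):
    """Counter of the rendezvous partner: same msg, opposite direction, roles swapped."""
    m, peer, d, msg = k
    return (peer, m, "?" if d == "!" else "!", msg)


def scc_of_initial(edges, init):
    """States of the strongly connected component containing init (reachable and co-reachable)."""
    fwd, bwd = {}, {}
    for s, _, t in edges:
        fwd.setdefault(s, set()).add(t)
        bwd.setdefault(t, set()).add(s)

    def reach(adj):
        seen, stack = {init}, [init]
        while stack:
            for n in adj.get(stack.pop(), ()):
                if n not in seen:
                    seen.add(n)
                    stack.append(n)
        return seen
    return reach(fwd) & reach(bwd)


def prune(protocol, service):
    """Algorithm 1: prune the component machines to the service primitives in `service`.

    protocol: {name: {"init": state, "edges": [(src, label, dst), ...]}} with distinct edges
    service:  set of service-primitive labels (peer 'user') that the selected service S_j uses
    Returns pruned copies; the input is left untouched.
    """
    machines = {n: {"init": m["init"], "edges": list(m["edges"])} for n, m in protocol.items()}
    # initial pruning: delete transitions with service primitives not in S_j
    for m in machines.values():
        m["edges"] = [e for e in m["edges"]
                      if parse(e[1]) is None or parse(e[1])[0] != USER or e[1] in service]
    # MATCH: one counter per identical I/O transition; partners are linked by partner()
    match = Counter(key(n, e[1]) for n, m in machines.items() for e in m["edges"])
    match.pop(None, None)
    active = deque(machines)      # the list L of machines still to be pruned
    in_active = set(machines)     # the k-bit vector recording membership in L

    def delete(name, doomed):
        """Delete edges from one machine, update MATCH and cascade to newly unmatched partners."""
        machines[name]["edges"] = [e for e in machines[name]["edges"] if e not in doomed]
        for e in doomed:
            k = key(name, e[1])
            if k is None:
                continue
            match[k] -= 1
            if match[k] == 0 and match[partner(k)] > 0:
                p = partner(k)            # counter beta: its transitions lost their only match
                peer = p[0]
                gone = [f for f in machines[peer]["edges"] if key(peer, f[1]) == p]
                if peer not in in_active:
                    active.append(peer)
                    in_active.add(peer)
                delete(peer, gone)

    while active:
        name = active.popleft()
        in_active.discard(name)
        m = machines[name]
        scc = scc_of_initial(m["edges"], m["init"])
        # drop edges outside the SCC of the initial state and edges with no rendezvous partner
        doomed = [e for e in m["edges"]
                  if e[0] not in scc or e[2] not in scc
                  or (key(name, e[1]) is not None and match[partner(key(name, e[1]))] == 0)]
        if doomed:
            delete(name, doomed)
    return machines


# Constructed protocol (not from the paper): sender A and receiver B offering two services,
# ordinary data transfer (send/deliver) and expedited data (urgent), each via user primitives.
PROTOCOL = {
    "A": {"init": "idle", "edges": [
        ("idle", "user?send", "sending"), ("sending", "B!data", "wait"), ("wait", "B?ack", "idle"),
        ("idle", "user?urgent", "urg"), ("urg", "B!xdata", "wait_x"), ("wait_x", "B?xack", "idle")]},
    "B": {"init": "idle", "edges": [
        ("idle", "A?data", "got"), ("got", "user!deliver", "acking"), ("acking", "A!ack", "idle"),
        ("idle", "A?xdata", "got_x"), ("got_x", "A!xack", "idle")]},
}


def pruned_edges(service):
    """Sorted edges of each pruned machine for the chosen service."""
    return {n: sorted(m["edges"]) for n, m in prune(PROTOCOL, service).items()}


if __name__ == "__main__":
    for service in ({"user?send", "user!deliver"}, {"user?urgent"}):
        print(sorted(service), pruned_edges(service))
```

Pruning to the urgent service shows the MATCH cascade: B's own strongly connected component would keep its xdata/xack loop, and it is removed only because A's matching transitions were discarded first.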

C. Correctness

We have to show that the pruned protocol provides the selected service $S_j$. Suppose instead that we construct the composite machine, delete all the service primitives except that of $S_j$, compute the reachable part from the initial state, and obtain a protocol that provides the service of $S_j$ only and that consists of the component machines $F_i^* \subseteq F_i$. For clarity, we call them the minimal component machines that provide service $S_j$.

We now claim that using Algorithm 1 the pruned protocol does provide service $S_j$. In other words, each pruned component machine $F_i$ contains the minimal machine for the service $S_j$: $F_i^* \subseteq F_i, i = 1, \ldots, k$. Note that $F_i^*$ may be properly included in $F_i$, i.e., the pruned protocol is not minimal. However, the pruned protocol contains the minimal one, and, therefore, performs the same function when limited to the selected service.

As defined in Algorithm 1, we denote by $C_i$ the strongly connected component of $F_i$ which contains the initial state.


We first delete from $F_i$ all the service primitives that are not in $S_j$. Obviously, they are not in $F_i^*$ either. Therefore, after the first loop, our claim is true. Since $F_i^*$ is strongly connected and contains the initial state, $C_i$ must contain $F_i^*$, and, after deleting all the edges not in $C_i$, our claim still holds. If an edge becomes unmatched after we update MATCH, this edge (I/O) can never be exercised, and, therefore, cannot be in $F_i^*$. After deleting this edge, our claim still holds. Therefore, during the whole process, the minimal component machines $F_i^*$ are always contained in $C_i$. When the process terminates, $C_i$ is the pruned machine $F_i$. We summarize:

Proposition 1. Given a protocol specified as a set of communicating component finite state machines $F_i, i = 1, \ldots, k$, and a selected service $S_j$ among all the services that the protocol provides, Algorithm 1 constructs a set of pruned component machines $F_i, i = 1, \ldots, k$, each of which is strongly connected and contains the corresponding minimal machine $F_i^*$, that provides the service $S_j$. The total cost of processing is $O(\sum_{i=1}^{k} d_i m_i)$, where $m_i$ is the number of edges of $F_i$ and $d_i$ is the number of edges removed from $F_i$.

This procedure requires a computation of strongly connected components in the component FSM’s but it does not require a computation of all reachable states. This is why it can be done within a few minutes on a SPARCstation.

In the next three sections, we will present applications of the versatile algorithm presented.

IV. PROTOCOL THINNING

An important application of pruning technology is thinning of protocols. In order to appreciate the need and value of protocol thinning, consider the progress made in data transport and switching, which has resulted in deployment of networks with raw bandwidth that is orders of magnitude higher than the current systems. Optical fibers, for example, can transmit tens of gigabits/second over several hundred kilometers without repeaters and modern asynchronous transfer mode (ATM) switches can switch bit streams of multiple gigabits/second. In spite of this, perceived throughput at the application (even if it resided entirely within a LAN) has not increased correspondingly. Ideally, an application should be able to transmit at the peak bandwidth of the channel once access is obtained and if high speed is desired. In practice, however, the realized end-to-end throughput (from one process to another across the network) is only a small fraction of the transmission bandwidth. This throughput limitation comes from a variety of factors. Sources of these are:

1) Design decisions made in developing many of today’s transport protocols are incorrect due to changes in the environment. In particular, today’s transport protocols use extra processing to reduce the transmission costs, to recover from errors, and to control flows in the network.

2) Most protocol standards contain a large number of options. No single application can use all these options, but since the standard is intended for different applications and network architectures, it must contain all the options. In recent years, the number of options has increased dramatically as the number of applications and networking platforms has grown. Another reason for the large number of options is the standardization that takes place using a “design by committee” process. Several (usually not completely tested) options with very similar functionality are included in the standards to facilitate negotiations between the members of the committee. A large number of options results in protocol implementations that are slow and have a large code size. The situation gets worse when these options are added over a long time (e.g., TCP/IP), since it is difficult to develop modular code in such instances.

3) Implementation and the environment in which protocols are executed play a significant part as well. In transport protocols, for example, an efficient network interface (e.g., a powerful outboard processor with special memory and controllers for byte operations such as copy and checksum) can go a long way in improving protocol performance. Other implementation factors such as reduction of data movement during the execution of protocols, use of suitable internal queue and buffer management schemes, use of lightweight processes, and efficient embedding of protocols in the operating system architecture also improve performance [13], [14], [16], [28], [52], [57].

A number of approaches exist for overcoming such protocol bottlenecks:

1) Implement existing standard protocols efficiently. High speed can sometimes be obtained (provided the environment is optimized as well) if protocol processing is done in silicon [14]. If the entire processing is “hard wired,” then protocol changes cannot be easily accommodated. Programmable processors suitably optimized for the templates of processing in protocols can overcome this problem at a very slight loss of performance [30]. Another possibility is to modularize protocol processing and choose only those modules that are needed for the applications. Depending on the size of the subset of modules needed, substantial reduction in processing overhead can be obtained.

2) A second option is to design new protocols that are specifically suited for applications in hand and for networks under consideration. Such custom protocols require a substantial amount of work in design, specification, implementation and exhaustive testing. Moreover, internetworking becomes difficult and many times performance gained through customization is lost in processing for interconnections. Nonetheless, many specialized protocols have been developed over the years [15], [18], [43].

A. Thinning Procedure

A complex protocol consisting of many options providing many services is modularized by using the pruning techniques described in Section III. Thus a protocol provides many services, each of which is modeled as an FSM with service primitives as its input/output (I/O) operations. The protocol itself, which is modeled as communicating FSM's, is pruned using Algorithm 1 for one service at a time. Such a pruned protocol is usually much smaller than the original protocol, since we remove those parts of the protocol machines that can be reached only by applying unmatched service primitives. Protocol performance can be improved by having an implementation that is smaller in code size. In addition to code size reduction, the elimination of options yields speed advantages, since the overhead of checking for the presence of options is usually high. Smaller code size is also of great value in many applications such as mobile computing devices: in these cases, one can only afford a smaller main memory, and therefore a smaller code size decreases the probability of swapping from a disk with the resulting loss of performance. Another important aspect of thinning is that this improvement in performance is obtained without creating a nonstandard protocol. The "thinned" protocol conforms fully with the standard and is completely interoperable with other "nonthinned" standard protocols for the chosen subset of services.


B. Example 1

Let us consider a full-duplex alternating bit protocol (FABP) that allows information exchange between two remote application processes connected by unreliable FIFO channels. FABP consists of two protocol entities and two communication channels, C12 and C21, see Fig. 1. Each of the two identical protocol entities consists of the seven FSM's shown in Fig. 2: trans, Retimer, rec, NS, NR, buf and Atimer. FSM trans takes care of the transmission of outgoing messages and of acknowledgments; data messages piggyback acknowledgments. Retimer is the retransmission timer: if an acknowledgment is not received within a certain time-out period after sending a data message, then this data message is retransmitted. FSM rec takes care of incoming messages, both data messages and explicit acknowledgments. FSM's NS and NR store the sequence numbers of the next message to be sent and of the next expected message, respectively. FSM buf takes care of sending acknowledgments. When a data message is received, buf starts a timer, Atimer. If a data message is not sent out before Atimer expires, an explicit acknowledgment is sent. A data message has the structure dataxy, where x is the sequence number of the message with two values (0, 1) and y is the piggybacked acknowledgment with two values (0, 1). There are two types of explicit acknowledgment: ak0 and ak1. Transmission of datax0 (datax1) or ak0 (ak1) means that the next expected message has the sequence number 0 (1). The composition of these seven FSM's has 4848 states and 15 312 edges.

This protocol provides two services: forward data transfer and reverse data transfer. The service FSM for FABP, S_F, shown in Fig. 3, provides data transport in both directions. In this machine, the protocol picks up a message from one user process using the input operation (?dataF) and delivers it to the other user process using the output operation (!dataF). We select the forward data transfer service only and use Algorithm 1 to prune the FABP. The service FSM for forward data transfer only, S'_F, is in Fig. 4. The resulting pruned machines in Fig. 5 perform the forward data transfer. The composition of these pruned machines has 483 states and 109 edges. Similarly, the pruned machines that perform reverse data transfer are quite small; their composition has 82 states and 146 edges.

Fig. 1. FABP: two protocol entities connected by the channels C12 and C21, carrying dataF in the forward and dataR in the reverse direction.

Table 1  Results of Pruning TCP (states/edges).

  Machine    Before       After
  rcvr       1867/2398    1406/1779
  buf-mgr      89/142       72/115
  xmtr        158/231      150/219
  t-proc       48/65        48/65

The original protocol has seven FSM's with a composition of 4848 states and 15 312 edges. After pruning with respect to each service, each pruned composite machine has fewer than 100 global states.

C. Example 2

Let us consider the Transmission Control Protocol (TCP) [48], which is a full-duplex protocol. When it is interconnected with half-duplex protocols such as SNR [43], we want to prune it to make it more efficient. A detailed discussion will be given in Example 6. Here we only give the aggregate results in Table 1. The second column has the numbers for TCP before pruning, the third column after pruning. In each pair of numbers, the first is the number of states and the second is the number of edges. This computation takes only 10 s on a Sun SPARCstation 1+. Such a computation is intractable with techniques that construct the composite machine.

In the next section, we will describe how pruning can help in conformance testing.

V. CONFORMANCE TESTING

Reliable communication can be ensured among protocol systems if the protocol implementations used within each system conform to their specifications. As the services expected from a communication network grow, the complexity of the communication protocols also increases, making the task of conformance testing more challenging and more essential. Hence, protocol conformance testing has become an integral part of communication system design.

The dominant schemes in test sequence generation are structured, such as checking sequences [1], [9], [25], [41], [42], [50], [53], [58], where a test is designed based on the structure of the FSM's. This is appropriate for testing a single isolated machine. However, for protocols specified by communicating FSM's, the size of the structure of the composite machine is formidable, and that makes structured testing impractical.

Fig. 2. FABP. (a) transmitter, trans; (b) process buf; (c) auxiliary processes; (d) receiver, rec.

PROCEEDINGS OF THE IEEE, VOL. 83, NO. 10, OCTOBER 1995

To reduce the complexity, we can first prune a protocol to a subset of (or each individual) services and test each of the pruned protocols separately. If the resulting pruned protocols are not very large, such as the FABP of Example 1, then we can still apply structured testing. Unfortunately, for most complex protocols, the pruned protocol machines may still be too large to compose. Another difficulty of testing arises from internal transitions: they are not observable by a tester, and consequently the composite machine exhibits nondeterministic behavior, whereas most of the structured testing methods are only for deterministic FSM's. A more subtle problem is that the composition of the pruned machines contains, but need not be the same as, the composition of the minimal component machines that provide the selected services, and there is no obvious way to identify those minimal machines. Without knowing the exact structure of the machine for the selected services, it is difficult, if not impossible, to apply any technique of structured testing.

Fig. 3. Service FSM for FABP, S_F.

Fig. 4. Service FSM for forward data transfer, S'_F.

A. A Guided Random Walk for Test Generation

An unstructured test sequence generation procedure is reported in [35]. It is based on pruning and follows an adaptive guided random walk. For a protocol under test, we first prune it according to each service or a subset of services. For a pruned protocol, we select the inputs adaptively as follows. The inputs that will take unexercised transitions have higher priority, and among the inputs with the same priority we choose one uniformly at random. It is a random walk through the system, but it is guided by the priorities of the inputs to choose [35].
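As an added illustration of this procedure (example code written for this page, not the tool of [35]), the following Python program runs both the guided walk and a pure random walk over a constructed, hypothetical connection-management FSM and counts the steps until every external input edge has been exercised. The state and input names (CLOSED, ?open, ?syn, ...) are made up for the example and are not the FABP or ATM adaptation layer models of the paper.

```python
"""Guided random walk for conformance-test generation (added example)."""
import random

# Constructed deterministic FSM of a simplified connection-management
# protocol (hypothetical): (state, input) -> (output, next_state).
# Every entry is an external input edge that a test must exercise.
FSM = {
    ("CLOSED", "?open"):      ("!syn", "SYN_SENT"),
    ("CLOSED", "?listen"):    ("-", "LISTEN"),
    ("LISTEN", "?syn"):       ("!synack", "SYN_RCVD"),
    ("LISTEN", "?close"):     ("-", "CLOSED"),
    ("SYN_SENT", "?synack"):  ("!ack", "ESTAB"),
    ("SYN_SENT", "?close"):   ("-", "CLOSED"),
    ("SYN_RCVD", "?ack"):     ("-", "ESTAB"),
    ("SYN_RCVD", "?rst"):     ("-", "LISTEN"),
    ("ESTAB", "?data"):       ("!data", "ESTAB"),
    ("ESTAB", "?close"):      ("!fin", "FIN_WAIT"),
    ("ESTAB", "?fin"):        ("!ack", "CLOSE_WAIT"),
    ("FIN_WAIT", "?ack"):     ("-", "CLOSED"),
    ("FIN_WAIT", "?fin"):     ("!ack", "CLOSED"),
    ("CLOSE_WAIT", "?close"): ("!fin", "CLOSED"),
}
INITIAL = "CLOSED"


def enabled_inputs(state):
    """Inputs the implementation accepts in `state` (sorted for determinism)."""
    return sorted(inp for (s, inp) in FSM if s == state)


def walk(rng, guided, max_steps=10_000):
    """Drive the FSM until every input edge has been taken.

    guided=True implements the priority rule of the paper: an input whose
    edge is still unexercised outranks the others, and ties are broken
    uniformly at random. guided=False is a pure random walk.
    Returns (steps, trace); steps is None if coverage was not reached.
    """
    state, covered, trace = INITIAL, set(), []
    for step in range(1, max_steps + 1):
        candidates = enabled_inputs(state)
        if guided:
            fresh = [i for i in candidates if (state, i) not in covered]
            if fresh:
                candidates = fresh
        inp = rng.choice(candidates)
        out, nxt = FSM[(state, inp)]
        trace.append((state, inp, out, nxt))  # the test sequence so far
        covered.add((state, inp))
        state = nxt
        if len(covered) == len(FSM):
            return step, trace
    return None, trace


def run(seed, guided):
    """Seeded wrapper so a run is repeatable."""
    return walk(random.Random(seed), guided)


def mean_steps(seeds, guided):
    """Average number of test steps to full input-edge coverage."""
    results = [run(s, guided)[0] for s in seeds]
    assert None not in results, "increase max_steps"
    return sum(results) / len(results)


if __name__ == "__main__":
    seeds = range(50)
    print("guided walk, mean steps:     ", mean_steps(seeds, True))
    print("pure random walk, mean steps:", mean_steps(seeds, False))
    steps, trace = run(1, True)
    print("guided test sequence (%d steps):" % steps)
    for src, inp, out, dst in trace:
        print("  %-10s %-8s %-8s -> %s" % (src, inp, out, dst))
```

The returned trace is the test sequence: each entry gives the input to apply and the output the implementation is expected to produce, which is what a conformance tester compares against the implementation under test. Over the 50 seeds the guided walk needs markedly fewer steps than the pure walk, in line with Fig. 6.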

We apply our procedures to two protocols: the full-duplex alternating bit protocol (FABP) and the ATM Adaptation Layer Convergence Protocol [19].

B. Example 3

As described in Example 1, we prune the FABP for the forward and reverse data transfer services, respectively. This pruning reduces the problem of testing a collection of FSM's with over 4800 global states to that of testing two sets of FSM's with fewer than 100 global states each.

Fig. 5. (a) Pruned FABP auxiliary processes; (b) pruned FABP process buf.

Furthermore, the guided random walk can test all external transitions of every component machine in about 125 steps. Fig. 6 shows that our procedure requires about half as many steps as a pure random walk to produce a test that exercises all the external input edges.

C. Example 4

For the ATM Adaptation Layer Convergence Protocol, if we take the Cartesian product of all the component machines, the global state space is larger than 10^21. Using our procedure, 99% of the component machine edges can be tested in 8082 steps (fewer than seven edges remain untested), see Fig. 7. For a protocol model of the complexity of the ATM Adaptation Layer, it would be impossible for the previously known approaches to generate a test sequence with that coverage. The machines for this protocol are too big to be described here.

In the next section, we will describe automated gateway generation, another application of pruning.

Fig. 6. Results for FABP. Number of untested input edges and number of internal edges below threshold versus test steps (0 to 300), for the guided and the pure random walk.

Fig. 7. Results for the ATM adaptation layer. Number of untested input edges and number of internal edges below threshold versus test steps (1 to 100 000, logarithmic scale), for the guided and the pure random walk.

VI. PROTOCOL CONVERSION

A gateway design involves solving two sets of problems: architectural and protocol conversion. The first problem deals with matching the layered architectures in the two networks. The second problem deals with differences in message formats and rules for message exchanges. We address the second set of problems and describe a procedure that computes in polynomial time a converter which provides the largest common subset of the two protocols being connected. The core part of the procedure is the pruning algorithm given in Section III.

Most procedures reported in the literature [5], [6], [8], [14], [23], [31], [33], [46], [59] are based on constructing a composite machine from all the component machines of the protocols involved and have exponential complexity. The first polynomial-time algorithm was reported in [31]. Basically, it uses the pruning Algorithm 1 and has the following major steps: 1) identify the largest common subset of services provided by the two protocols; and 2) compute those parts of the protocol machines that are necessary to provide the largest common subset of services.

Our approach is a top-down approach.4 However, we do not synthesize the converter from scratch as in [12]. We prune the input specification of the protocol machines to compute the converter. This approach allows us to derive a polynomial-time algorithm for generating converters. The details are as follows.

4 In a top-down approach, the converter is constructed from the service specifications.

Fig. 8. Component FSM's of protocol A.

Fig. 9. Overall block diagram.

Let us consider two protocols A and B. Let A consist of four FSM's: A1, A2, CA12, CA21, where A1 and A2 are the two end entities and CA12 and CA21 are half-duplex communication channels. CA12 (CA21) transports messages from A1 (A2) to A2 (A1), see Fig. 8. Similarly, let B consist of four FSM's: B1, B2, CB12, CB21. We construct a converter conv that enables A1 to communicate with B2, see Fig. 9. This procedure has the following steps, which are further explained in Sections VI-A to VI-C, respectively:

1) Design an interface converter (IC). This interface matches service primitives of A with those of B. There must be a reasonable degree of matching at this level; otherwise, conversion between A and B does not make any sense.

2) Compute the largest common subset of services of A and B. If A1 is connected to B2 through a converter, this tandem can provide at most such a common subset of services of A and B.

3) A trivial converter can be obtained by a direct composition of all the machines involved and, as shown in Fig. 10, consists of A2, IC, and B1. Some parts of A2 and B1 are never exercised in providing the common services. Prune these parts from the trivial converter to compute a pruned converter.

Here are further details of this procedure.

A. Design an Interface Converter

The service provided by A (B) is specified as an FSM SA (SB). The I/O operations of SA and SB are the service primitives of A and B, respectively. Let the set of I/O operations of A1 (A2) with its local user be IA1 (IA2). Similarly, let the set of I/O operations of B1 (B2) with its local user be IB1 (IB2).

For example, suppose A and B are both data transfer protocols. Suppose A1 is given a service primitive for establishing a connection. Eventually A2 should generate a service primitive indicating to its local user that a remote user connected to A1 wishes to establish a connection with it. On receiving this output service primitive, the interface converter IC should generate an input service primitive for protocol B indicating that a local user (in this case, A2) wants to establish a connection. B1 has to play the role of user for A2. Similarly, A2 has to play the role of user for B1. The output service primitives for A2 are tied to the input service primitives for B1. Similarly, the output service primitives from B1 are tied to the input service primitives for A2. The input service primitives for A2 may not have a one-to-one correspondence with the output service primitives of B1. In such a case, the following step should be taken.


Fig. 10. A trivial converter.

The designer has to develop a translation between the elements of IA2 and those of IB1. In most cases, this mapping or translation is one-to-one; in some other cases, the mapping may be more complex. Suppose two output service primitives x and y from A2 are equivalent to one input service primitive z for B1. We must insert a translator box between A2 and B1 that generates z after it has received x or y. This translator box is modeled as a machine called the interface converter (IC). Some service primitives of A may perform functions that are not performed by any combination of service primitives of B. In such cases, no attempt is made to translate between the service primitives; these are the service primitives that result in the reduction given later. In the procedure given here, defining the IC is nonalgorithmic and has to be done manually.

Each service primitive in IA1 (IB1) typically has a corresponding service primitive in IA2 (IB2). For example, a service primitive that requests connection establishment for A1 has a corresponding service primitive that indicates a connection establishment request for A2. We also identify those service primitives of A1 and B2 that correspond to the service primitives of A2 and B1 that are not translated by IC. These service primitives should never be invoked while using the largest common subset of services. This point is used to reduce the converter design.

B. Compute the Largest Common Subset of Services Offered by A and B

In the service FSM's of A and B (SA and SB), remove the edges that correspond to service primitives not matched in Step 1). Let the resulting pruned machines be S'A and S'B. Compute W = S'A # IC # S'B, where W is the largest common subset of services offered by A and B. This machine can be subsequently reduced while maintaining its observational equivalence [40]. The services that both protocols provide are kept in this machine W; other services are discarded.

C. Compute a Pruned Converter

We consider the same set of interacting FSM's, F1, ..., Fk, which are from A1, A2, B1, B2, the channels, IC, and W_I. W_I is the image of W in which each input operation ?x is replaced by an output operation !x and each output operation !y is replaced by an input operation ?y. We remove those edges that have unmatched service primitives as labels. Then, for each machine, the algorithm computes and retains the strongly connected component that contains the initial state, discarding the rest of the machine. As a result, some edges of other machines may no longer have matching I/O's, and they are also removed.

Fig. 11. Service FSM for HABP, S_H.

Fig. 12. Interface converter.

For those machines with edges removed, we again compute the strongly connected component starting from the initial state and discard the rest of the machine.6 We continue this process iteratively until each pruned machine consists of a strongly connected component that contains the initial state, and every I/O transition has matching I/O transitions. The intuitive idea behind this algorithm is that we can remove those parts of the protocol machines that can be reached only by applying unmatched service primitives, and that the remaining machines have to be strongly connected. This is basically the pruning Algorithm 1: we prune the unmatched service primitives and then apply the algorithm.

D. Example 5

Consider two protocols, a half-duplex alternating bit protocol (HABP) and a full-duplex alternating bit protocol (FABP). HABP transports data messages from a transmitter user process to a receiver user process over a lossy communication channel. It does not transport data messages in the reverse direction. FABP allows two remote processes to exchange data messages, as given in Example 1. The service FSM for HABP, S_H, is shown in Fig. 11. Its alphabet is (?dataI, !dataO). In the input operation (?dataI), HABP picks up a message from a transmitter user process. During the output operation (!dataO), HABP delivers a data message to the receiver user process.

As described in Example 1, the service FSM for FABP, S_F, is shown in Fig. 3. This protocol picks up a message from one user process using the input operation (?dataF) and delivers it to the other user process using the output operation (!dataF). In the reverse direction, the corresponding I/O operations are (?dataR) and (!dataR). Only one service primitive (!dataO) of S_H can be mapped to (?dataF) of S_F.

The interface converter for this protocol pair is shown in Fig. 12. The service primitives (?dataR) and (!dataR) are never exercised in S_F during this conversion.

The pruned service machine (S'_F) is shown in Fig. 4. Since both service primitives of HABP are exercised in providing the common service, the service machine S_H cannot be pruned. The weaker set of services W' is given as (S_H # IC # S'_F). This machine is reduced while maintaining its observational equivalence [40]. The reduced machine is given in Fig. 13.

6 FSM's for protocols that do not have infinite loops for data transfer are made strongly connected by adding some dummy transitions. Examples of such protocols are connection management and call setup protocols.

Fig. 13. Reduced W' = S_H # IC # S'_F.

Next, we will describe how we generate a pruned con- verter for these two protocols.

HABP (Fig. 14) consists of five machines: Htrans (Fig. 14(a)); Hrec (Fig. 14(b)); and timer, CA12 and CA21 (Fig. 14(c)). FSM Htrans implements a simple retransmission procedure; it has a satellite FSM, timer. CA12 and CA21 are the forward and reverse communication channels: CA12 transports data messages from Htrans to Hrec, and CA21 transports acknowledgments in the reverse direction. An acknowledgment is an indication from Hrec to Htrans that it received a message correctly.

FSM Htrans picks up a message (using the input operation ?dataI) from its user process and sends it with a sequence number, either 0 or 1, to Hrec over the data medium CA12. It also starts a local timer, timer, and waits for an acknowledgment. When Hrec receives a message with the next expected sequence number, it gives it to its local user (using the output operation !dataO) and sends an acknowledgment to Htrans over the acknowledgment medium CA21. Each acknowledgment also carries a sequence number that is either 0 or 1.

The protocol entities and communication channels of FABP are described in Section IV-B, Example 1. Recall that it contains seven FSM’s with 4848 states and 15 312 edges.

We apply Algorithm 1 to both protocols and obtain the same pruned FABP machines as in Example 1; the seven pruned machines are given in Fig. 5. The composition of these pruned machines has 48 states and 192 edges. All edges in trans and rec are exercised in providing the largest common subset of services W'.

A trivial converter (from a direct composition of all the machines involved), Hrec # IC # B1, where B1 denotes the FABP entity, has 33 936 states. On the other hand, the pruned converter from our approach, Hrec # IC # B1', where B1' denotes the pruned FABP entity, has only 336 states.

E. Example 6

We have also computed a converter for connecting an SNR protocol [43] implementation and a TCP implementation. Both protocols were specified in an extended finite state machine model, in which we extend FSM's by adding state variables and operations on them. Whereas pure finite state machine transitions involve only input or output messages, the transitions of our extended model also have conditional tests on variable values and operations that change the variables' values. The algorithms described have been implemented in software. Although the algorithm we have described applies to pure finite state machines, our software in fact operates on extended finite state machines (EFSM's).

Fig. 14. (a) HABP transmitter, Htrans. (b) HABP receiver, Hrec. (c) HABP timer (inputs ?start, ?cancel; output !timeout) and channels CA12, CA21.

Finite state machines can model the control portions of communication protocols. However, for proper modeling of the data portions of protocols, variables and operations based on variable values are required. To model protocols such as TCP/IP, SNR, ANSI/IEEE Standard 802.2 (ISO 8802-2), and 5ESS,7 we extend finite state machines with variables as follows. We denote a finite set of variables by a vector $\vec{x} = (x_1, \ldots, x_k)$. A predicate on variable values $P(\vec{x})$ returns FALSE or TRUE. Given a function $A(\vec{x})$ of $\vec{x}$, an action (transformation) is an assignment $\vec{x} := A(\vec{x})$. An EFSM contains a finite set of states and transitions between states. As in an FSM, each transition is associated with an input and an output. In addition, it also has a predicate and an action. If the predicate on the current variable values returns TRUE, then we can follow this transition and change the variable values by the corresponding action [38].

7 AT&T No. 5 electronic switching system.

Extended finite state machines are compact representations of complex systems. It is well known that even the reachability problem is PSPACE-complete when the variable values are finite, and undecidable in general.8 The difficulty comes from the predicates and actions associated with the transitions. For pruning, however, they do not introduce any difficulty, based on the following simple observation.

8 As a matter of fact, EFSM's have the same computing power as Turing machines.

We can easily determine and prune the states and transitions of an FSM that are not reachable from the initial state. In an EFSM, on the other hand, it is hard to determine whether a state or transition is reachable from the initial state, since a sequence of transitions from the initial state to the designated state may not be feasible because of the predicates and actions associated with the transitions. However, a state or transition that is not reachable from the initial state when all predicates and actions are disregarded must also be unreachable in the original EFSM, and it can be safely pruned. (The converse does not hold: a state reachable in the underlying FSM may still be infeasible in the EFSM, so this pruning is sound but not necessarily minimal.)

Thus we can apply our pruning Algorithm 1 to protocols specified by communicating EFSM's.9 We first discard all the predicates and actions of each component EFSM and obtain a corresponding set of CFSM's. We then apply Algorithm 1 to them and construct reduced CFSM's. When we terminate, we restore the predicates and actions on the transitions that were not pruned. In fact, in Example 6, both the TCP and the SNR protocols are modeled by EFSM's, and the pruning is conducted using the extended version of Algorithm 1, as described above.
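The following Python program is an added example, not the authors' software and not the TCP/SNR specification of Example 6. It implements the pruning Algorithm 1 as summarized in Section VI-C (remove unmatched service primitives, keep the strongly connected component of the initial state, drop I/O edges that no other machine can match, iterate to a fixpoint) together with the EFSM extension just described. The protocol is a constructed, hypothetical two-entity full-duplex stop-and-wait skeleton: entities E1 and E2, service primitives dataF and dataR, and messages msgF, ackF, msgR, ackR, all invented for the example. Channels are abstracted as direct rendezvous, so an !x edge in one machine is matched by a ?x edge in another, and the primitives of the selected service are treated as matched by the service image W_I. Guards and actions (e.g. "ack == seq") are ignored while pruning and restored on the surviving edges.

```python
"""Protocol pruning (Algorithm 1) on communicating (extended) FSMs.

Added example; a constructed toy protocol, not the paper's software.
"""
from collections import defaultdict

# Edge = (src, label, dst, guard, action). '?x' consumes x, '!x' emits x.
# dataF/dataR are service primitives exchanged with the local users;
# msg*/ack* are protocol messages exchanged between the two entities.
SERVICE_PRIMITIVES = {"dataF", "dataR"}

E1 = {"init": "idle", "edges": [
    ("idle", "?dataF", "s1", "True", "buf := data"),     # forward: send side
    ("s1", "!msgF", "w1", "True", "seq := 1 - seq"),
    ("w1", "?ackF", "idle", "ack == seq", "-"),
    ("idle", "?msgR", "r1", "True", "-"),                # reverse: receive side
    ("r1", "!dataR", "r2", "True", "-"),
    ("r2", "!ackR", "idle", "True", "-"),
]}
E2 = {"init": "idle", "edges": [
    ("idle", "?msgF", "r1", "True", "-"),                # forward: receive side
    ("r1", "!dataF", "r2", "True", "-"),
    ("r2", "!ackF", "idle", "True", "-"),
    ("idle", "?dataR", "s1", "True", "buf := data"),     # reverse: send side
    ("s1", "!msgR", "w1", "True", "seq := 1 - seq"),
    ("w1", "?ackR", "idle", "ack == seq", "-"),
]}
PROTOCOL = {"E1": E1, "E2": E2}


def base(label):
    return label[1:]


def is_service(label):
    return base(label) in SERVICE_PRIMITIVES


def scc_of_initial(machine):
    """States reachable from the initial state that can also return to it,
    i.e. the strongly connected component containing the initial state.
    Guards and actions are ignored here, as in the EFSM extension."""
    fwd, bwd = defaultdict(set), defaultdict(set)
    for src, _, dst, _, _ in machine["edges"]:
        fwd[src].add(dst)
        bwd[dst].add(src)

    def reach(graph, start):
        seen, stack = set(), [start]
        while stack:
            s = stack.pop()
            if s not in seen:
                seen.add(s)
                stack.extend(graph[s])
        return seen

    return reach(fwd, machine["init"]) & reach(bwd, machine["init"])


def prune(protocol, selected_service):
    """Algorithm 1 applied to `protocol` for the given set of service
    primitive names. Returns new machines; the input is left untouched."""
    pruned = {n: {"init": m["init"], "edges": list(m["edges"])}
              for n, m in protocol.items()}
    # Step 1: drop service primitives that the selected service never uses.
    for m in pruned.values():
        m["edges"] = [e for e in m["edges"]
                      if not (is_service(e[1]) and base(e[1]) not in selected_service)]
    changed = True
    while changed:
        changed = False
        # Step 2: keep only the strongly connected component of the initial state.
        for m in pruned.values():
            keep = scc_of_initial(m)
            kept = [e for e in m["edges"] if e[0] in keep and e[2] in keep]
            changed |= len(kept) != len(m["edges"])
            m["edges"] = kept
        # Step 3: an internal '!x' needs some other machine's '?x' and vice
        # versa; selected service primitives are matched by the image W_I.
        carriers = defaultdict(set)
        for name, m in pruned.items():
            for e in m["edges"]:
                carriers[e[1]].add(name)
        for name, m in pruned.items():
            kept = []
            for e in m["edges"]:
                label = e[1]
                partner = ("?" if label[0] == "!" else "!") + base(label)
                if is_service(label) or carriers[partner] - {name}:
                    kept.append(e)
            changed |= len(kept) != len(m["edges"])
            m["edges"] = kept
    return pruned


def labels(pruned, name):
    return sorted(e[1] for e in pruned[name]["edges"])


def edge_count(protocol):
    return sum(len(m["edges"]) for m in protocol.values())


if __name__ == "__main__":
    for service in ({"dataF"}, {"dataR"}):
        p = prune(PROTOCOL, service)
        print(sorted(service), edge_count(PROTOCOL), "->", edge_count(p), "edges")
        for name in p:
            print("  ", name, labels(p, name), [e[3] for e in p[name]["edges"]])
```

Pruning to {dataF} keeps three of the six edges in each entity: the send path ?dataF, !msgF, ?ackF in E1 and the receive path ?msgF, !dataF, !ackF in E2, guards included. Removing E1's !dataR edge leaves its reverse-receive states with no way back to idle, so the strongly connected component drops them, which in turn removes E2's now unmatched !msgR and ?ackR edges; no composite machine is ever built. The converter pruning of Section VI-C is the same routine run over A2, IC, B1 and W_I.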

Similarly, it can be shown that the pruned communicating EFSM’s contain the minimal communicating EFSM’s for the selected services and that the correctness properties are preserved.

The SNR protocol is a half-duplex protocol and the TCP protocol is a full-duplex protocol. The service FSM's and the specifications are not given here; we only present some aggregate results. An extension of Algorithm 1 was used to prune these specifications. In the SNR protocol specification, pruning results in no reduction. In the TCP specification, however, pruning results in a significant reduction. The TCP specification consists of three main state machines: the receiver rcvr, the transmitter xmtr, and a timer process tproc. The rcvr process takes care of the incoming messages and the service primitives from the user. The xmtr process assembles outgoing packets and hands them to the lower layer. The tproc process controls the various timers except for the delayed ACK timer tdelack, which is controlled directly by the receiver process. Both the transmitter and the receiver depend on the buffer manager bufmgr, which manages the data queues and buffers. The upper and lower layer processes have been abstracted out as another four machines: tcp-if, ip-r, ip-x, and icmp. In addition, the receiver also communicates with a small auxiliary machine, ackproc, that helps it process the state information associated with any acknowledgment received, and with the delayed ACK timer tdelack that triggers the sending of delayed acknowledgments. Fig. 15 shows the relationship between these machines. The details are given in [44].

Table 1 contains the results for pruning of TCP. This pruning takes only 10 s on a SPARCstation l+. Such com- putation is usually impossible using any other techniques.

9 As a matter of fact, communicating EFSM's are equivalent to a single EFSM obtained by adding a new variable that encodes the component machines. To be consistent with what we have discussed, we still speak of communicating EFSM's.

Fig. 15. Interconnection of HABP and FABP.

VII. A COMPARISON WITH PROTOCOL PROJECTION

The global behaviors of most practical protocols are very large and very difficult to compute. This problem is typically known as "state explosion." A commonly used method is "divide and conquer": we divide the problem of checking global behaviors into smaller parts. A number of different techniques have been proposed to solve this problem: projection, homomorphism, abstraction, reduction, probabilistic, or scatter search [33], [34], [39], [51]. We do not intend to survey these techniques here. Instead, we compare protocol pruning with projection, the best known work on protocol reduction in recent years [33], [34].

Both approaches use “divide-and-conquer’’ and concep- tually they are similar. However, they have different goals and, consequently, have different computation procedures.

Protocol projection is intended for protocols with several distinguishable functions. The goal is to construct image protocols for each function so that the safety and progress properties are preserved. Specifically, one has a protocol P and a property Q, and the aim is to find a smaller image protocol P' such that P' satisfies Q if and only if P does. The problem of proving property Q of P is thus reduced to that of the smaller protocol P'. It is done by aggregating states into blocks (and message values into blocks); one way to do so when protocols are specified using state variables is to keep only a subset of the variables and throw away the rest. Only heuristic procedures have been reported; attention has focused on the conditions for preserving safety and progress properties in the image protocols, and no algorithmic procedure has been given so far.

In pruning, by contrast, for a protocol with multiple services (functions) we want to focus on a subset of the services. We prune the protocol so that the pruned machines provide the selected services and have the same properties as the original protocol with respect to the selected services. Nothing can be said about the safety and progress properties of the pruned CFSM's in general. However, we are guaranteed that within the selected services, a pruned protocol has the same properties as the original one. We have given here an efficient algorithmic procedure for pruning.

Since the two mechanisms have different purpose and reduction procedures, the outcomes are usually different. This is illustrated in the following example.


A protocol has two variables U and V and two events, each written as input, predicate, actions:

T1: a, TRUE, V := 2, U := U + 1;
T2: b, TRUE, U := U - 1.

For image protocols, if we project out U, then we get:

T1: a, TRUE, V := 2.

If we project out V, then we get:

T1: a, TRUE, U := U + 1;
T2: b, TRUE, U := U - 1.

For pruning, if we prune T1, then we get:

T2: b, TRUE, U := U - 1,

to which there is no corresponding image protocol.

Here is an analogy which explains the difference between protocol projection and protocol pruning. Suppose we have a map of Europe with a resolution of x : 1. Protocol projection is equivalent to computing a map with a reduced resolution such as 2x : 1. Protocol pruning is equivalent to computing a subset of the map with a small number of countries at the same resolution x : 1.

The unique feature of pruning compared with other reduction techniques is that, if a protocol is specified by CFSM's, we can do the pruning without constructing the composite FSM. This avoids the usually impossible process of constructing the composite machine.

VIII. CONCLUSION

It is a formidable task to design, implement, analyze, and maintain communication protocol systems because of their complexity. Inherently concurrent processes executing at different points in the network and exchanging messages over unreliable channels make protocols difficult to begin with. In addition, the increased flexibility and functionality of networks is increasing the size of protocols, causing "state explosion." In this article, we describe a new technique that prunes a large protocol into smaller ones determined by the desired subset of services. It ensures the correct functioning and consistency of the pruned protocols with the original one. It has an algorithmic procedure that prunes real protocols in time and space polynomial in the size of the protocol specification. It has been successfully applied to protocol conversion and conformance testing, among other applications. We have given several examples to illustrate these applications.

It is possible that this method could also be useful for protocol implementation, verification, validation, and synthesis in combination with stepwise refinement. It would be encouraging and rewarding to see more applications to real protocols. On the other hand, there are intriguing problems arising from this work; we mention two here.

We prune a protocol to selected services and then analyze it. However, certain faults may only be revealed when we consider all services together. Characterizing such situations would be interesting and a challenge.

In the second part of the algorithm, we iteratively prune each component machine, which is a directed graph. After deleting one or more edges of a graph (component machine), we compute a new strongly connected component containing the initial state from scratch, with a total cost quadratic in the size of each component. That seems to be unnecessary. While edges are being deleted, one might want to keep track of the strongly connected component dynamically [20], [24], [17] with an amortized cost less than quadratic in the size of each component machine. We have been unable to do this so far.
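The from-scratch recomputation described above, as an added Python example (not the paper's implementation): a component machine is a list of (source, target, label) transitions, the strongly connected component containing the initial state is computed as the intersection of forward and backward reachability, and each round of deletions restricts the machine to that component before the next round. The five-state machine and its transition labels are constructed for the example.

```python
def _reachable(adjacency, start):
    """Depth-first reachability over an adjacency dict: returns the set of
    states reachable from `start` (including `start`)."""
    seen, stack = {start}, [start]
    while stack:
        state = stack.pop()
        for nxt in adjacency.get(state, ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def scc_of_initial(transitions, initial):
    """States that are reachable from `initial` and can reach it again:
    exactly the strongly connected component containing the initial state.
    Rebuilt from scratch on every call, as the text describes."""
    succ, pred = {}, {}
    for src, dst, _ in transitions:
        succ.setdefault(src, []).append(dst)
        pred.setdefault(dst, []).append(src)
    return _reachable(succ, initial) & _reachable(pred, initial)


def prune_machine(transitions, initial, deleted):
    """One pruning round: delete the given transitions, recompute the SCC of
    the initial state, and drop every transition touching a state outside it.
    Returns (surviving transitions, surviving states)."""
    kept = [t for t in transitions if t not in deleted]
    core = scc_of_initial(kept, initial)
    kept = [(s, d, lbl) for s, d, lbl in kept if s in core and d in core]
    return kept, core


def prune_rounds(transitions, initial, rounds):
    """Apply several deletion rounds, recomputing the SCC from scratch each
    time; returns the machine after every round so the shrinkage is visible."""
    history = []
    for deleted in rounds:
        transitions, core = prune_machine(transitions, initial, deleted)
        history.append((transitions, core))
    return history


# Constructed component machine: states 0..4, initial state 0.
# Two cycles share state 2: 0-1-2-0 and 2-3-4-2.
MACHINE = [
    (0, 1, "a"), (1, 2, "b"), (2, 0, "c"),
    (2, 3, "d"), (3, 4, "e"), (4, 2, "f"),
]

if __name__ == "__main__":
    rounds = [{(4, 2, "f")}, {(1, 2, "b")}]
    for i, (trans, core) in enumerate(prune_rounds(MACHINE, 0, rounds), 1):
        print(f"round {i}: states {sorted(core)}, transitions {trans}")
```

Deleting transition f breaks the second cycle, so states 3 and 4 can no longer return to the initial state and the transition d that leads to them is discarded with them; deleting b afterwards leaves only the initial state. Each round costs one forward and one backward traversal of the current machine, which is the from-scratch work the paper would like to replace by an incremental update.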

ACKNOWLEDGMENT

David Lee and Krishan Sabnani have greatly benefited from numerous stimulating discussions with Simon Lam and Udaya Shankar. The authors are indebted to the constructive comments of Gerard Holzmann, Thomas La Porta, and Doug McIlroy. Insightful reviews from the anonymous referees are deeply appreciated. Some of the figures were kindly provided by David Kristol.

REFERENCES

[1] A. V. Aho, A. T. Dahbura, D. Lee, and M. U. Uyar, "An optimization technique for protocol conformance test generation based on UIO sequences and rural Chinese postman tours," IEEE Trans. Commun., vol. 39, pp. 1604-1615, Sept. 1991.
[2] A. V. Aho, J. E. Hopcroft, and J. D. Ullman, The Design and Analysis of Computer Algorithms. Reading, MA: Addison-Wesley, 1974.
[3] R. Aleliunas, R. M. Karp, R. J. Lipton, and C. Rackoff, "Random walks, universal traversal sequences and the complexity of maze problems," Proc. 20th Annu. Symp. on Found. of Computer Sci., 1979, pp. 218-223.
[4] Int. Standard ISO 8802-2, ANSI/IEEE std 802.2, 1989; Int. Standard ISO/IEC 8802-5, ANSI/IEEE std 802.5, 1992.
[5] J. Auerbach, "A protocol conversion software toolkit," Proc. ACM SIGCOMM '89, pp. 259-270, 1989.
[6] G. V. Bochmann and P. Mondain-Monval, "Design principles for communication gateways," IEEE Trans. Select. Areas in Commun., vol. 8, pp. 12-21, Jan. 1990.
[7] G. V. Bochmann and C. A. Sunshine, "A survey of formal methods," Computer Networks and Protocols, 1983.
[8] G. V. Bochmann, "Deriving protocol converters for communication gateways," IEEE Trans. Commun., vol. 38, pp. 1298-1300, Sept. 1990.
[9] S. C. Boyd and H. Ural, "On the complexity of generating optimal test sequences," IEEE Trans. Software Eng., vol. 17, pp. 976-978, Sept. 1991.
[10] D. Brand and P. Zafiropulo, "On communicating finite-state machines," JACM, vol. 30, no. 2, pp. 323-342, 1983.
[11] J. R. Burch et al., "Symbolic model checking: 10^20 states and beyond," Proc. 5th IEEE LICS, pp. 428-439, 1990.
[12] K. L. Calvert and S. S. Lam, "Deriving a protocol converter: A top-down approach," Proc. ACM SIGCOMM '89, pp. 247-258, 1989.
[13] D. Cheriton and C. Williamson, "VMTP as the transport layer for high performance distributed systems," IEEE Commun. Mag., pp. 37-44, 1989.
[14] G. Chesson, "XTP/PE design considerations," Proc. IFIP Workshop on Protocols for High-Speed Networks, pp. 27-33, 1989.
[15] D. D. Clark, M. L. Lambert, and L. Zhang, "NETBLT: A bulk data transfer protocol," Proc. ACM/SIGCOMM '87, vol. 17, no. 5, 1987.
[16] D. D. Clark, V. Jacobson, J. Romkey, and H. Salwen, "An analysis of TCP processing overhead," IEEE Commun. Mag., pp. 23-29, 1989.
[17] T. H. Cormen, C. E. Leiserson, and R. L. Rivest, Introduction to Algorithms. New York: McGraw-Hill, 1989.
[18] W. Doeringer et al., "A survey of light-weight transport protocols for high-speed networks," IEEE Trans. Commun., pp. 2025-2039, 1990.
[19] S. Dravida, J. S. Swenson, and R. Zoccolillo, "A proposed convergence protocol to serve class C and D users," Contribution to T1S1, Doc. Num. T1S1.5/91-096, 1991.
[20] S. Even and Y. Shiloach, "An on-line edge deletion problem," J. Assoc. Comput. Mach., vol. 28, pp. 1-4, 1981.
[21] G. Gonenc, "A method for the design of fault detection experiments," IEEE Trans. Computers, vol. C-19, July 1980.
[22] S. Graf and B. Steffen, "Compositional minimization of finite state systems," Proc. 2nd Workshop on Computer-Aided Verification, DIMACS Series, vol. 3, ACM-AMS, pp. 57-73, 1991.
[23] P. E. Green, "Protocol conversion," IEEE Trans. Commun., vol. COM-34, pp. 257-268, Mar. 1986.
[24] D. Harel, "On-line maintenance of the connected components of dynamic graphs," unpublished manuscript, 1982.
[25] F. C. Hennie, "Fault-detecting experiments for sequential circuits," Proc. 5th Annu. Symp. on Switching Circ. Theory and Logical Design, 1964, pp. 95-110.
[26] C. A. R. Hoare, Communicating Sequential Processes. Englewood Cliffs, NJ: Prentice Hall, 1985.
[27] G. J. Holzmann, "An improved protocol reachability analysis," Software, Practice and Experience, vol. 18, pp. 137-161, 1988.
[28] H. Kanakia and D. Cheriton, "The VMP network adapter board (NAB): high performance network communications for multiprocessors," Proc. ACM/SIGCOMM '88, pp. 175-187, 1988.
[29] Z. Kohavi, Switching and Finite Automata Theory. New York: McGraw-Hill, 1978.
[30] A. S. Krishnakumar, W. C. Fischer, and K. K. Sabnani, "The programmable protocol VLSI engine (PROVE)," IEEE Trans. Commun., Aug. 1994.
[31] D. M. Kristol, D. Lee, A. N. Netravali, and K. K. Sabnani, "A polynomial algorithm for gateway generation from formal specifications," IEEE/ACM Trans. Network., vol. 1, pp. 217-229, 1993.
[32] R. P. Kurshan, "The complexity of verification," Proc. 26th Annu. ACM Symp. on Theory of Computing, 1994.
[33] S. Lam, "Protocol conversion," IEEE Trans. Software Eng., vol. 14, pp. 353-362, Mar. 1988.
[34] S. S. Lam and A. U. Shankar, "Protocol verification via projections," IEEE Trans. Software Eng., vol. SE-10, pp. 325-342, Apr. 1984.
[35] D. Lee, K. K. Sabnani, D. M. Kristol, and S. Paul, "Conformance testing of protocols specified as communicating finite state machines: A guided random walk based approach," to appear in IEEE Trans. Commun.
[36] D. Lee and M. Yannakakis, "On-line minimization of transition systems," Proc. 24th Annu. ACM Symp. on Theory of Computing, 1992, pp. 264-274.
[37] D. Lee and M. Yannakakis, "Testing finite state machines: State identification and verification," IEEE Trans. Computers, vol. 43, pp. 306-320, Mar. 1994.
[38] D. Lee and M. Yannakakis, "Principles and methods of testing finite state machines: A survey," to be published.
[39] N. F. Maxemchuk and K. Sabnani, "Probabilistic verification of communication protocols," Distributed Computing, 1989.
[40] R. Milner, Communication and Concurrency. Englewood Cliffs, NJ: Prentice Hall, 1989.
[41] R. E. Miller and S. Paul, "Generating minimal length test sequences for conformance testing of communication protocols," in Proc. IEEE INFOCOM '91, pp. 970-979, 1991.
[42] E. F. Moore, "Gedanken-experiments on sequential machines," in Automata Studies, Annals of Mathematical Studies, no. 34. Princeton, NJ: Princeton Univ. Press, 1956, pp. 129-153.
[43] A. N. Netravali, W. D. Roome, and K. K. Sabnani, "Design and implementation of a high-speed transport protocol," IEEE Trans. Commun., pp. 2010-2024, 1990.
[44] M. H. Nguyen, "Specification of TCP in APSL," internal AT&T Bell Labs doc., 1990.
[45] A. N. Netravali and K. Sabnani, "Protocol complementation," to be published.
[46] K. Okumura, "A formal protocol conversion method," Proc. ACM SIGCOMM '86, pp. 30-37, 1986.
[47] B. Pehrson, "Protocol verification for OSI," Computer Networks and ISDN Syst., vol. 18, no. 3, pp. 185-202, 1990.
[48] J. Postel, "Transmission control protocol," RFC 793, 1981.
[49] K. Sabnani, "An algorithmic technique for protocol verification," IEEE Trans. Commun., vol. 36, pp. 924-931, Aug. 1988.
[50] K. K. Sabnani and A. T. Dahbura, "A protocol testing procedure," Computer Networks, vol. 15, no. 4, pp. 285-297, 1988.
[51] J. Sifakis, "A unified approach for studying the properties of transition systems," Theoretical Computer Sci., vol. 3, 1982.
[52] L. Svobodova, "Implementing OSI systems," IEEE J. Select. Areas in Commun., pp. 1115-1130, 1989.
[53] D. Sidhu and T. Leung, "Fault coverage of protocol test methods," Proc. IEEE INFOCOM '88, 1988, pp. 80-85.
[54] C. H. West, "An automated technique of communications protocol validation," IEEE Trans. Commun., vol. COM-26, pp. 1271-1275, Aug. 1978.
[55] C. West, "Protocol validation by random state exploration," in Protocol Specification, Testing and Verification, vol. 6, B. Sarikaya and G. v. Bochmann, Eds. Amsterdam: North-Holland, 1986.
[56] C.-J. Wang and M. T. Liu, "A test suite generation method for extended finite state machines using axiomatic semantics approach," in Protocol Specification, Testing and Verification, vol. 12, M. U. Uyar and J. Linn, Eds. Amsterdam: North-Holland, 1992.
[57] R. W. Watson and S. A. Mamrak, "Gaining efficiency in transport services by appropriate design and implementation choices," ACM Trans. Comp. Syst., pp. 97-120, 1987.
[58] M. Yannakakis and D. Lee, "Testing finite state machines," Proc. 23rd Annu. ACM Symp. on Theory of Computing, pp. 476-485, 1991.
[59] Y.-W. Yao, W.-S. Chen, and M. T. Liu, "A modular approach to constructing protocol converters," Proc. INFOCOM '90, pp. 572-579, 1990.

PROCEEDINGS OF THE IEEE, VOL. 83, NO. 10, OCTOBER 1995

David Lee (Senior Member, IEEE) was born in Hong Kong. He received the M.A. degree in mathematics from Hunter College of the City University of New York in 1982, and the Ph.D. degree in computer science from Columbia University in 1985.

Since 1985, he has been a member of Technical Staff at the Computing Science Research Center of AT&T Bell Laboratories, Murray Hill, NJ. He has been an adjunct professor at Columbia University. His current research interests are communication protocols, complexity theory, and image processing.

Dr. Lee was a co-chair of the Second International Conference on Network Protocols (Boston, 1994). He has served on the program committees of several conferences. He is a permanent member of the Institute of Discrete Mathematics and Theoretical Computer Science.

Arun N. Netravali (Fellow, IEEE) received the B. Tech. (honors) degree from the Indian Institute of Technology, Bombay, India, in 1967, and the M.S. and Ph.D. degrees from Rice University, Houston, TX, in 1969 and 1970, respectively, all in electrical engineering. In 1994 he received an honorary doctorate from the Ecole Polytechnique Federale in Lausanne, Switzerland.

He joined AT&T Bell Laboratories in 1972, where he is now Communications Science Research Vice President. He has been an adjunct professor at MIT, City College, Columbia, and Rutgers University. He served on the editorial board of the Proceedings of the Institute of Electrical and Electronic Engineers, and is currently an editor of several journals. He has edited several special issues for the IEEE, including two for the Proceedings (on Digital Encoding of Graphics and Visual Communication Systems) and one for the Transactions on Picture Communication Systems. He is the co-author of Digital Picture Representation and Compression (Plenum, 1987) and Visual Communication Systems (IEEE Press, 1989).

Dr. Netravali is a member of Tau Beta Pi, Sigma Xi, and the United States National Academy of Engineering. He is a Fellow of AAAS. In 1980 he received the Donald G. Fink Award for the best review paper published in the Proceedings of the IEEE, the Journal Award for the best paper from the Society of Motion Pictures and Television Engineers in 1982, the L. G. Abraham Award for the best paper by the IEEE Communications Society in 1985 and 1991, and the Alexander Graham Bell Medal in 1991.


Krishan K. Sabnani (Fellow, IEEE) received the B. Tech. degree from Indian Institute of Technology, New Delhi, India, and the Ph.D. degree from Columbia University, New York, NY, in 1981.

In 1981, he joined AT&T Bell Laboratories, where he is currently a Research Department Head. He has served as an editor of the IEEE Transactions on Communications and of the IEEE Transactions on Computers. His research interest is in communication protocols.

He was a co-chairman of the Eighth International Symposium on Protocol Specification, Testing, and Verification (Atlantic City, NJ, 1988). He has served on the program committees of several conferences. He was a Guest Editor for the IEEE Journal on Selected Areas in Communication and the Computer Networks Journal. He also serves on the editorial boards of IEEE/ACM Transactions on Networking, Journal of Systems Integration, and Wireless Networks.

Dr. Sabnani received the Leonard G. Abraham award from the IEEE Communications Society in 1991, and the Bell Laboratories Distinguished Technical Staff Award in 1990. He received the President of India’s Gold Medal and the Institute of Engineers (India) Gold Medal, both in 1975.
