Analysis of Zeroconf Using Uppaal
[GVZ06]Abstract
Formal methods have been applied frequently to analyze (critical parts of) standards for communication protocols and it has been demonstrated that their application may help to improve the quality of these standards. Nevertheless, despite several decades of formal methods research, formal methods notations have rarely been included in the authoritative part of protocol standards. Also, the relationships between (abstract) formal models and informal protocol standards are typically obscure. It is our ambition to improve this situation. To establish the current state-of-the-art, we report in this paper on a case study where we use Uppaal to formally model parts of Zeroconf, a protocol for dynamic configuration of IPv4 link-local addresses that is defined in RFC 3927 of the IETF. Our goal has been to construct a model that (a) is easy to understand by engineers, (b) comes as close as possible to the informal text (for each transition in the model there should be a corresponding piece of text in the RFC), and (c) may serve as a basis for formal verification. Our conclusion is that Uppaal, which combines extended finite state machines, C-like syntax and concepts from timed automata theory, is able to model Zeroconf in a faithful and intuitive way, using notations that are familiar to protocol engineers. Our modeling efforts revealed some errors (or at least ambiguities) in the RFC that no one else spotted before. We also identify a number of points where Uppaal still can be improved. After applying a number of abstractions, Uppaal is able to fully explore the state space of an instance of our model with three hosts, and to establish some correctness properties.
PDF (EMSOFT version)
PDF (Report version May 11, 2006, comments welcome!)
PDF (Slides presented at ARTIST NoE meeting)
PDF (Slides presented at IPA meeting)
Uppaal model
Uppaal query file
Abstracted Uppaal model
Zeroconf abstracted to its ``essence''