Analysis of a Protocol for Dynamic Configuration of IPv4 Link Local Addresses Using Uppaal Miaomiao Zhang Frits W. Vaandrager Department of Computer Science University of Nijmegen

Contents Informal explanation of the protocol Purpose of our work Model in UPPAAL Results and analysis Future work

Contents Informal explanation of the protocol Purpose of our work Model in UPPAAL Results and analysis Future work

Protocol Nondeterministically select an IP address Wait time: 0~2 seconds. Claim the IP address – 4 probes 2 seconds before sending next probe number of collision(10) Reselect a new IP address after 60 seconds – 2 gratuitous ARP packet 2 seconds waiting After 8~10 seconds, host uses the IP address.

Protocol Address collision and defense(ongoing process). As to conflicting ARP packet –Either immediately configure a new IP address. –Or receives 2 conflicting ARP packets within 10 seconds, reconfigurate. Otherwise, send gratuitous ARP. Note: (1)All ARP packets are sent using broadcast instead of unicast. (2)Any probe sent from one host will not become a conflicting ARP packet to the other hosts.

Contents Informal explanation of the protocol Purpose of our work Model in UPPAAL Results and analysis Future work

Purpose of our work Makes a detailed model in Uppaal with several hosts run concurrently. If possibly the protocol allows for some unexpected scenarios, such as two hosts acquiring the same IP address in a setting without message loss. Improve the performance (1)No two host get the same IP address (2)Less time to get an IP address.

Some assumptions 1.The underlying network consists of a single “wire” and contains no routers, keep FIFO rule. 2.At any time there is at most only one message on the wire. So this means that we do not consider bus collisions. 3.There is a nonzero message delay. Also, we assume there is a known upper bound on the transmission delay. 4.As soon as a packet arrives at some host, it will be processed at once. We assume processing time is zero. Note a host can not receive two packets at the same time.

Structure of the system

Three tasks

Contents Informal explanation of the protocol Purpose of our work Model in UPPAAL Results and analysis Future work

Main global constants N (4): number of probes a host needs to send before using an IP address. M (3): number of available IP addresses. k (2): number of hosts in the network. d (2): time interval between the sending of consecutive probes. D (1): upper bound on the transmission time delay. S(10):number of packets the output buffer can accommodate

Global variables for output buffer int[0,3] OutBType[S][k]; This array denotes packet type in output buffer. Let h be an integer denoting packet number stored in output buffer and let i be a host. Then: OutBType[i][h]==0 means there is no packet on position h in i’s output buffer. OutBType[i][h]==1 means packet h in i’s output buffer is a probe. OutBType[i][h]==2 means packet h in i’s output buffer is a gratuitous ARP. OutBType[i][h]==3 means packet h in i ’s output buffer is a probe reply. int[0,m] OutBIP[S][k]; This array contains the IP addresses of packets placed in output buffer. OutBIP[i][h]==2 means the IP address contained in packet h in host i’s output buffer is 2.

Host template

Broadcast template

Input handler template

Contents Purpose of our work Informal explanation of the protocol Model in UPPAAL Results and analysis Future work

Results and analysis Two restrictions: (1) Host will never choose the same IP address as it failed before. (2) Without message lost. For two hosts, property to be verified. Prop1:

Let r =d/D, When r>2 to any value of n it is impossible to reach a state in which two hosts have acquired the same IP address, so host may spend less time (d*n,n<=4) to acquire an IP address by changing d and n. When r<=2, we can avoid the phenomenon that two hosts get the same IP address by increasing n.

Three hosts A Two hosts(host1 and host2) are using the same IP address, the third host (host0) is used to trigger collision. B One host(host0) is using IP address “1”, two other hosts attempt(host1 and host2) the same IP address “1” C Two hosts(host1 and host2) are using different IP addresses, the third one(host0) needs to configure an IP address.

Both host1 and host2 will be forced to reconfigure and we managed to give the upper bound on the timing for various instances of the parameters. we found that it is possible one host(host1 or host2) will never be killed. n=1, d==1, D==4 and no change of other parameters in the model. Analysis (A)

Analysis(B) When r>2, for any n (n<=4), host0 will successfully defend its IP address even when other hosts(host1and host2)attempt the same IP address. When r<=2 and n is smaller, though host0 could lose its IP address. However, it can be avoided by increasing the number of probes n.

Analysis(C): When k=3, under the constraint r>=3, to any value of n, host0 can’t configure the same IP address as those of host1’ and host2’. In addition, host1 and host2 will not lose their IP addresses. why r<3 Prop1 is invalid, while r=3 is valid. We can prove that the latest time host receives the probe reply from the time it sent out its probe is dd=3*D-infinitely small value.

Results of case C For a network with several hosts having used their different IP addresses, one host connecting on it at some time, when r>=3, for any value of probe numbers n, no two hosts can have the same IP address. Any old host who has had its IP address initially will never lose its initial I P address When r>=3, n=1 is ok for a new host to configure a new IP address. Meanwhile, if d is more than three times of D, we can reduce d under the constraint r>=3. Therefore the time for a new host to acquire a new IP address can be decreased by decreasing these two parameters (d, n). For a new host on the first try, in d*1~(d*1+2) seconds it can acquire a new IP address..

Comments on 05.txt “…shorter time values may be used on network technologies… On these network technologies the recommended time values are: The host should first wait for a random time interval selected uniformly in the range milliseconds, and then send four probe packets, waiting 200 milliseconds after each probe, making a total delay of milliseconds before a chosen IP address may be used…”. Why 200 milliseconds should be chosen? not others? If transmission time delay D is still 1, the performance is not pleasant since we can verify two hosts may have the same IP address. We deem that to let two hosts don’t have the same IP address has the priority to be first satisfied, after that we can talk about the aspect that how to reduce time to get a new IP address. Under the condition that r is satisfied by some constraint, d can be decreased when D is smaller enough. Therefore, d is not necessary to be 200 milliseconds, but may be the values (smaller or greater than 200 milliseconds) that meet the constraints we have found.

Comments on 05.txt In summary, according to different Ethernet we may improve the performance by modifying the parameters d, and n under the constraint condition of rate r. This is conformed to the following statement: “…Link-layer network technologies that support ARP but operate at rates below 1Mb/s or latencies above one second may need to specify different values for the following parameters described in Sections 2.2, 2.3 and 2.4: (a) the number of, and interval between, ARP probes, (b) the number of, and interval between, ARP announcements, (c) the maximum rate at which address claiming may be attempted, and (d) the time interval between conflicting ARP below which a host MUST reconfigure instead of attempting to defend its address.

Purpose of our work Informal explanation of the protocol Model in UPPAAL Verification results and analysis Future work Contents

Future work Reduce state space. We have found several parametric constraints to improve performance, some have proved, for others how to prove them ? Need to send two gratuitous ARP packets, are there other parametric constraints related with the number of gratuitous ARP?

Thank you!