1. Modeling the SIP proxy using Promela Jong Yul Kim December 21, 2009

2. Session Initiation Protocol A signaling protocol widely used for multimedia session setup and teardown Used with Real Time Protocol (RTP) to send voice/video During setup (negotiation): UAC offers a range of session types and codecs UAS answers with a range of session types and codecs During teardown: One of the parties sends a BYE message. The other replies “OK”. User Agent Client (UAC) INVITE sip:alice@columbia.edu 180 Ringing 200 OK ACK “Hi, how are you?” User Agent Server (UAS)

3. Related Work “Understanding SIP through Model-Checking” by Dr. Pamela Zave Her Promela code models the initial session setup + termination between one UAC and one UAS.

4. Abstractions in the Basic model We’re modeling the topmost layer of the SIP stack. No syntax checking, no retransmission, no timers, … Many failure messages are also out. Transport Transaction UAC / UAS core The SIP Stack

5. The FIFO/Pruned Model Two channels Assume one TCP connection each from both sides Two processes One UAC process One UAS process Many messages invite, prack, update, ack, cancel, info, bye, unProv, relProv, invSucc, invFail, prackRsp, cancRsp, updSucc, updFail, infoRsp, byeRsp proctype UAC proctype UAS

6. SIP proxy A SIP proxy is a server that relays SIP signals between two endpoints. Usually, UAS registers to a proxy to receive calls. Two modes of operation: Stateless : “blindly” forwards message from one side to the other Stateful : keeps track of state to do more interesting things

7. Modeling a SIP proxy Four channels Three processes Same messages proctype UAC proctype UAS proctype proxy proctype proxy() { mtype message, sdp; end: do :: c2p?message,sdp; p2s!message,sdp :: s2p?message,sdp; p2c!message,sdp od }

8. Stateless SIP Proxy If there are multiple UAS registered, then pick one and forward. UAC UAS1 UAS2 Proxy INVITE bob failed proctype proxy() { mtype message, sdp; byte uasid; c2p?invite,sdp; do :: true; uasid = 0; break; :: true; uasid = 1; break; od; p2s[uasid]!invite,sdp; end: do :: c2p?message,sdp; p2s[uasid]!message,sdp :: s2p[uasid]?message,sdp; p2c!message,sdp od }

9. Stateful SIP Proxy: Sequential Search Search multiple UAS in order. Establish connection with first one that answers. However, Had to change UAC as well. Proxy forwards provisional response to UAC. UAC may receive provisional responses from multiple UAS. Variables intended for single UAC-UAS transaction changed to arrays. UAC UAS1 UAS2 Proxy INVITE bob failed INVITE OK

10. Simulation of Sequential Search Verification of the model using Partial Order Reduction Compression Reveals that there’s an invalid end state at depth 284. Hopefully will be fixed by Wednesday.

11. Lessons Learned Promela / SPIN is a tool that can be used to check network protocols. To make a model, need to abstract a lot of details out. Finding the right level of abstraction in the problem you’re interested in is important. Making or modifying a model from plain English- based standards documents is not an easy task. But the resulting model is very useful.