Jonathan Billington

The Petri net markup language: concepts, technology, and tools

The Petri Net Markup Language (PNML) is an XML-based interchange format for Petri nets. In order to support different versions of Petri nets and, in particular, future versions of Petri nets, PNML allows the definition of Petri net types. Due to this flexibility, PNML is a starting point for a standard interchange format for Petri nets. This paper discusses the design principles, the basic concepts, and the underlying XML technology of PNML. The main purpose of this paper is to disseminate the ideas of PNML and to stimulate discussion on and contributions to a standard Petri net interchange format.

A Coloured Petri Net Approach to Protocol Verification

The correct operation of communication and co-operation protocols, including signalling systems in various networks, is essential for the reliability of the many distributed systems that facilitate our global economy. This paper presents a methodology for the formal specification, analysis and verification of protocols based on the use of Coloured Petri nets and automata theory. The methodology is illustrated using two case studies. The first belongs to the category of data transfer protocols, called Stop-and-Wait Protocols, while the second investigates the connection management part of the Internet’s Transmission Control Protocol (TCP). Stop-and-Wait protocols (SWP) incorporate retransmission strategies to recover from data transmission errors that occur on noisy transmission media. Although relatively simple, their basic mechanisms are important for practical protocols such as the data transfer procedures of TCP. The SWP case study is quite detailed. It considers a class of protocols characterized by two parameters: the maximum sequence number (MaxSeqNo) and the maximum number of retransmissions (MaxRetrans). We investigate the operation of the protocol over (lossy) in-sequence (FIFO) channels, and then over (lossy) re-ordering media, such as that provided by the Internet Protocol. Four properties are considered: the bound on the number of messages that can be in the communication channels; whether or not the protocol provides the expected service of alternating sends and receives; (unknowing) loss of messages (i.e. data sent but not received, and not detected as lost by the protocol); and the acceptance of duplicates as new messages. The model is analysed using a combination of hand proofs and automatic techniques. A new result for the bound of the channels (2MaxRetrans+1) is proved for FIFO channels. It is further shown that for re-ordering channels, the channels are unbounded, loss and duplication can occur, and that the SWP does not provide the expected service. We discuss the relevance of these results to the Transmission Control Protocol and indicate the limitations of our approach and the need for further work. The second case study (TCP) illustrates the use of hierarchies to provide a compact and readable CPN model for a complex protocol. We advocate an incremental approach to both modelling and analysis. The importance of stating the assumptions involved is emphasised and we illustrate how they affect the abstractions that can be made to simplify the model. The incremental approach to analysis allows us to validate the model against the TCP definition and to show how errors in the connection establishment procedures can be found. Finally we provide some observations and tips on the how the methodology can be used based on many years of experience. The emphasis of the paper is on providing a tutorial style introduction to the methodology, examining case studies in depth, rather than breadth, and giving some insight into the process while noting its limitations.

Verification of a Revised WAP Wireless Transaction Protocol

The Wireless Transaction Protocol (WTP) is part of the Wireless Application Protocol (WAP) architecture andp rovides a reliable request-response service. The state space methodof Coloured Petri Nets has been usedt o analyse a revised version of WTP, to gain a high level of confidence in the correctness of the design. Full state space analysis allows us to prove properties of the protocol for maximum values of the retransmission counters usedin GSM networks (values are 4). However, the size of the state space grows rapidly as the maximum counter values are increased. We apply the sweep-line method to take advantage of the progress present in the protocol, notably the progression through major states of the protocol entities, and the increasing nature of the retransmission counters. The sweep-line method allows us to prove properties of the protocol for larger counter values, including those used in Internet Protocol (IP) networks (where the maximum values are 8). As a result, verification of WTP can be performed for the two most important networks (GSM and IP), the ones for which the WAP standard gives recommended maximum values for the retransmission counters.

On Modelling and Analysing the Dynamic MANET On-Demand (DYMO) Routing Protocol

The Dynamic MANET On-demand (DYMO) routing protocol, being developed by the Internet Engineering Task Force, is a reactive routing protocol for mobile ad-hoc networks (MANETs). The basic operations of DYMO are route discovery and route maintenance. Constructing an analysable model of the DYMO protocol specification is a challenge because the routing operations are complex and the network topology changes dynamically. This paper presents a formal model of DYMO using Coloured Petri Nets. The model has a compact net structure, with functions in the arc inscriptions representing DYMOs routing algorithms. The paper shows how careful crafting of the model results in smaller state spaces, compared with models using intuitively appealing hierarchical constructs. Initial results of state space analysis of the model are presented.

Designing and Verifying a Communications Gateway Using Coloured Petri Nets and Design/CPN

A gateway between a packet radio network and B-ISDN is being designed as part of a larger project that aims to bring modem telecommunications services to the Australian Defence Force. The modelling procedure employs Coloured Petri Nets to investigate the gateway architecture and behaviour prior to implementation. Part of the modelling involves the specification of the gateway call control using Coloured Petri Nets and the Design/CPN™ tool. The specification is then checked for correctness by simulation and observation of the Occurrence Graph generated by the Design/CPN™ tool. The form of the refined specification is discussed and future verification tests using the PROTEAN tool outlined

Transactions on Petri Nets and Other Models of Concurrency I

In Memoriam: Carl Adam Petri.- Strategies for Modeling Complex Processes Using Colored Petri Nets.- Applications of Coloured Petri Nets for Functional Validation of Protocol Designs.- Business Process Modeling Using Petri Nets.- Structure Theory of Petri Nets.- Causality in Extensions of Petri Nets.- External Behaviour of Systems of State Machines with Variables.- The Synthesis Problem.- Models from Scenarios.- Discovering Petri Nets from Event Logs.

Checking safety properties on-the-fly with the sweep-line method

The sweep-line state space method allows states to be deleted from memory during state exploration, thus alleviating the state explosion problem. Properties of the system (such as the absence of deadlocks) can then be verified on-the-fly. This paper presents an extension to the sweep-line method that allows on-the-fly checking of safety properties expressed as sequences of actions of the modelled system. This has been implemented in a prototype sweep-line library for Coloured Petri nets. We evaluate the prototype by applying it to the connection management procedures of the Datagram Congestion Control Protocol, a new Internet transport protocol.

Exploiting equivalence reduction and the sweep-line method for detecting terminal states

State-space exploration is one of the main approaches to computer-aided verification and analysis of finite-state systems. It is used to reason about a wide range of properties during the design phase of a system, including system deadlocks. Unfortunately, state-space exploration needs to handle huge state spaces for most practical systems. Several state-space reduction methods have been developed to tackle this problem. In this paper, we develop algorithms for combining two of these methods: state equivalence class reduction and the sweep-line. The algorithms allow deadlocks to be detected by recording terminal states of the system on-the-fly during state-space exploration. We derive expressions for the complexity of the algorithms and demonstrate their usefulness with an industrial case study. Our results show that the combined method achieves at least a six-fold reduction of the state space for interesting parameter values compared with either method used in isolation while still proving the desired system property of the terminal states. The runtime performance of the combined method is almost the same as that of the equivalence class method over the chosen parameter range. Moreover, the improvement in space reduction increases with increased parameter values.

A parametric state space for the analysis of the infinite class of stop-and-wait protocols

The Stop-and-Wait protocol (SWP) has two (unbounded) parameters: the maximum sequence number (MaxSeqNo) and the maximum number of retransmissions (MaxRetrans). This paper presents an algebraic method for analysis of the SWP for all possible values of these parameters. Model checking such a system requires considering an infinite family of models, one for each combination of parameter values, and thus an infinite family of state spaces (reachability graphs). These reachability graphs are represented symbolically by a set of algebraic formulas in MaxSeqNo and MaxRetrans. This result is significant as it provides a complete characterisation of the infinite set of reachability graphs of our SWP model in both parameters, allowing properties to be verified for the infinite class. Verification of a number of properties is described.

Discovering chatter and incompleteness in the datagram congestion control protocol

A new protocol designed for real-time applications, the Datagram Congestion Control Protocol (DCCP), is specified informally in a final Internet Draft that has been approved as an RFC (Request For Comment). This paper analyses DCCP’s connection management procedures modelled using Coloured Petri Nets (CPNs). The protocol has been modelled at a sufficient level of detail to obtain interesting results including pinpointing areas where the specification is incomplete. Our analysis discovers scenarios where the client and server repeatedly and needlessly exchange packets. This creates a lot of unnecessary traffic, inducing more congestion in the Internet. We suggest a modification to the protocol that we believe solves this problem.