a methodology for the synthesis of communication gateways for network interoperability


Computer Standards & Interfaces 17 (1995) 193-207

A methodology for the synthesis of communication gateways for network interoperability

Kassem Saleh a,*, Mansour Jaragh a, Qmar ’ Department of Electrical & Computer Engineering, Kuwait University, P.O. Box 5969, 13060 Safat, Kuwait

b Département d’Informatique, Laboratoire TASC, Université de Pau, Pau, France

Abstract

Because of the proliferation of proprietary network architectures and protocols, there is an urgent need for constructing communication gateways to ensure the interoperability among such networks and protocols. This interoperability will guarantee a wider access to value-added services and applications in today’s information technology market. In this paper, we present a gateway synthesis method that considers the common services of two different proprietary protocols and services to obtain a gateway that can provide a transparent reconciliatory interface between the various networks. Our method starts by computing the greatest common service definition of two service definitions. Then, two sets of traces related to appropriate observation points are obtained and then synchronized. Finally, a synchronizing finite state machine converter is synthesized. An illustrative example is also provided.

Keywords: Communication protocols; Conversion; Gateways; Interoperability; Services; Synthesis

Because of the proliferation of proprietary network architectures, the communication between users residing on different networks is often impossible. Although proprietary communication architectures often offer similar services, the protocols implementing them are incompatible for trivial or non-trivial reasons. Current and projected future trends in the information technology market are favorable for the provision and implementation of value-added services and applications across various communication architectures and networks. To ensure the universality of such services, there is a need to interconnect these networks. This can be achieved using gateways. The development of such gateways should be considered as a transitory step in contrast to the long term solution involving the standardization of network interfaces over which value-added services can be supported [25].

* Corresponding author. Email: [email protected]

The need for the development of formal non-ad hoc methods for gateway design was first pointed to by Green [10]. Since then, the issue of gateway design has been tackled extensively in the literature, and various formal gateway design techniques have been proposed [3,15,X2]. Two major concerns are being addressed. First, the architectural concerns which deal with the identification of the layer at which a gateway must exist [6,12,14,19,27] and second, the behavioral concerns which deal with the reconciliation between the different behaviors of protocols manifested by the different protocol message formats and their orderings. Many techniques address the behavioral concerns. These techniques are either top-down or bottom-up. Top-down or service-oriented techniques attempt to automatically generate communication gateways from formal service specifications. Techniques belonging to this category appear in [5,7,11,13,14,21]. Bottom-up (or protocol-oriented) techniques do not consider the complete service specification, but attempt to reconciliate at the protocol messages level. Techniques belonging to this category appear in [1,8,15,24,26,28]. Top-down techniques are purely synthetic since they guarantee both syntactic and semantic correctness and are based on systematic non-heuristic methods.

0920-5489/35/$09.50 © 1995 Elsevier Science B.V. All rights reserved SSDI 0920-5489(94)00045-I

Other service-based approaches use the concept of a service relay which translates each of the service primitives emanating from one network to a format acceptable by the other network. However, this is not so simple since services can have different options, quality of services and classes. Therefore, variant solutions of different complexities can be used. These solutions are mainly based on local or global service complementation in which additional sub-layer(s) are required to ensure service compatibility [S]. Surveys of existing gateway design techniques can be found in [9,17,22].

In this paper, we introduce a hybrid (service and protocol-oriented) gateway synthesis technique. The synthesis problem is formulated as: ‘the design of a gateway for the interworking between two incompatible protocols, at layers N and M, starting from the formal specification of these protocols and the services they provide’. The basis of our work is that the interconnection of networks should be based on the common communication services provided in both networks. Consequently, our method consists of the following components:
(1) the computation of the greatest common service definition given two service definitions,
(2) the generation or collection of two sets of traces related to the appropriate observation points,
(3) the synchronization of the observed traces, and finally, the synthesis of a finite state converter machine.
Our gateway synthesis approach integrates efficient components and procedures to obtain a correct converter.

The rest of this paper is organized as follows. Section 2 provides some preliminary information on networks, their architectures and their interconnections. Section 3 provides a definition of a specification formalism, the communicating finite state machine model, to be used in the design of gateways. Section 4 introduces the basic requirements and components for synthesizing converters. Section 5 introduces our synthesis methodology and provides its proofs of correctness and a brief complexity analysis. Section 6 provides an illustrative example. Finally, we conclude the paper in Section 7.

Fig. 1. An abstract view of a distributed communication service.

In this section, we provide some background information. First, we define the concepts of protocols and services. Then, we describe the context in which a communication gateway is required.

A communication protocol consists of a set of rules which govern the orderly exchange of messages among various system components in order to provide a specified set of services to users located at different service access points. The relationship between protocols and services can be described at two levels of abstraction. At a high level of abstraction, a communication system can be viewed as a service provider which offers some specified communication services to a number of service users ($U_1, U_2, \ldots, U_n$) who access the system through many geographically distributed service access points ($SAP_1, SAP_2, \ldots, SAP_n$) (Fig. 1). At a lower level of abstraction, the communication system can be seen to consist of a number of cooperating protocol entities (PEs) which exchange protocol messages, also called protocol data units (PDUs), that are not observable to the users at the access points. The PEs exchange these messages over a reliable communication medium according to a FIFO (first-in, first-out) discipline. These PEs have their own service access points for accessing the FE medium called lower SAPs (Fig. 2).

The communication service specification describes the distributed functions provided by the communication system to its service users. The communication protocol specification describes the behaviour of the protocol entities, each servicing a particular access point. A protocol entity specification describes the behaviour of that entity with respect to its upper interface (SAPs) and with respect to its lower interface with the underlying service provider. In the context of the layered architecture of the OSI model [27], a layer N protocol entity uses the layer N - 1 service functions to exchange messages with other protocol entities to provide the layer N service (Fig. 2).

Suppose we have two networks based on different layered communication architecture. Two distributed users, each belonging to a different network, will not be able to interconnect and communicate because of the incompatibilities at either or both the protocol or service levels. A gateway can exist in a separate interoperability unit or at either end of the connection, and can be used to reconciliate between the messages exchanged at the boundaries of both networks. This function is often referred to as conversion. The complexity of the gateway depends mainly on the extent of disagreement between the protocols at which the conversion is made. Conversion can be performed at either the service or the protocol level.

Fig. 2. A refinement of a communication service.

Fig. 3. Service-level conversion in a global communication service.

Fig. 4(a). Protocol-level conversion in a global communication service.

In service level conversion, a common service boundary is found. The conversion is performed at level N assuming that the protocols of the two networks above that level are compatible. The gateway consists of the implementations of the two protocol hierarchies up to the conversion level, and includes a service interface adaptor at the (N)-service level. Fig. 3 shows a service-level conversion architecture.

In protocol or (PDU) level conversion, the interoperability is based on a conversion at the level of the protocols involved. The gateway function is defined explicitly in terms of the PDUs exchanged within the two interconnected networks at protocol layer N, above which all protocols are compatible. Fig. 4(a) shows the protocol-level conversion, in which a converter exists at layers N and M of networks A and B, respectively. An equivalent abstract representation of the system, in which only the incompatible protocol layers appear, is shown in Fig. 4(b). This figure also shows various observation points that will be used later to synthesize a converter. For more details on related architectural issues and comparison between the two conversion approaches refer to Bochmann’s work in [6].

Fig. 4(b). Abstract representation of a global communication service.

3. Formal specification model and definitions

The use of a collection of Communicating Finite State Machines (CFSMs) as a natural and intuitive modeling formalism for communication protocols has been motivated by the observation that protocols can be characterized by event-driven processes that communicate with each other by exchanging messages through unidirectional FIFO channels. In the following, we formally define the CFSM model and its properties [4].

Definition 1. A CFSM is formally defined by the quadruple $CFSM_i = (S_i, s_{0i}, M_i, T_i)$, where: $S_i$ is the non-empty set of internal states of the machine, $s_{0i} \in S_i$ is the initial state of the machine, $M_i$ is the set of messages sent or received by $CFSM_i$ to or from other machines, and finally, $T_i$ is a partial transition function: $S_i \times M_i \to S_i$.

If $T_i(s, m)$ (for $m \in M_i$ and $s \in S_i$) is defined, and $m$ corresponds to a message reception (transmission), we say that the transition is labelled by $+m$ ($-m$). A unidirectional FIFO channel $C_{ij}$ carries messages belonging to $M_i$ sent from $CFSM_i$ to $CFSM_j$.

Normally, one CFSM is used to model each of the protocol entities (PE) of a communication protocol. In the rest of the paper, we use protocol entity, machine and process (P) interchangeably.

Definition 2. A transition (labelled by $-m$ or $+m$) emanating from state $s$ of $CFSM_i$ is said to be specified if $T_i(s, m)$ is defined in $CFSM_i$.

Definition 3. A global state of a protocol consisting of $n$ PEs is a pair $(S, C)$, where $S = (s_1, s_2, \ldots, s_n)$, and $s_1, s_2, \ldots, s_n$ represent current states of $PE_1, PE_2, \ldots, PE_n$, respectively, and $C = (c_{ij}$, for all $i \neq j$, and $i, j \le n)$ represents the current contents of the channels $c_{ij}$ linking processes. If no direct channel exists (i.e. no messages are exchanged) between two processes, say $P_k$ and $P_l$, then $c_{kl}$ and $c_{lk}$ are represented by ‘_’ in $C$.

Definition 4. The initial (final) global state of a protocol is a pair $(S, C)$ in which each of the component states of $S$ are initial (final) states in their respective processes, and all channels are empty. A global state is said to be stable if, in that state, all channels are empty.

Definition 5. The reception of a message $m$ at state $s$ in $CFSM_i$ is called unspecified if $m$ is at the head of one of the incoming channels $C_{ji}$, and $CFSM_i$ is unable to receive it. Formally, we say that $T_i(s, m)$ is undefined.

Definition 6. A deadlock state is reached in a protocol of $n$ CFSMs if all the channels are empty and each individual machine is at a state at which no transmission transition is specified.

Definition 7. A protocol enters a livelock (or dynamic deadlock) if the same sequence of global states are traversed infinitely, and no possible transition out of that sequence exists. However, if such outgoing transition is possible, we say the protocol enters a liveloop.

Definition 8. A protocol design is said to be correct if it offers the services described in its service definition. We also say that such protocol is live (i.e. something good eventually happens), that is, it satisfies its predefined liveness properties.

Definition 9. A protocol is said to be syntactically correct if it will never reach a deadlock state, and is free from unspecified reception errors and livelocks. We also say that such protocol is safe (i.e. something bad will never happen), that is, it satisfies its predefined safety properties.

Definition 10. A transition $t$ in $CFSM_i$, labelled by an event $e$, is said to be executable at global protocol state $S$ if: (1) the event $e$ is a transmission event, or (2) the event $e$ is a reception event and $T_i(s_i, e)$ in $CFSM_i$ is specified, and $e$ is at the head of the channel $C_{ji}$.

Definition 11. The projection of a CFSM $M$ over a set of observation points (sop), denoted $\Pi_{sop} M$, is a new CFSM ($M'$) in which we replace the events (transmission or reception) occurring at an observation point (OP) not belonging to sop by an empty ($\epsilon$) event. Then, we apply known algorithms for the removal of $\epsilon$-cycles and $\epsilon$-transitions to obtain $M'$ [2].

Definition 12. A trace is a sequence of zero or more events observed at one or more OPs. Depending on the location of the OPs, these events can be either protocol messages and/or service primitives. $Pos(e, t)$ returns the position of event $e$ in trace $t$, and $|t|$ denotes the number of events in (or the length of) trace $t$.

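Definition 13. Two communication traces $t_1$ and $t_2$ are said to be mutually compatible if:

(1) $\forall\, {-e}$ in $t_1$, $\exists\, {+e}$ in $t_2$ / $Pos(+e, t_2) \ge Pos(-e, t_1)$, and $\forall\, {+e}$ in $t_2$, $\exists\, {-e}$ in $t_1$ / $Pos(-e, t_1) \le Pos(+e, t_2)$.

(2) $\forall\, {-e}$ in $t_2$, $\exists\, {+e}$ in $t_1$ / $Pos(+e, t_1) \ge Pos(-e, t_2)$, and $\forall\, {+e}$ in $t_1$, $\exists\, {-e}$ in $t_2$ / $Pos(-e, t_2) \le Pos(+e, t_1)$.

(3) If $-e_i$ and $-e_j$ in $t_1$ and $Pos(-e_i, t_1) > Pos(-e_j, t_1)$ then $Pos(+e_i, t_2) > Pos(+e_j, t_2)$.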

Definition 14. A projection of a trace $t$ over an sop, denoted $t' = \Pi_{sop} t$, is a subtrace of $t$ in which only the events that could be observed at the specified observation points are included while preserving the order of their occurrences. The empty trace $\epsilon$ is a possible trace.

Definition 15. The complement of a trace $t$, denoted by $-t$, is a trace in which each input (output) event in $t$ is transformed to an output (input) event in $-t$. Moreover, the complement of a set of traces $T$, denoted by $-T$, is a set in which each trace is a complement of a trace in $T$.

Definition 16. The Cartesian product $P$ of two CFSMs $M = (S_M, s_{0M}, M_M, T_M)$ and $N = (S_N, s_{0N}, M_N, T_N)$, denoted by $P = M \times N$, is formally defined as $P = (S_P, s_{0P}, M_P, T_P)$, in which: $S_P \to S_M \times S_N$, $s_{0P} \in S_P$, $M_P = M_M \cup M_N$, $M_M \cap M_N \neq \emptyset$ and $s_{0P} = s_{0M} s_{0N}$, that is, each state of $P$ is represented by two states $s_M s_N$, $s_M \in S_M$ and $s_N \in S_N$; $T_P: S_P \times M_P \to S_P$, meaning that each transition in $P$ corresponds to a transition in either $M$ or $N$ according to the transition function $T_P$, and is defined as follows: $s'_P = T_P(s_P, m) = T_P(s_M s_N, m) = T_M(s_M, m) s_N$ if $m \in M_M$, or $s_M T_N(s_N, m)$ if $m \in M_N$.

It is clear that in machine $P$ we find all the possible interleaving of events from machines $M$ and $N$.

Definition 17. The composition $C$ of two CFSMs $M = (S_M, s_{0M}, M_M, T_M)$ and $N = (S_N, s_{0N}, M_N, T_N)$, denoted $C = M \parallel N$, is formally defined as $C = (S_C, s_{0C}, M_C, T_C)$ in which $S_C \to S_M \times S_N$, $s_{0C} \in S_C$, $M_C \to M_M \cup M_N$, $M_M \cap M_N \neq \emptyset$ and $s_{0C} = s_{0M} s_{0N}$, that is, each state of $C$ is represented by two states $s_M s_N$, $s_M \in S_M$ and $s_N \in S_N$; $T_C: S_C \times M_C \to S_C$, meaning that each transition in $C$ corresponds to a transition in either $M$ or $N$ according to the transition function $T_C$: $s'_C = T_C(s_C, m) = T_C(s_M s_N, m) = T_M(s_M, m) s_N$ if $m \in M_M$ and $T_M(s_M, m)$ is executable, or $s_M T_N(s_N, m)$ if $m \in M_N$ and $T_N(s_N, m)$ is executable.

This composition computation is often referred to as the reachability computation and suffers from the state explosion problem. However, techniques and heuristic relief strategies can be used to reduce the complexity of this problem [16]. It is clear that the composition $C$ of machines $M$ and $N$ is a subset of their Cartesian product $P$ (i.e. $P \supseteq C$). $C$ contains only the feasible interleavings or communication patterns that can be observed when $M$ and $N$ are communicating.
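The difference between the Cartesian product and the reachability composition, as an added Python example (not code from the paper): two constructed CFSMs are explored over FIFO channels, and the search returns the reachable state pairs together with the deadlocks (Definition 6) and unspecified receptions (Definition 5) it meets. The machine encoding, the channel bound and the message names are assumptions of this example.

```python
from collections import deque

# Constructed CFSMs: {state: {event: next_state}}; "-m" sends m, "+m" receives m.
SENDER = {"s0": {"-req": "s1"}, "s1": {"+conf": "s0"}}
RECEIVER = {"r0": {"+req": "r1"}, "r1": {"-conf": "r0"}}
# Constructed faulty variant: it may answer "nak", which SENDER never accepts.
FAULTY_RECEIVER = {"r0": {"+req": "r1"}, "r1": {"-conf": "r0", "-nak": "r0"}}


def states_of(machine):
    """All states named in a machine, as sources or targets of transitions."""
    return set(machine) | {t for trans in machine.values() for t in trans.values()}


def cartesian_states(m0, m1):
    """State set of the Cartesian product (Definition 16): every pair of states."""
    return {(a, b) for a in states_of(m0) for b in states_of(m1)}


def compose(m0, m1, init, bound=4):
    """Reachability composition m0 || m1 (Definition 17).

    A global state is (state0, state1, c01, c10), following Definition 3.
    `bound` caps the channel length so the search terminates (assumption).
    Returns (reachable state pairs, deadlocks, unspecified receptions).
    """
    machines = (m0, m1)
    start = (init[0], init[1], (), ())
    seen, queue = {start}, deque([start])
    deadlocks, unspecified = set(), set()
    while queue:
        g = queue.popleft()
        states, chans = (g[0], g[1]), (g[2], g[3])  # chans[i]: sent by machine i
        can_send = False
        for i in (0, 1):
            trans = machines[i].get(states[i], {})
            out_ch, in_ch = chans[i], chans[1 - i]
            # Definition 5, read literally: the head of the incoming channel
            # cannot be received in the current state.
            if in_ch and ("+" + in_ch[0]) not in trans:
                unspecified.add((states[i], in_ch[0]))
            for event, nxt in trans.items():
                kind, msg = event[0], event[1:]
                if kind == "-":
                    can_send = True
                    if len(out_ch) >= bound:
                        continue
                    new_out, new_in = out_ch + (msg,), in_ch
                elif in_ch[:1] == (msg,):
                    # Definition 10: a reception is executable only at the channel head.
                    new_out, new_in = out_ch, in_ch[1:]
                else:
                    continue
                nstates, nchans = list(states), [None, None]
                nstates[i] = nxt
                nchans[i], nchans[1 - i] = new_out, new_in
                succ = (nstates[0], nstates[1], nchans[0], nchans[1])
                if succ not in seen:
                    seen.add(succ)
                    queue.append(succ)
        # Definition 6: channels empty and no machine has a transmission specified.
        if not chans[0] and not chans[1] and not can_send:
            deadlocks.add(states)
    return {(g[0], g[1]) for g in seen}, deadlocks, unspecified


if __name__ == "__main__":
    pairs, dead, unspec = compose(SENDER, RECEIVER, ("s0", "r0"))
    total = len(cartesian_states(SENDER, RECEIVER))
    print(len(pairs), "of", total, "product states are reachable")
    print("faulty receiver:", compose(SENDER, FAULTY_RECEIVER, ("s0", "r0"))[2])
```

The faulty variant blocks with a message still queued, so it is reported as an unspecified reception and not as a deadlock in the sense of Definition 6.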

Definition 18. The synchronization or shuffling of two compatible traces $t_1$ and $t_2$ (i.e. $t = t_1 \otimes t_2$) produces the set of traces satisfying the following conditions:
(1) $|t| = |t_1| + |t_2|$, and
(2) the reception of a message ($+m$) in $t_1$ is preceded by its transmission ($-m$) in $t_2$ or vice versa.

If $t_1$ is a trace from CFSM $N$ and $t_2$ is a trace from CFSM $M$, then $t = t_1 \otimes t_2$ contains all the traces from $C = N \parallel M$ (i.e. $\otimes$ for traces is analogous to $\parallel$ for CFSMs).

for converter synthesis

A converter is yet another communication component that must be syntactically and semantically correct, that is deadlock free, complete and live so that a smooth and transparent interoperability is guaranteed between two different protocols. The development of a converter can use either an analytic or a synthetic technique [23]. Analytic techniques are ad hoc techniques that are iterative and time consuming. However, using a synthetic technique, the correctness of the converter is guaranteed as a by-product of the synthesis process itself [23]. Also, the converter can be developed and maintained faster because its construction is automatic and non-iterative.

In this section, we introduce some concepts and procedures that are needed for the construction of a communication converter. First, we introduce the concept of a greatest common service definition given two service definitions provided by two different network protocols. Then we discuss the issues of trace generation at various subsets of observation points and their synchronization. Finally, we introduce a procedure to synthesize a CFSM converter specification given a set of synchronized traces.

4.1. Computing the greatest common service definition (gcsd)

To find a communication gateway, the minimal and necessary requirement is that the communication services to reconciliate must not be disjoint, otherwise no converter would be found. The gcsd is the basis of most top-down converter synthesis methods. To obtain it, one must rely on the designer’s deep understanding of the services offered by the two networks. Rajagopal’s technique [24] refers to the gcsd as t specification, and does not provide any indication on how to obtain it. Similarly, Okumura’s technique [20] uses a partial service definition referred to as a conversion seed that might not be feasible (i.e., does not contain common services). In this paper, we introduce a procedure similar to that introduced in [14] to compute

Suppose the service provided by N (M) is specified as an FSM $S_N$ ($S_M$). The input operations of $S_N$ and $S_M$ are the service primitives of N and M, respectively. Let the set of input operations of $N_i$ ($M_i$) with its local user or the upper layer be $IN_i$ ($IM_i$). Similarly, let the set of output operations of $M_i$ ($N_i$) with its local user or the upper layer be $OM_i$ ($ON_i$). The designer has to map the elements of $ON_i$ ($OM_i$) to $IM_i$ ($IN_i$). In most cases, this is a straightforward one-to-one mapping. However, the mapping may be more complex. For example, two service primitives in one service can be equivalent to only one primitive in the other service. Other service primitives of N may involve functions that are not offered by any combination of primitives in M. These functions will not be reconciliated and should never be invoked while using the greatest common subset of services. The mapping functions for SPs belonging to both systems are modeled by a CFSM called a service interface converter (SIC).

Next, we remove from the service definitions $S_N$ and $S_M$ all the transitions corresponding to the primitives that were not mapped in the SIC. The resulting pruned service FSMs are $S'_N$ and $S'_M$. The greatest common service definition or the global service can be computed by $gcsd = \Pi_{(\text{upper-N},\, \text{upper-M})}(S'_N \parallel SIC \parallel S'_M)$ (Fig. 5), in which disjoint services of M and N are discarded.

4.2. Trace generation and collection

Two sets of traces of interest in our procedure correspond to the traces that can describe the events occurring at each of the networks separately and that contribute to the gcsd introduced in Section 4.1. Let $T_N$ be the set of traces observed at upper-N and lower-N, and $T_M$ be the set of traces observed at upper-M and lower-M.

Fig. 5. The greatest common service definition (gcsd).

The set $T_N$ (similarly for $T_M$) can be obtained using one or a combination of the following three methods:
(1) monitoring and recording the distinct sequences of events which occur at the specified set of observation points in a production system,
(2) analytically computing $N'_1 \parallel$ us-N where $N'_1$ is a pruning of $N_1$ that only shows the contribution of $N_1$ to $S'_N$, and us-N is a composition of lower services and the bidirectional communication channel, and finally
(3) simulating the execution of the services contributing to the gcsd at the upper interfaces.
In all three cases, the resulting traces are projected onto {upper-N, lower-N} (if needed). The first method is the simplest since it relies on real-life execution sequences and which, if observed over a long duration, may capture most feasible communication traces. The second method is computationally complex, but can (theoretically) capture all communication traces of interest. Finally, the third method is the weakest since it relies on the completeness of selected or generated test interactions or stimuli applied and collected at the specified observation points.

However, the disadvantages of the first method are that: (1) no indication on when to stop monitoring and collecting traces to ensure that a superset of traces is obtained, and (2) the set of traces has to be pruned to exclude all traces not contributing to the gcsd, therefore requiring extra processing. If we denote the sets of traces obtained by the first, second and third method, as $T_{obs}$, $T_{anal}$ and $T_{sim}$, respectively, we can see that: $T_{anal} \supseteq T_{obs} \supseteq T_{sim}$. Fig. 6 shows a local observation architecture that can be used to implement both the first and the third method.

4.3. Trace synchronization

Given the two sets of traces $T_N$ and $T_M$, obtained as described in Section 4.2, the corresponding sets of traces which include the input and output events (or protocol data units) observed at lower-N and lower-M are $TR_N = \Pi_{(\text{lower-N})} T_N$ and $TR_M = \Pi_{(\text{lower-M})} T_M$, respectively. The converter must be able to synchronize the complements of these two sets of traces. First, let the two partial sets of traces of the converter $TC_N$ and $TC_M$ be the complement of the two sets of traces in $TR_N$ and $TR_M$, respectively. Then, each input event in a trace belonging to $TC_N$ has to be matched with an output event in a trace belonging to $TC_M$, and vice versa. Shuffling the events in all the traces of the converter is called trace synchronization.

The communication traces in $TC_N$ and $TC_M$ are related to the patterns of the two types of communication services belonging to the gcsd. A communication service can be either confirmed or unconfirmed. In a confirmed service, there is a request, an indication, a response and a confirm service primitives and their related PDUs. A typical example of a confirmed service is a CONNECT service that requires prior mutual agreement to establish a connection between two communicating entities. However, in an unconfirmed service, there is only a request and an indication. Services such as the Data Transfer and DISCONNECT can be either confirmed or unconfirmed services, depending on whether or not the sender requires an acknowledgement. Consequently, the converter has to synchronize two sets containing traces corresponding to different types of the same service. In the following, we list the possible traces of $TC_N$ and $TC_M$ and their synchronization. The trace synchronization or shuffling operator $\otimes$ is used between two traces: $t = t_1 \otimes t_2$, where $t_1 \in TC_N$ and $t_2 \in TC_M$.

Fig. 6. Architecture for collecting traces by observation or simulation.

In the following, we list all possible patterns that can be observed at lower-N and lower-M and their shuffling. We refer to an event $e$ sent (received) by the converter at lower-N as $N-e$ ($N+e$). These patterns are also shown in Fig. 7.

Unconfirmed service in both networks N and M:
(a) $(N+m) \otimes (M-m) = (N+m, M-m)$.

Confirmed service in M (with possible acknowledgement) and unconfirmed service in N:
(b) $(N+m) \otimes (M-m, M+confm) = (N+m, M-m, M+confm)$ or
(c) $(N+m) \otimes (M-m, M+confm, M-ack) = (N+m, M-m, M+confm, M-ack)$.

Confirmed service in N (with possible acknowledgement) and unconfirmed service in M:
(d) $(N+m, N-confm) \otimes (M-m) = (N+m, M-m, N-confm)$ or
(e) $(N+m, N-confm, N+ack) \otimes (M-m) = (N+m, M-m, N-confm, N+ack)$.

Confirmed service in both networks N and M, with possible acknowledgements at either or both networks:
(f) $(N+m, N-confm) \otimes (M-m, M+confm) = (N+m, M-m, M+confm, N-confm)$
(g) $(N+m, N-confm) \otimes (M-m, M+confm, M-ack) = (N+m, M-m, M+confm, N-confm, M-ack)$
(h) $(N+m, N-confm, N+ack) \otimes (M-m, M+confm) = (N+m, M-m, M+confm, N-confm, N+ack)$
(i) $(N+m, N-confm, N+ack) \otimes (M-m, M+confm, M-ack) = (N+m, M-m, M+confm, N-confm, N+ack, M-ack)$.

Fig. 7. Communication patterns for different combinations of service types.

In addition to the above loopless traces, other traces containing repetitions of one or more events (or subtrace) can also be obtained. A repeated subtrace $t$ is represented using the regular expression repetition operator $*$ (i.e. $(t)^*$) in the generated traces or their complemented sets $TC_N$ and $TC_M$. $t$ may include one of the following types of patterns:

(i) the transmission of one or more messages, i.e. $(N-m_1, N-m_2, \ldots, N-m_n)$.

(ii) the reception of one or more messages, i.e. $(N+m_1, N+m_2, \ldots, N+m_n)$.

(iii) the reception and transmission of one or more messages, i.e. $(N+m_1, N-m_2, \ldots)$.

The following rules apply for the synchronization of traces containing repeated subtraces. Similar rules appeared in [18]. Let $t_1$ and $t_2$ be traces in $TC_N$ and $TC_M$, respectively.

Rule 1. If $t_1$ (or $t_2$) contains a repeated subtrace, the repetition operator is eliminated and the resulting trace will be synchronized with $t_2$ (or $t_1$) using one of the rules (a) to (i) for loopless traces.

Rule 2. If both $t_1$ and $t_2$ contain loops, then we first eliminate the repetition of the loops and the resulting traces will be synchronized ($t = t_1 \otimes t_2$) using one of the rules (a) to (i) for loopless traces.

Rule 3. After the application of either Rule 1 or 2, the following should be applied: if the (eliminated) repeated subtrace is of type (i) or (ii), and appears between messages $x$ and $y$, then insert the loop before $y$ in trace $t$. However, if it is of type (iii), then insert the loop before $x$ in trace $t$.

4.4. Synthesis of converter’s CFSM

Given a set of communication traces (CT), obtained by shuffling traces of TC_N and TC_M, it is possible to construct a minimal CFSM which represents the expected behaviour of the converter. Another technique similar to Algorithm Synthesize in [24] is more exhaustive and requires the construction of the Cartesian product C = N2 × M1, and then C' = Π_{lower_N, lower_M} C is computed. The algorithm removes from C' all the transitions that are never exercised by any trace belonging to CT. Non-reachable states are then removed from the resulting state machine. In our methodology, we compute the composition N'2 || M'1 instead of the Cartesian product, where N'2 and M'1 are pruned, and they only show the contribution of N2 to S'_N and M1 to S'_M, respectively.
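The pruning described above (remove the transitions that no trace in CT exercises, then the states left unreachable), as an added Python example that is not code from the paper; it also reports reachable states with no outgoing transition, the deadlock condition. The candidate machine, its state numbers and the loop-unrolled traces are constructed for illustration; only the ABP/NSP message names and the +/- sign convention come from the paper.

```python
from collections import deque

# Constructed candidate machine (not from the paper). State numbers are
# arbitrary; events use the ABP/NSP message names, '+' meaning received by
# the converter and '-' meaning sent by it.
CANDIDATE = {
    (0, "+DATA(bit)"): 1, (1, "-data"): 2, (2, "-data"): 2,
    (2, "+ack"): 3, (3, "-ACK(bit)"): 0,
    (0, "+data"): 4, (4, "-DATA(bit)"): 5, (5, "-DATA(bit)"): 5,
    (5, "+ACK(bit)"): 6, (6, "-ack"): 0,
    # Transitions that no communication trace below exercises:
    (1, "+ack"): 7, (7, "-ack"): 0, (4, "+DATA(bit)"): 8,
}

# Constructed communication traces CT, each loop unrolled once.
CT = [
    ["+DATA(bit)", "-data", "-data", "+ack", "-ACK(bit)"],
    ["+data", "-DATA(bit)", "-DATA(bit)", "+ACK(bit)", "-ack"],
]


def reachable(machine, initial):
    """Return the states reachable from `initial` (breadth-first search)."""
    seen, queue = {initial}, deque([initial])
    while queue:
        state = queue.popleft()
        for (src, _event), dst in machine.items():
            if src == state and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def prune(machine, initial, traces):
    """Drop transitions that no trace exercises; return (transitions, states)."""
    kept = {}
    for trace in traces:
        state = initial
        for event in trace:
            if (state, event) not in machine:
                raise ValueError(f"state {state} cannot take {event}")
            kept[(state, event)] = machine[(state, event)]
            state = machine[(state, event)]
    # States that lost every incoming transition are no longer reachable.
    return kept, reachable(kept, initial)


def deadlock_states(machine, initial):
    """Return reachable states that have no outgoing transition."""
    with_exit = {src for (src, _event) in machine}
    return reachable(machine, initial) - with_exit


if __name__ == "__main__":
    converter, states = prune(CANDIDATE, 0, CT)
    print(len(CANDIDATE), "->", len(converter), "transitions;", sorted(states))
    print("deadlocks before/after:", deadlock_states(CANDIDATE, 0),
          deadlock_states(converter, 0))
```

In the constructed candidate, state 8 is a dead end reached by an unexercised transition, so the deadlock it represents disappears once the machine is pruned against CT.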

5. The converter synthesis procedure

In this section, we first informally describe our procedure, then we formally introduce its steps. These steps require the use of the principles and techniques introduced in the previous section. Finally, we show the complexity of the procedure and the proofs of its correctness.

The basic assumptions for the proper application of our protocol conversion methodology are that both protocols are syntactically and semantically correct, that is, they are free from deadlocks, livelocks and unspecified receptions, but may contain liveloops.

In the first step of the procedure, we obtain the definition of the greatest common service (gcsd) to be supported by the converter. If such a definition does not exist, then the procedure terminates. In the second step, we obtain the traces that are local to each of the network architectures. Two observation points are of interest at each architecture, namely the access point at the upper interface of the global service and the lower access point that interfaces with other protocols. In the third step, we find traces that contribute to the common service at each architecture independently. Then, in the fourth step, these traces are complemented, and shuffled to obtain synchronization traces that represent the communication patterns realized by the converter. Finally, given these synchronization traces, a CFSM modeling the converter is synthesized.

5.1. The procedure

Our converter synthesis procedure is summarized as follows.

Step 1. Obtain the gcsd FSM (as described in Section 4.1). If a gcsd is empty or cannot be found, then terminate the procedure. Generate the set of possible global service traces T_S from the gcsd.

Step 2. Obtain the set of possible traces, T_N and T_M, observed at {upper_N, lower_N} and {upper_M, lower_M}, respectively (as described in Section 4.2).

Step 3. Initialize T_C to ε. For each trace t_s in T_S:

3.1. Obtain a subtrace t_sN corresponding to the contribution of t_s to the upper service interface of N, that is, t_sN = Π_{upper_N} t_s. Obtain the set of traces:

TR_N = {tr_N | (tr_N = Π_{lower_N} t) AND (t ∈ T_N) AND (Π_{upper_N} t = t_sN)}

Let TC_N be the complement of TR_N.

3.2. Obtain a subtrace t_sM corresponding to the contribution of t_s to the upper service interface of M, that is, t_sM = Π_{upper_M} t_s. Obtain the set of traces:

TR_M = {tr_M | (tr_M = Π_{lower_M} t) AND

Let TC_M be the complement of TR_M.

3.3. Synchronize the traces in TC_N and TC_M to obtain some traces corresponding to the converter behavior. Add those traces to the set T_C.

Endfor.

Step 4. Synthesize the CFSM specification of the converter (as described in from the synchronization traces T_C obtained in Step 3.

5.2. Proofs of correctness

In the following, we shall prove that if a converter exists (i.e. a gcsd exists), then it is syntactically correct, that is, it is deadlock free and complete. We refer to the protocol converter obtained by our methodology as ‘the converter’.

Lemma 1. The converter is free from unspecified reception errors.

Proof. According to the trace synchronization rules, each message sent by either underlying network is received by the converter. Each pair of traces to synchronize consists of two traces that are the complement of two traces related to the same service observed at the interfaces with the underlying networks. Consequently, every message sent from one network to the other is received by the converter, and therefore, the converter is free from unspecified receptions. □

Lemma 2. The converter is free from deadlocks.

Proof. After relaying messages, the converter reverts back to a state at which it is always ready to synchronize with messages emanating from either network protocol interfaces. The only possibility of reaching a deadlock is when either network protocol reaches a deadlock. However, this is excluded in our assumptions. Moreover, each of the traces considered in our synchronization rules consists of mutually compatible traces. □

Lemma 3. The converter is free from livelocks.


Proof. Since, according to our assumptions, both network protocols are free from livelocks, no livelock would exist in the converter. This is evident from the synchronization rules themselves since no loops are added to the converter if they do not belong to either or both livelock-free network protocols. □

Theorem 1. The converter is safe.

Proof. Using the results of the three above lemmas, it is clear that the converter is safe. □

The proof of the semantic correctness of the converter is straightforward (therefore omitted), since the converter does not change existing messages or introduce new messages, but it only acts as a message relay, i.e. it faithfully relays messages from one end to the other. Consequently, the converter is live.

5.3. Complexity of the methodology

To analyze the complexity of our converter synthesis methodology, we consider the complexity of each of its steps.

The following computations are performed:

Step 1.

(1) the SIC is computed manually, and its complexity depends on the set of common services.

(2) the two refined services S'_N and S'_M that exclude uncommon services.

(3) compute ssd = Π_{upper_N, upper_M} S'_N || SIC || S'_M, the complexity of which depends on the set of common services.

Step 2 (Analytical approach).

(4) obtaining N'1 and M'2 as the pruning of N1 and M2, respectively.

(5) Π_{upper_N, lower_N} = N'1 || us_N

(6) Π_{upper_M, lower_M} = M'2 || us_M

Step 3.

(7) Shuffling traces, the complexity of which depends on the number of traces in either TC_N or TC_M.

Step 4.

(8) compute M = Π_{lower_N, lower_M} N'2 || M'1.

(9) Prune the machine M.

The computations involving projections or pruning are straightforward and their complexities are linearly related to the number of transitions (or events) in the CFSM (or trace) to prune or project onto. However, the time consuming computations are those involving the composition of two or more CFSMs. In our computations, we avoided the use of the more expensive Cartesian product operation. The complexity of the composition of the pruned service definitions depends only on the complexity and size of the gcsd, and not on the size of the original protocols.

Fig. 8(a). ABP and its service definition S_ABP.

Fig. 8(b). NSP and its service definition S_NSP.

6. Example

In this section, we present an example illustrating the application of our synthesis procedure. The example considers the formal description of two simple data transfer protocols, namely, the alternating bit protocol (ABP) and the non-sequenced protocol (NSP). Fig. 8 shows the two protocols and their respective service definitions. In this example, we consider the transfer of data in both directions, that is from ABP’s sender to NSP’s receiver, and from NSP’s sender to ABP’s receiver. For more on these two protocols refer to [22].

Step 1. It is clear that these protocols offer only one common service, that is, the data transfer service. Once a service request ACCEPT(data) is received by the ABP, it is received by the end service user using the service function RECEIVE(data). Similarly, once a SEND(data) is received by the NSP, it is received by the end service user using the service function DELIVER(data). Using the procedure shown in Section 4.1, the greatest common service definition is computed and shown in Fig. 9.

Fig. 9. Greatest common service definition of S_ABP and S_NSP.

Step 2. Using the technique described in Section 4.2, we obtain the traces T_ABP and T_NSP.

T_ABP = { ACCEPT -DATA(bit) (+ACK(bit) -DATA(bit))* +ACK(bit),
+DATA(bit) (-ACK(~bit) +DATA(bit))* DELIVER -ACK(bit),
+DATA(bit) DELIVER (-ACK(~bit) +DATA(bit))* -ACK(bit),
+DATA(bit) (+DATA(bit))* DELIVER -ACK(bit),
+DATA(bit) (+DATA(bit))* -ACK(bit) }

T_NSP = { SEND -data (+ack -data)* +ack,
+data (+data)* RECEIVE -ack,
+data RECEIVE (+data)* -ack }

Step 3.

TC_ABP = Complement(Π_{lower_ABP} T_ABP) = { -DATA(bit) (+ACK(~bit) -DATA(bit))* +ACK(bit),
-DATA(bit) (-DATA(bit))* +ACK(bit),
+DATA(bit) (-ACK(bit) +DATA(bit))* -ACK(bit) }

TC_NSP = Complement(Π_{lower_NSP} T_NSP) = { -data (-data)* +ack,
+data (-ack +data)* -ack }

The set of synchronization traces is:

T_C = { +DATA(bit) -data (-data)* +ack (-ACK(bit) +DATA(bit))* -ACK(bit),
+data -DATA(bit) (+ACK(~bit) -DATA(bit))* +ACK(bit) (-ack +data)* -ack,
+data -DATA(bit) (-DATA(bit))* +ACK(bit) (-ack +data)* -ack }

Fig. 10. The CFSM corresponding to the converter.

Step 4. Fig. 10 shows the converter CFSM synthesized from the set of traces in T_C.

In this paper, we have introduced a new methodology for the synthesis of communication converters to ensure the interoperability between incompatible network protocols providing related or common communication services. The procedure uses a blend of various techniques and operations to manipulate communicating finite state machine descriptions of the services and protocols for which a converter is needed. Our procedure follows the top-down approach since it starts with the service definitions, but it also relies on the protocol messages and their relationships with service primitives. We start by computing the greatest common service definition of two service definitions. Then, two sets of traces related to appropriate observation points are obtained and synchronized. Finally, a synchronization finite state machine converter is synthesized. We are currently studying the problem of dealing with concurrent services and protocols and their effects on our converter design methodology.

Acknowledgement

The authors would like to acknowledge the partial support of this work by Kuwait University research grant EE064.

References

[1] J. Akella and K. McMillan, Synthesizing converters between finite state protocols, IEEE ICCD’91 (1991) 410-413.

[2] W.A. Barrett and J.D. Couch, Compiler Construction: Theory and Practice (Science Research Associates, 1979).

[3] E.W. Biersack, An annotated bibliography on network interconnection, IEEE J. Selected Areas on Commun. 8 (1) (Jan. 1990) 22-41.

[4] G.V. Bochmann, Finite state description of communication protocols, Comput. Networks 2 (4/5) (Sep. 1978) 361-372.

[5] G.V. Bochmann, Deriving protocol converters for communications gateways, IEEE Trans. Commun. 38 (9) (Sep. 1990) 1298-1300.

[6] G.V. Bochmann and P. Mondain-Monval, Design principles for communication gateways, IEEE J. Selected Areas on Commun. 8 (1) (Jan. 1990) 12-21.

[7] K. Calvert and S. Lam, Deriving a protocol converter: a top down method, Proc. ACM SIGCOMM’89, pp. 247-258.

[8] K. Calvert and S. Lam, Adaptors for protocol conversion, Proc. INFOCOM’90, Vol. 2, pp. 552-560.

[9] K. Calvert and S. Lam, Formal methods for protocol conversion, IEEE Trans. Selected Areas Commun. 8 (1) (Jan. 1990) 127-148.

[10] P. Green, Protocol conversion, IEEE Trans. Commun. 34 (3) (March 1986) 257-268.

[11] H.J. Jeng and M.T. Liu, From service specification to protocol converter: A synchronization transition set approach, Proc. 12th Int. Symp. on Protocol Specification, Testing and Verification (June 1992).

[12] G. Juanole et al., Interconnexion de réseaux - Concepts - Exemples, Réseaux Informatique Répartie 1 (1) (1991) 7-57.

[13] S. Kelekar and G. Hart, Synthesis of protocols and protocol converters using the submodule construction approach, Proc. 13th Int. Symp. on Protocol Specification, Testing and Verification (May 1993) F1.1-F1.16.

[14] D. Kristol et al., A polynomial algorithm for gateway generation from formal specifications, IEEE/ACM Trans. Networking 1 (2) (April 1993) 217-229.

[15] S. Lam, Protocol Conversion, IEEE Trans. Software Eng. 13 (3) (March 1988) 352-363.

[16] M.T. Liu, Protocol engineering, in Advances in Computers 27 (July 1989) 79-195.

[17] M.T. Liu, Tutorial notes on protocol conversion, Proc. 12th Int. Symp. on Protocol Specification, Testing and Verification (June 1992).

[18] M. Noosong, Interconnexion de reseaux informatiques heterogenes: methode formelle de conversion de protocoles, These de Doctorat, ENST, Paris, Janvier 1992.

[19] Y. Ohara et al., Protocol conversion method for heterogeneous systems interconnection in multi-profile environment, Proc. 7th Int. Symp. on Protocol Specification, Testing and Verification (May 1987).

[20] K. Okumura, A formal protocol conversion method, Proc. ACM SIGCOMM’86, pp. 30-37.

[21] K. Okumura, Generation of proper adapters and converters from a formal service specification, Proc. IEEE INFOCOM’90, Vol. 2 (1990) 564-571.

[22] M. Peyravian and C.T. Lea, Construction of protocol converters using formal methods, Computer Commun. 16 (4) (April 1993) 215-228.

[23] R. Probert and K. Saleh, Synthesis of communications protocols: Survey and assessment, IEEE Trans. Comput. 40 (4) (April 1991) 468-476.

[24] M. Rajagopal and R.E. Miller, Synthesizing a protocol converter from executable protocol traces, IEEE Trans. Comput. 40 (4) (April 1991) 487-499.

[25] K. Saleh and H. Ural, Formal specification of an information gateway service interface in Estelle, Comput. Standards & Interfaces 16 (4) (1994).

[26] J.C. Shu and M. Liu, A synchronization model for protocol conversion, Proc. IEEE INFOCOM’89, Vol. 1 (1989) 276-284.

[27] M. Tillman and D. Yen, SNA and OSI: three strategies for interconnection, Commun. ACM 33 (2) (Feb. 1990) 214-224.

[28] Y. Yao and M.T. Liu, Constructing protocol converters from service specification, IEEE ICDCS-12, Japan (June 1992).

Kassem Saleh received the B.Sc., M.Sc. degrees in Computer Science, and the Ph.D. degree in Electrical Engineering from the University of Ottawa, Canada in 1985, 1986 and 1991, respectively. He is currently an assistant professor in the department of electrical and computer engineering at Kuwait University. He was a computer systems specialist at Bell Canada from 1985 to 1991 before he joined Concordia University as an assistant professor for one year. He was awarded the IBM Telecommunications Software Scholarship in 1988 and the George Franklin Prize for the best student paper in 1990 from the Canadian Interest Group on Open Systems (CIGOS). He is a member of ACM and Computer Society. His research and teaching interests include software engineering, distributed system design and communications protocol engineering.

Mansour H. Jaragh received his B.Sc. in electrical engineering from Tulane University, and the M.Sc. and Ph.D. with honors in Computer Engineering from New Mexico State University, in 1979 and 1983, respectively. He joined the Ministry of Communication in Kuwait in July 1975 and was in charge of testing the International Telephone Exchange 0vl.O.C.) in 1971. In 1983, he joined the department of electrical and computer engineering at Kuwait University where he is currently an associate professor. He is a member of the board of IEEE Region 8, Kuwait Section. His research interests include computer architecture, systolic array architecture and protocol engineering.

Omar Rafiq received the Doctor ès-Sciences degree in computer science from the University of Bordeaux-I in 1983. From 1974 to 1978, he was an assistant professor at the University of Bordeaux-I. From 1979 to 1980, he was a consultant to industry. From 1981 to 1983, he was a member of the French national research project RHIN, Paris, and he served as an expert member in the ISO FIX working group. From 1984 to 1986, he was responsible for the design and implementation of OSI testing tools at the French manufacturer Bull, and he participated in the ESPRIT CSA project. Since 1987, he has been a professor of computer science at the University of Pau, France. His research interests include computer networks, protocol specification, verification, implementation and testing. Dr. Rafiq served as the General Chairman of the French-speaking conference on protocol engineering CFIP in 1988 and 1991, and of the 6th IFIP International Workshop on Protocol Test Systems in 1993, and is a Co-Chairman of the 8th IFIP International Conference on Formal Description Techniques in 1995. He is the Editor-in-Chief of the Networking and Distributed Computing review, Hermes, Paris, France. He has chaired sessions at several conferences and served on program committees for conferences.