Probabilistic Model Checking of the CSMA/CD Protocol Using PRISM and APMC

Marie Duflot, Laurent Fribourg, Thomas Herault, Richard Lassaigne, Frédéric Magniette, Stéphane Messika, Sylvain Peyronnet, Claudine Picaronny
2005 Electronical Notes in Theoretical Computer Science  
Carrier Sense Multiple Access/Collision Detection (CSMA/CD) is the protocol for carrier transmission access in Ethernet networks (international standard IEEE 802.3). On Ethernet, any Network Interface Card (NIC) can try to send a packet in a channel at any time. If another NIC tries to send a packet at the same time, a collision is said to occur and the packets are discarded. The CSMA/CD protocol was designed to avoid this problem, more precisely to allow a NIC to send its packet without
more » ... cket without collision. This is done by way of a randomized exponential backoff process. In this paper, we analyse the correctness of the CSMA/CD protocol, using techniques from probabilistic model checking and approximate probabilistic model checking. The tools that we use are PRISM and APMC. Moreover, we provide a quantitative analysis of some CSMA/CD properties. Interface Cards (NIC) may be connected via the same channel. Since two NICs may send packets simultaneously, collisions may occur, thus discarding both packets. Both the NICs will detect this collision, but cannot re-send the packets at once, since it would induce a new collision. So, when a collision happens, the CSMA/CD protocol forces each NIC to pick at random an integer-valued delay from a bounded interval, and to wait for a length of time proportional to this integer-valued delay before re-sending the packet. This paper considers an application of probabilistic model checking techniques to the verification of the IEEE 802.3 CSMA/CD protocol. Here, we are interested in establishing quantitative properties of the protocol, such as computing the probability that a given event occurs before a certain deadline. Other values are also computed, like the maximum expected time needed to send a packet. Following [21, 23] , we model the protocol in the framework of probabilistic timed automata (PTA). PTA [24] are extensions of timed automata [1] which incorporate probability distributions of discrete transitions. A PTA has an infinite number of states due to the presence of real-valued clock variables. However, for the class of reachability properties that we consider here, one can always derive an equivalent finite-state transition system (see [23] ). We adopt here a method (referred to as "integer semantics" method, in [8, 23, 22] ), where clocks are viewed as counters storing non-negative integer values, which increment as time passes. The PTA modelling the system then reduces to a finite-state Markov decision process [10]. We then use the model-checking tool PRISM [30] in order to analyse the resulting Markov decision process for the CSMA/CD protocol. However, the original constants used by the protocol lead to a model of prohibitively large size. Therefore, the verification with PRISM requires to divide all the time constants by the length of some "time unit" before performing the verification. A way to partially alleviate this limitation consists in removing the sources of nondeterminism, replacing nondeterministic choices (originating from the timed transitions and the asynchronous product of components of the system) by probabilistic distributions. The underlying Markov decision process then becomes a "fully probabilistic system" (or, in other terms, a Markov chain), and can then be analysed via the tool APMC [13] . The same input format (Reactive Modules, [2]) is used for processing the model in both tools.
doi:10.1016/j.entcs.2005.04.012 fatcat:wxr6oba4jzewbcaa2yzqz7c5wy