Conference Report
Protocol Specification, Testing and
Verification
The need for standards in computer communica-
tion systems and the growing complexity of func-
tion covered by these standards have created a
burgeoning demand for carefully conceived tech-
niques to specify, design, verify, implement and test
protocols. The Workshop at the IBM Zurich Research
Laboratory in Rüschlikon, Switzerland from
May 31-June 2, 1982, was the third in an annual
series of workshops organized under the auspices
of the IFIP Working Group 6.1 devoted to this theme.
The lectures presented at the meeting ranged in
subject matter from theoretical advances in proto-
col representation and verification to reports of
practical experience with protocol testing systems.
The participants came from a wide variety of institu-
tions, including universities, government laborato-
ries and computer manufacturers in ten different
countries.
We present below a detailed report on the lec-
tures presented at this workshop.
Protocol Theory and Analysis
Interval Logic
A new interval-based temporal logic was pre-
sented by R.L. Schwartz, P.M. Melliar-Smith and
F.H. Vogt (SRI International, Calif., U.S.A.). The
logic stems from their experience in using temporal
logic for specifying protocol standards. The
use of intervals to establish a context for temporal
assertions provides a high-level structure for proto-
col specification. In their lecture, entitled "Interval
Logic: A Higher-Level Temporal Logic for Proto-
col Specification", Schwartz, Melliar-Smith and
Vogt presented an informal introduction to the
logic and illustrated it with examples of asynchronous
queues and the Alternating Bit protocol.
North-Holland, Computer Networks 8 (1984) 57-65
Selection/Resolution Model
In a lecture entitled "A Calculus for Protocol
Specification and Validation", S. Aggarwal, R.P.
Kurshan and K. Sabnani (Bell Laboratories, N.J.,
U.S.A.) described first the main features of the
selection/resolution model. The classical alternat-
ing bit protocol, described in fairly realistic detail,
was then used to illustrate the specification, analy-
sis and "validation" techniques. Aggarwal, Kurshan
and Sabnani included the service specification for
the upper layer, the peer level protocol and the
requirements from the lower layer in their descrip-
tion of the protocol. The alternating bit protocol
was initially described in terms of a dozen simple,
concurrent, interacting processes, four being
buffers with an indeterminate number N of states
and the remainder having 2 or 3 states each. Next,
Aggarwal, Kurshan and Sabnani showed how their
coordinated behavior can be computed. A reach-
ability analysis was performed to obtain the states
reachable from the initial states. Methods to
analyze the protocol were also discussed. The
"validity" of the specification, relative to a form-
ally defined "task" derived from the service speci-
fication to the upper layer, was proved in terms of
properties of the trajectories of the component
processes.
Language
According to S. Aggarwal, R.P. Kurshan and D.
Sharma (Bell Laboratories, N.J., U.S.A.), the selec-
tion/resolution model for concurrent processes can
be used, in theory, for design, specification, analy-
sis and implementation of complex concurrent sys-
tems, assuming the availability of supporting
software. Such software, they said, must faithfully
represent the model and yet have sufficiently effi-
cient storage structures and operations to be via-
ble. To be of practical use, it also must have a user
interface with mechanisms for error control, nam-
ing and "system development" including the de-
velopment of hierarchical structures and the ability
to compare different versions of components. Ag-
garwal, Kurshan and Sharma described an ongoing
effort to design such a software system. It will be a
general coordination analyzer and specifier (thus
named COSPAN) not limited to protocols. Their
lecture was entitled "A Language for the Specifi-
cation and Analysis of Protocols".
Modelling Elapsed Time
In another presentation, S. Aggarwal and R.P.
Kurshan noted that in the analysis of communica-
tion protocols, it is often useful to incorporate
timing information that specifies the elapsed time
associated with sequences of operations. For ex-
ample, they said, in order to determine the proper
setting of a timer, one needs information on the
expected elapsed time between message transmis-
sion and acknowledgement. In a lecture entitled
"Modelling Elapsed Time in Protocol Specifica-
tion", Aggarwal and Kurshan described how timing
information may be modelled, using the formal
selection/resolution model for concurrent
processes, a semantically precise mathematical
model of coordination. The classical alternating
bit protocol was used to illustrate the concepts.
Step-Wise Refinement
M.G. Gouda (University of Texas at Austin,
U.S.A.) considered the problem of constructing
two finite-state machines that communicate by
exchanging messages via two, one-directional, un-
bounded, FIFO channels. The two machines,
Gouda explained, should be constructed such that
their communication is guaranteed to progress in-
definitely. Gouda discussed a methodology to solve
this problem by a succession of refinement steps.
At each step more nodes and edges are added to
the two machines constructed so far; this con-
tinues until the required two machines are realized.
Gouda illustrated the usefulness of this methodol-
ogy by using it to construct two communicating
machines which model the call establishment/clear
protocol in X.25.
Specification and Formal Models
Power
Two formal techniques for modelling of concur-
rent systems were compared in a lecture presented
by R. Gustavsson and B. Pehrson (Uppsala In-
stitute of Technology, Sweden). The two tech-
niques are Communicating State Machines and
Calculus of Communicating Systems (CCS). A
variant of the Alternating Bit (AB) protocol was
used as an illustrating example. The service speci-
fication was stated in both formalisms. Implemen-
tation specifications were designed from an infor-
mal protocol specification. The behavior of the
composed entities was given in each formalism
and transformed within each theory, i.e. structural
reduction or deduction rules were used. Gustavsson
and Pehrson showed that, apart from liveness, the
implementation specifications are observation
equivalent to the service specification. In the
CCS-based example, it was shown how interval
temporal logic can be used to achieve proofs of
total correctness. Both techniques, Gustavsson and
Pehrson pointed out, support incremental design
which is desirable in an interactive design system.
Structural Reduction
B. Pehrson (Uppsala Institute of Technology,
Sweden) presented a technique to reduce the func-
tional descriptions of a set of connected compo-
nents into a less complex functional description
for the composed system. The technique was dem-
onstrated by verifying the data link service pro-
vided by the alternating bit protocols. The proto-
col specification is reduced into the specification
of a queue. Pehrson explained that the basic idea is
to abstract away all events which do not affect the
behavior of the composed system according to a
given equivalence criterion. According to Pehrson,
the technique provides a powerful tool for mecha-
nizing formal synthesis and verification in a
hierarchical manner. It has so far been used to-
gether with abstract machine descriptions with a
finite number of transitions. Pehrson's lecture was
entitled "Abstraction by Structural Reduction".
Structured Finite State Automata
S. Budkowski (Warsaw Technical University,
Poland) and E. Najm (Agence de l'Informatique,
Project RHIN, Paris, France) presented and formalized
a new modelling technique, called Structured
Finite State Automata (SFSA), which permits
finite state automata to be structured so that
operations such as direct coupling and projections
of various sorts may be easily described and
accomplished. Budkowski and Najm also briefly
illustrated and commented on how the techniques
may be applied to describe and validate Distrib-
uted Communication Systems. A simple example
was given of the techniques applied to validate the
cooperation of Session/Transport adjacent entities
in a local system.
Constructive and Executable Specifications
L. Logrippo (University of Ottawa, Canada)
discussed some problems connected with the for-
mal specification of protocol services and pro-
posed some possible solutions. He introduced the
concepts of "constructive" and "executable"
specifications, and presented a model for the "con-
structive" specification of protocol services that is
based on the combined use of finite-state trans-
ducers and abstract data types. The example
Logrippo used is the OSI transport layer service.
His lecture was entitled "Constructive and Execu-
table Specifications of Protocol Services by using
Abstract Data Types and Finite State Trans-
ducers".
Behavioral Description Language
The Behavioral Description Language applies a process
algebra to the specification of protocols in
distributed systems. G. Karjoth (University of
Stuttgart, F.R.G.) explained that each system
component is described solely by its interactions,
which are observable in the outside world and
represent multi-way synchronized communication
over explicit interaction points. The
semantics of the language are defined by temporal
logic axioms, using Wolper's relativization proce-
dure. According to Karjoth, they provide a
mathematical framework for the analysis of proto-
cols and for developing logical systems for proving
their properties.
Theory and Applications of Petri Nets
Tools and Studies
The use of Petri Net Analyzer, PNA(8), in
analysis of ECMA-75, was discussed by M. Ant-
tila, H. Eriksson, J. Ikonen, R. Kujansuu, L. Ojala
and H. Tuominen (Helsinki University of Technol-
ogy, Finland). Extensions to PNA were presented,
which include an automatic "Petri net compiler".
With that one can describe a protocol with a more
powerful Petri net (Pr/T-net) and compile it to a
simpler one (P/T-net) in order to analyze it. Ant-
tila et al. also discussed the development of a
timed Petri net analyzer which is mainly devoted
to the performance analysis of protocols. They
described the work of developing tools for a Petri
Net laboratory and showed an approach that uses
temporal logic to describe Petri nets.
Timed Petri-Nets
B. Walter (University of Stuttgart, F.R.G.)
introduced several types of Timed Petri-Nets for
modelling network protocols that make extensive
use of timers as well as of the time behavior of the
physical system. Timed Petri Nets, Walter noted,
are ordinary Petri Nets with additional elements
for modelling time. Three types of nets were con-
sidered in the lecture: (1) Condition Event Nets,
(2) Place Transition Nets and (3) Predicate Transition
Nets. Walter showed how to analyze Timed
Petri Nets and how to check the validity of the
modelled timers. His lecture was entitled "Timed
Petri-Nets for Modelling and Analyzing Protocols
with Real-Time Characteristics".
Communication Protocols
M. Menasche and B. Berthomieu (Centre Na-
tional de la Recherche Scientifique, Toulouse,
France) concentrated in their lecture on modelling
and proving correct concurrent systems in which
time appears as a parameter, such as communication
protocols. Merlin's Time Petri nets were used
for modelling these systems and a recently developed
enumerative method was employed for
analyzing their behavior. In the lecture, "Time
Petri Nets for Analyzing and Verifying Time De-
pendent Communication Protocols", Menasche and
Berthomieu applied the method to the specification
and verification of a data transfer protocol and a
bus allocation protocol.
ISO Transport Service
A formal specification of the ISO Open Systems
Interconnection Transport Service (TS) Definition
was presented by J. Billington (Telecom
Australia Research Laboratories, Victoria,
Australia). The Specification applies to a single
instance of a connection. Six phases of the connec-
tions were specified by simple separate Numerical
Petri Nets (NPNs) which may be easily combined
to obtain the total specification. The invocation of
a service primitive, noted Billington, has been asso-
ciated with the firing of a transition using a label.
The execution of the NPN then describes the
allowable sequences of TS primitives and the rela-
tionship between TS primitives at both ends of the
connection.
Validation and Verification
VADILOC
One important step in the methodology for
description and implementation of OSI-oriented
communication protocols as introduced by O.
Rafiq and J.P. Ansart (Agence de l'Informatique,
Projet RHIN, Paris, France) is the translation of
the informal description (i.e. in natural language)
into a description using an extended finite
state automaton with predicates. This automaton
describing the behavior of an entity for one con-
nection is first checked for correctness before it is
used for a description based on a programming
language and for protocol validation. After having
established the list of the operations to be per-
formed on such an automaton, a first interactive
tool has been built to reduce the amount of time to
be spent by a protocol designer before having a
"correct" state automaton. This tool, called
VADILOC/Bs (basic system), described by Rafiq
and Ansart, is based on classical algorithms for
graph manipulations (AhUL 75) and protocol
validation using reachability graph (Zall 80) and is
additionally able to generate the skeleton of a
program in ADA, Pascal and PDIL (ARCh82).
Initialization Procedure
A.E. Baratz and A. Segall (IBM Thomas J.
Watson Research Center, N.Y., U.S.A.) began their
lecture by reaffirming that HDLC and other bit-
oriented DLC procedures ensure data transmis-
sion reliability on noisy links provided that all
transmission errors are detected and the link
processes are synchronized at initialization. Baratz
and Segall showed in their lecture that the HDLC
initialization procedure does not ensure synchroni-
zation and thus allows inadvertent loss of data.
They then proposed a new link initialization pro-
cedure and proved that it does ensure synchroniza-
tion. Their lecture was entitled "A Reliable Link
Initialization Procedure".
Protocols Against Services
H. Eckert and R. Prinoth (Gesellschaft für
Mathematik und Datenverarbeitung, Darmstadt,
F.R.G.) presented a short introduction of a speci-
fication tool for communication protocols, in par-
ticular for those protocols having a potentially
unbounded set of reachable states. The mathe-
matical foundation of the specification method is
such that it is possible to compare different speci-
fications of the same protocol by means of homo-
morphisms. Eckert and Prinoth next presented a
verification method which combines the developed
specification tool and the structuring principles of
the ISO-reference model. The main feature of the
method is that it makes possible the proof that a
protocol provides a service and uses an underlying
service correctly. A complete system for the auto-
mated verification of protocols has been imple-
mented. Eckert and Prinoth lastly presented an
example which illustrated both the specification
and verification method.
Automated Verification
In a lecture entitled "Experience with Auto-
mated Protocol Verification", C.A. Sunshine (Uni-
versity of Southern California, Marina del Rey,
U.S.A.) applied four automated verification sys-
tems to a common set of communication protocols
to assess their capabilities. The systems and their
key features were Affirm (abstract data types),
FDM (Ina Jo - abstract machines), Gypsy (buffer
histories), and Concurrent State Delta (temporal
logic, symbolic execution). Each system showed
different strengths in specifying protocols and
verifying their correct behavior. Sunshine's experi-
ence shows that important features of real proto-
cols can be handled by current automated systems,
but a great deal of effort and ingenuity is required,
and further development efforts are needed before
real protocols can be fully and routinely verified.
Logic Specifications
D.P. Sidhu (SDC - A Burroughs Company,
Paoli, Pa., U.S.A.) discussed the use of logic programming
techniques in the specification and
verification of communication protocols. The protocol
specifications discussed are formal and directly
executable. According to Sidhu, the advantages
of executable specifications are: (1) the
specification is itself a prototype of the specified
system, (2) incremental development of specifica-
tions is possible, (3) behavior exhibited by the
specification when executed can be used to check
conformity of specification with requirements.
Sidhu discussed Horn clause logic, which has a
procedural interpretation, and the predicate logic
programming language, PROLOG, to specify and
verify the functional correctness of protocols. The
PROLOG system possesses a powerful pattern-matching
feature which is based on unification.
Protocol Performance
Industrial Local Networks
Industrial local networks have to be built using
low cost interfaces since they are designed to con-
nect cheap control process devices. According to
G. Florin, S. Natkin, A. Woog and J. Attal (CERCI
and CNAM, France), Integrated Circuits for
CSMA-CD protocol are now available and would
be very useful for such applications. The major
problem which arises with CSMA-CD, Florin et al.
contend, is the non-deterministic bound of the
response time. Whether CSMA-CD techniques are
adequate for control process applications can be
validated only by probabilistic techniques. Florin
et al. presented general methods to validate
CSMA-CD industrial networks response time
characteristics. These methods were applied to a
highly constrained application (the control of an
energy power plant). The lecturers discussed the
characteristics of control process applications, the
probabilistic assumptions to be validated and the
statistical tests to check such assumptions and the
simulation of the transient behavior of Ethernet.
Main numerical results were also presented.
Automated Prediction
H. Rudin (IBM Zurich Research Laboratory,
Rüschlikon, Switzerland) described some first steps
in using a formal protocol definition as the basis
for the automated prediction of protocol performance.
By considering a simple example, Rudin
presented a technique for predicting protocol performance
directly and automatically from the kind
of formal machine-readable definition now often
being used for concise protocol specification.
Rudin's lecture was appropriately entitled "From
Formal Protocol Specification Towards Auto-
mated Performance Prediction".
Protocol Design and Implementation
Couple Service-Protocol
G. Juanole and B. Algayres (C.N.R.S., Toulouse,
France) dealt with the design of Transport
Service-Transport Protocol couples. This couple was
emphasized because the design of a protocol is closely
bound to the service it provides. Juanole and
Algayres presented a three level model, which provides
insight into the design specification and
provided a method to specify well designed couples.
One important result states the conditions under which
protocols either with a two-way handshake scheme
(with one or two types of messages) or with a three
way handshake scheme (with two or three types of
messages) have to be used. Finally, Juanole and
Algayres presented a Petri net model of a couple
which uses a three way handshake scheme: it
makes visible the relations between the service
and the protocol and allows the verification of the
logic of their interactions.
MODIAC
W. Ansaldi, M. Olobardi, A.M. Traverso
(Ansaldo S.p.A., Genova, Italy) and C. Boccalini (I
& O, Genova, Italy) described a project which is
part of the Computer Science Program PFI co-
sponsored by CNR, the Italian National Council
of Research. Within the subprogram P3A, several
research and industrial groups are contributing to
the development of a distributed computing sys-
tem for industrial automation and process control.
The system described, called MODIAC, is a local
area network whose stations can be configured as
mono- or multiprocessor nodes based on the Z-
8000 microprocessor. Ansaldi, Boccalini, Olobardi
and Traverso described the choices made about the
transport layer design and the considerations which
led to them. They also described the services pro-
vided by the transport layer in comparison with
the ECMA-72 standard. They then gave a detailed
description of the implementation aspects and de-
scribed the internal architecture of the transport
layer.
Transport Protocol
F.M. Restorick (Plessey Office Systems plc,
Nottingham, U.K.) described the method used to
implement a transport layer protocol in the 8086
assembly language. The protocol implementation
works under a multi-tasking executive and consists
of a funnel stepper, a state table, and a collection
of action modules. This approach, as well as reduc-
ing the processing time necessary to interpret the
protocols, allows easy implementation of a trace
facility to be included in the system at debug time,
and allows coding of the action modules to be
pooled between many programmers at the design
stage, according to Restorick. The method used to
realize the state tables in 8086 assembler and the
function of the funnel stepper was described in
detail. Restorick also covered the method used to
test the system.
Integrated Systems
CIL Approach
The CIL approach for the development of com-
munication services, described by H. Krumm and
O. Drobnik (Universitaet Karlsruhe, F.R.G.), is
based on the special programming language CIL
(Communication Service Implementation Lan-
guage) and a CIL-compatible theory of program
execution. The programming language provides
for structuring concepts to support the design and
the implementation of services. The theory con-
tains a logical language to express specifications
and axioms of program semantics, an event-ori-
ented model of program execution, and a first-
order predicate calculus to perform verification by
means of deduction in the calculus. Krumm and
Drobnik introduced the language CIL in their lec-
ture and presented the theory and its application
to specification and verification.
NIL Language
R.E. Strom and S. Yemini (IBM T.J. Watson
Research Center, N.Y., U.S.A.) discussed the fea-
tures of the NIL language which make NIL
valuable during the design, implementation, vali-
dation and testing phases of communication sys-
tems. These features include: (1) a process model
in which shared or global data does not exist,
thereby supporting concurrency and modularity in
a single construct; (2) queued communication,
which eliminates the need to assume "global time"
in an otherwise distributed system. This results,
Strom and Yemini said, in a high degree of uncou-
pling between modules and permits truly modular
verification of NIL systems; (3) run-time opera-
tions for loading processes and binding communi-
cations channels; (4) full specification of inter-
module interfaces, and complete compile-time
checking of the consistency between code and
interfaces; (5) typestate checking, a subset of pro-
gram verification performed automatically by a
NIL compiler, which limits the extent to which
unvalidated programs can corrupt validated ones
through dangerous side-effects. Strom and Yemini
also discussed their experience in using NIL as
both a design and an implementation language for
SNA.
LC/1
J.M. Ayache and J.P. Courtiat (CNRS, Tou-
louse, France) described the basic features of
"LC/1, A Specification and Implementation Lan-
guage for Protocols". The language supports a
global approach including the protocol specifica-
tion, validation and implementation. It is based on
the use of the ISO reference model and on the use
of Petri nets. The originality of the approach,
Ayache and Courtiat commented, results from Petri
nets (deduced from the specification) being used
not only for validation, but also for simulation
(where the simulator kernel controls the evolution
of the net markings) and for the implementation
test which can be considered as a simulation con-
ducted by events observed on a communication
medium.
CUPID Environment
Y. Yemini and N. Nounou (Columbia Univer-
sity, N.Y., U.S.A.) described research conducted
towards Columbia's Unified Protocol Implementa-
tion and Design (CUPID) environment. CUPID
research aims at the integration and automation of
protocol design and implementation tools. CUPID
uses an algebraic representation of protocols based,
in part, upon a variant of Milner's calculus of
communicating systems (CCS). Communication
behaviors are represented in terms of expressions
of a universal algebra. A key notion to the auto-
mation of protocol development functions is that
of a valuation over the algebra of communication
behaviors. Yemini and Nounou explained further
that a valuation maps communication behaviors to
expressions in other algebras. This allows one to
proceed and compute attributes of communication
behaviors over the respective algebras using a for-
mal valuation process. Yemini and Nounou pro-
vided a brief introduction to CCS in the context of
modelling protocol behaviors. This was followed
by a brief summary of how the algebraic valuation
mechanism may be used to support the different
functions of a protocol design environment: multi-
ple concurrent specifications, automated func-
tional and performance analysis and automated
test generation and performance simulation.
Pandora System
In a joint project with the Netherlands PTT,
the Delft University of Technology is developing
an interactive protocol design and analysis system
called "Pandora". The system, described by G.J.
Holzmann and R.A. Beukers (Delft University of
Technology, The Netherlands), provides users with
a controlled environment for protocol synthesis
and formal analysis, and offers both software and
hardware tools for protocol assessment. Pandora
can assist the user in the documentation of proto-
col designs by autonomously extracting SDL-dia-
grams, and the system has a set of tools for the
generation of executable protocol implementations
from abstract specifications.
Automated Technique
T.P. Blumer and D.P. Sidhu (SDC - A
Burroughs Company, Paoli, Pa., U.S.A.) presented
an overview of an automated technique for the
specification, implementation, and verification of
protocols. They concentrated on the new protocol
verification software developed for use with this
technique and described the application of this
software to a real world communication protocol.
Blumer and Sidhu gave their "Experience with an
Automated Protocol Development System".
PDIL
A brief overview of the basic concepts of the
PDIL language was given by J.P. Ansart, V. Chari
and D. Simon (Agence de l'Informatique, Project
RHIN, Paris, France) by way of an example of a
description. The basic ideas underlying the PDIL
translator were outlined. This translator is now
available on a Multics system. Ansart, Chari and
Simon also explained how they passed from a
PDIL formal description to implementation by
dealing with all the choices, e.g. the number of
entities, the number of connections for a config-
uration. Their lecture was entitled "From Formal
Description to Automated Implementation Using
PDIL (Protocol Description and Implementation
Language)".
Protocol Testing
Layer-Independent Architecture
S. Palazzo, P. Fogliata and G. Le Moli (CREI,
Politecnico di Milano, Italy) introduced an archi-
tecture for a system performing the testing of a
generic OSI layer. They showed that the system
proposed can be used to test the protocol imple-
mentations in terms of both protocol testing and
service testing, either in debugging or in certifica-
tion phase. The structure of the system is designed
in such a way as to point out what is independent
from the layer in which the protocol being tested
lies. Lastly, Palazzo, Fogliata and Le Moli de-
scribed the functional specification of the modules
composing the system.
Testing and Diagnosis
According to A. Giessler (Gesellschaft für
Mathematik und Datenverarbeitung, Darmstadt,
F.R.G.), free communication in open systems re-
quires international standards for communication
protocols and communication services and also
communications products which are in confor-
mance with these standards. Giessler gave an over-
view of a special protocol tester which has been
developed by the GMD within the TESDI project
(TESting and Diagnosis aid for higher level pro-
ject). The following subjects were discussed: the
concept of the protocol tester, the applied testing
method, the different testing functions, the used
implementation concept, and an example of a
teletext (transport layer) test.
Test Sequence Generation
H. Ural and R.L. Probert (University of Ottawa,
Ontario, Canada) presented a computer-assisted
approach for generating test sequences from
specifications of communication protocols and
services. The approach is based on using attri-
buted context-free grammars and is directly appli-
cable in a logic programming environment. The
approach, explained Ural and Probert, involves
constructing test sequence specifications in attri-
buted context-free grammars, implementing these
specifications in logic programming as generators,
and executing the generators in a controlled fash-
ion to generate test sequences. Ural and Probert
illustrated the approach on transport service and
protocol specifications. Benefits include improve-
ments in test design, specification, documentation
and management.
Specification Language
In another lecture R.L. Probert and H. Ural
(University of Ottawa) examined the applicability
of the notion of a test specification language to
various issues in the testing of protocol implemen-
tations. Sources of language design constraints,
such as limitations imposed by the test session
architecture, were discussed. Probert and Ural also
discussed the effect of relationships among lan-
guage features, degree of distribution of test con-
trol, the design properties of test support tools,
and test initialization and reporting requirements.
Some comparisons were made to attributes of a
typical test specification language used for soft-
ware testing. The lecture concluded with a pro-
gress report on a prototype test specification lan-
guage for specification-based testing of protocol
implementations.
Qualitative Validation
Experience in the checking of X.25 networks,
such as TRANSPAC or X.75 international gateways
(NTI, RCA, ITT, WUI) has led J.-F. Billiard
(CAP Sogeti Logiciel, Rennes, France) to design a
simple testing method. Billiard presented four basic
rules from the method, rules which he has found
useful to obtain significant validation results. The
various tests can be sorted into two classes,
according to Billiard: (1) qualitative tests and (2)
load acceptance tests. Qualitative tests, which were
handled in the lecture, are designed to control the
"communication machine" - node, network, host
or gateway, to observe its protocol (CCITT X.25,
for instance) and to see that its supplied facilities
such as routing, billing, statistics, etc. are correct.
SNA Products
R.M.S. Cork (IBM United Kingdom Laborato-
ries Ltd., Winchester, U.K.) focussed on the evolv-
ing specification of IBM's System Network Archi-
tecture (SNA), some of the tools which have been
developed to exploit the advances in specification
and the impact these tools have had on the testing
and implementation of SNA products. At the pre-
sent time, a Format and Protocol Language
(FAPL) is used for SNA specification. This lan-
guage, Cork noted, is used not only in IBM's
external publications which describe the architec-
ture, but also in the production of a machine-read-
able, executable description of SNA. After consid-
eration of a theoretical approach to product proto-
col testing involving this executable definition,
Cork described some of the techniques which have
been applied in the real world of IBM products
and looked to the future, both within IBM and in
non-SNA-related projects.
Routing Certification
According to G.A. Harvey (Digital Equipment
Corporation, Mass., U.S.A.), every node in a com-
puter network must follow the protocols specified
by the architecture. Consequently, a system capable
of automatically certifying the architectural con-
formance of an arbitrary implementation would be
valuable. Harvey described the design and con-
struction of a routing certification system (RCS)
for testing conformance of a node to selected
aspects of the Routing Layer protocol, as specified
by the Digital Network Architecture (DNA) of
Digital Equipment Corporation. The only restric-
tions placed upon the implementation to be certi-
fied are that its Physical Layer and Data Link
Layer are those described in the Phase IV DNA.
Product Testing
G.W. Cowin, R.W.S. Hale and D. Rayner (Na-
tional Physical Laboratory, Teddington, U.K.) in-
troduced the concept of an Assessment Centre for
testing Open Systems Interconnection (OSI) proto-
col products. Physical architectures for assessment
were compared and the general logical architecture
was discussed. Different approaches were com-
pared for the design of "Test Responder" and
"Encoder/Decoder" modules, drawing on practi-
cal experience. Finally, Cowin, Hale and Rayner
gave a comparison of the two test definition meth-
ods in use at the National Physical Laboratory.
Conformance
Currently all conformance testing of protocol
implementations is subjective. According to D.
Rayner (National Physical Laboratory, U.K.), each
organization involved is likely to have its own
interpretation of what constitutes conformance to
a particular standard. The problem arises from
poorly defined standards. The definition of the
protocol itself is often confused with additional
procurement requirements for implementations of
the protocol. The elimination of this and other
sources of ambiguity was discussed in Rayner's
lecture. Rayner also provided a checklist which, he
believes, could assist progress towards an objective
understanding of conformance, and thus to the
definition of objective conformance tests.
Producing Tests
R.J. Linn and W.H. McCoy (National Bureau of
Standards, Washington, D.C., U.S.A.) explored
the problems associated with protocol test design,
semantics and completeness. They used a linguis-
tics approach utilizing a generative grammar aug-
mented with probability distributions associated
with the production rules and random selection to
produce test sequences for the NBS/ICST imple-
mentation of ISO Class 4 Transport protocol. Linn
and McCoy also presented advantages and limita-
tions of the methodology in their lecture, entitled
"Producing Tests for Implementations of OSI Pro-
tocols".
Testing Tools
At the Institute for Computer Sciences and
Technology (ICST) an architecture has been
specified for testing protocols of layers 4-7 within
the ISO Basic Reference Model of Open Systems
Interconnection. R.J. Linn and J.S. Nightingale
(National Bureau of Standards, Washington, D.C.,
U.S.A.) described specific tools within the test
architecture which has been developed and refined
using a prototype implementation of the ICST
Class 4 Transport Protocol. The language used for
executing tests is based on representations of the
service primitives of the layer under test. All possi-
ble combinations of service primitives can poten-
tially be specified using this language, according to
Linn and Nightingale. Errors are introduced into
the protocol under test in a controlled manner by
means of an Exception Generator which resides
between layers three and four at the Test Center.
The language which drives this tool provides the
mechanism to edit protocol data units. Linn and
Nightingale presented "Some Experience with
Testing Tools for OSI Protocol Implementations".
The Proceedings of this conference have been
edited by H. Rudin and C.H. West and published by
North-Holland under the title Protocol Specification,
Testing and Verification III, 1983. x + 532 pages.
ISBN 0-444-86769-4. Price: US $65.00
(USA/Canada)/Dfl. 170.00 (Rest of the world).