Verifying the progress properties of a heterogeneous protocol system in an internetworking environment

The rapid proliferation of computer networks has resulted in numerous homogeneous and heterogeneous networks coexisting today. To achieve interoperability between them, internetworking through the use of gateways has become a priority. The basic problem in designing a heterogeneous internetwork is the mismatch between the internal architectures of the component networks, known as protocol mismatch. An immediate solution is the incorporation of a protocol conversion mechanism into the gateway, giving rise to a heterogeneous protocol system consisting of two incompatible peer processes communicating via a converter sited between them. Verification of this system is necessary to ensure the proper design of the converter and the progress properties of the heterogeneous protocol. Using a communicating finite state machine (CFSM) model, we have studied the dynamics of a general heterogeneous protocol system, and we present a formal procedure to perform a fast reach ability analysis of the system for the purposes of its verification. Performing a reach ability analysis of a heterogeneous protocol system is a new dimension in protocol converter design, and the verification algorithm presented in this paper - a remarkable improvement upon the conventional technique ~ employs the reduction approach of a state transition graph representation of the CFSMs involved, hence the name reduced reach ability analysis. Two computer networks are said to be heterogeneous (homogeneous) if they are architecturally different (identical) and hence incompatible (compatible) from a protocol point of view. When the need for interconnection between heterogeneous networks across architectural or organizational boundaries was first recognized, the imminent disparity between their protocols, better known as protocol mismatch, posed the biggest problem. The complexity of the problem increases as the heterogeneity among the networks to be connected widens. A

gateway2 is a real system (a special node) that interconnects otherwise independent networks of homogeneous or heterogeneous types. The existence and usage of gateways for internetworking leads to the formation of a network of networks, called an internetwork (or simply an internet) that consists of all the networks interconnected by gateways. A heterogeneous internetwork is characterized as a group of networks, each having different architectures, protocols, user communities, but as a whole supporting some internetwork services over and above those intranetwork services relative to each network. Consequently, the user of a heterogeneous internetwork is confronted with protocols and services that lack uniformity in design. But the most important aspect of heterogeneous interconnection is the requirement of user transparency to this non-uniformity, with an aim of hiding the pitfalls of protocol mismatch from the normal users. To reach this goal, each gateway is equipped with a protocol conversion (or translation) mechanism, 4. Such a gateway is termed a protocol converter gateway, and this gives rise to a heterogeneous protocol system consisting of two incompatible peer processes communicating via a converter process. A converter gateway connects networks running different protocols by translating the messages of one network into the corresponding messages of the other network. A converter gateway may be a dedicated processor (or node) connected to both networks, or additional software residing in the existing processor of one or both of the networks. The design of an efficient protocol converter is, however, a very difficult proposition which is yet to be understood and solved in its entirety, as is evident from the literature. Moreover, the gravity of the problem is increasing at an alarming rate with the rapid proliferation of specific networks supporting a particular set of protocols and services. We have found that the designer of a protocol converter does not foresee all the structural properties of the design derived from the notion of semantic equivalence and completeness, in that the converter may be incomplete or logically inconsistent. Like protocols, one popular method to specify a

protocol converter is to model it as a communicating finite state machine (CFSM). This idea was first proposed by Green, but the method was first used by Lam and Groenbaek and later adopted and extended by 0kumura, Lam, Liu and others. Correspondingly, several algorithms to construct a converter CFSM from the given CFSM model of the protocols of networks A and B have been proposed in the literature. Among them, Okumuras algorithm is by far the most formal and robust bottom-up approach to producing an efficient converter. However, like every other finite state approach, an inherent limitation of Okumuras approach is the state space explosion, which results in a very high degree of computational complexity. This problem can be alleviated by the reduction of the state transition graph (STG) approach proposed by Saha and Dhar. Reduction lowers the complexity of the algorithm, and contains the state explosion to a considerable extent. This approach is the first of its kind in the literature. It is simple, formal, and can be automated easily. The same reduction technique can also be used in the verification of the conversion system described in this paper.

A successful development methodology for a proper protocol conversion system involves the validation of the converter model derived. A converter is said to be valid if the heterogeneous protocol system has the required progress properties. A converter which causes protocol errors such as deadlock is invalid, and should be eliminated. To verify that a heterogeneous protocol system is logically correct, representing the protocol processes and the converter by CFSMs and then constructing a reach ability graph (RG) &I8 is one of the most straightforward ways. This paper concerns a novel technique to carry out a reach ability analysis of the heterogeneous protocol system in a much faster way than using conventional methods. Under the assumption that the given protocol processes are valid, we employ a reduction technique to construct the reduced CFSM model of the system and build a reduced reach ability graph (RRG) to verify the reduced heterogeneous protocol system, thereby minimizing both computing time and space.

FORMAL MODEL In a communication network, the common goal of a protocol is the successful exchange of messages between two interacting processes. The CFSM model is the simplest of all the formalizations used to date to model the protocols. In this model, the protocol entities are formally specified as automatons which exchange messages through unidirectional bounded FIFO queues. This method has been used widely by researchers in protocol specification, verification, testing and conversion. Easy to understand and implement, it has also been found to be effective in treating protocol conversion problems. A CFSM is formally defined as a four-tuple, F = (S, M, I, 6), where S is the finite set of states of the machine, M is its set of messages, I is its initial state: I E S, and 6 is a non-deterministic partial state transition function mapping, p: (S x E) + s, where E= {m v fm ) m E M} is an alphabet consisting of all of the machines input/output operations. The transition function 6 for an event e E E at state 5 E S written as 6 (~,e),actually represents the next state reached by machine F after executing event e at state s. Set E is also known as the set of events of the machine. An output (input) operation is basically a message transmission (reception) event, and is identified, for readability purposes, by a minus (plus) sign before the message name. A CFSM is schematically represented by an STG G = < V, E>, where V is the set of vertices representing the process states and E is the set of edges representing transitions between states. Each edge is labelled by an event e, belonging to E, which causes the state transitions. The node corresponding to the initial state I is designated as the initial node, and every other node should be reachable by a directed path from the initial node. A CFSM starts from its initial state and, when in a given state, it can execute any of the operations labelling the outgoing transitions from the state. If e E E is the label of an edge connecting one state sl to another state ~2, then its front state is 52 and its rear state is 51. Let the set of outgoing (incoming) edges from (to) state 5 be out(s) (in(s)). The front (rear) states of the edges in out(s) (in(s)) are called the successor (predecessor) states of 5, written

as succ(s) (pred(s)). Given a conversion seed CFSM FX = (SX, IX, Ex, px) for a protocol conversion between two protocols A and B, the messages present in the input/output operations of the conversion seed are defined as significant for that conversion seed. Obviously, the set of significant messages is a function of Ex, and varies from one seed to another. An operation involving a significant message is called a significant operation, and an edge labelled by a significant operation is known as a significant edge. Otherwise, it is an insignificant edge. A protocol system consists of a network of protocol entities connected through bidirectional channels the most obvious characteristic of a protocol system is its extreme abstract nature, realize mathematical models. In one such abstraction the protocol entities are modeled as CFSMs, and each bidirectional channel is modeled as a pair of unidirectional FIFO queues. This is known as the CFSM model of protocol. In this model, a protocol system is completely specified by a set of CFSMs and a set of unidirectional FIFO queues, where two CFSMs communicate with each other through a pair of FIFO queues. The CFSMs change states by sending or receiving messages, and the queues hold messages sent by one CFSM but not yet received by the other in each direction. The CFSM corresponding to a protocol process is better known as the protocol machine, and its STG representation is similarly known as the protocol graph (PG) of the process. Verification is a procedure to detect the logical errors present in a protocol system specification. Many different ways have been suggested for performing automated protocol verification. Most successful techniques are based on some form of reach ability analysis by the symbolic execution of the CFSM description of the protocol. The first method of this type was the duologue matrix analysis. This technique was later expanded for multiple processes and for cyclic behaviour into the perturbation analysis method. In this method, the system behaviour is described by global state transitions, where each global state includes a control flow state for each CFSM in the model and the entire message contents in the channels. The interaction must start from the initial global state, where each process is in

its initial state and all the channels are empty. Let G denote the set of all global states of the protocol system. The global states change due to the occurrence of an event in any of the CFSMs in the network. These global state transitions define a directed graph on G. Given any initial global state g,, the portion of the graph that is reachable from g, is referred to as the reach ability graph (or reach ability tree), T. T contains all the information available on the logical properties of the protocol system. Further details on reach ability can be found elsewhere. All these techniques have one main problem in common, viz. the state space explosion. A large number of global states is required to describe the system behaviour. Even an automated analyzer is insufficient to allow for the exhaustive validation of complex protocol systems with a large number of states. This problem can be alleviated by using protocol projection and an image protocol. However, image protocols deal with homogeneous protocol systems, and it is difficult to extend them for use in a protocol conversion system. To perform reach ability analysis of heterogeneous protocol systems, conventional perturbation analysis can be enhanced by the reduction of protocol graphs employed during protocol converter construction. HETEROGENEOUS SYSTEM PROTOCOL

We distinguish the protocol system of a homogeneous network from that of a heterogeneous network by the number of CFSMs and queues required to specify the system completely. A homogeneous protocol system consists of two processes PI and P2 obeying the same network protocol, and written [PI, P2]. In the CFSM model of this system (Figure I), we find two protocol machines F1 and F2, representing processes PI and Pz, respectively, interconnected by two unidirectional FIFO queues C1 and C2, where C, holds messages from process Pi to process Pj The dynamics of this homogeneous protocol system is abundant in the literature, and so omitted here for the sake of brevity. We extend the concept of a homogeneous protocol system to include converter processes, along with the protocol process, in order to model

the protocol behaviour in a heterogeneous network. A complete definition of a simple heterogeneous protocol system consists of a peer process PI of one network protocol [PI, P2], a peer process Q2 of another network protocol [Q1, Q2] a converter process R between PI and Q2, and two intervening bidirectional channels Cl and C2 connecting PI and R, and Q2 and R, respectively. Unlike the homogeneous case, a heterogeneous protocol is denoted by a triplet [PI, R, Q2]. The CFSM model of a heterogeneous protocol system is a network of three CFSMs, FO, F, and F2, representing the processes R, PI and P2, respectively, and two pairs of unidirectional unbounded FIFO queues (C10, C01) and (C20, C02), representing the channels Cl and C2, respectively, as shown in Figure 2. As usual, Fl and F2 are protocol machines and F. is known as the converter machine (CM). It is important to note that the converter process R is also modeled as a CFSM which communicates with both its partner CFSMs by exchanging messages. The peer protocol CFSMs do not exchange messages directly, as they are unable to do so due to their message mismatch problem. This is why they talk through the interpreter R, whose primary function is to translate messages from one protocol format to another without disturbing the semantics as much as possible. Similar to protocol graphs of Fl and F2, the converter machine F. is also represented by a state transition graph, called a converter graph (CG), as shown in Figure 3.

So the CFSM model of a heterogeneous protocol system is similar to that of a homogeneous protocol system, except for the intermediate converter machine (F0) and the extra queues required to incorporate it. The state transitions of F0 are also associated with the transmission and reception of messages, but unlike the protocol entities, the converter does not act as a message generator, rather it performs as a message translator. In general, reception of a message from one protocol process will initiate a transition in the converter, leading to its change of state followed by the transmission of message(s) to the other (or both) protocol process(es). Since a heterogeneous protocol system can be modelled as a network of three CFSMs, its dynamics can be described by the set of global states G and transitions between global states in the form of a reachability tree T. Let us represent the global state of a heterogeneous protocol system by <f1,x,y,f0,u,v,.f2>, where f1 is the present state of the CFSM Fi, and x, y, U, v are the strings of messages in the queues C10, C01, C20 and C02, respectively. An empty string is denoted by 1, and so the initial global state of [P1,Q2] is <I,, A, &IO, A, A, Z2>, where Zi is the initial state of CFSM Fi. The transition between global states can be defined by a precedence relation k between global states. A state g1 is said to follow state g = <.f1,x,y,f0,u,v,f2> over an event e, an outgoing edge of either of the nodes f1, f0 and f2, denoted as g F g, iff one of the following condition is satisfied. E is an edge from f1 to fl,labelled m and g=<f1,x,my,f0,u,v,f2>(. Is a concatenation operator)

E is a edge from f2 to f2 labelled m, and g= ,f,x,y,f0,u,m,v,f2> E is an edge from f1 to f1, labelled +m and g=<f1,x,y,f0,u,v,f2>,where y=(m.y) E is an edge from f2 to f2 labelled +m, and g=<f,x,y,f0,u,v,f2>,where u=(m.u) E is an edge from f0 to fo.labelled m and g= <f1,x,y,m,f0,u,v,f2>, if m M1,or g= <f,x,y,f0,u,v,m,f2>, if m M2 E is an edge from f0 to fo.labelled +m and g= <f1,x,y,m,f0,u,v,f2>, where x=(m..x) and if m M1,or g<f,x,y,f0,u,v,m,f2>,where u=(m.u) and if m M2

2. <fi,x,y,fo,u,m.v,f2>, where none of the outgoing edges of f2 is labelled +m, i.e. S2(f2, +m) is not specified in F2 for any message m in M2; 3. <fi,m.x,y,fo,u, v,f2>, where none of the outgoing edges of f0 is labelled fm, i.e. bo(f0, +m) is not specified in FO for any message m in Ml ; 4. <f1,x,y,f0,m.u,v,f2>, where none of the outgoing edges of fo is labelled +m, i.e. do(fo, +m) is not specified in F. for any message m in M2. A non-progress state is a deadlock state or unspecified reception state. A heterogeneous protocol system [Pi, R, Q2] is guaranteed to progress indefinitely when none of its reachable states are non-progress states. A heterogeneous protocol is said to have the required progress properties if it does not contain any unspecified reception or deadlock state.

Let go be initial global state. A state g is reachable iff there exists a sequence of states go, gi, . . . ,gk, and edges ei, . . . , ek, such that gi follows gi- I over edge ei: g;_ 1 F gi for i= 1,2,. . . , k and gk = g. It is briefly written as F g, where go F denotes the reflexive transitive closure of k. Let PI =e]],e]2,...,+, p2= e21,e22,...,e2, and PO = e01, e02,. . . , eo,, where eik is the edge in PI for i=O,1,2 and k= 1,2 ,..., r are paths in machines Pi, F2, and Fo, respectively. A state gj is reachable from state gi along paths PO, p] and p2, denoted by gi &gj, if there exists an interleaving of po, p1 and p2, written as LpOp,pz, such that g, is reachable from gi over LpOpp, z. The progress properties of a protocol system can be stated in terms of error conditions that may arise in the execution of the protocol. A protocol that is error free during execution is said to have the required progress properties. A tinite state heterogeneous protocol system can exhibit the following types of error conditions: (a) a deadlock state is a global state of the form < fi, A, A, fo, A, A, f2 > if none of the nodes fi, fo and f2 has an outgoing sending edge, i.e. Si(f;, -m) is not specified in Fi for all i and for any message m belonging to {MI U 442); (b) an unspecified reception state is a global state of one of the forms given below. 1. <fi,x,m.y,fo,u,v,f2>, where none of the outgoing edges off, is labelled +m, i.e. S1,(f1, +m) is not specified in F1 for any message m in Ml;

VERIFICATION ALGORITHM The protocol converter synthesis algorithm based on the reduction technique? consists of the following steps: 1. Input of the protocol CFSMs P2 and Qi and the conversion seed X7. 2. Formulation of reduction rule based on X and the construction of reduced CFSM P2 and Ql 3. Derivation of a reduced CFSM model of converter RZ (P2 x QI) . X according to Okumuras algorithm. 4. Verification of the heterogeneous protocol system [Pi, R, Q21. If converter R satisfies the desired progress requirements, then R is expanded to produce the complete converter CFSM R. 5. If converter R satisfies the desired progress requirements, then R is expanded to produce the complete converter CFSM R.

The detailed description of step The detailed description of steps l-3 can be found elsewhere, and here we present only step 4, which determines the logical correctness of the converter R, and thus R. For the sake of continuity and convenience in understanding the following verification algorithm, we repeat here the reduction procedure (i.e. step 2) in brief. Reduction of states is always done incrementally while maintaining the reduced machines conversion equivalence with the original machine. The final reduced machine is called the Reduced CFSM (RCFSM). The reduction rule is very simple and can be applied to the STG of the CFSM as long as it contains insignificant state pairs. An insignificant state pair consists of two states such that they are connected to each other by insignificant edges only. During each reduction step i, the machine F is reduced by exactly one state, and at least one insignificant transition producing a newmachine Fi, which contains a new composite |Sf1|=S|SFi+ 1 |+ 1. The rule states that state and

F+ = F. The reduction procedure terminates here, and F is declared as the final reduced machine. The reduced state transition graph representations of the protocol machines of the heterogeneous protocol system of Figure 3 are shown in Figure 4, where D and M messages are considered to be the only significant messages.

if s1 and s2 are two states b(simple or composite) in the CFSM F such that all transitions between s1 and s2 are labelled with insignificant operations then perform the following (A), (B), (C) and (D) to obtain the reduced machine F+ (A) merge 5, and 52 into a composite state (~i.5~) and delete all their interconnecting edges in Fi+1, for each 5 E [succ(si) 521 (or, [SUCC(S~- ) s,]) add an edge from (5, .s2) to s in F if with the label of the outgoing edge from 5 (or, s2) to 5 in F. for each 5 E [pred(si) 521 (or, [pred(sz) - si]) add an edge from 5 to (5 1.52) I F is- with the label of the incoming edge from s to 5, (or, 52) in F; copy other states and transitions from F to Fi+1.

(B)

(C)

(D)

Starting with F, we apply the rule iteratively until an F is reached for which

The important characteristic of the verification algorithm is that if the reduced system [PI, R, Q2] is found to be correct, then the algorithm ensures that the original system [PI, R, Q2] will also be correct, provided, however, that PI and Q2 are valid in their own protocol systems [PI, Pz] and [Ql, Qz], respectively Based on the theory presented above, we can now present an algorithm for reach ability analysis of the protocol system [PI, R, Qz]. Two special data structures, MARK and STORE, are used here. MARK represents the global states already explored (i.e. visited nodes in the reachability tree), and STORE represents a set to hold those global states yet to be explored, and which are hence unmarked. At any intermediate point of the analysis, (MARK + STORE) represents the tree partially generated at that point. At the end, STORE becomes empty and MARK contains the full set of global states. Next we will show how to apply this algorithm to an example. Figure 3 shows the CFSM model of a heterogeneous protocol system [PI, R, Q2], where CFSMs F; and F2 represent protocol entities Pi and Qz, respectively, and CFSM F. corresponds to the converter R. The derivation R PI, QZ and the conversion seed has been detailed elsewhere, I29 . Here we will verify the progress

properties of the system. Note that the initial states are marked by an incoming arrow in all CFSMs, and transitions are labelled by events denoted by the first letter of the message name preceded by a + or - sign to indicate reception or transmission, respectively. Applying the above algorithm on the heterogeneous protocol system of Figure 3, we first derive the reduced system of Figure 4 at the end of the reduction step. The significant message set contains A4 from FI and D from F2. It is determined by the conversion seed, and hence comes along with the input (c). The reduction procedure follows in this way. In CFSM FI states 1 and 2 are connected by two insignificant transitions, namely +N and M, and hence are merged into a composite state (1 . 2) in FI. Since no more pairs of states in F, can be detected with all insignificant transitions, the reduction procedure stops here. Similarly F0 and F2 are produced one-by-one. They can also be generated in paralle15. Once these reduced machines have been obtained, the next step is to directly apply the reachability analysis, i.e. the verification step of the above algorithm on this reduced system. The corresponding reachability tree obtained after the verification stage is shown in Figure 5. Considering single message flow, the tree is obtained by tracing the execution of the reduced protocol system [PI, R, Qz] with global states, as in the following (Figure 5): go = <O, (0. 2. 3 5), (0 . l)>, initial global state g1 = <(l.2), (0.2. 3 . 5),(0 . l)>, F1 transmits message M g2 = <(l .2), (1 .4),(0 . l)>, F0 receive message M g3 = <( 1 . 2), (6 . 7),(0 . l)>, F0 transmits message D g4 = <( 1 2), (6 . 7),(0 l)>, F2 receives message D g5 = <(1.2), (0 . 2 . 3 . 5),(0 . l)>, F0 transmits message A

g0 = <(O), (0 .2 .3 . 5),(0. l)>, F1 receives message M

Algorithm (Reduced Reachability Analysis)

input: (a) two protocol CFSMs PI and Ql, (b) converter RCFSM R, and (c) conversion seed X. output: protocol error (if present). Steps: The algorithm uses two data structures MARK and STORE to contain array of global states. reduction step: (1) Reduce PI and Q2 according to the reduction rule subjected to the seed X to produce reduced CFSMs PI and Qz. initialization step: (2) Initialize MARK to be null and STORE tocontain the initial global state ofthe reduced system [Pl, R, Ql]. verification step: (3) Select a global state g in STORE and find all g of system [PI, R, Qz] such that g t g. (4) Add g to STORE, if g is not already in (MARK + STORE). (5) MARK g as visited by transferring it from STORE to MARK. (6) If g encounters a deadlock, then report deadlock at g and go to step 9. (7) If g encounters an unspecified reception, then report unspecified reception at g and go to step 9. (8) If STORE is empty then go to step 10, else go to step 3. (9) Output g as non-progress state and go back to step 3. (10) Output MARK and STORE.

transitions need not always be traced. This optimization is valid under the assumption that the reduction procedure does not disturb the validity of the given protocols, which are again assumed to be valid originally. This has been proved as correct.

RESULTS
The algorithmic complexity of the reach ability analysis of a heterogeneous protocol system [PI, R, Ql] is in general given by 5 = Q(IPII x (RI x IQ2lb where lfl is the number of states in CFSM F, Because it involves combining the states CFSMs PI, R and Q2 in any order. On the other hand, since the reduction routine is to be performed on each CFSM in a number of operations in the order of the square of the number of states in the worst case possible, the generation of a reduced CFSM will require at most 0(]F12) operations. The complexity of reduced reach ability analysis is then given by: = Q(|P1| x |R| x |Q2| +O(|P1|) + O(|R|) + O(|Q2|) O|P1| x |R| x |Q2|, when the first product term dominates =(l/(kP kQ kR)) x O(|P1|x|R|x|Q2|) where kP=(|P1|/|P1|) kR=(|R|/|R|) kQ=(|Q2|/|Q2|)

It reveals no erroneous global state, which implies that there is no logical error in the converter design, and the heterogeneous protocol system can progress smoothly. The reduced reach ability tree (Figure 5) contains only six states, whereas tracing the execution of the corresponding unreduced protocol system without using reduction would require 25 different global state?. Clearly, exploration of only six global states is a large reduction. As to the computing space, we need to save only six instead of 25 states in the reach ability graph. Therefore, we can save a lot of computing time and space if reduction is employed for the validation of heterogeneous protocol systems. Obviously, the aforementioned reach ability analysis takes advantage of the reduction technique applied to the conversion procedure, hence reduced reach ability analysis. It alleviates the state explosion problem to a great extent, as reduction decreases the number of states and their associated transitions by an order of two to three. Otherwise there is every possibility of state explosion in heterogeneous protocol system verification, as the number of processes has gone up to three from the two employed in the homogeneous case. This optimization is a remarkable achievement in the converter validation context, and is not reported anywhere before. The manipulation of global states containing composite states reduces the state explosion problem, because now a lot of information on members of the composite states does not need to be stored separately, and paths in RT produced by insignificant

Normally ks are greater than unity, so that the ratio t/t is also greater than unity, resulting in a considerable decrease in complexity and thereby an improvement in analysis. For the example shown in Figures 3,4 and 5, the values of ks are 1.5, 2.67 and 2, respectively, which, however, ultimately gives an overall gain of the order of 4 ( M 25/6). To substantiate our theoretical claim for global state space reduction, we present empirical results obtained by running the reach ability analysis algorithm with and without reduction on problems having a varying number of states and conversion seeds. As can be seen from Table 1, the reduced reach ability tree is generally 2-4 times smaller than that of an unreduced tree generated by the conventional algorithm. In addition, Figure 6 displays the corresponding execution times for the two algorithms, implemented in C on a workstation supporting UNIX. It can be seen that the execution times for the reduced reach ability algorithm are typically 50-70% of those for the conventional algorithm. In summary, these empirical findings confirm that the proposed algorithm offers both storage and computational advantages over the conventional method.

valid, constructing a reach ability graph is the most straightforward way. Provided that the two given protocols are valid, a reduction of STGs can be performed before constructing the reduced reach ability graph for verifying the heterogeneous protocol systems, thereby achieving considerable optimization in the number of global states required to declare the system free from logical errors. Composite states can be formed easily before construction of the reach ability tree, thereby speeding up construction of the converter and, in addition, rendering the reach ability analysis of the composite system less time and space consuming.

REFERENCES
1.Green, Jr. P E Protocol conversion, IEEE Trans. Commun., Vol 34, No 3 (March 1986) pp 257268 2.Green, Jr. P E (Ed.) Computer Network Architectures and Protocols, Plenum Press, New York (1982) 3.Comer, D Internetworking with TCPIIP, Prentice Hall, Englewood Cliffs, NJ (1988) 4.Groenbaek, I Conversion between the TCP and IS0 transport protocols as a method of achieving interoperability between data communication systems, IEEE J. Selected Areas in Commun., Vol 4 No 2 (February 1986) pp 288- 296 5.Saha, D and Dhar, P Protocol conversion using CFSM model, Technical Report, Department of E&ECE, IIT Kharagpur, India (June 1992) 6.Vuong, S T and Cowan, D D Reachability analysis of protocols with FIFO channels, Proc. ACM SIGCOMM (1983) pp 49-57 7.Okumara, K A formal protocol conversion method, Proc. ACM SIGCOMM, Stowe, VT (August 1986)

CONCLUSION
To avoid protocol mismatch, IS0 has developed its OS1 as the globally acclaimed standard architecture. This is a good move on the part of IS0 to bring the everproliferating network community onto a common platform. But there are already those vendor-specific networks (like SNA, DECNET, ARPANET, etc.) which do not conform to the IS0 standard but which have been fully operational for quite some time. OS1 may be the future architecture, but at present what is needed to render two incompatible networks interoperable without much alteration to their existing hardware and software is a protocol converter at the point of discontinuity on the access path between the networks. This research note has presented a formal technique to analyze a heterogeneous protocol system where two incompatible protocol peer processes communicate through a converter process. Since CFSMs are used to model processes, to verify that a converter is

8.Lam, S S Protocol conversion, IEEE Trans. Softw. Enrr., Vol I4 No 3 (March 1988) pp 353-362 9.Shu. J C and Liu. M T A synchronization model for protocol conversion, Proc. INFOCOM (1989) pp 276-284 10.Calvert, K L and Lam, S S An exercise in deriving a protocol conversion, Proc. ACM SIGCOMM, Stowe, VT (August 1987) 11.Calvert, K L and Lam, S S Deriving a protocol converter: A top-down method, Proc. ACM SIGCOMM, Austin, TX (August 1989) 12.Calvert, K L and Lam, S S Formalmethods for protocol conversion, IEEE J. Selected Areas in Commun., Vol 6 No I (January 1990) pp 127-148 13.von Bochmann, G and Mondain-Monval, P Design principles for communication gateways, IEEE J. Selected Areas in Commun., Vol 6 No I (January 1990) pp 1221 14.Auerbach, J TACT: A protocol conversion toolkit, IEEE J. Selected Areas in Commun., Vol 6 No 1 (January 1990) pp 143-159 15.von Bochmann, G Deriving protocol converters for communication gateways, IEEE Trans. Commun., Vol 38 No 9 (September 1990) pp 1298-l 300 16.Yao, Y-W and Liu, M-T Constructing protocol converters with guaranteed service, Proc. IEEE INFOCOM, FL (April 1991)

17.Saha, D and Dhar, P A fast protocol conversion technique using reduction of state transition graph, Proc. IEEE Phoenix Conf Commun., IPCC, Phoenix, AZ (April 1992) awards 18.Zatiropulo, P, West, C H, Rudin, H, Cowan, D D and Brand, D Tc analyzing and synthesizing protocols, IEEE Trans. Commun., Vol 28 No 4 (April 1980) pp 651661 19.Brand. D and Zatiropoulo, P On communicating finite state machines, J. ACM, Vol 30 No 2 (April 1983) pp 323% 342 20.von Bochmann, G Finite description of communication protocols, Computer Networks, Vol 2 (1978) pp 361-372 von Bochmann, G and Sunshine, C A Formal methods in communication protocol design, IEEE Trans. Commun., Vol 28 No 4 (April 1980) pp 624-631 .