Modelling IP Mobility
ing away the details of message delivery across the network. The communication mechanism we assume is an asynchronous one, involving unbounded buffers and allowing message overtaking.

We assume a collection of names defined as the union of pairwise disjoint sets $RN \cup AN \cup LAN \cup DN \cup CN$, where:

  $r_i \in RN$    Router Names
  $a_i \in AN$    Agent Names
  $l_i \in LAN$   Local Agent Addresses
  $d_i \in DN$    Data Items
  $c \in CN$      Control Directives

The set $CN$ of Control Directives has the following elements (the Control Directives that we consider in Stat consist of exactly msg, to indicate a data message; the directives fwdd and upd will be used only in CMob):

  msg     message          fwdd    forwarded
  regd    registered       immig   immigrating
  infmd   informed         repat   repatriating
  mig     migrating        upd     update

The sets $AN$ and $DN$ are assumed to be non-empty. The elements of $RN$ and $LAN$ are channel names that can carry values of the following domain (note that the sort corresponding to the set $RN$ is recursively defined):

$$[x_1, x_2, x_3, x_4, x_5, x_6] \in CN \times AN \times RN \times AN \times RN \times DN$$

Elements of this domain may be interpreted as:

$$[\text{control directive},\ \text{to agent},\ \text{at router},\ \text{from agent},\ \text{from router},\ \text{data}]$$

We often write $x$ to stand for the tuple $[x_1, x_2, x_3, x_4, x_5, x_6]$. An underscore indicates that the name is irrelevant ("don't care"). The tables $L$ and $H$ are used for the address translation necessary to route a message to its destination. $L$ is an injective function that gives the local address for an agent at a given router; $H$ computes the "home router" of an agent.

Tables:

$$L : RN \times AN \to LAN \ \text{(injective)} \qquad\qquad H : AN \to RN$$

We denote with $obs(x)$ an atomic observation. If $\bar z[x]$ is a message, we call the triple $[x_2, x_4, x_6]$ its observable content (original sender, addressee and data). We assume a distinguished channel name $o$ on which we can observe either the reception of a message or anomalous behavior, represented by a special value (the symbol for that value did not survive extraction; the anomalous observation is written simply $\bar o$ below).

$$obs([x_1, x_2, x_3, x_4, x_5, x_6]) = \begin{cases} \bar o[x_2, x_4, x_6] & \text{if } x_1 = msg \text{ or } x_1 = fwdd \\ \bar o & \text{otherwise} \end{cases}$$

3.1 The system without mobility Stat

In Figure 1, we present (formally) the system Stat.

$$\begin{array}{l}
[x_1, x_2, x_3, x_4, x_5, x_6] \in CN \times AN \times RN \times AN \times RN \times DN \\[6pt]
A(a) = \sum_{c \in \{in, out\},\ y \in AN,\ w \in DN} \\
\quad \text{if } c = in : A_{in}(a) \\
\quad \text{else} : \text{let } z = H(y);\ r_0 = H(a) \text{ in } \bar r_0[msg, y, z, a, r_0, w] \mid A(a) \\[6pt]
A_{in}(a) = \text{let } l = L(H(a), a) \text{ in } l(x).(obs(x) \mid A(a)) \\[6pt]
Router(r) = r(x).\ \text{if } x_3 = r : \text{let } l = L(r, x_2) \text{ in } \bar l\, x \mid Router(r) \\
\qquad\qquad\qquad\ \ \text{else} : \bar x_3\, x \mid Router(r) \\[6pt]
Stat \equiv \prod_{r \in RN} Router(r) \mid \prod_{a \in AN} A(a)
\end{array}$$

Figure 1: System without mobility

Agents. An agent $A(a)$ either receives a message from its home router on its local address and observes it, or it generates a message to a correspondent agent that it gives to its home router for delivery to the correspondent agent via the latter's home router. $L(H(a), a)$ represents the local address of the agent $a$ in its home subnet[3].

Router. The router examines an incoming message, and if it is the destination router mentioned in the message, accordingly delivers it to the corresponding agent. Otherwise it sends it to the appropriate router. $L(r, x_2)$ is the local address of $x_2$, the addressee of the message, whereas $x_3$ is the destination router.

3.2 The system with mobility Mob

We now allow agents to migrate from one router (i.e., subnet) to another. While doing so, the agents and routers engage in a handover protocol [JP96]. When an agent moves to another router, a proxy "home agent" at its home router[4] forwards messages intended for the mobile agent to a "care-of address"[5], the agent's current router. To avoid message loss, the forwarding home agent should have an up-to-date idea of the current router of the mobile agent. Hence when a mobile agent moves, it must inform the home agent of its new coordinates.
In the first approximation, we model all messages addressed to a mobile agent as being forwarded via the home agent; later we will consider correspondent agents caching the current router of a mobile agent. The router description remains unchanged.

[3] We have used nondeterminism to model actions arising from the transport or higher layers corresponding to processing a received message, or generating a message to a correspondent agent. Communication on the LAN channels abstracts link-level communication between the router and the agent. We have a simplifying assumption that a node can be on-link to only one router.
[4] For simplicity, we identify the routers serving as mobility agents / proxies with the routers administering a subnet. We also assume that each router is always capable of acting as a home or foreign agent.
[5] We model only what are called "foreign agent care-of addresses" and not "co-located care-of addresses" in IPv6 parlance.

We observe that the migration of a mobile agent from one router to another can be modelled "statically": for each router, for each agent, we have a process that represents the behavior of a mobile agent either being present there or absent there, or that of a router enacting the role of a forwarder for the agent, routing messages addressed to that agent to its current router. Migration may now be described in terms of a coordinated state change by processes at each of the locations involved[6]. Although the model involves a matrix of shadow agents running at each router, it has the advantage of being static, in terms of processes and channels, requiring neither dynamic name generation nor dynamic process generation. The conceptual simplicity of the model is a clear advantage when carrying out proofs which have a high combinatorial complexity, as well as when attempting verification by automated or semi-automated means.
For instance, the only aspect of the modelling that brings us outside the realm of finite control systems is the fact that channels have an infinite capacity, and there is no bound on the number of messages generated. Starting from this observation, it is possible to consider a revised protocol which relies on bounded channels (see Appendix B).

In the commentary below, we refer to various processes as agents. Note that only the agents $Ah$, $Ah_{in}$, $Ma$ and $Ma_{in}$ correspond to "real" agents, i.e., the behavior of mobile nodes. The others may be regarded as roles played by a router on a mobile node's behalf. Their analogues in IPv6 are implemented as routers' procedures that use certain tables.

States of the agent at home. We describe an agent at its home router in Figure 2.

Ah. The mobile agent is at its home base. It can receive and send messages, as in the definition of $A(a)$ in Figure 1, and can also move to another router. When the agent "emigrates", say, to router $u$, it changes state to $Ham(a)$. We model the migration by the agent intimating its "shadow" at router $u$ that it is "immigrating" there, and to prepare to commence operation[7].

Ham. The mobile agent during emigration. We model the agent during "emigration" by the state $Ham(a)$. During migration, messages addressed to the agent may continue to arrive; eventually, these messages should be received and handled by the mobile agent. The emigration completes when the shadow agent at the target site registers (by sending control message regd) its new care-of router ($x_5$) at the home base. The agent is ready to operate at that foreign subnet once it receives an acknowledgement from the home agent (control message infmd). The control messages (regd and infmd) are required to model the coordinated change of state at the two sites[8]. The home agent filters messages while waiting for the regd message; this filtration can be expressed in our asynchronous communication model by having other messages "put back" into the message buffer, and remaining in state $Ham(a)$.

Haf. The home agent as a forwarder. The home agent forwards messages to the mobile agent at its current router[9] (via the routers of course), unless informed by the mobile agent that it is moving from that router. There are two cases we consider: either the mobile agent is coming home ("repatriation") or it is migrating elsewhere.

[6] Thus, our formalization of the migration of an agent, involving the small coordinated state change protocol, may be considered an abstraction (rather than a faithful representation) of some of the actions performed when a mobile node attaches itself to a new router and disengages itself from an old one.
[7] Registration is treated in a simple fashion using the immig and repat messages, ignoring details of Agent Discovery, Advertisement, Solicitation, and protocols for obtaining care-of addresses. Deregistration is automatic rather than explicit. The issue of re-registration is totally ignored.
[8] These messages may be likened to the "binding update for home registration" and "binding acknowledgement from home".
[9] This is the primary care-of address.

$$\begin{array}{l}
Ah(a) = \sum_{c \in \{in, out, mv\},\ y \in AN,\ w \in DN,\ u \in RN} \\
\quad \text{if } c = in : Ah_{in}(a) \\
\quad \text{if } c = out : \text{let } z = H(y);\ r_0 = H(a) \text{ in } \bar r_0[msg, y, z, a, r_0, w] \mid Ah(a) \\
\quad \text{else} : \text{let } r_0 = H(a) \text{ in} \\
\qquad \text{if } u = r_0 : Ah(a) \\
\qquad \text{else} : \bar r_0[immig, a, u, a, r_0, \_] \mid Ham(a) \\[6pt]
Ah_{in}(a) = \text{let } l = L(H(a), a) \text{ in } l(x).(obs(x) \mid Ah(a)) \\[6pt]
Ham(a) = \text{let } r_0 = H(a);\ l = L(r_0, a) \text{ in } l(x). \\
\quad \text{if } x_1 = regd : \bar r_0[infmd, a, x_5, a, r_0, \_] \mid Haf(a, x_5) \\
\quad \text{if } x_1 = msg : \bar l\, x \mid Ham(a) \\
\quad \text{else} : \bar o \mid Ham(a) \\[6pt]
Haf(a, r) = \text{let } r_0 = H(a);\ l = L(r_0, a) \text{ in } l(x). \\
\quad \text{if } x_1 = repat : Ah(a) \\
\quad \text{if } x_1 = mig : \bar r_0[infmd, a, x_5, a, r_0, \_] \mid Haf(a, x_5) \\
\quad \text{if } x_1 = msg : \bar r_0[msg, a, r, x_4, x_5, x_6] \mid Haf(a, r) \\
\quad \text{else} : \bar o \mid Haf(a, r) \\[6pt]
Router(r) \ \text{(as in Figure 1)}
\end{array}$$

Figure 2: States of the agent at home

States of the agent away from home. We describe the agents at a foreign router in Figure 3.

Idle. If the agent has never visited. The Idle state captures the behavior of the shadow of an agent at a router it has never visited. If the agent moves to that router, indicated by the control message immig, then the shadow agent changes state to $Bma(a, r)$, from where it will take on the behavior of mobile agent $a$ at the foreign router $r$. Any other message is ignored, and indeed it should be erroneous to receive any other message in this state.

Fwd. If the agent is not at foreign router $r$, but has been there earlier. This state is similar to Idle, except that any delayed messages that had been routed to the agent while it was at $r$ previously are re-routed via the home router[10]. This state may be compared to Haf, except that it does not have to concern itself with the agent migrating elsewhere.

Bma. Becoming a foreign mobile agent. Once the protocol for establishing movement to the current router is complete, the agent becomes a foreign mobile agent.

$$\begin{array}{l}
Idle(a, r) = \text{let } l = L(r, a);\ r_0 = H(a) \text{ in } l(x). \\
\quad \text{if } x_1 = immig,\ x_5 \neq r_0 : \bar r[mig, a, r_0, a, r, \_] \mid Bma(a, r) \\
\quad \text{if } x_1 = immig,\ x_5 = r_0 : \bar r[regd, a, r_0, a, r, \_] \mid Bma(a, r) \\
\quad \text{else} : \bar o \mid Idle(a, r) \\[6pt]
Fwd(a, r) = \text{let } l = L(r, a);\ r_0 = H(a) \text{ in } l(x). \\
\quad \text{if } x_1 = immig,\ x_5 \neq r_0 : \bar r[mig, a, r_0, a, r, \_] \mid Bma(a, r) \\
\quad \text{if } x_1 = immig,\ x_5 = r_0 : \bar r[regd, a, r_0, a, r, \_] \mid Bma(a, r) \\
\quad \text{if } x_1 = msg : \bar r[msg, a, r_0, x_4, x_5, x_6] \mid Fwd(a, r) \\
\quad \text{else} : \bar o \mid Fwd(a, r) \\[6pt]
Bma(a, r) = \text{let } l = L(r, a) \text{ in } l(x). \\
\quad \text{if } x_1 = infmd : Ma(a, r) \\
\quad \text{if } x_1 = msg : \bar l\, x \mid Bma(a, r) \\
\quad \text{else} : \bar o \mid Bma(a, r) \\[6pt]
Ma(a, r) = \sum_{c \in \{in, out, mv\},\ y \in AN,\ w \in DN,\ u \in RN} \\
\quad \text{if } c = in : Ma_{in}(a, r) \\
\quad \text{if } c = out : \text{let } z = H(y) \text{ in } \bar r[msg, y, z, a, r, w] \mid Ma(a, r) \\
\quad \text{else} : \text{let } r_0 = H(a) \text{ in} \\
\qquad \text{if } u = r : Ma(a, r) \\
\qquad \text{if } u \neq r,\ u = r_0 : \bar r[repat, a, r_0, a, r, \_] \mid Fwd(a, r) \\
\qquad \text{else} : \bar r[immig, a, u, a, r, \_] \mid Fwd(a, r) \\[6pt]
Ma_{in}(a, r) = \text{let } l = L(r, a) \text{ in } l(x).(obs(x) \mid Ma(a, r)) \\[6pt]
Mob \equiv \prod_{r \in RN} Router(r) \mid \prod_{a \in AN} Ah(a) \mid \prod_{r \in RN,\ a \in AN,\ r \neq H(a)} Idle(a, r)
\end{array}$$

Figure 3: States of the agent away from home
Messages are filtered looking for an acknowledgement from the home agent that it is aware of the mobile agent's new current router. Once the home agent has acknowledged that it has noted the new coordinates, the mobile agent may become operational[11].

Ma. The mobile agent at a foreign router. As with the mobile agent at its home base $Ah(a)$, the mobile agent may receive messages, send messages, or move away. The behavior of the mobile agent in state $Ma$ is similar to that of $Ah$ except that during movement, different control messages need to be sent to the target site depending on whether it is home or another site. If the target site is the home base, then a repat message is sent. Otherwise the target site is intimated of the wish to "immigrate". The agent goes into the state $Fwd$.

In the upper part of Figure 4 we describe the possible transitions that relate to control messages, not including filtering, forwarding, and erroneous situations. We decorate the transitions with the control messages that are received ($-$) and emitted ($+$). In the lower part of Figure 4 we outline the three basic movements of an agent $a$: leaving the home router, coming back to the home router, and moving between routers different from the home router.

[10] Since messages forwarded by the home agent may get arbitrarily delayed in transit, it is important that the mobile agent, in addition to informing its home agent of its current router, arrange for a forwarder at its prior router to handle such delayed messages. This point is the only major difference between our model and the IPv6 proposal. In order not to lose messages, we require a forwarder at any router where the mobile agent has previously visited. The default target for forwarding is the home router. In the Mobile IPv6 proposal, however, it is not mandatory for the mobile agent to arrange for a forwarder at the previous router, and if a message reaches a router that had previously served as a foreign agent, the message may be dropped. This is permissible in the context of IP since dealing with lost messages is left to the transport and higher layers. Our analysis shows that Mobile IP can use our default policy of forwarding to the home router, without messages traversing cycles indefinitely, but at the cost of some increase in the number of hops for a message. The need for forwarders is, of course, well known in the folklore regarding implementation of process migration.
[11] In IPv6 a mobile node may begin operation even before it has registered its new location with the home agent or received an acknowledgement from the home router. Correct updates of the primary care-of address at the home router are achieved using time-stamping of messages, which in turn requires synchronized clocks. In contrast, our asynchronous communication model makes no timeliness assumptions and permits message overtaking. Hence our protocol requires an acknowledgement from home before permitting further migrations.

$$\begin{array}{ll}
(1) & Ah(a) \xrightarrow{+immig} Ham(a) \xrightarrow{-regd,\ +infmd} Haf(a, r) \\[4pt]
(2.1) & Idle/Fwd(a, r) \xrightarrow{-immig,\ +mig} Bma(a, r) \xrightarrow{-infmd} Ma(a, r) \\[4pt]
(2.2) & Idle/Fwd(a, r) \xrightarrow{-immig,\ +regd} Bma(a, r) \xrightarrow{-infmd} Ma(a, r) \\[4pt]
(3.1) & Ma(a, r) \xrightarrow{+immig} Fwd(a, r) \\[4pt]
(3.2) & Ma(a, r) \xrightarrow{+repat} Fwd(a, r) \\[4pt]
(4.1) & Haf(a, r) \xrightarrow{-mig,\ +infmd} Haf(a, r') \\[4pt]
(4.2) & Haf(a, r) \xrightarrow{-repat} Ah(a)
\end{array}$$

I -- Leaving home (the third column is the control message in transit):

$$\begin{array}{lll}
Ah(a) & Idle/Fwd(a, r) & \\
Ham(a) & Idle/Fwd(a, r) & immig \\
Ham(a) & Bma(a, r) & regd \\
Haf(a, r) & Bma(a, r) & infmd \\
Haf(a, r) & Ma(a, r) &
\end{array}$$

II -- Coming home:

$$\begin{array}{lll}
Ma(a, r) & Haf(a, r) & \\
Fwd(a, r) & Haf(a, r) & repat \\
Fwd(a, r) & Ah(a) &
\end{array}$$

III -- Moving between routers different from the home router:

$$\begin{array}{llll}
Ma(a, r) & Haf(a, r) & Idle/Fwd(a, r') & \\
Fwd(a, r) & Haf(a, r) & Idle/Fwd(a, r') & immig \\
Fwd(a, r) & Haf(a, r) & Bma(a, r') & mig \\
Fwd(a, r) & Haf(a, r') & Bma(a, r') & infmd \\
Fwd(a, r) & Haf(a, r') & Ma(a, r') &
\end{array}$$

Figure 4: Control transitions

We briefly describe how our "static" description that requires a thread for each agent at each router relates to a more "dynamic" model that is more natural from a programming viewpoint.
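As an added illustration (not part of the paper), the following Python program encodes the Stat router of Figure 1 together with the Mob state machines of Figures 2 and 3, and runs the three movements of Figure 4 under the paper's communication model: every channel (a router name or a local address $L(r,a)$) is an unordered bag, and the scheduler picks any enabled reception or agent choice at random, so messages overtake each other. The names of the routers and agents, the scripted scenario, and the random scheduler are my constructions; the message format and the state transitions follow the figures. The run checks the two properties the analysis of Section 4 establishes for Mob: no anomalous observation on $o$, and every data message observed exactly once with unchanged observable content, after which all migrations have completed.

```python
import random
from collections import defaultdict

# control directives of Mob (fwdd and upd belong to CMob only)
MSG, REGD, INFMD, IMMIG, REPAT, MIG = "msg", "regd", "infmd", "immig", "repat", "mig"


class MobSim:
    """One configuration of Mob.  home is the table H : AN -> RN; every channel
    (router name or local address L(r, a)) is an unordered bag, so any buffered
    message may be consumed next: unbounded buffers with overtaking."""

    def __init__(self, home, routers, seed=0):
        self.H, self.RN, self.rng = dict(home), list(routers), random.Random(seed)
        self.bufs = defaultdict(list)
        self.home_state = {a: ("Ah",) for a in home}            # Ah | Ham | Haf(r)
        self.shadow = {(a, r): "Idle" for a in home for r in routers if r != home[a]}
        self.obs, self.errors = [], []                           # outputs on channel o
        self.script = defaultdict(list)                          # the agents' out/mv choices

    def out(self, chan, x):
        self.bufs[chan].append(x)

    def observe(self, x):                  # obs(x): a data message, or anomalous behaviour
        if x[0] == MSG:
            self.obs.append((x[1], x[3], x[5]))    # observable content [x2, x4, x6]
        else:
            self.errors.append(x)

    def location(self, a):                 # router where a is operational, None while migrating
        if self.home_state[a][0] == "Ah":
            return self.H[a]
        return next((r for r in self.RN if r != self.H[a] and self.shadow[(a, r)] == "Ma"), None)

    def route(self, r, x):                 # Router(r), Figure 1
        self.out(("local", r, x[1]) if x[2] == r else ("router", x[2]), x)

    def home_recv(self, a, x):             # Ah_in / Ham / Haf, Figure 2
        r0, st = self.H[a], self.home_state[a]
        if st[0] == "Ah":
            self.observe(x)
        elif (st[0] == "Ham" and x[0] == REGD) or (st[0] == "Haf" and x[0] == MIG):
            self.out(("router", r0), (INFMD, a, x[4], a, r0, None))   # acknowledge new care-of router
            self.home_state[a] = ("Haf", x[4])
        elif st[0] == "Haf" and x[0] == REPAT:
            self.home_state[a] = ("Ah",)
        elif st[0] == "Haf" and x[0] == MSG:
            self.out(("router", r0), (MSG, a, st[1], x[3], x[4], x[5]))  # forward to care-of router
        else:
            self.errors.append(x)

    def shadow_recv(self, a, r, x):        # Idle / Fwd / Bma / Ma_in, Figure 3
        r0, st = self.H[a], self.shadow[(a, r)]
        if st in ("Idle", "Fwd") and x[0] == IMMIG:
            ctl = REGD if x[4] == r0 else MIG          # register at home, or tell home we migrated
            self.out(("router", r), (ctl, a, r0, a, r, None))
            self.shadow[(a, r)] = "Bma"
        elif st == "Fwd" and x[0] == MSG:              # delayed message: send it back via home
            self.out(("router", r), (MSG, a, r0, x[3], x[4], x[5]))
        elif st == "Bma" and x[0] == INFMD:
            self.shadow[(a, r)] = "Ma"
        elif st == "Ma":
            self.observe(x)
        else:
            self.errors.append(x)

    def filtering(self, a, r):             # Ham and Bma put data messages back until their control message arrives
        return self.home_state[a][0] == "Ham" if r == self.H[a] else self.shadow[(a, r)] == "Bma"

    def act(self, a, action):              # the out / mv branches of Ah and Ma
        r, r0 = self.location(a), self.H[a]
        if action[0] == "out":
            self.out(("router", r), (MSG, action[1], self.H[action[1]], a, r, action[2]))
        elif action[1] != r:
            u = action[1]
            if r == r0:                    # Ah: emigrate
                self.out(("router", r0), (IMMIG, a, u, a, r0, None))
                self.home_state[a] = ("Ham",)
            else:                          # Ma: repatriate or migrate elsewhere
                self.out(("router", r), (REPAT if u == r0 else IMMIG, a, u, a, r, None))
                self.shadow[(a, r)] = "Fwd"

    def enabled(self):
        steps = [("act", a, None) for a, todo in self.script.items() if todo and self.location(a)]
        for chan, bag in self.bufs.items():
            for i, x in enumerate(bag):
                if chan[0] == "router" or not (self.filtering(chan[2], chan[1]) and x[0] == MSG):
                    steps.append((chan[0], chan, i))
        return steps

    def run(self, max_steps=20000):
        """Pick enabled steps at random until quiescent; True if no step remains."""
        for _ in range(max_steps):
            steps = self.enabled()
            if not steps:
                return True
            kind, chan, i = self.rng.choice(steps)
            if kind == "act":
                self.act(chan, self.script[chan].pop(0))
            elif kind == "router":
                self.route(chan[1], self.bufs[chan].pop(i))
            elif chan[1] == self.H[chan[2]]:
                self.home_recv(chan[2], self.bufs[chan].pop(i))
            else:
                self.shadow_recv(chan[2], chan[1], self.bufs[chan].pop(i))
        return False


def run_scenario(seed):
    """Constructed scenario: a leaves home for r2, moves on to r3, replies to b,
    then comes home, while b keeps writing to a throughout."""
    sim = MobSim(home={"a": "r1", "b": "r2"}, routers=["r1", "r2", "r3"], seed=seed)
    sim.script["a"] = [("mv", "r2"), ("mv", "r3"), ("out", "b", "reply"), ("mv", "r1")]
    sim.script["b"] = [("out", "a", "hello"), ("out", "a", "again"), ("out", "a", "final")]
    quiescent = sim.run()
    stable = sim.home_state["a"] == ("Ah",) and all(
        sim.shadow[("a", r)] in ("Idle", "Fwd") for r in ("r2", "r3"))
    return {"quiescent": quiescent, "stable": stable, "errors": sim.errors,
            "observed": sorted(sim.obs)}


EXPECTED = sorted([("a", "b", "hello"), ("a", "b", "again"), ("a", "b", "final"), ("b", "a", "reply")])

if __name__ == "__main__":
    for seed in range(50):
        res = run_scenario(seed)
        assert not res["errors"] and res["quiescent"] and res["stable"] and res["observed"] == EXPECTED, res
    print("no message lost or altered, and control stabilized, over 50 schedules")
```

Because Ham and Bma "put back" data messages, the scheduler simply never selects those messages while the state is a filtering one, which is the same behaviour without a busy loop. Changing the seed changes the interleaving, so a bounce between $Haf$ and $Fwd$ while a mig is in transit (the apparent forwarding cycle discussed under condition (C2) in Section 4.2) does occur on some schedules and is broken when the control message is consumed.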
First we observe that an agent's name is obtained by combining a router's name with a local identifying name. The computation of function $H$ is distributed, in that an agent's name contains sufficient information for computing its home router's name. Further, our infinite name space of agents is a virtual representation of a finite location name space with dynamic generation of names at each location. As observed earlier, the only actual processes are $Ah$, $Ah_{in}$, $Ma$ and $Ma_{in}$, which run in parallel with the routers. The other "agents" are threads run on the router. The $Ham$ thread is spawned on the home router when $Ah$ wishes to move away; this thread becomes $Haf$, a thread that forwards messages to the mobile agent and terminates when the agent returns. Each router maintains a list of agents for whom it serves as a home router, with their current locations, as well as a list of mobile agents currently visiting. The default policy of a router is to deliver messages to agents actually present there, to forward messages to mobile agents for whom it serves as a home router, and to otherwise forward the message to the target agent's home router. Messages to a non-existent agent trigger an error. As our analysis will show, the only message an $Idle$ thread can receive is an immig message. So this thread need not exist. Instead, on receiving an immig message, the router spawns a $Bma$ thread, updating the list of agents actually present there. When $Ma$ moves away from a router, it notifies the router to spawn a $Fwd$ thread. In practice, the $Fwd$ thread will synchronize with the router to empty the buffer of messages left behind by the agent and then terminate. Following this implementation, the number of threads running at a router $r$ is proportional to the number of agents whose home is $r$ or who are currently visiting $r$.

3.3 The system with caching CMob

The previous system suffers from overcentralization.
All traffic to an agent is routed through its home router, thus creating inefficiencies as well as poor fault tolerance. So, correspondent agents can cache the current router of a mobile agent [JP96]. The agents' definitions are parametric in a function $f : AN \to RN$, which represents their current cache. The cache is used to approximate knowledge of the current location of an agent; this function parameter can be implemented by associating a list with each agent[12]. We now use control directives fwdd and upd; the former indicates that the current data message has been forwarded, thus pointing out a "cache miss", the latter suggests an update of a cache entry, following a cache miss[13]. An agent may also decide to reset a cache entry to the home router[14]. Note that the protocol does not require the coherence of the caches. In case of cache miss, we may forward the message either to the home router (which, as in the previous protocol, maintains an up-to-date view of the current router) or to the router to which the agent has moved.

We present in Figure 5 the new definitions of the agent at home. Note the use of the directives fwdd and upd to update the cache and to suggest cache updates. In Figures 6 and 7 we present the modified definitions for the agent away from home. We note the introduction of two extra states: $Fwd_{in}(a, r, r')$ and $Mam(a, r)$. To model timing out of cached entries by a forwarder, an extra state $Fwd_{in}(a, r, r')$ is introduced. Non-determinism is used in $Fwd$ and $Ma_{in}$ to model possible resetting or updating of cache entries[15]. $Mam(a, r)$ is an extra state that we need when an agent moves from a router different from the home router. Before becoming a forwarder to the router to which the agent moved, we have to make sure that the agent has arrived there, otherwise we may forward messages to an $Idle(a, r')$ process, thus producing a run-time error (this situation does not arise in system Mob because we always forward to the home router).

[12] When moving to another router, we could deliver the current cache with the message immig. In the presented version we always re-start with the default cache $H$.
[13] A fwdd message can be regarded as having been tunnelled, while an upd message is a binding update.
[14] In IPv6, the validity of a cache entry may expire. In the informal description of the protocol, the update and deletion of a cache entry are often optional operations. We model this by using internal choice. No messages to reset a cache entry (binding deletion updates) are ever sent out, nor are negative acknowledgements sent out. We also note that maintaining the "binding update list" is not essential to the protocol, but is only a pragmatic design choice. Instead, an agent may non-deterministically decide to reset a cache entry, thus abstracting from a particular cache management mechanism.
[15] Timing out of cache entries is modelled using non-determinism, rather than by explicit representation of time stamps in a message. Note that in the Mobile IP protocol no hypothesis is made regarding the coordination of the clocks of the agents, so it seems an overkill to introduce time to speak about these time stamps.

$$\begin{array}{l}
Ah(a, f) = \sum_{c \in \{in, out, mv, rst\},\ c_1 \in \{0,1\},\ c_2 \in \{0,1\},\ y \in AN,\ w \in DN,\ u \in RN} \\
\quad \text{if } c = in : Ah_{in}(a, f, c_1, c_2) \\
\quad \text{if } c = out : \text{let } r_0 = H(a);\ z = f(y) \text{ in } \bar r_0[msg, y, z, a, r_0, w] \mid Ah(a, f) \\
\quad \text{if } c = mv : \text{let } r_0 = H(a) \text{ in if } u = r_0 : Ah(a, f) \text{ else} : \bar r_0[immig, a, u, a, r_0, \_] \mid Ham(a) \\
\quad \text{else} : \text{let } r_0 = H(y) \text{ in } Ah(a, f[r_0/y]) \\[6pt]
Ah_{in}(a, f, c_1, c_2) = \text{let } r_0 = H(a);\ l = L(r_0, a) \text{ in } l(x). \\
\quad \text{if } x_4 = a,\ x_1 \in \{msg, fwdd\} : obs(x) \mid Ah(a, f) \\
\quad \text{if } x_4 \neq a,\ x_1 = msg : obs(x) \mid (Ah(a, f[x_5/x_4]) \oplus_{c_1} Ah(a, f)) \\
\quad \text{if } x_4 \neq a,\ x_1 = fwdd : obs(x) \mid (\bar r_0[upd, x_4, x_5, a, r_0, \_] \oplus_{c_2} 0) \mid (Ah(a, f[x_5/x_4]) \oplus_{c_1} Ah(a, f)) \\
\quad \text{if } x_4 \neq a,\ x_1 = upd : (Ah(a, f[x_5/x_4]) \oplus_{c_1} Ah(a, f)) \\
\quad \text{else} : \bar o \mid Ah(a, f) \\[6pt]
Ham(a) = \text{let } r_0 = H(a);\ l = L(r_0, a) \text{ in } l(x). \\
\quad \text{if } x_1 = regd : \bar r_0[infmd, a, x_5, a, r_0, \_] \mid Haf(a, x_5) \\
\quad \text{if } x_1 \in \{msg, fwdd, upd\} : \bar l\, x \mid Ham(a) \\
\quad \text{else} : \bar o \mid Ham(a) \\[6pt]
Haf(a, r) = \text{let } r_0 = H(a);\ l = L(r_0, a) \text{ in } l(x). \\
\quad \text{if } x_1 = repat : \bar r_0[regd, a, x_5, a, r_0, \_] \mid Ah(a, H) \\
\quad \text{if } x_1 = mig : \bar r_0[infmd, a, x_5, a, r_0, \_] \mid Haf(a, x_5) \\
\quad \text{if } x_1 \in \{msg, fwdd\} : \bar r_0[fwdd, a, r, x_4, x_5, x_6] \mid Haf(a, r) \\
\quad \text{if } x_1 = upd,\ x_4 \neq a : \bar r_0[upd, a, r, x_4, x_5, \_] \mid Haf(a, r) \\
\quad \text{else} : \bar o \mid Haf(a, r) \\[6pt]
Router(r) \ \text{(as in Figure 1)}
\end{array}$$

Figure 5: Modified control for agent at home with caching

$$\begin{array}{l}
Idle(a, r) = \text{let } l = L(r, a);\ r_0 = H(a) \text{ in } l(x). \\
\quad \text{if } x_1 = immig,\ x_5 \neq r_0 : \bar r[regd, a, x_5, a, r, \_] \mid \bar r[mig, a, r_0, a, r, \_] \mid Bma(a, r) \\
\quad \text{if } x_1 = immig,\ x_5 = r_0 : \bar r[regd, a, r_0, a, r, \_] \mid Bma(a, r) \\
\quad \text{else} : \bar o \mid Idle(a, r) \\[6pt]
Fwd(a, r, r') = \bigoplus_{c \in \{0,1\}} \text{let } r_0 = H(a) \text{ in } Fwd(a, r, r_0) \oplus_c Fwd_{in}(a, r, r') \\[6pt]
Fwd_{in}(a, r, r') = \text{let } l = L(r, a);\ r_0 = H(a) \text{ in } l(x). \\
\quad \text{if } x_1 = immig,\ x_5 \neq r_0 : \bar r[regd, a, x_5, a, r, \_] \mid \bar r[mig, a, r_0, a, r, \_] \mid Bma(a, r) \\
\quad \text{if } x_1 = immig,\ x_5 = r_0 : \bar r[regd, a, r_0, a, r, \_] \mid Bma(a, r) \\
\quad \text{if } x_1 = upd,\ x_4 \neq a : \bar r[upd, a, r', x_4, x_5, \_] \mid Fwd(a, r, r') \\
\quad \text{if } x_1 \in \{msg, fwdd\} : \bar r[fwdd, a, r', x_4, x_5, x_6] \mid Fwd(a, r, r') \\
\quad \text{else} : \bar o \mid Fwd(a, r, r') \\[6pt]
Bma(a, r) = \text{let } l = L(r, a) \text{ in } l(x). \\
\quad \text{if } x_1 = infmd : Ma(a, r, H) \\
\quad \text{if } x_1 \in \{msg, fwdd, upd\} : \bar l\, x \mid Bma(a, r) \\
\quad \text{else} : \bar o \mid Bma(a, r)
\end{array}$$

Figure 6: Modified control for agent away from home with caching, part I

4 Analysis

We now analyze the three different systems Stat, Mob, and CMob. In each case, the first step is to provide a schematic description of the reachable configurations, and to show that they satisfy certain desirable properties. Technically, we introduce a notion of admissible configuration, i.e., a configuration with certain properties, and go on to show that the initial configuration is admissible, and that admissibility is preserved by reduction. A crucial property of admissible configurations for Mob and CMob is control stabilization. This means that it is always possible to bring these systems to a situation where all migrations have been completed (we can give precise bounds on the number of steps needed to achieve this). We call these states stable.
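Returning to the caching protocol of Section 3.3 (Figures 5 to 7), the following Python program is an added example, not the paper's own code, of the cache logic alone: the "out" branch that addresses a message using the sender's cache $f$, the home forwarder $Haf$ relabelling a misrouted data message as fwdd, the receiver's $Ah_{in}$/$Ma_{in}$ reaction to a fwdd (observe it, cache the sender's router, answer with upd), and the rst branch that drops a cache entry back to $H$. It assumes synchronous delivery (no interleaving), that both internal choices $c_1, c_2$ are taken as 1 (always update, always send upd), and that a forwarder at a previously visited router has timed out and points to the home router (the $Fwd(a, r, r_0)$ branch of Figure 6). Agent and router names and the scenario are constructed for the example.

```python
# control directives relevant to the caching system CMob
MSG, FWDD, UPD = "msg", "fwdd", "upd"


class CachingWorld:
    """Agents in stable states only (Ah at home or Ma at a foreign router).
    Delivery is synchronous, so what is exercised is the cache handling."""

    def __init__(self, home, current):
        self.H = dict(home)                              # H : AN -> RN
        self.where = dict(current)                       # current router of each agent
        self.visited = {a: set() for a in home}          # routers that hold a Fwd for a
        self.cache = {a: dict(home) for a in home}       # each agent's f, initially H
        self.obs, self.errors, self.hops = [], [], []

    def send(self, a, y, w):
        """'out' branch of Ah / Ma: destination router is the sender's cached f(y)."""
        self.hops = []
        self.deliver((MSG, y, self.cache[a][y], a, self.where[a], w))
        return list(self.hops)                           # directives seen on the way

    def reset(self, a, y):
        """'rst' branch: forget y's binding, fall back to its home router H(y)."""
        self.cache[a][y] = self.H[y]

    def move(self, a, u):
        self.visited[a].add(self.where[a])               # old router keeps a forwarder
        self.where[a] = u

    def deliver(self, x):
        ddir, to, at, frm, frm_r, data = x
        self.hops.append(ddir)
        if at == self.where[to]:
            self.receive(to, x)
        elif at == self.H[to] or at in self.visited[to]:
            # Haf(a, r) / Fwd(a, r, r'): data is relabelled fwdd (the cache-miss
            # marker), upd passes through; the home forwarder knows the current
            # router, a visited-router forwarder is assumed to point home
            target = self.where[to] if at == self.H[to] else self.H[to]
            if ddir in (MSG, FWDD):
                self.deliver((FWDD, to, target, frm, frm_r, data))
            elif ddir == UPD and frm != to:
                self.deliver((UPD, to, target, frm, frm_r, None))
            else:
                self.errors.append(x)
        else:
            self.errors.append(x)                        # data at Idle(a, r): run-time error

    def receive(self, a, x):
        """Ah_in / Ma_in with c1 = c2 = 1: always cache, always answer a fwdd with upd."""
        ddir, to, at, frm, frm_r, data = x
        if frm == a and ddir in (MSG, FWDD):             # our own message bounced back
            self.obs.append((to, frm, data))
        elif ddir == MSG:
            self.obs.append((to, frm, data))
            self.cache[a][frm] = frm_r                   # sender's router is a fresh binding
        elif ddir == FWDD:
            self.obs.append((to, frm, data))
            self.cache[a][frm] = frm_r
            # binding update: tell the sender where we actually are
            self.deliver((UPD, frm, frm_r, a, self.where[a], None))
        elif ddir == UPD and frm != a:
            self.cache[a][frm] = frm_r
        else:
            self.errors.append(x)


def run_demo():
    """Constructed scenario: a lives at r1 but sits at r3; b (home r2) writes to a."""
    w = CachingWorld(home={"a": "r1", "b": "r2"}, current={"a": "r3", "b": "r2"})
    trace = {}
    trace["hello"] = w.send("b", "a", "hello")      # f_b(a) = r1 (home): miss, fwdd, then upd
    trace["again"] = w.send("b", "a", "again")      # f_b(a) = r3 after the upd: direct
    w.reset("b", "a")
    trace["third"] = w.send("b", "a", "third")      # entry reset: miss again
    w.move("a", "r2")                                # r3 now holds a forwarder for a
    trace["fourth"] = w.send("b", "a", "fourth")    # stale f_b(a) = r3: forwarded twice
    trace["cache_b"] = dict(w.cache["b"])
    trace["errors"] = w.errors
    return trace


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

The fourth message shows why the paper forwards to the home router rather than dropping: a stale cache entry costs two extra hops (visited router to home, home to current router) but the message is still observed, and the upd it triggers repairs the correspondent's cache without any requirement that caches be coherent.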
Other interesting properties we show relate to the integrity and delivery of messages. The control stabilization property of admissible configurations is also exploited to build (barbed) bisimulation relations, with respect to a suitable notion of observation, between Stat and Mob, and between Stat and CMob.

$$\begin{array}{l}
Ma(a, r, f) = \sum_{c \in \{in, out, mv, rst\},\ c_1 \in \{0,1\},\ c_2 \in \{0,1\},\ y \in AN,\ w \in DN,\ u \in RN} \\
\quad \text{if } c = in : Ma_{in}(a, r, f, c_1, c_2) \\
\quad \text{if } c = out : \text{let } z = f(y) \text{ in } \bar r[msg, y, z, a, r, w] \mid Ma(a, r, f) \\
\quad \text{if } c = mv : \text{let } r_0 = H(a) \text{ in} \\
\qquad \text{if } u = r : Ma(a, r, f) \\
\qquad \text{if } u = r_0 : \bar r[repat, a, r_0, a, r, \_] \mid Mam(a, r) \\
\qquad \text{else} : \bar r[immig, a, u, a, r, \_] \mid Mam(a, r) \\
\quad \text{else} : \text{let } r_0 = H(y) \text{ in if } y \neq a : Ma(a, r, f[r_0/y]) \text{ else} : Ma(a, r, f) \\[6pt]
Ma_{in}(a, r, f, c_1, c_2) = \text{let } l = L(r, a) \text{ in } l(x). \\
\quad \text{if } x_4 = a,\ x_1 \in \{msg, fwdd\} : obs(x) \mid Ma(a, r, f) \\
\quad \text{if } x_4 \neq a,\ x_1 = msg : obs(x) \mid (Ma(a, r, f[x_5/x_4]) \oplus_{c_1} Ma(a, r, f)) \\
\quad \text{if } x_4 \neq a,\ x_1 = fwdd : obs(x) \mid (\bar r[upd, x_4, x_5, a, r, \_] \oplus_{c_2} 0) \mid (Ma(a, r, f[x_5/x_4]) \oplus_{c_1} Ma(a, r, f)) \\
\quad \text{if } x_4 \neq a,\ x_1 = upd : Ma(a, r, f[x_5/x_4]) \oplus_{c_1} Ma(a, r, f) \\
\quad \text{else} : \bar o \mid Ma(a, r, f) \\[6pt]
Mam(a, r) = \text{let } l = L(r, a) \text{ in } l(x). \\
\quad \text{if } x_1 = regd : Fwd(a, r, x_5) \\
\quad \text{if } x_1 \in \{fwdd, msg, upd, immig\} : \bar l\, x \mid Mam(a, r) \\
\quad \text{else} : \bar o \mid Mam(a, r) \\[6pt]
CMob \equiv \prod_{r \in RN} Router(r) \mid \prod_{a \in AN} Ah(a, H) \mid \prod_{r \in RN,\ a \in AN,\ r \neq H(a)} Idle(a, r)
\end{array}$$

Figure 7: Modified control for agent away from home with caching, part II

4.1 Analysis of Stat

Figure 8 presents the notion of admissible configuration for Stat. We will write $s.Rt$, $s.Ob$, $s.Ag$, and $s.Ms$ to denote the state of the routers, atomic observations, agents, and data messages, respectively, in configuration $s$. We will abuse notation, and regard products of messages as multisets, justified since parallel composition is associative and commutative. When working with multisets we will use standard set-theoretic notation, though operations such as union and difference are intended to take multiplicity of the occurrences into account.
We assume that $\sharp RN \geq 3$, to avoid considering degenerate cases when establishing the correspondence between Stat and Mob (if $\sharp RN \leq 2$, then the transitions III in Figure 4 cannot arise).

$$\begin{array}{ll}
s \equiv Rt \mid Ob \mid Ag \mid Ms & \\[4pt]
Rt \equiv \prod_{r \in RN} Router(r) & \\[4pt]
Ob \equiv \prod_{i \in I} \bar o[x_i, y_i, z_i] & x_i, y_i \in AN,\ z_i \in DN \\[4pt]
Ag \equiv \prod_{a \in AN} B(a) & B(a) ::= A(a) \mid A_{in}(a) \\[4pt]
Ms \equiv \prod_{j \in J} \bar z_j[msg, x_{2,j}, x_{3,j}, x_{4,j}, x_{5,j}, x_{6,j}] & x_{2,j}, x_{4,j} \in AN;\ x_{3,j}, x_{5,j} \in RN;\ x_{6,j} \in DN; \\
 & x_{3,j} = H(x_{2,j});\ x_{5,j} = H(x_{4,j});\ z_j \in \{x_{5,j}, x_{3,j}, L(x_{3,j}, x_{2,j})\}
\end{array}$$

Figure 8: Admissible configurations for Stat

Proposition 4.1 The initial configuration Stat is admissible, and admissible configurations are closed under reduction.

By the definition of admissible configuration, we can conclude that the error message $\bar o$ is never generated (a similar remark can be made for the systems Mob and CMob, applying Theorems 4.5 and 4.13, respectively). Messages do not get lost or tampered with.

Corollary 4.2 (message integrity) Let $s$ be an admissible configuration for Stat, let $\bar z x \in s.Ms$ and suppose $s \to s'$. Then either $\bar z' x \in s'.Ms$, for some $z'$; or else $\bar o[x_2, x_4, x_6] \in s'.Ob$ when the message gets received by its intended addressee.

Corollary 4.3 (message delivery) Let $s$ be an admissible configuration for Stat such that $\bar z x \in s.Ms$. Then the data message can be observed in at most 4 reductions.

4.2 Analysis of Mob

The table in Figure 9 lists the situations that can arise during the migration of an agent from a router to another. $k$ is the case number, $Ag(a, k, r, r')$ denotes the shadow agents of $a$ not in a $Fwd$ or $Idle$ state in situation $k$, $CMs(a, k, r, r', z)$ the migration protocol control messages at $z$ involving at most the sites $H(a), r, r'$ for that situation, and $R(a, k, r, r')$ denotes the routers involved in situation $k$ of the protocol at which $a$'s shadow is not in a $Fwd$ or $Idle$ state. Relying on this table, we define in Figure 10 a notion of admissible function.
Intuitively, the admissible function (written $\varphi$ here; its symbol did not survive extraction) associates with each agent $a$ its current migration control (the state and the protocol messages), the routers already visited, and the data messages in transit that are addressed to $a$. We denote with $\mathcal{P}_{fin}(X)$ and $\mathcal{M}_{fin}(X)$ the finite parts, and finite multisets of $X$, respectively, and with $\varphi(a)_i$ the $i$-th projection of the tuple $\varphi(a)$. Then $Act(a, \varphi)$ denotes the routers where $a$ has visited, which are not in an $Idle$ state. Condition (C1) states that at most finitely many agents can be on the move ("deranged") at any instant.

$$\begin{array}{l|l|l|l}
k & Ag(a, k, r, r') & CMs(a, k, r, r', z) & R(a, k, r, r') \\ \hline
1 & Ah(a) & 0 & \{r_0\} \\
2 & Ah_{in}(a) & 0 & \{r_0\} \\
3 & Ham(a) & \bar z[immig, a, r, a, r_0, \_] & \{r_0\} \\
4 & Ham(a) \mid Bma(a, r) & \bar z[regd, a, r_0, a, r, \_] & \{r_0, r\} \\
5 & Haf(a, r) \mid Bma(a, r) & \bar z[infmd, a, r, a, r_0, \_] & \{r_0, r\} \\
6 & Haf(a, r) \mid Ma(a, r) & 0 & \{r_0, r\} \\
7 & Haf(a, r) & \bar z[repat, a, r_0, a, r, \_] & \{r_0\} \\
8 & Haf(a, r) \mid Ma_{in}(a, r) & 0 & \{r_0, r\} \\
9 & Haf(a, r) & \bar z[immig, a, r', a, r, \_] & \{r_0\} \\
10 & Haf(a, r) \mid Bma(a, r') & \bar z[mig, a, r_0, a, r', \_] & \{r_0, r'\}
\end{array}$$

Figure 9: Control migration ($r_0 = H(a)$)

$$\begin{array}{l}
K = \{1, \ldots, 10\} \qquad K_s = \{1, 2, 6, 8\} \ \text{(stable states)} \\[6pt]
\varphi : AN \to K \times RN \times RN \times (RN \cup LAN) \quad \text{(control migration)} \\
\qquad\qquad\quad\ \times\ \mathcal{P}_{fin}(RN) \quad \text{(Fwd's)} \\
\qquad\qquad\quad\ \times\ \mathcal{M}_{fin}((RN \cup LAN) \times RN \times AN \times RN \times DN) \quad \text{(data messages)} \\[6pt]
Act(a, \varphi) = \varphi(a)_5 \cup R(a, \varphi(a)_1, \varphi(a)_2, \varphi(a)_3) \\[6pt]
\text{Admissibility conditions on } \varphi: \\
(C1)\ \{a \in AN \mid \varphi(a)_1 \notin K_s\} \text{ finite} \\
(C2)\ \forall a \in AN\ (k = \varphi(a)_1,\ r = \varphi(a)_2,\ r' = \varphi(a)_3,\ z = \varphi(a)_4,\ \text{and } F = \varphi(a)_5) \Rightarrow \\
\qquad (\sharp\{H(a), r, r'\} = 3,\ F \cap R(a, k, r, r') = \emptyset,\ (k \in \{7, 9\} \Rightarrow r \in Act(a, \varphi)),\ \text{and} \\
\qquad\ (CMs(a, k, r, r', z) \equiv \bar z[cdir, a, r_1, a, r_2, \_] \Rightarrow z \in \{r_1, r_2, L(r_1, a)\})) \\
(C3)\ \forall a \in AN\ \forall (z, r_1, a_2, r_2, d) \in \varphi(a)_6\ (r_1 \in Act(a, \varphi),\ r_2 \in Act(a_2, \varphi),\ \text{and} \\
\qquad z \in Act(a, \varphi) \cup \{r_2\} \cup \{L(r'', a) \mid r'' \in Act(a, \varphi)\})
\end{array}$$

Figure 10: Admissible configurations for Mob
(C2) is a hygiene condition on migration control messages, indicating that they may be at exactly one of three positions, and that if an agent is on the move (cases 7 and 9), the home forwarder always points to an active router, where a proxy agent will return delayed data messages back to $a$'s home; after receiving the pending control message, the home forwarder will deliver the data message to the current (correct) location of the mobile agent. Thus, although there may apparently be forwarding cycles, these will always involve the home forwarder and will be broken immediately on receipt of the pending control message. Condition (C3) explicitly indicates where a control message involving $a$ may be.

Definition 4.4 (admissible configuration) An admissible configuration for Mob, $m$, is generated by a pair $(\varphi, Ob)$ comprising an admissible function and a process as follows:

$$m \equiv Rt \mid Ob \mid \prod_{a \in AN} V(a, \varphi)$$

where $Rt$, $Ob$ are as in Figure 8 and

$$\begin{array}{l}
V(a, \varphi) \equiv Ag(a, k, r, r') \mid CMs(a, k, r, r', z) \mid \prod_{r \in F} Fwd(a, r) \mid \prod_{r \in RN \setminus Act(a, \varphi)} Idle(a, r) \\
\qquad\qquad \mid \prod_{(z, r_1, a_2, r_2, d) \in D} \bar z[msg, a, r_1, a_2, r_2, d] \\
\text{where } k = \varphi(a)_1;\ r = \varphi(a)_2;\ r' = \varphi(a)_3;\ z = \varphi(a)_4;\ F = \varphi(a)_5;\ D = \varphi(a)_6
\end{array}$$

Let $m$ be an admissible configuration for Mob, generated by $(\varphi, Ob)$. Further, let $m.DMs(a)$ denote $\prod_{(z, r_1, a_2, r_2, d) \in \varphi(a)_6} \bar z[msg, a, r_1, a_2, r_2, d]$, the data messages in state $m$ addressed to $a$, and let $m.DMs$ denote all data messages in state $m$. We will write $m.CMs$ and $m.Ob$ to denote the state of the control messages and atomic observations, respectively, in configuration $m$.

Theorem 4.5 The initial configuration Mob is admissible, and admissible configurations are closed under reduction.

From this result, it is possible to derive an important property of system Mob: it is always possible to bring the system to a stable state.

Corollary 4.6 (control stabilization) Let $m$ be an admissible configuration for Mob generated by $(\varphi, Ob)$ and let $n = \sharp\{a \mid \varphi(a)_1 \notin K_s\}$. Then $m \to^{(\leq 9n)} m'$ such that $m'$ is determined by $(\varphi', Ob)$ and $\forall a\ (\varphi'(a)_1 \in K_s \text{ and } \varphi'(a)_6 = \varphi(a)_6)$.
In particular, if $\varphi(a)_1 \notin K_s$, then $\varphi'(a)_1 \in \{1, 6\}$.

The analogues of Corollaries 4.2 and 4.3 can be stated as follows. Messages neither get lost nor is their observable content tampered with.

Corollary 4.7 (message integrity) Let $m$ be an admissible configuration for Mob, generated by $(\varphi, Ob)$, and suppose $m \to m'$. Then for all $\bar z_j x_j \in m.DMs$ either $\bar o[x_{2,j}, x_{4,j}, x_{6,j}] \in m'.Ob \setminus m.Ob$ or else there exists a $\bar z'_l x'_l \in m'.DMs$ such that $obs(x'_l) = obs(x_j)$.

Corollary 4.8 (message delivery) Let $a \in AN$ and let $m$ be an admissible configuration for Mob generated by $(\varphi, Ob)$ such that $\varphi(a)_1 \in K_s$ and $(z, r_1, a_2, r_2, w) \in \varphi(a)_6$. Then this data message can be observed in at most 10 reductions.

We now introduce a notion of what is observable of a process and a related notion of barbed bisimulation (cf. [Par81, Pnu85]).

Definition 4.9 Let $p$ be a process. Then $O(p)$ is the following multiset ($y$ can be the anomalous value):

$$O(p) = \{\bar o\, y \mid \exists p'\ \ p \equiv (p' \mid \bar o\, y)\}$$

We note that on an admissible configuration $s$, $O(s) = s.Ob$. A similar remark can be applied to an admissible configuration $m$ or $c$ (cf. the following Definition 4.12).

Definition 4.10 A binary relation on processes $\mathcal{R}$ is a barbed bisimulation if whenever $p\, \mathcal{R}\, q$ then the following conditions hold: (1) $\exists q'\ (q \to^* q' \text{ and } O(p) = O(q'))$, (2) $p \to p'$ implies $\exists q'\ (q \to^* q' \text{ and } p'\, \mathcal{R}\, q')$, and symmetrically. Two processes $p, q$ are barbed bisimilar, written $p \approx q$, if they are related by a barbed bisimulation.

We use the notion of barbed bisimulation to relate the simple system Stat (viewed as a specification) to the more complex systems Mob and CMob. Note that each process $p$ has a unique commitment $O(p)$. Taking as commitments the atomic observations would lead to a strictly weaker equivalence.

Theorem 4.11 Stat $\approx$ Mob.

Proof hint.
We define the relevant observable content of data messages in an admissible configuration s for Stat and m for Mob as the following multisets, respectively:

O0(s) = f[x2;j; x4;j; x6;j] j zj xj 2 s:Msg
O0(m) = f[x2;j; x4;j; x6;j] j zj xj 2 m:DMsg

Next, we introduce a relation S between admissible configurations for Stat and Mob as:

S = f(s;m) j O(s) = O(m); O0(s) = O0(m); and ( ;Ob) generates m ) 8 a (Ain(a) 2 s:Ag i (a)1 2 f2; 8g)g

We show that S is a barbed bisimulation. □

4.3 Analysis of CMob

The analysis of CMob follows the pattern presented above for Mob. The statement of the invariant, however, is considerably more complicated. The table in Figure 11 lists the situations that can arise during the migration of an agent from one router to another. Relying on this table, we define in Figure 12 a notion of admissible function . Intuitively, the function associates with each agent a its current migration control (state and protocol messages), the routers already visited (either Fwd's or Mam's), and the data messages and update messages in transit which are addressed to a.

 k   Ag(a; k; r; r0; f; c1; c2)          CMs(a; k; r; r0; z)        R(a; k; r; r0)
 1   Ah(a; f)                            0                          fr0g
 2   Ahin(a; f; c1; c2)                  0                          fr0g
 3   Ham(a)                              z[immig; a; r; a; r0; ]     fr0g
 4   Ham(a) j Bma(a; r)                  z[regd; a; r0; a; r; ]      fr0; rg
 5   Haf(a; r) j Bma(a; r)               z[infmd; a; r; a; r0; ]     fr0; rg
 6   Haf(a; r) j Ma(a; r; f)             0                          fr0; rg
 7   Haf(a; r) j Main(a; r; f; c1; c2)   0                          fr0; rg
 8   Haf(a; r) j Mam(a; r)               z[repat; a; r0; a; r; ]     fr0; rg
 9   Haf(a; r) j Mam(a; r)               z[immig; a; r0; a; r; ]     fr0; rg
10   Haf(a; r) j Bma(a; r0)              z[mig; a; r0; a; r0; ]      fr0; r0g

Figure 11: Control migration with caching (r0 = H(a))

Again, Act(a; ) denotes the routers which a has visited and which are not in an Idle state. Condition (C1), as before, states that at most finitely many agents can be on the move ("deranged") at any instant.
(C2) is, as before, an invariant on control messages and the forwarder caches, indicating that there are no forwarding cycles and that the cached entries for each agent a always point to routers which the mobile agent has visited. M serves to indicate the router at which there is a Mam(a) when there is a pending regd message, whose current location is indicated using Z. (C3) is an invariant dealing with data messages or forwarded data messages, which indicates that such messages may never arise from, be addressed to, or be present at agents located at as yet unvisited routers. (C4) is a condition on update messages, stating that such messages are only sent between shadow agents of two different agents, and that they may only originate, be present at and be targeted to routers where the two agents have been active.

Definition 4.12 (admissible configuration with caching) An admissible configuration with caching cm is generated by a pair ( ;Ob), consisting of an admissible function with caching and a process, as follows:

cm Rt j Ob j a2AN V (a; )

where Rt and Ob are as in Figure 8, and

V (a; ) Ag(a; k; r; r0; f; c1; c2)
  j CMs(a; k; r; r0; z)
  j r2dom(F); F0(r)=nin Fwd(a; r; F(r))
  j r2dom(F); F0(r)=in Fwdin(a; r; F(r))
  j r2dom(M) (Mam(a; r) j Z(r)[regd; a; r; a; M(r); ])
  j r2RNnAct(a; ) Idle(a; r)
  j (ddir;z;r1;a2;r2;d)2D z[ddir; a; r1; a2; r2; d]
  j (z;r1;a2;r2)2UMs z[upd; a; r1; a2; r2; ]

where k = (a)1; r = (a)2; r0 = (a)3; f = (a)4; z = (a)5; F = 1 (a)8; F0 = 2 (a)8; M = 1 (a)9; Z = 2 (a)9; D = (a)10; UMs = (a)11.

K = f1; : : : ; 10g    Ks = f1; 2; 6; 7g (stable states)

: AN ! ( K RN RN (AN ! RN) (RN [ LAN) f0; 1g2    (control migration)
         (RN * (RN fin; ning))                     (Fwd's)
         (RN * (RN (RN [ LAN)))                    (Mam's)
         Mfin(fmsg; fwddg (RN [ LAN) RN AN RN DN)   (data messages)
         Mfin((RN [ LAN) RN AN RN) )                (update messages)

Act(a; ) = R(a; (a)1; (a)2; (a)3) [ dom( (a)8) [ dom( (a)9)

Admissibility conditions on :

(C1) fa 2 AN j (a)1 = 2 Ksg finite

(C2) 8a 2 AN (k = (a)1; r = (a)2; r0 = (a)3; f = (a)4; z = (a)5; F = 1 (a)8; M = 1 (a)9; and Z = 2 (a)9)) (]fH(a); r; r0g = 3; Act(a; ) finite; 8 a0 2 AN (f(a0) 2 Act(a0; )); (CMs(a; k; r; r0; z) z[cdir; a; r1; a; r2; ]) z 2 fr1; r2; L(r1; a)g); dom(F); dom(M); R(a; k; r; r0) pairwise disjoint; cod(F); cod(M) Act(a; ); Acyclic(F;M); and (Z(r) defined ) Z(r) 2 fr; L(r; a); M(r)g) )

where Acyclic(F;M) means: 6 9 r1; : : : ; rn; X1; : : : ; Xn (n 1; (X1(r1) = r2; : : : ; Xn(rn) = r1) and Xi 2 fF;Mg)

(C3) 8 a 2 AN 8 (ddir; z; r1; a2; r2; d) 2 (a)10 (r1 2 Act(a; ); r2 2 Act(a2; ); and z 2 Act(a; ) [ fr2g [ fL(r00; a) j r00 2 Act(a; )g)

(C4) 8 a 2 AN 8 (z; r1; a2; r2) 2 (a)11 (a2 6= a; r1 2 Act(a; ); r2 2 Act(a2; ); and z 2 Act(a; ) [ fr2g [ fL(r00; a) j r00 2 Act(a; )g)

Figure 12: Admissible configurations with caching

Let c be an admissible configuration with caching, generated by ( ;Ob). Further, let c:DMs(a) denote (ddir;z;r1;a2;r2;d)2 (a)10 z[ddir; a; r1; a2; r2; d], the data messages addressed to a in configuration c, and let c:DMs stand for all data messages in configuration c. For convenience, we will write c:CMs and c:Ob to denote the state of the control messages and atomic observations, respectively, in configuration c.

Theorem 4.13 The initial configuration CMob is admissible, and admissible configurations with caching are closed under reduction.

As in Mob, it is possible to bring CMob to a stable state.

Corollary 4.14 (control stabilization) Let c be an admissible configuration with caching generated by ( ;Ob) and let n = ]fa j (a) = 2 Ksg. Then c ! (10 n) c0 such that c0 is generated by ( 0; Ob) and 8 a ( 0(a)1 2 Ks and 0(a)10 = (a)10).
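As an added illustration (not the paper's own code), the following Python sketch checks the (C2) clauses of Figure 12 for one agent's Fwd and Mam tables (pairwise disjoint domains, codomains inside Act(a), Acyclic(F, M)) and then walks a forwarding chain the way the proof of corollary 4.16 does. The router names, the sample tables, the class and function names, and the per-hop step counts used in reduction_bound are all assumptions made for the example.

```python
"""Added example, not the paper's own code: an executable reading of condition
(C2) of Figure 12 for one agent's Fwd and Mam tables, plus the forwarding-chain
walk from the proof of corollary 4.16.  Router names and tables are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class AgentState:
    """The (C2)-relevant slice of the admissible function for one agent a."""
    home: str             # r0 = H(a)
    current: str          # router where a (or its proxy) currently sits
    fwd: Dict[str, str]   # F: router -> next router, one entry per Fwd(a, r, r')
    mam: Dict[str, str]   # M: router -> next router, one entry per Mam(a, r)

    def r_set(self) -> Set[str]:
        # R(a, k, r, r0) of Figure 11: {r0} at home, {r0, r} once migrated
        return {self.home, self.current}

    def active(self) -> Set[str]:
        # Act(a) = R ∪ dom(F) ∪ dom(M): the routers the agent has visited
        return self.r_set() | set(self.fwd) | set(self.mam)


def acyclic(fwd: Dict[str, str], mam: Dict[str, str]) -> bool:
    """Acyclic(F, M): no r1..rn with X1(r1)=r2, ..., Xn(rn)=r1, Xi in {F, M}."""
    nxt = {**fwd, **mam}  # (C2) makes the domains disjoint; check_c2 verifies it
    for start in nxt:
        seen, r = {start}, nxt[start]
        while r in nxt:
            if r in seen:
                return False
            seen.add(r)
            r = nxt[r]
    return True


def check_c2(st: AgentState) -> List[str]:
    """Return the violated clauses of (C2); an empty list means admissible."""
    problems: List[str] = []
    f_dom, m_dom, r_set = set(st.fwd), set(st.mam), st.r_set()
    if f_dom & m_dom or f_dom & r_set or m_dom & r_set:
        problems.append("dom(F), dom(M), R(a,k,r,r0) not pairwise disjoint")
    if not (set(st.fwd.values()) | set(st.mam.values())) <= st.active():
        problems.append("cod(F) or cod(M) names a router outside Act(a)")
    if not acyclic(st.fwd, st.mam):
        problems.append("Acyclic(F, M) violated")
    return problems


def delivery_path(st: AgentState, start: str) -> List[str]:
    """Routers a data message for a passes through from `start` until it
    reaches a.  By (C2) the chain ends in H(a) or at the agent's location; if
    it ends at the home forwarder Haf(a, r) while a is elsewhere, one more hop
    (to r = current) delivers it."""
    problems = check_c2(st)
    if problems:
        raise ValueError("state violates (C2): " + "; ".join(problems))
    if start not in st.active():
        raise ValueError(f"{start} not in Act(a): (C3) allows no message there")
    path, nxt = [start], {**st.fwd, **st.mam}
    while path[-1] in nxt:          # terminates because Acyclic(F, M) holds
        path.append(nxt[path[-1]])
    if path[-1] == st.home and st.current != st.home:
        path.append(st.current)     # Haf(a, r) forwards to the agent's router
    return path


def reduction_bound(st: AgentState, start: str) -> int:
    """Step bound read off the proof of corollary 4.16 (assumed to hold per hop):
    at most 3 reductions per Mam to turn into a Fwd, then at most 4 per hop."""
    hops = len(delivery_path(st, start)) - 1
    return 3 * len(st.mam) + 4 * hops


# Constructed scenario: agent a with home r0 migrated r0 -> r1 -> r2 -> r3 and now
# sits at r3; r1 holds a Fwd, r2 still holds a Mam awaiting its regd message.
GOOD = AgentState(home="r0", current="r3", fwd={"r1": "r2"}, mam={"r2": "r3"})

# Same routers, but a stale entry at r2 points back to r1: a forwarding cycle.
CYCLIC = AgentState(home="r0", current="r3", fwd={"r1": "r2", "r2": "r1"}, mam={})

# A Fwd pointing at a router a never visited breaks cod(F) ⊆ Act(a).
UNVISITED = AgentState(home="r0", current="r1", fwd={"r2": "r9"}, mam={})

if __name__ == "__main__":
    print(check_c2(GOOD), delivery_path(GOOD, "r1"), reduction_bound(GOOD, "r1"))
    print(check_c2(CYCLIC), check_c2(UNVISITED))
```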
In particular, if (a)1 = 2 Ks, then 0(a)1 2 f1; 6g.

As in Stat and Mob, it is easy to derive corollaries concerning message integrity and message delivery.

Corollary 4.15 (message integrity) Messages do not get lost nor is their observable content tampered with. Let c be an admissible configuration with caching, generated by ( ;Ob), and suppose c ! c0. Then for all zj xj 2 c:DMs either o[x2;j; x4;j; x6;j] 2 c0:Ob n c:Ob, or else there exists a z0l x0l 2 c0:DMs such that obs(x0l) = obs(xj).

Corollary 4.16 (message delivery) Let a 2 AN and let c be an admissible configuration with caching generated by ( ;Ob) such that (ddir; z; r1; a2; r2; w) 2 (a)10 and (a)1 2 Ks. Then the data message can be "delivered" in a number of reductions proportional to the length of the longest forwarding chain.

The analysis of the invariant allows us to extract some general principles for the correct definition of the protocol (note that these principles are an output of the analysis of our protocol model; they are not explicitly stated in the informal description of the protocol).

- Cache entries and Fwd's always point to routers which have been visited by the agent.
- Any message from agent a to agent a0 comes from a router r and is directed to a router r0, which have been visited, respectively, by agent a and a0.
- Agent a never sends update messages to its own shadow agents.
- The protocol for moving an agent a from one router to another terminates in a fixed number of steps.
- Given an agent a, the forwarding proxy agents never form forwarding cycles. This ensures that once the agent a has settled in one router, data messages and update messages in transit can reach it in a number of steps which is proportional to the length of the longest chain of Fwd's.

The bottom line of our analysis for system CMob is the analogue of theorem 4.11.

Theorem 4.17 Stat CMob.

5 Conclusions

We have described in a standard process description language a simplified version of the Mobile IP protocol.
We believe that a precise yet abstract model is useful in establishing the correctness of the protocol, as well as providing a basis for simulation and experimentation. Our modelling uses non-determinism and asynchronous communication (with unbounded and unordered buffers). Non-determinism serves as a powerful abstraction mechanism, assuring us of the correctness of the protocol for arbitrary behaviors of the processes, even if we try different instances of particular management policies (e.g., routing and cache management policies), provided they maintain the same invariants as in the non-deterministic model. Asynchronous communication makes minimal assumptions on the properties of the communication channels and the timeliness of messages. All we require is that messages are not lost, and in particular we assume there is a mechanism for avoiding store-and-forward deadlocks. Our analysis shows that message loss can be avoided by a router forwarding messages addressed to a mobile agent that is no longer present in that subnet to its home router or to a router to which it has moved. Moreover, these forwarding links never form cycles. Control stabilization is a key property, since cycles that a message may potentially traverse are broken on stabilization. Furthermore, any (reasonable) cache update policy can be used, provided messages to an agent are forwarded to routers it has previously visited.

Our model allows mobility protocol designers to explore alternative policies and mechanisms for message forwarding and cache management. A concrete suggestion is that rather than dropping a data message (delayed in transit) for an agent that has moved away from a router, IPv6 designers could examine the tradeoff between increased traffic and employing a default policy of tunneling the message to the home subnet of the agent, particularly for applications where message loss is costly, or in the context of multi-layer protocols. Other concrete applications include designing mobility protocols where losing messages may be unacceptable, e.g., forwarding signals in process migration mechanisms.

In our modelling, we have greatly simplified various details. On the one hand, this simplification is useful, since it again serves as a way of abstracting from particular protocols for establishing connections (e.g., Neighbor Discovery, etc.). On the other hand, we have assumed that our so-called "control messages" eventually reach their destination without getting lost or corrupted. A future direction of work may be to model protocols that cope with failures, or to model security and authentication issues.

By concentrating on an abstract and simple model we have been able to specify the protocol and, by a process of analysis, to discover and explicate some of its organizing principles. The specification and combinatorial analysis of the protocol is sufficiently complicated to preclude leaving it "implicit" in the informal protocol description. By a careful analysis we have been able to carry out a hand proof. A direction for further research is the formal development of the proof using a proof assistant.

Finally, we report on a finite state formulation of the protocol for which automatic simulation and verification tools are available. The sets RN, AN, DN are assumed finite, so that there are finitely many entities in the systems. Ensuring that the number of messages does not grow in an unbounded manner also requires that communication is over bounded capacity channels. In particular we will consider the limit case where all communications are synchronous (we expect that a protocol which works with synchronous communication can be easily adapted to a situation where additional buffers are added).

The main difficulty lies in understanding how to transform asynchronous communication into synchronous communication without introducing deadlocks.
The synchronous version seems to require a finer, more detailed description of the protocol and makes the proof of correctness much more complicated. In retrospect, this fact justifies the use of an asynchronous communication model with unbounded and unordered buffers. The systems FStat and FMob with synchronous communication are described in Appendix B. We have compiled these descriptions in the modelling language Promela of the simulation and verification tool SPIN [Hol91]. Extensive simulations on configurations including three routers and three agents have revealed no errors. We have been able to complete a verification for the FStat system with two routers and two agents. The size of the verification task and the complexity of the system FMob make verification of larger systems difficult. The Promela sources for FMob are available at URL http://protis.univ-mrs.fr/~amadio/fmob.

References

[AMST97] G. Agha, I. Mason, S. Smith, and C. Talcott. A foundation for actor computation. Journal of Functional Programming, 7(1):1-72, 1997.
[BKT92] H. Bal, F. Kaashoek, and A. Tanenbaum. Orca: a language for parallel programming of distributed systems. IEEE Trans. on Soft. Eng., 21-3:261-322, 1992.
[Dec86] D. Decouchant. Design of a distributed object manager for Smalltalk-80 system. In Proc. Object-Oriented Programming Systems, Languages and Applications (OOPSLA'86), pages 444-452. ACM Press, 1986.
[Hol91] G. Holzmann. Design and validation of computer protocols. Prentice-Hall, 1991.
[HT91] K. Honda and M. Tokoro. An object calculus for asynchronous communication. Proc. ECOOP 91, Geneve, 1991.
[IDM91] J. Ioannidis, D. Duchamp, and G. Maguire. IP-based protocols for mobile internetworking. In Proc. ACM SIGCOMM, 1991.
[JLHB88] E. Jul, H. Levy, N. Hutchinson, and A. Black. Fine-grained mobility in the Emerald system. ACM Trans. on Comp. Sys., 6:109-133, 1988.
[JNW97] D. Jackson, Y. Ng, and J. Wing. A Nitpick analysis of mobile IPv6. Technical report, Carnegie-Mellon University, 1997.
[JP96] D. Johnson and C. Perkins. Mobility support in IPv6 (RFC). Version expiring May 97, 1996.
[MPW92] R. Milner, J. Parrow, and D. Walker. A calculus of mobile processes, Parts 1-2. Information and Computation, 100(1):1-77, 1992.
[MR97] P. McCann and G.-C. Roman. Mobile Unity coordination constructs applied to packet forwarding. In Proc. Coordination 97, Springer Lect. Notes in Comp. Sci. 1282, 1997.
[OCD+88] J. Ousterhout, A. Cherenson, F. Douglis, M. Nelson, and B. Welch. The Sprite network operating system. IEEE Computer, pages 23-36, February 1988.
[Par81] D. Park. Concurrency and automata on infinite sequences. In Proc. Theor. Comp. Sci., Springer Lect. Notes in Comp. Sci. 104, 1981.
[Piq96] J. Piquer. Indirect distributed garbage collection: handling object migration. Transactions on Programming Languages and Systems, 18-5:615-647, 1996.
[PM83] M.L. Powell and B.P. Miller. Process migration in DEMOS/MP. In Proc. of the 9th ACM Symp. on Op. Sys. Principles, pages 110-119, 1983.
[Pnu85] A. Pnueli. Linear and branching systems in the semantics and logics of reactive systems. In Springer Lect. Notes in Comp. Sci. 194, 1985.
[PRM97] G.-P. Picco, G. Roman, and P. McCann. Expressing code mobility in Mobile UNITY. In Proc. 6th European Soft. Eng. Conf. and 5th ACM SIGSOFT Symp. on Foundations of Soft. Eng., 1997.
[PW85] G. Popek and D. Walker, editors. The Locus Distributed System Architecture. MIT Press, 1985.
[RMP97] G. Roman, P. McCann, and J. Plun. Mobile UNITY: reasoning and specification in mobile computing. ACM Transactions on Software Engineering and Methodology, 6(3):250-282, July 1997.
[TUSM94] F. Teraoka, K. Uehara, H. Sunahara, and J. Murai. VIP: a protocol providing host mobility. Comm. ACM, 37(8), 1994.
[VRHB+97] P. Van Roy, S. Haridi, P. Brand, G. Smolka, M. Mehl, and R. Scheidhauer. Mobile objects in distributed Oz. Transactions on Programming Languages and Systems, 19(5), 1997.

A Proofs for Systems Stat, Mob, and CMob

In the following, we present the proofs related to the analyses outlined in Sections 4.1, 4.2 and 4.3.

A.1 Proofs for system Stat

Proof of proposition 4.1 Stat trivially satisfies the admissibility criteria. Closure under reduction is established by examination of the possible transitions. The only possible transitions are:

- The reduction follows from an internal choice. This may be performed only by some A(a), resulting in either Ain(a), or else in a message origination. In the latter case, the resulting configuration is A(a) together with a new data message, which satisfies the admissibility criterion.
- Ain(a) receives a data message x addressed to a. By the side condition on zj and the injectivity of L, Ain(a) cannot receive a message addressed to another agent. In this case, the data message is removed and replaced with a new observation obs(x) = o[x2; x4; x6]. The observation cannot be an error message o , since only data messages are present. Moreover, this transition is the only possible way of introducing new elements in the Ob component of an admissible configuration.
- A router receives a data message addressed to a. The message is forwarded to either H(a), or to L(H(a); a), and its observable content is left unchanged. □

Proof of corollary 4.2 The analysis in the above proof. □

Proof of corollary 4.3 At most two routers are involved in moving the message from its source router to channel L(H(a); a). For consumption, an internal choice by A(a) may be necessary before consuming the message. □

A.2 Proofs for system Mob

Proof of theorem 4.5 The initial configuration Mob is generated by the pair ( o; ;), where o(a) = (1; ra; r0a; za; ;; ;), and ra; r0a are chosen so that ]fH(a); ra; r0ag = 3, which is always possible by the hypothesis that ]RN 3, and where za is suitably chosen (H(a) may be a good choice). Let m be an admissible configuration for Mob generated by ( ;Ob), and suppose m ! m0.
By case analysis, we build a pair ( 0;Ob0) which generates m0, such that 0 is admissible. In the following, we only indicate the components that need to be altered and leave the verification of admissibility to the reader.

- The reduction follows from an internal choice. This reduction can be performed only by the agents Ah(a) ( (a)1 = 1) and Ma(a; r) ( (a)1 = 6; r 6= r0).

  Ah(a) ! Ahin(a)                                  0(a)1 = 2
  Ah(a) ! Ah(a) j r0[msg; y; z; a; r0; w]          0(y)6 = (y)6 [ f(r0; z; a; r0; w)g
  Ah(a) ! Ah(a)
  Ah(a) ! Ham(a) j r0[immig; a; u; a; r0; ]        0(a)1 = 3; 0(a)2 = u; 0(a)4 = r0
  Ma(a; r) ! Main(a; r)                            0(a)1 = 8
  Ma(a; r) ! Ma(a; r) j r[msg; y; z; a; r; w]      0(y)6 = (y)6 [ f(r; z; a; r; w)g
  Ma(a; r) ! Ma(a; r)
  Ma(a; r) ! Fwd(a; r) j r[repat; a; r0; a; r; ]   0(a)1 = 7; 0(a)4 = r; 0(a)5 = (a)5 [ frg
  Ma(a; r) ! Fwd(a; r) j r[immig; a; u; a; r; ]    0(a)1 = 9; 0(a)3 = u; 0(a)4 = r; 0(a)5 = (a)5 [ frg

  In no case does Ob change, and DMs changes only in the second and sixth situations, by the addition of a new data message as specified by 0(y)6.

- A router receives a data message addressed to a. We have:

  Router(r) j r[msg; a; r1; a2; r2; w] ! Router(r) j l[msg; a; r1; a2; r2; w]    if r = r1; l = L(r; a)
  Router(r) j r[msg; a; r1; a2; r2; w] ! Router(r) j r1[msg; a; r1; a2; r2; w]   otherwise

  By (C3) we know r1 2 Act(a; ), r2 2 Act(a2; ), and r 2 fr2g [ Act(a; ). In both cases we alter 0(a)6. Ob does not change, and for the only change we make in going to 0(a)6, namely changing the data message to some zx, the observable content of the message (x) remains unchanged.

- A router receives a control message addressed to a. The analysis is similar to the previous case, but in this case we use condition (C2) and alter 0(a)4. Ob and DMs do not change.

- An agent receives a data message. Agents Ah(a) and Ma(a) cannot receive. Because of condition (C3) an agent Idle(a; r) cannot receive a data message. If Ham(a) or Bma(a; r) receive then nothing changes. If Ahin(a) or Main(a; r) receive then we change 0(a)1 (move to Ah(a) or Ma(a; r)), 0(a)6 (remove the message received), and Ob0 (observe the message received). If Fwd(a; r) receives then the message is forwarded to the home router and we emend 0(a)6. Finally, if Haf(a; r) receives it forwards to r (by (C2) the invariants are maintained) and we alter 0(a)6. In the last two subcases, Ob does not change, and for the only change we make to 0(a)6, namely to some zx, the observable content of the message remains unchanged.

- An agent receives a control message. We have to consider the situations (a)1 2 KnKs. We have the following transitions: 3 ! 4 ! 5 ! 6, 7 ! 1, 9 ! 10 ! 5 (! 6), which correspond to the control transitions outlined in Figure 4. The details of the alterations to are left to the reader. Note that at most three control messages may be involved in any migration. In no case do either Ob or DMs change. □

Proof of corollary 4.6 It takes at most three communications to deliver a control message. If (a)1 =2 Ks then we can bring the system to a configuration in Ks by delivering at most three control messages. Ob remains unchanged as indicated in the proof of theorem 4.5. □

Proof of corollary 4.7 The proof follows from the case analysis of theorem 4.5, as is indicated at each stage. □

Proof of corollary 4.8 In the worst case, the message has been forwarded by the home forwarder to the shadow at a router r from where the agent has moved to router r0, but the message has got delayed en route. In 2 reductions, the message is delivered to the forwarder at r, which sends it back to the home router in 1+2 additional steps. The home forwarder now sends the message to the agent at r0 in 3 further steps. With 2 more reductions the message is observed. □

Proof of theorem 4.11 We show that S is a barbed bisimulation. By definition of S, we have O(s) = O(m).

Simulation of s by m. Let (s;m) 2 S, and suppose s ! s0. We show that there exists an m0 such that m ! m0 and (s0;m0) 2 S. Let m be generated by some ( ;Ob).

- s ! s0 by an internal choice creating a new data message dm, from a to some y. Thus A(a) 2 s:Ag, whence (a)1 62 f2; 8g.
If (a)1 62 Ks, then by corollary 4.6, there exists an m00 generated by ( 00;Ob) such that 00(a)1 2 f1; 6g. Thus m00 ! m0 is possible for some m0 by Ah(a) or Ma(a) performing an internal choice generating the same data message. For m0, generated by ( 0;Ob), we have 0(y)6 = 00(y)6 [ fdmg, Ob unchanged, and 0(a)1 2 f1; 6g. Since 00(y)6 = (y)6, we have O0(s0) = O0(m0). Since A(a) 2 s0:Ag, we have (s0;m0) 2 S.

- s ! s0 by some A(a) 2 s:Ag performing A(a) ! Ain(a). Hence (a)1 62 f2; 8g. If (a)1 62 Ks, then by corollary 4.6, there exists an m00 generated by ( 00;Ob) such that 00(a)1 2 f1; 6g. Thus m00 ! m0 is possible for some m0 by performing an internal choice going to state 2 or 8. For m0, generated by ( 0;Ob), we have 00(y)6 = 0(y)6, Ob unchanged, and 0(a)1 2 f2; 8g. Since 00(y)6 = (y)6, we have O0(s0) = O0(m0). Since Ain(a) 2 s0:Ag, we have (s0;m0) 2 S.

- s ! s0 by some Ain(a) 2 s:Ag receiving a message lx 2 s:Ms, resulting in state s0 having s0:Ob = s:Ob [ obs(x), s0:Ms = s:Ms n flxg and A(a) 2 s0:Ag. By assumption on m, (a)1 2 f2; 8g Ks. O0(s) = O0(m) implies there is a zx0 2 m:DMs, where x and x0 have the same observable content. If lx0 2 m:DMs, then m ! m0 by receiving this message, for some m0 generated by 0; m:Ob [ obs(x). By corollary 4.7, we have 0(a)1 2 f1; 6g, and O0(s0) = O0(m0). If lx0 =2 m:DMs, then by corollaries 4.7 and 4.8, in at most 8 steps, m ! m00 corresponding to the previous case, with m00:Ob = m:Ob and O0(m00) = O0(m). Then m00 ! m0, as before. Thus we have (s0;m0) 2 S.

- s ! s0 by a router's reduction. m does nothing, and we have, by corollary 4.7, (s0;m) 2 S.

Simulation of m by s.

- m ! m0 by an internal choice such that for some a, (a)1 2 f1; 6g and 0(a)1 2 f2; 8g. By assumption A(a) 2 s:Ag, so by A(a) ! Ain(a), s ! s0. Since the data messages and observations remain unchanged, (s0;m0) 2 S.

- m ! m0 by an internal choice to initiate a migration. That is, for some a, (a)1 2 f1; 6g. By assumption A(a) 2 s:Ag; s remains in the same configuration. Since the data messages and observations remain unchanged, (s;m0) 2 S.

- m ! m0 by an internal choice generating a new data message dm = zx. That is, for some a, (a)1 2 f1; 6g. By assumption A(a) 2 s:Ag. s ! s0 is possible by A(a) generating a data message z0x0 such that x; x0 have the same observable content, and A(a) 2 s0:Ag. Clearly, (s0;m0) 2 S.

- m ! m0 by receiving a data message zx. Thus, for some a, (a)1 2 f2; 8g, and by corollary 4.7, O(m0) = O(m) [ fo[x2; x4; x6]g, and m0:DMs = m:DMs n fzxg. By assumption, Ain(a) 2 s:Ag, and there is a data message z0x0 2 s:Ms such that x; x0 have the same observable content. By corollaries 4.3 and 4.2, this message can be delivered in at most 2 reductions and s ! s0 is possible by Ain(a) consuming that message. Clearly, (s0;m0) 2 S.

- m ! m0 by performing a control (delivery / consumption / production) transition involving an agent a. By assumption, (a)1 62 f2; 8g, otherwise this move would not have been possible. By corollary 4.6, we are guaranteed that 0(a)1 62 f2; 8g. In response, s does nothing. Since m0:DMs = m:DMs, (s;m0) 2 S.

- m ! m0 by a router's step. s does nothing. Since by corollary 4.7, O0(m0) = O0(m), (s;m0) 2 S.

- m ! m0 by a message forwarding step, in which some Fwd(a; r) or Haf(a; r) redirects a message. s does nothing. Since by corollary 4.7, O0(m0) = O0(m), (s;m0) 2 S. □

A.3 Proofs for system CMob

Proof of theorem 4.13 The initial configuration CMob is generated by the pair ( o; ;) where o(a) = (1; ra; r0a; H; za; c1; c2; ;; ;; ;; ;) and ra; r0a; za; c1; c2 are suitably chosen. Suppose cm is generated by ( ;Ob) and cm ! cm0. We can then define a pair ( 0;Ob0) which determines cm0 and such that 0 is admissible. We only indicate the components of ( 0;Ob0) that need to be altered, other than those which just need to be chosen.

- The reduction is an internal choice. This step can be taken by the processes Ah(a; f), Ma(a; r; f), and Fwd(a; r; r0).

  Ah(a; f) ! Ahin(a; f; c1; c2)                     0(a)1 = 2
  Ah(a; f) ! Ah(a; f) j r0[msg; y; z; a; r0; w]      0(y)10 = (y)10 [ f(msg; r0; z; a; r0; w)g
  Ah(a; f) ! Ah(a; f)
  Ah(a; f) ! Ham(a) j r0[immig; a; u; a; r0; ]      0(a)1 = 3; 0(a)5 = r0
  Ah(a; f) ! Ah(a; f[r0=y])                         0(a)4 = (a)4[r0=y]
  Ma(a; r; f) ! Main(a; r; f; c1; c2)               0(a)1 = 7
  Ma(a; r; f) ! Ma(a; r; f) j r[msg; y; z; a; r; w]  0(y)10 = (y)10 [ f(msg; r; z; a; r; w)g
  Ma(a; r; f) ! Ma(a; r; f)
  Ma(a; r; f) ! Mam(a; r) j r[repat; a; r0; a; r; ]  0(a)1 = 8; 0(a)5 = r
  Ma(a; r; f) ! Mam(a; r) j r[immig; a; u; a; r; ]   0(a)1 = 9; 0(a)5 = r
  Ma(a; r; f) ! Ma(a; r; f[r0=y])                   0(a)4 = (a)4[r0=y] (y 6= a)
  Fwd(a; r; r0) ! Fwd(a; r; r0)                     0(a)8 (first component)
  Fwd(a; r; r0) ! Fwdin(a; r; r0)                   0(a)8 (second component)

  About the transitions in lines 5 and 11, we note that (C2) is invariant, since in the cache update r0 = H(y), and by (C4) with respect to agent y, H(y) 2 R(y; k; r00; r000) Act(y; 0) for some r00; r000.

- A router receives a message addressed to a. From the definition of Router, we have:

  Router(r) j r[dir; a; r1; a2; r2; w] ! Router(r) j l[dir; a; r1; a2; r2; w]    if r = r1; l = L(r; a)
  Router(r) j r[dir; a; r1; a2; r2; w] ! Router(r) j r1[dir; a; r1; a2; r2; w]   otherwise

  We distinguish three cases according to the value of dir:

  data message: By (C3), we have r 2 Act(a; ) [ fr2g. We update (a)10, and so (C3) is invariant. Ob does not change, and for the only change we make in getting to 0(a)10, namely changing the data message to some zx, the observable content of the message (x) remains unchanged.

  update message: By (C4), we have r 2 Act(a; ) [ fr2g. We update (a)11, and so (C4) is invariant. Ob and DMs remain unchanged.

  control message: Again similar to the previous subcase, with Ob and DMs remaining unchanged. Note that the conditions on (a)5 in (C2) are satisfied.

- An agent receives a message addressed to a. We observe that Ah, Ma, Fwd cannot receive.

  data message: Idle cannot receive a data message (by (C3), which states that data messages originate and are routed only through active routers). If Ahin(a; f; c1; c2) receives a data message from y, we update Ob, we may change the cache and remove the data message from (DMs), and we move to Ah(a; f0). We may also send an update message. That is, (a)4, (a)10 and (y)11 may change. We note that (C1) is trivially invariant, (C3) is invariant, since a data message is only removed from the configuration, and (C4) is invariant even in case we add a data message. (C2) is invariant even when the cache is changed: f0(y) = ry 2 Act(y; 0), since the message from y originated at ry 2 Act(y; ) by (C3). The analysis for Main is similar. Ham, Bma and Mam filter data messages, leaving Ob and DMs unchanged. Haf and Fwdin forward data messages, leaving Ob unchanged, altering DMs without changing the observable content ([x2; x4; x6]) of the data message, and also keeping (C3) invariant.

  update message: If Ahin(a; f) receives an update message from agent y, we may update the cache, and we move to Ah(a; f0). (C4) is invariant since we are only deleting a message from (a)11. (C2) is invariant even when the cache is changed, since f0(y) = ry 2 Act(y; 0), because the message from y originated at ry 2 Act(y; ) by (C4). The analysis for Main is similar. Ham and Mam filter update messages. Haf and Fwdin forward the update message. In the last two cases, the invariants, (C4) in particular, are maintained, and Ob and DMs are unchanged.

  control message: We have to consider the situations for (a)1 2 KnKs. We get the following transitions: 3 ! 4 ! 5 ! 6, 8 ! 1, and 9 ! 10 ! 5 (! 6). Ob and DMs do not change. We consider the cases in the last sequence of transitions (which are the most difficult), and show that (C2) is invariant. We only consider the receipt of a control message, and not delivery steps. By assumption, r; r0; r0 are all distinct.

  9 ! 10: Fwdin(a; r0; r00) or Idle(a; r0) receives L(r0; a)[immig; a; r0; a; r; ], and goes to Bma(a; r0), producing control messages r0[regd; a; r; a; r0; ] and r0[mig; a; r0; a; r0; ].
The changes made are: ′(a)_1 = 10, ′(a)_5 = r′, ′(a)_8 = (a)_8 ∖ {r′}, ′(a)_9 = (a)_9[(r′, r′)/r]. Act(a, ) remains invariant. The new control messages are at r′. dom(F), dom(M), R(a, k, r, r′) remain pairwise disjoint, since r′ ∉ dom(F) and R(a, k, r, r′) = {r′, r′} in ′(a). It is easily verified that cod(F), cod(M) ⊆ Act(a, ′). Finally, Acyclic(F, M) is maintained: if, in the old configuration, the shadow at r′ was Idle(a, r), then r′ is now added to the path, where it was not previously present. If, in the old configuration, the shadow at r′ was Fwd(a, r, r″), then in the new configuration r′ ∉ dom(F) ∪ dom(M).

10 → 5: Haf(a, r) receives L(r′, a)[mig, a, r′, a, r′, _], and goes to Haf(a, r′), producing control message r′[infmd, a, r′, a, r′, _]. Only the state and CMs undergo any change. Thus (C2) remains invariant.

5 → 6: Bma(a, r′) receives L(r′, a)[infmd, a, r′, a, r′, _] and becomes Ma(a, r, f) where f = H in our modelling. The changes are to the state, to CMs, and ′(a)_4 = f. Since H(y) ∈ Act(y, ′) for all y ∈ AN, (C2) is maintained invariant. □

Proof of corollary 4.14. It takes at most four reductions to deliver and process a control message (two delivery steps plus one internal choice step, plus one step to consume the message; otherwise three reductions suffice). If (a)_1 ∉ Ks then we can bring the system to a configuration in Ks by delivering at most three control messages (regd need not be delivered to reach a state in Ks). Ob remains unchanged as indicated in the proof of theorem 4.13. □

Proof of corollary 4.15. The proof follows from the case analysis of theorem 4.13, as is indicated at each stage. □

Proof of corollary 4.16. By (C2) (the acyclicity condition and the conditions on cod(F), cod(M)), for all forwarding chains of the form

  X_1(r_1) = r_2, …, X_i(r_i) = r_{i+1}, where X_j ∈ {F, M},

there is an n such that r_{n+1} ∉ dom(M) ∪ dom(F). Additionally, since all routers on a forwarding chain for a are in Act(a, ), r_{n+1} ∈ R(a, k, r, r′) by (C2). Thus for k ∈ Ks, the forwarding chain ends either in H(a) or at the actual location of the agent. Now, in at most 3 reductions (2 for delivering a regd message and 1 for consuming it) per Mam(a, r_i) process, it can become Fwd(a, r_i, r_{i+1}) while maintaining the same forwarding chain. ♯dom(M) is finite since Act(a, ) is finite. Now in at most 4 reductions per hop, the data message can be forwarded to a forwarder at the next router in the forwarding chain. Thus in finitely many steps it can reach the agent at the end of the forwarding chain. If this is Haf(a, r′), then in another hop, the message can be delivered to the mobile agent. □

Proof of theorem 4.17. We define the relevant observable content of data messages in an admissible configuration with caching c as the following multiset:

  O′(c) = {[x_{2,j}, x_{4,j}, x_{6,j}] | z_j[x_j] ∈ c.Msg}

We define a relation S between admissible configurations for Stat and CMob (with caching) as:

  S = {(s, c) | O(s) = O(c), O′(s) = O′(c) and, whenever c is generated (with observations Ob), ∀a (A_in(a) ∈ s.Ag iff (a)_1 ∈ {2, 7})}

We show that S is a barbed bisimulation. By definition of S, we have O(s) = O(c).

Simulation of s by c. The proof is almost identical to that of theorem 4.11. The only case that we will describe is: s → s′ by some A_in(a) ∈ s.Ag receiving a message l[x] ∈ s.Ms, resulting in state s′ having s′.Ob = s.Ob ∪ obs(x), s′.Ms = s.Ms ∖ {l[x]} and A(a) ∈ s′.Ag. By assumption on c, (a)_1 ∈ {2, 7} ⊆ Ks. O′(s) = O′(c) implies there is a z[x′] ∈ c.DMs such that obs(x) = obs(x′). If l[x′] ∈ c.DMs, then c → c′ by receiving this message, for some c′ generated by the new configuration and c.Ob ∪ obs(x). By corollary 4.15, we have ′(a)_1 ∈ {1, 6}, and O′(s′) = O′(c′). If l[x′] ∉ c.DMs, then by corollaries 4.15 and 4.16, in a bounded number of steps, c → c″ corresponding to the previous case, with c″.Ob = c.Ob and O′(c″) = O′(c). Then c″ → c′, as before. Thus we have (s′, c′) ∈ S.

Simulation of c by s. The proof is again almost identical to that of theorem 4.11, except for the following new cases:

c → c′ by an internal choice such that for some a, (a)_4 is changed (cache is reset). s performs no reductions and (s, c′) ∈ S.

c → c′ by an internal choice causing a cache update. s performs no move and (s, c′) ∈ S.

c → c′ by an internal choice such that for some a, r, Fwd(a, r, r′) → Fwd_in(a, r, r′). Again, (s, c′) ∈ S, with s making no move.

c → c′ by delivering or forwarding an update message. Clearly, (s, c′) ∈ S, with s making no move.

c → c′ by consuming an update message, and possibly altering the cache. Since c.DMs is unchanged, (s, c′) ∈ S, with s making no move.

We present the case of c → c′ by consuming a data message, perhaps creating an update message and possibly altering the cache. These last two effects are irrelevant to the relation S, and so we only need to consider the effects of consuming the data message. c → c′ by receiving a data message z[x]. Thus, for some a, (a)_1 ∈ {2, 8}, and by corollary 4.15, O(c′) = O(c) ∪ {o[x2, x4, x6]}, and ′(a)_10 = (a)_10 ∖ {z[x]}. By assumption, A_in(a) ∈ s.Ag, and there is a data message z′[x′] ∈ s.Ms such that x, x′ have the same observable content. By corollaries 4.3 and 4.2, this message can be delivered in at most 2 reductions and s → s′ is possible by A_in(a) consuming that message. Clearly, (s′, c′) ∈ S.

Again the case of c → c′ by performing a control (delivery / consumption / production) transition involving an agent a is no different from that in the proof of theorem 4.11. By assumption (a)_1 ∉ {2, 7}, otherwise this move would not have been possible. By corollary 4.14, we are guaranteed that ′(a)_1 ∉ {2, 7}. s does nothing. Since c′.DMs = c.DMs, (s, c′) ∈ S.

The reader may verify that the other cases are as in the proof of theorem 4.11. □

B Finite-state Formulation

In this section, we describe the systems FStat and FMob with synchronous communication. The two basic properties we would like to verify for these systems are (1) no routing errors are detected by local checks, and (2) no deadlocks occur. We note that in this case, it does not seem appropriate to require that FStat and FMob are barbed bisimilar, as we did earlier.
Indeed, synchronous communication may force some ordering in the delivery of the messages which may not be preserved in the mobile system. For instance, in FStat messages created by an agent will be received in the order of their emission. On the other hand, in FMob the order of reception may differ from the order of emission.

We point out that deadlock avoidance is a rather complicated problem. Here are some potential difficulties:

1. Agents repeatedly send data messages, thus filling the buffers, but do not attempt to receive any of these available messages.
2. Two routers, or a local agent and a router, simultaneously try to send each other information.
3. A control message that is essential to guarantee progress is queued behind data messages.
4. A data message which is essential to guarantee progress is queued behind other data messages addressed to different agents.
5. Data messages addressed to the same agent flood a subnet that currently does not include the destination agent.

The solutions we adopt here rely, respectively, on:

1. The use of guarded choice to guarantee progress in certain situations (note that guarded choice is a high-level programming construct which permits making coordinated choices, thus avoiding deadlocks).
2. The splitting of each router in two parallel units: one handling outbound messages (from the local agents to the routers) and another handling inbound messages (from the routers to the local agents).
3. The definition of two independent networks for the delivery of 'data' messages and 'control' messages. This change applies only to systems with mobility.
4. The splitting of the data messages network in a number of virtually independent parallel networks (one for each agent). Again this is required only in the presence of mobility.
5. The cooperation of the Haf agent with the local router in order to deliver a message to a mobile agent even in a situation where "locally" a network congestion arises.

B.1 The system without mobility FStat

In the formulation of the protocols with synchronous communication, we assume a set of channel names UN large enough to embed the disjoint union of the images of a finite set of injective functions which are specified in the following figures 13 and 14.

  do : RN → UN    di : RN → UN    d : LAN → UN
  im(do), im(di), im(d) pairwise disjoint; the functions are injective

  A(a)       = Σ_{y ∈ AN, w ∈ DN}  A_in(a) + let z = H(y); r = H(a); t = do(r) in t[msg, y, z, a, r, w].A(a)
  A_in(a)    = let l = L(H(a), a); s = d(l) in s(x).(obs(x) + A(a))
  DR_in(r)   = let s = di(r) in s(x). if x3 = r : let l = L(r, x2); t = d(l) in t[x].DR_in(r)
                                      else : o + DR_in(r)
  DR_out(r)  = let s = do(r) in s(x). let t = di(x3) in t[x].DR_out(r)
  DRouter(r) = DR_in(r) | DR_out(r)
  FStat      = Π_{r ∈ RN} DRouter(r) | Π_{a ∈ AN} A(a)

Figure 13: The system without mobility

Figure 13 describes the synchronous system FStat. We describe the salient differences from Stat. First, agents block on a send; second, to avoid deadlocks caused by all agents simultaneously trying to receive, an external choice between sending and receiving is made. Routing errors are signaled as o messages (in the Promela code, we actually set an error variable to true). As anticipated in §5, the routers need some changes to avoid deadlocks. DRouter(r) has a full duplex interface: it can be thought of as consisting of two independent components DR_in(r) and DR_out(r). DR_in(r) receives data messages from other routers on channel di(r), and, if it is the target router specified in the message, hands the message over to the specified recipient agent on the data channel of the latter's local interface. Otherwise, if a message intended for another router is received, an error is signalled. DR_out(r) receives messages from agents on do(r), and sends out these messages to the target router specified in the message on the data-in channel of the target router.

B.2 The mobile system FMob

In the system with mobility, the structure of routers is more complex. Figure 14 describes the routers. Each router now includes a dedicated component CRouter, that is similar to the DRouter in FStat, except that it receives and sends messages on interface channels reserved for control messages. The router for data messages now consists of several independent virtual routers, one for each agent. The motivation for separate routers is to avoid deadlocks as discussed in §5. The tables do, di, co, ci, d and c give us the various unique and independent data and control channels on which routers and agents can interact. In addition, to avoid particular pathological deadlocks that occur when the home forwarder and the home router for outbound messages are both loaded, there is a dedicated channel (given by table duc) for coordination between the home forwarder agent and that router to deliver a data message to the mobile agent.

  do : RN × AN → UN    di : RN × AN → UN
  co : RN → UN         ci : RN → UN
  c : LAN → UN         d : LAN → UN
  duc : AN → UN
  im(do), im(di), im(co), im(ci), im(c), im(d), im(duc) pairwise disjoint; the functions are injective

  CR_in(r)     = let s = ci(r) in s(x). if x3 = r : let l = L(r, x2); t = c(l) in t[x].CR_in(r)
                                        else : o + CR_in(r)
  CR_out(r)    = let s = co(r) in s(x). let t = ci(x3) in t[x].CR_out(r)
  CRouter(r)   = CR_in(r) | CR_out(r)
  DR_in(r, a)  = let s = di(r, a) in s(x). if x3 = r : let l = L(r, x2); t = d(l) in t[x].DR_in(r, a)
                                           else : o + DR_in(r, a)
  DR_out(r, a) = let s = do(r, a) in s(x).DR'_out(r, a, x, x3)
  DR'_out(r, a, x, y) = [ if y = r, x2 = a : let t = di(y, x2) in t[x].DR_out(r, a)
                          else : o + DR_out(r, a) ]
                      + [ if r = H(a) : let u = duc(a) in u(y).DR'_out(r, a, x, y3)
                          else : 0 ]
  DRouter(r)   = Π_{a ∈ AN} (DR_in(r, a) | DR_out(r, a))
  Router(r)    = CRouter(r) | DRouter(r)

Figure 14: Routers in the system with mobility

We describe an agent at its home router in Figure 15. The specification resembles the asynchronous case, but there are some complications. First, we cannot use the old trick of filtering messages that are not awaited. Secondly, agent descriptions take an additional parameter to indicate "buffered data" corresponding to messages that have previously been received but not yet observed/forwarded. For example, in Ah_io, if there is a buffered data message, it can be observed. However, a received message can be observed only when there is no previously buffered message. As in FStat, external choice is liberally employed to avoid deadlocks. A final detail is the mini-protocol by which the home forwarder Haf uses a dedicated channel to inform the home router component DR_out of the mobile node's current whereabouts, to avoid a deadlock situation when both are loaded with messages.

  Ah(a, b)    = Σ_{c ∈ {io, mv}, y ∈ AN, w ∈ DN, u ∈ RN}
                  if c = io : [ let z = H(y); r0 = H(a); t = do(r0, y) in t[msg, y, z, a, r0, w].Ah(a, b)
                                + Ah_io(a, b) ]
                  else : let r0 = H(a); t = co(r0) in if u = r0 : Ah(a, b)
                                                      else : t[immig, a, u, a, r0, _].Ham(a, b)
  Ah_io(a, b) = if b = [] : let l = L(H(a), a); s = d(l) in s(x).(obs(x) + Ah(a, b))
                else : (obs(b) + Ah(a, []))
  Ham(a, b)   = let r0 = H(a); l = L(r0, a); s = c(l); t = co(r0)
                in s(x). if x1 = regd : t[infmd, a, x5, a, r0, _].Haf(a, x5, b)
                         else : o + Ham(a, b)
  Haf(a, r, b) = let r0 = H(a); l = L(r0, a) in
                 [ let s = d(l); t = do(r0, a); u = duc(a)
                   in if b = [] : s(x).Haf(a, r, x)
                      else : t[msg, a, r, b4, b5, b6].Haf(a, r, []) + u[_, _, r, _, _, _].Haf(a, r, b) ]
               + [ let s = c(l); t = co(r0)
                   in s(x). if x1 = repat : Ah(a, b)
                            if x1 = mig : t[infmd, a, x5, a, r0, _].Haf(a, x5, b)
                            else : (o + Haf(a, r, b)) ]

Figure 15: States of the agent at home

Finally, we describe the agents at a foreign router in Figure 16. We have already outlined above the main points of difference from the asynchronous case.

  Idle(a, r)   = let l = L(r, a); r0 = H(a); s = c(l); t = co(r)
                 in s(x). if x1 = immig, x5 ≠ r0 : t[mig, a, r0, a, r, _].Bma(a, r, [])
                          if x1 = immig, x5 = r0 : t[regd, a, r0, a, r, _].Bma(a, r, [])
                          else : o + Idle(a, r)
  Fwd(a, r, b) = let l = L(r, a); r0 = H(a) in
                 [ let s = d(l); t = do(r, a)
                   in if b = [] : s(x).Fwd(a, r, x)
                      else : t[msg, a, r0, b4, b5, b6].Fwd(a, r, []) ]
               + [ let s = c(l); t = co(r)
                   in s(x). if x1 = immig, x5 ≠ r0 : t[mig, a, r0, a, r, _].Bma(a, r, b)
                            if x1 = immig, x5 = r0 : t[regd, a, r0, a, r, _].Bma(a, r, b)
                            else : o + Fwd(a, r, b) ]
  Bma(a, r, b) = let l = L(r, a); s = c(l)
                 in s(x). if x1 = infmd : Ma(a, r, b)
                          else : o + Bma(a, r, b)
  Ma(a, r, b)  = Σ_{c ∈ {io, mv}, y ∈ AN, w ∈ DN, u ∈ RN}
                   if c = io : [ let z = H(y); t = do(r, y) in t[msg, y, z, a, r, w].Ma(a, r, b)
                                 + Ma_io(a, r, b) ]
                   else : let r0 = H(a); t = co(r)
                          in if u = r : Ma(a, r, b)
                             if u ≠ r, u = r0 : t[repat, a, r0, a, r, _].Fwd(a, r, b)
                             else : t[immig, a, u, a, r, _].Fwd(a, r, b)
  Ma_io(a, r, b) = if b = [] : let l = L(r, a); s = d(l) in s(x).(obs(x) + Ma(a, r, b))
                   else : (obs(b) + Ma(a, r, []))
  FMob         = Π_{r ∈ RN} Router(r) | Π_{a ∈ AN} Ah(a, []) | Π_{r ∈ RN, a ∈ AN, r ≠ H(a)} Idle(a, r)

Figure 16: States of the agent away from home
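The second difficulty listed above (two routers simultaneously trying to send each other a message) and its remedy (the split DRin/DRout router of Figure 13) can be checked mechanically on a tiny instance. The following Python program is an added example, not the paper's Promela model or any code of its authors: it encodes two routers and two agents with synchronous rendezvous, explores every reachable global state breadth-first, and reports states with no enabled transition (deadlocks) and states in which a router's local check failed (routing errors). The single-unit router it contrasts with is a hypothetical naive design, not one from the paper; the tuple encoding of the channel tables do, di, d and L, and names such as `explore` and `build_system`, are assumptions of the example.

```python
"""Explicit-state deadlock check for synchronous routers (added example).

Two router designs are compared under synchronous (blocking) communication:
a hypothetical single sequential unit that both forwards and delivers, and
the paper's split design with independent DRin / DRout units.
"""
from collections import deque
from functools import partial
from itertools import product

RN = ("r1", "r2")                      # routers
AN = ("a1", "a2")                      # agents, one per router
H = {"a1": "r1", "a2": "r2"}           # home router table H : AN -> RN

# Channel tables modelled as tagged tuples (assumed concrete encoding of UN);
# their images are pairwise disjoint and the functions are injective.
def L(r, a): return (r, a)             # local address of agent a at router r
def do(r): return ("do", r)            # outbound data channel of router r
def di(r): return ("di", r)            # inbound data channel of router r
def d(l): return ("d", l)              # data channel of local address l

def data_msg(sender, addressee, w="w0"):
    """[msg, to agent, at router, from agent, from router, data] (constructed)."""
    return ("msg", addressee, H[addressee], sender, H[sender], w)

# An offer is (channel, direction, value, continuation). A 'send' carries the
# value; a 'recv' carries None and its continuation is applied to the value.
def agent_offers(a, st):
    # External choice between sending to the other agent and receiving on the
    # local address; self-addressed messages are left out for brevity.
    offs = [(do(H[a]), "send", data_msg(a, y), lambda _: st) for y in AN if y != a]
    offs.append((d(L(H[a], a)), "recv", None, lambda _: st))
    return offs

def single_router_offers(r, st):
    """Naive router: while holding a message it refuses every other input."""
    if st[0] == "idle":
        return [(do(r), "recv", None, lambda x: ("fwd", x)),
                (di(r), "recv", None, lambda x: ("deliver", x) if x[2] == r else ("error", x))]
    x = st[1]
    if st[0] == "fwd":                                    # forward to target router
        return [(di(x[2]), "send", x, lambda _: ("idle",))]
    if st[0] == "deliver":                                # hand over to local agent
        return [(d(L(r, x[1])), "send", x, lambda _: ("idle",))]
    return []                                             # 'error': local check failed

def out_unit_offers(r, st):                               # DRout(r): agents -> routers
    if st[0] == "idle":
        return [(do(r), "recv", None, lambda x: ("hold", x))]
    x = st[1]
    return [(di(x[2]), "send", x, lambda _: ("idle",))]

def in_unit_offers(r, st):                                # DRin(r): routers -> agents
    if st[0] == "idle":
        return [(di(r), "recv", None, lambda x: ("hold", x) if x[2] == r else ("error", x))]
    if st[0] == "hold":
        x = st[1]
        return [(d(L(r, x[1])), "send", x, lambda _: ("idle",))]
    return []

def build_system(split):
    """Processes as (name, offers-function, initial state)."""
    procs = [(f"A({a})", partial(agent_offers, a), ("ready",)) for a in AN]
    for r in RN:
        if split:
            procs.append((f"DRout({r})", partial(out_unit_offers, r), ("idle",)))
            procs.append((f"DRin({r})", partial(in_unit_offers, r), ("idle",)))
        else:
            procs.append((f"Router({r})", partial(single_router_offers, r), ("idle",)))
    return procs

def successors(procs, state):
    """Synchronous rendezvous: one send and one recv on the same channel."""
    offers = [(i, o) for i, (_, fn, _) in enumerate(procs) for o in fn(state[i])]
    for (i, (ch, dr, val, k1)), (j, (ch2, dr2, _, k2)) in product(offers, offers):
        if i != j and dr == "send" and dr2 == "recv" and ch == ch2:
            nxt = list(state)
            nxt[i], nxt[j] = k1(val), k2(val)
            yield tuple(nxt)

def explore(procs):
    """Breadth-first reachability; returns deadlocked and routing-error states."""
    init = tuple(p[2] for p in procs)
    seen, frontier = {init}, deque([init])
    deadlocks, errors = [], []
    while frontier:
        s = frontier.popleft()
        if any(st[0] == "error" for st in s):
            errors.append(s)
            continue
        succ = list(successors(procs, s))
        if not succ:
            deadlocks.append(dict(zip([p[0] for p in procs], s)))
        for t in succ:
            if t not in seen:
                seen.add(t)
                frontier.append(t)
    return {"states": len(seen), "deadlocks": deadlocks, "routing_errors": errors}

if __name__ == "__main__":
    for split in (False, True):
        res = explore(build_system(split))
        print("split router:" if split else "single-unit router:",
              res["states"], "states,", len(res["deadlocks"]), "deadlock(s)")
        for dl in res["deadlocks"]:
            print("  ", dl)
```

With the single-unit router the checker finds exactly one deadlock: both routers hold a message for the other side and each is blocked on the other's inbound channel, while the agents' guarded choice has no enabled branch. With the split router every reachable state has a successor, because an outbound unit only ever waits on an inbound unit, and an inbound unit only ever waits on an agent that is always ready to receive.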
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید
ثبت ناماگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید
Journal: Formal Methods in System Design
Volume 17
Pages: -
Publication date: 1998