diff options
Diffstat (limited to 'doc/rfc/rfc963.txt')
-rw-r--r-- | doc/rfc/rfc963.txt | 1083 |
1 files changed, 1083 insertions, 0 deletions
diff --git a/doc/rfc/rfc963.txt b/doc/rfc/rfc963.txt new file mode 100644 index 0000000..d4316fa --- /dev/null +++ b/doc/rfc/rfc963.txt @@ -0,0 +1,1083 @@ + + +Network Working Group Deepinder P. Sidhu +Request for Comments: 963 Iowa State University + November 1985 + + SOME PROBLEMS WITH THE SPECIFICATION OF THE + MILITARY STANDARD INTERNET PROTOCOL + + +STATUS OF THIS MEMO + + The purpose of this RFC is to provide helpful information on the + Military Standard Internet Protocol (MIL-STD-1777) so that one can + obtain a reliable implementation of this protocol standard. + Distribution of this note is unlimited. + +ABSTRACT + + This paper points out several significant problems in the + specification of the Military Standard Internet Protocol + (MIL-STD-1777, dated August 1983 [MILS83a]). These results are based + on an initial investigation of this protocol standard. The problems + are: (1) a failure to reassemble fragmented messages completely; (2) + a missing state transition; (3) errors in testing for reassembly + completion; (4) errors in computing fragment sizes; (5) minor errors + in message reassembly; (6) incorrectly computed length for certain + datagrams. This note also proposes solutions to these problems. + +1. Introduction + + In recent years, much progress has been made in creating an + integrated set of tools for developing reliable communication + protocols. These tools provide assistance in the specification, + verification, implementation and testing of protocols. Several + protocols have been analyzed and developed using such tools. + Examples of automated verification and implementation of several real + world protocols are discussed in [BLUT82] [BLUT83] [SIDD83] [SIDD84]. + + We are currently working on the automatic implementation of the + Military Standard Internet Protocol (IP). This analysis will be + based on the published specification [MILS83a] of IP dated 12 August + 1983. + + While studying the MIL Standard IP specification, we have noticed + numerous errors in the specification of this protocol. One + consequence of these errors is that the protocol will never deliver + fragmented incoming datagrams; if this error is corrected, such + datagrams will be missing some data and their lengths will be + incorrectly reported. In addition, outgoing datagrams that are + divided into fragments will be missing some data. The proof of these + statements follows from the specification of IP [MILS83a] as + discussed below. + + +Sidhu [Page 1] + + + +RFC 963 November 1985 +Some Problems with MIL-STD IP + + +2. Internet Protocol + + The Internet Protocol (IP) is a network layer protocol in the DoD + protocol hierarchy which provides communication across interconnected + packet-switched networks in an internetwork environment. IP provides + a pure datagram service with no mechanism for reliability, flow + control, sequencing, etc. Instead, these features are provided by a + connection-oriented protocol, DoD Transmission Control Protocol (TCP) + [MILS83b], which is implemented in the layer above IP. TCP is + designed to operate successfully over channels that are inherently + unreliable, i.e., which can lose, damage, duplicate, and reorder + packets. + + Over the years, DARPA has supported specifications of several + versions of IP; the last one appeared in [POSJ81]. A few years ago, + the Defense Communications Agency decided to standardize IP for use + in DoD networks. For this purpose, the DCA supported formal + specification of this protocol, following the design discussed in + [POSJ81] and the technique and organization defined in [SDC82]. A + detailed specification of this protocol, given in [MILS83a], has been + adopted as the DoD standard for the Internet Protocol. + + The specification of IP state transitions is organized into decision + tables; the decision functions and action procedures are specified in + a subset of Ada[1], and may employ a set of machine-specific data + structures. Decision tables are supplied for the pairs <state name, + interface event> as follows: <inactive, send from upper layer>, + <inactive, receive from lower layer>, and <reassembling, receive from + lower layer>. To provide an error indication in the case that some + fragments of a datagram are received but some are missing, a decision + table is also supplied for the pair <reassembling, reassembly time + limit elapsed>. (The event names are English descriptions and not + the names employed by [MILS83a].) + +3. Problems with MIL Standard IP + + One of the major functions of IP is the fragmentation of datagrams + that cannot be transmitted over a subnetwork in one piece, and their + subsequent reassembly. The specification has several problems in + this area. One of the most significant is the failure to insert the + last fragment of an incoming datagram; this would cause datagrams to + be delivered to the upper-level protocol (ULP) with some data + missing. Another error in this area is that an incorrect value of the + data length for reassembled datagrams is passed to the ULP, with + unpredictable consequences. + + As the specification [MILS83a] is now written, these errors are of + + +Sidhu [Page 2] + + + +RFC 963 November 1985 +Some Problems with MIL-STD IP + + + little consequence, since the test for reassembly completion will + always fail, with the result that reassembled datagrams would never + be delivered at all. + + In addition, a missing row in one of the decision tables creates the + problem that network control (ICMP) messages that arrive in fragments + will never be processed. Among the other errors are the possibility + that a few bytes will be discarded from each fragment transmitted and + certain statements that will create run-time exceptions instead of + performing their intended functions. + + A general problem with this specification is that the program + language and action table portions of the specification were clearly + not checked by any automatic syntax checking process. Variable and + procedure names are occasionally misspelled, and the syntax of the + action statements is often incorrect. We have enumerated some of + these problems below as a set of cautionary notes to implementors, + but we do not claim to have listed them all. In particular, syntax + errors are only discussed when they occur in conjunction with other + problems. + + The following section discusses some of the serious errors that we + have discovered with the MIL standard IP [MIL83a] during our initial + study of this protocol. We also propose corrections to each of these + problems. + +4. Detailed Discussion of the Problems + + Problem 1: Failure to Insert Last Fragment + + This problem occurs in the decision table corresponding to the + state reassembling and the input "receive from lower layer" + [MILS83a, sec 9.4.6.1.3]. The problem occurs in the following row + of this table:[2] + + ________________________________________________________ + check- SNP TTL where a reass ICMP + sum params valid to frag done check- + valid? valid? ? ? ? ? sum? + __________________________________________________________________ + YES YES YES ULP YES YES d reass_ + delivery; + state := + INACTIVE + __________________________________________________________________ + + The reass_done function, as will be seen below, returns YES if the + + +Sidhu [Page 3] + + + +RFC 963 November 1985 +Some Problems with MIL-STD IP + + + fragment just received is the last fragment needed to assemble a + complete datagram and NO otherwise. The action procedure + reass_delivery simply delivers a completely reassembled datagram + to the upper-level protocol. It is the action procedure + reassemble that inserts an incoming fragment into the datagram + being assembled. Since this row does not call reassemble, the + result will be that every incoming fragmented datagram will be + delivered to the upper layer with one fragment missing. The + solution is to rewrite this row of the table as follows: + + ________________________________________________________ + check- SNP TTL where a reass ICMP + sum params valid to frag done check- + valid? valid? ? ? ? ? sum? + __________________________________________________________________ + YES YES YES ULP YES YES d reassemble; + reass_ + delivery; + state := + INACTIVE + __________________________________________________________________ + + Incidentally, the mnemonic value of the name of the reass_done + function is questionable, since at the moment this function is + called datagram reassembly cannot possibly have been completed. A + better name for this function might be last_fragment. + + Problem 2: Missing State Transition + + This problem is the omission of a row of the same decision table + [MILS83a, sec 9.4.6.1.3]. Incoming packets may be directed to an + upper-level protocol (ULP), or they may be network control + messages, which are marked ICMP (Internet Control Message + Protocol). When control messages have been completely assembled, + they are processed by an IP procedure called analyze. The + decision table contains the row + + ________________________________________________________ + check- SNP TTL where a reass ICMP + sum params valid to frag done check- + valid? valid? ? ? ? ? sum? + __________________________________________________________________ + YES YES YES ICMP YES NO d reassemble; + __________________________________________________________________ + + + + + +Sidhu [Page 4] + + + +RFC 963 November 1985 +Some Problems with MIL-STD IP + + + but makes no provision for the case in which where_to returns + ICMP, a_frag returns YES, and reass_done returns YES. An + additional row should be inserted, which reads as follows: + + ________________________________________________________ + check- SNP TTL where a reass ICMP + sum params valid to frag done check- + valid? valid? ? ? ? ? sum? + __________________________________________________________________ + YES YES YES ICMP YES YES d reassemble; + analyze; + state := + INACTIVE + __________________________________________________________________ + + Omitting this row means that incoming fragmented ICMP messages + will never be analyzed, since the state machine does not have any + action specified when the last fragment is received. + + Problem 3: Errors in reass_done + + The function reass_done, as can be seen from the above, determines + whether the incoming subnetwork packet contains the last fragment + needed to complete the reassembly of an IP datagram. In order to + understand the errors in this function, we must first understand + how it employs its data structures. + + The reassembly of incoming fragments is accomplished by means of a + bit map maintained separately for each state machine. Since all + fragments are not necessarily the same length, each bit in the map + represents not a fragment, but a block, that is, a unit of eight + octets. Each fragment, with the possible exception of the "tail" + fragment (we shall define this term below), is an integral number + of consecutive blocks. Each fragment's offset from the beginning + of the datagram is given, in units of blocks, by a field in the + packet header of each incoming packet. The total length of each + fragment, including the fragment's header, is specified in the + header field total_length; this length is given in octets. The + length of the header is specified in the field header_length; this + length is given in words, that is, units of four octets. + + In analyzing this subroutine, we must distinguish between the + "tail" fragment and the "last" fragment. We define the last + fragment as the one which is received last in time, that is, the + fragment that permits reassembly to be completed. The tail + fragment is the fragment that is spatially last, that is, the + fragment that is spatially located after any other fragment. The + + +Sidhu [Page 5] + + + +RFC 963 November 1985 +Some Problems with MIL-STD IP + + + length and offset of the tail fragment make it possible to compute + the length of the entire datagram. This computation is actually + done in the action procedure reassembly, and the result is saved + in the state vector field total_data_length; if the tail fragment + has not been received, this value is assumed to be zero. + + It is the task of the reass_done function [MILS83a, sec 9.4.6.2.6] + to determine whether the incoming fragment is the last fragment. + This determination is made as follows: + + 1) If the tail fragment has not been received previously and + the incoming fragment is not the tail fragment, then return NO. + + 2) Otherwise, if the tail fragment has not been received, but + the incoming fragment is the tail fragment, determine whether + all fragments spatially preceding the tail fragment have also + been received. + + 3) Otherwise, if the tail fragment has been received earlier, + determine whether the incoming fragment is the last one needed + to complete reassembly. + + The evaluation of case (2) is accomplished by the following + statment: + + if (state_vector.reassembly_map from 0 to + (((from_SNP.dtgm.total_length - + (from_SNP.dtgm.header_length * 4) + 7) / 8) + + 7) / 8 is set) + then return YES; + + The double occurrence of the subexpression " + 7 ) / 8" is + apparently a misprint. The function f(x) = (x + 7) / 8 will + convert x from octets to blocks, rounding any remainder upward. + There is no need for this function to be performed twice. The + second problem is that the fragment_offset field of the incoming + packet is ignored. The tail fragment specifies only its own + length, not the length of the entire datagram; to determine the + latter, the tail fragment's offset must be added to the tail + fragment's own length. The third problem hinges on the meaning of + the English "... from ... to ..." phrase. If this phrase has the + same meaning as the ".." range indication in Ada [ADA83, sec 3.6], + that is, includes both the upper and lower bounds, then it is + necessary to subtract 1 from the final expression. + + The expression following the word to, above, should thus be + changed to read + + +Sidhu [Page 6] + + + +RFC 963 November 1985 +Some Problems with MIL-STD IP + + + from_SNP.dtgm.fragment_offset + + ((from_SNP.dtgm.total_length - + (from_SNP.dtgm.header_length * 4) + 7) / 8) - 1 + + Another serious problem with this routine occurs when evaluating + case (3). In this case, the relevant statement is + + if (all reassembly map from 0 to + (state_vector.total_data_length + 7)/8 is set + then return YES + + If the tail fragment was received earlier, the code asks, in + effect, whether all the bits in the reassembly map have been set. + This, however, will not be the case even if the incoming fragment + is the last fragment, since the routine reassembly, which actually + sets these bits, has not yet been called for this fragment. This + statement must therefore skip the bits corresponding to the + incoming fragment. In specifying the range to be tested, + allowance must be made for whether these bits fall at the + beginning of the bit map or in the middle (the case where they + fall at the end has already been tested). The statement must + therefore be changed to read + + if from_SNP.dtgm.fragment_offset = 0 then + if (all reassembly map from + from_SNP.dtgm.fragment_offset + + ((from_SNP.dtgm.total_length - + from_SNP.dtgm.header_length * 4) + 7) / 8 + to ((state_vector.total_data_length + 7) / 8 - 1) is set) + then return YES; + else return NO; + end if; + + else + if (all reassembly map from 0 to + (from_SNP.dtgm.fragment_offset - 1) is set) + and (all reassembly map from + from_SNP.dtgm.fragment_offset + + ((from_SNP.dtgm.total_length - + from_SNP.dtgm.header_length * 4) + 7) / 8 + to ((state_vector.total_data_length + 7) / 8 - 1) is set) + then return YES; + else return NO; + end if; + end if; + + + + +Sidhu [Page 7] + + + +RFC 963 November 1985 +Some Problems with MIL-STD IP + + + Note that here again it is necessary to subtract 1 from the upper + bound. + + Problem 4: Errors in fragment_and_send + + The action procedure fragment_and_send [MILS83a, sec 9.4.6.3.7] is + used to break up datagrams that are too large to be sent through + the subnetwork as a single packet. The specification requires + [MILS83a sec 9.2.2, sec 9.4.6.3.7] each fragment, except possibly + the "tail" fragment, to contain a whole number of 8-octet groups + (called "blocks"); moreover, each fragment must begin at a block + boundary. + + In the algorithm set forth in fragment_and_send, all fragments + except the tail fragment are set to the same size; the procedure + begins by calculating this size. This is done by the following + statement: + + data_per_fragment := maximum subnet transmission unit + - (20 + number of bytes of option data); + + Besides the failure to allow for header padding, which is + discussed in the next section, this statement makes the serious + error of not assuring that the result is an integral multiple of + the block size, i.e., a multiple of eight octets. The consequence + of this would be that as many as seven octets per fragment would + never be sent at all. To correct this problem, and to allow for + header padding, this statement must be changed to + + data_per_fragment := (maximum subnet transmission unit + - (((20 + number of bytes of option data)+3)/4*4)/8*8; + + Another problem in this procedure is the failure to provide for + the case in which the length of the data is an exact multiple of + eight. The procedure contains the statements + + number_of fragments := (from_ULP.length + + (data_per_fragment - 1)) / data_per_fragment; + + data_in_last_frag := from_ULP.length modulo data_per_fragment; + + (Note that in our terminology we would rename data_in_last_frag as + data_in_tail_frag; notice, also, that the proper spelling of the + Ada operator is mod [ADA83, sec 4.5.5].) + + If data_in_last_frag is zero, some serious difficulties arise. + One result might be that the datagram will be broken into one more + + +Sidhu [Page 8] + + + +RFC 963 November 1985 +Some Problems with MIL-STD IP + + + fragment than necessary, with the tail fragment containing no data + bytes. The assignment of data into the tail fragment will succeed + even though it will now take the form + + output_data [i..i-1] := input_data [j..j-1]; + + because Ada makes provision for so-called "null slices" [ADA83, + sec 4.1.2] and will treat this assignment as a no-op [ADA83, sec + 5.2.1]. + + This does, however, cause the transmission of an unnecessary + packet, and also creates difficulties for the reassembly + procedure, which must now be prepared to handle empty packets, for + which not even one bit of the reassembly map should be set. + Moreover, as the procedure is now written, even this will not + occur. This is because the calculation of the number of fragments + is incorrect. + + A numerical example will clarify this point. Suppose that the + total datagram length is 16 bytes and that the number of bytes per + fragment is to be 8. Then the above statements will compute + number_of_fragments = (16 + 7)/8 = 2 and data_in_last_frag = 16 + mod 8 = 0. The result of the inconsistency between + number_of_fragments and data_in_last_frag will be that instead of + sending three fragments, of lengths 8, 8, and 0, the procedure + will send only two fragments, of lengths 8 and 0; the last eight + octets will never be sent. + + To avoid these difficulties, the specification should add the + following statement, immediately after computing + data_in_last_frag: + + if data_in_last_frag = 0 then + data_in_last_frag := data_per_fragment; + end if; + + This procedure also contains several minor errors. In addition to + failures to account for packet header padding, which are + enumerated in the next section, there is a failure to convert the + header length from words (four octets) to octets in one statement. + This statement, which calculates the total length of the non-tail + fragments, is + + to_SNP.dtgm.total_length := to_SNP.dtgm.header_length + + data_per_fragment; + + + + +Sidhu [Page 9] + + + +RFC 963 November 1985 +Some Problems with MIL-STD IP + + + Since header length is expressed in units of words, this + statement should read + + to_SNP.dtgm.total_length := to_SNP.dtgm.header_length * 4 + + data_per_fragment; + + This is apparently no more than a misprint, since the + corresponding calculation for the tail fragment is done correctly. + + Problem 5: Errors in reassembly + + The action procedure reassembly [MILS83a, sec 9.4.6.3.9], which is + referred to as reassemble elsewhere in the specification [MILS83a, + sec 9.4.6.1.2, sec 9.4.6.1.3], inserts an incoming fragment into a + datagram being reassembled. This procedure contains several + relatively minor errors. + + In two places in this procedure, a range is written to contain one + more member than it ought to have. In the first, data from the + fragment is to be inserted into the datagram being reassembled: + + state_vector.data [from_SNP.dtgm.fragment_offset*8 .. + from_SNP.dtgm.fragment_offset*8 + data_in_frag] := + from_SNP.dtgm.data [0..data_in_frag-1]; + + In this statement, the slice on the left contains one more byte + than the slice on the right. This will cause a run-time exception + to be raised [ADA83, sec 5.2.1]. The statement should read + + state_vector.data [from_SNP.dtgm.fragment_offset*8 .. + from_SNP.dtgm.fragment_offset*8 + data_in_frag - 1] := + from_SNP.dtgm.data [0..data_in_frag-1]; + + A similar problem occurs in the computation of the range of bits + in the reassembly map that corresponds to the incoming fragment. + This statement begins + + for j in (from_SNP.dtgm.fragment_offset) .. + ((from_SNP.dtgm.fragment_offset + + data_in_frag + 7)/8) loop + + Not only are the parentheses in this statement located incorrectly + (because the function f(x) = (x + 7) / 8 should be executed only + on the argument data_in_frag), but also this range contains one + extra member. The statement should read + + + + +Sidhu [Page 10] + + + +RFC 963 November 1985 +Some Problems with MIL-STD IP + + + for j in (from_SNP.dtgm.fragment_offset) .. + (from_SNP.dtgm.fragment_offset + + (data_in_frag + 7)/8) - 1 loop + + Note that if the statement is corrected in this manner it will + also handle the case of a zero-length fragment, mentioned above, + since the loop will not be executed even once [ADA83, sS 5.5]. + + Another minor problem occurs when this procedure attempts to save + the header of the leading fragment. The relevant statement is + + state_vector.header := from_SNP.dtgm; + + This statement attempts to transfer the entire incoming fragment + into a record that is big enough to contain only the header. The + result, in Ada, is not truncation, but a run-time exception + [ADA83, sec 5.2]. The correction should be something like + + state_vector.header := from_SNP.dtgm.header; + + This correction cannot be made without also defining the header + portion of the datagram as a subrecord in [MILS83a, sec 9.4.4.6]; + such a definition would also necessitate changing many other + statements. For example, from_SNP.dtgm.fragment_offset would now + have to be written as from_SNP.dtgm.header.fragment_offset. + Another possible solution is to write the above statement as a + series of assignments for each field in the header, in the + following fashion: + + state_vector.header.version := + from_SNP.dtgm.version; + state_vector.header.header_length := + from_SNP.dtgm.header_length; + state_vector.header.type_of_service := + from_SNP.dtgm.type_of_service; + + -- etc. + + Note also that this procedure will fail if an incoming fragment, + other than the tail fragment, does not contain a multiple of eight + characters. Implementors must be careful to check for this in the + decision function SNP_params_valid [MILS83a, sec 9.4.6.2.7]. + + + + + + + +Sidhu [Page 11] + + + +RFC 963 November 1985 +Some Problems with MIL-STD IP + + + Problem 6: Incorrect Data Length for Fragmented Datagrams + + The procedure reassembled_delivery [MILS83a, sec 9.4.6.3.10] does + not deliver the proper data length to the upper-level protocol. + This is because the assignment is + + to_ULP.length := state_vector.header.total_length + - state_vector.header.header_length * 4; + + The fields in state_vector.header have been filled in by the + reassembly procedure, discussed above, by copying the header of + the leading fragment. The field total_length in this fragment, + however, refers only to this particular fragment, and not to the + entire datagram (this is not entirely clear from it definition in + [MILS83a, sec 9.3.4], but the fragment_and_send procedure + [MILS83a, sec 9.4.6.3.7] insures that this is the case). + + The length of the entire datagram can only be computed from the + length and offset of the tail fragment. This computation is + actually done in the reassembly procedure [MILS83a, sec + 9.4.6.3.9], and the result saved in state_vector.total_data_length + (see above). It is impossible, however, for reassembly to fill in + state_vector.header.total_length at this time, because + state_vector.header.header_length is filled in from the lead + fragment, which may not yet have been received. + + Therefore, reassembled_delivery must replace the above statement + with + + to_ULP.length := state_vector.total_data_length; + + The consequence of leaving this error uncorrected is that the + upper-level protocol will be informed only of the delivery of as + many octets as there are in the lead fragment. + +5. Implementation Difficulties of MIL Standard IP + + In addition to the problems discussed above, there are several + features of the MIL standard IP specification [MILS83a] which lead to + difficulties for the implementor. These difficulties, while not + actually errors in the specification, take the form of assumptions + which are not explicitly stated, but of which implementors must be + aware. + + + + + + +Sidhu [Page 12] + + + +RFC 963 November 1985 +Some Problems with MIL-STD IP + + + 5.1 Header Padding + + In several places, the specification makes a computation of the + length of a packet header without explicitly allowing for padding. + The padding is needed because the specification requires [MILS83a, + sec 9.3.14] that each header end on a 32-bit boundary. + + One place this problem arises is in the need_to_frag decision + function [MILS83a, sec 9.4.6.2.5]. This function is used to + determine whether fragmentation is required for an outgoing + datagram. It consists of the single statement + + if ((from_ULP.length + (number of bytes of option data) + + 20) > maximum transmission unit of the local subnetwork + then return YES + else return NO; + end if; + + (A minor syntax error results from not terminating the first + return statement with a semicolon [ADA83, sec 5.1, sec 5.3, sec + 5.9].) In order to allow for padding, the expression for the + length of the outgoing datagram should be + + (((from_ULP.length + (number of bytes of option data) + 20) + + 3)/4 * 4) + + Another place that this problem arises is in the action procedure + build_and_send [MILS83a, sec 9.4.6.3.2], which prepares + unfragmented datagrams for transmission. To compute the header + field header_length, which is expressed in words, i.e., units of + four octets [MILS83a, sec 9.3.2], this procedure contains the + statement + + to_SNP.dtgm.header_length := 5 + + (number of bytes of option data)/4; + + In order to allow for padding, this statement should read + + to_SNP.dtgm.header_length := + 5 + ((number of bytes of option data)+3)/4; + + The identical statement appears in the action procedure + fragment_and_send [MILS83a, sec 9.4.6.3.7], which prepares + datagram fragments for transmission, and requires the same + correction. + + + + +Sidhu [Page 13] + + + +RFC 963 November 1985 +Some Problems with MIL-STD IP + + + The procedure fragment_and_send also has this problem in two other + places. In the first, the number of octets in each fragment is + computed by + + data_per_fragment := maximum subnet transmission unit + - (20 + number of bytes of option data); + + In order to allow for padding, this statement should read + + data_per_fragment := maximum subnet transmission unit + - (((20 + number of bytes of option data)+3)/4*4); + + (Actually, this statement must be changed to + + data_per_fragment := (maximum subnet transmission unit + - (((20 + number of bytes of option data)+3)/4*4)/8*8; + + in order to accomplish its intended purpose, for reasons which + have been discussed above.) + + A similar problem occurs in the statement which computes the + header length for individual fragments: + + to_SNP.dtgm.header_length := 5 + + (number of copy options octets/4); + + To allow for padding, this should be changed to + + to_SNP.dtgm.header_length := 5 + + (number of copy options octets+3/4); + + Notice that all of these errors can also be corrected if the + English phrase "number of bytes of option data", and similar + phrases, are always understood to include any necessary padding. + + 5.2 Subnetworks with Small Transmission Sizes + + When an outgoing datagram is too large to be transmitted as a + single packet, it must be fragmented. On certain subnetworks, the + possibility exists that the maximum number of bytes that may be + transmitted at a time is less than the size of an IP packet header + for a given datagram. In this case, the datagram cannot be sent, + even in fragmented form. Note that this does not necessarily mean + that the subnetwork cannot send any datagrams at all, since the + size of the header may be highly variable. When this problem + arises, it should be detected by IP. The proper place to detect + this situation is in the function can_frag. + + +Sidhu [Page 14] + + + +RFC 963 November 1985 +Some Problems with MIL-STD IP + + + The can_frag decision function [MILS83a, sec 9.4.6.2.2] is used to + determine whether a particular outgoing datagram, which is too + long to be transmitted as a single fragment, is allowed to be + fragmented. In the current specification, this function consists + of the single statement + + if (from_ULP.dont_fragment = TRUE) + then return NO + else return YES + end if; + + (A minor syntax error is that the return statements should be + terminated by semicolons; see [ADA83, sec 5.1, sec 5.3, sec 5.9].) + + If the above problem occurs, the procedure fragment_and_send will + obtain negative numbers for fragment sizes, with unpredictable + results. This should be prevented by assuring that the subnetwork + can send the datagram header and at least one block (eight octets) + of data. The can_frag function should be recoded as + + if ((8 + ((number of bytes of option data)+3)/4*4 + 20) + > maximum transmission unit of the local subnetwork) + then return NO; + elsif (from_ULP.dont_fragment = TRUE) + then return NO + else return YES + end if; + + This is similar to the logic of the function need_to_frag, + discussed above. + + 5.3 Subnetwork Interface + + Provision is made for the subnetwork to report errors to IP + [MILS83a, sec 6.3.6.2], but no provision is made for the IP entity + to take any action when such errors occur. + + In addition, the specification [MILS83a, sec 8.2.1.1] calls for + the subnetwork to accept type-of-service indicators (precedence, + reliability, delay, and throughput), which may be difficult to + implement on many local networks. + + + + + + + + +Sidhu [Page 15] + + + +RFC 963 November 1985 +Some Problems with MIL-STD IP + + + 5.4 ULP Errors + + The IP specification [MILS83a, sec 9.4.6.3.6] states + + The format of error reports to a ULP is implementation + dependent. However, included in the report should be a value + indicating the type of error, and some information to identify + the associated data or datagram. + + The most natural way to provide the latter information would be to + return the datagram identifier to the upper-level protocol, since + this identifier is normally supplied by the sending ULP [MILS83a, + sec 9.3.5]. However, the to_ULP data structure makes no provision + for this information [MILS83a, sec 9.4.4.3], probably because this + information is irrelevant for datagrams received from the + subnetwork. Implementors may feel a need to add this field to the + to_ULP data structure. + + 5.5 Initialization of Data Structures + + The decision function reass_done [MILS83a, sec 9.4.6.2.6] makes + the implicit assumption that data structures within each finite + state machine are initialized to zero when the machine is created. + In particular, this routine will not function properly unless + state_vector.reassembly_map and state_vector.total_data_length are + so initialized. Since this assumption is not stated explicitly, + implementors should be aware of it. There may be other + initialization assumptions that we have not discovered. + + 5.6 Locally Defined Types + + The procedures error_to_source [MILS83a, sec 9.4.6.3.5] and + error_to_ULP [MILS83a, sec 9.4.6.3.6] define enumeration types in + comments. The former contains the comment + + error_param : (PARAM_PROBLEM, EXPIRED_TTL, PROTOCOL_UNREACH); + + and the latter + + error_param : (PARAM_PROBLEM, CAN'T_FRAGMENT, NET_UNREACH, + PROTOCOL_UNREACH, PORT_UNREACH); + + These enumerated values are used before they are encountered + [MILS83a, sec 9.4.6.1.1, sec 9.4.6.1.2, sec 9.4.6.1.3, et al.]; + implementors will probably wish to define some error type + globally. + + + +Sidhu [Page 16] + + + +RFC 963 November 1985 +Some Problems with MIL-STD IP + + + 5.7 Miscellaneous Difficulties + + The specification contains many Ada syntax errors, some of which + have been shown above. We have only mentioned syntax errors + above, however, when they occurred in conjunction with other + problems. One of the main syntactic difficulties that we have not + mentioned is that the specification frequently creates unnamed + types, by declaring records within records; such declarations are + legal in Pascal, but not in Ada [ADA83, sec 3.7]. + + Another problem is that slice assignments frequently do not + contain the same number of elements on the left and right sides, + which will raise a run-time exception [ADA83, sec 5.2.1]. While + we have mentioned some of these, there are others which are not + enumerated above. + + In particular, the procedure error_to_source [MILS83a, sec + 9.4.6.3.5] contains the statement + + to_SNP.dtgm.data [8..N+3] := from_SNP.dtgm.data [0..N-1]; + + We believe that N+3 is a misprint for N+8, but even so the left + side contains one more byte than the right. Implementors should + carefully check every slice assignment. + +6. An Implementation of MIL Standard IP + + In our discussion above, we have pointed out several serious problems + with the Military Standard IP [MILS83a] specification which must be + corrected to produce a running implementation conforming to this + standard. We have produced a running C implementation for the MIL + Standard IP, after problems discussed above were fixed in the IP + specification. An important feature of this implementation is that + it was generated semi-automatically from the IP specification with + the help of a protocol development system [BLUT82] [BLUT83] [SIDD83]. + Since this implementation was derived directly from the IP + specification with the help of tools, it conforms to the IP standard + better that any handed-coded IP implementation can do. + + The problems pointed out in this paper with the current specification + of the MIL Standard IP [MILS83a] are based on an initial + investigation of the protocol. + + + + + + + +Sidhu [Page 17] + + + +RFC 963 November 1985 +Some Problems with MIL-STD IP + + +NOTES + + [1] Ada is a registered trademark of the U.S. Government - Ada Joint + Program Office. + + [2] d indicates a "don't care" condition. + +ACKNOWLEDGEMENTS + + The author extends his gratitude to Tom Blumer Michael Breslin, Bob + Pollack and Mark J. Vincenzes, for many helpful discussions. Thanks + are also due to B. Simon and M. Bernstein for bringing to author's + attention a specification of the DoD Internet Protocol during 1981-82 + when a detailed study of this protocol began. The author is also + grateful to Jon Postel and Carl Sunshine for several informative + discussions about DoD IP/TCP during the last few years. + +REFERENCES + + [ADA83] Military Standard Ada(R) Programming Language, United + States Department of Defense, ANSI/MIL-STD-1815A-1983, 22 + January 1983 + + [BLUT83] Blumer, T. P., and Sidhu, D. P., "Mechanical Verification + and Automatic Implementation of Communication Protocols," + to appear in IEEE Trans. Softw. Eng. + + [BLUT82] Blumer, T. P., and Tenney, R. L., "A Formal Specification + Technique and Implementation Method for Protocols," + Computer Networks, Vol. 6, No. 3, July 1982, pp. 201-217. + + [MILS83a] "Military Standard Internet Protocol," United States + Department of Defense, MIL-STD-1777, 12 August 1983. + + [MILS83b] "Military Standard Transmission Control Protocol," United + States Department of Defense, MIL-STD-1778, 12 August 1983. + + [POSJ81] Postel, J. (ed.), "DoD Standard Internet Protocol," Defense + Advanced Research Projects Agency, Information Processing + Techniques Office, RFC-791, September 1981. + + [SDC82] DCEC Protocol Standardization Program: Protocol + Specification Report, System Development Corporation, + TM-7172/301/00, 29 March 1982 + + [SIDD83] Sidhu, D. P., and Blumer, T. P., "Verification of NBS Class + 4 Transport Protocol," to appear in IEEE Trans. Comm. + + +Sidhu [Page 18] + + + +RFC 963 November 1985 +Some Problems with MIL-STD IP + + + [SIDD84] Sidhu, D. P., and Blumer, T. P., "Some Problems with the + Specification of the Military Standard Transmission Control + Protocol," in Protocol Specification, Testing and + Verification IV, (ed.) Y. Yemini et al (1984). + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Sidhu [Page 19] + |