rfc963.SOME PROBLEMS WITH THE SPECIFICATION OF THE

NetworkWorkingGroupDeepinderP.SidhuRequestforComments:963IowaStateUniversityNovember1985SOMEPROBLEMSWITHTHESPECIFICATIONOFTHEMILITARYSTANDARDINTERNETPROTOCOLSTATUSOFTHISMEMOThepurposeofthisRFCistoprovidehelpfulinformationontheMilitaryStandardInternetProtocol(MIL-STD-1777)sothatonecanobtainareliableimplementationofthisprotocolstandard.Distributionofthisnoteisunlimited.ABSTRACTThispaperpointsoutseveralsignificantproblemsinthespecificationoftheMilitaryStandardInternetProtocol(MIL-STD-1777,datedAugust1983[MILS83a]).Theseresultsarebasedonaninitialinvestigationofthisprotocolstandard.Theproblemsare:(1)afailuretoreassemblefragmentedmessagescompletely;(2)amissingstatetransition;(3)errorsintestingforreassemblycompletion;(4)errorsincomputingfragmentsizes;(5)minorerrorsinmessagereassembly;(6)incorrectlycomputedlengthforcertaindatagrams.Thisnotealsoproposessolutionstotheseproblems.1.IntroductionInrecentyears,muchprogresshasbeenmadeincreatinganintegratedsetoftoolsfordevelopingreliablecommunicationprotocols.Thesetoolsprovideassistanceinthespecification,verification,implementationandtestingofprotocols.Severalprotocolshavebeenanalyzedanddevelopedusingsuchtools.Examplesofautomatedverificationandimplementationofseveralrealworldprotocolsarediscussedin[BLUT82][BLUT83][SIDD83][SIDD84].WearecurrentlyworkingontheautomaticimplementationoftheMilitaryStandardInternetProtocol(IP).Thisanalysiswillbebasedonthepublishedspecification[MILS83a]ofIPdated12August1983.WhilestudyingtheMILStandardIPspecification,wehavenoticednumerouserrorsinthespecificationofthisprotocol.Oneconsequenceoftheseerrorsisthattheprotocolwillneverdeliverfragmentedincomingdatagrams;ifthiserroriscorrected,suchdatagramswillbemissingsomedataandtheirlengthswillbeincorrectlyreported.Inaddition,outgoingdatagramsthataredividedintofragmentswillbemissingsomedata.TheproofofthesestatementsfollowsfromthespecificationofIP[MILS83a]asdiscussedbelow.Sidhu[Page1]RFC963November1985SomeProblemswithMIL-STDIP2.InternetProtocolTheInternetProtocol(IP)isanetworklayerprotocolintheDoDprotocolhierarchywhichprovidescommunicationacrossinterconnectedpacket-switchednetworksinaninternetworkenvironment.IPprovidesapuredatagramservicewithnomechanismforreliability,flowcontrol,sequencing,etc.Instead,thesefeaturesareprovidedbyaconnection-orientedprotocol,DoDTransmissionControlProtocol(TCP)[MILS83b],whichisimplementedinthelayeraboveIP.TCPisdesignedtooperatesuccessfullyoverchannelsthatareinherentlyunreliable,i.e.,whichcanlose,damage,duplicate,andreorderpackets.Overtheyears,DARPAhassupportedspecificationsofseveralversionsofIP;thelastoneappearedin[POSJ81].Afewyearsago,theDefenseCommunicationsAgencydecidedtostandardizeIPforuseinDoDnetworks.Forthispurpose,theDCAsupportedformalspecificationofthisprotocol,followingthedesigndiscussedin[POSJ81]andthetechniqueandorganizationdefinedin[SDC82].Adetailedspecificationofthisprotocol,givenin[MILS83a],hasbeenadoptedastheDoDstandardfortheInternetProtocol.ThespecificationofIPstatetransitionsisorganizedintodecisiontables;thedecisionfunctionsandactionproceduresarespecifiedinasubsetofAda[1],andmayemployasetofmachine-specificdatastructures.Decisiontablesaresuppliedforthepairsstatename,interfaceeventasfollows:inactive,sendfromupperlayer,inactive,receivefromlowerlayer,andreassembling,receivefromlowerlayer.Toprovideanerrorindicationinthecasethatsomefragmentsofadatagramarereceivedbutsomearemissing,adecisiontableisalsosuppliedforthepairreassembling,reassemblytimelimitelapsed.(TheeventnamesareEnglishdescriptionsandnotthenamesemployedby[MILS83a].)3.ProblemswithMILStandardIPOneofthemajorfunctionsofIPisthefragmentationofdatagramsthatcannotbetransmittedoverasubnetworkinonepiece,andtheirsubsequentreassembly.Thespecificationhasseveralproblemsinthisarea.Oneofthemostsignificantisthefailuretoinsertthelastfragmentofanincomingdatagram;thiswouldcausedatagramstobedeliveredtotheupper-levelprotocol(ULP)withsomedatamissing.AnothererrorinthisareaisthatanincorrectvalueofthedatalengthforreassembleddatagramsispassedtotheULP,withunpredictableconsequences.Asthespecification[MILS83a]isnowwritten,theseerrorsareofSidhu[Page2]RFC963November1985SomeProblemswithMIL-STDIPlittleconsequence,sincethetestforreassemblycompletionwillalwaysfail,withtheresultthatreassembleddatagramswouldneverbedeliveredatall.Inaddition,amissingrowinoneofthedecisiontablescreatestheproblemthatnetworkcontrol(ICMP)messagesthatarriveinfragmentswillneverbeprocessed.Amongtheothererrorsarethepossibilitythatafewbyteswillbediscardedfromeachfragmenttransmittedandcertainstatementsthatwillcreaterun-timeexceptionsinsteadofperformingtheirintendedfunctions.Ageneralproblemwiththisspecificationisthattheprogramlanguageandactiontableportionsofthespecificationwereclearlynotcheckedbyanyautomaticsyntaxcheckingprocess.Variableandprocedurenamesareoccasionallymisspelled,andthesyntaxoftheactionstatementsisoftenincorrect.Wehaveenumeratedsomeoftheseproblemsbelowasasetofcautionarynotestoimplementors,butwedonotclaimtohavelistedthemall.Inparticular,syntaxerrorsa