📄 rfc963.txt
字号:
Network Working Group Deepinder P. SidhuRequest for Comments: 963 Iowa State University November 1985 SOME PROBLEMS WITH THE SPECIFICATION OF THE MILITARY STANDARD INTERNET PROTOCOLSTATUS OF THIS MEMO The purpose of this RFC is to provide helpful information on the Military Standard Internet Protocol (MIL-STD-1777) so that one can obtain a reliable implementation of this protocol standard. Distribution of this note is unlimited.ABSTRACT This paper points out several significant problems in the specification of the Military Standard Internet Protocol (MIL-STD-1777, dated August 1983 [MILS83a]). These results are based on an initial investigation of this protocol standard. The problems are: (1) a failure to reassemble fragmented messages completely; (2) a missing state transition; (3) errors in testing for reassembly completion; (4) errors in computing fragment sizes; (5) minor errors in message reassembly; (6) incorrectly computed length for certain datagrams. This note also proposes solutions to these problems.1. Introduction In recent years, much progress has been made in creating an integrated set of tools for developing reliable communication protocols. These tools provide assistance in the specification, verification, implementation and testing of protocols. Several protocols have been analyzed and developed using such tools. Examples of automated verification and implementation of several real world protocols are discussed in [BLUT82] [BLUT83] [SIDD83] [SIDD84]. We are currently working on the automatic implementation of the Military Standard Internet Protocol (IP). This analysis will be based on the published specification [MILS83a] of IP dated 12 August 1983. While studying the MIL Standard IP specification, we have noticed numerous errors in the specification of this protocol. One consequence of these errors is that the protocol will never deliver fragmented incoming datagrams; if this error is corrected, such datagrams will be missing some data and their lengths will be incorrectly reported. In addition, outgoing datagrams that are divided into fragments will be missing some data. The proof of these statements follows from the specification of IP [MILS83a] as discussed below.Sidhu [Page 1]
RFC 963 November 1985Some Problems with MIL-STD IP2. Internet Protocol The Internet Protocol (IP) is a network layer protocol in the DoD protocol hierarchy which provides communication across interconnected packet-switched networks in an internetwork environment. IP provides a pure datagram service with no mechanism for reliability, flow control, sequencing, etc. Instead, these features are provided by a connection-oriented protocol, DoD Transmission Control Protocol (TCP) [MILS83b], which is implemented in the layer above IP. TCP is designed to operate successfully over channels that are inherently unreliable, i.e., which can lose, damage, duplicate, and reorder packets. Over the years, DARPA has supported specifications of several versions of IP; the last one appeared in [POSJ81]. A few years ago, the Defense Communications Agency decided to standardize IP for use in DoD networks. For this purpose, the DCA supported formal specification of this protocol, following the design discussed in [POSJ81] and the technique and organization defined in [SDC82]. A detailed specification of this protocol, given in [MILS83a], has been adopted as the DoD standard for the Internet Protocol. The specification of IP state transitions is organized into decision tables; the decision functions and action procedures are specified in a subset of Ada[1], and may employ a set of machine-specific data structures. Decision tables are supplied for the pairs <state name, interface event> as follows: <inactive, send from upper layer>, <inactive, receive from lower layer>, and <reassembling, receive from lower layer>. To provide an error indication in the case that some fragments of a datagram are received but some are missing, a decision table is also supplied for the pair <reassembling, reassembly time limit elapsed>. (The event names are English descriptions and not the names employed by [MILS83a].)3. Problems with MIL Standard IP One of the major functions of IP is the fragmentation of datagrams that cannot be transmitted over a subnetwork in one piece, and their subsequent reassembly. The specification has several problems in this area. One of the most significant is the failure to insert the last fragment of an incoming datagram; this would cause datagrams to be delivered to the upper-level protocol (ULP) with some data missing. Another error in this area is that an incorrect value of the data length for reassembled datagrams is passed to the ULP, with unpredictable consequences. As the specification [MILS83a] is now written, these errors are ofSidhu [Page 2]
RFC 963 November 1985Some Problems with MIL-STD IP little consequence, since the test for reassembly completion will always fail, with the result that reassembled datagrams would never be delivered at all. In addition, a missing row in one of the decision tables creates the problem that network control (ICMP) messages that arrive in fragments will never be processed. Among the other errors are the possibility that a few bytes will be discarded from each fragment transmitted and certain statements that will create run-time exceptions instead of performing their intended functions. A general problem with this specification is that the program language and action table portions of the specification were clearly not checked by any automatic syntax checking process. Variable and procedure names are occasionally misspelled, and the syntax of the action statements is often incorrect. We have enumerated some of these problems below as a set of cautionary notes to implementors, but we do not claim to have listed them all. In particular, syntax errors are only discussed when they occur in conjunction with other problems. The following section discusses some of the serious errors that we have discovered with the MIL standard IP [MIL83a] during our initial study of this protocol. We also propose corrections to each of these problems.4. Detailed Discussion of the Problems Problem 1: Failure to Insert Last Fragment This problem occurs in the decision table corresponding to the state reassembling and the input "receive from lower layer" [MILS83a, sec 9.4.6.1.3]. The problem occurs in the following row of this table:[2] ________________________________________________________ check- SNP TTL where a reass ICMP sum params valid to frag done check- valid? valid? ? ? ? ? sum? __________________________________________________________________ YES YES YES ULP YES YES d reass_ delivery; state := INACTIVE __________________________________________________________________ The reass_done function, as will be seen below, returns YES if theSidhu [Page 3]
RFC 963 November 1985Some Problems with MIL-STD IP fragment just received is the last fragment needed to assemble a complete datagram and NO otherwise. The action procedure reass_delivery simply delivers a completely reassembled datagram to the upper-level protocol. It is the action procedure reassemble that inserts an incoming fragment into the datagram being assembled. Since this row does not call reassemble, the result will be that every incoming fragmented datagram will be delivered to the upper layer with one fragment missing. The solution is to rewrite this row of the table as follows: ________________________________________________________ check- SNP TTL where a reass ICMP sum params valid to frag done check- valid? valid? ? ? ? ? sum? __________________________________________________________________ YES YES YES ULP YES YES d reassemble; reass_ delivery; state := INACTIVE __________________________________________________________________ Incidentally, the mnemonic value of the name of the reass_done function is questionable, since at the moment this function is called datagram reassembly cannot possibly have been completed. A better name for this function might be last_fragment. Problem 2: Missing State Transition This problem is the omission of a row of the same decision table [MILS83a, sec 9.4.6.1.3]. Incoming packets may be directed to an upper-level protocol (ULP), or they may be network control messages, which are marked ICMP (Internet Control Message Protocol). When control messages have been completely assembled, they are processed by an IP procedure called analyze. The decision table contains the row ________________________________________________________ check- SNP TTL where a reass ICMP sum params valid to frag done check- valid? valid? ? ? ? ? sum? __________________________________________________________________ YES YES YES ICMP YES NO d reassemble; __________________________________________________________________Sidhu [Page 4]
RFC 963 November 1985Some Problems with MIL-STD IP but makes no provision for the case in which where_to returns ICMP, a_frag returns YES, and reass_done returns YES. An additional row should be inserted, which reads as follows: ________________________________________________________ check- SNP TTL where a reass ICMP sum params valid to frag done check- valid? valid? ? ? ? ? sum? __________________________________________________________________ YES YES YES ICMP YES YES d reassemble; analyze; state := INACTIVE __________________________________________________________________ Omitting this row means that incoming fragmented ICMP messages will never be analyzed, since the state machine does not have any action specified when the last fragment is received. Problem 3: Errors in reass_done The function reass_done, as can be seen from the above, determines whether the incoming subnetwork packet contains the last fragment needed to complete the reassembly of an IP datagram. In order to understand the errors in this function, we must first understand how it employs its data structures. The reassembly of incoming fragments is accomplished by means of a bit map maintained separately for each state machine. Since all fragments are not necessarily the same length, each bit in the map represents not a fragment, but a block, that is, a unit of eight octets. Each fragment, with the possible exception of the "tail" fragment (we shall define this term below), is an integral number of consecutive blocks. Each fragment's offset from the beginning of the datagram is given, in units of blocks, by a field in the packet header of each incoming packet. The total length of each fragment, including the fragment's header, is specified in the header field total_length; this length is given in octets. The length of the header is specified in the field header_length; this length is given in words, that is, units of four octets. In analyzing this subroutine, we must distinguish between the "tail" fragment and the "last" fragment. We define the last fragment as the one which is received last in time, that is, the fragment that permits reassembly to be completed. The tail fragment is the fragment that is spatially last, that is, the fragment that is spatially located after any other fragment. TheSidhu [Page 5]
RFC 963 November 1985Some Problems with MIL-STD IP length and offset of the tail fragment make it possible to compute the length of the entire datagram. This computation is actually done in the action procedure reassembly, and the result is saved in the state vector field total_data_length; if the tail fragment has not been received, this value is assumed to be zero. It is the task of the reass_done function [MILS83a, sec 9.4.6.2.6] to determine whether the incoming fragment is the last fragment. This determination is made as follows: 1) If the tail fragment has not been received previously and the incoming fragment is not the tail fragment, then return NO. 2) Otherwise, if the tail fragment has not been received, but the incoming fragment is the tail fragment, determine whether all fragments spatially preceding the tail fragment have also been received. 3) Otherwise, if the tail fragment has been received earlier, determine whether the incoming fragment is the last one needed to complete reassembly. The evaluation of case (2) is accomplished by the following statment: if (state_vector.reassembly_map from 0 to (((from_SNP.dtgm.total_length - (from_SNP.dtgm.header_length * 4) + 7) / 8) + 7) / 8 is set) then return YES; The double occurrence of the subexpression " + 7 ) / 8" is apparently a misprint. The function f(x) = (x + 7) / 8 will convert x from octets to blocks, rounding any remainder upward. There is no need for this function to be performed twice. The second problem is that the fragment_offset field of the incoming packet is ignored. The tail fragment specifies only its own length, not the length of the entire datagram; to determine the latter, the tail fragment's offset must be added to the tail fragment's own length. The third problem hinges on the meaning of the English "... from ... to ..." phrase. If this phrase has the same meaning as the ".." range indication in Ada [ADA83, sec 3.6], that is, includes both the upper and lower bounds, then it is necessary to subtract 1 from the final expression. The expression following the word to, above, should thus be changed to readSidhu [Page 6]
RFC 963 November 1985Some Problems with MIL-STD IP from_SNP.dtgm.fragment_offset + ((from_SNP.dtgm.total_length - (from_SNP.dtgm.header_length * 4) + 7) / 8) - 1 Another serious problem with this routine occurs when evaluating case (3). In this case, the relevant statement is if (all reassembly map from 0 to (state_vector.total_data_length + 7)/8 is set then return YES If the tail fragment was received earlier, the code asks, in effect, whether all the bits in the reassembly map have been set. This, however, will not be the case even if the incoming fragment⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -