Toward Formally Verifying Congestion Control Behavior
Venkat Arun, Mina Tahmasbi Arashloo*, Ahmed Saeed, Mohammad Alizadeh and Hari Balakrishnan
ACM SIGCOMM 2021
The diversity of paths on the Internet makes it difficult for designers and operators to confidently deploy new congestion control algorithms (CCAs) without extensive real-world experiments, but such capabilities are not available to most of the networking community. And even when they are available, understanding why a CCA under-performs by trawling through massive amounts of statistical data from network connections is challenging. The history of congestion control is replete with many examples of surprising and unanticipated behaviors unseen in simulation but observed on real-world paths. In this paper, we propose initial steps toward modeling and improving our confidence in a CCA’s behavior. We have developed Congestion Control Anxiety Controller (CCAC), a tool that uses formal verification to establish certain properties of CCAs. It is able to prove hypotheses about CCAs or generate counterexamples for invalid hypotheses. With CCAC, a designer can not only gaingreater confidence prior to deployment to avoid unpleasant surprises, but can also use the counterexamples to iteratively improve their algorithm. We have modeled additive-increase/multiplicative-decrease (AIMD), Copa, and BBR with CCAC, and describe some surprising results from the exercise.
This interactive graphic shows the network model described in the paper. You can move the square handles to move the lines. Double-click on the line to create and delete handles. Mousing over the handle shows the bounds by which the handle can be moved. If you try to move the handle to a place that is illegal in the model, it will prevent that and display a message showing why the move is illegal. This widget does not yet show how loss works. Safari and mobile phones are not yet supported.
The example shown is that of ack aggregation. Other presets are available in the drop down menu. You can pick different parameter values can be set on the right. a token bucket filter where S(t) can also burst along with A(t) upto 1 BDP. Here, D = 1 propagation delay.