Modeling the SIP proxy using Promela Jong Yul Kim December 21, 2009

Session Initiation Protocol
[Diagram: User Agent Client (UAC) and User Agent Server (UAS) exchanging INVITE sip:alice@columbia.edu, 180 Ringing, 200 OK, ACK, followed by the media session (“Hi, how are you?”)]
A signaling protocol widely used for multimedia session setup and teardown
Used with Real Time Protocol (RTP) to send voice/video
During setup (negotiation):
  UAC offers a range of session types and codecs
  UAS answers with a range of session types and codecs
During teardown:
  One of the parties sends a BYE message. The other replies “OK”.

Related Work
“Understanding SIP through Model-Checking” by Dr. Pamela Zave
Her Promela code models the initial session setup + termination between one UAC and one UAS.

Abstractions in the Basic model
[Diagram: The SIP Stack, with layers UAC / UAS core, Transaction, Transport]
We’re modeling the topmost layer of the SIP stack.
No syntax checking, no retransmission, no timers, …
Many failure messages are also out.

The FIFO/Pruned Model
[Diagram: proctype UAC and proctype UAS]
Two channels
  Assume one TCP connection each from both sides
Two processes
  One UAC process
  One UAS process
Many messages
  invite, prack, update, ack, cancel, info, bye, unProv, relProv, invSucc, invFail, prackRsp, cancRsp, updSucc, updFail, infoRsp, byeRsp

SIP proxy
A SIP proxy is a server that relays SIP signals between two endpoints.
Usually, a UAS registers with a proxy to receive calls.
Two modes of operation:
  Stateless: “blindly” forwards messages from one side to the other
  Stateful: keeps track of state to do more interesting things

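Modeling a SIP proxy
[Diagram: proctype UAC, proctype proxy, proctype UAS]
Four channels
Three processes
Same messages

    /* Stateless proxy. The channels c2p, p2s, s2p and p2c are declared outside this proctype. */
    proctype proxy() {
        mtype message, sdp;
    end: do                                       /* waiting here is a valid end state */
        :: c2p?message,sdp; p2s!message,sdp       /* relay UAC -> UAS */
        :: s2p?message,sdp; p2c!message,sdp       /* relay UAS -> UAC */
        od
    }
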
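The three-process, four-channel arrangement described above, written out as a closed model that SPIN can check. This is an added example, not the author's model: the reduced message set, the UAC and UAS behaviour, the channel capacity of 1, and the names nosdp and uasInCall are assumptions made for illustration.

```promela
/* Added example (not the author's model): closed three-process system around
   the stateless proxy. Message set and UAC/UAS behaviour are simplified
   assumptions; nosdp and uasInCall are hypothetical names. */
mtype = { invite, invSucc, invFail, ack, bye, byeRsp, offer, answer, nosdp };

chan c2p = [1] of { mtype, mtype };   /* UAC   -> proxy */
chan p2s = [1] of { mtype, mtype };   /* proxy -> UAS   */
chan s2p = [1] of { mtype, mtype };   /* UAS   -> proxy */
chan p2c = [1] of { mtype, mtype };   /* proxy -> UAC   */

bool uasInCall = false;               /* true while the UAS holds a session */

proctype UAC() {
    c2p!invite,offer;
    if
    :: p2c?invSucc,answer ->          /* call accepted: confirm, then hang up */
        c2p!ack,nosdp;
        c2p!bye,nosdp;
        p2c?byeRsp,nosdp;
        assert(!uasInCall)            /* UAS must have released the session */
    :: p2c?invFail,nosdp -> skip      /* call rejected: nothing to tear down */
    fi
}

proctype proxy() {                    /* stateless relay, as on the slide */
    mtype message, sdp;
end: do                               /* idling here is a valid end state */
    :: c2p?message,sdp; p2s!message,sdp
    :: s2p?message,sdp; p2c!message,sdp
    od
}

proctype UAS() {
    p2s?invite,offer;
    if
    :: uasInCall = true;              /* accept the call */
       s2p!invSucc,answer;
       p2s?ack,nosdp;
       p2s?bye,nosdp;
       uasInCall = false;
       s2p!byeRsp,nosdp
    :: s2p!invFail,nosdp              /* reject the call */
    fi
}

init { atomic { run UAC(); run proxy(); run UAS() } }
```

Saved as model.pml (file name assumed), it is checked with spin -a model.pml, then cc -o pan pan.c, then ./pan. Removing the end: label makes pan report an invalid end state, because the proxy is still blocked in its loop when both endpoints have finished.
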
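Stateless SIP Proxy
[Diagram: UAC, Proxy, UAS1, UAS2; labels: INVITE bob, INVITE bob, failed, failed]
If there are multiple UAS registered, then pick one and forward.

    /* Stateless proxy with two registered UAS. p2s and s2p are channel arrays indexed by UAS id. */
    proctype proxy() {
        mtype message, sdp;
        byte uasid;
        c2p?invite,sdp;                 /* wait for the initial INVITE from the UAC */
        do                              /* nondeterministically pick one UAS */
        :: true; uasid = 0; break;
        :: true; uasid = 1; break;
        od;
        p2s[uasid]!invite,sdp;          /* forward the INVITE to the chosen UAS */
    end:
        do                              /* from here on, relay only to and from that UAS */
        :: c2p?message,sdp; p2s[uasid]!message,sdp
        :: s2p[uasid]?message,sdp; p2c!message,sdp
        od
    }
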
Stateful SIP Proxy: Sequential Search
[Diagram: UAC, Proxy, UAS1, UAS2; labels: INVITE bob, INVITE bob, OK, failed, INVITE, OK]
Search multiple UAS in order.
Establish connection with first one that answers.
However,
  Had to change UAC as well.
  Proxy forwards provisional response to UAC.
  UAC may receive provisional responses from multiple UAS.
  Variables intended for single UAC-UAS transaction changed to arrays.

Simulation of Sequential Search
Verification of the model using
  Partial Order Reduction
  Compression
Reveals that there’s an invalid end state at depth 284.
  Hopefully will be fixed by Wednesday.

Lessons Learned
Promela / SPIN is a tool that can be used to check network protocols.
To make a model, need to abstract a lot of details out. Finding the right level of abstraction in the problem you’re interested in is important.
Making or modifying a model from plain English-based standards documents is not an easy task. But the resulting model is very useful.