A SemanticModel for Adaptive Communication

SebastianGutierrez-Nolasco�, Nalini Venkatasubramanian

�, andCarolynTalcott

��

Universityof California,Irvine, Irvine, CA 92697-3430USAseguti@ics.uci.edu, nalini@ics.uci.edu�

StanfordUniversity, Stanford,CA 94305USAclt@cs.stanford.edu

Abstract. Futureapplicationswill executein highly dynamicenvironments,wherecommunicationis notuniformdueto changingconditionsof network connectivity, reliability andresourceavailability. Designingcommunicationframeworks that are capableof dynamicallyadaptingthemselves to the environmentis an importantchallenge.Furthermore,differentapplicationsmaydemanddifferentpropertiesandguaranteesasfar astheQoS,securityandfailuresemanticsareconcerned.Althoughseveral frameworkshave beendesignedto supportmodularandrecon-figurablecommunicationprotocols,they supportcomplex programminginterfacesandprotocolbehavior is oftenexpressedvia informal descriptions.Clearsemanticmodelscapableof expressingdependenciesamongpropertiesrequiredby a givencommunicationsystemwill helpdesignsafecustomizablecommunicationframeworks.In thispaperwe presenta reflective communicationframework basedon a semanticmodelof distributedobject reflec-tion. We illustratehow suchan adaptive framework is usedto formalizeandreasonaboutinteractionsbetweencommunicationprotocolsandensuretheir safecomposition.

1 Intr oduction

Recentadvancesin componentbasedsoftwareandcommercialoff-the-shelfproductshave enabledthe creationofapplicationscapableof dynamicallyadaptingthemselvesto unpredictablechangesin thecomputationalandcommu-nicationenvironment.However, thesenew kindsof applicationmaydemanddiverseguaranteesfrom theunderlyingcommunicationsubsystemasfarasQoS(qualityof service),securityandfailuresemanticsareconcerned.Traditionalcommunicationframeworksarenotwell suitedto captureandexpressdependenciesamongpropertiesrequiredby theapplication.

For example,todaymany workersaccess(via VPNs)confidentialbusinessdatafrom almostany wirelesshot-spotlocationsuchascoffee houses,food-franchises,librariesandconferencehalls.Currently, thesehot-spotsoffer freenetwork access,but weforeseeashift in thisaltruisticvisionallowing freerestrictedaccess;while providing increasedbandwidthor greateraccessto paidcustomers.In thisscenario,apaidcustomerwill expectacertainminimumlevel ofQoSin theform of sustainedbandwidth,end-to-enddelayboundanda certaindegreeof security(evenif hedoesnottrust thehot-spotinfrastructureandusesa VPN, sinceuserauthenticationis donebeforeobtaininga securechannelor a VPN connection).However, currentsecurityprotocolsassumereliablecommunicationbetweenend-pointsandall communication(at theapplicationlevel) is stalledwhile bothend-pointsauthenticatethemselvesandestablishtheconnectionor whenthey executerefreshor rekey protocols.Therefore,they arenot immediatelysuitablefor useinhot-spots,whicharecharacterizedby suddenchangesin latency, bandwidthandreliability dueto unexpectedincreaseof customersin thevicinity or theuseof intensiveapplications(e.g.multimedia,file transfers,etc)by customersonthemove. Next generationof communicationframeworksmustmonitor their environmentin orderto adaptthemselvesto suddenchangeson reliability, latency, bandwidthandsecuritylevels providedby the hot-spotwithout disruptingcommunicationat theapplicationlevel. [Nalini - add 2 more

examples]As anotherexample,anunmannedair vehicle(UAV) recordssurveillancevideodataandtransmitsit via awirelesschannelto areceiveronanearbyship.Thereceivedvideostreammustbedistributedto severalviewersonthatshipandpossiblyonotherships.In thisenvisionedscenario,datain transfermustbeprotectedfrom beingreadby unauthorizedentitiesand compressedin order to overcomebandwidthconstraints.Moreover, in a battlefieldsituation the shiprequirestimelinessof delivery of the UAV picturesto assurethat decisionsaremadefrom timely data.Encryptionandcompressionareinherentlydataintensive andtheir useaffectsthetimelinessrequirement.To furthercomplicatethescenario,dependingon theircurrentlocation,viewersmayhavedifferentandconstantlychangingrequirementsintermsof securityandtimeliness.

Although thesesimple scenarioshighlight the relevanceof adaptive communication,they also underscoretherequirementfor a semanticmodelcapableof assuringsafeadaptation. [clt - will needto say

whatsafemeans– seeintro to TOSEM pa-per]

In thispaper, wedescribeareflectivecommunicationframework(RCF)anddevelopadetailedformalsemanticsforsuchframework usinga genericsemanticmodelof distributedobjectreflection.We thenillustratehow thesemanticspecificationof the RCF is usedto ensurecorrectnessof critical applicationpropertiesandhow it can be usedtosupportadaptive communication.The remainderof this paperis organizedasfollows. In Section2, we describethebasicreflective communicationframework. Formalspecificationof the framework is discussedin Section3. Section4 givesan overview of the formal semanticsof the reflective communicationframework; while Section5 discussescomposabilityandinteractionissuesthatarisein adaptivecommunication.We describerelatedwork andconcludeinSection6 with futureresearchdirections.

2 A Reflective Communication Framework

Sincetheactormodelof computation[7] incorporatesthe notionof encapsulationandinteractiononly via messagepassing,it offers a clear, flexible andsimplesemanticapproachto describedistributedsystemsbasedon incomingcommunications[9]. Thesystemis modeledasa groupof self containedandindependentautonomousobjects,calledactors,which communicatevia asynchronous(buffered)messagepassing.On receiving a communication,an actorprocessesthe messagein a mannerdeterminedby its currentbehavior. As a result, the actormay: (1) Createnewactors,(2) Changeits behavior and (3) Sendmessagesto itself or to other (existing) actors.Sincemail addressesmaybecommunicatedin messagestheconfigurationof thecommunicationis dynamicandtheactivationorder(onemessageactivatesanotherif thelatteris sentduringtheprocessingof theformer)determinescommunicationpatterns.

In ourmodel,asystemis composedof two kindsof actors,baseactorsandmetaactors,distributedoveranetworkof processingnodes.Baseactorscarryout applicationlevel computation,while metaactorsarepart of the run-timesystem,which managessystemresourcesandcontrolsthe run-timebehavior of the baselevel. Metaactorscommu-nicatewith eachothervia messagepassingasdo baseactors,andthey mayalsoexamineandmodify thestateof thebaseactorslocatedonthesamenode.Baselevel actorsandmessageshaveassociatedrun-timeannotationsthatcanbesetandreadby metaactors.Theannotationsareinvisible to baselevel computation.Actionswhich resultin a changeof baselevel state,arecalledeventsandmetaactorsmayreactto themif they occuron theirnode.A configurationhasasetof baseandmetalevel actorsandasetof undeliveredmessages.Theactorsaredistributedoverthesystemnodes.Eachactorhasauniquename(actoridentifier)andtheconfigurationassociatesacurrentstateto eachactorname.Theundeliveredmessagesaredistributedover thenetwork (somearetraveling alongcommunicationlinks andothersareheldin nodebuffers).

In orderto provide correctcompositionof communicationprotocolsin a transparentandscalablefashion,we ex-tendour modelwith a reflective communicationframework (RCF),which customizesthebaselevel communicationas follows (seeFigure1). Eachbaselevel actorhasa metalevel actor, calledmessenger, which servesas the cus-tomizedandtransparentmail queuefor thatbaselevel actor. Thereis onecommunicationmanager in every nodeofthedistributedsystem,which implementsandcontrolsthecorrectcompositionof communicationprotocolsspecifiedby messengerson thatnode.A messengerhastwo messagequeues:(i) Theupqueueis usedasthe(baselevel) actor’ssendbuffer, and(ii) The dwn queueis usedto deliver messagesto the (baselevel) actor, servingas its customizedmail queue.Thecommunicationmanagerhasa setof communicationprotocolactors,eachof themimplementingaparticularcommunicationprotocolprovidedby theframework (e.g.reliable,in-orderor security).Thisschemeallowsusto abstracta coresetof communicationprotocolsandshareit betweenthedifferentmessengerson a node,simpli-fying thesynchronizationandcompositionprocess.Furthermore,it encouragesseparationof concernsin theprocessof messagetransmissionandreception.However, in purely reflective architectures,reasoningaboutthesemanticsofcorrectcommunicationcompositionmaybecomplicated;moreover, its implementationmaybeinefficient.

In orderto maintainaccuratesemanticsandprovideanefficient implementationof thearchitecture,thecommuni-cationmanagerusesa pre-definedpool of metalevel entities,calledcommunicationmessagecoordinators(or simplymessage coordinators). Every messagerequiringa communicationprotocolis assigneda messagecoordinatorandatany instance,amessagecoordinatorhandlesthecompositionof thecommunicationprotocolsrequestedby a messen-gerfor anindividualmessage.Themessagecoordinatorassuresthecorrectorderof compositionof requiredprotocolsandprovidesa coordinationmechanismbetweenthe messengerand the protocolsthat provide it. This conceptofreusablemessagecoordinatorsis anefficient way to handletheservicerequestof eachmessengerwithout having topay thebottleneckassociatedwith thecentralizationof theservicesin thenodecommunicationmanagerandallowsusto processconcurrentlymultiple messages.

In theRCFmodel,acommunicationprotocolmaybeexplicitly requested(atany instance)by thesenderor implic-itly specifiedby its messenger, in casethesenderandthereceiverpreviouslyagreedto useaparticularcommunication

2

Fig.1. Thereflective communicationframework model.

protocol.In orderto providedynamiccustomizationof communicationprotocols(potentiallyonapermessagebasis),theRCFmodelseparatesspecification,compositionandimplementationof communicationprotocols.Thespecifica-tion is handledby the messengerthrougha messageservicelist (msl), which determinesthe setof communicationprotocolsto beusedin thecommunicationof a specificmessageto its target.Thecommunicationprotocolsrequiredby acommunicationmaybeexplicitly specifiedor constructedby themessengerusingtarget-actorinformationwithinthe message.The messengeralsoassignsevery outgoingmessagea uniquemessageidentifier (msgid), which is auniquesequenceof valuesassignedto every messageto besent.Themsgidis composedby concatenatingthecom-municationmanageridentifier (cmid), anapplicationidentifier (appid), a communicationmanagersequencenumber(cms) anda local time stamp(ts) definedby Lamport’s happened-beforerelation[16]. Theprotocolsthemselvesareimplementedby independentcommunicationprotocolactors.This schemeallowsusto add(plug in) or remove(plugout) communicationprotocolsdynamically.

3 RussianDolls: A semanticmodelof distrib uted object reflection

Theconcurrentstateof a distributedsystem,oftencalleda configuration,hastypically thestructureof a flat multisetmadeupof objectsandmessagesthatbehaveaccordingto a setof rulesdescribingthebehavior of individualobjects.We canvisualizethis configurationasa soupin which objectsandmessagesfloat andinteractwith eachother. Wemodela distributedsystemconfigurationusingtherewriting logic objectmodel[26] [13] whereanobjectin a givenstateis representedas

����� � �� � ����Where � is the object’s nameor identifier, � is its classand ������� its attribute set,andthe rewrite rulesdescribingthedynamicsof thesystemcanhavetheform

�����! �"#"#" �%$ �&� $ � $ �� � �� $ � "#"#" �&�(')� *'+ �� � ��,'-�.+/���&0�� 102 �� � ��302� "#"#" ���('2� �'4 �� � ��,'4�5���7698�: � �; � �� � "#"#" ���7698�:$ � $ �� � �� $ � � 6)8<:' "#"#" � 6)8<:6 =?>A@where r is the label, B ’s are messages,and C is the rule condition. That is, at any time, objectsand messagescancometogetherandparticipatein a concurrenttransitioncorrespondingto a communicationevent in which somenew objectsmaybecreated( �ED1F�G ), otherobjectsmaybedestroyed,othersmaychangetheir stateandnew messages( BHD*F�G ) maybecreated.

3

3.1 Componentsof the Model

In theRussianDolls model[14], objectsarestructuredin nestedconfigurationsof metaobjectsthatcancontrol(baseandmeta)objectsunderthem,calledsubobjects,with anarbitrarynumberof levelsof nesting.Thisallowsusto modelprocessingnodesasmetaobjectsthat encapsulateactors(baseandmeta)andmessages.Thus,we have threemaincomponentsin themodel:actors(baseandmeta),nodesandmessages.

Baseand meta actors: We usetheRussianDolls theoryto modelactorsasobjectswith identity andstate,con-figurationsassoupsof actorandmessages,andactorbehavior rulesasrewrite rules.Therefore,a baseactorsystemis representedasa specialcaseof objectmoduleconfiguration.A baseactoris representedasanobjectin somebaseactorclassIJC . Messageshavetheform �LKNM , where� is theactoridentifierof thetargetactorand M is themessagecontents.Baseactorrulesareconstrainedto have theform

�&�2� O @ �� � ����7P7Q ��R;SNT .+/ �U�2� O @WV �� � �� V �7P(X3Y�Z D >[=\> Y�Z D*]where I^C and I^CE_ arebaseclases,�*����� and �������9_ areattributevaluesetsappropriatefor thecorrespondingclasses,`;acb-d7e

is aconfigurationof newly createdbaseactorsandmessages,and fcg indicatesthatthemessagepartis optional.A metaactoris anobjectin somemetaactorclassBhC andmetamessageshave theform Mi�%KLMij , where Mi� is theidentifierof themetaactor. Metaactorsaregroupedassubobjectsconfigurationsof nodes.

Node:A nodeis anobjectof classk b4l�m andhasanattributeacb-d7e

whosevalueis aconfigurationcontainingmetaactorsandmessages.Eachnodehastwo specialmetaactors(seefigure2): A basebehavior taskmanagermetaactor` ��Mn� of classIpo!BhC thatrepresentsandcontrolsbaseexecutionbehavior, anda communicationmetaactor

a Mn� ofclassCqBhC thatrepresentsandcontrolsbasecommunicationsemantics.Thesemetaactorsalsoimplementtheeventhandlingsemanticsassociatedwith baseevents.Hence,a nodehastheform

�&r9� sLZ ];F Y�Z D > �#�UX< tSu�)� Owv � @ "#"#" �x�UY3Su�)� @ � @ "#"#" �ySLY�Z D > �

Fig.2. TheRussianDolls Model

Basebehavior task manager actor: A basebehavior taskmanagermetaobjectof class I�o%BhC hasattributes` B b4l,` C b-d7e ,

m-zEm){, | m)d(l�} j , ~����3�,� b-� .

�&X< tSL�2� OWv � @ X � Z ] � � O � P&X @ Z D > � � X�Y�P F��(F3� � F SL���4P&� F�D1]��7� � F�� P G � = t7Z���� ���I^B is the modulethatdescribesthe behavior of the baselevel objectasrewrite rulesandthus,thevalueof

` B b4lis themetarepresentationof thebasemodule I^B ; while thevalueof

` C b-d7e is themetarepresentationof thebaseconfiguration

;a. Hereweusetheconventionthatif � `;a denotesabaseentity then � � `;a denotesthemetarepresentation

of thatentity. Thefactthatrewriting logic is reflectiveguaranteesthat � � `;a is themetarepresentationof � `ca andsuchfaithful metarepresentationexists.

4

Theremainingattributesdealwith executionof eventhandling.An executioneventis themodificationof anode’sbaseactorconfigurationdueto applyingeithera baseor a metarule. An executionevent is representedby the term������� � `;acb-d7e�� � ��| l ��� m���a Mn�9|�� , where

;a2b-d7eis theinitially baseconfiguration,��| l �*� m is abaseconfigurationthatspec-

ifies new statesfor existing baseactorsaswell asnewly createdbaseactorsandmessages.a Mn�9| mapsnewly created

baseactorsandmessagesto identifiersof existing baseactorson whosebehalfthey werecreated.Eventhandlingismodeledbysendingnotificationsto metaactorsregisteredfor theevent.A metaactoris registered

for aneventonly if it hasaneventhandlingrule matchingthis eventthatgeneratesa reply to thenotifying actor. Thevalue

m Mi�9| of theattributem-z!m){

mapsanexecutioneventto thesetof namesof metaactorsthatareregisteredto benotifiedabouttheevent.Themapingis computedusingthe term ���1����� � m Mi�9| ��m j m9d ��� . Thevalue

m j of theattribute| m9d(l�} j is eitheran executionevent or a specialvalue

d(b-d(m, indicatingthat no event handlingis in progress.The

value � of ~������,� b-� is thesetof metaactoridentifiersfor which thenotificationreply hasnot beenreceived.Communication actor A communicationmetaobject of class CqBhC hasattributes � m9d(l�� , � �-� ��j m4� ,

m-zEm2{,

| m9d(l�} j , ~����3�,� b-� . The valueof � m9d(l�� is a list of outgoingmessagesof the form � � Mn� {&� �#� d(l1� � , representingre-questsfrom baseactor � d(l1� to sendmessageMn� { ; whereasthevaluesof � �9�-� �3j m4� is a list of incomingmessagesoftheform � � Mn� {&� �#� d(l*�4� ��Mn�9|�� representingthearrival of messageM�� { from baseactor � d(l*� with messageannotationmap �*Mn�9| . Theremainingattributesareeventhandlingattributessimilar to thoseof Ipo%BhC .

�&Y3SL�2� @ � @ � F�D1]�� � �,Su� � ��P(�c��� = �cF,� � �;SL� � ��P F��(F3� � F SL���4P&� F�D1]��7� � F�� P G � = t7Z���� ���

3.2 Meta level transitions

Sincea systemconfigurationcanbevisualizedasa soupof nodesandmessageswith baseandmetaactorsformingsubgroupsinsidethenodes,anodetransitionmightbeeithera communicationtransitionor anexecutiontransition.

A communicationtransitionmovesa messageto actorsonothernodesfrom thenode’sbuffer to theexternalsoupor movesamessageto anactoron thenodefrom theexternalsoupinto thenode’smail buffer. An executiontransitionfirst applieseitherabaseor metatransitionrule.If thereis anassociatedbaseevent,theneacheventhandlingrule thatmatchestheeventmustbeapplied(in anunspecifiedorder)andtheassociatedannotationupdateappliedto thenewlocalbaseconfigurationandmessages.In general,a metatransitionrulehastheform

Su�[Q SuSL� � T .+/p�<�t��  69¡¢�£�¤�¥,¦ 8 SL� V PUSLY�Z D >A=\> Y�Z D*]whereMi� is a metaactor, f MiM�� { g is anoptionalmetamessageaddressedto Mi� , Mi��_ is thesamemetaactorwith itsstatepossiblymodified, M acb-d7e is a configurationof newly createdbaseactorsandmessagesand

a2b-d(lis a predicate

constrainingtheactor-messagepairsto which theruleapplies.�*| l ��� m is eitheremptyor hastheform � `;acb-d7e���a Mi�9|�� .Whentherule is applied,

;acb-d7eis boundto thebaseactorconfigurationon thenodewherethemetaactoris located.

As a resultof rule application,baseactorannotationsor messageannotationsmaybeupdated.Metaactorruleswithemptyupdatearerepresenteddirectlyasobjectrewrite rules

��SL�2� � @ �� � ����5Q SuSL� � T .+/ ��SL�2� � @7V �� � �� V �7PUSLY�Z D >A=\> Y�Z D*]Ruleswith non-emptyupdaterequiresynchronizationwith the

` ��Mn� sincethe` ��Mn� needsto notify all registered

metaactorsbeforeupdatingthe baseconfiguration.In order to clearly specifybaselevel execution,we divide theexecutionof a baseactor into four consecutive stepsor rewrite rules,eachof themmarked by a label of the formRR(label). (seefigure3). In eachstep,someattributesaremodifiedandtheir modificationwill enablethenext steptoexecute.Thatis, initially the

` ��Mi� will enquetheexecutioneventin its | m9d(l Bh� { attribute( step1),enablingstep2 toproceed,whichnotifiesall registeredmetaactorthattheevent

m j�� is goingto beexecuted.Notethat §�¨+©<ª «��1�+��� � � ��m j*���is thesetof messagesMi�qK d(b ��� e�¬ � m j*��� for Mi� in � . That is, � is thesetof metaactorsregisteredto benotifiedwhentheevent

m j*� occurs.Oncethenotificationshavebeensent,the` ��Mn� startsprocessingtheevent(step3), which

may producenew actorsandmessages.a Mi�9| mapsnew actorsandmessagesto actor � , That is, newly actorsand

messageswerecreatedon behalfof actor � . Whenthe executionof the event is beingprocessed(step4), the` ��Mi�

waits for acknowledgementsfrom the registeredMn� ’s. Whenall registeredmetaactorhave acknowledgednotifica-tion,

` ��Mn� completestheexecutioneventby updatingits modelof thebaseconfigurationandtransmittingnewly sent

5

messagesto thea Mi� (step5).

`;a _ is the resultof applying �*| l ��� m to � `;a , and �)M�� { �9_ containselementsof the form� � Mn� {&��a Mn�9| � � M�� { ��� for eachmessagespecifiedby ��| l ��� m

Step1 ­u­u®�¯?°w±*²�³4´¶µ�·�¸º¹�»1¼L½+¾;´¿·�ÀÁà·3Ä^Å�Æ9ÇÉÈʸxËEÌ Â ¸ÎÍ)ÏpÆÑÐ Ç%¸yÒ Â ËÊÍ2´ÔÓÕÆÑÐ Â�Ö ÒÕ¾c­u¾�»qÆ4¾;ÄJÅc×�Ò�×ؾ;´¿Ï+¼L½EÆ-´¿Í2´Ô¾-ÒÕ¹�·�Å+Ù2·3¾cÏEÆ-Ó�Å1Ú�¹;¾ÉÛܶÝÁà·3Ä^Å�Æ9ÇÉÈʸxËEÌ Â ¸ÎÍ)ÏpÆÑÐ Ç%¸yÒ Â ËÊÍ2´ÔÓÕÆÑÐ Â�Ö ÒÕ¾c­u¾�»qÆ4¾;ÄJÅc×�Ò�×ؾ;´¿Ï+¼L½EÆ4¾;½-·�ÒÞ¹�·3Å+Ùc·�¾;Ï!Æ+Ó�Å1Ú�¹;¾LÛµ<Óx¾c½-· ÜLÜàß�á4ß ²3Ð Ç!¸âÆÑÐ Â�Ö Ò;Ð ã-×�Ï4Å4·3¾4Ò Ö Ä^Å2×ØÀ�Å+´¿ÏºÐ ã-×�Ï4Å4·�¾ Üåäcæ1ç-è)é<ß ²3Ð Ç!¸ÎÒ;Ð Â�Ö Ò�Ð Â�Ö�ê ÀStep2 ­u­u®�¯?°w±*²�¹�·�Å+Ù2·�¸º¹�»1¼L½+¾;´¿·�ÀÁà·3Ä^Å�Æ9ÇÉÈʸxËEÌ Â ¸ÎÍ)ÏpÆÑÐ Ç%¸yÒ Â ËÊÍ2´ÔÓÕÆÑÐ Â�Ö ÒÕ¾c­u¾�»qÆ4¾;ÄJÅc×�Ò�×ؾ;´¿Ï+¼L½EÆ4¾;½-·�ÒÞ¹�·3Å+Ùc·�¾;Ï!Æ+Ó�Å1Ú�¹;¾LÛܶÝÁà·3Ä^Å�Æ9ÇÉÈʸxËEÌ Â ¸ÎÍ)ÏpÆÑÐ Ç%¸yÒ Â ËÊÍ2´ÔÓÕÆÑÐ Â�Ö ÒÕ¾c­u¾�»qÆ4¾;ÄJÅc×�Ò�×ؾ;´¿Ï+¼L½EÆ4¾;½-·�ÒÞ¹�·3Å+Ùc·�¾;Ï!Æ9·�Ù)ã�¾4Ò^ë�Å1µ�·3ìuÍ)Ù�Æ4íîÛLÒ´¿Íc·3µ<Ó�ï+Å1Ú?Ú�²�íiÒ�¾;½-·,ÀëNð�¾;Ù)¾ní Ü Åc×-×ØÚ\￲t¾;ÄJÅc×�Ò<¾;½-·,ÀStep3 ­u­u®�¯?°w±*²�¹�·�Å+Ù2·3¼Éñ�¾ Ö ã�·3µtÍ2´ÔÀÁà·3Ä^Å�Æ9ÇÉÈʸxËEÌ Â ¸ÎÍ)ÏpÆÑÐ Ç%¸yÒ Â ËÊÍ2´ÔÓÕÆÑÐ Â�Ö ÒÕ¾c­u¾�»qÆ4¾;ÄJÅc×�Ò�×ؾ;´¿Ï+¼L½EÆ-´¿Í2´Ô¾-ÒÕ¹�·�Å+Ù2·3¾cÏEÆ2·3Ù2ãؾLÛܶÝÁà·3Ä^Å�Æ9ÇÉÈʸxËEÌ Â ¸ÎÍ)ÏpÆÑÐ Ç%¸yÒ Â ËÊÍ2´ÔÓÕÆÑÐ Â�Ö ÒÕ¾c­u¾�»qÆ4¾;ÄJÅc×�Ò�×ؾ;´¿Ï+¼L½EÆ4¾;½-·�ÒÞ¹�·3Å+Ùc·�¾;Ï!Æ+Ó�Å1Ú�¹;¾LÛµ<Óò²3Ð ÅØÒ�Ù2´¿Å+ÄÞ¾-Ò�¹�ã  ¹�·�ÀWóÕ¾;´¿Å  Ú?¾;Ïز3Ð Ç!¸ÎÒ�Ð Â�Ö À^Å+´¶ÏxÐ ã-×�Ï4Å4·�¾ ÜLÜ ã-×�Ï4Å4·�¾4²3Ð Ç%¸yÒ�Ð Â�Ö Ò;Ð ÅØÒ�Ù)´¿Å+ÄÞ¾-Ò�¹;ã  ¹�·,ÀpÅ1´¿ÏÖ ÄJÅc× ÜLÜ ÄJÅ1ô1¾ Ö ÄJÅc×&²3Ð ã-×�Ï4Å+·3¾-Ò�Ð Å*À�Å+´¿Ïõ¾;½-· ÜLÜ ¾;ñؾ4²3Ð Ç!¸öÆÑÐ Â�Ö Ò;Ð ã-×�Ï4Å+·3¾-Ò Ö Ä^Åc׿ÀStep4 ­u­u®�¯?°w±*² Ö Í2´¿·�µt´¶ã�¾2¼Lñؾ Ö ã�·3µtÍ2´�ÀÁà·3Ä^Å�Æ9ÇÉÈʸxËEÌ Â ¸ÎÍ)ÏpÆÑÐ Ç%¸yÒ Â ËÊÍ2´ÔÓÕÆÑÐ Â�Ö ÒÕ¾c­u¾�»qÆ4¾;ÄJÅc×�Ò�×ؾ;´¿Ï+¼L½EÆ4¾;½-·�ÒÞ¹�·3Å+Ùc·�¾;Ï!Æ9·�Ù)ã�¾4Ò^ë�Å1µ�·3ìuÍ)Ù�Æ4íºÄ^ÅqÛLÒ ·3Ä^Å�÷ø´¿Íc·3µ<Ó�µ�¾cÏ1ùÊÄ^ÅܶÝÁà·3Ä^Å�Æ9ÇÉÈʸxËEÌ Â ¸ÎÍ)ÏpÆÑÐ Ç%¸yÒ Â ËÊÍ2´ÔÓÕÆÑÐ Â�Ö ÒÕ¾c­u¾�»qÆ4¾;ÄJÅc×�Ò�×ؾ;´¿Ï+¼L½EÆ4¾;½-·�ÒÞ¹�·3Å+Ùc·�¾;Ï!Æ9·�Ù)ã�¾4Ò^ë�Å1µ�·3ìuÍ)Ù�Æ4íîÛµ<Óy´¶Íc·�²�Ä^Å�óÕíúÀStep5 ­u­u®�¯?°w±*² Ö Í2Ä!×ØÚ?¾�·3¾2¼Lñؾ Ö ã�·3µtÍ2´�ÀÁà·3Ä^Å�Æ9ÇÉÈʸxËEÌ Â ¸ÎÍ)ÏpÆÑÐ Ç%¸yÒ Â ËÊÍ2´ÔÓÕÆÑÐ Â�Ö ÒÕ¾c­u¾�»qÆ4¾;ÄJÅc×�Ò�×ؾ;´¿Ï+¼L½EÆ4¾;ñؾ4²3Ð Ç!¸âÆÑÐ Â�Ö Ò;Ð ã-×�Ï4Å4·3¾4Ò Ö Ä^Å2×ØÀ�Ò¹�·�Å1Ùc·�¾;Ï!Æ2·3Ù2ãؾ-Ò^ëNÅ+µ�·�ìuÍ2Ù%Æ9Ä^·�ÛLÒ ÁûÖ ÄJÅpÆ+ËL¸xËEÌ ¹c¾;´¿Ï+ü5Æ+¹�ÄÕ¹�»*¹NÛܶÝÁà·3Ä^Å�Æ9ÇÉÈʸxËEÌ Â ¸ÎÍ)ÏpÆÑÐ Ç%¸yÒ Â ËÊÍ2´ÔÓÕÆÑÐ Â�Ö�ê ÒÕ¾c­u¾�»EÆ-¾;ÄJÅc×�Ò�×ؾ;´¿Ï+¼É½qÆ)´¿Í)´¶¾-ÒA¹�·3Å+Ùc·�¾;ÏEÆ9·�Ù)ã�¾LÛLÒÁÃÖ ÄJÅpÆ+ËL¸xËEÌ ¹c¾;´¿Ï+ü5Æ+¹�ÄÕ¹�»*¹ ê Û

Fig.3. Executionrules

4 The ExtendedRussianDolls Model

TheRCFfunctionality is introducedin thebasicRussiandolls modelin orderto formalizeprotocolinteractionsandfor statingandproving certainpropertiesthatensuresafeprotocolcomposition.Basically, specializedprocessingofmessagesarehandledby theRCFbeforethey reachthe

a Mi� . TheRCFis aninstanceof classz CE�EM b4l ��ý m andhasan

attributeacb-d7e

whosevalueis aconfigurationcontaining:(i) acommunicationmanagermetaactor þ of classCqB {�� Cthatcoordinatesmessageprocessing,and(ii) asetof messenguermetaactorsÿ of classBh� {�� C thatcontrolsmessagesemanticsfor their baseactors.Thus,theRCFhastheform

����Y > � � @ (SLZ ]�� � F Y�Z D > ������ @ � � � @ "#"#" �x���1� � � � � @ "#"#" �xSLY�Z D > �We expandthecommunicationmanagerto encapsulateandcontrola setof availablecommunicationprotocols

�of classC�pC andapoolof messagecoordinatorsactors of classBhCqC , soit cancoordinatemessageprocessinginthenode.

6

Communication Manager: A metaobjectof classCqB {�� C hasattributes� d ,b �� , a |�C b-d7e ,

a2b-d7e. Thevaluesof

� d andb ��� arelists of incomingandoutgoingmessagesof theform � � M�� {�� � , representingprocessedmessages.The

valueofa |&C b-d7e is themetarepresentationof thecommunicationprotocolscurrentlyloaded;while thevalueof

acb-d7eis a configurationcontainingmessagecoordinatorsandcommunicationprotocols.

����� @ � � � @ = D � = SL� � P7Z � <� Z�SL� � P(Y�� @ Z D > � � Y��)��PUY�Z D > ��� c� � @7@ "#"#" �WPW����� @��(@ "#"#" �7P�SLY�Z D > �

MessageCoordinator: A metaobjectof class BhCqC hasattributes Mn���3ý�� , M^| � , M � �)� , Mi�?| ,b-�4l

, �)�,� {Øm , ��|¶� d .Thevalueof Mi����ý�� is a list of incomingmessagesof theform ��� � M�� {�� � � d(l*�4� ��Mn�)|&� � � M��9ý<� representingtherequesttoprocessmessageM�� { sentby baseactor � d(l*� andmessageannotationmap ��Mn�9| with thecommunicationprotocolsspecifiedin � Mn�9ý . Thevaluesof MJ| � , M � �)� and Mi�?| aremetarepresentationsof themasterprerequisites,restrictionsandinteractionparameters(respectively) of thecommunicationprotocolsspecifiedin � M��9ý ; while thevalueof

b-�-l ý isthemetarepresentationof thecompositionorderthatneedsto beobeyedto ensurecorrectcompositionof communi-cationprotocols.

�� c� � @7@ SL� = ��� � SL� � P��2��� �2� � �3 3PU���3 <� ���3 � �3 3P = �9� = � � �3 3PWZ�� ] � Z�� ] � P�3 �� �cF � �cY��3 �� �cF P��<� = D � > � � � F �

Communication Protocol: A metaobjectof class C�pC hasattributes � d(l � , �4a j�� , | � , � �)� , �\| , �)�,��� m4e ��ý<ý . Thevalueof � d(l � is a list of outgoingmessagesof theform � � Mn� { � � , representinga processedmessageto bereturnedtothecorresponding that requestedtheservice;whereasthevalueof

�-a j�� is a list of incomingmessagesof the form� � Mn� {&� �#� d(l1�4� �*Mn�9|�� representingthearrival of messageM�� { to beprocessedby theprotocol.Thevaluesof | � , � �)�and �?| aremetarepresentationsof theprotocolprerequisites,restrictionsandinteractionparametersrespectively.

����� @��(@ � D1] � � Z�Su� � PU��Y � � � = SL� � P��2��� �2� � �3 3PU���3 <� ���3 � �3 3P = �)� = � � �3 3PW�3 ��� F > � ��� � > � � � F �

Messenger:A metaobjectof classBh� {�� hasattributes�*| ,l ~ d , ý��Ø�)��Mn� { � l , ý<���)��M��9ý , M�� {�a ý<�Ø�9� . Thevaluesof

�*| andl ~ d arelistsof incomingandoutgoingmessagesof theform � � Mn� {&� �#� d(l*�4� ��Mn�9|�� , representingraw messages.

Thevaluesof ý��Ø�)��M�� { � l and ý��Ø�)��Mn�9ý aremetarepresentationsof themessageidentificationandmessageservicelistrespectively.

���1� � � � � @ � �)� ��Z�SL� � P ]�GUD � � = SL� � P � �c�3 tSL� � = ] � � SL� � = ] P � �c�� tSu� � � � SL� � �

Beforegiving a concreteillustrationof themodel,we needto formalizetheenqueingof a message,we definetheenqueingrelation

� ��� m9d7� � m � ��+� Mn� , � � is anenqueingof messageM onto��

by� ��� m9d7� � m � ��+� M�� { � ��� ���� �! ���"u� � for somesequence

� �$# M .

MessageArri val

Let usbriefly describethesystembehavior duringan incomingmessagewhentheRCFmoduleis both inactive andactive. A messagearrival eventhasthe form � �-� ��j m � � � �^KÉM�� � �#� d(l1�4� ��Mi�9|�� indicatingthearrival of messageM forbaseactor � , sentby � d(l*� and having annotations�*Mn�9| . On the other side,a messagesendevent hasthe form� m)d(l � � � �NK�Mn� � �#� d(l1�4� �*Mn�9|�� indicatingthatamessageM having annotations�*Mn�9| is goingto besentto � by � d(l*� 1.

Figure4showsthecommunicationrulesthatneedto beappliedwhenamessageof theforma Mi�LKN� �9� �3j m � � M�� {�� � � d(l*�4� ��Mn�)|&�

arrivesto the node.Sincethe RCF is not active by default, the messageis queuedfor laterprocessinginto thea Mn�

mail queue(step1). Beforethea Mi� candeliver a message,it needsto notify all metaactorsregisteredfor message

arrival (step2) andwaitsfor theacknowledgementof all notifiedmetaactors(step3). Finally, it deliversthemessageto the

` ��Mi� , which will deliver the messageto the target actor(step4). The completesemanticsof messagearrivalusingtheRCFis describedin theAppendixA.

1 wekeepmessageannotationsat themetalevel. In caseof baseactorannotations,welet themetaactorsmaintaintheminternally.Thus,annotationsaremodifiedthroughthemetalevel

7

Step1 ­u­&%�°w±*²�Å+Ù2Ù)µt½+¾('9ÀÁÃÖ ÄJÅpÆ+ËL¸xËEÌ Å1Ù2Ù2µ�½+¾cü5Æ-Å+ÄÕ¹�»*¹NÛLÒ Ö Ä^ÅÊ÷ Å+Ù)Ù2µt½+¾4²3Ð ÄÞ¹�»ØÒ�Ð ¹�´¶Ï4Ù2Ò�Å+ÄJÅc׿ÀܶÝÁÃÖ ÄJÅpÆ+ËL¸xËEÌ Å1Ù2Ù2µ�½+¾cü5Æ-Å+ÄÕ¹�»*¹*)ʲ3Ð ÄÕ¹�»ØÒ�Ð ¹�´¿Ï4Ù)Ò�Å+Ä^Å2×ØÀWÛStep2 ­u­&%�°w±*²�¹�·�Å1Ùc·,+�Ù)Ù2µt½4Å1Ú�ÀÁÃÖ ÄJÅpÆ+ËL¸xËEÌ Å1Ù2Ù2µ�½+¾cü5Æ-Å+ÄÕ¹�»*¹*)ʲ3Ð ÄÕ¹�»ØÒ�Ð ¹�´¿Ï4Ù)Ò�Å+Ä^Å2×ØÀ�ÒJ¾c­u¾�»qÆ-¾cÄ^Åc×�Ò�×ؾ;´¶Ï1¸x¹�»qÆ9´¿Í2´¶¾�ÛܶÝÁÃÖ ÄJÅpÆ+ËL¸xËEÌ Å1Ù2Ù2µ�½+¾cü5Æ-Å+ÄÕ¹�»*¹9ÒÉ×ؾ;´¿Ï1¸º¹�»qÆÑÐ ÄÕ¹�»ØÒ^ëNÅ+µ�·�ìuÍ2Ù%Æ4í ÛLÒJ´¿Íc·3µ<Ó�ï+Å1Ú?Ú�²�íiÒ,¾;½+¾;´¿·�Àµ<Óx¾c½+¾;´Ø· ÜLÜ Å+Ù)Ù2µt½+¾4²3Ð ÄÞ¹�»ØÒ�Ð ¹�´¿Ï4Ù)Ò�Å+ÄJÅc׿ÀqÅ+´¿ÏÎí ÜLÜ Åc×-×ØÚ\￲t¾;ÄJÅc×�Ò<¾;½+¾;´Ø·,ÀStep3 ­u­ %�°w± ² Ö Í)´Ø·�µ�´¿ãؾ-+�Ù)Ù2µt½4Å*Ú?ÀÁÃÖ ÄJÅpÆ+ËL¸xËEÌ Å1Ù2Ù2µ�½+¾cü5Æ-Å+ÄÕ¹�»*¹9ÒÉ×ؾ;´¿Ï1¸º¹�»qÆÑÐ ÄÕ¹�»ØÒ^ëNÅ+µ�·�ìuÍ2Ù%Æ4íºÄJÅEÛLÒ Ö ÄJÅ�÷ø´¿Í2·�µ�Ó�µ�¾;Ïز�ÄJÅ*ÀܶÝÁÃÖ ÄJÅpÆ+ËL¸xËEÌ Å1Ù2Ù2µ�½+¾cü5Æ-Å+ÄÕ¹�»*¹9ÒÉ×ؾ;´¿Ï1¸º¹�»qÆÑÐ ÄÕ¹�»ØÒ^ëNÅ+µ�·�ìuÍ2Ù%Æ4í Ûµ<Óò²�ÄJÅ/.óÕíúÀStep4 ­u­ %�°w± ² Ö Í)Ä%×ØÚ?¾�·�¾-+�Ù)Ù2µt½4Å*Ú?ÀÁÃÖ ÄJÅpÆ+ËL¸xËEÌ Å1Ù2Ù2µ�½+¾cü5Æ-Å+ÄÕ¹�»*¹9ÒÉ×ؾ;´¿Ï1¸º¹�»qÆÑÐ ÄÕ¹�»ØÒ^ëNÅ+µ�·�ìuÍ2Ù%Æ9Ä^·wÛLÒÁàÄJÅpÆ4Ç%¸ºËEÌ Â ¸yÍ2Ï�ÆÑÐ Ç%¸yÒ Â ËÊÍ)´ÔÓÞÆÑÐ Â�Ö Ò!×ؾ;´¶Ï1¸x¹�»qÆ-´¿Í2´Ô¾ÉÛܶÝÁÃÖ ÄJÅpÆ+ËL¸xËEÌ ×ؾ;´¶Ï1¸x¹�»pÆ9´¿Í2´Ô¾ÉÛLÒ Á  Ä^Å�Æ9Ç!¸xËEÌ Â ¸ÎÍ)ÏpÆÑÐ Ç!¸ÎÒ Â ËÊÍ2´ÔÓAÆ)Ï+¾cÚ\µt½+¾cÙ1²3Ð Ç!¸ÎÒ�Ð Â�Ö Ò�Ð ÄÕ¹�»*ÀwÛ

Fig.4. Messagearrival rules

5 Towards AdaptiveCommunication

In order to respondto suddenchangesin the communicationenvironmentwithout disruptingthe application,thecommunicationframework mustcontinuouslymonitorthenetwork environmentandadjust,replaceor composecom-municationprotocolsaccordingly. However, specificsof a communicationprotocolrestrict the adjustmentsthat canbemadeto theprotocolitself andmayposeconditions(on thesystemenvironment)thatpreventor constrainits com-binationor concurrentexecutionwith otherprotocols.Whentwo or morecommunicationprotocolsarecomposedinorderto obtaintheircombinedbenefitstheirguarantees(desirableproperties)arenotalwayspreserved.Preservationofprotocolguaranteesmaycrucially dependon thecompositionorderandtheir interactionparameters,which constraincommunicationprotocolbehaviors to achievetheir safecomposition.Check if safecompo-

sitionhasbeendefinedin theintro

Mostof thework on composablecommunication[27][19][20][2] hasfocusedon mechanismsto providedynamicprotocolcomposition.Much lesswork hasbeendoneto develop the underlyingsemanticsthatenablesus to reasonabouttheformalpropertiesof suchcompositionor to identify underwhatconditionsagivenprotocolimplementationsuceedsandhow (if at all) parameterscanchangeits performance.

5.1 CaseStudy: SecureDelivery in Hot-spots

Currentsecurityprotocolsareimplementedasa single(ordered)sequenceof messagesbetweenparticipantswithoutchoicepoints(ifs) or loops.In fact, they assumereliabletransferbetweenstaticend-pointsandstall all communica-tion (at theapplicationlevel) while theend-pointsareauthenticatedanda virtual secureconnectionis established(orre-established)betweenthem(i.e. theuseris watchinganhour-glasscursorall this time). As we briefly discussedinSection1, hot-spotsarecharacterizedby suddennetwork changesandmobileend-pointsthatconnectanddisconnectfrequently. In thisscenario,anestablishedmobile-to-mobileend-pointsessionmaycrosscutseveralnetwork domains,eachoneof themwith possibledifferentsecuritylevels andnetwork characteristics,andsessionrefreshmay be re-quired frequently. Thus, insteadof freezingall communicationevery time a refreshis triggered,we would like toexecutesessionrefresh(in thebackground)while (appliationlevel) communicationis in progress.For example,Let usconsiderthepopularSSL/TLSprotocol[4] asour secureprotocol.Here,we useRSA to authenticatebothend-points(the original motivation for SSL andstill by far its mostcommonuse).We recall thatRSA usesnonces2, a random

2 It is assumedthatthesenumbersaregeneratedin sucha way thatthey cannotbeguessed

8

numberthat is usedin a singleexecutionof the protocol,andpublic key cryptography. i.e. eachobjectpossessesapublic key which canbeaccessedby all objectsanda secretkey, which is requiredto decryptany messageencryptedwith its publickey. In orderto avoid freezingapplicationlevel communicationwhile thekey refreshis in progress,wemakea distinctionbetweenaconnectionandasession.A connectionrepresentsonespecificcommunicationchannel;while a sessionis avirtual contructrepresentingthenegotiatedalgorithmandthe Mn��)� m)�10 � m-a;�4m � usedto createthesecretkey. Then,we allow multiple connectionsto beassociatedto a givensessionandwe switchconnectionswhenthe new connectionis ready3. As a result,we candivide the executionof the combinedprotocolsin four phasesasfollows(seefigure5):

Sessionsetup: A securecommunicationchannelis createdby authenticatingboth the initiator 2 andtheresponderI andby establishingthekeying material(sharedsecretandparticipants’randomvalues)requiredto generateasecretkey4, which is usedto protectfurtherapplicationtraffic asfollows:

1. 2 createsa noncek32 , addsits addressasanidentifierandencryptsthis informationwith I ’s public key of�54ûI andsendsmessageB76 to I

2. Uponreceiving B76 , I decryptsthemessageusingits privatekey 894 I , createsanew noncekÃI , generatesa new sessionidentifier �)� l andchoosea ciphersuite,which determinestheencryptionalgorithmto beusedandsendsmessageB;: backto 2 , with a concatenationof both nonces,the sessionidentifier �)� l and thechipersuite

a �?|�< m9� encryptedwith 2 ’s publickey �54=23. 2 receives B;: anddecryptsit. In casethecontentsof B;: is theconcatenationof his own nonce( k32 ) plus

anothernonce( kÃI ), 2 generatesa | �4m>0 Mn���)� m9� secretandsendsit with the separatednonce kÃI to Iaspart of messageB@? . 2 usesthe | �-mA0 Mn�Ø�2� m9� secretin orderto generatethe secretkey 8B4 m9¬ usedtoactuallyencrypt/decryptfurther(application)traffic belongingto this session

4. Upon B@? reception,I decryptsit andusesthe | �4m$0 Mi�Ø�)� m9� secretto generatethesecretkey 8B4 m)¬Sessionestablished: Once B@? hasbeenreceived,thesessionis formally establishedandany furthercommunication

sentor receivedis encrypted/decryptedusingthesecretkeySessionrefresh: If oneof theparticipantssuspectseavesdroping,asessionrefreshmayberequested.Refreshreplaces

(partof) thesharedsecretusedto generatethesecretkey. In orderto avoid freezingapplicationlevel communica-tion while thekey refreshis in progress,wemakeadistinctionbetweenaconnectionandasession.A connectionrepresentsonespecificcommunicationchannel;while a sessionis a virtual contructrepresentingthenegotiatedalgorithm and the Mn���)� m9�C0 � m9ac�-m � usedto createthe secretkey. Then,we allow multiple connectionsto beassociatedto a givensessionandwe switchconnectionswhenthenew connectionis ready5:

1. 2 requestsasessionrefreshby sendingamessageBED with thecurrentsessionidentifier �)� l andanew noncek32 asparametersof therefreshrequest.D is encryptedusing 894 m9¬ andit is sentto I

2. Upon receiving BED , I decryptsthe messageandacceptsthe requestby generatinga new nonce kÃI andsendinga messageB;F back to 2 . B;F encapsulatesthe sessionidentifier and the concatenationof bothnoncesandit is encryptedby 8B4 m9¬

3. In casethecontentsof thereceivedanddecryptedB;F aretheconcatenationof 2 ’s nonce( k32 ) plusanothernonce( kÃI ) andthesessionidentifiercorrespondto thecurrentin progress,2 generatesa

d(m ~ 0 | �4m�0 Mn���)� m9�secretandsendsit with theseparatednoncekÃI andsessionidentifier �)� l to I asmessageB@G . Then,2 usesthe

d(m ~ 0 | �4m�0 Mn�Ø�)� m)� secretto generatea new secretkeyd(m ~�8B4 m9¬

4. When I receives B@G anddecryptsit, I usesthed(m ~ 0 | �4mH0 Mn�Ø�)� m)� secretto generatethenew secretkeyd(m ~�8B4 m9¬ andsendsbackan acknowledgementmessageBJI to 2 , with the sessionidentifier �2� l andthe

finishedkeyword, indicatingthatall furthercommunicationis processedusingthenew key5. Upon receiving BJI , 2 uses

d(m ~�894 m9¬ to processpreviously queued(applicationlevel) messagesandthekey refreshis terminated

Sessionteardown: When a securecommunicationis not longer desiredor needed,a teardown sessionrequestisgeneratedby oneof theparticipants,theconnectionis removed

3 Althoughall connectionsin a givensessionsharethesameÄJÅ*¹�·�¾;ÙLK�¹;¾ Ö Ù)¾�· , eachoneof themhasit own encryptionkeys.4 Thekey doesnotnecessarilyneedto bea symmetrickey5 Althoughall connectionsin a givensessionsharethesameÄJÅ*¹�·�¾;ÙLK�¹;¾ Ö Ù)¾�· , eachoneof themhasit own encryptionkeys.

9

Fig.5. Protocolsequencediagram.

Specifyingthe Protocolsin Our Model

Althoughbothprotocolsexecutecorrectlyin isolation,itis necesaryto ensurethatthey donot interactin harmfulwayswhenthey arecombinedandexecutedconcurrently. In orderto achievethis,weusetheextendedRussiandollsmodelto specify the combinedprotocolsas follows: We definethe class 2 {�m9d � asa genericclassandclassesM d ��������� b-�and

zEm ��| b-d(l*m9� asits subclasses,onefor eachpossiblerole of the protocol. 2 {Øm)d � have attributes � m-a 4 m9¬ , �)�,� {Øm ,m-acb M ,acb � d � m9� , � m �-�)� b-d ,

a �?|�< m)� �)����� m , �ON m9¬ , �-� m � m . Thevaluesof � m9a 4 m9¬ and �PN m)¬ aretheprivateandsecretkeys,a �?|�< m9� �)���3� m storesall the information regardingthe algorithm selected;whilem-acb M storesthe information about

the establishedcommunication.�2� l is the sessionidentifier, �)�,� {�m keepstrack of the protocol executionstage,soparticipantsknow whatmessagethey shouldexpect,and

acb � d � m9� is asequencenumber, usedto generatenonces.Thevalueof �-� m � m is a list of incomingmessagesof the form Mn� { representingthe requestto processmessageMn� { .M d �3������� b-� and

z!m ��| b-d(l�m9� have two privateattributes`;b+` M l and 2�ý�� a2m M l respectively.

`;b+` M l storestheidentifiersoftheintended

zEm ��| b-d(l�m9� ; while 2�ý�� acm M l storestheidentifierof the intended� d �3���3��� b-� . As a secondstep,we specifytheexecutionin rewriting rules,onefor eachmessageexchangedbetweenparticipants(seeFigures6-8).Finally, weintegratethemin to the extendedRussiandolls modelas follows (the completesetof rules requiredaredescribedin the AppendixB). Let us assumethatagent2 wishesto communicatewith agent I in a securemanner. When 2sendsmessageMQ6 to I , M=6 is interceptedby its correspondingmessengerBh� {�� � 2!� , who requests(on 2 ’s behalf)asecureconnectionby to its localcommunicationmanagerC!M {�� � 2!� . C!M {�� � 2%� in turnselectsamessagecoordinatorto handletherequestandinteractwith theprotocols(describedabove).Oncebothprotocolshave beenauthenticatedana securesessionhasbeenestablished,M=6 canbeencryptedandsendit securelyto throughthenetwork.

5.2 Reasoningabout SafeComposition

Isolatedprotocol properties,suchas confidentiality, data integrity, authenticationor secrecy of sessionskeys, areworthyof studyandhavebeenexpressedandprovedelsewhere.However, protocolspecificationandreasoningshould

10

Step1 ­u­u¯SRUTc²�¹�·3Å+Ùc·�­Êã�´ÔÀÁ +xÆ-³4´¿µ�·3µtÅ4·3Í2Ù�Ì ¹;¾ Ö�V ¾;ïqÆXW V +�Ò Â Í Â ³4ÏqÆ-ÇqÒ�¹�·3Å4»1¾uÆZY+Ò,¾ Ö Í2Ä Æ-´¿Í2´Ô¾-Ò Ö Í)ã�´¿·3¾;Ù!Æ\[*Ò�¹;¾2¹c¹;µtÍ2´[Æ)´¿Í)´¶¾-ÒÖ µÑ×Øð�¾;Ù-¹�ã�µ�·3¾LÆ9´¿Í)´¶¾-Ò�¹;ô*¾;ïpÆ-´¿Í2´Ô¾-Ò,'2ãؾ;ãؾLÆ-´¿Í2´Ô¾ÉÛܶÝÁ +xÆ-³4´¿µ�·3µtÅ4·3Í2Ù�Ì ¹;¾ Ö�V ¾;ïqÆXW V +�Ò Â Í Â ³4ÏqÆ-ÇqÒ�¹�·3Å4»1¾uÆ�])Ò,¾ Ö Í2Ä Æ-´¿Í2´Ô¾-Ò Ö Í)ã�´¿·3¾;Ù!Æ\[5^_]9Ò�¹;¾2¹c¹;µtÍ2´�Æ)´¿Í)´¶¾-ÒÖ µÑ×Øð�¾;Ù-¹�ã�µ�·3¾LÆ9´¿Í)´¶¾-Ò�¹;ô*¾;ïpÆ-´¿Í2´Ô¾-Ò,'2ãؾ;ãؾLÆ-´¿Í2´Ô¾ÉÛLÒÇ ÷N¸`]9²t¾c´ Ö Ù)ïc×�·�²�²�´¶Í2´ Ö ¾4²a+�Òb[�À�Òc+uÀ�Ò\×�ã ÂdV ¾c￲tÇ%À�À�ÀStep2 ­u­u¯SRUTc²�´¿Í)´ Ö ¾-e Ö ð�Å+´Ø»1¾2ÀÁ ÇàÆ-­u¾2¹3×�Í2´¿Ï+¾cÙ*Ì ¹;¾ ÖdV ¾;ïpÆOW V ÇpÒ,Å1Ú\µ Ö ¾c³4ÏEÆ9´¿Í)´¶¾-Ò�¹�·3Å4»1¾ÊÆZY+Ò,¾ Ö Í2Ä Æ-´¿Í2´Ô¾-Ò Ö Í)ã�´Ø·3¾cÙ�Æ V Ò�¹;¾2¹c¹;µtÍ2´[Æ9´¿Í)´¶¾-ÒÖ µÑ×Øð�¾;Ù-¹�ã�µ�·3¾LÆ9´¿Í)´¶¾-Ò�¹;ô*¾;ïpÆ-´¿Í2´Ô¾-Ò,'2ãؾ;ãؾLÆ+¸f]-²t¾;´ Ö Ù2ïc×�·�²�²agC+ÉÒ,+ÊÀ�Òbh V Ç!ÀwÛܶÝÁ ÇàÆ-­u¾2¹3×�Í2´¿Ï+¾cÙ*Ì ¹;¾ ÖdV ¾;ïpÆOW V ÇpÒ,Å1Ú\µ Ö ¾c³4ÏEÆO+�Ò�¹�·�Å+»1¾ÊÆi]9Ò,¾ Ö Í)Ä Æ9´¿Í)´¶¾-Ò Ö Í2ã�´Ø·�¾;Ù%Æ V ^_]9Ò�¹;¾2¹c¹�µ�Í2´AÆ+¹�µtÏ�ÒÖ µÑ×Øð�¾;Ù-¹�ã�µ�·3¾LÆ Ö µÑ×Øð�¾;Ù2Ò,¹;ô*¾;ïpÆ-´¿Í2´Ô¾-Ò,'2ãؾ;ãؾLÆ-´¿Í2´Ô¾ÉÛLÒ+ ÷ ¸kj+²t¾;´ Ö Ù)ïc×�·�²�²�²agC+�Ò�´¿Í)´ Ö ¾4²tÇqÒ V À�À�Ò,´¶¾;ëlW&µtÏزa+�Ò V À�Ò Ö µÑ×Øð�¾;Ù9À�Ò�×�ã ÂdV ¾c￲a+ÊÀ�À�À�µ�Ó�²tô1¾;ï\huÅ1µtÙ1²�W V ÇpÒmh V Ç!À�Å+´¿Ïز�¹�µtÏ Ü´¶¾;ë&WUµtÏزa+ÉÒ V À�À�ÀStep3 ­u­u¯SRUTc²�´¿Í)´ Ö ¾n+ Ö ô*ÀÁ +xÆ-³4´¿µ�·3µtÅ4·3Í2Ù�Ì ¹;¾ Ö�V ¾;ïqÆXW V +�Ò Â Í Â ³4ÏqÆ-ÇqÒ�¹�·3Å4»1¾uÆ�])Ò,¾ Ö Í2Ä Æ-´¿Í2´Ô¾-Ò Ö Í)ã�´¿·3¾;Ù!Æ\[5^_]9Ò�¹;¾2¹c¹;µtÍ2´�Æ)´¿Í)´¶¾-ÒÖ µÑ×Øð�¾;Ù-¹�ã�µ�·3¾LÆ9´¿Í)´¶¾-Ò�¹;ô*¾;ïpÆ-´¿Í2´Ô¾-Ò,'2ãؾ;ãؾLÆ+¸oj1²t¾;´ Ö Ù2ïc×�·�²�²�²agC+ÉÒ,gÞÇ%À�Ò�¹�µtÏ�Ò Ö µÑ×Øð�¾cÙ9À�Òbh V +ÊÀ�À�ÛܶÝÁ +xÆ-³4´¿µ�·3µtÅ4·3Í2Ù�Ì ¹;¾ Ö�V ¾;ïqÆXW V +�Ò Â Í Â ³4ÏqÆ-ÇqÒ�¹�·3Å4»1¾uÆXj4Ò,¾ Ö Í2Ä Æ4ÇqÒ Ö Í2ã�´Ø·�¾;Ù�Æ\[5^=j4Ò�¹;¾)¹c¹�µtÍ)´AÆ+¹�µtÏ�ÒÖ µÑ×Øð�¾;Ù-¹�ã�µ�·3¾LÆ Ö µÑ×Øð�¾;Ù2Ò,¹;ô*¾;ïpÆXWUô1¾cïØÒm')ãؾ;ãؾLÆ-´¿Í2´¶¾�ÛLÒÇ ÷N¸op1²t¾c´ Ö Ù)ïc×�·�²�²agÞÇpÒ�¹�µ�Ï�Ò?×�Ù9¾BK�ÄJÅ*¹�·�¾;Ù-À�Ò ×�ã ÂdV ¾;ﶲtÇ%À�À�Àµ<Ó�²tô1¾;ïihuÅ+µtÙ1²�W V +ÉÒ,h V +ÊÀ�Å1´¿ÏزagC+ ÜLÜ ´¿Í)´ Ö ¾4²a+ÉÒq[�À�À�Å+´¿Ïز�¹;µtÏ Ü ´¶¾;ëlW&µtÏزa+�Ò V À�À�Å+´¿Ïز�WUô*¾;ï Ü ÄJÅ1ô1¾ V ¾;￲#×�Ù)¾3KÄ^Å*¹�·3¾;Ù)Ò�gC+�ÒcgJÇ!À�À�ÀStep4 ­u­ ¯SRUT ²a+Nã*·�ð�¾;´Ø·3µ Ö Å4·3¾cÏ1ÀÁ ÇàÆ-­u¾2¹3×�Í2´¿Ï+¾cÙ*Ì ¹;¾ ÖdV ¾;ïpÆOW V ÇpÒ,Å1Ú\µ Ö ¾c³4ÏEÆO+�Ò�¹�·�Å+»1¾ÊÆi]9Ò,¾ Ö Í)Ä Æ9´¿Í)´¶¾-Ò Ö Í2ã�´Ø·�¾;Ù%Æ V ^_]9Ò�¹;¾2¹c¹�µ�Í2´AÆ+¹�µtÏ�ÒÖ µÑ×Øð�¾;Ù-¹�ã�µ�·3¾LÆ Ö µÑ×Øð�¾;Ù2Ò,¹;ô*¾;ïpÆ-´¿Í2´Ô¾-Ò,'2ãؾ;ãؾLÆ+¸rp*²t¾;´ Ö Ù2ïc×�·�²�²agÞÇqÒ�¹�µtÏ�Ò�×�Ù)¾9K[Ä^Å�¹�·3¾cÙ9À�Ò,h V Ç%À�ÀwÛܶÝÁ ÇàÆ-­u¾2¹3×�Í2´¿Ï+¾cÙ*Ì ¹;¾ ÖdV ¾;ïpÆOW V ÇpÒ,Å1Ú\µ Ö ¾c³4ÏEÆO+�Ò�¹�·�Å+»1¾ÊÆZj+Ò,¾ Ö Í)Ä ÆO+�Ò Ö Í)ã�´¿·3¾;Ù%Æ V ^sj+Ò�¹;¾2¹2¹�µtÍ2´[Æ4¹;µtÏ�ÒÖ µÑ×Øð�¾;Ù-¹�ã�µ�·3¾LÆ Ö µÑ×Øð�¾;Ù2Ò,¹;ô*¾;ïpÆXWUô1¾cïØÒm')ãؾ;ãؾLÆ-´¿Í2´¶¾�ÛLÒµ<Ó�²tô1¾;ïihuÅ+µtÙ1²�W V ÇqÒ,h V Ç%À�Å+´¿ÏزagÞÇ ÜLÜ ´¶Í2´ Ö ¾4²tÇqÒ V À�À�Å1´¿Ïز�¹�µtÏ Ü ´¶¾;ëlW&µtÏزa+�Ò V À�À�Å+´¿Ïز�WUô*¾;ï Ü Ä^Å1ô*¾ V ¾;￲#×�Ù9¾tKÄ^Å*¹�·3¾;Ù)Ò�gC+�ÒcgJÇ!À�À�À

Fig.6. Sessionsetupandsessionestablichedrules

concernnot only theseintrinsic propertiesbut alsotheir interactionwith otherprotocols(afterall, protocolsarepartof a largersystem)andhow farcantheassumptionsberelaxedwithout compromisingprotocolcorrectness.

e.g. Rekey andrefreshprotocolsblockcommunicationattheapplicationlayerin ordertoensuresafekey generationandexchange.Inthisparticularscenario,safemeansthatnoapplicationlevelmessagesarefloatingin thenetworkwhenthekey is generatedor exchanged,ensuringthatevery messagesendwith theold key will bereceivedanddecryptedbeforekeys areswitched.Allowing messagesto besendandreceive while therefreshprotocolis in progress,requireus to definea synchronizationpoint wherekeys canbeswitched(evenif they aremessagesfloating in thenetwork).This impliesawayto identify andkeeptrackof everymessage,somessagessentbut notreceivedbeforethekeyswereswitchedcanbeproperlyretransmittedusigthenew key. As a resultof removing thesynchronization

Sincemessagesmaybefloatingin thenetwork whentheswitchtookplace,old messagesmayarriveafterthekeyshave beenswitched,andwill bediscardedascorruptmessages(sincethereis no way to decryptthemandthey havebeenretransmittedusingthenew key). Weuseourmodelasa framework for statingandproving thefollowing (safetyandliveness)properties:

1. RefreshIdempotency: Thereis only onesessionrefreshin progressbetweenparticipantsat any point of time.2. No MessageLossdueto SessionRefresh:All (base-level) messagessentwhile thesessionrefreshis in progress

areeventuallydeliveredto theapplication.3. No MessageDuplication:No duplicatedmessageis deliveredto theapplication.

11

Step5 ­u­u¯SRUTc²t­u¾2Ó�Ù)¾)¹;ð�­Ê¾-'9ÀÁ +xÆ-³4´¿µ�·3µtÅ4·3Í2Ù�Ì ¹;¾ Ö�V ¾;ïqÆXW V +�Ò Â Í Â ³4ÏqÆ-ÇqÒ�¹�·3Å4»1¾uÆXj4Ò,¾ Ö Í2Ä Æ4ÇqÒ Ö Í2ã�´Ø·�¾;Ù�ÆZh�Ò�¹;¾2¹2¹�µtÍ2´[Æ4¹;µtÏ�ÒÖ µÑ×Øð�¾;Ù-¹�ã�µ�·3¾LÆ Ö µÑ×Øð�¾;Ù2Ò,¹;ô*¾;ïpÆXWUô1¾cïØÒm')ãؾ;ãؾLÆ-´¿Í2´¶¾�ÛܶÝÁ +xÆ-³4´¿µ�·3µtÅ4·3Í2Ù�Ì ¹;¾ Ö�V ¾;ïqÆXW V +�Ò Â Í Â ³4ÏqÆ-ÇqÒ�¹�·3Å4»1¾uÆZp+Ò,¾ Ö Í2Ä Æ4ÇqÒ Ö Í2ã�´Ø·�¾;Ù�ÆZh=^_])Ò�¹;¾)¹c¹�µtÍ)´AÆ+¹�µtÏ�ÒÖ µÑ×Øð�¾;Ù-¹�ã�µ�·3¾LÆ Ö µÑ×Øð�¾;Ù2Ò,¹;ô*¾;ïpÆXWUô1¾cïØÒm')ãؾ;ãؾLÆ-´¿Í2´¶¾�ÛLÒÇ ÷N¸ru*²t¾c´ Ö Ù)ïc×�·�²�²�´¶Í2´ Ö ¾4²a+�ÒvhÉÀ�Òb+�Ò�¹�µ�Ï1À�ÒbW(ô1¾;ï*À�ÀStep6 ­u­u¯SRUTc²t­u¾2Ó�Ù)¾)¹;ð�+ Ö�Ö ¾,×*·�¾;Ï1ÀÁ ÇàÆ-­u¾2¹3×�Í2´¿Ï+¾cÙ*Ì ¹;¾ ÖdV ¾;ïpÆOW V ÇpÒ,Å1Ú\µ Ö ¾c³4ÏEÆO+�Ò�¹�·�Å+»1¾ÊÆZj+Ò,¾ Ö Í)Ä ÆO+�Ò Ö Í)ã�´¿·3¾;Ù%Æ4üEÒ�¹;¾2¹c¹�µ�Í2´AÆ+¹�µtÏ�ÒÖ µÑ×Øð�¾;Ù-¹�ã�µ�·3¾LÆ Ö µÑ×Øð�¾;Ù2Ò,¹;ô*¾;ïpÆXWUô1¾cïØÒm')ãؾ;ãؾLÆ+¸wu�²t¾;´ Ö Ù2ïc×�·�²agx+�Ò,+ÉÒ�¹�µtÏ1À�ÒcWUô*¾;ï*ÀwÛܶÝÁ ÇàÆ-­u¾2¹3×�Í2´¿Ï+¾cÙ*Ì ¹;¾ ÖdV ¾;ïpÆOW V ÇpÒ,Å1Ú\µ Ö ¾c³4ÏEÆO+�Ò�¹�·�Å+»1¾ÊÆOp1Ò,¾ Ö Í)Ä ÆO+�Ò Ö Í)ã�´¿·3¾;Ù%Æ4üQ^Q]9Ò�¹;¾2¹2¹�µtÍ2´[Æ4¹;µtÏ�ÒÖ µÑ×Øð�¾;Ù-¹�ã�µ�·3¾LÆ Ö µÑ×Øð�¾;Ù2Ò,¹;ô*¾;ïpÆXWUô1¾cïØÒm')ãؾ;ãؾLÆ-´¿Í2´¶¾�ÛLÒ+�÷�¸ky+²t¾c´ Ö Ù)ïc×�·�²�²agC+�Ò�´¿Í2´ Ö ¾4²tÇpÒ�ü%À�Ò,¹;µtÏ1À�ÒcW V ¾;ï*À�Àµ<Ó�²�²a+ ÜLÜ Å1Ú\µ Ö ¾c³4Ï1À�Å+´¿Ïز�¹�µtÏ ÜLÜ »1¾�·,WUµtÏز�Ï+¾ Ö Ù2ïc×�·�²�¸wu*ÒvW V ¾;ï�À�À�À�ÀStep7 ­u­u¯SRUTc²�´¶¾;ë V ¾;ï*ÀÁ +xÆ-³4´¿µ�·3µtÅ4·3Í2Ù�Ì ¹;¾ Ö�V ¾;ïqÆXW V +�Ò Â Í Â ³4ÏqÆ-ÇqÒ�¹�·3Å4»1¾uÆZp+Ò,¾ Ö Í2Ä Æ4ÇqÒ Ö Í2ã�´Ø·�¾;Ù�ÆZh=^_])Ò�¹;¾)¹c¹�µtÍ)´AÆ+¹�µtÏ�ÒÖ µÑ×Øð�¾;Ù-¹�ã�µ�·3¾LÆ Ö µÑ×Øð�¾;Ù2Ò,¹;ô*¾;ïpÆXWUô1¾cïØÒm')ãؾ;ãؾLÆ+¸oy1²t¾;´ Ö Ù2ïc×�·�²�²agx+�Ò,gJÇpÒ�¹�µtÏ1À�ÒcW V ¾;ï�À�ÀWÛܶÝÁ +xÆ-³4´¿µ�·3µtÅ4·3Í2Ù�Ì ¹;¾ Ö�V ¾;ïqÆXW V +�Ò Â Í Â ³4ÏqÆ-ÇqÒ�¹�·3Å4»1¾uÆOu1Ò,¾ Ö Í2Ä Æ4ÇqÒ Ö Í2ã�´Ø·�¾;Ù�ÆZh=^sj4Ò�¹;¾)¹c¹�µtÍ)´AÆ+¹�µtÏ�ÒÖ µÑ×Øð�¾;Ù-¹�ã�µ�·3¾LÆ Ö µÑ×Øð�¾;Ù2Ò,¹;ô*¾;ïpÆ-´¶¾;ëlWUô1¾;ï¿Òm')ã�¾cã�¾ÉÆ9´¶Í2´¶¾�ÛLÒÇ ÷N¸oz1²t¾c´ Ö Ù)ïc×�·�²�²agÞÇpÒ�¹�µ�Ï�Ò3´Ô¾;ëQK^×�Ù)¾9K�ÄJÅ*¹�·�¾;Ù9À�Ò,W V ¾;ï*À�Àµ<Ó�²�²agC+ ÜLÜ ´¿Í2´ Ö ¾4²a+�ÒbhÉÀ�À�Å+´¿Ïز�¹�µtÏ ÜLÜ »1¾�·,WUµtÏز�Ï+¾ Ö Ù2ïc×�·�²�¸oy+ÒvW V ¾;ï�À�À�À�ÀStep8 ­u­ ¯SRUT ²tìuµt´¿µ�¹;ð�¾;Ï1ÀÇ5Æ4­Ê¾)¹3×�Í2´¿Ï+¾;Ù�Ì ¹;¾ Ö�V ¾;ïEÆXW V ÇqÒ,Å*Ú µ Ö ¾;³4ÏEÆZ+�Ò,¹�·�Å4»1¾ÊÆZp1Ò�¾ Ö Í)Ä ÆZ+�Ò Ö Í2ã�´Ø·�¾;Ù%Æ-ü_^Q]9Ò�¹;¾2¹c¹;µtÍ2´[Æ4¹�µ�Ï�ÒÖ µÑ×Øð�¾;Ù-¹�ã�µ�·3¾LÆ Ö µÑ×Øð�¾;Ù2Ò,¹;ô*¾;ïpÆXWUô1¾cïØÒm')ãؾ;ãؾLÆ+¸rz*²t¾;´ Ö Ù2ïc×�·�²�²agJÇpÒ�¹�µtÏ�Ò�´¶¾;ëQK�×�Ù)¾LK[ÄJÅ*¹�·�¾;Ù9À�ÒbW V ¾;ï�À�ÀWÛܶÝÁ ÇàÆ-­u¾2¹3×�Í2´¿Ï+¾cÙ*Ì ¹;¾ ÖdV ¾;ïpÆOW V ÇpÒ,Å1Ú\µ Ö ¾c³4ÏEÆO+�Ò�¹�·�Å+»1¾ÊÆPu*Ò,¾ Ö Í)Ä ÆO+�Ò Ö Í)ã�´¿·3¾;Ù%Æ4üQ^3j+Ò�¹;¾2¹2¹�µtÍ2´[Æ4¹;µtÏ�ÒÖ µÑ×Øð�¾;Ù-¹�ã�µ�·3¾LÆ Ö µÑ×Øð�¾;Ù2Ò,¹;ô*¾;ïpÆ-´¶¾;ëlWUô1¾;ï¿Òm')ã�¾cã�¾ÉÆ9´¶Í2´¶¾�Û+�÷�¸k{+²t¾c´ Ö Ù)ïc×�·�²�²�Ó�µ�´¿µ<¹;ð�¾;Ï�Ò�¹�µtÏ1À�ÒcW V ¾cï*À�Àµ<Ó�²�²agÞÇ ÜLÜ ´¶Í2´ Ö ¾4²tÇqÒ�ü%À�À�Å+´¿Ïز�¹�µtÏ ÜLÜ »1¾�·,WUµtÏز�Ï+¾ Ö Ù2ïc×�·�²�¸rz1ÒmW V ¾;ï*À�À�À�À

Fig.7. Sessionrefreshrules

Step9 ­u­u¯SRUTc²�W&µtÏ-Èʾ;Å+Ù}|EÍ)ë�´¶­u¾('-ÀÁ +xÆ-³4´¿µ�·3µtÅ4·3Í2Ù�Ì ¹;¾ Ö�V ¾;ïqÆXW V +�Ò Â Í Â ³4ÏqÆ-ÇqÒ�¹�·3Å4»1¾uÆ-µ�Ò,¾ Ö Í2Ä Æ-ÇpÒ Ö Í)ã�´¿·3¾;Ù%Æ4­�Ò�¹;¾)¹c¹�µtÍ)´AÆ-¹;µtÏ�ÒÖ µÑ×Øð�¾;Ù-¹�ã�µ�·3¾LÆ Ö µÑ×Øð�¾;Ù2Ò,¹;ô*¾;ïpÆXWUô1¾cïØÒm')ãؾ;ãؾLÆ-´¿Í2´¶¾�ÛLÒܶÝÁ +xÆ-³4´¿µ�·3µtÅ4·3Í2Ù�Ì ¹;¾ Ö�V ¾;ïqÆXW V +�Ò Â Í Â ³4ÏqÆ9´¿Í2´Ô¾-Ò�¹�·3Å4»1¾uÆPY1Ò�¾ Ö Í2Ä Æ-´¿Í2´¶¾4Ò Ö Í2ã�´Ø·�¾;Ù!ÆPY1Ò�¹;¾2¹2¹�µtÍ2´[Æ9´¶Í2´¶¾-ÒÖ µÑ×Øð�¾;Ù-¹�ã�µ�·3¾LÆ9´¿Í)´¶¾-Ò�¹;ô*¾;ïpÆ-´¿Í2´Ô¾-Ò,'2ãؾ;ãؾLÆ-´¿Í2´Ô¾ÉÛLÒÇ ÷N¸y´(²t¾;´ Ö Ù2ï2×*·�²�² Ö Ú Í-¹;¾4²�¹�µ�Ï1À�À�ÒvWUô*¾;ï*À�ÀStep10 ­Ê­ ¯SRUT ²�W&µtÏ-ÈN¾;Å1Ù}|EÍ2ëN´ÔÀÁ ÇàÆ-­u¾2¹3×�Í2´¿Ï+¾cÙ*Ì ¹;¾ ÖdV ¾;ïpÆOW V ÇpÒ,Å1Ú\µ Ö ¾c³4ÏEÆO+�Ò�¹�·�Å+»1¾ÊÆ9µ�Ò,¾ Ö Í2Ä ÆZ+ÉÒ Ö Í2ã�´Ø·�¾;Ù%ÆZWUÒ,¹c¾2¹c¹�µtÍ)´AÆ+¹�µtÏ�ÒÖ µÑ×Øð�¾;Ù-¹�ã�µ�·3¾LÆ Ö µÑ×Øð�¾;Ù2Ò,¹;ô*¾;ïpÆXW V ¾;ïØÒv'2ãؾ;ãؾ�Æ-¸y´(²t¾;´ Ö Ù2ïc×�·�²�² Ö Ú\Í-¹;¾4²�¹�µtÏ1À�À�ÒbWUô*¾;ïpÛܶÝÁ ÇàÆ-­u¾2¹3×�Í2´¿Ï+¾cÙ*Ì ¹;¾ ÖdV ¾;ïpÆOW V ÇpÒ,Å1Ú\µ Ö ¾c³4ÏEÆ9´¿Í)´¶¾-Ò�¹�·3Å4»1¾ÊÆZY+Ò,¾ Ö Í2Ä Æ-´¿Í2´Ô¾-Ò Ö Í)ã�´Ø·3¾cÙ�ÆZY+Ò�¹;¾)¹c¹�µtÍ)´[Æ9´¿Í2´¶¾4ÒÖ µÑ×Øð�¾;Ù-¹�ã�µ�·3¾LÆ9´¿Í)´¶¾-Ò�¹;ô*¾;ïpÆ-´¿Í2´Ô¾-Ò,'2ãؾ;ãؾLÆ-´¿Í2´Ô¾ÉÛ

Fig.8. Sessionteardown rules

12

4. RefreshProgress:For all possiblerefreshprotocolexecutions,eithera successfullsessionrefreshis achievedorthesessionrefreshrequestis denied.

5. RefreshTermination:Everyrefreshprotocolexecutioneventuallyterminates.

6 RelatedWork and Concluding Remarks

Commerciallyavailabledistributedmiddlewareinfrastructureshave incorporatedthe notion of reflectionin ordertoprovide the desiredlevel of configurabilityandopennessin a controlledmanner[5][1][25]. The focusof the workpresentedin this paperis on developingformal semanticsandreasoningfor safecompositionof middlewareservicesand communicationprotocols.The OpenOrbreflective architecture[17] [6] [11] is basedon the RM-ODP objectmodelandinspiredby theAL-1/D reflectiveprogramminglanguagefor distributedapplications[10]. In theOpenOrbarchitectureevery object is representedby multiple modelsallowing behavior to be describedat different levels ofabstractionandfrom differentpointsof view. Similarly, [12] providesa metalevel architectureat the languagelevelto supporta limited fault tolerantsystemmechanisms,in particularreplication.Two reflective architecturesfor actorcomputationhave beenusedasa basisfor definingandreasoningaboutcomposableservicesin dynamicadaptabledistributedsystems:Theonionskin model[15] andthetwo-level actormachine(TLAM) model[23] [22]. Theonionskin modelhasbeenusedto supporthigh level abstractionssuchassynchronizers[30], real time synchronizers[29],actorspaces[8], anddynamicarchitectures[18] [3]; while theTLAM hasbeenusedto reasonaboutsafecompositionof system-level activities, suchasdistributedgarbagecollection[24], migrationandglobalsnapshot[21], andglobalsnapshotin thepresenceof failures[28].

References

[1] AshishSinghai,AamodSaneandRoy Campbel.Reflective ORBs:supportingrobust,time-criticaldistribution. In Proceed-ingsof theEuropeanConferenceon Object-OrientedPrograming, 1997.

[2] BenoitGarbinatoandRachidGuerraoui.Using theStrategy DesignPatternto ComposeReliableDistributedProtocols.InUsenixConferenceon Object-OrientedTechnologiesandSystems, 1997.

[3] DanielSturman.ModularSpecificationof Interactionof InteractionPoliciesin DistributedComputing. PhDthesis,Universityof Illinois at Urbana-Champaing,1996.

[4] Eric Rescorla.SSLandTLS:DesigningandBuildingSecure Systems. Addison-Wesley, 2001.[5] Fabio Costa,GordonBlairandGeoff Coulson. Experimentswith Reflective Middleware. TechnicalReportMPG-98-11,

LancasterUniversity,1998.[6] F.M. Costaand G. Blair. Integrating meta-informationmanagementand reflectionin middleware. In 2nd International

SymposiumonDistributedObjectsandApplications(DOA’00), 2000.[7] Gul Agha. Actors: A modelof ConcurrentComputationin DistributedSystems. MIT Press,1986.[8] Gul Agha andCallsen. Actorspace:An OpenDistributedProgrammingParadigm. In Proceedingsof ACM symposiumon

PrinciplesandPracticeof Parallel Programming, 1993.[9] Gul Agha,IanA Mason,ScottF SmithandCarolynTalcott.A Foundationfor Actor Computation.FunctionalProgramming,

1993.[10] H. Okamura,Y. Ishikawa andM. Tokoro. AL-1/d: A distributedprogrammingsystemwith multimodelreflectionframework

. In ReflectionandMeta-level Architectures, 1992.[11] H.A. Duran-LimonandG. Blair. The importanceof ResourceManagementin EngineeringDsitributedObjects. In 2nd

InternationalWorkshoponEngineeringDistributedObjects, 2000.[12] Jean-CharlesFabreandTanguyPerennou.A MetaobjectArchitecturefor Fault-tolerantDistributedSystems:TheFRIENDS

Approach.In IEEETransactionson Computers, (47):78-95, 1998.[13] JoseMeseguer.ConditionalRewriting Logic asaUnifiedModelof Concurrency. In TheoreticalComputerScience96(1):73-

155, 1992.[14] JoseMeseguerandCarolynTalcott. SemanticModelsfor DistributedObjectReflection.In Stanford University, 2002.[15] JoseMeseguer,CarolynTalcottandDenker G. Rewriting Semanticsof Meta-ObjectsandComposableDistributedServices.

In Proceedingsof the3rd InternationalWorkshoponRewriting Logic andIts Applications, 2000.[16] LeslieLamport.Timeandclocksandtheorderingof eventsin adistributedsystem.Communicationsof theACM, 21(7):558-

565,1978.[17] LynneBlair andGordonBlair. The Impactof Aspect-OrientedProgrammingon Formal Methods. In Proceedingsof the

EuropeanConferenceon Object-OrientedPrograming, 1998.[18] Mark Astley andGul Agha. CustomizationandCompositionof DistributedObjects:MiddlewareAbstractionsfor Policy

Management.In 6th InternationalSymposiumon thefoundationof Software Engineering, 1998.

13

[19] Mark GarlandHayden.TheEnsembleSystem. PhDthesis,CornellUniversity,1998.Departmentof ComputerScience.[20] Matti A. Hiltunen,VijaykumarImmanuelandRichardD. Schlichting.SupportingCustomizedFailureModelsfor Distributed

Software.In DistributedSystemEngineering, (6):103-111, 1999.[21] Nalini VenkatasubramanianandCarolynTalcott. Integrationof ResourceManagementActivities in DistributedSystems.

TechnicalReportTR-Stanford,StanfordUniversity,1999.[22] Nalini Venkatasubramanianand Carolyn Talcott. A SemanticFramework for Modeling and ReasoningaboutReflective

Middleware. In IEEEDistributedSystemsOnline, 2(6), 2001.[23] Nalini Venkatasubramanian,CarolynTalcott andGul Agha. A FormalModel for ReasoningaboutAdaptive QoS-Enabled

Middleware. In FormalMethodsEurope(FME 2001), 2001.[24] Nalini Venkatasubramanian,Gul AghaandCarolynTalcott. ScalableDistributedGarbageCollectionfor Systemsof Active

Objects.In InternationalWorkshopon MemoryManagement, 1992.[25] Nalini Venkatasubramanian,MayurDeshpande,Shivjit Mohapatra,SebastianGutierrez-NolascoandJehanWickramasuriya.

DesignandImplementationof aComposableReflectiveMiddlewareFramework. In InternationalConferenceonDistributedComputerSystems, 2001.

[26] PLincoln, N Marti-Oliet andJMeseguer.Specification,TransformationandProgrammingof ConcurrentSystemsin Rewrit-ing Logic. In Specificationsof Parallel Algorithms, 1994.

[27] RobbertvanRenesse,KennethBirmanandSilvanoMaffeis. Horus:A Flexible GroupCommunicationSystem.Communi-cationof theACM, 39(4):76-83,1996.

[28] SebastianGutierrez-NolascoandNalini Venkatasubramanian.ReachabilitySnapshotsin thePresenceof Failures:An exercisein Protocol-ServiceComposition. In Proceedingsof the DSN2002Workshopon DependableMiddleware-BasedSystems,2002.

[29] ShangpingRen,Nalini Venkatasubramanianand Gul Agha. Formalizing Multimedia QoS Constraintsusing Actors. InProceedingsof SecondInternationalConferenceon FormalMethodsfor OpenObjectBasedDistributedSystems, 1997.

[30] SvendFrolund.CoordinatingDistributedObjects:An Actor-BasedApproach to Synchronization. MIT Press,1996.

A MessageArri val using the RCF:

Let us assumethat the RCF module is active, then every messagemay be processedby a set of communicationprotocolsthat the

a Mi� is not capableto identify or read.As a result,thea Mn� is not ableto extract theinformationit

requiresto determinethe possiblesetof metaactorsthatneedto be notified for a messagearrival. Thus,a messagemayneedto beunwrappedbeforethe

a Mn� cannotify its arrival. In orderto achieve this, we defineaninterface(seefigure9) betweenthe

�4a2eandthe

a Mn� suchthatall incomingmessagesareforwardedto the�4a2e

assoonasthearrivetobeunwrapped(step1) andall unwrappedmessagesarereturnedto the

a Mn� for furtheteventnotificationanddelivery(step2) following thesamemessagearrival rulesdescribedin figure4. We furtherdivide theunwrappingprocessinthreesections:messagehandling,messageprocessingandmessagedelivery.

Step1 ­u­l~ %,� ² Ö Ä^Å�j Ö Ä�»+Ù-ÀÁÃÖ ÄJÅpÆ+ËL¸xËEÌ Å1Ù2Ù2µ�½+¾cü5Æ-Å+ÄÕ¹�»*¹9Ò3¹c¾;´¿Ï+üúÆ+¹�ÄÕ¹�»*¹ÊÛLÒ Ö ÄJÅN÷ Å+Ù)Ù2µt½+¾+²3Ð ÄÞ¹�»ØÒ�Ð ¹�´¶Ï4Ù2Ò�Å+ÄJÅc׿À�ÒÁQ� Æ4ËL¸Î»+Ù9ËEÌ µ�´[Æ9µtÄÞ¹�»ØÒ^Í2ã�·�Æ-Í2ÄÕ¹�»ØÒ Ö ×¿ËÊÍ2´ÔÓÕÆÑÐ Ö ×ع-Ò Ö Í2´ÔÓAÆ Á3� Æ+¸xËLËEÌd�����1ÛLÒ Ás� Æ+ËlhÉËEÌc������ÛLÒ^Ä Ö Í)´ÔÓÞÛܶÝÁÃÖ ÄJÅpÆ+ËL¸xËEÌ Å1Ù2Ù2µ�½+¾cü5Æ-Å+ÄÕ¹�»*¹9Ò3¹c¾;´¿Ï+üúÆ+¹�ÄÕ¹�»*¹ÊÛLÒÁQ� Æ4ËL¸Î»+Ù9ËEÌ µ�´[Æ9µtÄÞ¹�»ØÒ^Í2ã�·�Æ-Í2ÄÕ¹�»ØÒ Ö ×¿ËÊÍ2´ÔÓÕÆÑÐ Ö ×ع-Ò Ö Í2´ÔÓAÆ Á3� Æ+¸xËLËEÌd�����1ÛLÒ Ás� Æ+ËlhÉËEÌc������ÛLÒ^Ä Ö Í)´ÔÓÞÛ� ÷ Å+Ù2Ù)µt½+¾4²3Ð ÄÕ¹�»ØÒ�Ð ¹�´¿Ï4Ù)Ò�Å+ÄJÅc׿ÀStep2 ­u­ ~ %,�+² Ö Ä�»+ÙOj Ö ÄJÅ*ÀÁQ� Æ4ËL¸Î»+Ù9ËEÌ µ�´[Æ9µtÄÞ¹�»ØÒ^Í2ã�·�Æ-Í2ÄÕ¹�»&)u²3Ð ÄÕ¹�»ØÒ�Ð ¹�´¿Ï4Ù)Ò3Å+Ä^Å2×ØÀ�Ò Ö ×¿ËÊÍ2´�ÓÕÆÑÐ Ö ×¿¹9Ò Ö Í)´ÔÓÕÆ Á3� Æ+¸xËLËEÌq�(���1ÛLÒÁ3� Æ4ËlhÉËEÌq�d�(�*ÛLÒ^Ä Ö Í)´ÔÓAÛܶÝÁQ� Æ4ËL¸Î»+Ù9ËEÌ µ�´[Æ9µtÄÞ¹�»ØÒ^Í2ã�·�Æ-Í2ÄÕ¹�»ØÒ Ö ×¿ËÊÍ2´ÔÓÕÆÑÐ Ö ×ع-Ò Ö Í2´ÔÓAÆ Á3� Æ+¸xËLËEÌd�����1ÛLÒ Ás� Æ+ËlhÉËEÌc������ÛLÒ^Ä Ö Í)´ÔÓÞÛLÒÖ ÄJÅ�÷ Å+Ù)Ù2µt½+¾+²3Ð ÄÞ¹�»ØÒ�Ð ¹;´¿Ï4Ù2Ò�Å+ÄJÅc׿À

Fig.9. RCFInterfacerules

Messagehandling: Whenthe communicationmanager, þ , receivesthe forwardedmessage,it queuesinto its � dqueuefor later processing(step1). Thus,we canintegratemessagequeuepriority in a straightforward mannerby

14

queueinga messagein a particularplace.Somequeuedmessagesmay not requireany processing(i.e. they arerawmessages),they mustbeidentifiedandsentto the

a Mn� for messagenotificationanddelivery. Sincethemessageservicelist ( M��9ý ) is alreadyincludedin themessage,thecommunicationmanagercanclassifymessagesasprocessedor rawmessageby inspectingits Mn�9ý . Raw messagesarequeuedinto the

b ��� queuein orderto bereturnedinmmediatelyto thea Mn� (step2). In orderto unwrapa processedmessage,thecommunicationmanagerassignsamessagecoordinator, ,to unwraptheprocessedmessage(step3) andtheassignedmessagecoordinatorqueuestherequestfor laterprocessing(step4). In orderto unwrapthemessage,themessagecoordinatorextractsthe M��9ý from themessageanddeterminesthe correct interactionparametervaluesand the remaininginformation of the communicationprotocolsspecified(step5). Figure10 shows themessagehandlingrulesdescribedabove.

Step1 ­u­ %�°�� ~)²�µ�´�'9ÀÁQ� Æ4ËL¸Î»+Ù9ËEÌ µ�´[Æ9µtÄÞ¹�»ØÒ^Í2ã�·�Æ-Í2ÄÕ¹�»ØÒ Ö ×¿ËÊÍ2´ÔÓÕÆÑÐ Ö ×ع-Ò Ö Í2´ÔÓAÆ Á3� Æ+¸xËLËEÌd�����1ÛLÒ Ás� Æ+ËlhÉËEÌc������ÛLÒ^Ä Ö Í)´ÔÓÞÛLÒ� ÷ Å+Ù2Ù)µt½+¾4²3Ð ÄÕ¹�»ØÒ�Ð ¹�´¿Ï4Ù)Ò�Å+ÄJÅc׿ÀܶÝÁQ� Æ4ËL¸Î»+Ù9ËEÌ µ�´[Æ9µtÄÞ¹�»l)ʲ3Ð ÄÕ¹�»ØÒ�Ð ¹�´¿Ï4Ù)Ò�Å+Ä^Å2×ØÀ�Ò^Í2ã�·�Æ9Í)ÄÞ¹�»ØÒ Ö ×¿ËÊÍ2´�ÓÕÆÑÐ Ö ×¿¹9Ò Ö Í)´ÔÓÕÆ Á3� Æ+¸xËLËEÌq�(���1ÛLÒÁ3� Æ4ËlhÉËEÌq�d�(�*ÛLÒ^Ä Ö Í)´ÔÓAÛStep2 ­u­ %�°�� ~ ²?·3ã�´¿´¶¾cÚ�ÀÁQ� Æ4ËL¸Î»+Ù9ËEÌ µ�´[Æ9µtÄÞ¹�»l)ʲ3Ð ÄÕ¹�»ØÒ�Ð ¹�´¿Ï4Ù)Ò�Å+Ä^Å2×ØÀ�Ò^Í2ã�·�Æ9Í)ÄÞ¹�»ØÒ Ö ×¿ËÊÍ2´�ÓÕÆÑÐ Ö ×¿¹9Ò Ö Í)´ÔÓÕÆ Á3� Æ+¸xËLËEÌq�(���1ÛLÒÁ3� Æ4ËlhÉËEÌq�d�(�*ÛLÒ^Ä Ö Í)´ÔÓAÛܶÝÁQ� Æ4ËL¸Î»+Ù9ËEÌ µ�´[Æ9µtÄÞ¹�»ØÒ^Í2ã�·�Æ-Í2ÄÕ¹�»&)u²3Ð ÄÕ¹�»ØÒ�Ð ¹�´¿Ï4Ù)Ò3Å+Ä^Å2×ØÀ�Ò Ö ×¿ËÊÍ2´�ÓÕÆÑÐ Ö ×¿¹9Ò Ö Í)´ÔÓÕÆ Á3� Æ+¸xËLËEÌq�(���1ÛLÒÁ3� Æ4ËlhÉËEÌq�d�(�*ÛLÒ^Ä Ö Í)´ÔÓAÛµ<Óò²�ÄÕ¹;Ú ÜLÜ ´¶ã�Ú?Ú�ÀStep3 ­u­ %�°�� ~ ² Ö Ä^»+ÙPj2Ä Ö ÀÁQ� Æ4ËL¸Î»+Ù9ËEÌ µ�´[Æ9µtÄÞ¹�»l)ʲ3Ð ÄÕ¹�»ØÒ�Ð ¹�´¿Ï4Ù)Ò�Å+Ä^Å2×ØÀ�Ò^Í2ã�·�Æ9Í)ÄÞ¹�»ØÒ Ö ×¿ËÊÍ2´�ÓÕÆÑÐ Ö ×¿¹9Ò Ö Í)´ÔÓÕÆ Á3� Æ+¸xËLËEÌq�(���1ÛLÒÁ3� Æ4ËlhÉËEÌq�d�(�*ÛLÒ^Ä Ö Í)´ÔÓAÛܶÝÁQ� Æ4ËL¸Î»+Ù9ËEÌ µ�´[Æ9µtÄÞ¹�»ØÒ^Í2ã�·�Æ-Í2ÄÕ¹�»ØÒ Ö ×¿ËÊÍ2´ÔÓÕÆÑÐ Ö ×ع-Ò Ö Í2´ÔÓAÆ Á3� Æ+¸xËLËEÌd�����1ÛLÒ Ás� Æ+ËlhÉËEÌc������ÛLÒ^Ä Ö Í)´ÔÓÞÛÁ�� Æ4¸ºËLËEÌ ÄJÅ+µ�Ú�'!Æ9´¿Í)´¶¾-Ò�×�Ù�Æ-´¿Í)´¶¾-Ò�Ù9¹�·�Æ9´¿Í2´¶¾4Ò,µÑ×ÞÆ9´¶Í2´¶¾-Ò,Í)Ù2ÏqÆ9´¿Í2´Ô¾ÉÛLÒ� ÷ø¾;ñؾ Ö ã*·�¾4²3Ð ÄÕ¹�»ØÒ�Ð ¹�´¿Ï4Ù)Ò�Å+Ä^Å2×ØÀStep4 ­u­u°�%2²�Ä Ö ÄJÅ+µ�Ú�'9ÀÁ�� Æ4¸ºËLËEÌ ÄJÅ+µ�Ú�'!Æ9´¿Í)´¶¾-Ò�×�Ù�Æ-´¿Í)´¶¾-Ò�Ù9¹�·�Æ9´¿Í2´¶¾4Ò,µÑ×ÞÆ9´¶Í2´¶¾-Ò,Í)Ù2ÏqÆ9´¿Í2´Ô¾ÉÛ� ÷ø¾;ñؾ Ö ã*·�¾4²3Ð ÄÕ¹�»ØÒ�Ð ¹�´¿Ï4Ù)Ò�Å+Ä^Å2×ØÀܶÝÁ�� Æ4¸ºËLËEÌ ÄJÅ+µ�Ú�'!Æ-¾;ñؾ Ö ã�·3¾+²3Ð ÄÞ¹�»ØÒ,Ð ¹�´¿Ï4Ù)Ò�Å+ÄJÅc׿À�Ò\×�ÙÉÆ-´¿Í)´¶¾-Ò,Ù9¹�·WÆ-´¿Í2´Ô¾-Ò,µÑ×ÞÆ-´¿Í2´¶¾4Ò3Í)Ù2ÏqÆ-´¿Í)´¶¾ÉÛStep5 ­u­ °�% ²t¾;ñ�·3Ù2Å Ö ·�ÄÕ¹;Ú�ÀÁ�� Æ4¸ºËLËEÌ ÄJÅ+µ�Ú�'!Æ-¾;ñؾ Ö ã�·3¾+²3Ð ÄÞ¹�»ØÒ,Ð ¹�´¿Ï4Ù)Ò�Å+ÄJÅc׿À�Ò\×�ÙÉÆ-´¿Í)´¶¾-Ò,Ù9¹�·WÆ-´¿Í2´Ô¾-Ò,µÑ×ÞÆ-´¿Í2´¶¾4Ò3Í)Ù2ÏqÆ-´¿Í)´¶¾ÉÛܶÝÁ�� Æ4¸ºËLËEÌ ÄJÅ+µ�Ú�'!Æ9´¿Í)´¶¾-Ò�×�Ù�Æ�×�Ù)Ú�¹�·�Ò�Ù-¹�·wÆ9Ù-¹�·3Ú�¹�·�Ò3µÑ×ÞÆ9µ�×�Ú�¹�·�Ò3Í2Ù2Ï�Æ)Í)Ù2Ï+Ú�Û

Fig.10.RCFmessagehandlingrules

Messageprocessing:Oncetheinformationhave beenobtained,themessagecoordinatorproceedsto unwrapthemessageby coordinatingtheexecutionorderof theprotocolsasfollows(seefigure11):Messagecoordinatorrequeststo unwrapmessageto a specificcommunicationprotocol (step6). Note that the communicationprotocol,

�, only

receivesthe messageandafter finish its processing,returnsthe messageto the messagecoordinator, which selectsandrepeatsthe processif needed.That is, messagecoordinatorneedsto keeptrack the stageandprotocolcurrentlyprocessingthemessage.

If the protocol is statefull,it processesthe messageandnotifiesthe messagecoordinatorto expect future infor-mation(step7). Herewe usethespinflag to keepthemessagecoordinatorspinningandthestatefullflag to keepthe

15

protocolstate.Note that we usethe event handlingto notify messagecoordinatorthat it needsto spin, but we donot wait for anacknowledgement.In casetheprotocolis stateless,it processesthemessageandnotifiesthemessagecoordinatorwhenit finishes(step8).

Oncethemessagehasbeenunwrapped,theprotocolreturnsthemessageto themessagecoordinator(step9). Incasethemessageneedsto beprocessedby anotherprotocol,themessagecoordinatorwill repeattheprocess(step6)with thecorrespondingprotocol;otherwise,themessagehasbeencompletelyunwrapped.

Step6 ­u­u°�%2²�Ä Ö j Ö ×¿ÀÁ�� Æ4¸ºËLËEÌ ÄJÅ+µ�Ú�'!Æ9´¿Í)´¶¾-Ò�×�Ù�Æ�×�Ù)Ú�¹�·�Ò�Ù-¹�·wÆ9Ù-¹�·3Ú�¹�·�Ò3µÑ×ÞÆ9µ�×�Ú�¹�·�Ò3Í2Ù2Ï�Æ)Í)Ù2Ï+Ú<Ò�¹�·�Å+»1¾uÆ)´¿Í)´¶¾�ÛLÒÁ3� Æ4ËlhÉËEÌ ¹�´¿ÏZ'!Æ9Í2ÄÕ¹�»ØÒ�Ù Ö ½Z'!Æ9µtÄÞ¹�»pÛLÒ � ÷U×�Ù2Í Ö ¾2¹2¹-² � Ò�Ð ÄÞ¹�»*ÀܶÝÁ3� Æ4ËlhÉËEÌ ¹�´¿ÏZ'!Æ9Í2ÄÕ¹�»ØÒ�Ù Ö ½Z'!Æ9µtÄÞ¹�»l)�×�Ù2Í Ö ¾2¹2¹-² � Ò�Ð ÄÞ¹�»*ÀWÛÁ�� Æ4¸ºËLËEÌ ÄJÅ+µ�Ú�'!Æ9´¿Í)´¶¾-Ò�×�Ù�Æ�×�Ù)Ú�¹�·�Ò�Ù-¹�·wÆ9Ù-¹�·3Ú�¹�·�Ò3µÑ×ÞÆ9µ�×�Ú�¹�·�Ò3Í2Ù2Ï�Æ)Í)Ù2Ï+Ú<Ò�¹�·�Å+»1¾uÆ)Å Ö ·3ã�Å*Ú?¹�·�Å4»1¾LÛµ<Óò²�Å Ö ·3ã�Å1Ú�¹�·�Å+»1¾ ÜLÜ »1¾�·3Í2Ù2Ï+Ú�¹�·3Å4»1¾4²�À�ÀStep7 ­u­ %a� ²�¹�·�Å4·�¾2Ó�ãØÚ?Ú ×�Ù)Í Ö ¾2¹�µt´¿»*ÀÁ3� Æ4ËlhÉËEÌ ¹�´¿ÏZ'!Æ9Í2ÄÕ¹�»ØÒ�Ù Ö ½Z'!Æ9µtÄÞ¹�»l)�×�Ù2Í Ö ¾2¹2¹-² � Ò�Ð ÄÞ¹�»*À�Ò,¹�·3Å4·�¾2Ó�ãØÚ\ÚÔÆ+Ó�Ú\Å*¹;¾-ÒJÄ Ö ¹3×�µt´¿´¿µ�´Ø»�Æ9´¿Í2´¶¾�ÛܶÝÁ3� Æ4ËlhÉËEÌ ¹�´¿ÏZ'!Æ9Í2ÄÕ¹�»ØÒ�Ù Ö ½Z'!Æ9µtÄÞ¹�»*À�Ò�¹�·3Å4·�¾2Ó�ãØÚ?Ú�Æ)·3Ù2ãؾ-Ò3Ä Ö ¹3×�µt´¿´¶µt´Ø»�Æ � ÛLÒ � ÷NÓ�µt´¿µ�¹;ð�² � Ò;Ð ÄÕ¹�»*À´¿Íc·3µ<Ó�￲ � Ò,¹3×�µt´ÔÀStep8 ­u­&%a�1²�¹�·�Å4·�¾cÚ?¾2¹c¹�×�Ù)Í Ö ¾2¹c¹�µ�´Ø»*ÀÁ3� Æ4ËlhÉËEÌ ¹�´¿ÏZ'!Æ9Í2ÄÕ¹�»ØÒ�Ù Ö ½Z'!Æ9µtÄÞ¹�»l)�×�Ù2Í Ö ¾2¹2¹-² � Ò�Ð ÄÞ¹�»*À�Ò,¹�·3Å4·�¾2Ó�ãØÚ\ÚÔÆ+Ó�Ú\Å*¹;¾LÛܶÝÁ3� Æ4ËlhÉËEÌ ¹�´¿ÏZ'!Æ9Í2ÄÕ¹�»ØÒ�Ù Ö ½Z'!Æ9µtÄÞ¹�»*À�Ò�¹�·3Å4·�¾2Ó�ãØÚ?Ú�Æ4Ó�Ú\Å*¹;¾ÉÛLÒ � ÷�Ó�µt´¿µ<¹;ð�² � Ò;Ð ÄÕ¹�»*ÀStep9 ­u­&%a�1² Ö ×�jcÄ Ö ÀÁ�� Æ4¸ºËLËEÌ ÄJÅ+µ�Ú�'!Æ9´¿Í)´¶¾-Ò�×�Ù�Æ�×�Ù)Ú�¹�·�Ò�Ù-¹�·wÆ9Ù-¹�·3Ú�¹�·�Ò3µÑ×ÞÆ9µ�×�Ú�¹�·�Ò3Í2Ù2Ï�Æ)Í)Ù2Ï+Ú�ÛLÒ� ÷�Ó�µt´¿µ<¹cðÔ² � Ò;Ð ÄÕ¹�»*ÀܶÝÁ�� Æ4¸ºËLËEÌ ÄJÅ+µ�Ú�'!Æ4Ó�µt´¶µ<¹;ð�² � Ò�Ð ÄÕ¹�»*À�Ò?×�Ù�Æ�×�Ù)Ú�¹�·�Ò�Ù-¹�·�Æ)Ù9¹�·3Ú�¹�·�Ò�µ�×ÞÆ9µÑ×ØÚ�¹�·�Ò�Í2Ù2ÏpÆ9Í)Ù2Ï+Ú�Û

Fig.11.RCFmessageprocessingrules

Messagedelivery: Beforethemessagecanbereturnedto thea Mn� , themessagecoordinatorchecksif themessage

wasprocessedby at leastonestatefullprotocol(seefigure12) in orerto determineif it needsto wait (spin)for furtherinformation(a tagor acknowledgement)beforeit canprocessanothermessage(step10); otherwiseit canbereuseitby thecommunicationmanager(step11).In bothcases,themessageis returnedto thecommunicationmanager, whichqueuesthemessageinto its

b ��� queue(step12)Oncetheunwrappedmessageis in thecommunicationmanager’sb ���

queue,it canbe forward it to thea Mn� (step2). Oncethemessageis receivedby the

a Mn� , messagenotificationanddelivery follows thesamerulesdescribedfor thecasewhenthe

�4a2emoduleis inactive(step1 to step4).

B CompleteSetof Rules

16

Step10 ­Ê­ °�% ²�¹�×�µ�´¿Ä Ö j Ö Ä^»+Ù9ÀÁ�� Æ4¸ºËLËEÌ ÄJÅ+µ�Ú�'!Æ4Ó�µt´¶µ<¹;ð�² � Ò�Ð ÄÕ¹�»*À�Ò?×�Ù�Æ�×�Ù)Ú�¹�·�Ò�Ù-¹�·�Æ)Ù9¹�·3Ú�¹�·�Ò�µ�×ÞÆ9µÑ×ØÚ�¹�·�Ò�Í2Ù2ÏpÆ9Í)Ù2Ï+Ú<Ò�¹3×�µt´AÆ4Ó�Å1Ú�¹;¾ÉÛܶÝÁ�� Æ4¸ºËLËEÌ ÄJÅ+µ�Ú�'!Æ4Ó�µt´¶µ<¹;ð�² � Ò�Ð ÄÕ¹�»*À�Ò?×�Ù�Æ�×�Ù)Ú�¹�·�Ò�Ù-¹�·�Æ)Ù9¹�·3Ú�¹�·�Ò�µ�×ÞÆ9µÑ×ØÚ�¹�·�Ò�Í2Ù2ÏpÆ9Í)Ù2Ï+Ú<Ò�¹3×�µt´AÆ)·�Ù)ã�¾ÉÛLÒ� ÷U×�Ù2Í Ö ¾2¹c¹c¾;Ïز3Ð ÄÕ¹�»ØÒ�Ð ¹;´¿Ï4Ù2Ò�Å+ÄJÅc׿À

Step11 ­Ê­u°�%2²�Ä Ö j Ö Ä�»+Ù-ÀÁ�� Æ4¸ºËLËEÌ ÄJÅ+µ�Ú�'!Æ4Ó�µt´¶µ<¹;ð�² � Ò�Ð ÄÕ¹�»*À�Ò?×�Ù�Æ�×�Ù)Ú�¹�·�Ò�Ù-¹�·�Æ)Ù9¹�·3Ú�¹�·�Ò�µ�×ÞÆ9µÑ×ØÚ�¹�·�Ò�Í2Ù2ÏpÆ9Í)Ù2Ï+Ú<Ò�¹3×�µt´AÆ4Ó�Å1Ú�¹;¾ÉÛܶÝÁ�� Æ4¸ºËLËEÌ ÄJÅ+µ�Ú�'!Æ9´¿Í)´¶¾-Ò�×�Ù�Æ-´¿Í)´¶¾-Ò�Ù9¹�·�Æ9´¿Í2´¶¾4Ò,µÑ×ÞÆ9´¶Í2´¶¾-Ò,Í)Ù2ÏqÆ9´¿Í2´Ô¾-Ò�¹3×�µt´AÆ+Ó�Å1Ú�¹;¾ÉÛLÒ� ÷U×�Ù2Í Ö ¾2¹c¹c¾;Ïز3Ð ÄÕ¹�»ØÒ�Ð ¹;´¿Ï4Ù2Ò�Å+ÄJÅc׿ÀStep12 ­Ê­ °�Tm� ~-²�Í)ã*·v'9ÀÁQ� Æ4ËL¸Î»+Ù9ËEÌ µ�´[Æ9µtÄÞ¹�»ØÒ^Í2ã�·�Æ-Í2ÄÕ¹�»ØÒ Ö ×¿ËÊÍ2´ÔÓÕÆÑÐ Ö ×ع-Ò Ö Í2´ÔÓAÆ Á3� Æ+¸xËLËEÌd�����1ÛLÒ Ás� Æ+ËlhÉËEÌc������ÛLÒ^Ä Ö Í)´ÔÓÞÛLÒ� ÷U×�Ù2Í Ö ¾2¹c¹c¾;Ïز3Ð ÄÕ¹�»ØÒ�Ð ¹;´¿Ï4Ù2Ò�Å+ÄJÅc׿ÀܶÝÁQ� Æ4ËL¸Î»+Ù9ËEÌ µ�´[Æ9µtÄÞ¹�»ØÒ^Í2ã�·�Æ-Í2ÄÕ¹�»&)u²3Ð ÄÕ¹�»ØÒ�Ð ¹�´¿Ï4Ù)Ò3Å+Ä^Å2×ØÀ�Ò Ö ×¿ËÊÍ2´�ÓÕÆÑÐ Ö ×¿¹9Ò Ö Í)´ÔÓÕÆ Á3� Æ+¸xËLËEÌq�(���1ÛLÒÁ3� Æ4ËlhÉËEÌq�d�(�*ÛLÒ^Ä Ö Í)´ÔÓAÛ

Fig.12.RCFmessagedelivery rules

17

Step1 ­u­u¯SRUT ~ %v�1²v];À����� � %3¯�� ~(� � � � ������ T�� ~�� ����� � Tm� ~c�*� � � � � � �}� � �q� �\� ~b� °�Tm� � R ±(T3¯\°�Tm� ��� � R#°�T�� ���n� R ±(T3¯?°�TmR � R#°�TvR �����  ° �¡n¢�£��� � %3¯�� ~(� � � � ������ T�� ~�� ����� � Tm� ~c�*� � � � � ° � � � � � � � �q� �\� ~b� °�T�� � R ±�T3¯?°�Tm� ��� � °�Tm� ���-� R ±(T3¯\°�TvR � °�TvR �� � �S� � Tm� ~(� ��� ¡ � � ¯ � Tm� ~�� ���S� ± � �-� °�Tm� ��� ¡ �P� � � Tm� ���-� ° � �S� ± � �-� � ¡ � � ¯¥¤O� �n~ % � � ° � ��� ± � �-� � ¡ � � ¯S¦�± ~ � � ¯ � ° � �S� ± � �n� °�TvR ¡ % ~ � ±;¯ �v� TvR � ° � � � � � �S���Step2 ­u­ ¯SRUT ~ %v� ²�j)À�£� Tm� ~�� ����� � Tm� ~q��� � � � � ° � � � � � � � �q� �\� ~c� °�Tm� � R ±(T�¯?°�Tm� ��� � °�Tm� ���-� R ±(T3¯?°�TvR � °�TmR �¡n¢��� T�� ~�� ����� � Tm� ~c�*� � � � � � �}� � �q� �\� ~b� °�Tm� � R ±(T3¯\°�Tm� ��� � � � �}� � R ±(T�¯?°�TvR � � � �P� ���� °�� ~�� ���   � ° � � � � � � °�Tm� ���-� °�TmR �� � ��� °�� ~(� ��� ¡ � � ¯�%�° ���-� ���S�Step3 ­u­u¯SRUT ~ %v�1²ap9À� � °�� ~�� ����� � � � ~c��� � �X� � °�Tm�d§ � ° � � � � � � °�Tm� ���-� °�TvR � � � � ¯ � ��°�Tm� � ¨\© RUT�¯ � TvRUT�¯ � %�� � � � � � ª %a�(T � %m� � � � � °�% � � ����� � � � ��� � %a� � ��«���� � � � ��� °�%�� � � �¡n¢� � °�� ~�� ����� � � � ~c��� � �\� � °�Tm� � � � ¯ � ��°�Tm� � ¨X© RUT3¯ � TvRUT3¯ � %a� � � � � � ª %���T � %�� � � � � °�% � � ����� � � � ��� � %�� � ��«���� � � � ��� °�%m� � � ���°�% �   � T � �n� ° � � � � � � °�Tm� ���-� °�TvR �S�� � �S� � � ¯?°�%,¬ ~ ��° � TvR � �v­ ¯ ~ ±d%3¯ � TvR � T � �n� ° � � � � � � °�Tm� ���-� °�TvR �S��� ¡�¡�®9¯ ¨\¨ � ± � �-� °�% � ¡ T � R � %3¯?°�% � °�%a���b�cR �S�S�Step4 ­u­ ¯SRUT ~ %v� ²ap2Å�À� � °�� ~�� ����� � � � ~c��� � �X� � °�Tm�d§ � ° � � � � � � °�Tm� ���-� °�TvR � � � � ¯ � ��°�Tm� � ¨\© RUT�¯ � TvRUT�¯ � %�� � � � � � ª %a�(T � %m� � � � � °�% � � ����� � � � ��� � %a� � ��«���� � � � ��� °�%�� � � �¡n¢� � °�� ~�� ����� � � � ~c��� � �\� � °�Tm� � � � ¯ � ��°�Tm� � ¨X© RUT3¯ � TvRUT3¯ � %a� � � � � � ª %���T � %�� � � � � °�% � � ����� � � � ��� � %�� � ��«���� � � � ��� °�%m� � � ���°�% �   � T � �n� ° � � � � � � °�Tm� ���-� °�TvR �S�� � � °�% � ¡�¡ � � � ¯?°�%v¬ ~ ��° � TvR � �v­ ¯ ~ ±�%�¯ � TmR � T � �-� ° � � � � � � °�T�� ���n� °�TvR �S�S���S�Step5 ­u­u¯SRUT ~ %v�1²¥u-À� °�% � � � ���*� °w± � R ° � � T � �n� ° � � � � � � °�Tm� ���-� °�TvR ��� � � ~ � � � �P� � ~ T3¯ � � � �P� � � � � � � �}� � � ~,� � � � �P� � T3¯\±�� �q� ©d� T�� � �\� ��±(RUT � �¡n¢� °�% � � � ����� °w± � R ° � � � �}� � � ~ � � ~ RUT�¯ � ~ T3¯ � ~ T�¯SRUT3¯ � � � � � �(RUT3¯ � � ~b� � � ~,� R � T3¯\±�� �q� � � T�� � �X� ��±(RUT � ���%�� � ¦ ¨ ¤ �   �S� �v� % ~c± �;¯ � ° � � � � � ��� � °�Tm� ���n� °�% ��� �� � �S� ¦ ¨ ¤ ¡�¡ �v­ ¯ ~ ±d%3¯ � TvR � T � �n� ° � � � � � � °�Tm� ���-� °�TvR �S� ± � �-� °�% ��� ¡�¡ � � ¯?°�% ���-� °�% � �S�S�S�Step6 ­u­ ¯SRUT ~ %v� ²�y)À� %�� � ¦ ¨ ¤ ��� ��«���� T � � ° � � � �P� � ~ %v²q° � �S� �v� % ~b± ��¯ � ° � � � � � �S� � °�Tm� ���-� °�% � � � ~ �cR �q� � � �}� � T � %,³ � ± � ¤X³ � � % � �(´ � ~ T �}� ¯ �q� � � �P� � T,³ � ± � � � �P� � � %���° � � � �}� � � %���° �� � �P� � %m� � � ¯ � ~ � µ � T � TvT � � �X� � � �}� � T3¯ ±�� �c� ©d� T3¯ ±;¯ � � � RUR � ��±(RUT � �¡n¢� %�� � ¦ ¨ ¤ ��� ��«��*� T � � ° � ° � � ~ %m²q° � � � �P� � ~ �cR �q� ¶c� � ¯ � ±;¯�� ~,� T � %,³ � ± � ¤X³ � � % � �(´ � ~ T �}� ¯ �q� � � �P� � T,³ � ± � � � �P� � � %���° � � � � %m��° � � � �P� � %m� � � ¯ � ~ � µ § � � T � TvT � � �\�� � �P� � T3¯\±�� �q� � � T3¯\±;¯ � � � RUR � ¯ ~c� � ���°�% �   � � � � � � °�T�� ���n� T�� � � °�% �� � �S� � %m��°!·¡ � � ± � �n� � %���°l·¡ � � ± � �-� � � ¡ �v� % ~b± ��¯ �S� � � � % � � � � µO� � ��� � � � ®m³ � ±}� � �S�S� ± � �n� T�� � � °�% ¡ � � ¯S¤+¯ ±;¯ � � � RUR � �S�S�Step7 ­u­ ¯SRUT ~ %v� ²az9À� °�% � � � ���*� °w± � R ° � � � � � � � °�Tm� ���-� T�� � � °�% � � � ~ � � ~ RUT3¯ � ~ T3¯ � ~ T3¯SRUT3¯ � � � � � ��RUT3¯ � � ~,� � � ~b� R � T3¯ ±�� �c� � � T�� � �\� ��±(RUT � �¡n¢� °�% � � � ����� °w± � R ° � � � �}� � � ~ � � ~ RUT�¯ � ~ T3¯ � ~ T�¯SRUT3¯ � � � � � �(RUT3¯ � � ~b� � � ~,� R � T3¯\±�� �q� � � T�� � �X� ¯ ~b� � ���� °�� ~�� ���   � � � � � � °�Tm� ���n� °�TvR � °�% ��� �� � �S� � � ¡ �m� % ~b± ��¯ �S� � � � % � � � � µO� � ��� � � � ®�³ � ±}� � �S�S� ± � �-� T�� � � ¡ � � ¯¥¤}� � � °�% �S� � � � � � °�Tm� ���-� °�TmR � T�� � � °�% �S� ± � �-� T�� � � ¡�¡ ¦£¸ ¯�¹ � ± � �n� °�% ��� ¡�¡� � ¯\°�% ���n� °�% � �S���S�Step8 ­u­u¯SRUT ~ %v�1²�{)À� � °�� ~�� ����� � � � ~c��� � �X� � °�Tm� � � � ¯ � ��°�Tm�d§ � � � � � � °�Tm� ���-� °�TmR � °�% � � � ¨\© RUT�¯ � TvRUT�¯ � %�� � � � � � ª %a�(T � %m� � � � � °�% � � ����� � � � ��� � %a� � ��«���� � � � ��� °�%�� � � �¡n¢� � °�� ~�� ����� � � � ~c��� � �\� � °�Tm� � � � ¯ � ��°�Tm� � ¨X© RUT3¯ � TvRUT3¯ V � %�� � � � � � ª %a�(T � %m� � � � � °�% � � ���*� � � � ��� � %a� � ��«��*� � � � ��� °�%m� � � ���� °�� ~�� � �   � � � � � � °�Tm� ���-� °�TvR �� � �S� TmRUT3¯ V ¡ ± �c�n� TvRUT3¯ � � °�TvR � °�% ��� �S�S� ± � �-��� °�� ~�� � � ¡ � � ¯�%3° ���n� � �S� ± � �-� � � ¡�¡ �m� % ~b± ��¯ �S� � � � % � � � � µO� � ��� � � � ®�³ � ±}� � �S�S�S�

Fig.13.TLS-RCFrules:message1

18

Step9 ­u­u¯SRUT ~ %v�1²aº9À� � °�� ~�� � ��� � � � ~c�*� � �\� � °�Tm��§ � � � � � � °�Tm� ���-� °�TvR � � � � ¯ � ��°�Tm� � ¨\© RUT3¯ � TvRUT3¯ � %�� � � � � � ª %a�(T � %m� � � � � °�% � � ���*� � � � ��� � %a� � ��«��*� � � � ��� °�%m� � � �¡n¢� � °�� ~�� � ��� � � � ~c�*� � �X� � °�Tm� � � � ¯ � ��°�Tm� � ¨\© RUT�¯ � TvRUT�¯ � %�� � � � � � ª %a�(T � %m� � � � � °�% � � ����� � � � ��� � %a� � ��«���� � � � ��� °�%�� � � ���°�% �   ��~ %v² � � � � � � °�Tm� ���n� °�TvR �S�� � �S� � � ¯?°�%,¬ ~ ��° � TvR � �v­ ¯ ~ ±d%3¯ � TvR � � � � � � °�T�� ���n� °�TvR �S� ¡�¡�®9¯ ¨i¨ � ± � �n� °�% � ¡ T � R � %�¯?°�% � °�%��d�b�qR ���S�Step10 ­Ê­ ¯SRUT ~ %,� ²aº)Å*À� � °�� ~�� � ��� � � � ~c�*� � �\� � °�Tm��§ � � � � � � °�Tm� ���-� °�TvR � � � � ¯ � ��°�Tm� � ¨\© RUT3¯ � TvRUT3¯ � %�� � � � � � ª %a�(T � %m� � � � � °�% � � ���*� � � � ��� � %a� � ��«��*� � � � ��� °�%m� � � �¡n¢� � °�� ~�� � ��� � � � ~c�*� � �X� � °�Tm� � � � ¯ � ��°�Tm� � ¨\© RUT�¯ � TvRUT�¯ � %�� � � � � � ª %a�(T � %m� � � � � °�% � � ����� � � � ��� � %a� � ��«���� � � � ��� °�%�� � � ���°�% �   ��~ %v² � � � � � � °�Tm� ���n� °�TvR �S�� � � °�% � ¡�¡ � � � ¯?°�%v¬ ~ ��° � TvR � �v­ ¯ ~ ±�%�¯ � TmR � T � �-� ° � � � � � � °�T�� ���n� °�TvR �S�S���S�Step11 ­Ê­u¯SRUT ~ %,�1²a»-À� °�% � � � ���*� °w± � R ° � ��~ %v² � � � � � � °�T�� ���n� °�TvR �S� � � ~ � � � �P� � ~ T3¯ � � � �}� � � � � � � �P� � � ~,� � � � �}� � T3¯ ±�� �c� ©d� T�� � �\� ��±(RUT � �¡n¢� °�% � � � ����� °w± � R ° � � � �}� � � ~ � � ~ RUT�¯ � ~ T3¯ � ~ T�¯SRUT3¯ � � � � � �(RUT3¯ � � ~b� � � ~,� R � T3¯\±�� �q� � � T�� � �X� ��±(RUT � ���%�� � ¦ ¨ ¤ �   �U� � % ~c± �;¯ � � � � � � � °�Tm� ���n� °�% ��� �� � �S� ¦ ¨ ¤ ¡�¡ �v­ ¯ ~ ±d%3¯?°�TmR ��~ %v² � � � � � � °�Tm� ���-� °�TmR �S�S� ± � �n� °�% ��� ¡�¡ � � ¯\°�% ���n� °�% � �S���Step12 ­Ê­ ¯SRUT ~ %,� ²v](Y-À� %�� � ¦ ¨ ¤ ��� ��«���� T � � ° � � � �P� � ~ %v²q° � �U� � % ~b± ��¯ � � � � � � � °�Tm� ���-� °�% ��� � � ~ �cR �q� � � �P� � T � %,³ � ± � ¤X³ � � % � �-´ � ~ T �n� ¯ �q� � � �P� � Tv³ � ± � � � �P� � � %���° � � � �}� � � %���° �� � �P� � %m� � � ¯ � ~ � ³ � T � TvT � � �\� � � �P� � T�¯\±�� �q� ©d� T�¯\±;¯ � � � RUR � ��±(RUT � �¡n¢� %�� � ¦ ¨ ¤ ��� ��«��*� T � � ° � � � �}� � ~ %v²c° � � � �}� � ~ �cR �q� ¸ � T��d� � � � ~,� T � %v³ � ± � ¤\³ � � % � �(´ � ~ T �}� ¯ �q� % � �-´ � ~,� T,³ � ± � � � �P� � � %m��° � � � � %m��° � � � �P� � %m� � � ¯ � ~ � ³�§ � � T � TvT � � �\�T ���-� T3¯ ±�� �c� � � T3¯ ±;¯ � � � RUR � ¯ ~b� � ���°�% �   � � � � � � °�Tm� ���-� T�� � � °�% �� � �S��¼ � ±(« ± ��~�� ¤X³ � � «�� ®�³ � ±}� � �S�S� ± � �-� � %���°l·¡ ��� ± � �n� � %���°l·¡ ��� ± � �n� �P� � ¤ ���n� � � ³ �S� ± � �n� Ta� � � °�% ¡ � � ¯¥¤4¯\±�¯ � � � RUR � �S� ± � �n� � � ¡�¡�v� % ~c± �;¯ ���S� ® � � � � � % � � � � ³ �S� � �}� � ¤ ���-� � � ³ � � % � �-´ � ~ � � � � ®m³ � ±}� ���S�S�S�Step13 ­Ê­ ¯SRUT ~ %,� ²v]P]cÀ� °�% � � � ���*� °w± � R ° � � � � � � � °�Tm� ���-� T�� � � °�% � � � ~ � � ~ RUT3¯ � ~ T3¯ � ~ T3¯�RUT3¯ � � � � � ��RUT3¯ � � ~,� � � ~,� R � T3¯\±�� �q� � � T�� � �\� ��±(RUT � �¡n¢� °�% � � � ����� °w± � R ° � � � �}� � � ~ � � ~ RUT�¯ � ~ T3¯ � ~ T�¯SRUT3¯ � � � � � �(RUT3¯ � � ~b� � � ~,� R � T3¯\±�� �q� � � T�� � �X� ¯ ~b� � ���� °�� ~�� � �   � � � � � � °�Tm� ���n� °�TvR � °�% ��� �� � �S� � � ¡�¡ �v� % ~b± ��¯ �S�S� ® � � � � � % � � � � ³ �S� � �P� � ¤ ���n� � � ³ � � % � �(´ � ~ � � � � ®�³ � ±}� ���S��� ± � �-� T�� � � ¡ � � ¯S¤P� � � °�% � � � � � � °�Tm� ���n� Ta� � � °�% �S� ± � �n� T�� � � ¡�¡¦£¸ ¯£¹ � ± � �-� °�% ��� ¡�¡ � � ¯?°�% ���-� °�% � �S�S�Step14 ­Ê­ ¯SRUT ~ %,� ²v]-j9À� � °�� ~�� � ��� � � � ~c�*� � �\� � °�Tm� � � � ¯ � ��°�Tm��§ � � � � � � °�Tm� ���-� °�TmR � °�% ��� � � ¨X© RUT3¯ � TmRUT3¯ � %a� � � � � � ª %���T � %m� � � � � °�% � � ����� � � � ��� � %�� � ��«���� � � � ��� °�%�� � � �¡n¢� � °�� ~�� � ��� � � � ~c�*� � �X� � °�Tm� � � � ¯ � ��°�Tm� � ¨\© RUT�¯ � TvRUT�¯ V � %a� � � � � � ª %���T � %�� � � � � °�% � � ����� � � � ��� � %�� � ��«���� � � � ��� °�%m� � � ���� °�� ~�� ���   � � � � � � °�Tm� ���-� °�TvR �� � �S� TmRUT3¯ V ¡ ± �c�n� TvRUT3¯ � � °�TvR � °�% ��� �S�S� ± � �-��� °�� ~�� ��� ¡ � � ¯�%3° ���-� ���S� ± � �n� � � ¡�¡ �v� % ~b± ��¯ �S�S� ® � � � � � % � � � � ³ �S� � �P� � ¤ ���n� � � ³ � � % � �(´ � ~ � � � � ®�³ � ±}� �����S�S�

Fig.14.TLS-RCFrules:message2

19

Step15 ­Ê­ ¯SRUT ~ %,� ²v](p-À� � °�� ~�� ����� � � � ~c��� � �X� � °�Tm�d§ � � � � � � °�T�� ���n� °�TvR � � � � ¯ � ��°�T�� � ¨X© RUT3¯ � TvRUT3¯ V � %�� � � � � � ª %a�(T � %m� � � � � °�% � � ����� � � � ��� � %a� � ��«���� � � � ��� °�%�� � � �¡n¢� � °�� ~�� ����� � � � ~c��� � �\� � °�Tm� � � � ¯ � ��°�Tm� � ¨X© RUT3¯ � TvRUT3¯ V � %�� � � � � � ª %a�(T � %m� � � � � °�% � � ���*� � � � ��� � %a� � ��«��*� � � � ��� °�%m� � � ���°�% �   ��~ %v² � � � � � � °�Tm� ���-� °�TvR �S�� � � °�% � ¡�¡ � � � ¯?°�%v¬ ~ ��° � TvR � �v­ ¯ ~ ±�%�¯ � TmR �S� � � � � � °�Tm� ���-� °�TvR ���S�S�Step16 ­Ê­ ¯SRUT ~ %,� ²v]�u4À� °�% � � � ���*� °w± � R ° � ��~ %v² � � � � � � °�Tm� ���-� °�TvR ��� � � ~ � � ~ RUT3¯ � ~ T3¯ � ~ T3¯�RUT3¯ � � � � � ��RUT3¯ � � ~,� � � ~,� R � T3¯\±�� �q� � � T�� � �\� ¯ ~b� � �¡n¢� °�% � � � ����� °w± � R ° � � � �}� � � ~ � � ~ RUT�¯ � ~ T3¯ � ~ T�¯SRUT3¯ � � � � � �(RUT3¯ � � ~b� � � ~,� R � T3¯\±�� �q� ½ � T�� � �X� ¯ ~b� � ���%�� � ¦ ¨ ¤ �   �S� � � % ~b± �;¯ � � � � ���S� � °�Tm� ���-� °�% ��� �� � �S� ¦ ¨ ¤ ¡�¡ �v­ ¯ ~ ±d%3¯?°�TmR ��~ %v² � � � � � � °�T�� ���n� °�TvR �S�S� ± � �-� °�% ��� ¡�¡ � � ¯?°�% ���-� °�% � �S�S�Step17 ­Ê­u¯SRUT ~ %,�1²v]-y9À� %�� � ¦ ¨ ¤ ��� ��«���� T � � ° � ° � � ~ %v²c° � �S� � � % ~b± �;¯ � � � � ���S� � °�Tm� ���-� °�% ��� � � ~ �cR �q� ¶c� � ¯ � ±;¯�� ~,� T � %,³ � ± � ¤X³ � � % � �(´ � ~ T �}� ¯ �q� � � �P� � T,³ � ± � � � �P� � � %���° � � � � %m��° �� � �P� � %m� � � ¯ � ~ � µ § � � T � TvT � � �\� � � �P� � T�¯\±�� �q� � � T�¯\±;¯ � � � RUR � ¯ ~b� � �¡n¢� %�� � ¦ ¨ ¤ ��� ��«��*� T � � ° � ° � � ~ %m²q° � � � �P� � ~ �cR �q� ¶c� � ¯ � ±;¯�� ~,� T � %,³ � ± � ¤X³ � � % � �(´ � ~ T �}� ¯ �q� % � �-´ � ~,� T,³ � ± � ¤X³ � ±n� � %���° � � � � %m��° � � � %�� � � ¯ � ~ � µ § � � T � TvT � � �X�T ���-� T3¯ ±�� �c� � � T3¯ ±;¯ � � � RUR � ¯ ~b� � ���°�% �   � ��½ � � � °�T�� ���n� T�� � � °�% �� � �S��¼ � ±(« ± ��~�� ¤X³ � � « ³ ���S� ± � �-� ® � ¡�¡ � � � % � � � � µO�S� ± � �n� � %���° ¡�¡ � � ± � �-� T ��� ¡ �P� � ¤ ���n� � � ³ �S� ± � �n� ¤ ¼ � ± ¡ °w± ¼ � ³ � ±}� � ~ �q¾°w±(T3¯ � ~b� ® � � ® � �S� ± � �n� �$½ ¡�¡ �v� % ~b± ��¯ �S� ® � � T ���-� � ~ �q¾ °w±(T3¯ � ~ � � � � ®�³ � ±}� � �S�S� ± � �-� T�� � � °�% ¡ � � ¯¥¤4¯\±;¯ � � � RUR � �S���Step18 ­Ê­u¯SRUT ~ %,�1²v](z-À� °�% � � � ���*� °w± � R ° � � �$½ � � � °�Tm� ���-� T�� � � °�% � � � ~ � � ~ RUT3¯ � ~ T3¯ � ~ T3¯SRUT3¯ � � � � � ��RUT3¯ � � ~,� � � ~b� R � T3¯ ±�� �c� ½ � T�� � �\� ¯ ~c� � �¡n¢� °�% � � � ����� °w± � R ° � � � �}� � � ~ � � ~ RUT�¯ � ~ T3¯ � ~ T�¯SRUT3¯ � � � � � �(RUT3¯ � � ~b� � � ~,� R � T3¯\±�� �q� ¿ � T�� � �X� ¯ ~b� � ���� °�� ~�� ���   � ��½ � � � °�Tm� ���n� °�TvR �� � �S� �$½ ¡�¡ �v� % ~b± ��¯ �S� ® � � T ���-� � ~ �q¾ °w±(T3¯ � ~ � � � � ®�³ � ±}� � �S�S� ± � �-� T�� � � ¡ � � ¯¥¤}� � � °�% ��� ��½ � � � °�Tm� ���n� Ta� � � °�% �S�S�S�Step19 ­Ê­u¯SRUT ~ %,�1²v]-{9À� � °�� ~�� ����� � � � ~c��� � �X� � °�Tm� � � � ¯ � ��°�Tm�d§ � ��½ � � � °�Tm� ���-� °�TmR � � ¨X© RUT3¯ � TmRUT3¯ V � %a� � � � � � ª %���T � %�� � � � � °�% � � ����� � � � ��� � %�� � ��«���� � � � ��� °�%m� � � �¡n¢� � °�� ~�� ����� � � � ~c��� � �\� � °�Tm� � � � ¯ � ��°�Tm� � ¨X© RUT3¯ � TvRUT3¯ V � %�� � � � � � ª %a�(T � %m� � � � � °�% � � ���*� � � � ��� � %a� � ��«��*� � � � ��� °�%m� � � ���� °�� ~�� � �   � �$½ � � � °�Tm� ���-� °�TvR �� � �S��� °�� ~�� � � ¡ � � ¯�%3° ���-� � ��� ± � �-� �$½ ¡�¡ �v� % ~b± �;¯ �S� ® � � T ���n� � ~ �q¾ °w±(T3¯ � ~ � � � � ®�³ � ±}� � �S�S�S�

Fig.15.TLS-RCFrules:message3

20

Step20 ­Ê­ ¯SRUT ~ %,� ²v](º-À� � °�� ~�� � ��� � � � ~c�*� � �\� � °�Tm��§ � �$½ � � � °�Tm� ���-� °�TvR � � � � ¯ � ��°�Tm� � ¨\© RUT3¯ � TvRUT3¯ V � %�� � � � � � ª %a�(T � %m� � � � � °�% � � ����� � � � ��� � %a� � ��«���� � � � ��� °�%�� � � �¡n¢� � °�� ~�� � ��� � � � ~c�*� � �X� � °�Tm� � � � ¯ � ��°�Tm� � ¨\© RUT�¯ � TvRUT�¯ V � %a� � � � � � ª %���T � %�� � � � � °�% � � ����� � � � ��� � %�� � ��«���� � � � ��� °�%m� � � ���°�% �   ��~ %v² � ��½ � � � °�Tm� ���n� °�TvR �S�� � � °�% � ¡�¡ � � � ¯?°�%v¬ ~ ��° � TvR � �v­ ¯ ~ ±�%�¯ � TmR �S� ��½ � � � °�T�� ���n� °�TvR �S�S���Step21 ­Ê­ ¯SRUT ~ %,� ²v](»-À� °�% � � � ���*� °w± � R ° � ��~ %v² � ��½ � � � °�T�� ���n� °�TvR �S� � � ~ � � ~ RUT3¯ � ~ T3¯ � ~ T3¯SRUT3¯ � � � � � ��RUT3¯ � � ~,� � � ~b� R � T3¯ ±�� �c� � � T�� � �\� ¯ ~c� � �¡n¢� °�% � � � ����� °w± � R ° � � � �}� � � ~ � � ~ RUT�¯ � ~ T3¯ � ~ T�¯SRUT3¯ � � � � � �(RUT3¯ � � ~b� � � ~,� R � T3¯\±�� �q� ½ � T�� � �X� ¯ ~b� � ���%�� � ¦ ¨ ¤ �   �S� � � % ~b± �;¯ � ��½ � � �S� � °�Tm� ���-� °�% ��� �� � �S� ¦ ¨ ¤ ¡�¡ �v­ ¯ ~ ±d%3¯?°�TmR �S��~ %v² � ��½ � � � °�Tm� ���n� °�TvR �S�S�S� ± � �-� °�% ��� ¡�¡ � � ¯?°�% ���-� °�% � �S�S�Step22 ­Ê­u¯SRUT ~ %,�1²�j}Y-À� %�� � ¦ ¨ ¤ ��� ��«���� T � � ° � � � �P� � ~ %v²q° � �S�U� � % ~b± ��¯ � �$½ � � ��� � °�Tm� ���n� °�% ��� � � ~ �cR �q� ¸ � T��d� � � � ~b� T � %,³ � ± � ¤X³ � � % � �-´ � ~ T �n� ¯ �q� % � �(´ � ~,� T,³ � ± � � � �}� � � %m��° � � � � %m��° �� � �P� � %m� � � ¯ � ~ � ³�§ � � T � TvT � � �\� T ���-� T3¯\±d� �q� � � T3¯\±�¯ � � � RUR � ¯ ~b� � �¡n¢� %�� � ¦ ¨ ¤ ��� ��«��*� T � � ° � � � �}� � ~ %v²c° � � � �}� � ~ �cR �q� ¸ � T��d� � � � ~,� T � %v³ � ± � ¤\³ � � % � �(´ � ~ T �}� ¯ �q� % � �-´ � ~,� T,³ � ± � ¤X³ � ±}� � %m��° � � � � %m��° � � � %�� � � ¯ � ~ � ³�§ � � T � TvT � � �X�T ���-� T3¯ ±�� �c� � � T3¯ ±;¯ � � � RUR � ¯ ~b� � ���°�% �   � ��¿ � ���� � �S��¼ � ±(« ± ��~�� ¤X³ � � « ³ � �S� ± � �-� ® � ¡�¡ � � � % � � � � ³ �S� ± � �-�U� %m��° ¡�¡ ��� ± � �n� T ��� ¡ �P� � ¤ ���n� � � ³ �S� ± � �n� ¤ ¼ � ± ¡ °W± ¼ � ³ � ±}� � ~ �c¾°w±(T3¯ � ~b� ® � � ® � �S� ± � �n� �$¿ ¡�¡ �v� % ~b± ��¯ � � � � � Tv´ � �n� ¤X³ � ± �S�S�Step23 ­Ê­u¯SRUT ~ %,�1²�jX]cÀ� °�% � � � ���*� °w± � R ° � � �$¿ � ��� � � ~ � � ~ RUT3¯ � ~ T3¯ � ~ T3¯�RUT3¯ � � � � � ��RUT3¯ � � ~,� � � ~,� R � T3¯\±�� �q� ½ � T�� � �\� ¯ ~b� � �¡n¢� °�% � � � ����� °w± � R ° � � � �}� � � ~ � � ~ RUT�¯ � ~ T3¯ � ~ T�¯SRUT3¯ � � � � � �(RUT3¯ � � ~b� � � ~,� R � T3¯\±�� �q� ¿ � T�� � �X� ¯ ~b� � ���� °�� ~�� � �   � �$¿ � � � °�TvR �� � � �$¿ ¡�¡ �v� % ~b± �;¯ � � � � � T,´ � �-� ¤X³ � ± �S�Step24 ­Ê­u¯SRUT ~ %,�1²�jPj9À� � °�� ~�� � ��� � � � ~c�*� � �\� � °�Tm� � � � ¯ � ��°�Tm��§ � �$¿ � � � °�TvR � � ¨\© RUT3¯ � TvRUT3¯ V � %a� � � � � � ª %���T � %m� � � � � °�% � � ����� � � � ��� � %�� � ��«���� � � � ��� °�%�� � � �¡n¢� � °�� ~�� � ��� � � � ~c�*� � �X� � °�Tm� � � � ¯ � ��°�Tm� � ¨\© RUT�¯ � TvRUT�¯ V � %a� � � � � � ª %���T � %�� � � � � °�% � � ����� � � � ��� � %�� � ��«���� � � � ��� °�%m� � � ���� °�� ~�� ���   � ��¿ � � � °�TvR �� � �S��� °�� ~�� ��� ¡ � � ¯�%�° ���n� ���S� ± � �-� ��¿ ¡�¡ �v� % ~c± �;¯ � � � � � T,´ � �-� ¤X³ � ± ���S�

Fig.16.TLS-RCFrules:message4

21

Step25 ­Ê­u¯SRUT ~ %,�1²�j}p-À� � °�� ~�� ����� � � � ~c��� � �X� � °�Tm�d§ � ��¿ � � � °�TmR � � � � ¯ � ��°�Tm� � ¨X© RUT3¯ � TmRUT3¯ V � %�� � � � � � ª %a�(T � %m� � � � � °�% � � ���*� � � � ��� � %a� � ��«��*� � � � ��� °�%m� � � �¡n¢� � °�� ~�� ����� � � � ~c��� � �\� � °�Tm� � � � ¯ � ��°�Tm� � ¨X© RUT3¯ � TvRUT3¯ V � %�� � � � � � ª %a�(T � %m� � � � � °�% � � ���*� � � � ��� � %a� � ��«��*� � � � ��� °�%m� � � ���°�% �   ��~ %v² � ��¿ � � � °�TvR �S�� � � °�% � ¡�¡ � � � ¯?°�%v¬ ~ ��° � TvR � �v­ ¯ ~ ±�%�¯ � TmR �S� � � � � � °�Tm� ���-� °�TvR ���S�S�Step26 ­Ê­ ¯SRUT ~ %,� ²�jnu4À� °�% � � � ���*� °w± � R ° � ��~ %v² � ��¿ � � � °�TvR �S� � � ~ � � ~ RUT3¯ � ~ T3¯ � ~ T3¯SRUT3¯ � � � � � ��RUT3¯ � � ~,� � � ~b� R � T3¯ ±�� �c� ¿ � T�� � �\� ¯ ~c� � �¡n¢� °�% � � � ����� °w± � R ° � � � �}� � � ~ � � ~ RUT�¯ � ~ T3¯ � ~ T�¯SRUT3¯ � � � � � �(RUT3¯ � � ~b� � � ~,� R � T3¯\±�� �q� À � T�� � �X� ¯ ~b� � ���%�� � ¦ ¨ ¤ �   �S� � � % ~b± �;¯ � ��¿ � ���S� � °�% ��� �� � �S� ¦ ¨ ¤ ¡�¡ �v­ ¯ ~ ±d%3¯?°�TmR ��~ %v² � ��¿ � � � °�TmR �S�S� ± � �n� °�% ��� ¡�¡ � � ¯\°�% ���n� °�% � �S���Step27 ­Ê­ ¯SRUT ~ %,� ²�jPy9À� %�� � ¦ ¨ ¤ ��� ��«���� T � � ° � ° � � ~ %v²c° � �S� � � % ~b± �;¯ � ��¿ � ���S� � °�% ��� � � ~ �cR �q� ¶b� � ¯ � ±;¯�� ~,� T � %v³ � ± � ¤\³ � � % � �-´ � ~ T �n� ¯ �q� % � �(´ � ~b� T,³ � ± � ¤X³ � ±}� � %m��° � � � � %m��° � � � %m� � � ¯ � ~ �µ § � � T � TvT � � �\� T ���-� T3¯ ±�� �c� � � T3¯ ±;¯ � � � RUR � ¯ ~b� � �¡n¢� %�� � ¦ ¨ ¤ ��� ��«��*� T � � ° � � � �}� � ~ %v²c° � � � �}� � ~ �cR �q� ¶b� � ¯ � ±;¯�� ~,� T � %v³ � ± � ¤\³ � � % � �-´ � ~ T �n� ¯ �q� % � �(´ � ~b� T,³ � ± � ¤X³ � ±}� � %m��° � � � � %m��° � � � %m� � � ¯ � ~ � µ § ½ � T � TvT � � �\�T ���-� T3¯ ±�� �c� ½ � T3¯ ±;¯ � � � RUR � ¯ ~b� � ���°�% �   � �1À � � � °�T�� ��� �� � �S� �$¿ ¡�¡ �v� % ~b± ��¯ � � � � � Tv´ � �n� ¤X³ � ± �S� ± � �n� �1À ¡�¡ �v� % ~b± ��¯ � ° � � ¤\³ � ± �S�S�Step28 ­Ê­u¯SRUT ~ %,�1²�j}z-À� °�% � � � ���*� °w± � R ° � � ��À � � � °�Tm� ��� � � � ~ � � ~ RUT3¯ � ~ T3¯ � ~ T3¯�RUT3¯ � � � � � ��RUT3¯ � � ~,� � � ~,� R � T3¯\±�� �q� À � T�� � �\� ¯ ~b� � �¡n¢� °�% � � � ����� °w± � R ° � � � �}� � � ~ � � ~ RUT�¯ � ~ T3¯ � ~ T�¯SRUT3¯ � � � � � �(RUT3¯ � � ~b� � � ~,� R � T3¯\±�� �q� Á � T�� � �X� ¯ ~b� � ���� °�� ~�� ���   � �1À � � � °�Tm� ���n� °�TvR �� � � ��À ¡�¡ �v� % ~b± �;¯ � ° � � ¤X³ � ± �S�Step29 ­Ê­ ¯SRUT ~ %,� ²�jP{9À� � °�� ~�� ����� � � � ~c��� � �X� � °�Tm� � � � ¯ � ��°�Tm�d§ � �1À � � � °�Tm� ���-� °�TmR � � ¨X© RUT3¯ � TmRUT3¯ V � %a� � � � � � ª %���T � %�� � � � � °�% � � ����� � � � ��� � %�� � ��«���� � � � ��� °�%m� � � �¡n¢� � °�� ~�� ����� � � � ~c��� � �\� � °�Tm� � � � ¯ � ��°�Tm� � ¨X© RUT3¯ � TvRUT3¯ V � %�� � � � � � ª %a�(T � %m� � � � � °�% � � ���*� � � � ��� � %a� � ��«��*� � � � ��� °�%m� � � ���� °�� ~�� � �   �S� �1À � � � °�Tm� ���-� °�TmR �� � �S��� °�� ~�� � � ¡ � � ¯�%3° ���-� � ��� ± � �-� ��À ¡�¡ �v� % ~b± �;¯ � ° � � ¤X³ � ± �S�S�

Fig.17.TLS-RCFrules:message5

22

Step30 ­Ê­ ¯SRUT ~ %,� ²�j}º-À� � °�� ~�� � ��� � � � ~c�*� � �\� � °�Tm��§ �S� ��À � � � °�Tm� ���-� °�TvR � � � � ¯ � ��°�Tm� � ¨\© RUT�¯ � TvRUT�¯ � %�� � � � � � ª %a�(T � %m� � � � � °�% � � ����� � � � ��� � %a� � ��«���� � � � ��� °�%�� � � �¡n¢� � °�� ~�� � ��� � � � ~c�*� � �X� � °�Tm� � � � ¯ � ��°�Tm� � ¨\© RUT�¯ � TvRUT�¯ � %�� � � � � � ª %a�(T � %m� � � � � °�% � � ����� � � � ��� � %a� � ��«���� � � � ��� °�%�� � � ���°�% �   ��~ %v² � �1À � � � °�Tm� ���n� °�TvR �S�� � � °�% � ¡�¡ � � � ¯?°�%v¬ ~ ��° � TvR � �v­ ¯ ~ ±�%�¯ � TmR � T � �-� ° � � � � � � °�T�� ���n� °�TvR �S�S���S�Step31 ­Ê­u¯SRUT ~ %,�1²�j}»-À� °�% � � � ���*� °w± � R ° � � � �}� � � ~ � � ~ RUT3¯ � ~ T3¯ � ~ T3¯�RUT3¯ � � � � � ��RUT3¯ � � ~,� � � ~,� R � T3¯\±�� �q� ¿ � T�� � �\� ¯ ~b� � �¡n¢� °�% � � � ����� °w± � R ° � � � �}� � � ~ � � ~ RUT�¯ � ~ T3¯ � ~ T�¯SRUT3¯ � � � � � �(RUT3¯ � � ~b� � � ~,� R � T3¯\±�� �q� À � T�� � �X� ¯ ~b� � ���%�� � ¦ ¨ ¤ �   �S� � � % ~b± �;¯ � �1À � � �S� � °�Tm� ���-� °�% ��� �� � �S� ¦ ¨ ¤ ¡�¡ �v­ ¯ ~ ±d%3¯?°�TmR �S��~ %v² � �1À � � � °�Tm� ���n� °�TvR �S�S�S� ± � �-� °�% ��� ¡�¡ � � ¯?°�% ���-� °�% � �S�S�Step32 ­Ê­ ¯SRUT ~ %,� ²apPY-À� %�� � ¦ ¨ ¤ ��� ��«���� T � � ° � � � �P� � ~ %v²q° � � � �P� � ~ �qR �c� ¸ � T��d� � � � ~b� T � %,³ � ± � ¤X³ � � % � �(´ � ~ T �}� ¯ �q� % � �-´ � ~,� T,³ � ± � ¤X³ � ±n� � %���° � � � � %���° � � � %�� � � ¯ � ~ � ³�§ � � T � TmT � � �X�T ���-� T3¯ ±�� �c� � � T3¯ ±;¯ � � � RUR � ¯ ~b� � �¡n¢� %�� � ¦ ¨ ¤ ��� ��«��*� T � � ° � � � �}� � ~ %v²c° � � � �}� � ~ �cR �q� ¸ � T��d� � � � ~,� T � %v³ � ± � ¤\³ � � % � �(´ � ~ T �}� ¯ �q� % � �-´ � ~,� T,³ � ± � ¤X³ � ±}� � %m��° � � � � %m��° � � � %�� � � ¯ � ~ � ³�§ ½ � T � TvT � � �X�T ���-� T3¯ ±�� �c� ½ � T3¯ ±;¯ � � � RUR � ¯ ~b� � ���°�% �   � ° � � � �� � � ° � ¡�¡ � � % ~b± �;¯ � �1À � ¤X³ � ± �S�Step33 ­Ê­ ¯SRUT ~ %,� ²ap\]cÀ� °�% � � � ���*� °w± � R ° � � ° � � � � � � ~ � � ~ RUT3¯ � ~ T3¯ � ~ T3¯SRUT3¯ � � � � � �(RUT�¯ � � ~,� � � ~,� R � T3¯\±d� �q� À � T�� � �X� ¯ ~b� � �¡n¢� °�% � � � ����� °w± � R ° � � � �}� � � ~ � � ~ RUT�¯ � ~ T3¯ � ~ T�¯SRUT3¯ � � � � � �(RUT3¯ � � ~b� � � ~,� R � T3¯\±�� �q� Á � T�� � �X� ¯ ~b� � ���� °�� ~�� � �   � ° � � � �Step34 ­Ê­u¯SRUT ~ %,�1²apOj9À� � °�� ~�� � ��� � � � ~c�*� � �\� � °�Tm� � � � ¯ � ��°�Tm��§ � �$¿ � � � °�TvR � � ¨\© RUT3¯ � TvRUT3¯ V � %a� � � � � � ª %���T � %m� � � � � °�% � � ����� � � � ��� � %�� � ��«���� � � � ��� °�%�� � � �¡n¢� � °�� ~�� � ��� � � � ~c�*� � �X� � °�Tm� � � � ¯ � ��°�Tm� � ¨\© RUT�¯ � TvRUT�¯ V � %a� � � � � � ª %���T � %�� � � � � °�% � � ����� � � � ��� � %�� � ��«���� � � � ��� °�%m� � � ���� Tm� ~�� � �   � ° � � � �� � �S��� °�� ~�� � � ¡�¡ � � ¯�%3° ���n� � �S� ± � �-� � Tm� ~�� � � ¡ � � ¯ � Tm� ~�� � �S�S�Step35 ­Ê­ ¯SRUT ~ %,� ²apPp-À�£� Tm� ~�� � �a� � T�� ~c��� � � � � � �P� � �q� �\� ~b� °�T���§ � ° � � � R ±(T3¯?°�T�� ��� � R#°�Tm� ���-� R ±(T�¯?°�TvR � R#°�TvR ���� � � � %3¯�� ~(� � � � �¡n¢��� T�� ~�� � ��� � Tm� ~c��� � � � � � �P� � �d� �X� ~b� °�Tm� � R ±(T3¯?°�T�� ��� � R#°�Tm� ���-� R ±(T�¯?°�TvR � R#°�TvR ���� � � � %3¯�� ~(� °w± � R ° � ° � � � � � �

Fig.18.TLS-RCFrules

23