[Css-csts] RE: Ambiguities in SLE RAF B-3

John Pietras john.pietras at gst.com
Mon Jan 30 16:20:23 EST 2012


Wolfgang,

Thank you for the clarifications. Regarding the two updates that you have recommended, I agree with first and with respect to the second, I think that the resetting parameters clause should be removed unless there are such parameters  identified elsewhere in the specification(s) (which there appear not to be).

 

Regarding the IF - THEN - ELSE cases, I had not realized until I read your response that every entry in the RAF state table that has IF -THEN clauses also includes an ELSE clause. It is my understanding that the ELSE clause is optional, and only used if there is an action to be taken when the IF condition evaluates false. This is the way it is used throughout the CSTS Specification Framework. The CSTS SF also terminates every IF-THEN-[ELSE] with ENDIF, which I  think is helpful but not strictly necessary unless actions follow the that are not part of the IF ... construct. There is one case in the RAF state tables where the ENDIF would be useful.

 

With this understanding in mind, I looked at the state table again and found a number of items involving [ignore]s that are problematic because they imply (to me, at least) that the incoming event is to be ignored even though some actions are being taken. I also came across two possibly erroneous items (see (b), below).

 

a. Row 2, state 1: I suggest the following restructuring to eliminate the [ignore]: 

          IF "bind pending"

          THEN {return timeout}    -> 1     

             IF "provision period"

             THEN {invoke bind}

             ELSE                  -> 1                  

          ELSE  Not Applicable     -> 1          

 

    (Note that I don't know if the outer IF-THEN-ELSE is even necessary, since the only way for the timer to be in a state to be able to expire is if "bind pending" is true, and the service is already in state 1.)

 

b. Row 2, states 2 and 3: The only operation that the provider can invoke is the BIND, and therefore the only time that the service instance can be waiting for a return is in state 1. That is, the return timer can't be running and expire when in states 2 or 3. So a peer abort for this reason (return timeout) will never occur in these states, and in fact the provider will never peer-abort an association for return timeout. These are cases where "not applicable" is the appropriate "action" because it can't happen.

 

e. Row 4, state 1: This one is tricky, because the test for compatibility is stated after the transition to state 2. The cleanest way to handle this would be to introduce ENDIF, in which case I suggest the following restructuring to eliminate the first [ignore]:

          IF "bind pending"

          THEN set "bind pending" FALSE -> 2     

               stop return <n> timer

               IF NOT "compatible"

               THEN {invoke unbind}

               ENDIF

          ELSE [ignore]            -> 1  

 

   If you don't want to introduce ENDIF in to the SLE specs, I think the following is legitimate (if perhaps awkward):

          IF "bind pending"

          THEN set "bind pending" FALSE -> 2     

               stop return <n> timer

               IF NOT "compatible"

               THEN {invoke unbind}

               ELSE                -> 2    ** this really means " if it is compatible, go to or stay in state 2"                  

          ELSE [ignore]            -> 1               

 

f. Row 7, state 2: I suggest the one of the two following restructurings to eliminate the first [ignore]. First, using ENDIF:

          IF "unbind pending"

          THEN {provider unbind} -> 1    

               IF "done"

               THEN release resources

               ENDIF

          ELSE {peer abort 'protocol error'} -> 1

 

   Or using an ELSE to put/keep it in state 1:

          IF "unbind pending"

          THEN {provider unbind} -> 1    

               IF "done"

               THEN release resources

               ELSE              -> 1

          ELSE {peer abort 'protocol error'} -> 1

 

f. Row 8, state 2: Delete the final line: "ELSE [ignore]". It's not necessary because the IF-THEN nestings are unambiguous without it. 

 

 

Best regards,

John

 

-----Original Message-----
From: Wolfgang.Hell at esa.int [mailto:Wolfgang.Hell at esa.int] 
Sent: Monday, January 30, 2012 11:49 AM
To: John Pietras
Cc: css-csts at mailman.ccsds.org; css-csts-bounces at mailman.ccsds.org; Martin Götzelmann
Subject: Re: [Css-csts] RE: Ambiguities in SLE RAF B-3

 

John and Martin,

 

Thank you for the close look that you have taken at these issues. It is

really amazing that after such long time being in actual use, such issues

still surface.

 

What I'm stating in what follows is my recollection of the related

discussions in the WG. However, since these have happened such long time ago,

chances are that what I believe to remember is not correct and of course I'm

open to any updates that remove actual or perceived ambiguities.

 

The reason why paragraph 3.1.9.2.12 addresses the abort case only is that for

an orderly closure of the SLE session the extracting of frames and

notifications from the online frame buffer stops due to the RAF-STOP

invocation and not due to the RAF-UNBIND invocation. As such the requirement

stipulated in 3.1.9.2.12 in fact only applies to the case that the

association is aborted as in the other case the data flow was already stopped

before the association is released by the RAF-UNBIND. From a provider

perspective the issue of 'incompleteness' applies only when the association

gets aborted because in that case the transfer buffer content gets lost. I

agree that the NOTE in 3.1.9.2.12 should for the reason addressed above not

address the case of a released association. This was probably intended to

cover the case of a not very smart user implementation that stops processing

frames as soon as the RAF-STOP has been invoked. We do not really prescribe

the user side state machine.

 

The unbind-reason 'end' was intended to allow a friendly user that signal to

the provider that everything has been accomplished and the resources are no

longer needed. Speaking of the ESA implementation, I confirm that we remove

the service instance and free all resources that it took to implement it

including the online frame buffer. In real life this resulted in all users

being 'unfriendly' and all implementations (except for initial configuration

errors) use 'suspend'. Therefore we don't have problem with 'permanent' SIs

in offline delivery mode. But please note that a conforming implementation is

free to keep the SI alive. This is an implementation choice to be made on the

provider side.

 

The UNBIND invocation in case of 'suspend' is not ignored. The compound

action {user unbind} is performed, but no further actions are taken. John,

how would you suggest to express that in the given IF THEN ELSE nesting? This

may not be the best way to express it, but I would not regards this to be an

error.

 

Looking at what is supposed to happen in case of STOP plus UNBIND and

PEER-ABORT, I think that the actions to be performed are correctly specified

with one exception. That is the discussion of resetting the parameters to

those specified in the service package. I can't think of any such parameter

and therefore (although due the absence of such parameters this error has no

effect) this should be removed - or if people feel more comfortable just in

case something might be in a service package as specified tomorrow, then it

has to be made consistent regardless which party initiates the PEER-ABORT.

 

In summary, it appears to me that two updates are advisable:

 

- In the NOTE in 3.1.9.2.12 the reference to a released association should be

removed.

- Either any reference to resetting parameter values to those defined in the

service package should be removed or made consistent. I would prefer the

former.

 

Best regards,

 

Wolfgang

 

 

                                                                                                                                              

  From:       "John Pietras" <john.pietras at gst.com>                                                                                           

                                                                                                                                              

  To:         Martin Götzelmann <martin.goetzelmann at vega.de>, "Wolfgang Hell " <Wolfgang.Hell at esa.int>                                        

                                                                                                                                              

  Cc:         css-csts at mailman.ccsds.org                                                                                                      

                                                                                                                                              

  Date:       30/01/2012 15:37                                                                                                                

                                                                                                                                              

  Subject:    [Css-csts] RE: Ambiguities in SLE RAF B-3                                                                                       

                                                                                                                                              

  Sent by:    css-csts-bounces at mailman.ccsds.org                                                                                              

                                                                                                                                              

 

 

 

 

 

Martin,

Thank you. Going through the nominal path of STOPping first before UNBINDing

provides the “stop release timer” and “reinitialize transfer buffer” actions

comparable to those performed in response to (rafPeerAbortInvocation). That

leaves the “reset parameter values to those specified in the service package”

action, which is performed  in response to (rafPeerAbortInvocation) but not

for (rafUnbindInvocation) or when a peer-abortable error is detected by the

provider. Besides not being able to think off the top of my head of

parameters might be initially specified in the service package but then

changed by the execution of the service instance (such that they would have

to be reset on abort), I’m curious if there is a reason why they would be

reset in response to a user-generated PEER-ABORT invocation but not reset

when the provider itself peer-aborts, or if this is just an omission in the

specification.

 

Best regards,

John

 

From: Martin Götzelmann [mailto:martin.goetzelmann at vega.de]

Sent: Sunday, January 29, 2012 4:56 PM

To: John Pietras; Wolfgang Hell

Cc: css-csts at mailman.ccsds.org

Subject: RE: Ambiguities in SLE RAF B-3

 

Dear John,

 

As I was just looking into the B3 Books because of other issues, I have

cross-checked the state table.  I think the difference between PEER-ABORT and

UNBIND is that UNBIND is not accepted in the state 'active' and the user must

invoke STOP first. Row 10 in the RAF book specifies the behaviour for the

online complete and offline modes when STOP is invoked and it does  say that

any pending transfer buffer shall be transmitted before the STOP return. Of

course, if a BIND is issued in the state 'active' the the provider will abort

the connection because of a protocol error and the data will be lost, but I

beleive that is not the case you wanteded to address.

 

The other points you raised might still be valid - I also do not understand

why the note following 3.1.9.2.12 refers to "release or abort".

 

Kind Regards, Martin

 

 

 

From: css-csts-bounces at mailman.ccsds.org [css-csts-bounces at mailman.ccsds.org]

on behalf of John Pietras [john.pietras at gst.com]

Sent: 27 January 2012 22:44

To: Wolfgang Hell

Cc: css-csts at mailman.ccsds.org

Subject: [Css-csts] Ambiguities in SLE RAF B-3

Wolfgang,

I started to trace through the requirements for handling the online frame

buffer in RAF-B-3, and ended up stumbling across some ambiguities and in at

least one case what I believe to be an error. (I believe that these comments

also hold for RCF and ROCF.)

 

      1.       Paragraph 3.1.9.2.12 states “In the complete online delivery

      mode, the transfer buffer shall be cleared and removal of frames and

      synchronous notifications from the online frame buffer shall stop

      whenever the association is aborted. ” Should this not also be the case

      when the association is released via the UNBIND? The NOTE that follows

      states “The requirement 3.1.9.2.12 implies that a truly complete

      delivery can only be achieved within a given association. Recovery from

      data loss caused by an association termination (release or abort) can

      only be accomplished by using the offline delivery mode.” This note

      implies that 3.1.9.2.12 also applies to UNBIND as well as abort.

 

      I looked at the state table to see if it could help my understanding.

         a)      In response to (rafUnbindInvocation) while in state 2, for a

         was user-initiated association:

            1)      The provider performs {user unbind} (stop reporting cycle

            timer, stop all return timers, issue (rafUnbindReturn) and

            transitions to state 1;

            2)      if the UNBIND invocation has ‘end’ for the unbind-reason,

            the provider releases resources. “Release resources” is used in

            section 3.3.2.4.2 but not defined. I assume that it includes

            clearing the online frame buffer.  If this is so, it might be

            helpful to state so in section 3.3.2.4.2 . See more comments

            below in item 2 related to the ‘end’ unbind-reason.

            3)      Curiously,  according to the state table, if the UNBIND

            invocation does not have ‘end’ for the unbind-reason, the

            provider is supposed to “[ignore]”. What is to be ignored? The

            UNBIND invocation can’t be said to be ignored if the provider has

            acted on it (stopped timers, issued an UNBIND return). This

            appears to be an error.

         b)      In response to (rafPeerAbortInvocation), the provider

         performs {clean up} (stop release timer, stop all return timers,

         stop reporting-cycle timer, reinitialize transfer buffer, and reset

         parameter values to those specified in the service package). {clean

         up} contains three more actions (stop release timer, reinitialize

         transfer buffer , and reset parameter values to those specified in

         the service package) than in the {user unbind} occurs in response to

         an UNBIND invocation. Is this correct?

         c)       Triggered by various error conditions encountered by the

         performer, the performer performs {peer-abort ‘xxxx’} (stop release

         timer, stop all return timers, stop reporting-cycle timer,

         reinitialize transfer buffer, and send (rafPeerAbortInvocation) with

         diagnostic set to ‘xxxx’). However, it doesn’t reset parameter

         values to those specified in the service package, as required in

         response to a PERR-ABORT invocation. Is this correct?

 

      2.       In section 3.3.2.4.2 (a) ‘end’ value for the unbind-reason

      parameter states “If unbind-reason is ‘end’, any subsequent attempt to

      invoke RAF-BIND will fail even if the service instance provision period

      has not expired, since the service provider may release the resources

      allocated to that service instance.”

         a)      As a NOTE, this is informative. However, I can’t find any

         normative text that supports it. In particular, I would expect the

         BIND negative result return to have a diagnostic something like

         ‘service instance ended’. The presence of the diagnostic would also

         add that conditions to the ones that would force the

         (-rafBindReturn) that would keep the service instance in the

         unbound. Is the inhibition of subsequent BINDs actually implemented

         in the API and/or operational implementations.

         b)      If the intention of the ‘end’ value does indeed include that

         subsequent BIND invocations are forbidden, this seems like a

         potentially dangerous value for service instances in the offline

         delivery mode, especially those that are set up to be basically

         “unscheduled”. Given that the user on an offline service instance

         has to provide the data start and end times in the START, can STOP

         the transfer any time, and can UNBIND with ‘suspend’, the ‘end’

         seems unnecessary for offline. This is just an observation – I’m not

         making a recommendation.

 

Best regards,

John _______________________________________________

Css-csts mailing list

Css-csts at mailman.ccsds.org

http://mailman.ccsds.org/cgi-bin/mailman/listinfo/css-csts

 

 

This message and any attachments are intended for the use of the addressee or addressees only. The unauthorised disclosure, use, dissemination or copying (either in whole or in part) of its content is not permitted. If you received this message in error, please notify the sender and delete it from your system. Emails can be altered and their integrity cannot be guaranteed by the sender.

 

Please consider the environment before printing this email.

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ccsds.org/pipermail/css-csts/attachments/20120130/21f62786/attachment-0001.html


More information about the Css-csts mailing list