A Process Algebra for Link Layer Protocols

. We propose a process algebra for link layer protocols, featuring a unique mechanism for modelling frame collisions. We also formalise suitable liveness properties for link layer protocols speciﬁed in this framework. To show applicability we model and analyse two versions of the Carrier-Sense Multiple Access with Collision Avoidance (CSMA/CA) protocol. Our analysis conﬁrms the hidden station problem for the version without virtual carrier sensing. However, we show that the version with virtual carrier sensing not only overcomes this problem, but also the exposed station problem with probability 1. Yet the protocol cannot guarantee packet delivery, not even with probability 1.


Introduction
The (data) link layer is the 2nd layer of the ISO/OSI model of computer networking [18]. Amongst others, it is responsible for the transfer of data between adjacent nodes in Wide Area Networks (WANs) and Local Area Networks (LANs).
Examples of link layer protocols are Ethernet for LANs [16], the Point-to-Point Protocol [24] and the High-Level Data Link Control protocol (e.g. [14]). Part of this layer are also multiple access protocols such as the Carrier-Sense Multiple Access with Collision Detection (CSMA/CD) protocol for re-transmission in Ethernet bus networks and hub networks, or the Carrier-Sense Multiple Access with Collision Avoidance (CSMA/CA) protocol [19,17] in wireless networks.
One of the unique characteristics of the link layer is that when devices attempt to use a medium simultaneously, collisions of messages occur. So, any modelling language and formal analysis of layer-2 protocols has to support such collisions. Moreover, some protocols are of probabilistic nature: CSMA/CA for example chooses time slots probabilistically with discrete uniform distribution.
As we are not aware of any formal framework with primitives for modelling data collisions, this paper introduces a process algebra for modelling and analysing link layer protocols. In Section 2 we present an algebra featuring a unique mechanism for modelling collisions, 'hard-wired' in the semantics. It is the nonprobabilistic fragment of the Algebra for Link Layer protocols (ALL), which we introduce in Section 3. In Section 4 we formulate packet delivery, a liveness property that ideally ought to hold for link layer protocols, either outright, or with a high probability. In Section 5 we use this framework to formally model and analyse the CSMA/CA protocol.
Our analysis confirms the hidden station problem for the version of CSMA/ CA without virtual carrier sensing (Section 5.2). However, we also show that the version with virtual carrier sensing overcomes not only this problem, but also the exposed station problem with probability 1. Yet the protocol cannot guarantee packet delivery, not even with probability 1.

A Non-Probabilistic Subalgebra
In this section we propose a timed process algebra that can model the collision of link layer messages, called frames. 1 It can be used for link layer protocols that do not feature probabilistic choice, and is inspired by the (Timed) Algebra for Wireless Networks ((T-)AWN) [12,13,2], a process algebra suitable for modelling and analysing protocols on layers 3 (network) and 4 (transport) of the OSI model.
The process algebra models a (wired or wireless) network as an encapsulated parallel composition of network nodes. Due to the nature of the protocols under consideration, on each node exactly one sequential process is running. The algebra features a discrete model of time, where each sequential process maintains a local variable now holding its local clock value-an integer. We employ only one clock for each sequential process. All sequential processes in a network synchronise in taking time steps, and at each time step all local clocks advance by one unit. Since this means that all clocks are in sync and do not run at different speeds it is clear that we do not consider the problem of clock shift. For the rest, the variable now behaves like any other variable maintained by a process: its value can be read when evaluating guards, thereby making progress time-dependant, and any value can be assigned to it, thereby resetting the local clock. Network nodes communicate with their direct neighbours-those nodes that are in transmission range. The algebra provides a mobility option that allows nodes to move in or out of transmission range. The encapsulation of the entire network inhibits communications between network nodes and the outside world, with the exception of the receipt and delivery of data packets from or to clients (the higher OSI layers).

A Language for Sequential Processes
The internal state of a process is determined, in part, by the values of certain data variables that are maintained by that process. To this end, we assume a data structure with several types, variables ranging over these types, operators and predicates. Predicate logic yields terms (or data expressions) and formulas to denote data values and statements about them. Our data structure always contains the types TIME, DATA, MSG, CHUNK, ID and P(ID) of discrete time values, which we take to be integers, network layer data, messages, chunks of messages that take one time unit to transmit, node identifiers and sets of node identifiers. We further assume that there are variables now of type TIME and rfr of type CHUNK. In addition, we assume a set of process names. Each process name X comes with a defining equation X(var 1 , . . . , var n ) def = P , in which n ∈ IN, var i are variables and P is a sequential process expression defined by the grammar below. It may contain the variables var i as well as X. However, all occurrences of data variables in P have to be bound. 2 The choice of the underlying data structure and the process names with their defining equations can be tailored to any particular application of our language.
The sequential process expressions are given by the following grammar: Here X is a process name, exp i a data expression of the same type as var i , ϕ a data formula, var := exp an assignment of a data expression exp to a variable var of the same type, ms a data expression of type MSG, and data, dest data variables of types DATA, ID respectively. Given a valuation of the data variables by concrete data values, the sequential process [ϕ]P acts as P if ϕ evaluates to true, and deadlocks if ϕ evaluates to false. In case ϕ contains free variables that are not yet interpreted as data values, values are assigned to these variables in any way that satisfies ϕ, if possible. The process [[var := exp]]P acts as P , but under an updated valuation of the data variable var. The process P + Q may act either as P or as Q, depending on which of the two processes is able to act at all. In a context where both are able to act, it is not specified how the choice is made. The process α.P first performs the action α and subsequently acts as P . The above behaviour is identical to AWN, and many other standard process algebras. The action transmit(ms) transmits (the data value bound to the expression) ms to all other network nodes within transmission range. The action newpkt(data, dest) models the injection by the network layer of a data packet data to be transmitted to a destination dest. Technically, data and dest are variables that will be bound to the obtained values upon receipt of a newpkt. Data is delivered to the network layer by deliver(data). In contrast to AWN, we do not have a primitive for receiving messages from neighbouring nodes, because our processes are always listening to neighbouring nodes, in parallel with anything else they do.
As in AWN, the internal state of a sequential process described by an expression P is determined by P , together with a valuation ξ associating values ξ(var) to variables var maintained by this process. Valuations naturally extend to ξ-closed expressions-those in which all variables are either bound or in the domain of ξ. We denote the valuation that assigns the value v to the variable var, and agrees with ξ on all other variables, by ξ[var := v]. The valuation ξ |S agrees with ξ on all variables var ∈ S and is undefined otherwise. Moreover we use ξ[var ++] as an abbreviation for ξ[var := ξ(var) + 1], for suitable types.
To capture the durational nature of transmitting a message between network nodes, we model a message as a sequence of chunks, each of which takes one time unit to transmit. The function dur : MSG → TIME >0 calculates the amount of time steps needed for a sending a message, i.e. it calculates the number of chunks. We employ the internal data type CHUNK := {m:c | m ∈ MSG, 1 ≤ c ≤ dur(m)} ∪ {conflict, idle}. The chunk m:c indicates the c th fragment of a message m. Data conflicts-junk transmitted via the medium-is modelled by the special chunk conflict, and the absence of an incoming chunk is modelled by idle.
Our process algebra maintains a variable rfr of type CHUNK, storing the fragment of the current message received so far. The structural operational semantics of Table 1 describes how one internal state can evolve into another by performing an action. The set Act of actions consists of transmit(m:c, ch), wait(ch), newpkt(d, dest), deliver(d), and internal actions τ, for each choice of m ∈ MSG, c ∈{1, . . . , dur(m)}, ch ∈ CHUNK, d ∈ DATA and dest ∈ ID, where the first two actions are time consuming. On every time-consuming action, each process receives a chunk ch and updates the variable rfr accordingly; moreover, the variable now is incremented on all process expressions in a (complete) network synchronously.
Besides the special variables now and rfr, the formal semantics employs an internal variable cntr ∈ IN that enumerates the chunks of split messages and is used to identify which chunk needs to be sent next. The variables now, rfr and cntr are not meant to be changed by ALL specifications, e.g. by using assignments. We call them read-only and collect them in the set RO = {now, rfr, cntr}.
Let us have a closer look at the rules of Table 1. The first two rules describe the sending of a message ms. Remember that dur(ms) calculates the time needed to send ms. The counter cntr keeps track of the time passed already. The action transmit(m:c, ch) occurs when the node transmits the fragment m:c; simultaneously, it receives the fragment ch.  , P Table 1. Structural operational semantics for sequential process expressions counter cntr is 0 before a message is sent, and is incremented before the transmission of each chunk. So, each chunk sent has the form ξ(ms):ξ(cntr)+1. To ease readability we abbreviate ξ(cntr)+1 by c+. In case the (already incremented) counter c+ is strictly smaller than the number of chunks needed to send ξ(ms), another transmit-action is needed (Rule 1); if the last fragment has been sent (c+ = dur(ξ(ms))) the process can continue to act as P (Rule 2). The actions newpkt(d, dest) and deliver(d) are instantaneous and model the submission of data d from the network layer, destined for dest, and the delivery of data d to the network layer, respectively. The process newpkt(d, dest).P has also the possibility to wait, namely if no network layer instruction arrives.
Rule 6 defines a rule for assignment in a straightforward fashion; only the valuation of the variable var is updated.
In Rules 7 and 8, which define recursion, ξ |RO [var i := ξ(exp i )] n i=1 is the valuation that only assigns the values ξ(exp i ) to the variables var i , for i = 1, . . . , n, and maintains the values of the variables now, rfr and cntr. These rules state that a defined process X has the same transitions as the body p of its defining equation. In case of a wait-transition, the sequential process does not progress, and accordingly the recursion is not yet unfolded.
Most transition rules so far feature statements of the form ξ(exp) where exp is a data expression. The application of the rule depends on ξ(exp) being defined. Rule 9 covers all cases where the above rules cannot be applied since at least one data expression in an action α is not defined. A state ξ, P is unvalued, denoted by ξ(p)↑, if P has the form transmit(ms).P , deliver(data).P , [[var := exp]]P or X(exp 1 , . . . , exp n ) with either ξ(ms) or ξ(data) or ξ(exp) or some ξ(exp i ) undefined. From such a state the process can merely wait.
A process P + Q can wait only if both P and Q can do the same; if either P or Q can achieve 'proper' progress, the choice process P + Q always chooses progress over waiting. A simple induction shows that if ξ, P wait(ch) − −−−− → ζ, P and ξ, Q wait(ch) − −−−− → ζ , Q then P = P , Q = Q and ζ = ζ . The first rule of (12), describing the semantics of guards [ϕ], is taken from AWN. Here ξ ϕ → ζ says that ζ is an extension of ξ, i.e. a valuation that agrees with ξ on all variables on which ξ is defined, and evaluates other variables occurring free in ϕ, such that the formula ϕ holds under ζ. All variables not free in ϕ and not evaluated by ξ are also not evaluated by ζ. Its negation ξ ϕ − → says that no such extension exists, and thus, that ϕ is false in the current state, no matter how we interpret the variables whose values are still undefined. If that is the case, the process [ϕ]p will idle by performing the action wait(ch).

A Language for Node Expressions
We model network nodes in the context of a (wireless) network by node expressions of the form id:(ξ, P ):R .
Here id ∈ ID is the address of the node, P is a sequential process expression with a valuation ξ, and R ∈ P(ID) is the range of the node, defined as the set of nodes within transmission range of id. Unlike AWN, the process algebra does  Table 2. Structural operational semantics for node expressions not offer a parallel operator for combining sequential processes; such an operator is not needed due to the nature of link layer protocols.
In the semantics of this layer it is crucial to handle frame collisions. The idea is that all chunks sent are recorded, together with the respective recipient. In case a node receives more than one chunk at a time, a conflict is raised, as it is impossible to send two or more messages via the same medium at the same time.
All time-consuming actions on process level (transmit(m:c,ch) and wait(ch)) are transformed into an action traffic(T , R) on node level: the first argument T maps dest to m:c if and only if the chunk m:c is transmitted to dest. The second argument R maps id to m:c if and only if the chunk m:c is received on process level at node id. For the sos-rules of Table 2 we use the set-theoretic presentation of partial functions. The two rules for wait set T := ∅, as no chunks are transmitted; the rules for transmit allow a transmitted chunk m:c to travel to all nodes within transmission range: T := {(r, m:c) | r ∈ R}. In case that during the transmission or waiting no chunk is received (ch = idle) we set R = ∅; otherwise R = {(id, ch)}, indicating that chunk ch is received by node id.
The actions id : newpkt(d, dest) and id : deliver(d) as well as the internal actions τ are simply inherited by node expressions from the processes that run on these nodes.
The remaining rules of Table 2 model the mobility aspect of wireless networks; the rules are taken straight from AWN [12,13]. We allow actions connect(id, id ) and disconnect(id, id ) for id, id ∈ ID modelling a change in network topology. These actions can be thought of as occurring nondeterministically, or as actions instigated by the environment of the modelled network protocol. In this formalisation node id is in the range of node id, meaning that id can receive messages  Table 2 and replaces the synchronisation rules for connect and disconnect in Table 3 by interleaving rules (like the ones for deliver, newpkt and τ ) [12]. For some applications a wired or non-mobile network need to be considered. In such cases the last six rules of Table 2 are dropped. Whether a node id : P : R receives its own transmissions depends on whether id ∈ R. Only if id ∈ R our process algebra will disallow the transmission from and to a single node id at the same time, yielding a conflict.

A Language for Networks
A partial network is modelled by a parallel composition of node expressions, one for every node in the network. A complete network is a partial network within an encapsulation operator [ ], which limits the communication between network nodes and the outside world to the receipt and delivery of data packets to and from the network layer.
The syntax of networks is described by the following grammar: S models a partial network describing the behaviour of all nodes id ∈ S. The set T contains the identifiers of all nodes that are part of the complete network. This grammar guarantees that node identifiers of node expressions-the first component of id:P :R-are unique.
The operational semantics of network expressions is given in Table 3. Internal actions τ as well as the actions id : deliver(d) and id : newpkt(d,id) are interleaved in the parallel composition of nodes that makes up a network, and then lifted to encapsulated networks (Line 1 of Table 3).
Actions traffic and (dis)connect are synchronised. The rule for synchronising the action traffic (Line 3), the only action that consumes time on the network layer, uses the union of partial functions. It is formally defined as The synchronisation of the sets R i and T i has the following intuition: if a node identifier id ∈ ID is in both dom(T 1 ) and dom(T 2 ) then there exist two nodes that transmit to node id at the same time, and therefore a frame collision occurs. In our algebra this is modelled by the special chunk conflict. The sos rules of Tables 2 and 3 guarantee that there cannot be collisions within the set of received chunks R. The reason is that each node merely contributes to R a chunk for itself; it can be the chunk conflict though. Therefore we could have written Table 3.
The last rule propagates a traffic(T , R)-action of a partial network M to a complete network [M ]. By then T consists of all chunks (after collision detection) that are being transmitted by any member in the network, and R consists of all chunks that are received. The condition R = T determines the content of the messages in R. The traffic(T , R)-actions become internal at this level, as they cannot be steered by the outside world; all that is left is a time-step tick.

Results on the Process Algebra
As for the process algebra T-AWN [2], but with a slightly simplified proof, one can show that our processes have no time deadlocks: Theorem 2.1. A complete network N in our process algebra always admits a transition, independently of the outside environment, i.e. ∀N, ∃a such that The following results (statements and proofs) are very similar to the results about the process algebra AWN, as presented in [13]. A rich body of foundational meta theory of process algebra allows the transfer of the results to our setting, without too much overhead work.
Identical to AWN and its timed version T-AWN, our process algebra admits a translation into one without data structures (although we cannot describe the target algebra without using data structures). The idea is to replace any variable by all possible values it can take. The target algebra differs from the original only on the level of sequential processes; the subsequent layers are unchanged. The construction closely follows the one given in the appendix of [2]. The inductive definition contains the rules T ξ (deliver(data).P ) = deliver(ξ(data)).T ξ (P ) and . Most other rules require extra operators that keep track of the passage of time and the evolution of other internal variables. The resulting process algebra has a structural operational semantics in the (infinitary) de Simone format, generating the same transition system-up to strong bisimilarity, ↔ -as the original. It follows that ↔ , and many other semantic equivalences, are congruences on our language [23]. This is a deep result that usually takes many pages to establish (e.g. [25]). Here we get it directly from the existing theory on structural operational semantics, as a result of carefully designing our language within the disciplined framework described by de Simone [23].
Theorem 2.3. The operator is associative and commutative, up to ↔ .
Proof. The operational rules for this operator fits a format presented in [6], guaranteeing associativity up to ↔ . The ASSOC-de Simone format of [6] applies to all transition system specifications (TSSs) in de Simone format, and allows 7 different types of rules (named 1-7) for the operators in question. Our TSS is in de Simone format; the four rules for of Table 3 are of types 1, 2 and 7, respectively. To be precise, it has rules 1 a and 2 a for a ∈ {τ , id : deliver(d), Moreover, the partial communication function γ : Act × Act Act is given by The main result of [6] is that an operator is guaranteed to be associative, provided that γ is associative and six conditions are fulfilled. In the absence of rules of types 3, 4, 5 and 6, five of these conditions are trivially fulfilled, and the remaining one reduces to Here 1 a says that rule 1 a is present, etc. This condition is trivially met for as there neither exists a rule of the form 1 traffic(T,R) nor of the form 2 traffic(T,R) , or 1 c , 2 c with c as above. As on traffic actions γ is basically the union of partial functions ( ), where a collision in domains is indicated by an error conflict, it is straightforward to prove associativity of γ. Commutativity of follows by symmetry of the sos rules.

An Algebra for Link Layer Protocols
We now introduce ALL, the Algebra for Link Layer protocols. It is obtained from the process algebra presented in the previous section by the addition of a probabilistic choice operator n 0 . As a consequence, the semantics of the algebra is no longer a labelled transition system, but a probabilistic labelled transition system (pLTS) [8]. This is a triple (S, Act, →), where As with LTSs, we usually write s α −→ ∆ instead of (s, α, ∆) ∈ →. The point distribution δ s , for s ∈ S, is the distribution with δ s (s) = 1. We simply write s α −→ t for s α −→ δ t . An LTS may be viewed as a degenerate pLTS, in which only point distributions occur. For a uniform distribution over s 0 , . . . , s n ∈ S we write U n i=0 s i . The pLTS associated to ALL takes S to be the disjoint union of the pairs ξ, P , with P a sequential process expression, and the network expressions. Act is the collection of transition labels, and → consists of the transitions derivable from the structural operational semantics of the language.
Rules (1)-(6), (9), (11) and (12) of Table 1 are adopted to ALL unchanged, whereas in Rules (7), (8) and (10) the state ζ, P (or ζ, Q ) is replaced by an arbitrary distribution ∆. Add to those the following rule for the probabilistic choice operator: Here the data variable i may occur in P . The rules of Tables 2 and 3 are adapted to ALL unchanged, except that P , M and N are now replaced by arbitrary distributions over sequential processes and network expressions, respectively.
Here we adapt the convention that a unary or binary operation on states lifts to distributions in the standard manner. For example, if ∆ is a distribution over sequential processes, id ∈ ID and R ⊆ ID, then id:∆:R describes the distribution over node expressions that only has probability mass on nodes with address id and range R, and for which the probability of id:P :R is ∆(P ). Likewise, if ∆ and

Formalising Liveness Properties of Link Layer Protocols
Link layer protocols communicate with the network layer through the actions id : newpkt(d, dest) and id : deliver(d). The typical liveness property expected of a link layer protocol is that if the network layer at node id injects a data packet d for delivery at destination dest then this packet is delivered eventually. In terms of our process algebra, this says that every execution of the action id : newpkt(d, dest) ought to be followed by the action dest : deliver(d). This property can be formalised in Linear-time Temporal Logic [22] as for any id, dest ∈ ID and d ∈ DATA. This formula has the shape G φ pre ⇒ Fφ post , and is called an eventuality property in [22]. It says that whenever we reach a state in which the precondition φ pre is satisfied, this state will surely be followed by a state were the postcondition φ post holds. In [7,13] it is explained how action occurrences can be seen or encoded as state-based conditions. Here we will not define how to interpret general LTL-formula in pLTSs, but below we do this for eventuality properties with specific choices of φ pre and φ post . Formula (1) is too strong and does not hold in general: in case the nodes id and dest are not within transmission range of each other, the delivery of messages from id to dest is doomed to fail. We need to postulate two side conditions to make this liveness property plausible. Firstly, when the request to deliver the message comes in, id needs to be connected to dest. We introduce the predicate cntd(id, dest) to express this, and hence take φ pre to be cntd(id, dest) ∧ id : newpkt(d, dest). Secondly, we assume that the link between id and dest does not break until the message is delivered. As remarked in [13], such a side condition can be formalised by taking φ post to be dest : deliver(d) ∨ disconnect(id, dest). Thus the liveness property we are after is We now define the validity of eventuality properties G φ pre ⇒ Fφ post . Here φ pre and φ post denote sets of transitions and actions, respectively, and hold if one of the transitions or actions in the set occurs. In (2), φ pre denotes the transitions with label id : newpkt(d, dest) that occur when the side condition cntd(id, dest) is met, whereas φ post = {dest : deliver(d), disconnect(id, dest), disconnect(dest, id)} is a set of actions.
A path in a pLTS (S, Act, →) is an alternating sequence s 0 , α 1 , s 1 , α 2 , . . . of states and actions, starting with a state and either being infinite or ending with a state, such that there is a transition s i The path is rooted if it starts with a state marked as 'initial', and complete if either it is infinite, or there is no transition starting from its last state. A state or transition is reachable if it occurs in a rooted path.
In a pLTS with an initial state, an eventually formula G φ pre ⇒ Fφ post , with φ pre and φ post denoting sets of transitions and actions, holds outright if all complete paths starting with a reachable transition from φ pre contain a transition with a label from φ post .
Definitions 3 and 5 in [9] define the set of probabilities that a pLTS with an initial state will ever execute the action ω. One obtains a set of probabilities rather than a single probability due to the possibility of nondeterministic choice. This definition generalises to sets of actions φ post (seen as disjunctions) by first renaming all actions in such a set into ω. It also generalises trivially to pLTSs with an initial transition. For t a transition in a pLTS, let Prob(t, φ post ) be the infimum of the set of probabilities that the pLTS in which t is taken to be the initial transition will ever execute φ post . Now in a pLTS with an initial state, an eventually formula G φ pre ⇒ Fφ post holds with probability at least p if for all reachable transitions t in φ pre we have Prob(t, φ post ) ≥ p.
Possible correctness criteria for link layer protocols are that the liveness property (2) either holds outright, holds with probability 1, or at least holds with probability p for a sufficiently high value of p.
Sometimes we are content to establish that (2) holds under the additional assumptions that the network is stable until our packet is delivered, meaning that no links between any nodes are broken or established, and/or that the network layer refrains from injecting more packets. This is modelled by taking We will refer to this version of (2) as the weak packet delivery property. Packet delivery is the strengthening without newpkt( * , * ) in (3), i.e. not assuming that the network layer refrains from injecting more packets.

Modelling and Analysing the CSMA/CA Protocol
In this section we model two versions of the CSMA/CA protocol, using the process algebra ALL. Moreover, we briefly discuss some results we obtained while analysing these protocols.
The Carrier-Sense Multiple Access (CSMA) protocol is a media access control (MAC) protocol in which a node verifies the absence of other traffic before transmitting on a shared transmission medium. If a carrier is sensed, the node waits for the transmission in progress to end before initiating its own transmission. Using CSMA, multiple nodes may, in turn, send and receive on the same medium. Transmissions by one node are generally received by all other nodes connected to the medium.
The CSMA protocol with Collision Avoidance (CSMA/CA) [19,17] 4 improves the performance of CSMA. If the transmission medium is sensed busy before transmission then the transmission is deferred for a random time interval. This interval reduces the likelihood that two or more nodes waiting to transmit will simultaneously begin transmission upon termination of the detected transmission. CSMA/CA is used, for example, in Wi-Fi.
It is well known that CSMA/CA suffers from the hidden station problem (see Section 5.2). To overcome this problem, CSMA/CA is often supplemented by the request-to-send/clear-to-send (RTS/CTS) handshaking [19]. This mechanism is known as the IEEE 802.11 RTS/CTS exchange, or virtual carrier sensing. While this extension reduces the amount of collisions, wireless 802.11 implementations do not typically implement RTS/CTS for all transmissions because the transmission overhead is too great for small data transfers.
We use the process algebra ALL to model both the CSMA/CA without and with virtual carrier sensing.

A Formal Model for CSMA/CA
Our formal specification of CSMA/CA consists of four short processes written in ALL. It is precise and free of ambiguities-one of the many advantages formal methods provide, in contrast to specifications written in English prose.
The syntax of ALL is intended to look like pseudo code, and it is our belief that the specification can easily be read and understood by software engineers, who may or may not have experience with process algebra.
As the underlying data structure of our model is straightforward, we do not present it explicitly, but introduce it while describing the different processes.
The basic process CSMA, depicted in Process 1, is the protocol's entry point.

)
This process maintains a single data variable id in which it stores its own identity. It waits until either it receives a request from the network layer to transmit a packet data to destination dest, or it receives from another node in the network a CSMA message (data frame) destined for itself.
In case of a newly injected data packet (Line 1), the process INIT is called; this process (described below) initiates the sending of the message via the medium. When passing the message on to INIT we use a function dataframe : DATA × ID × ID → MSG that generates a message in a format used by the protocol: next to the header fields (from which we abstract) it contains the injected data as well as the designated receiver dest and the sender id-the current node.
In case of an incoming dataframe destined for this node (the third argument carrying the destination is id) (Line 2)-any other incoming message is ignored by this process-the data is handed over to the network layer (deliver(data)) followed by the transmission of an acknowledgement back to the sender of the message (src). CSMA/CA requires a short period of idling medium before sending the acknowledgement: in [19] this interval is called short interframe space (sifs). The process waits until the time of the interframe spacing has passed, and then transmits the acknowledgement. The acknowledgement sent is not always received by src, e.g. due to data collision; therefore src could send the same message again (see Process 4) and id could deliver the same data to the network layer again. The process INIT (Process 2) initiates the sending of a message via the medium. Next to the variable id, which is maintained by all processes, it maintains the variable tries and dframe: tries stores the number of attempts already made to send message dframe. When the process is called the first time for a message dframe (Line 1 of Process 1) the value of tries is 0.
The constant max retransmit specifies the maximum number of attempts the protocol is allowed to retransmit the same message. If the limit is not yet reached (Line 1) the message dframe is sent. As mentioned above, CSMA/CA defers messages for a random time interval to avoid collision. The node must start transmission within the contention window cw, a.k.a. backoff time. cw is calculated in Line 2; it increases exponentially. 5 After cw is determined, the process CCA is called, which performs the actual transmit-action. In case the maximum number of retransmits is reached (Line 4), the process notifies the network layer and restarts the protocol, awaiting new instructions from the application layer, or a new incoming message.
Process 3 takes care of the actual transmission of dframe. However, the protocol has a complicated procedure when to send this message.

)
First, the process senses the medium and awaits the point in time when it is idle (Line 6). In case, before this happens, it receives from another node in the network a CSMA message destined for itself (Line 1), this message is handled just as in Process 1, except that after acknowledging this message the protocol returns to Process 3.
To guarantee a gap between messages sent via the medium, CSMA/CA (as well as other protocols) specifies the distributed (coordination function) interframe space (difs ∈ TIME), which is usually small, 6 but larger than sifs, so that acknowledgements get priority over new data frames. When the medium becomes busy during the interframe space, another node started transmitting and the process goes back to listening to the medium (Line 9). In case nothing happens on the medium and the end of the interframe space is reached (Line 10), the process determines the actual time to start transmitting the message, taking the backoff time b into account (Line 11). If the medium is idle for the entire backoff period (Line 15), the message is transmitted (Line 16), and the process calls the process ACKRECV that will await an acknowledgement from the recipient of dframe (Line 17); the third argument specifies the maximum time the process should wait for such an acknowledgement. (As mentioned before an acknowledgement may never arrive.) If another node transmits on the medium during the backoff period, the protocol restarts the routine (Lines 13 and 14), with an adjusted backoff value b-the process already started waiting and should not be punished when the waiting is restarted; this update guarantees fairness of the protocol.
The process awaiting an acknowledgement (Process 4) is straightforward. It waits until either it receives a CSMA message destined for itself (Line 1), or it receives an acknowledgement (Line 6), or it has waited for this acknowledgement as long as it is going to (Line 8).
In the first case, the message is handled just as in Process 1, except that after acknowledging this message the protocol returns to Process 4. In the second case the network layer is informed that the sending of dframe was successful and the process loops back to Process 1 (Line 7). Line 8 describes the situation where no acknowledgement message arrives and the process times out. Here CSMA/CA retries to send the message; the counter tries is incremented. [new(dataframe(data,src,id))] deliver(data) .

The Hidden Station Problem
As mentioned in the introduction to this section, CSMA/CA suffers from the hidden station problem. This refers to the situation where two nodes A and C are not within transmission range of each other, while a node B is in range of both. In this situation C may be transmitting to B, but A is not able to sense this, and thus may start a transmission to B at roughly the same time, leading to data collisions at B. While CSMA/CA is not able to avoid such collisions as a whole-it is always possible that two (or more) nodes hidden from each other happen to (randomly) choose the same backoff time to send messages-it is the exponential growth of the backoff slots that makes the problem less pressing in the long run, as the following theorem shows.
Theorem 5.1. If max retransmit=∞ then weak packet delivery holds with probability 1. Proof sketch. Since the number of messages that nodes transmit is bounded, and all nodes select random times to start transmitting out of an increasing longer time span, with probability 1 each message will eventually go through. 2 In practice, max retransmit is set to a value that is not high enough to approximate the idea behind the above proof. In fact, the transmission time of a single message may be larger than the maximal backoff period allowed. For this reason the hidden station problem does occur when running the CSMA/CA protocol, as studies have shown [5]. Nevertheless, the above analysis still shows that link layer protocols can be formally analysed by process algebra in general, and ALL in particular.

A Formal Model for CSMA/CA with Virtual Carrier Sensing
To overcome the hidden station problem the usage of a request-to-send/clearto-send (RTS/CTS) handshaking [19] mechanism is available. This mechanism is also known as virtual carrier sensing. The exchange of RTS/CTS messages happens just before the actual data is sent, see Figure 1. The mechanism serves two purposes: (a) As the RTS and CTS messages are very short-they only contain two node identifiers as well as a natural number indicating the time it will take to send the actual data (plus overhead)-the likelihood of a collision is reduced. (b) While the handshaking does not help with solving the hidden station problem for the RTS message itself, it avoids the problem for the sending of data. The reason is that a hidden node, which could interfere with the sending of data will receive the CTS message from the designated recipient of data and the hidden node will remain silent until the data has been sent. As for the CSMA/CA protocol we have modelled this extension in ALL, based on the model of CSMA/CA we presented earlier.
Our extended model uses two functions to generate rts and cts messages, respectively. The signature of both is ID × ID × TIME → MSG. The first argument carries the sender (source) of the message, the second the indented destination, and the third argument a duration (time period) of silence that is The main contributions of this paper are the following: • extension of SBRS to PSBRS with sharing; • an application of PSBRS with sharing to the 802.11 CSMA/CA RTS/CTS protocol for anywireless network topology, including interference; • analysis of example properties for quantitative analysis.
Some aspects of the CSMA protocol have been modelled previously: for example collision detection on Ethernet is modelled by a MDP (Markov Decision Process) in [DFH + 05]. A similar approach was taken in [KNS02] where probabilistic timed automata are used to model the basic two-way handshake mechanism 1 of the 802.11 protocol. The authors assume a fixed network topology consisting of two senders and two receivers. Furthermore, in their model there is exactly one shared signal, and thus each station can sense any other station. Properties of the system are specified in CSL (Continuous Stochastic Logic) [ASSB96] and automatically verified using probabilistic model checker PRISM [KNP11]. The model we present here differs in the following significant ways: support for arbitrary network topologies, and explicit representation of potentially overlapping wireless signals for all the stations in the network. These features are essential to represent networks in which two or more stations transmit to the same receiver and they cannot sense each other, thus causing a transmission collision. This is generally known in the literature as the hidden node problem.
The paper is organised as follows. The protocol is described informally in the next section and in Sect. 3 we give a brief overview of SBRS with sharing. Section 4describes the bigraphical model for WLANs with arbitrary network topology. In Sect. 5 we present the graphical form of the reaction rules used to model the protocol. The evolutions of an example WLAN of three stations is given in Sect. 6. Section 7outlines the CTMC encoding and some analysis results. Conclusions and directions for future work are in Sect. 8.

The protocol: IEEE 802.11 CSMA/CA with RTS/CTS handshake
We now describe informally the functioning of the protocol. Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) is the basic access mechanism in the 802.11 protocol [IEE05]. CSMA/CA adopts a slotted binary exponential backoff scheme to reduce collisions due to stations transmitting simultaneously. It defines two access mechanisms: the default, two-way handshaking technique called basic access and the optional fourway handshaking RTS/CTS reservation scheme. We focus on the latter here. Observe that this mechanism is more complicated because an extra handshake is introduced to reduce the collisions caused by the hidden node problem. 1 Note that this protocol is different from RTS/CTS. Fig. 2. The use of virtual channel sensing using CSMA/CA [3] requested/granted. For example, before the message rts(src,dest,d) is transmitted, the time period d is calculated by [[d := sifs + dur cts + sifs + dur(dataframe(data,id,dest)) + sifs + dur ack]] .
The calculation is straightforward as it follows the protocol logic and determines the amount of time needed until the acknowledgement would be received (see Figure 2). After the rts message has been received the medium should be idle for the interframe space sifs; then a cts message is sent back, which takes time dur cts; then another interframe space is needed, followed by the actual transmission of the message-the sending will take dur(dataframe(data,id,dest)) time units; after the message is received (hopefully) another interframe space is required before the acknowledgement is sent back.
Process 2 remains essentially unchanged; it is merely equipped with the destination dest of the message that needs to be transmitted, and an additional timed variable nav ∈ TIME. These variables are not used in this process, but required later on. Variable nav holds the point in time until the process should not transmit any rts or cts message. This period of silence is necessary as the node figures out that until time nav another node will transmit message(s). 7 Process 5 is the modified version of Process 1. Identical to Process 1 it awaits an instruction from the network layer, or an incoming CSMA message destined for itself. Lines 1-3 are identical to Process 1. Lines 4-11 handle the two new message types. In case an rts message rts(src,dest,d) is received that is intended for another recipient (dest = id) the node concludes that another node wants to use the medium for the amount of d time units; the process updates the variable nav if needed, indicating the period the node should remain silent, by taking the maximum of the current value of nav, and now+d, the point in time until the sender src of the rts message requires the medium. The same behaviour occurs if a cts message is received that is not intended for the node itself (Line 4). If the incoming message is an rts message intended for the node itself (Line 6) by default the node answers with a clear-to-send message back to the sender (Line 9). However, when the receiver of the rts has knowledge about other nodes requiring the medium (now ≤ nav), a clear-to-send cannot be granted, and the request is dropped (Line 6). Similar to the sending of an acknowledgement (Line 2), the process waits for the short interframe space (sifs) before sending the CTS (Line 6). Line 8 handles the case where the medium becomes busy (¬idle) during this period; also here a clear-to-send cannot be [now ≥ timeout] transmit(ackframe(src)) . CSMA(id,nav) 4. + [(new(rts(src,dest,d)) ∨ new(cts(src,dest,d))) ∧ dest = id ∧ nav < now+d]   ) granted, and the request is dropped. 8 Only when the medium stays idle during the entire interframe space the node id can inform the source of the rts message that the medium is clear to send; the cts is transmitted in Line 9. The time a receiver of this message has to be silent is adjusted by deducting the time elapsed before this happens. In Line 10 the process resets nav to remind itself not to issue any rts message until the present exchange has been completed. 9 Process 6 is the modified version of Process 3. The goal of this process is to send an rts message (Line 22). Before it can start its work, it waits until the medium is idle, and any time it is required to be silent has elapsed (Line 11). Until this happens incoming data frames, rts or cts messages are treated just as in Process 5: Lines 1-10 copy Lines 2-11 of Process 5, except that afterwards the process returns to itself. Then Lines 12-20 are copied from Lines 7-15 from Process 3. Line 21 calculates the time other nodes ought to keep silent when receiving the rts message, and Line 23 passes control to the process CTSRECV, which awaits a cts response to the rts message transmitted in Line 22. The fourth argument of CTSRECV specifies the maximum time that process should wait for such a response; a good value for max cts wait is sifs + dur cts.
Process CTSRECV listens for this time to a cts message with source dest and destination id. In case the expected cts message arrives in time (Line 1), the node waits for a time sifs (Line 2) and then transmits the data frame and pro- transmit(rts(id,dest,d)) .

25.
) ceeds to await an acknowledgement (Line 3). The fourth argument of ACKRECV specifies the maximum time the process should wait for such an acknowledgement; a good value for max ack wait is sifs + dur ack. If the cts message does not arrive in time (Line 6), the process returns to INIT to send another rts message, while incrementing the counter tries (Line 7). While waiting for the cts message, any incoming rts or cts message destined for another node is treated exactly as in Process 5 (Lines 4-5). Incoming data frames cannot arrive when this process is running, and incoming rts messages to id are ignored.
Process 8 handles the receipt of an acknowledgement in response to a successful data transmission. If an acknowledgement arrives, it must be from the node to which id has transmitted a data frame. In that case (Line 1), the network layer is informed that the sending of dframe was successful and the process loops back to Process 5 (Line 2). Line 5 describes the situation where no acknowledgement message arrives and the process times out. Also here CSMA/CA retries to send the message; the counter tries is incremented. Lines 3-4 describe the usual handling of incoming rts or cts messages destined for another node.

The Exposed Station Problem
Another source of collisions in CSMA/CA is the well-known exposed station problem. This refers to a linear topology A−B−C−D, where an unending stream of messages between C and D interferes with attempts by A to get a message across to B. In the default CSMA/CA protocol as formalised in Section 5.1, transmissions from A to B may perpetually collide at B with transmissions from C destined for D. CSMA/CA with virtual carrier sensing mitigates this problem, for a cts sent by B in response to an rts sent by A will tell C to keep silent for the required duration. In fact, we can show that in the above topology, if max retransmit=∞ then packet delivery holds with probability 1. A non-probabilistic guarantee cannot be given since nodes A and C could behave in the same way, meaning if one node is sending out a message the other does the same at the very same moment, and if one is silent the other remains silent as well. In this scenario all messages to be sent are doomed.
Based on our formalisation, we can prove that once the RTS/CTS handshake has been successfully concluded, meaning that all nodes within range of the intended recipient have received the cts, then packet delivery holds outright. So the only problem left is to achieve a successful RTS/CTS handshake. Since rts and cts messages are rather short, even by modest values of max retransmit it becomes likely that such messages do not collide.
In spite of this, CSMA/CA with (or without) virtual channel sensing cannot achieve packet delivery with probability 1 for general topologies. Assume the following network topology Here it may happen that one of the C i s is always busy transmitting a large message to D i ; any given C i is occasionally silent (not sending any message), but then one of the others is transmitting. As C i is disconnected from C j , for j = i, coordination between the nodes is impossible. As a consequence, the medium at A will always be busy, so that A cannot send an rts message to B.

Related Work
The CSMA protocol in its different variants has been analysed with different formalisms in the past.
Multiple analyses were performed for the CSMA/CD protocol (CSMA with collision detection), a predecessor of CSMA/CA that has a constant backoff, i.e. the backoff time is not increased exponentially, see [10,11,26,20,21]. In all these approaches frame collisions have to be modelled explicitly, as part of the protocol description. In contrast, our approach handles collisions in the semantics; thereby achieving a clear separation between protocol specifications and link layer behaviour.
Duflot et al. [10,11] use probabilistic timed automata (PTAs) to model the protocol, and use probabilistic model checking (PRISM) and approximate model checking (APMC) for their analysis. The model explained in [26] is based on PTAs as well, but uses the model checker Uppaal as verification tool. These approaches, although formal, have very little in common with our approach. On the one hand it is not easy to change the model from CSMA/CD to CSMA/CA, as the latter requires unbounded data structures (or alike) to model the exponential backoff. On the other hand, as usual, model checking suffers from state space explosion and only small networks (usually fewer than ten nodes) can be analysed. This is sufficient and convenient when it comes to finding counter examples, but these approaches cannot provide guarantees for arbitrary network topologies, as ours does.
Jensen et al. [20] use models of CSMA/CD to compare the tools SPIN and Uppaal. Their models are much more abstract than ours. It is proven that no collisions will ever occur, without stating the exact conditions under which this statement holds.
To the best of our knowledge, Parrow [21] is the only one who uses process algebra (CCS) to model and analyse CSMA. His untimed model of CSMA/CD is extremely abstract and the analysis performed is limited to two nodes only, avoiding scenarios such as the hidden station problem.
There are far fewer formal analyses techniques available when it comes to CSMA/CA (with and without virtual medium sensing). Traditional approaches to the analysis of network protocols are simulation and test-bed experiments. This is also the case for CSMA/CA (e.g. [4]). While these are important and valid methods for protocol evaluation, in particular for quantitative performance evaluation, they have limitations in regards to the evaluation of basic protocol correctness properties.
Following the spirit of the above-mentioned research of model checking CSMA, Fruth [15] analyses CSMA/CA using PTAs and PRISM. He considers properties such as the minimum probability of two nodes successfully completing their transmissions, and maximum expected number of collisions until two nodes have successfully completed their transmissions. As before, this analysis technique does not scale; in [15] the experiments are limited to two contending nodes only.
Beyond model checking, simulation and test-bed experiments, we are only aware of two other formal approaches. In [1] Markov chains are used to derive an accurate, analytical model to compute the throughput of CSMA/CA. Calculating throughput is an orthogonal task to our vision of proving (functional) correctness.
An approach aiming at proving the correctness of CSMA/CA with virtual carrier sensing (RTS/CTS), and hence related to ours, is presented in [3]. Based on stochastic bigraphs with sharing it uses rewrite rules to analyse quantitative properties. Although it is an approach that is capable to analyse arbitrary topologies, to apply the rewrite rules a particular topology needs to be modelled by a directed acyclic graph structure, which is part of the bigraph.

Conclusion
In this paper we have proposed a novel process algebra, called ALL, that can be used to model, verify and analyse link layer protocols. Since we aimed at a process algebra featuring aspects of the link layer such as frame collisions, as well as arbitrary data structures (to model a rich class of protocols), we could not use any of the existing algebras. The design of ALL is layered. The first layer allows modelling protocols in some sort of pseudo code, which hopefully makes our approach accessible for network and software researchers/engineers. The other layers are mainly for giving a formal semantics to the language. The layer of partial network expressions, the third layer, provides a unique and sophisticated mechanism for modelling the collision of frames. As it is hard-wired in the semantics there is no need to model collisions manually when modelling a protocol, as it was done before [21]. Next to primitives needed for modelling link layer protocols (e.g. transmit) and standard operators of process algebra (e.g. nondeterministic choice), ALL provides an operator for probabilistic choice.
This operator is needed to model aspects of link layer protocols such as the exponential backoff for the Carrier-Sense Multiple Access with Collision Avoidance protocol, the case study we have chosen to demonstrate the applicability of ALL. We have modelled and analysed two versions of CSMA/CA, without and with virtual carrier sensing. Our analysis has confirmed the hidden station problem for the version without virtual carrier sensing. However, we have also shown that the version with virtual carrier sensing overcomes not only this problem, but also the exposed station problem with probability 1. Yet the protocol cannot guarantee packet delivery, not even with probability 1.
To perform this analysis we had to formalise suitable liveness properties for link layer protocols specified in our framework.