Formal verification of safety and performance properties of TCP selective acknowledgment

We present a formal proof that the selective acknowledgment (SACK) mechanism that is being proposed as a new standard option for TCP does not violate the safety properties of the acknowledgment (ACK) mechanism that is currently used with TCP. The new mechanism is being proposed to improve the performance of TCP when multiple packets are lost from one window of data. With selective acknowledgment, non-contiguous blocks of data can be acknowledged, and the sender only has to retransmit data that is actually lost. The proposed mechanism for implementing the SACK option for TCP is sufficiently complicated that it is not obvious that it is indeed safe. Because this mechanism is being proposed as a new standard for TCP, we think it is important to formally verify its safety properties. We first present a formal automaton model of the SACK protocol. We then verify that SACK is indeed safe. The verification is done by first defining a simple specification of the required safety properties. The protocol is supposed to satisfy. We then use invariant assertion and simulation techniques to show the protocol indeed satisfies these properties. Using the model we also show that SACK can improve the time it takes for the sender to recover from multiple packet losses, compared to the cumulative ACK protocol. Since there is additional information at the sender, SACK can save a round-trip time while the cumulative ACK mechanism has to wait before retransmitting subsequent packets lost after the very first loss