Towards Formal Semantics for QoS Support Jan-Peter Richter and Hermann de Meer University of Hamburg Computer Science Department, Telecommunications and Computer Networks Division E-mail: {richter, demeer}@informatik.uni-hamburg.de
Abstract The introduction of the concept of QoS has led to an extension of the traditional concepts of service and service specification. However, design of QoS support is usually done without a systematic approach, leading to concepts of QoS support ranging from basic QoS monitoring capabilities to hard real-time guarantees. In more advanced QoS support, intermediate layers should be designed in a way that enables the masking or controlled handling of sporadic QoS violations. To implement this degradation path support across multiple layers, a negotiation of preferred and supportable failure semantics is a requirement. To realize these advanced QoS support features, not only new QoS control mechanisms within the layers have to be developed but the semantics of QoS negotiation protocols between layers must be better understood and subsequently extended. A framework formally based on set theory and relations is presented that allows the specification of QoS hierarchies including a well-defined failure type model. The framework supports the development of QoS negotiation protocols and can be used as a formal base for a structured system analysis.
1. Introduction The introduction of the concept of QoS has led to an extension of the traditional concepts of service and service specification, adding a special kind of flexibility to the service. Reflecting the service user’s view to the way the service is provided to her, QoS is clearly a service user-oriented property [1]. Yet it is the obligation of the service provider to satisfy the user’s demands. This bilateralism and its implications on scope and structure of QoS support are still not well-understood. Instead, design of QoS support is usually done without a systematic approach, leading to concepts ranging from basic QoS monitoring capabilities [2] to hard real-time guarantees [3]. Also, design for QoS support is usually done based on static capabilities of the underlying systems and fixed assumptions on the needs of the service users [4], [5]. In a layered system architecture, underlying services cannot guarantee to meet a negotiated level of QoS under all circumstances, especially if techniques like statistical multiplexing are used for better utilization of network resources or random hardware failures have to be taken into account. Also, it may be too costly to implement the necessary reliability (i.e. probability to not violate the QoS contract) by pure resource reservation at the lowest layer. Instead, intermediate layers should be designed in a way that enables the masking or controlled handling of sporadic QoS violations. To implement this degradation path support across multiple layers, a negotiation of preferred and supportable
failure semantics [6] is a requirement. For an underlying service provider it is not necessary to know the details of the error recovery mechanisms of the next-upper layer. Instead, suitable abstractions must be found to express the relevant needs of the service provider w.r.t. the failure type hierarchy. To realize these advanced QoS support features, not only new QoS control mechanisms within the layers have to be developed but the semantics of QoS negotiation protocols between layers must be better understood and subsequently extended. In our contribution, we start by analyzing the basic abstractions of QoS support by showing how the most important aspects of the QoS contract can be divided into a set of ordering relations and a QoS limit. It is also shown, why in an advanced QoS support both aspects should be negotiable. Subsequently, a framework formally based on set theory and relations is presented that allows the specification of QoS hierarchies including a well-defined failure type model. The framework supports the development of QoS negotiation protocols and can be used as a formal base for a structured system analysis. The rest of the paper is organized as follows. In Section 2, it is shown how the notion of QoS extends the traditional concept of service specification and which of these extensions can be seen as mandatory in QoS support. Section 3 presents our formal framework along the lines of the semi-formal discussion of Section 2. In Section 4 an example application of the framework is presented. Finally, a short conclusion and outlook is given in Section 5.
2. Service Specification and QoS Traditional notions of service rely on the paradigm of specification and correctness. An abstract service is formally defined by a specification that divides the set of possible service provider reactions into two subsets - the set C of correct reactions and the set $\overline{C}$ of incorrect reactions. Note, however, the reactions of a service provider can be assessed only in relation to the input, or load, that the service user imposes on the service provider. Therefore, the two sets defined by the specification are in fact sets of pairs of a load and a reaction, called sessions in the sequel. The introduction of QoS extends the traditional paradigm in several ways. The extensions are based on the graduation of the separation between correct and incorrect sessions. 2.1 QoS as an Ordering Relation The most basic extension is the existence of an ordering relation on the set of sessions. This ordering relation reflects the fact that some reaction r1 to a load can be said to be ‘better’ than some other reaction r2.
0-7803-4386-7/98/$10.00 (c) 1998 IEEE
First of all, the ordering relation relates the unacceptable sessions: a service provider may fail to meet the demands of a service user in several ways. These failures can be appraised on a scale of ‘severeness’. The ordering relation of ‘severeness’ formally reflects what is informally called a (defined) degradation path. This feature is of importance especially in a layered system architecture where an intermediate layer is the (immediate) service user of the underlying layers and at the same time the (immediate) service provider for the layers above it. By offering a reaction that is still useful, at least to some extent, the service provider supports the service user which, in turn, may be able to meet its quality limits through the use of additional resources. Or, if the service user is not able to compensate for the quality violation, the less ‘severe’ failure of the underlying service provider enables the service user to degrade its own service quality in a controlled way. Therefore, an implementation that supports this aspect of QoS will be designed to exhibit the least ‘severe’ failure. The ordering relation is not restricted to the set of unacceptable sessions: the relation of r1 and r2 is important even if r2 is already of acceptable quality for the service user. An implementation of a service provider that fully supports the QoS ordering relation will be designed in a way that it will always produce the ‘best’ reaction that can be achieved. The production of some ‘best’ reaction is restricted by the knowledge about what is ‘best’ for the specific service user and by the allocation of the system’s resources for the session under concern. However, some of the system’s resources may be currently unused and preemptible. In this case, the system can enhance its overall value to the service user by using these additional resources to provide the service at a grade higher than the requested limit.
In a situation where preemptible resources are used to enhance the QoS beyond the negotiated limit for more than one service user, a global objective must be given to handle the trade-off between the enhanced qualities of the individual sessions. Since any acceptable reaction to some load is ‘better’ and ‘less severe’ than any failure, both aspects can be unified in a single ordering relation that covers correct sessions as well as failures. Note that the traditional concept of service specification can be seen as a special case of such an ordering relation. 2.2 Negotiability of the QoS Limit as a base for resource assignment decisions The second extension that is related to the QoS concept is the negotiability of the QoS limit, representing the borderline between the sets C and $\overline{C}$ of acceptable/unacceptable reactions to a load. The need for negotiable QoS limits is related to the trade-off between individual qualities of sessions. The assignment of resources within the service provider shall be done in a way that the number of service users that receive an unacceptable reaction is minimized. What is acceptable and what is unacceptable may be dependent on the specific service user. Therefore, the service user guides the service provider in its decision on resource assignment by stating that any reaction to the given load is acceptable if and only if the resulting session is a member of the negotiated C. If there is more than one such minimizing assignment, additional objectives may be defined.
The process of resource assignment and re-assignment is a dynamic one. Since service users start and terminate sessions at different points in time, call admittance is part of this process. Also, resource demand and utilization for a certain level of QoS depends on the load characteristics imposed by the service users. Finally, subsystems of the service provider may fail due to various reasons. Since loads are usually not known and cannot be characterized to arbitrary levels of accuracy in advance, evolving loads and subsystem failures are random in nature. Thus, resource assignment must be a continuous and reactive process. 2.3 Negotiability of the Ordering Relation The general concept of QoS as seen by the ITU-T [1] is defined as the “collective effect of service performances which determine the degree of satisfaction of a user of the service”. This definition clearly states that QoS is a user-oriented property, yet it is an obligation of the service provider to satisfy the user’s demands. This bilateralism implies the requirement for a second form of QoS negotiation. The QoS ordering relation itself should be negotiable to a certain degree in a QoS supporting system. This aspect of QoS support adds a special kind of flexibility to service specifications and service provider implementations. It not only enables the service user to communicate to the service provider the borderline between acceptable and unacceptable, but also what ‘better’ or more ‘severe’ means. The negotiability of the QoS ordering relation must - of course - be limited to aspects that can actually be supported by the service provider. If all QoS ordering relations that are supported by and negotiable with the service provider differ too much from the QoS ordering relation specific to the service user, the underlying service is inadequately chosen. A service provider that only supports a single QoS ordering relation is therefore usable for a limited group of service users only. 
The principle of negotiable QoS ordering relations shall be illustrated in an example. Consider a packet stream transport system that is used for the transmission of continuous media data. A synchronization unit, used to align the timing of media data streams, is fed with a remotely generated stream and a local one. The output timing is to be derived strictly by the local stream. For the transmitted packet stream, the QoS of a packet transmission is unacceptable if the packet is delivered after a certain deadline which is determined by the presentation time and some necessary processing time. Note that the moment immediately before the deadline is also the optimum in this situation. Any earlier delivery involves additional use of buffer space within the synchronization unit that may be a scarce resource. A delivery of a large number of packets long before the deadline may even cause the buffer to overflow, resulting in information loss which will be considered a QoS degradation for the service user at the layer above the synchronization unit. In contrast, if the same transport service is used for continuous media data in a video conferencing scenario, QoS w.r.t. the timing of packet delivery is more complex. The output timing can be adaptively tuned to shorten end-to-end delays, emptying internal buffers before overflow occurs. This also increases the QoS for the human user, since shorter end-to-end delays are more convenient in interactive applications.
If the delay jitter can be limited to a small amount, a large average delay closely before the deadline is ‘better’ than a smaller one in the synchronization scenario. In contrast, a smaller average delay is ‘better’ than a larger one in the conferencing scenario. Therefore, a single system reaction may be considered ‘better’ or ‘worse’ than some reference reaction, dependent on the needs of the service user. The need for a variation of the QoS ordering relation is not limited to the area of acceptable system reactions. The ‘severeness’ of classes of failures must be classified depending on the nature of the higher service and the error recovery mechanisms applied by the service user. Imagine that the video conferencing scenario introduced above is based on a video compression scheme like MPEG [7]. Here, some of the individual video frames are coded in a self-contained way (I-type encoding), while others are coded relative to the preceding I-frame (P-type encoding). If a packet that contains information from an I-frame misses its deadline, the corresponding video frame cannot be correctly displayed, regardless of the failure being an excessive delay or a total loss. Therefore, the deadline defines the QoS limit that must not be violated by the service provider. The decoding of successive P-frames, however, depends on the information contained in the I-frame. A delay beyond the deadline that is limited to a few frame times enables the timely decoding of at least a fraction of the succeeding P-frames. Thus, a failure of type limited delay violation is preferable to a failure of type total loss. In contrast, if the video conferencing application is based on the JPEG encoding standard [8], no inter-frame relations exist that prevent the decoding of timely received video frames. Here, total losses can be seen as preferable to limited delay violations because a total loss saves processing power that would be necessary to identify and discard an excessively delayed packet.
Note that the concept of negotiable QoS limits, as discussed in the last section, is conceptually orthogonal to the negotiability of the QoS ordering relation. Service providers are imaginable that flexibly support their service users’ needs by adapting, for example, their degradation path in the negotiated way. Yet the assignment of their resources can be independent of the acceptability limits of the individual sessions, making negotiations of these limits obsolete. 2.4 QoS Guarantees The concept of QoS is often informally identified with that of guaranteed behaviour. Ferrari has formalized different levels of guarantees in the case of transport services in packet-switched networks [9], [10]. Here, probabilistic statements are made on events like packet loss or bit errors. However, this formalization cannot easily be applied to a generic notion of service. Instead, our approach emphasizes the unconditional commitment of the service provider to a negotiated set of sessions. This set may be characterized in many ways, including a ratio of unwanted elementary events in a single session. This idea will be discussed in detail when hierarchically defined QoS ordering relations are presented. The commitment itself is unconditional, yet probabilistic in the sense that there is always a final risk of events like hardware failure or unsuccessful exploitation of statistical multiplexing. The negotiation may include an estimation of the
probability for a QoS limit violation given by the service provider. Note, however, that a ratio is - at least in theory - verifiable to an arbitrary accuracy while probabilities can only be estimated. Therefore, we prefer properties of sessions like packet loss ratios to be the subject of QoS guarantees rather than probabilities of their occurrence. If the negotiated QoS limit cannot be met for whatever reasons, the service provider shall show a behaviour that is ‘least severe’ w.r.t. the degradation path which is part of the negotiated QoS ordering relation. Again, the service provider may or may not succeed to limit the ‘severeness’ of its behaviour. Dependent on the ‘severeness’ of the QoS violation, the service provider may have to ‘pay’ some ‘compensational fee’ which must have been agreed on in the QoS contract. Note that the service user is usually not interested in the cause of the QoS violation - may it be a hardware failure or the eventual occurrence of an unwanted effect probabilistically guaranteed not to happen. In a QoS negotiation, the service provider commits itself to a set of sessions that are acceptable for the service user. The characterization of this set can be achieved through predicates that are applicable to all possible loads. In the example of a packet stream transmission, such a predicate can be formulated as “the ratio of lost packets to transmitted packets is smaller than the limit lr”. Obviously, the amount of resources needed by the service provider to produce a reaction such that the predicate is fulfilled, is generally dependent on the load. Therefore, the guarantee is usually given relative to a restricted set of loads only. Consequently, a characterization of the load is also part of the QoS negotiation. Note that the characterization can be done along the structures of a service provider-oriented ordering relation of resource requirements not unlike the service user-oriented QoS ordering relation introduced above. 
QoS contracts can be designed to be arbitrarily complex. The main focus of this paper, however, is on the principles of QoS ordering relations. A detailed discussion of formally specified guarantees is therefore beyond the scope of this paper and will be given elsewhere. The concept of QoS guarantee is closely related to the concept of negotiability of the QoS limit as presented above. While the definition of the acceptable subset of sessions is a prerequisite of any QoS contract, a negotiation of compensational actions or payments beyond the service under concern is an extension of the concept of service specification not covered by the aforementioned QoS concepts. 2.5 Failure Semantics Many services that are relevant in the context of QoS support can be seen as being composed of elementary services at a lower level of granularity. For ATM [11], for example, two levels of granularity can be identified. A session of the cell stream transfer service is composed of an arbitrary number of sessions of the single cell transfer service. In such a setting, QoS parameters can be defined in a hierarchical way. By definition of a QoS ordering relation and an appropriate QoS limit for the elementary level of granularity, QoS violations, or failures, can be identified that, in turn, accumulate to rates and ratios that characterize the QoS of the composed session. In case of ATM this is done in an
informal way [5]. For a generic definition of such a scheme, however, a formal approach to the concept of failure types is a prerequisite. To be useful for the service user, parameters that describe rates and ratios of QoS violations at the finer level of granularity must be defined with respect to the type of these failures. This, in turn, is necessary to deliberately choose and evaluate error recovery methods for QoS support as will be discussed next. In a layered architecture, QoS violations may happen at any layer. If no further measures are taken to handle these QoS violations, they propagate upwards in an uncontrolled way. QoS demands that limit the risk of such an arbitrary failure event to a probability that is acceptable to the human user may require a level of guaranteed QoS at the lower layers that cannot be supported or is too costly to be implemented. Without enhanced approaches to QoS management, call admittance control will reject the connection request. The premeditated application of error recovery mechanisms can enable an intermediate layer to hide the QoS violation of the underlying service provider from its own service user. Or, if this is not possible, it can degrade its own QoS along a degradation path that optimally supports the next-higher layer in applying similar methods. Optimum support in this case means the realization of a type of QoS violation that the next upper layer can handle best. This principle applies to all interfaces across the layered architecture and the severeness ordering relation is determined (inherited) from top to bottom. The service provider does not need to know the methods used to handle its QoS violations as long as the service user can negotiate the requirements for their successful application. Similar to limitations in the negotiability of the QoS ordering relation above the QoS limit, not all failure types may be supportable.
To optimally choose from a set of possible error recovery methods or general fault tolerance techniques, the service user must negotiate the failure semantics of the service provider (cf. [6]). A formal approach to failure types that enables the efficient and adaptive use of error recovery methods also contributes to the solution of the well known QoS mapping problem. A better understanding of the preconditions and mechanism of failure management will help the designer of QoS mapping algorithms in the necessary qualitative and quantitative system analysis [12]. Note that our approach closely relates the concepts of degradation path and failure semantics. The term degradation path is mostly used in the context of human-machine negotiation. In contrast, we apply this concept at all layers and at any level of granularity. Since sessions at the finer level of granularity are extremely short-lived, negotiation of the degradation path is an integral part of QoS negotiations before the service is actually provided.
3. A Uniform and Formal Framework of QoS Concepts The complexity of the QoS concepts that extend the traditional notion of service specification makes the need for a formal framework of QoS evident. Such a framework should be usable to reason about the semantics of QoS negotiation protocols and guide the design and analysis of QoS management mechanisms. The framework should be uniform in a sense that it is applicable to services of any purpose and structure and at any level of granularity, not restricted to transport services in communication systems or the top-level of hierarchically composed services.
Yet the representation of these classes of services in the framework should be in line with work already done and well-established in this area. The framework presented in this paper formalizes the basic QoS concepts as discussed in Section 2 and gives a base for the definition of formal guarantee semantics. It is based on algebraic concepts of sets and relations. 3.1 Basic Definitions Since QoS is a concept that deals with the relations between a service provider and a service user, yet each system component can play both roles in a layered architecture, the first step in the application of our framework is the definition of one or more views. A view separates the entire system into two abstract subsystems connected with each other over an (abstract) interface. The roles of service user and service provider are assigned to the two subsystems based on facts that lie outside the formalization. For example, the subsystem that contains a human user should be assigned the role of the service user. The application of our framework is always relative to a given view. For the analysis of QoS mapping problems, at least two views must be defined. Interaction at the connecting interface is defined as a sequence of events that are characterized by their type, the point in time, and possibly additional event attributes, including the concrete interface at which the event is triggered. Attributes can be used to formalize, for example, the delivery of a certain SDU in a service primitive. Triggering and perception of events occur instantaneously and simultaneously. The second step in our approach is the definition of a set L of possible loads and a set R of possible reactions which is a superset of all reactions that the modelled service provider may show.
It includes intended reactions as well as reactions that do not comply with the needs of the service user. Therefore, the definition of R also implies a preformal failure model of the service provider. Note that each load and reaction can be composed of a sequence of events. Thus, load and reaction usually evolve interlockingly. Next, the set LR of all possible sessions is defined as a subset LR ⊆ L × R. By exclusion of certain reactions for certain loads, definitions in subsequent steps may be formulated with more ease. The restriction of LR to a subset of L × R is a refinement of the preformal failure model. 3.2 QoS Parameters and the QoS Ordering Relation In traditional QoS architectures, QoS is usually expressed by a collection of QoS parameters. Each of these parameters rates a session w.r.t. a limited aspect of quality. By this, an ordering relation on the set LR of sessions can be identified with each parameter. Since any two sessions are comparable w.r.t. each parameter, an ordering relation induced by a parameter takes the form of a transitive and reflexive relation with comparability. In contrast, QoS - if not limited to a particular parameter - is a multi-dimensional concept. Therefore, two sessions s1 and s2 may not be comparable w.r.t. their (global) QoS. Quality of Service in our approach is represented by an ordering relation on LR that is transitive and reflexive but usually lacks comparability.
The QoS ordering relation contains the intersection of all QoS parameter ordering relations. Therefore, if some session s1 is ‘better’¹ than some s2 w.r.t. all QoS parameters it is regarded as ‘better’ w.r.t. the QoS ordering relation. However, additional pairs of sessions (s1, s2) can be defined to be a member of the QoS ordering relation, making session s1 that would otherwise be incomparable to s2 ‘better’ than that session s2. This can be used, for example, to express the preference of one failure type to another, depending on the user requirements. Therefore, the degradation path can be made an integral part of the formal representation of QoS. The QoS ordering relation and QoS parameters are formally specified based on algebraic ordering relations with the following properties:

¹ The term ‘better’ w.r.t. some ordering relation is to be understood as ‘comparable and better-or-equally-good’ in this paper.

Def.: Let $R$ be a relation on a set $S$, i.e., $R \subseteq S \times S$. Let $(x, y) \in R$ be denoted by $xRy$. $R$ is called a pre-order on $S$ ⇔ $R$ is reflexive on $S$ and $R$ is transitive, i.e., $\forall s \in S : sRs$ and $\forall x, y, z : xRy \wedge yRz \Rightarrow xRz$. If $R$ is a pre-order, $xRy$ can also be denoted as $x \le_R y$. (1)

Def.: A QoS ordering relation $Q$ on $LR$ is a pre-order $\le_Q$ on $LR$. (2)

QoS parameters have a similar formal representation but additionally possess the property of comparability. Therefore, a total pre-order relation is defined:

Def.: Let $\le_R$ be a pre-order on $S$. $\le_R$ is called a total pre-order on $S$ ⇔ $\forall x, y \in S : x \le_R y \vee y \le_R x$. (3)

Def.: A quality parameter $A$ on $LR$ is a total pre-order $\le_A$ on $LR$. (4)

Note that total pre-orders are not necessarily anti-symmetric, i.e., $x \le_R y \wedge y \le_R x \not\Rightarrow x = y$. QoS parameters in traditional QoS architectures not only assess sessions relatively to each other but also assign an absolute parameter value to each session. This is reflected in our approach by an alternative, yet equivalent, representation of total pre-orders. The alternative representation is based on the fact that any total pre-order $\le_R$ on $S$ can be defined by an equivalence relation $=_E$ on $S$ and a total order $\le_t$ on the equivalence classes of $=_E$: $x \le_R y \Leftrightarrow E(x) \le_t E(y)$, where $E(x)$ denotes the equivalence class of $x$ w.r.t. $=_E$. Therefore, any total pre-order is equivalent to an indexed partition $P_I$, where the index set $I$ is totally ordered by $\le$. The sets $p_i$ that comprise the partition are interpreted as the equivalence classes of $=_E$ and the total order $\le$ on the index set $I$ is inherited to the total order $\le_t$ of the sets: $p_i \le_t p_j \Leftrightarrow i \le j$. If the total pre-order $\le_A$ of a quality parameter is given by an indexed partition $P_I$, an A-quality parameter value, or A-value for short, is associated with each session $(l, r) \in LR$:

Def.: Let $\le_A$ be a total pre-order on $LR$ given by an indexed partition $P_I$. $i$ is called the A-quality parameter value of $x$ ⇔ $x \in P_i$. $A(x)$ denotes the A-quality parameter value of $x$. (5)

Since quality parameters are total quasi orders, the statement $\neg(x \le_A y)$ (read: “The A-value of x is not less or equal than the A-value of y.”) can be equivalently written as $x >_A y$ (read: “The A-value of x is really greater than the A-value of y.”). The QoS ordering relation must be compatible with the QoS parameters. This is represented algebraically by the following definition:

Def.: Let $P$ be a family of quality parameters $P = \{\le_A, \le_B, \le_C, \dots\}$ on $LR$ and $\le_Q$ be a QoS ordering relation on $LR$. $P$ is conforming to $Q$ ⇔ $\bigcap P \subseteq Q$. (6)

Note that this condition is equivalent to $x \le_A y \wedge x \le_B y \wedge x \le_C y \wedge \dots \Rightarrow x \le_Q y$, which implies $\neg(x \le_Q y) \Rightarrow \exists (A \in P) : \neg(x \le_A y)$. Furthermore, note that quality orders are usually not total quasi orders, and thus $\neg(x \le_Q y) \not\Rightarrow (y \le_Q x)$, i.e., there may be pairs of sessions that are incomparable with respect to $Q$. Also, the precondition $(x, y) \in \bigcap P$ is sufficient but not necessary for $x \le_Q y$. Therefore, $Q$ may contain pairs of sessions that are comparable with respect to $Q$, i.e., $x \le_Q y$, even if for some parameters $A$ and $B$ in $P$ the condition $\neg(y \le_A x) \wedge \neg(x \le_B y)$ is true, i.e., $y >_A x \wedge x >_B y$.

3.3 QoS negotiations and specifications As discussed in Section 2, when the negotiation phase is terminated, a mutual agreement on a QoS specification is established between the service user and the service provider. QoS specifications can be formally represented as follows:

Def.: A (lower) quality limit for a QoS ordering relation $\le_Q$ is a subset $Z \subseteq LR$ with $\forall z', z \in Z : ((z = (l, r) \wedge z' = (l, r')) \Rightarrow (z \le_Q z' \Rightarrow z' \le_Q z))$. (7)

Def.: A quality specification is a pair $(Q, Z)$ of a QoS ordering relation $Q$ and a quality limit $Z$. (8)

Def.: A session $(l, r)$ is called a failure with respect to a QoS specification $(Q, Z)$, iff $\forall z \in Z : z = (l, r') \Rightarrow \neg(z \le_Q (l, r))$. (9)

Definition (7) that formalizes the quality limit defines the set of acceptable sessions to be implicitly represented by its ‘lower edge’ within the QoS ordering relation. The condition on the set Z in Def. (7) states that no two members of the limit shall be comparable in only one direction if they have an identical load. A violation of this condition would compromise the formal definition of the concept of failure type that will be given in the sequel. A system with QoS support will usually be able to support a certain set of QoS ordering relations only. All supported QoS ordering relations have some static aspects in common which are supported in a single way only, while other variable aspects are supported obeying the specific needs of the service user. For example, a service provider for a packet stream transport service may allow to specify an optimal target packet delay, making this aspect of the QoS ordering relation variable, while deviations from the optimal target packet delay are always appraised without respect to the direction in time of the deviation. Therefore, the symmetry of this timing quality parameter can be said to be a static aspect of the QoS ordering relation. Note that the negotiation of an optimal target packet delay is fundamentally different
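
The definitions (1) to (9) can be checked mechanically on a small set of sessions. The following Python sketch is an added example, not code from the paper: the three sessions, the parameter values and all function names are constructed here, using the I-frame packet scenario of Section 2.3 to show how two users negotiate different degradation paths over the same conforming parameters.

```python
from itertools import product

# Constructed sessions (load, reaction) for a single load: one I-frame packet.
L = "iframe_pkt"
OK, LATE, LOST = (L, "on_time"), (L, "limited_delay_violation"), (L, "total_loss")
LR = {OK, LATE, LOST}

def param_order(value):
    """Defs. (4)/(5): total pre-order x <=_A y  <=>  A(x) <= A(y)."""
    return {(x, y) for x, y in product(LR, repeat=2) if value[x] <= value[y]}

def is_preorder(rel):
    """Def. (1): reflexive on LR and transitive."""
    reflexive = all((s, s) in rel for s in LR)
    transitive = all((x, z) in rel
                     for (x, y) in rel for (y2, z) in rel if y == y2)
    return reflexive and transitive

def is_total(rel):
    """Def. (3): any two sessions are comparable."""
    return all((x, y) in rel or (y, x) in rel for x, y in product(LR, repeat=2))

def closure(rel):
    """Smallest pre-order on LR that contains rel."""
    rel = set(rel) | {(s, s) for s in LR}
    for k, i, j in product(LR, repeat=3):  # Warshall: k varies slowest
        if (i, k) in rel and (k, j) in rel:
            rel.add((i, j))
    return rel

def conforming(P, Q):
    """Def. (6): the intersection of all parameter orders is contained in Q."""
    return set.intersection(*P) <= Q

def valid_limit(Z, Q):
    """Def. (7): limit members with equal load are never comparable one way only."""
    return all((z2, z) in Q
               for z, z2 in product(Z, repeat=2)
               if z[0] == z2[0] and (z, z2) in Q)

def is_failure(s, Q, Z):
    """Def. (9): no limit member with the same load is <=_Q the session."""
    return all((z, s) not in Q for z in Z if z[0] == s[0])

def least_severe(candidates, Q):
    """Candidates that no other candidate strictly beats under Q."""
    return {c for c in candidates
            if not any((c, d) in Q and (d, c) not in Q for d in candidates)}

# Constructed parameter values (higher is better).
timeliness = param_order({OK: 1, LATE: 0, LOST: 0})  # deadline met
delivery = param_order({OK: 1, LATE: 1, LOST: 0})    # data arrived at all
effort = param_order({OK: 1, LATE: 0, LOST: 1})      # no work spent on stale data
P = [timeliness, delivery, effort]
BASE = set.intersection(*P)  # LATE and LOST are incomparable here

# Negotiated ordering relations: BASE plus one extra pair, closed to a pre-order.
Q_MPEG = closure(BASE | {(LOST, LATE)})  # a late I-frame still helps P-frames
Q_JPEG = closure(BASE | {(LATE, LOST)})  # a loss saves discarding a stale frame
Z = {OK}                                 # quality limit: deadline must be met

if __name__ == "__main__":
    for name, Q in (("MPEG", Q_MPEG), ("JPEG", Q_JPEG)):
        failures = sorted(s[1] for s in LR if is_failure(s, Q, Z))
        best = least_severe({LATE, LOST}, Q)
        print(name, "conforming:", conforming(P, Q),
              "failures:", failures, "least severe:", [s[1] for s in best])
```

Both negotiated relations classify the same two sessions as failures under Def. (9); they differ only in which failure the provider should prefer when the limit cannot be met.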
0-7803-4386-7/98/$10.00 (c) 1998 IEEE
3.4 Failures and failure types If the QoS specification agreed on in a QoS negotiation can be expressed in terms of the formalization as given in Defs. (1), (2) and (7) through (9), a simple failure concept is included as formally defined in Def. (9). As an extension to this, a formal concept of failure type can be defined, based on QoS parameters as introduced in Def. (4). Note, however, that the definition of QoS parameters is not necessary for QoS support - the existence of a QoS ordering relation and a QoS limit is sufficient. Instead QoS parameters and limiting parameter values are a convenient way to define the QoS ordering relation and the QoS limit. If a formally based concept of failure types is needed, conforming QoS parameters have to be defined. The algebraic definition of the formal failure type concept is given in Definitions (10) and (11): Def.: A session (l, r) is called an F-failure w.r.t. a QoS specification (Q, Z) and a conforming family of quality parameters P iff F ⊆ P , and (l, r) is a failure with respect to (Q, Z), and ∃z ∈ Z : z = ( s, r' ) ∧ ∀f ∈ F : ¬ ( z ≤ f ( s, r ) ) ∧ ( z, ( s, r ) ) ∈ ( P – F) ,
∩
where P - F denotes the family of QoS parameters that are members of P but not of F. (10) Def.: A session (l, r) is called a failure of type T w.r.t. a QoS specification (Q, Z) and a conforming family of quality parameters P iff ∀t ∈ T : (l, r) is a t-failure w.r.t. (Q, Z) and P. (11) Note that F in Definition (10) of an F-failure is the set of violated parameters while T in Definition (11) of the failure type is the set of sets of violated parameters. The concept of formal failure types is defined here in its full generality. In practice, the type of a failure can often be restricted to a single set of parameters by appropriately choosing the QoS ordering relation and/or QoS limit. In such a setting, both concepts can be unified. It is, however, important to see that there are situations in which a session violates different sets of parameters at the same time. This must be taken into account if the set of violated parameters is relevant to the choice of error recovery measures or ‘payment’ of ‘compen-
z2 = (b, a)
H ‘H-better’
from the negotiation of a maximum packet delay deviation (cf. Section 2). When the negotiation protocol is designed, it should be structured along the variable parts of the QoS structures that the service provider supports. Note that it is generally convenient to negotiate the variable aspects of the QoS ordering relation first. Then, the set of acceptable sessions can more easily be defined implicitly by limiting parameter values that must be met at least. The implicit specification of a QoS limit through limiting parameter values is uniform w.r.t. possible loads. The formalization of the QoS limit concept as given in Def. (7) points out that, in the general case, a QoS limit may be given differently for each load. Therefore, the framework can also be used to formally describe negotiations that result in more than a single set of limiting parameter values. Note that static aspects are a part of the service specification just like the negotiated aspects. However, they are known to the service user at the moment when the service provider is chosen and thus need not be negotiated and therefore they need not be included in the negotiation protocol.
r2
r3
r1
{{H}}
r2
{{W, H}}
r3
{{W}, {H}}
z1 = (a, b) r1 ‘W-better’ W
Fig.1 Formal Failure Types sational fees’. The concept is illustrated in Fig. 1. Consider a service that produces oriented rectangles. A service user demands a rectangle of size a × b or larger. The orientation, however, is irrelevant to her and therefore the QoS limit Z comprises z1 = (a, b) and z2 = (b, a). The service provider produces rectangle r1 (cf. Fig. 1) which is not high enough for both z1 and z2, i.e., an {H}-failure and therefore a failure of type {{H}}. In contrast, r2 is not high enough and not wide enough for both z1 and z2 and therefore a {W, H}-failure and of type {{W, H}}. r3 finally, is a {W}-failure w.r.t. z1 but an {H}-failure w.r.t. z2. Thus, r3 has type {{W}, {H}}. If in an interaction it is relevant that any failure has a type consisting of only a single set of parameters, the QoS ordering relation or the QoS limit must be defined in a way that all failures are comparable to only one member of the limit with identical load. A sufficient precondition is the existence of exactly one z ∈ Z for each l ∈ L .
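The rectangle example can be checked mechanically. The following Python sketch is an added illustration, not code from the paper: it implements Defs. (9) to (11) for a finite model and assumes the concrete values a = 4, b = 2, a single load named "req", Q taken as the intersection of the W and H pre-orders, and z in Def. (10) read as a limit member with the same load as the session.

```python
from itertools import combinations

# Constructed instance of the Fig. 1 service: a = 4, b = 2, one load "req".
A, B = 4, 2
LIMIT = [("req", (A, B)), ("req", (B, A))]        # Z = {z1, z2}

# Conforming quality parameters P, assumed here to be the total pre-orders
# that compare width and height of the delivered rectangle.
PARAMS = {
    "W": lambda z, s: z[1][0] <= s[1][0],
    "H": lambda z, s: z[1][1] <= s[1][1],
}

def leq_q(z, s):
    """z <=Q s: s is at least as good as z in every parameter."""
    return all(leq(z, s) for leq in PARAMS.values())

def same_load(limit, s):
    """Limit members whose load is identical to that of session s."""
    return [z for z in limit if z[0] == s[0]]

def is_failure(s, limit):
    """Def. (9): no limit member with identical load is <=Q s."""
    return all(not leq_q(z, s) for z in same_load(limit, s))

def is_f_failure(s, limit, violated):
    """Def. (10): some z is missed in exactly the parameters in `violated`."""
    if not is_failure(s, limit):
        return False
    return any(
        all(PARAMS[n](z, s) != (n in violated) for n in PARAMS)
        for z in same_load(limit, s)
    )

def failure_type(s, limit):
    """Largest T satisfying Def. (11): every F for which s is an F-failure."""
    names = sorted(PARAMS)
    subsets = (frozenset(c) for k in range(len(names) + 1)
               for c in combinations(names, k))
    return {f for f in subsets if is_f_failure(s, limit, f)}

# Constructed rectangles matching the three cases discussed for Fig. 1.
R1 = ("req", (5, 1))   # wide enough, too low for z1 and z2
R2 = ("req", (1, 1))   # too narrow and too low for z1 and z2
R3 = ("req", (3, 3))   # too narrow for z1, too low for z2

if __name__ == "__main__":
    for name, r in (("r1", R1), ("r2", R2), ("r3", R3)):
        print(name, sorted(sorted(f) for f in failure_type(r, LIMIT)))
```

An acceptable session yields the empty type, because Def. (10) requires the session to be a failure in the sense of Def. (9) first.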
4. Example application

To illustrate the basic concepts of the formal framework, an application of the presented framework is given for a service that roughly resembles the physical layer service in ATM [11] at the granularity of single cell transfer. To simplify the example, the transmission of the Generalized Flow Control (GFC) field and the Cell Loss Priority (CLP) is neglected and the Payload Type (PT) field shall consist of a single bit only that is used to code the ATM-layer SDU-type bit.

The view taken divides a simplified ATM network into two subsystems. The service user consists of two ATM-layer entities at the end-points of an ATM connection together with a pair of ATM adaptation layer (AAL) entities and additional higher layer entities. The service provider is a single physical layer connection which directly connects the ATM-layer entities.

The service can be characterized as follows: the service user issues a PHY-UNITDATA.Request at some point in time τ and with the following attributes: a 28-bit virtual path/channel identifier (VPI/VCI) v, a 1-bit PT field t, and a (48 ⋅ 8)-bit payload p. The service provider reacts by issuing a PHY-UNITDATA.Indication with attributes v', t', and p' at time τ + ∆, for some constant positive ∆, or it responds with an empty reaction. The sets L and R of loads and reactions, respectively, can therefore be specified as follows:
Def.: L = { PHY-UNITDATA.Request } × Time × V × T × P, where the set with the only member PHY-UNITDATA.Request indicates the type of (all) events in L, Time is the set of all points in time, V is the set of all possible VPI/VCI values, T is the set of all possible PT values, and P is the set of all possible payloads. (12)

Def.: R = { PHY-UNITDATA.Indication } × Time × V × T × P ∪ { ∅ } (13)

The preformal failure model induced by the definition of R in Def. (13) specifies, for example, that the service provider will never react with an event of the wrong type. Also, if the reaction is non-empty, there is exactly one PHY-UNITDATA.Indication event. For the sake of brevity, event types will be omitted in the sequel.

Def.: The set LR of all possible sessions shall be defined as:
LR = { ( l, r ) ∈ L × R | l = ( τ, v, t, p ) ∧ r = ( τ + ∆, v', t', p' ) ∨ r = ∅ }
where ∆ is the constant delay specific to the physical layer service provider. (14)

With Def. (14), the preformal failure model is refined by specifying that a cell is delivered exactly ∆ time units after its submission or never at all, i.e., there is no delay jitter at the PHY-SAP. Since the example does not make any assumptions on the specific needs of the higher layers, only a generic QoS ordering relation can be given. First, a set of QoS parameters is defined using the technique of partitions with totally ordered index sets as given in Section 3.2. The Accuracy of the delivered VPI/VCI value is specified by the parameter AV:

Def.: AV_1 = { ( l, r ) ∈ L × R | l = ( τ, v, t, p ) ∧ r = ( τ', v, t', p' ) ∨ r = ∅ } and AV_0 = LR – AV_1 (15)

Given a pair of sessions (s1, s2) with s1 ∈ AV_1 and s2 ∈ AV_0, s1 can be said to be ‘better’ than s2 w.r.t. the accuracy of the delivered VPI/VCI value AV, since
( AV ( s1 ) = 1, AV ( s2 ) = 0 ) ⇒ AV ( s2 ) ≤ AV ( s1 ) ⇒ s2 ≤AV s1 (16)

Note that a lost cell is regarded to be in the ‘best’ class of reactions w.r.t. AV. This counter-intuitive definition is necessary to ensure that for a lost cell AV is not part of the formal failure type. Similar definitions can be given for the Accuracy of the delivered PT value, AT, and the Accuracy of the delivered Payload value, AP.

The QoS parameter that reflects the service user’s needs w.r.t. the timing of a session is modelled by the quality parameter CD (Cell Delay) given by a family of continuously-many subsets of LR, indexed by the set ℜ_0 of non-positive real numbers.

Def.: CD_0 = { ( l, r ) ∈ L × R | r = ∅ } and ∀d ∈ ℜ^– : CD_d = { ( l, r ) ∈ L × R | l = ( τ, v, t, p ) ∧ r = ( τ – d, v', t', p' ) } (17)

Note that the index d is the negative delay. This ensures that a session s1 is ‘better’ than some s2 w.r.t. CD if the delay of s1 is smaller than that of s2. This simple definition reflects a notion of
quality w.r.t. the timing that will be common to many service users: the sooner the better. Also, this notion is implicitly used in the standard documents on QoS in ATM [4], [5].

In our example application of the framework, cell loss is separated from excessive cell delay. This is done to demonstrate the potential of our framework, rather than to exactly model the QoS concepts of ATM where, in fact, both failure types are unified. Therefore, loss is defined in Def. (17) to have the ‘best’ rather than the ‘worst’ cell delay parameter value and a separate quality parameter Cell Loss (CL) is defined in Def. (18):

Def.: CL_1 = { ( l, r ) ∈ L × R | r ≠ ∅ }, CL_0 = LR – CL_1 (18)

Given the QoS parameters as defined in Defs. (15), (17), and (18), the core cQ of the QoS ordering relation can be defined:

Def.: cQ = ⋂ { AV, AT, AP, CD, CL } (19)

With Definition (19), a session s1 is ‘better’ w.r.t. a (global) QoS cQ iff it is ‘better’ w.r.t. all quality parameters AV, AT, AP, CD and CL. The service user, however, has an additional preference: since a cell with an inaccurately delivered VPI/VCI value is lost for the original connection anyway, but generates the danger of an additional misinsertion for another connection, a lost cell is ‘better’ than a cell with inaccurate VPI/VCI value. Also, the generic service user prefers² cell losses over inverted SDU-type attributes. This is reflected in the definition of the QoS ordering relation Q by inclusion of additional session pairs:

Def.: Q = cQ ∪ { ( ( l, r ), ( l, r' ) ) | ( ( l, r ) ∈ AV_0 ∨ ( l, r ) ∈ AT_0 ) ∧ ( l, r' ) ∈ CL_0 } (20)

2. This is an assumption based on the design of the Header Error Control mechanism in ATM

The QoS limit that the service user demands can be easily specified implicitly by a tuple of quality parameter values that must be met at least. The generic service user needs ‘best accuracy’ w.r.t. all information fields, a delay smaller than some ∆̃, and no loss. Thus, the limiting parameter values for (AV, AT, AP, CD, CL) are (1, 1, 1, ∆̃, 1), respectively. If the demanded delay ∆̃ is larger than the (only) supported delay ∆, the set Z that specifies the QoS limit is implicitly defined by the tuple of parameter values to be the set of ‘correct’ sessions:

Def.: Z = { ( l, r ) ∈ LR | l = ( τ, v, t, p ) ⇒ r = ( τ + ∆, v, t, p ) } (21)

If, in contrast, the demanded delay ∆̃ is smaller than the (only) supported delay ∆, the implicitly defined QoS limit Z is the empty set and the service provider will always react in a way that the session is a failure (cf. Def. (9)).

The physical layer as specified in ATM supports the QoS ordering relation and limit in two ways. First, by using the resources (i.e., bandwidth and processing power) to simply implement the service correctly in the absence of signal distortions in the bare link and not waste time, the core cQ of the QoS ordering relation is obeyed. Second, additional resources, i.e., extra bandwidth and extra processing power, are used to support those parts of the QoS ordering relation explicitly named in Def. (20). A CRC-based Header Error Control (HEC) code is added to the cell header at the sender side and cells are discarded at the receiver side if HEC procedures detect a bit error. By this, most of the signal distortions that would otherwise result in (at least) {AV}-failures or {AT}-failures are passed upward as {CL}-failures, shifting the session ‘up’ the QoS ordering relation, i.e., making the failure ‘less severe’.

The definition of the QoS ordering relation and limit presented so far has been done based on assumptions on a generic service user. If the service user contains the standardized AAL 1 or AAL 3/4 [13], some of the definitions have to be revised. In AAL 1 and 3/4 the SDU-type bit is not used and therefore, the accurate or inaccurate transmission of the SDU-type bit in the PT field is no quality criterion for the service user. Consequently, there is no need for a quality parameter AT and the QoS ordering relation must be redefined as follows:

Def.: Q_{1, 3/4} = ⋂ { AV, AP, CD, CL } ∪ { ( ( l, r ), ( l, r' ) ) | ( l, r ) ∈ AV_0 ∧ ( l, r' ) ∈ CL_0 } (22)

The physical layer in ATM does not support any form of QoS negotiation. Therefore, the service user must accept the supported QoS ordering relation as defined in Def. (20). The service user cannot communicate its needs to the service provider. As a result, resources are wasted within the service provider for unrequested aspects of the service (i.e., the transmission of the PT field) or even adverse actions: suppression of cells which suffer an inverted PT field only. Note that the negotiation of a different QoS limit alone would not solve the problem. An alternative limit could be defined as in Def. (23) that can also be characterized by the tuple (1, 0, 1, ∆̃, 1), stating that the transmitted PT field must be ‘at least incorrect’:

Def.: Z_{1, 3/4} = { ( l, r ) ∈ LR | l = ( τ, v, t, p ) ⇒ ( r = ( τ + ∆, v, t', p ) ∧ t ≠ t' ) } (23)

Since the service provider still supports QoS ordering relation as given in Def. (20) instead of the one given in Def. (22), it could - from its point of view - ‘enhance’ the quality of a reaction that has (only) an inverted PT field by completely discarding the cell. The service provider could even decide to stop doing anything at all, and by this save resources and at the same time fulfil the contract with a deterministic guarantee and at a level of QoS that is ‘really better’ than the requested limit. Since this is not what the service user wants, the service user has to demand a level of QoS that is higher than actually needed. In the general case, this will entail unnecessary resource usage and a higher service fee or even an unnecessary denial of service if call admittance control decides that not enough resources are available.
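The argument of this section can be replayed on a small model. The Python sketch below is an added illustration, not code from the paper: it encodes the parameters of Defs. (15), (17) and (18), the ordering relations of Defs. (20) and (22), and evaluates Def. (9) against the limits of Defs. (21) and (23) for one constructed load (the values of ∆, τ, v, t and p are assumptions, and ∆̃ is assumed larger than ∆).

```python
DELTA = 3  # constructed constant delay of the provider

def accuracy(i):
    # 1 if field i arrives unchanged or the cell is lost (Def. (15)), else 0
    return lambda l, r: 1 if r is None or r[i] == l[i] else 0

PARAMS = {
    "AV": accuracy(1), "AT": accuracy(2), "AP": accuracy(3),
    "CD": lambda l, r: 0 if r is None else l[0] - r[0],  # negative delay, Def. (17)
    "CL": lambda l, r: 0 if r is None else 1,            # Def. (18)
}

def ordering(core, loss_beats):
    """Intersection of the core parameters plus the extra pairs of Def. (20)/(22)."""
    def leq(z, s):
        (lz, rz), (ls, rs) = z, s
        in_core = all(PARAMS[n](lz, rz) <= PARAMS[n](ls, rs) for n in core)
        # extra pairs: same load, z inaccurate in a listed field, s a lost cell
        extra = lz == ls and rs is None and any(
            PARAMS[n](lz, rz) == 0 for n in loss_beats)
        return in_core or extra
    return leq

Q20 = ordering(["AV", "AT", "AP", "CD", "CL"], ["AV", "AT"])  # Def. (20)
Q22 = ordering(["AV", "AP", "CD", "CL"], ["AV"])              # Def. (22)

def is_failure(s, leq, limit):
    """Def. (9), applied to limit members with the same load as s."""
    return all(not leq(z, s) for z in limit if z[0] == s[0])

def contract_outcomes():
    tau, v, t, p = 10, 0x2A, 1, "payload"          # constructed load
    load = (tau, v, t, p)
    correct = (load, (tau + DELTA, v, t, p))
    pt_inverted = (load, (tau + DELTA, v, 1 - t, p))
    lost = (load, None)
    z21, z23 = [correct], [pt_inverted]            # Def. (21), Def. (23)
    return {
        "Q20/Z21 lost": is_failure(lost, Q20, z21),
        "Q20/Z21 pt_inverted": is_failure(pt_inverted, Q20, z21),
        "Q20/Z23 lost": is_failure(lost, Q20, z23),
        "Q22/Z21 pt_inverted": is_failure(pt_inverted, Q22, z21),
        "Q22/Z21 lost": is_failure(lost, Q22, z21),
    }

if __name__ == "__main__":
    for case, failed in contract_outcomes().items():
        print(f"{case}: {'failure' if failed else 'contract met'}")
```

The entry "Q20/Z23 lost" is the case discussed above: with the relaxed limit of Def. (23) but the ordering of Def. (20), a discarded cell counts as meeting the contract, whereas under Def. (22) an inverted PT field is acceptable and a loss is not.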
5. Conclusion and Outlook

We have shown that the notion of QoS must be extended beyond the negotiation of limiting QoS parameter values. Instead, the service provider should support a variety of QoS ordering relations to better meet the needs of various service users. Negotiation protocols must be designed in a way that their execution efficiently and unambiguously leads to a mutual agreement on a QoS specification that is supported by the service provider and meets the demands of the service user.

The high complexity of the QoS management problem demands the use of formal methods. We have presented a framework that enables the formal representation of QoS ordering relations and QoS limits, yet it incorporates conventional notions of QoS parameters and degradation paths. The framework is based on set algebra, allowing for formal reasoning on QoS management algorithms and negotiation protocols. An application of our framework to a simplified model of the physical layer in ATM was presented and it was shown that the negotiation of the quality limit alone cannot always reflect the needs of the service user.

The work presented in this report is part of an on-going research effort. In the future, the presented framework will be extended to include probability distributions over the set LR of sessions, opening the framework for quantitative analysis of error recovery methods and the QoS mapping problem [14]. Also, the negotiation of load limits as part of a QoS contract will be formalized and different notions of guarantee will be examined.
6. References

[1] ITU-T Recommendation I.350: “General Aspects of Quality of Service and Network Performance in Digital Networks, including ISDNs”, ITU-T, 03/93.
[2] Schulzrinne, H., Casner, S., Frederick, R., Jacobson, V.: “RTP: A Transport Protocol for Real-Time Applications”, RFC 1889, January 1996.
[3] Ferrari, D., Banerjea, A. and Zhang, H.: “Network support for multimedia -- A discussion of the Tenet Approach”, Computer Networks and ISDN Systems, Vol. 26, No. 10, pp. 1267-1280, July 1994.
[4] The ATM Forum: “ATM User-Network Interface Specification - Version 3.1”, September 1994.
[5] ITU-T Recommendation I.356: “B-ISDN ATM Layer Cell Transfer Performance”, ITU-T, 11/93.
[6] Cristian, F.: “Understanding Fault-Tolerant Distributed Systems”, CACM, Vol. 34, No. 2, pp. 57-78, February 1991.
[7] Le Gall, D.: “MPEG: A Video Compression Standard for Multimedia Applications”, CACM, Vol. 34, No. 4, April 1991.
[8] Wallace, G. W.: “The JPEG Still Picture Compression Standard”, CACM, Vol. 34, No. 4, April 1991.
[9] Ferrari, D.: “Real-Time Communication in Packet-Switching Wide-Area Networks”, ICSI Technical Report, TR-89-022, May 1989.
[10] Ferrari, D.: “Client Requirements for Real-Time Communication Services”, ICSI Technical Report, TR-90-007, March 1990.
[11] Chen, T. M., Liu, S. S.: “ATM switching systems”, Artech House, 1995.
[12] Richter, Jan-Peter: “Qualitative and Quantitative Analysis of the HEC Mechanism in ATM”, accepted for 6th International Conference on Telecommunication Systems / Modeling and Analysis, Nashville, TN, March 5 - 8, 1998.
[13] ITU-T: “B-ISDN Adaptation Layer (AAL) Specification”, ITU-T Recommendation I.363, 1992.
[14] Knoche, H. and de Meer, H.: “Quantitative QoS-Mapping: A Unifying Approach”, Proceedings of the Fifth IFIP International Workshop on Quality of Service IWQOS’97, pp. 347-358, Columbia University, New York, May 21-23, 1997.