

Institut für Automation Abt. für Automatisierungssysteme

# Technische Universität Wien

Projektbericht Nr. 183/1-100 February 2000

# Report on 3 Years of START-Project Y41-MAT

Ulrich Schmid



Salvador Dali, "Die Beständigkeit der Erinnerung"


Technische Universität Wien, Department of Automation, Treitlstraße 1, A-1040 Vienna. Email: s@auto.tuwien.ac.at

February 25, 2000

#### Abstract

This report on our START-project Y41-MAT consists of two parts: The first one surveys the accomplishments of the first three years (January 1997 – December 1999), which were primarily devoted to our multidisciplinary SynUTC clock synchronization research. Many scientific publications in first-rate international journals and conferences, a fully functional prototype implementation of hard- and software, and several pending technology transfer projects reveal that this project developed most successfully. In 1998, we also started our research on the SSCMP sequenced synchronized clock message protocol, which should become our major research activity by 1999/2000. The unexpected death of the primary investigator in January 1999, however, forced us to reshape the goals of the SSCMP project to secure an up-to-date research project. The second part of this report outlines aims and scope of the resulting project W<sub>2</sub>F, which basically extends SSCMP to spread-spectrum wireless communications.

## Contents

- 1 General Overview
- 2 Project SynUTC
  - 2.1 General Infrastructure
  - 2.2 Quick Project Overview SynUTC
  - 2.3 Accomplishments SynUTC
  - 2.4 Details SynUTC
- 3 Project W<sub>2</sub>F/SSCMP
  - 3.1 Ancestor Project SSCMP
  - 3.2 Definition of Project W<sub>2</sub>F
    - 3.2.1 Spread Spectrum CDMA Layer
    - 3.2.2 Basic Protocol Layer (Intra-SN)
    - 3.2.3 Higher-Level Protocol Layer (Inter-SN)
    - 3.2.4 Hardware Architecture
  - 3.3 Organization of Project W<sub>2</sub>F
    - 3.3.1 Definition of features, services and architecture of W<sub>2</sub>F
    - 3.3.2 Research on particular sub-projects
- A START Research Output (SynUTC)
  - A.1 Papers SynUTC
  - A.2 Diplomas and Dissertations SynUTC
  - A.3 Technical Reports SynUTC
  - A.4 Presentations SynUTC
- B START Research Output (W<sub>2</sub>F)
  - B.1 Technical Reports W<sub>2</sub>F
- C Some Relevant Literature for W<sub>2</sub>F

# 1 General Overview

Before reporting on the accomplishments and future plans of our 1996 START-project Y41-MAT, it seems appropriate to point out its apparently non-standard nature: Unlike more recently granted START-projects, our application did not focus on a particular research project. After all, it was explicitly pointed out in the 1995 call-for-applications that START was not a usual project-based funding activity but had broader scope. We did, however, append the complete proposal of our new SSCMP-project in order to provide an example of a "sound" research project, namely, the one we intended to attack next at the time of writing the START-proposal.

Still, during 1996, we were also working on a former FWF-project P10244-ÖMA (SynUTC), which developed quite promisingly and revealed several directions of improvement. Therefore, we submitted an (independent) amendment to P10244-ÖMA to get the required funding. During its evaluation, however, the START prize was granted, so that the FWF eventually pushed the SynUTC amendment onto the START-project. Given the fact that SSCMP also depends upon some of the accomplishments of SynUTC, we finally decided to defer starting SSCMP. After all, the continuation of SynUTC involved a quite costly ASIC design, which would have caused considerable excess of the average annual START-funding (2 Mio. ATS/year) if performed concurrently with SSCMP.

Consequently, we terminated the FWF-project P10244-ÖMA by the end of 1996 and resumed working on the extensions of SynUTC —now in the context of START— on January 1, 1997. We are happy to say that our work developed most satisfactorily (see Section 2): Apart from scientific highlights like closing an open research problem in distributed computing and invited papers & talks, we also succeeded in building a comprehensive prototype implementation suitable for experimental evaluation. As envisioned, the latter eventually turned out to be very effective w.r.t. attracting technology transfer projects<sup>2</sup> — to us the only convincing proof of having done some reasonable research work.

Still, in order to have a new project ready when SynUTC would reach its end, we eventually started the SSCMP-project in January 1998 as well. More specifically, a very capable PhD-student, DI Dieter Höchtl, was put on the track of formal verification in SSCMP's context. Although this was only a minor activity compared to the efforts spent on SynUTC, it was nevertheless the mandatory first step for being able to gradually shift the major attention from SynUTC to SSCMP. Unfortunately, unlike SynUTC, those activities on SSCMP did not develop as expected (see Subsection 3.1): Dieter Höchtl died suddenly only about one year after having started his work.

Instead of just restarting SSCMP, however, we decided to readjust the goals of the whole project to reestablish an up-to-date research project: Our new W<sub>2</sub>F project adapts the ideas of SSCMP to a novel CDMA wireless+wireline network (fieldbus) for factory/home automation purposes; aims and scope will be outlined in Section 3. This project shall become the primary activity in START for the remaining years (and beyond).

# 2 Project SynUTC

The project SynUTC (<u>Synchronized UTC</u> for Distributed Real-Time Systems) is devoted to the foundations and the development of a prototype implementation of a new paradigm for high-accuracy GPS time distribution and external clock synchronization in fault-tolerant distributed systems. Our research on this topic was initiated in a preceding FWF-project P10244-ÖMA, which was a joint activity with Dietmar Loy from the Institute of Computer Technology (ICT) at TU-Vienna. The FWF-project was terminated by the end of 1996; the work on the topic, however, was continued in the context of START on January 1, 1997<sup>3</sup> and terminated by December 1999.

<sup>1</sup>The SSCMP-proposal was submitted as an ordinary FWF-project a few months before we applied for START; funding had been granted just before we received the START prize.

<sup>2</sup>We particularly regret, however, that the basic-research-oriented nature of START does not allow us to engage in technology transfer projects and other promoting efforts like standardization activities. Of course, from a scientific point of view, such activities are not very interesting. Still, we are more and more convinced that only a primary researcher can adequately promote scientific results – but this is a very time-consuming task. For that reason, we had no alternative but to delegate all technology transfer issues to a former collaborator.

<sup>3</sup>Clearly, this report considers only the time from January 1, 1997 – December 31, 1999, i.e., the work & publications performed in the context of START.

## 2.1 General Infrastructure

Before starting our actual research work in January 1997, we built up a suitable infrastructure for our research group. This involved acquiring additional rooms from TU-Vienna and purchasing<sup>4</sup> some equipment like 10 PC-workstations and a Sun-Server + peripherals.

START-Rooms

| # | Room      | m<sup>2</sup> | #Wkp | Remarks                     |
|---|-----------|---------------|------|-----------------------------|
| 2 | offices   | 12            | 2    | newly built; ready end 1998 |
| 1 | START-lab | 27            | 4    | hosts special equipment     |

Costs Infrastructure

| Cat.          | kATS |
|---------------|------|
| Equipment     | 654  |
| Miscellaneous | 47   |
| Total:        | 701  |

## 2.2 Quick Project Overview SynUTC

The research on SynUTC conducted in the framework of START was primarily devoted to

- developing a complete prototype implementation for experimental evaluation and demonstration of feasibility,
- experimental and advanced mathematical analysis of interval-based clock synchronization algorithms,

see Subsection 2.4 for details.

General Information SynUTC

| Item            | Value                                                               |
|-----------------|---------------------------------------------------------------------|
| Homepage:       | http://www.auto.tuwien.ac.at/Projects/SynUTC                        |
| Duration:       | January 1997 – December 1999                                        |
| Collaborations: | Dept. of General Electrical Engineering and Electronics (TU-Vienna) |
|                 | Dept. of Computer Technology (TU-Vienna)                            |

Staff SynUTC (see Subsection 2.3)

| Type            | #Heads | #Months             |
|-----------------|--------|---------------------|
| TU-staff        | 3      | 27+6+2=35           |
| PhD-stud.       | 4      | 9+32+15+18=74       |
| Diploma-stud.   | 7      | 12+6+3+24+4+3+15=67 |
| Practical-stud. | 4      | 5*3=15              |
| Others          | 1      | 3                   |
| Total:          | 20     | 194                 |

Project Costs SynUTC

| Cat.          | kATS  |
|---------------|-------|
| Staff         | 3.246 |
| Equipment     | 673   |
| Material      | 20    |
| Travelling    | 171   |
| Miscellaneous | 30    |
| Total:        | 4.140 |

Publications SynUTC

| Type              | #  | #awards | #invit. | Σ pag. | Avg. pag. | Min. pag. | Max. pag. |
|-------------------|----|---------|---------|--------|-----------|-----------|-----------|
| Journal papers    | 7  |         | 1       | 239    | 34        | 6         | 56        |
| Conference papers | 14 | 1       | 2       | 149    | 11        | 2         | 24        |
| Editorials        | 1  |         | 1       | 360    | 360       | 360       | 360       |
| Diploma theses    | 3  |         |         | 433    | 144       | 62        | 218       |
| Dissertations     | 1  |         |         | 253    | 253       | 253       | 253       |
| Technical Reports | 10 |         |         | 987    | 99        | 15        | 400       |
| Total:            | 36 | 1       | 4       | 2.421  |           |           |           |

Highlights SynUTC

- Solution of 13-year-old problem in distributed computing
- Best paper at IFAC WRTP'99
- Several invited papers & talks
- Exhibition at "Hannover Messe Industrie"
- Two patents (one pending)
- Several pending technology transfer projects

<sup>4</sup>We will give costs in ATS (including 20% VAT), with 1 Euro ≈ 14 ATS.

## 2.3 Accomplishments SynUTC

The particular work on SynUTC in 1997 was devoted to the completion and further extension of our earlier —primarily theoretical— research in P10244-ÖMA. During 1998, we developed a professional prototype implementation of hardware and software in order to facilitate experimental evaluation and technology transfer into industrial applications. More specifically, enabled by additional support from the OeNB (Jubiläumsfonds-Projekt 6454) and the BMfWV (Auftragsforschung GZ 601.577/1-V/B/9/97), we developed working prototypes of

- UTCSU-ASIC,
- Network Time Interface (NTI) MA-Module,
- pSOS<sup>+m</sup> NTI Device-Driver for the Motorola-CPU MVME162,
- Interval-based clock synchronization algorithms,
- pSOS<sup>+m</sup> GPS Device-Driver.

Apart from the inherent complexity and quantity of the work involved, we had to overcome many unexpected problems, primarily with purchased COTS components. Our prototype implementation was first presented at the *Hannover Messe Industrie'98*, at the stand of the Austrian BMfWV in the "Halle für Forschung und Technologie".

This work was complemented by many scientific publications in international journals and conference proceedings, numerous comprehensive technical reports documenting our development results, several diploma theses and a dissertation. Included are a best paper at the IFAC WRTP'99 [13], invited papers in J. Real-Time Systems [14] and IASTED AMS'99 [15], and an invited talk at the 37th IFIP WG10.4 (http://www.dependability.org) Annual Meeting 2000 (Workshop on "Time and Dependability"). Recently, we also solved a 13-year-old problem in distributed computing [20] put forward by Leslie Lamport.

Last but not least, there is an increasing number of national and international industrial companies that consider adopting our approach for demanding applications. For example, the Austrian company Baur Prüf- und Meßtechnik suggested using our technology for online fault detection+location in power distribution grids. This application has already been protected by a patent (German Gebrauchsmuster 296 23086.3). An application for another promising patent has been submitted recently.

The following list of members and collaborators of the SynUTC-group, along with their major responsibility, reveals the considerable efforts spent on this project:

| Name               | Type                      | Duration      | Responsibility                              |
|--------------------|---------------------------|---------------|---------------------------------------------|
| Ulrich Schmid      | TU-staff                  | 1/97-now      | project head                                |
| Martin Horauer     | TU-staff                  | 1/99-now      | NTI<sub>2</sub> development                 |
| Nikolaus Kerö      | TU-staff                  | 10/97-6/99    | head NTI<sub>1</sub> development            |
| Martin Horauer     | PhD-empl.                 | 1/97-9/97     | UTCSU and NTI<sub>0</sub> development       |
| Klaus Schossmaier  | PhD-empl.                 | 1/97-8/99     | Theory & algorithms rate synchronization    |
| Herbert Nachtnebel | PhD-empl.                 | 3/98-6/99     | NTI<sub>1</sub> development and evaluation |
| Bettina Weiss      | PhD-stip.                 | 3/98-8/99     | Simulation system SimUTC                    |
| Bettina Weiss      | Dipl-stip.                | 1/97-12/97    | Simulation system SimUTC                    |
| Günther Gridling   | Dipl-stip.                | 3/97-8/97     | Graphical user interface SimUTC             |
| Gerda Richter      | Dipl-stip.                | 10/97 - 12/97 | NTI Device-Driver                           |
| Thomas Mandl       | Dipl-stip.                | 3/97-2/99     | NTI/UTCSU integration and testing           |
| Dieter Höchtl      | Dipl-stip.                | 5/97-8/97     | GPS-receiver evaluation                     |
| Martina Umlauft    | Dipl-stip.                | 9/99-11/99    | Development GPS Device-Driver               |
| Albrecht Kadlec    | Diploma                   | 10/98-12/99   | pSOS-port for AcQ i6040 CPU                 |
| Thomas Mandl       | Practical                 | WS 96/97      | pSOS-port MVME-162 + SIO IPM10              |
| Michael Schmidt    | Practical                 | WS 98/99      | Revision NTI Device-Driver                  |
| Gerald Hummel      | Practical                 | SS 98         | Random Generator for SimUTC                 |
| Michael Kuen       | Practical                 | WS 99/00      | Shared Memory NTI Device-Driver             |
| Christian Thiery   | Practical                 | WS 99/00      | Development GPS Device-Driver               |
| Eva Kirpicsenko    | 25% empl.                 | 9/96–11/97    | Secretary                                   |

## 2.4 Details SynUTC

This subsection is devoted to a more detailed description of the particular work conducted in SynUTC. We also outline possible directions of further research, which might or might not be pursued in the future.

#### • Analysis of Interval-based Clock Synchronization Algorithms

This—undoubtedly most interesting and challenging—part of SynUTC was devoted to a worst case analysis of the performance of our algorithms. Its importance lies in the fact that it provides guaranteed bounds on quantities like the maximum clock deviation, which cannot be obtained experimentally (experiments or simulation are only useful for measuring the average case performance, which is of course interesting in its own right). An elaborate interval-based analysis framework was established in [2], [S2], which greatly reduces the required efforts. Nevertheless, it took us more than two years to complete the pivotal worst case analysis of our interval-based orthogonal accuracy [18] and optimal precision [19] algorithms.

A similar situation was encountered in the analysis of the important subject of fault-tolerant clock rate synchronization [4], [16], [S8], which is the core contribution of the excellent<sup>5</sup> 1998 dissertation [D4] of Klaus Schossmaier.

Finally, in 1999, we discovered the nice result that our FTI interval intersection function (known since 1995) closes a 13-year-old problem put forward by Leslie Lamport, see [20]. We find this experience particularly enlightening, since it shows that some discoveries simply need time to show up: For more than two years, we did not realize that our advanced analysis techniques apply to FTI. When we eventually realized this, it was a matter of a few days to write the paper and send it to the most renowned journal in the field. If START had not allowed us to do research without the usual short-term perspective, we would have never been able to work out our analysis technique and hence the solution to Lamport's problem.

Needless to say, there are still a few interesting problems that should/could be attacked in the future. Among these are:

- A comprehensive generic analysis of interval-based clock validation,
- The investigation of some alternative clock synchronization algorithms,
- An exploration of the internal/external tradeoff and lower bound results for accuracy and rate intervals,
- Extension of our scheme to multiple synchronization subnets.

#### • Development of the UTCSU-ASIC

In the context of P10244, we had designed an ASIC called UTCSU [1] that provides most of the hardware support for high-accuracy clock synchronization. Due to the extremely high manufacturing costs (≈ US\$ 50.000) and certain problems when migrating from P10244 to START (see the final report on FWF-project P10244-ÖMA), we decided in 1996 to first produce a downsized version of the UTCSU (called UTCLIENT [3]).

In 1997, the START-project and additional funding from OeNB and BMfWV finally enabled us to complete the full version of the UTCSU. The very large chip (die size about 100 mm<sup>2</sup>) was sent to the manufacturer ES2 via the ESPRIT initiative EUROPRACTICE near the end of 1997 — over half a year later than expected. This delay was primarily caused by the tremendous complexity of the ASIC and the above mentioned uncertainty w.r.t. funding. Fabrication (as part of a multiproject wafer) and, in particular, testing of the UTCSU were eventually completed by the end of 1998, again with considerable delay due to manufacturing problems caused by the large die size.

#### • Development of the NTI Hardware

In 1997, we developed a first prototype of the *Network Time Interface* M-Module (NTI<sub>0</sub>) [9], which makes the UTCSU accessible to state-of-the-art CPU-boards. By means of this prototype, we mainly tested the downsized UTCLIENT chip to avoid pitfalls in the expensive UTCSU. An interesting and unexpected experience was the fact that using standard components (COTS) does not necessarily lead to shorter development time: Since both processor and network controller are usually provided on COTS CPU-boards, there was no need to accommodate them on-board the NTI. Those savings, however, finally proved quite expensive due to bugs of the purchased VME carrier boards. Actually, the difficulty of spotting the problems and getting the manufacturers to fix them almost caused the project to fail.

<sup>5</sup>We are satisfied to find our "quality before quantity" attitude justified by the fact that Klaus Schossmaier won the race for a very attractive job in the new LHC-project at CERN in Geneva, despite keen international competitors.

Starting from our first prototype implementation NTI<sub>0</sub>, we then developed the "professional" version NTI<sub>1</sub> [S5], [10], [14] in 1998. Its realization was "outsourced" to the CAD-Group (Nikolaus Kerö) at the Institute of General Electrical Engineering and Electronics (IAEE) at TU Vienna. Their development work, which was also funded partially by the OeNB, was successfully completed in 1998. Note that we will continue the cooperation with IAEE also in the W<sub>2</sub>F-project.

In 1999, we eventually started the development of a second generation NTI<sub>2</sub> for 100 Mb/sec Ethernet networks [21]. This work is primarily conducted by Univ.Ass. DI Martin Horauer at the Dept. of Computer Technology, who is working on his dissertation. Our novel idea for MII-based data packet timestamping will eventually allow clock synchronization accuracies in the few 10 ns range over fast Ethernet networks.

Future directions of research and implementation are NTIs for different networks like CAN, including fault-tolerant versions employing multiple UTCSUs.

#### • Development of SimUTC for Simulation and Evaluation

In 1998, we finished the development of an elaborate simulation toolkit called SimUTC [17]. Apart from supporting the design of interval-based clock synchronization algorithms, SimUTC primarily facilitates long-term evaluation of the system performance under various operating conditions, including fault injection. Note that SimUTC raised certain interest in the scientific community, as shown e.g. by the invited paper [15].

The architecture of SimUTC has been designed from scratch to allow replacement of simulated system components by their real counterparts, namely, network controller and NTI. Therefore, a modified "evaluation version" of our toolkit can be used for experimental long-term evaluation. For an initial version of this evaluation system, we primarily had to deploy/adapt the prototype NTI Device-Driver [S7], [S4] for our pSOS<sup>+m</sup> target system.

The initial version of the evaluation system was used to conduct an experimental evaluation of the time distribution accuracy achieved by the NTI in an Ethernet-based distributed system. These results won us the best paper at the IFAC WRTP'99 [13]. Note that papers dealing with a sound experimental evaluation are rare in our field and in fact very much appreciated at conferences and journals, cf. [14]. In view of the exhaustive development efforts underlying such papers, however, this fact is not really surprising.

The major activity in 1999 was the design and development of a sophisticated pSOS<sup>+m</sup> Device-Driver [S10], which allows connecting a GPS timing receiver to a pSOS<sup>+m</sup> target system equipped with an NTI.

What remains to be done in order to set up the full evaluation version of SimUTC is porting the SimUTC core to pSOS<sup>+m</sup> and putting together all components. This will most likely be done in 2000, along with a thorough experimental evaluation of our whole setup.

# 3 Project W<sub>2</sub>F/SSCMP

The project W<sub>2</sub>F will be our major research activity for the remaining 3 years of START (and beyond). It is devoted to a next-generation fieldbus for distributed factory automation and home/facility automation, which will employ spread-spectrum CDMA technology both on wireline and wireless media. W<sub>2</sub>F is totally different from the comparatively "narrow" SynUTC project, since it will be set up as a large multidisciplinary research activity involving many —reasonably independent— sub-projects performed by different groups. Clearly, some of those sub-projects will be carried out by ourselves and hence funded by START.

## 3.1 Ancestor Project SSCMP

W2F is in fact the result of a re-shaping of the former Sequenced Synchronized Clock Message Protocol (SSCMP) project, which targeted novel protocols for reliable and timely multicast communications. For the reasons stated in Section 1, research on this project was deferred until 1998, when we put a very capable PhD-student of the SynUTC team, Dieter Höchtl, on the track of timed automaton specification and verification of reliable multicast protocols: Apart from collecting and reading the many relevant papers, he soon attacked the problem of designing a tool for semi-automatic verification of such specifications.

Nobody could foresee, however, that a sudden death while jogging would abruptly stop Dieter Höchtl's ambitious and untiring work in January 1999. Unfortunately, due to the "pioneering" character of his work, most of the acquired knowledge was only in his head — one year is not enough to establish a basis that would allow somebody else to proceed where Dieter left the scene.

For this reason, we had to face the fact that most of the initial efforts spent on SSCMP were lost. Just simply restarting this work, however, was impossible since one cannot delay a project like SSCMP by two years without reconsidering the question of novelty of research. The project W<sub>2</sub>F outlined in the following subsection is the attractive result of this re-shaping process.

## 3.2 Definition of Project W<sub>2</sub>F

The idea of W2F (Wireless/Wired Factory/Facility Fieldbus) [W1] is to apply the protocols envisioned in SSCMP, along with additional ones, including SynUTC's very high-accuracy clock synchronization, to the hot topic of spread spectrum wireless communications. Our final goal is a novel CDMA wireline + wireless network for factory/home automation purposes, that is, an unconventional fieldbus for arbitrary topologies of LAN-type subnets (SNs), which shall guarantee

- real-time data transmission
- fault-tolerance
- security

even in case of failures, attacks, and overloads. Our work will target theoretical/conceptual foundations and formal correctness proofs as well as a prototype implementation of hardware and software.

From an architectural point of view, W2F consists of a variety of services implemented via suitable protocols. According to the forthcoming W2F service specification [W3], we group the services in three major layers (from bottom to top, see Figure 1):

1. Spread Spectrum CDMA Layer
2. Basic Protocol Layer (Intra-SN)
3. Higher-Level Protocol Layer (Inter-SN)

#### 3.2.1 Spread Spectrum CDMA Layer

Unlike all other existing fieldbuses, we will not employ simple baseband transmission on wireline interconnections. Instead, we will use spread spectrum CDMA [Goi98] for transmission both on wireline and wireless channels. This offers a number of advantages: No real-time communications scheduling problem as with conventional shared channels, inherent security, superior noise immunity, receiver-based addressing, etc.



Figure 1: Overview of the services at a node and their major dependencies

Still, the ambitious goals of W<sub>2</sub>F demand novel CDMA schemes supporting sporadic many-to-many communication with a bit-error rate comparable to that of baseband wireline technology. Advanced security & admission control as well as fault/interference detection and location are also of primary importance. It is pretty obvious that many interesting research problems must be solved at this layer to achieve those goals.

We will not dive into further details here, since this part of the project will be handed over to an expert in the field (Alois Goiser at TU Vienna, see Subsection 3.3). We should mention, however, that one of our key ideas to solve the challenging problems at this layer is to exploit high-level knowledge—like topology information and global time—provided by services in higher layers. We are reasonably convinced that this will eventually boost CDMA performance and features as required.

#### 3.2.2 Basic Protocol Layer (Intra-SN)

The protocols summarized in this layer are responsible for communication within a single subnet. They will provide services like

- fault-tolerant external clock synchronization
- fault-tolerant position acquisition
- secure connection/connectivity management (transient disconnection & hidden nodes)
- interference and interferer location detection
- reliable at-most-once data transmission
- group management
- atomic multicasting

optimized for performance within each SN. Primary features will be fault-tolerance, security and real-time performance guarantees under normal conditions and graceful degradation under exceptional conditions like partitioning and denial-of-service attacks, for example. Particular emphasis will be put on overload protection and security proofs [GSG99].

The envisioned protocols will differ from existing ones by the fundamental role dedicated to a global knowledge of *position* and *time* in all protocols. More specifically, a fault-tolerant topology service SN\_TOPOL will be responsible for continuously providing an accurate view of the positions (and hence mutual distances) of all nodes. Using this information, the quality of service of many other protocols can be considerably improved. This is particularly true for the clock synchronization service CLOCKSYNC, which will use similar techniques as those developed in SynUTC [SKM<sup>+</sup>00], [FC97b] to establish a highly accurate common notion of time at all nodes.

By making synchronized interval clocks with very high accuracy available at the lowest layer, we can rely upon timestamped messages (which are usually required by the applications running atop anyway) in all our protocols. For example, in contrast to the usual approaches based on sequence numbers, our Sequenced Synchronized Clock Message Protocol SSCMP [SP95] provides sequenced at-most-once delivery of messages by means of a clock-based connection management protocol. Unlike handshake-based ones, this protocol is also well-suited for W<sub>2</sub>F's sporadic request/reply communication patterns.

Last but not least, synchronized clocks enable both synchronous atomic broadcasting [Mul93] and time-driven transmission scheduling algorithms. Therefore, our approach offers conceptual coherence and improved performance at the same time. Graceful degradation (at least fail-awareness [Fet97]) can be achieved by using the accuracy information made available by SynUTC's interval-based clock synchronization.
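As an added illustration (not code from this report or from SSCMP [SP95], whose actual rules are not given here), the following Python sketch shows the general idea behind the last two paragraphs: a receiver that uses timestamps from synchronized interval clocks, rather than sequence numbers or a handshake, to guarantee at-most-once delivery, and that becomes fail-aware when its own accuracy interval grows too wide. The class names, the `lifetime` and `max_acc` parameters and the sample trace are assumptions made for the example.

```python
"""Clock-based at-most-once delivery with an interval clock (illustrative sketch)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Reading:
    """Interval clock reading: real time is guaranteed to lie in [t - acc, t + acc]."""
    t: float
    acc: float


@dataclass
class Receiver:
    lifetime: float   # assumed maximum message lifetime in the subnet (seconds)
    max_acc: float    # assumed accuracy bound; beyond it the node declares itself degraded
    last: dict = field(default_factory=dict)  # sender -> newest accepted timestamp
    upper: float = float("-inf")              # >= every timestamp whose state was dropped

    def expire(self, now: Reading) -> None:
        """Drop state of idle senders, keeping one bound instead of a record each."""
        horizon = now.t - now.acc - self.lifetime
        if horizon <= self.upper:
            return
        self.upper = horizon
        self.last = {s: ts for s, ts in self.last.items() if ts > horizon}

    def deliver(self, sender: str, ts: float, acc: float, now: Reading) -> str:
        """Decide on a message stamped ts +/- acc by the sender's clock."""
        if now.acc > self.max_acc:
            return "degraded"   # fail-aware: own clock too uncertain to judge freshness
        self.expire(now)
        if ts - acc > now.t + now.acc:
            return "future"     # cannot have been sent yet; accepting it would block the sender
        if ts <= self.last.get(sender, self.upper):
            # Known sender: duplicate or reordered copy. Unknown sender: older than
            # anything we still remember, so a replay cannot be ruled out.
            return "duplicate" if sender in self.last else "too-old"
        self.last[sender] = ts
        return "accepted"


def run_demo():
    """Replay a constructed trace of (receiver clock, sender, timestamp) tuples."""
    ok, lost = 1e-5, 0.5   # clock accuracy while synchronized / after losing sync
    trace = [
        (Reading(100.0, ok), "valve-7", 99.998),
        (Reading(100.5, ok), "valve-7", 99.998),    # replayed copy
        (Reading(100.6, ok), "valve-7", 100.599),
        (Reading(105.0, ok), "valve-7", 100.599),   # replay after the state expired
        (Reading(105.1, ok), "pump-2", 230.0),      # timestamp far ahead of real time
        (Reading(105.2, lost), "pump-2", 105.199),  # receiver clock out of sync
        (Reading(105.3, ok), "pump-2", 105.299),
    ]
    rx = Receiver(lifetime=2.0, max_acc=1e-3)
    return [rx.deliver(s, ts, ok, now) for now, s, ts in trace]


if __name__ == "__main__":
    print(run_demo())
```

Rejecting everything at or below `upper` keeps the no-duplicate guarantee even if clocks drift apart; clock accuracy only determines how many fresh messages are refused unnecessarily.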

#### 3.2.3 Higher-Level Protocol Layer (Inter-SN)

W<sub>2</sub>F will finally provide a suite of protocols that offer transparent services across SN boundaries. Examples of such services are

- naming service,
- routing across SN borders,
- topology management,
- system configuration, monitoring and maintenance,
- global group management,
- global atomic multicasting.

We will build those protocols atop the basic ones, following a layered approach. This allows the design of well-defined and high-performance basic protocols (intra-SN), which can be used as building blocks for almost any high-level protocol (inter-SN). Particular emphasis will also be put on system configuration, monitoring and maintenance, since ease of use is a key feature for any fieldbus-based system.

#### 3.2.4 Hardware Architecture

Some of the envisioned protocols need certain hardware support, which is to be integrated with the required communications facilities. At the bottom layer, we have to deal with issues like wireless/wired interfacing, power supply over wire, low-level security/encryption mechanisms, very high-accuracy synchronized clocks, etc. In addition, there are basic protocols like SSCMP that must be implemented partly in hardware for performance reasons as well. Another important issue affecting the hardware architecture is the idea of employing secure coprocessors [SW99] for establishing a trusted and continuously operational computing base for the whole system.

The electrotechnical part of this work will of course be delegated to an expert in the field (Nikolaus Kerö at TU-Vienna, see Subsection 3.3).

It seems appropriate to end this subsection with some facts that back up our belief that W<sub>2</sub>F is an excellent project to work on for the coming years.

First, there is definitely a need for this technology, as it allows true real-time communications, exploits all the bandwidth made available by (existing) cable infrastructure, and supports mobile nodes. Second, several experts in related fields gave us enthusiastic feedback on our proposal, and some of them (like Christof Fetzer from AT&T Research) explicitly declared their interest in participating in this research. Third, research on real-time spread spectrum computer communications is scarce. Of course, there is much research on the hot topic of spread spectrum wireless communications, but we did not find even a single ongoing research project that is related to W<sub>2</sub>F. Some recent experience with a planned year-2000 special issue of J. Real-Time Systems on "Wireless Real-Time Computing" also confirms this fact: When we proposed this special issue to the Editor-in-Chief, Jack Stankovic, he called this a fantastic proposal but told us that he was not aware of any good research in that area. The meager response to our call for papers confirms that he was indeed right.

Therefore, we think that there is a very good chance for a head start in a very attractive research area.

## 3.3 Organization of Project W2F

The multiple-project nature of W<sub>2</sub>F imposes two different lines of action on our group, namely:

1. Working out the definition of features, services and architecture of W<sub>2</sub>F and setting up collaborations,
2. Conducting research on particular sub-projects.

Starting with 1., both activities will eventually be performed concurrently during the whole lifetime of the project.

#### 3.3.1 Definition of features, services and architecture of W2F

The first prerequisite for setting up W<sub>2</sub>F is an initial specification of the entire system, since defining subprojects and establishing collaborations depend critically upon it. This part of our work has already been started in 1999 and comprises W<sub>2</sub>F basic features [W1] and its initial service and architectural specification [W3]. We hope to complete the initial versions by mid 2000 (although a continuous update/adaption during the whole lifetime of the project will of course take place).

The research work will be carried out by assigning sub-projects to interested collaborators. Clearly, it will be the responsibility of each collaborator to set up a research group and acquire resources. Note carefully that this apparently risk-prone construction is in fact well-suited for W2F: Since sub-projects are in fact reasonably independent of each other, inevitable delays or even unsuccessful launching of sub-projects will not do much harm to each other.

More specifically, the particular research projects in W<sub>2</sub>F, like fault-tolerant locationing, timely data transmission or atomic multicasting, are —like the former SynUTC— reasonably orthogonal to each other and challenging per se. Moreover, the dependencies of a service on other parts of W<sub>2</sub>F can neatly be encapsulated within the interfaces, hence allowing simulation/emulation of not-yet-available services. Therefore, work on a particular sub-project in W<sub>2</sub>F can be started as soon as some (initial) service specification —and some researchers + the required resources— is at hand, and it will not be invalidated if another sub-project should fail.

At the beginning, we will be quite restrictive w.r.t. launching sub-projects. Most importantly, we will by no means try to set up each and any activity/collaboration right from the beginning. After all, it makes sense to delay starting the work on higher-level protocols until some progress has been made in lower-level ones.

At the moment, W<sub>2</sub>F will be a joint activity of the following groups:

- Ulrich Schmid (project head), Department of Automation, TU Vienna
- Christof Fetzer (topology services), AT&T Research, USA
- Alois M.J. Goiser (spread spectrum CDMA), Institute of Applied Electronics and Quantum Electronics, TU Vienna
- Nikolaus Kerö (hardware architecture), Institute of Applied Electronics and Quantum Electronics, TU Vienna

#### 3.3.2 Research on particular sub-projects

Apart from specifying and designing the whole architecture of W<sub>2</sub>F, the next years of START (and beyond) will primarily be devoted to the work on two sub-projects in W<sub>2</sub>F:

#### 1. Secure and reliable communication

This (major) sub-project will be devoted to the basic protocols ADM\_CTRL, DATAGRAM, SN\_CONN and (perhaps) SN\_ATOMIC in Figure 1, which constitute the basic communications facilities of W2F. Connection management, reliable transmission, rate & flow control are some of the key communication issues here. A different —but nevertheless tightly integrated—problem domain are security-related issues like admission control, authentication and encryption and appropriate correctness proofs.

Our research will focus upon proven-correct protocol design and analytical worst case performance analysis; simulation will also be used where appropriate. Moreover, ultimately, we will try to build up a reasonably complete prototype implementation for experimental evaluation. Our workplan assumes two concurrent directions for developing the solutions, one from the security point of view and one from the communications point of view. The latter will be started mid 2000, the former has already been started in 1999 by assessing suitable security proof/verification methods [W2].

#### 2. Clock synchronization

This (minor) sub-project will be devoted to the problem of establishing very high accuracy synchronized clocks. In our attempt to develop CLOCKSYNC, we will of course adopt and extend the results of the SynUTC-project.

Our corresponding workplan assumes that we first close two open issues of SynUTC required in this context, namely, interval-based clock validation and the experimental evaluation framework, see Subsection 2.4. Adapting everything to the W<sub>2</sub>F framework should then be relatively easy.

The work on those parts of the W<sub>2</sub>F-project started about September 1, 1999 and is/will<sup>6</sup> be performed by the following primary staff:

| Name             | Type          | Duration | Responsibility                     |
|------------------|---------------|----------|------------------------------------|
| Ulrich Schmid    | TU-staff      | 4/99-    | project head                       |
| Bettina Weiss    | PhD-empl.     | 9/99-    | Security                           |
| N.N.             | PhD-empl.     | 6/00-    | Communication                      |
| N.N.             | PhD-empl.     | 3/00-    | SynUTC Clock validation & adaption |
| Günther Gridling | 50% PhD-empl. | 3/00-    | SynUTC evaluation system           |

<sup>6</sup> Being currently in the phase of setting up our group, the present staff falls of course short of the required final size of our group. Note also that we do not list less costly staff like diplomands.

In this early phase of the project, there is no need for much special equipment (recall that the CDMA part of W<sub>2</sub>F will be outsourced). Therefore, in the first and second years, we will spend most of the funding still available in the START project (approx. kATS 6.500 for the next three years) for staff. Still, as in the past, we will try to limit the scheduled annual expenses to about kATS 1.800 to create some savings for "unexpected" demands.

# A START Research Output (SynUTC)

This appendix contains all SynUTC-related papers submitted/published after January 1, 1997.

## A.1 Papers SynUTC

# References

- [1] Klaus Schossmaier, Ulrich Schmid, Martin Horauer, Dietmar Loy. Specification and Implementation of the Universal Time Coordinated Synchronization Unit (UTCSU), J. Real-Time Systems, 12(3), 1997, p. 295–327.
- [2] Ulrich Schmid, Klaus Schossmaier. Interval-Based Clock Synchronization, J. Real-Time Systems, 12(2), 1997, p. 173–228.
- [3] Martin Horauer, Dietmar Loy. UTCLIENT an ASIC Supporting Clock Synchronization in Distributed Real-Time Systems, Proceedings AUSTROCHIP'97, Technische Universität Wien, Dept. of Computer Technology, 1997, p. 290–296.
- [4] Klaus Schossmaier. An Interval-based Framework for Clock Rate Synchronization, Proceedings of the 16th ACM Symposium on Principles of Distributed Computing, St. Barbara, USA, August 21-24th, 1997, p. 169–178.
- [5] Dietmar Loy. Time-Services Hardware Support in Fault-Tolerant Real-Time Systems, Proceedings of the 5th international conference on VLSI and CAD (ICVC'97), Seoul, Korea, October 13-15, 1997, (3 dpages).
- [6] Ulrich Schmid. Hochgenaue Uhrensynchronisation über LANs, Elektronikschau, 10/97, Oktober 1997, p. 20–23.
- [7] Dieter Höchtl, Ulrich Schmid. Long-Term Evaluation of GPS Timing Receiver Failures, Proceedings of the 29th IEEE Precise Time and Time Interval Systems and Applications Meeting PTTI'97, Long Beach, California, December 1997, p. 165–180.
- [8] Ulrich Schmid (ed.) The Challenge of Global Time in Large-Scale Distributed Real-Time Systems, Special Issue of J. Real-Time Systems, 12(1-3), 1997, 360 p.
- [9] Martin Horauer, Ulrich Schmid, Klaus Schossmaier. NTI: A Network Time Interface M-Module for High-Accuracy Clock Synchronization, Proceedings of the 6th International Workshop on Parallel and Distributed Real-Time Systems (WPDRTS'98), Orlando, USA, March 30 – April 3, 1998, p. 1067–1076.
- [10] Herbert Nachtnebel, Nikolaus Kerö, Gerhard R. Cadek, Thomas Mandl, Ulrich Schmid. Rapid Prototyping mit programmierbarer Logik: Ein Fallbeispiel, Proceedings AUSTROCHIP'98, October 1998, Wiener Neustadt, Austria, p. 99–104.
- [11] Martin Horauer, Dietmar Loy. Hardware Unterstützte Uhrensynchronisation in Verteilten Systemen, Proceedings AUSTROCHIP'98, October 1998, Wiener Neustadt, Austria, p. 67–72.
- [12] Ulrich Schmid. Challenges in Interval-based Clock Synchronization, Seminar-Report 185 of Dagstuhl-Seminar 9728 on "Average Case Analysis of Algorithms" (Germany, July 1997), 1998, p. 19–20.
- [13] Ulrich Schmid, Herbert Nachtnebel. Experimental Evaluation of High-Accuracy Time Distribution in a COTS-based Ethernet LAN, Proceedings 24th IFAC/IFIP Workshop on Real-Time Programming WRTP'99, May/June 1999, p. 59–68.
- [14] Ulrich Schmid, Johann Klasek, Thomas Mandl, Herbert Nachtnebel, Gerhard Cadek and Nikolaus Kerö. A Network Time Interface M-Module for Distributing GPS-time over LANs, to appear in J. Real-Time Systems 18(1), 2000, (35 pages).

- [15] Ulrich Schmid, Bettina Weiss, Günther Gridling, Klaus Schossmaier. A Unified Approach for Simulation and Experimental Evaluation of Fault-Tolerant Distributed Systems, Proceedings IASTED International Conference Applied Modelling and Simulation AMS'99, September 1999, Cairns, Australia, p. 43–48.
- [16] Klaus Schossmaier, Bettina Weiss. An Algorithm for Fault-Tolerant Clock State & Rate Synchronization, Proceedings 18th IEEE Symposium on Reliable Distributed Systems (SRDS'99), Lausanne, Switzerland, October 1999, p. 36–47.
- [17] Bettina Weiss, Günther Gridling, Ulrich Schmid, Klaus Schossmaier. The SimUTC Fault-Tolerant Distributed Systems Simulation Toolkit, Proceedings 7th International Symposium on Modeling, Analysis and Simulation of Computer and Telecommunication Systems MASCOTS'99, College Park, MD, USA, 1999, p. 68–74.
- [18] Ulrich Schmid. Orthogonal Accuracy Clock Synchronization, TR 183/1-77, Technische Universität Wien, Dept. of Automation, November 1999. (53 pages, submitted to Chicago Journal on Theoretical Computer Science)
- [19] Ulrich Schmid. Interval-based Clock Synchronization with Optimal Precision, TR 183/1-78, Technische Universität Wien, Dept. of Automation, December 1999. (39 pages, submitted to Information and Computation)
- [20] Ulrich Schmid, Klaus Schossmaier. How to Reconcile Fault-Tolerant Interval Intersection with the Lipschitz Condition, August 1999. (11 dpages, submitted to Distributed Computing)
- [21] Ulrich Schmid, Martin Horauer, and Nikolaus Kerö. How to distribute GPS-time over COTS-based LANs. In *Proceedings of the 31th IEEE Precise Time and Time Interval Systems and Application Meeting (PTTI'99)*, Dana Point, California, December 1999. (to appear). (16 pages)
- [22] Ulrich Schmid. High-Accuracy Time Services and Fault-Tolerant Clock Synchronization, 37th (Invited) IFIP WG10.4 Annual Meeting (Workshop on "Time and Dependability"), Martinique, France, January 2000. (to appear). (37 pages)

## A.2 Diplomas and Dissertations SynUTC

# References

- [D1] Bettina Weiss. Simulation Environment for Clock Synchronization, Diploma Thesis, Technische Universität Wien, Dept. of Automation, June 1997, 62 p.
- [D2] Gerda Richter. Device Driver for Real-Time Communication Coprocessor, Diploma Thesis, Technische Universität Wien, Dept. of Automation, June 1997, 218 p.
- [D3] Thomas Mandl. Network Time Interface Benutzerhandbuch. Diploma Thesis Technische Universität Wien, Department of Automation, February 1999, 153 p.
- [D4] Klaus Schossmaier. Interval-based Clock State and Rate Synchronization, Dissertation Technische Universität Wien, Faculty of Technical and Natural Sciences, Department of Automation, September 1998, 253 p.

## A.3 Technical Reports SynUTC

# References

- [S1] Ulrich Schmid. Kabel-Fehlerortung mit SynUTC, Technical Report 183/1-81, Technische Universität Wien, Department of Automation, July 1997, approx. 20 p. (Patent: German Gebrauchsmuster 296 23086.3)
- [S2] Ulrich Schmid, Klaus Schossmaier. *Interval-based Clock Synchronization Revisited*, Technical Report 183/1-80, Technische Universität Wien, Department of Automation, July 1997, p. 1–24.

- [S3] Christian Kral, Thomas Mandl, Ulrich Schmid, Klaus Schossmaier. *Tips für die Messe-Präsentation von Forschungsergebnissen*, Technical Report 183/1-83, Technische Universität Wien, Department of Automation, April 1998, approx. 15 p.
- [S4] Ulrich Schmid, Thomas Mandl. Implementation of the NTI Device-Handler. Technical Report 183/1-86, Department of Automation, TU Vienna, January 1999, approx. 40 dpages.
- [S5] Thomas Mandl, Herbert Nachtnebel, Ulrich Schmid. Network Time Interface User Manual. Technical Report 183/1-87, Department of Automation, TU Vienna, January 1999, approx. 150 p.
- [S6] Bettina Weiss. Simulation Environment for Clock Synchronization. Technical Report 183/1-88, Department of Automation, TU Vienna, February 1999, 105 p.
- [S7] Gerda Richter, Michael Schmidt, Ulrich Schmid. i82596 NTI Device-Driver Software Documentation. Technical Report 183/1-90, Department of Automation, TU Vienna, February 1999, approx. 400 p.
- [S8] Klaus Schossmaier, Johann Klasek. Implementing the Optimal Precision Algorithm for Clock State & Rate Synchronization. Technical Report 183/1-91, Department of Automation, TU Vienna, February 1999, p. 1–86.
- [S9] Gerald Hummel, Bettina Weiss. *Random Generators*. Technical Report 183/1-92, Department of Automation, TU Vienna, February 1999, p. 1–17.
- [S10] Martina Umlauft and Ulrich Schmid. GPS Device-Driver Software Documentation. Technical Report 183/1-97, Department of Automation, TU Vienna, October 1999, approx. 110 pages.

## A.4 Presentations SynUTC

- Dietmar Loy. UTCLIENT an ASIC Supporting Clock Synchronization in Distributed Real-Time Systems, AUSTROCHIP'97, Technische Universität Wien, Dept. of Computer Technology, 1997.
- Klaus Schossmaier. An Interval-based Framework for Clock Rate Synchronization, 16th ACM Symposium on Principles of Distributed Computing, St. Barbara, USA, August 21-24th, 1997.
- Dieter Höchtl. Long-Term Evaluation of GPS Timing Receiver Failures, 29th IEEE PTTI Systems and Application Meeting, Long Beach, California, December 1997.
- Dietmar Loy. Time-Services Hardware Support in Fault-Tolerant Real-Time Systems, 5th international conference on VLSI and CAD (ICVC'97), Seoul, Korea, October 13-15, 1997.
- Ulrich Schmid. Challenges in Interval-based Clock Synchronization, Dagstuhl-Seminar 9728 on "Average Case Analysis of Algorithms", Germany, July 1997.
- Klaus Schossmaier. NTI: A Network Time Interface M-Module for High-Accuracy Clock Synchronization, 6th International Workshop on Parallel and Distributed Real-Time Systems (WPDRTS), Orlando, USA, March 30 – April 3, 1998.
- Herbert Nachtnebel. Rapid Prototyping mit programmierbarer Logik: Ein Fallbeispiel, AUSTROCHIP'98, October 1998, Wiener Neustadt, Austria.
- Martin Horauer. Hardware Unterstützte Uhrensynchronisation in Verteilten Systemen, AUSTROCHIP'98, October 1998, Wiener Neustadt, Austria.
- Ulrich Schmid. Experimental Evaluation of High-Accuracy Time Distribution in a COTS-based Ethernet LAN, 24th IFAC/IFIP Workshop on Real-Time Programming WRTP'99, May/June 1999. (Best Paper)
- Bettina Weiss. A Unified Approach for Simulation and Experimental Evaluation of Fault-Tolerant Distributed Systems, IASTED International Conference Applied Modelling and Simulation AMS'99, Cairns, Australia, September 1999. (Invited)
- Klaus Schossmaier. An Algorithm for Fault-Tolerant Clock State & Rate Synchronization, Symposium on Reliable Distributed Systems (SRDS '99), Lausanne, Switzerland, October 1999.

- Bettina Weiss. The SimUTC Fault-Tolerant Distributed Systems Simulation Toolkit, 7th International Symposium on Modeling, Analysis and Simulation of Computer and Telecommunication Systems MASCOTS'99, October 1999.
- Ulrich Schmid. High-Accuracy Time Services and Fault-Tolerant Clock Synchronization, 37th IFIP WG10.4 Annual Meeting (Workshop on "Time and Dependability"), Martinique, France, January 2000. (Invited)

# B START Research Output (W<sub>2</sub>F)

Right now, this appendix only contains some technical reports written in the course of setting up W2F.

## B.1 Technical Reports W<sub>2</sub>F

# References

- [W1] Ulrich Schmid. Basic Features of the W<sub>2</sub>F Fieldbus. Technical Report 183/1-95, Department of Automation, TU Vienna, August 1999, p. 1–5.
- [W2] Bettina Weiss. Security in Distributed Systems A Survey. Technical Report 183/1-99, Department of Automation, TU Vienna, February 2000.
- [W3] Christof Fetzer and Ulrich Schmid. Architecture and Services of the W<sub>2</sub>F Fieldbus. Technical Report 183/1-101, Department of Automation, TU Vienna, (forthcoming).

# C Some Relevant Literature for W<sub>2</sub>F

## References

- [FC97b] Christof Fetzer and Flaviu Cristian. Integrating external and internal clock synchronization. J. Real-Time Systems, 12(2):123–172, March 1997.
- [Fet97] Christof Fetzer. Fail-Awareness in Timed Asynchronous Systems. Dissertation, University of California, San Diego, Computer Science, 1997.
- [Goi98] Alois M.J. Goiser. Handbuch der Spread-Spectrum Technik. Springer, Wien, New York, 1998.
- [GSG99] S. Gritzalis, D. Spinellis, and P. Georgiadis. Security protocols over open networks and distributed systems: formal methods for their analysis, design, and verification. Computer Communications, 22:697-709, 1999.
- [Mul93] Sape Mullender. Distributed Systems. ACM Press/Addison Wesley, New York, 2nd edition, 1993.
- [SKM+00] Ulrich Schmid, Johann Klasek, Thomas Mandl, Herbert Nachtnebel, Gerhard R. Cadek, and Nikolaus Kerö. A Network Time Interface M-Module for distributing GPS-time over LANs. J. Real-Time Systems, 18(1), 2000. (to appear).
- [SP95] Ulrich Schmid and Alfred Pusterhofer. SSCMP: The sequenced synchronized clock message protocol. *Computer Networks and ISDN Systems*, 27:1615–1632, 1995.
- [SW99] Sean W. Smith and Steve Weingart. Building a high-performance, programmable secure coprocessor. *Computer Networks*, 31:831–860, 1999.