Days
Verification & Research

Protocol instantiations

Trace families, replay state, and core obligations for the current LeanGuard checkers.

All protocol instantiations share the same acceptance semantics (canonicalize-and-replay) and reuse the same obligation families (ParamFreeze, MonotoneTime, PendingMatch, Gate, Accounting, SnapshotEq). What differs is the event vocabulary, the checker replay state, and which obligations matter most.

See also:

Summary table

Protocol familyTrace file / event kinds (representative)Checker replay state (high level)Core obligations enforced
AQM / ECN markingaqm_events.csv: decisionper-queue frozen params; optional per-queue accountingParamFreeze, SnapshotEq (decision legality), optional Accounting
PFCpfc_events.csv: pfc_sent, pfc_recv (optional refresh)per-port/per-priority pause state + pending-mapPendingMatch, Gate (refresh/cooldown), ParamFreeze, optional hysteresis
WFQ schedulerwfq_events.csv: enqueue, schedule, departqueued packets + virtual time + pending scheduled packetAccounting, PendingMatch (schedule/depart), SnapshotEq (tags/time), choice rule (min finish tag)
DRR schedulerdrr_events.csv: enqueue, scheduleper-class FIFO queues + deficit counters + RR pointerAccounting, SnapshotEq (deficit/pointer), choice rule (deficit eligibility), ParamFreeze
CUBIC microbenchcubic_events.csv: CC micro-events (e.g. timeout-driven updates)per-endpoint CC state + frozen parametersSnapshotEq, ParamFreeze, MonotoneTime

Notes by instantiation

AQM / ECN marking (aqm_events.csv)

The trace logs one row per marking/drop decision at a particular queue. Rows include queue identity, packet identity, occupancy context, policy parameters, and the chosen action.

Typical checks:

  • policy parameters are stable per queue (freeze-on-first-use)
  • the logged action is legal under the policy and the logged context
  • if the policy is probabilistic, any logged witness (random draw) is validated

PFC (pfc_events.csv)

The trace logs PFC frames at emission and reception, and (depending on instrumentation) refresh/cooldown behavior.

Typical checks:

  • pfc_recv must match a distinct earlier pfc_sent (no spurious receives)
  • refresh/cooldown gates are respected when modeled
  • per-port parameters stay constant across rows

WFQ scheduler (wfq_events.csv)

Schedulers are a good fit for trace certificates because correctness hinges on small local state and choice rules.

Typical checks:

  • schedule chooses a packet with minimal finish tag
  • tags and virtual time witnesses match the deterministic reference computation
  • scheduled packets depart exactly once (schedule/depart pairing)

DRR scheduler (drr_events.csv)

DRR uses a different replay structure (deficit counters + round-robin pointer).

Typical checks:

  • scheduled packets satisfy deficit eligibility at service time
  • deficit/pointer updates match the reference rule
  • queue contents are conserved under enqueue/schedule

CUBIC microbench (cubic_events.csv)

The CUBIC trace family demonstrates that the design generalizes to end-host congestion-control update rules.

Typical checks:

  • per-endpoint parameters are frozen and consistent
  • the logged post-state snapshot matches the replayed update rule
  • time is monotone per endpoint under canonical order

Trace-certificate checking (design)

More formal design notes on canonicalize-and-replay, trust boundaries, and reusable obligations.

Paper summary

High-level summary of the LeanGuard/Days research narrative.

On this page

Summary tableNotes by instantiationAQM / ECN marking (aqm_events.csv)PFC (pfc_events.csv)WFQ scheduler (wfq_events.csv)DRR scheduler (drr_events.csv)CUBIC microbench (cubic_events.csv)