Inconsistencies between TCP/IP protocol stack implementations and RFC specifications often lead to functional deviations and security vulnerabilities, yet existing detection methods lack support for multi-version, automated, and scalable conformance verification. This paper proposes the first automated framework integrating large language models (LLMs) with differential analysis. It first employs an LLM to parse RFC documents and extract protocol state machines, generating structured intermediate representations (IRs). Next, it models RFC evolution across versions and aligns kernel code semantics to enable incremental IR comparison. Finally, it precisely identifies functional discrepancies and potential vulnerabilities. Evaluated on mainstream kernels—including Linux and FreeBSD—the framework successfully uncovered multiple security defects arising from unsynchronized RFC updates. Our approach significantly advances the automation and scalability of protocol conformance verification.

As the core of the Internet infrastructure, the TCP/IP protocol stack undertakes the task of network data transmission. However, due to the complexity of the protocol and the uncertainty of cross-layer interaction, there are often inconsistencies between the implementation of the protocol stack code and the RFC standard. This inconsistency may not only lead to differences in protocol functions but also cause serious security vulnerabilities. At present, with the continuous expansion of protocol stack functions and the rapid iteration of RFC documents, it is increasingly important to detect and fix these inconsistencies. With the rise of large language models, researchers have begun to explore how to extract protocol specifications from RFC documents through these models, including protocol stack modeling, state machine extraction, text ambiguity analysis, and other related content. However, existing methods rely on predefined patterns or rule-based approaches that fail to generalize across different protocol specifications. Automated and scalable detection of these inconsistencies remains a significant challenge. In this study, we propose an automated analysis framework based on LLM and differential models. By modeling the iterative relationship of the protocol and based on the iterative update relationship of the RFC standard, we perform incremental code function analysis on different versions of kernel code implementations to automatically perform code detection and vulnerability analysis. We conduct extensive evaluations to validate the effectiveness of our framework, demonstrating its effectiveness in identifying potential vulnerabilities caused by RFC code inconsistencies.