1. Formal Modeling of an Openflow Switch using Alloy Natali Ruchansky and Davide Proserpio

2. Outline  Background  Openflow  Alloy  Our model  Inside the switch  Functionalities  Properties (some of them)  Extensions and future work 2

3. SDN and Openflow  Software Defined Network (SDN)  decoupling between data and control plane access  Openflow  a standard interface for controlling computer network switches  Simplify networks administration  Very useful for research 3

4. Openflow scenario (Switch) 4

5. Alloy  Language and tool for relational models  Mixture of first order logic and relational algebra  Applications  Find security holes  Verify specifications (e.g. switching networks)  … 5

6. Our switch model  We model a Snapshot  Not a working system!  Possible events at any specific instance  We provide a context network  Network  Controller  End Hosts  Switches  Packets  Simplest network: 2 hosts, a switch and a controller Extend Nodes 6

7. What the (simplified) model looks like 7

8. Inside the Switch  Tables  Pipeline line implementation  Exists first/last table, no loops  Entries (flows)  Match fields  Compare to packet headers  Instructions  indicate what to do with packets  Counters  Keep track of statistics  Ports  Connect nodes  Every port has an owner 8

9. Functionalities  Packet handling  Checking for a match and act accordingly  Table modification  Add and delete  Messaging  Openflow  Controller-to-switch, asynchronous, symmetric  Data 9

10. Example: Add and Delete  Flow table modification messages  Add  If overlap flag & overlap: drop  No overlap flag: insert (replace if identical) entry  Delete  Strict (delete identical entries) ..and not strict version (delete all overlapped entries) 10 //Add entry to a table pred add[t,t':Table,e:Entry]{(t'.entries=t.entries+e)} pred delete[t,t':Table,e:Entry] {e in strictEntry =>t'.entries=t.entries-e else t'.entries=t.entries-findOverlap[e,t]}

11. Properties implemented (some) 1. NoForwardingLoop  This is ensured by checking that a packet entering a switch has not previously entered the switch. 2. NoBlackHoles  No packet mysteriously disappears from the system. 3. EchoAwareness  In our model, the Switch can be in two states – either it has received an echo reply, or it is awaiting one. 4. NoForgottenPackets  Any packet the Switch receives is eventually processed 5. CorrectInstall  Upon receipt of a new flow rule, the installation is correct. 11

12. NoForwardingLoop  We check for every packet if it has already been received/sent by any port of the switch pred noForwardingLoop[s:Switch, p:Packet] {no port:s.ports | port in (p.seen)} 12

13. EchoAwareness  the Switch can be in two states – either it has received an echo reply, or it is awaiting one. //send echo pred Switch.echoTest[] {this.s2c_sendPacket[s2cPacket,s2cPacket,EchoT3] && this.connectionStatus=waiting} //change status pred Switch.Echo[type: Type,]{type=EchoT1 => this.s2c_sendPacket[s2cPacket,s2cPacket,HelloT] && type=EchoT2 =>this.connectionStatus=acked} 13

14. More properties  FIFOprocessing  the model does not have a queue – we chose to set any queueing aside and have Packets processed on a first-come first-serve basis.  InstantOFRespones  When a Switch receives an Openflow message from the Controller, it answers right away  NoForgottenPackets  Any packet the Switch receives is eventually processed 14

15. Extensions  Notion of “time” (Done)  Implemented using module Ordering  Group tables and group types  Test specific applications/protocols 15

16. Thanks! 16