Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network Verification Star Wars amd The Empire Strikes Back.

Published bySilas Byron Daniel Modified over 8 years ago

Similar presentations

Presentation on theme: "Network Verification Star Wars amd The Empire Strikes Back."— Presentation transcript:

1 Network Verification Star Wars amd The Empire Strikes Back

2 Long ago in a network far away, rebel forces began to claim that networking was a separate planet and required specialized verification engines... Early attempts to colonize networking using weapons from the Verification Empire such as Model Checking and SAT solvers resulted in these weapons blowing up....

3 What is the problem? Who cares? “It surprised me that forward rules are so complicated” - anonymous

4 Networks today 4 1001 P1 P2 10*  P1 1*  P2,P2 SQL Drop SQL Load balancing Access Control Lists (ACLs) Multiple Protocols: 6000 RFCs (MPLS, GRE...) Multiple Vendors: Broadcom, Arista, Cisco,... Manual Configurations: Additional arcane programs kept working by “masters of complexity” (Shenker) Crude tools: SNMP, NetFlow, TraceRoute,...

5 Motivation to do better Internal: > 1 hr customer visible outage/quarter (P. Patel) Azure: 30,000 cores down 3 hrs, L2/L3 configuration bug Bing: Entire data center, 8 hours, L2/L3 configuration bug External: (2012 NANOG Network Operator Survey): 35% > 25 tickets per month, > 1 hour to resolve Welsh: vast majority of Google “production failures” due to “bugs in configuration settings” As we migrate to services ($100B public cloud market), network failure a debilitating cost. 5

6 Networks Tomorrow Online services  latency, cost sensitive Merchant Silicon  Build your own router Rise of Data centers  Custom networks Software defined Networks (SDNs)  custom design “routing program” P4 (next generation SDN)  redefine hardware forwarding at runtime 6 Opportunity to custom design networks to optimize goal. Potential simplifications but hard to get right

7 What specific problems does this paper address? Reachability, slicing, loops...

8 What specific problems does this paper not address? Control Plane, Implementation errors, Dynamism, Synthesis...

9 What is model checking? Why is it different from proof assistants like Coq? Why is it used in hardware design (Ana Klimovic?)

10 Model Checking Before model checking, Hoare style proofs:  manual effort Model checking: automatic search over state space to check property Must tame “state space explosion” using compression. Clarke (2007) Advances: symbolic model checking (BDDs), bounded model checking, adding expressivity (e.g., real time model checking) 10

11 Why not use model checking for networks? Or SAT Solvers?

12 Standard model checkers work badly for networks So why not use standard model checking to check for reachability properties (S  D) across all possible packets that could be sent? Works poorly with network state-space explosion (120-bit headers, millions of rules) Also, networks need all headers that do not reach destination. Many model checkers use SAT solvers that provide one solution, not all. 12

13 Central question: is Header Space Analysis just model checking?

14 Classical perspective “Model checking “ networks, so to speak Conquers network state-space explosion (120-bit headers, 10 6 rules) Difference 1: Abstraction of router forwarding  compositional, invertible semantics Difference 2: Structure allows “difference of cubes” to compactly represent header space. Different from Binary Decision Diagrams Difference 2: All counterexamples not just one 14

15 Isn’t the HSA insight just that network forwarding can be represented by Match- Action, an SDN/OpenFlow idea?

16 Many forwarding flavors/ 1 essence 16 IP Router 10010 ESSENTIAL INSIGHT FOR OPENFLOW. BUT HSA PAPER USES SAME INSIGHT FOR UNDERSTANDING EXISTING PROTOCOLS 10*  P1 1*  P2 MAC Bridge 01A1A2 01A1A2  P1... PREFIX MATCH EXACT MATCH MPLS Switch 5, 6 5  P1,Pop 5... INDEXED LOOKUP

17 Besides abstracting routers, what is the more general idea in the HSA paper?

18 Idea: Treat Network as a Program Model header as point in high dimensional space and all networking boxes as transformers of header space, so that... 18 Packet Forwarding 1 2 3 0xx1..x1 Match + Send to port 3 Rewrite with 1xx011..x1 Action 11xx..0x + Send to port 2 Rewrite with 1x01xx..x1 ROUTER ABSTRACTED AS SET OF GUARDED COMMANDS.. NETWORK BECOMES A PROGRAM  CAN USE PL METHODS

19 HSA is a form of semantics but there is not a single theorem in the paper? Are there implicit theorems

20 Yes: Composition, Inversion T 1 (h, p) R1R2R3 Theorem: Network behavior = composition of router transfer functions (Compositionality) Theorem: given header h at destination p, we can invert to find (h’,s): headers sent at source s’ to produce (h,p) (Inversion) 20

21 Why the stress on “real time” in NetPlumber How is the dependency graph built (C.Z. Lee)?

22 Graph on rules not nodes, edge when range of rule R intersects domain of rule S 22................................................ S ? VERIFYING CHANGES BY SDN CONTROLLERS BEFORE THEY TAKE EFFECT

23 Incremental program verification is considered very hard. How did NetPlumber pull it off?

24 What can we learn from model checkers that is missing in the HAS/NetPlumber paper?

25 What we can learn from model checkers Best existing network verification tools (Veriflow, NetPlumber) are very fast and scale to large networks. Existing model checkers are more expressive because they have a: Specification Language: (e.g., Temporal Logic) to describe properties A modelling language (e.g., Promela in SPIN) to model the network By contrast, in all existing work the network model is hardcoded and the specification language is minimal (except NetPlumber) 25

26 Wait a minute, NetPlumber has a policy language. What is it lacking? Differential reachability... Needs negation

27 SPEED From the viewpoint of verification EXPRESSIVITY Hassel, Veriflow NetPlumber  Model checkers, SAT Solvers, Datalog NSDI 2015 The Empire Strikes Back

28 What other aspects of static checking? Control Plane, Quantities, Dynamism, Specification Mining... c

29 NSDI 2015 Papers on Network Verification Catching Protocol Implementation Bugs (Kevin McKenzie): PIC Catching routing configuration errors: Batfish Doing reachability in Datalog to have a more expressive policy language and more expressive network model: NoD

30 Is network verification used in practice (C. Shah)?

31 Network Verification in Practice SecGuru: a simpler form of NoD is used in production in Azure and catches roughly 1 bug a day Veriflow Networks: from UIUC is commercializing Veriflow Forward Networks: from Stanford is commercializing HAS/NetPlumber

32 How can we push the idea of treating networks as programs further? What is the startup potential (Zak Stratton)?

33 33 Specificatio n Policy Language, Semantics Test Packet Generation Verification Synthesis (e.g., Forwarding Rules) Performance verification? Network Design Static checking (Local) Wiring Checkers Network Design Automation? Early work HOW MIGHT WE GO BEYOND EARLY WORK? WHAT NEW AREAS CAN WE TOUCH? JOIN THE PARTY! Dynamic checkers/ debuggers

Download ppt "Network Verification Star Wars amd The Empire Strikes Back."

Similar presentations

Logically Centralized Control Class 2. Types of Networks ISP Networks – Entity only owns the switches – Throughput: 100GB-10TB – Heterogeneous devices:

Logically Centralized Control Class 2. Types of Networks ISP Networks – Entity only owns the switches – Throughput: 100GB-10TB – Heterogeneous devices:
Models and techniques for verification of Software Defined Networks

Models and techniques for verification of Software Defined Networks
Slick: A control plane for middleboxes Bilal Anwer, Theophilus Benson, Dave Levin, Nick Feamster, Jennifer Rexford Supported by DARPA through the U.S.

Slick: A control plane for middleboxes Bilal Anwer, Theophilus Benson, Dave Levin, Nick Feamster, Jennifer Rexford Supported by DARPA through the U.S.
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—4-1 Implementing Inter-VLAN Routing Deploying Multilayer Switching with Cisco Express Forwarding.

© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—4-1 Implementing Inter-VLAN Routing Deploying Multilayer Switching with Cisco Express Forwarding.
OpenFlow Costin Raiciu Using slides from Brandon Heller and Nick McKeown.

OpenFlow Costin Raiciu Using slides from Brandon Heller and Nick McKeown.
Header Space Analysis: Static Checking For Networks Peyman Kazemian, Nick McKeown (Stanford University) and George Varghese (UCSD and Yahoo Labs). Presented.

Header Space Analysis: Static Checking For Networks Peyman Kazemian, Nick McKeown (Stanford University) and George Varghese (UCSD and Yahoo Labs). Presented.
VeriCon: Towards Verifying Controller Programs in SDNs (PLDI 2014) Thomas Ball, Nikolaj Bjorner, Aaron Gember, Shachar Itzhaky, Aleksandr Karbyshev, Mooly.

VeriCon: Towards Verifying Controller Programs in SDNs (PLDI 2014) Thomas Ball, Nikolaj Bjorner, Aaron Gember, Shachar Itzhaky, Aleksandr Karbyshev, Mooly.
Multi-Layer Switching Layers 1, 2, and 3. Cisco Hierarchical Model Access Layer –Workgroup –Access layer aggregation and L3/L4 services Distribution Layer.

Multi-Layer Switching Layers 1, 2, and 3. Cisco Hierarchical Model Access Layer –Workgroup –Access layer aggregation and L3/L4 services Distribution Layer.
The Structure of Networks with emphasis on information and social networks T-214-SINE Summer 2011 Chapter 8 Ýmir Vigfússon.

The Structure of Networks with emphasis on information and social networks T-214-SINE Summer 2011 Chapter 8 Ýmir Vigfússon.
H EADER S PACE A NALYSIS : S TATIC C HECKING F OR N ETWORKS Peyman Kazemian (Stanford University) George Varghese (UCSD, Yahoo Labs) Nick McKeown (Stanford.

H EADER S PACE A NALYSIS : S TATIC C HECKING F OR N ETWORKS Peyman Kazemian (Stanford University) George Varghese (UCSD, Yahoo Labs) Nick McKeown (Stanford.
Troubleshooting SDNs Peyman Kazemian. Why SDN Troubleshooting SDN decouples software (control plane) from hardware (data plane). Opens doors for innovation.

Troubleshooting SDNs Peyman Kazemian. Why SDN Troubleshooting SDN decouples software (control plane) from hardware (data plane). Opens doors for innovation.
Data Plane Verification. Background: What are network policies Alice can talk to Bob Skype traffic must go through a VoIP transcoder All traffic must.

Data Plane Verification. Background: What are network policies Alice can talk to Bob Skype traffic must go through a VoIP transcoder All traffic must.
Formal verification Marco A. Peña Universitat Politècnica de Catalunya.

Formal verification Marco A. Peña Universitat Politècnica de Catalunya.
Class 3: SDN Stack Theophilus Benson. Outline Background – Routing in ISP – Cloud Computing SDN application stack revisited Evolution of SDN – The end.

Class 3: SDN Stack Theophilus Benson. Outline Background – Routing in ISP – Cloud Computing SDN application stack revisited Evolution of SDN – The end.
Languages for Software-Defined Networks Nate Foster, Arjun Guha, Mark Reitblatt, and Alec Story, Cornell University Michael J. Freedman, Naga Praveen Katta,

Languages for Software-Defined Networks Nate Foster, Arjun Guha, Mark Reitblatt, and Alec Story, Cornell University Michael J. Freedman, Naga Praveen Katta,
Data Center Network Redesign using SDN

Data Center Network Redesign using SDN
Cheng/Dillon-Software Engineering: Formal Methods Model Checking.

Cheng/Dillon-Software Engineering: Formal Methods Model Checking.
Formal checkings in networks James Hongyi Zeng with Peyman Kazemian, George Varghese, Nick McKeown.

Formal checkings in networks James Hongyi Zeng with Peyman Kazemian, George Varghese, Nick McKeown.
Semester 1 Module 8 Ethernet Switching Andres, Wen-Yuan Liao Department of Computer Science and Engineering De Lin Institute of Technology

Semester 1 Module 8 Ethernet Switching Andres, Wen-Yuan Liao Department of Computer Science and Engineering De Lin Institute of Technology
How SDN will shape networking

How SDN will shape networking

Similar presentations

Ads by Google