Integration von formal Geringqualifizierten in den Arbeitsmarkt.
Formal Checkings in Networks
29
Formal checkings in networks James Hongyi Zeng with Peyman Kazemian, George Varghese, Nick McKeown
Transcript of Formal Checkings in Networks
Formal checkings in networks
James Hongyi Zengwith Peyman Kazemian,
George Varghese, Nick McKeown
Software Defined Network (SDN)
Global Network View
Network Virtualization
PacketForwarding
PacketForwarding
PacketForwarding
PacketForwarding
Abstract Network View
ControlPrograms
ControlPrograms
ControlPrograms
PacketForwarding
Network OS
1. <Match, Action>2. <Match, Action>3. <Match, Action>4. <Match, Action>5. <Match, Action> 6. …7. …
1 2
31. <Match,
Action>2. <Match,
Action>3. <Match,
Action>4. <Match,
Action>5. <Match,
Action> 6. …7. …
1. <Match, Action>
2. <Match, Action>
3. <Match, Action>
4. <Match, Action>
5. <Match, Action>
6. …7. …
1. <Match, Action>
2. <Match, Action>
3. <Match, Action>
4. <Match, Action>
5. <Match, Action>
6. …7. …
1. <Match, Action>
2. <Match, Action>
3. <Match, Action>
4. <Match, Action>
5. <Match, Action>
6. …7. …
1. <Match, Action>
2. <Match, Action>
3. <Match, Action>
4. <Match, Action>
5. <Match, Action>
6. …7. …
“S” for Software
1.Static Checking (“compile time”)“Is my configuration correct?”
2.Dynamic checking (“run time”)“Is my data plane behaving correctly?”
Policy/Control SW
Configuration
Data plane
With SDN we will:1.Formally verify that our networks are behaving correctly.
2.Identify faults, then systematically track down their root cause.
1. Static checkingIs my configuration correct?
MotivationsIn today’s networks, simple questions are hard to answer:
– Can host A talk to host B?– What are all the packet headers from A that can reach B?
– Are there any loops in the network?
– Is Group X provably isolated from Group Y?
– What happens if I remove a line in the config file?
Software Defined Network (SDN)
Global Network View
Network Virtualization
PacketForwarding
PacketForwarding
PacketForwarding
PacketForwarding
Abstract Network View
ControlPrograms
ControlPrograms
ControlPrograms
PacketForwarding
Network OS1. <Match, Action>
2. <Match, Action>
3. <Match, Action>
4. <Match, Action>
5. <Match, Action>
6. …7. …
1. <Match, Action>
2. <Match, Action>
3. <Match, Action>
4. <Match, Action>
5. <Match, Action>
6. …7. …
1. <Match, Action>
2. <Match, Action>
3. <Match, Action>
4. <Match, Action>
5. <Match, Action>
6. …7. …
1. <Match, Action>
2. <Match, Action>
3. <Match, Action>
4. <Match, Action>
5. <Match, Action>
6. …7. …
1. <Match, Action>
2. <Match, Action>
3. <Match, Action>
4. <Match, Action>
5. <Match, Action>
6. …7. …
1. <Match, Action>
2. <Match, Action>
3. <Match, Action>
4. <Match, Action>
5. <Match, Action>
6. …7. …
1. <Match, Action>
2. <Match, Action>
3. <Match, Action>
4. <Match, Action>
5. <Match, Action>
6. …7. …
1. <Match, Action>
2. <Match, Action>
3. <Match, Action>
4. <Match, Action>
5. <Match, Action>
6. …7. …
1. <Match, Action>
2. <Match, Action>
3. <Match, Action>
4. <Match, Action>
5. <Match, Action>
6. …7. …
Static Checker1. <Match,
Action>2. <Match,
Action>3. <Match,
Action>4. <Match,
Action>5. <Match,
Action> 6. …7. …
1. <Match, Action>
2. <Match, Action>
3. <Match, Action>
4. <Match, Action>
5. <Match, Action>
6. …7. …
1. <Match, Action>
2. <Match, Action>
3. <Match, Action>
4. <Match, Action>
5. <Match, Action>
6. …7. …
1. <Match, Action>
2. <Match, Action>
3. <Match, Action>
4. <Match, Action>
5. <Match, Action>
6. …7. …
1. <Match, Action>
2. <Match, Action>
3. <Match, Action>
4. <Match, Action>
5. <Match, Action>
6. …7. …
“A can talk to B”
“Guests can’t reach
PatientRecords”
Policy
How it worksHeader Space Analysis
Header Space Analysis
1 2 3 4
1
23
4
Port ID
A B
Header Space Analysis
1 2 3 4
1
23
4
Port ID
A B
Can A talk to B?
1 2 3 4
1
23
4
Port ID
A B
Header Space AnalysisConsequences1. Finds all packets from A that can
reach B2. Find loops, regardless of
protocol or layer3. Can prove that two groups are
isolated4. Protocol Independent
Proves if network adheres to policyWorks on existing networks and SDNs
Stanford Backbone1) DST IP: 172.26.66.96/28,
VLAN: 330
2) DST IP: 171.64.2.128/27, VLAN: 206
3) DST IP: 172.20.10.64/27, VLAN: 10
4) DST IP: 172.24.2.128/27, VLAN: 206
5) DST IP: 172.26.4.80/29, VLAN: 206
6) DST IP: 172.26.4.88/29, VLAN: 208
7) IP Protocol: TCP DST IP: 171.64.2.24 SRC IP: 172.28.148.27 VLAN: 206...40) IP Protocol: UDP UDP DST Port: 514
750,000 IP forwarding rules.1,500 ACL rules.100 VLANs.
B
A
ToolHassel1. Reads Cisco IOS Configuration 2. Checks reachability, loops and
isolation3. 10 mins for Stanford Backbone to
check loops4. Easily made parallel: 1 sec is
feasible
Hassel is available for free, for you to runhttps://bitbucket.org/peymank/hassel-public/
2. Dynamic CheckingIs my data plane behaving correctly?
MotivationsConfigurations might correctly reflect the policy, but…hardware might not follow configurations
1. Hardware errors (e.g. memory or ASIC errors)2. Link failure3. Congestion4. Table overflow5. Intermittent problems
Such errors cannot be detected by static checking.
Need a independent checker to test the data plane
Software Defined Network (SDN)
Global Network View
Network Virtualization
PacketForwarding
PacketForwarding
PacketForwarding
Abstract Network View
ControlPrograms
ControlPrograms
ControlPrograms
PacketForwarding
Network OS
A BPacket
Forwarding
1. <Match, Action>
2. <Match, Action>
3. <Match, Action>
4. <Match, Action>
5. <Match, Action>
6. …7. …
1. <Match, Action>
2. <Match, Action>
3. <Match, Action>
4. <Match, Action>
5. <Match, Action>
6. …7. …
1. <Match, Action>
2. <Match, Action>
3. <Match, Action>
4. <Match, Action>
5. <Match, Action>
6. …7. …
1. <Match, Action>
2. <Match, Action>
3. <Match, Action>
4. <Match, Action>
5. <Match, Action>
6. …7. …
1. <Match, Action>
2. <Match, Action>
3. <Match, Action>
4. <Match, Action>
5. <Match, Action>
6. …7. …
Testing the network1.Monitor the network by sending test
packets2.Locate the faults with test results
Not a new idea…– Network admins already use ping/traceroute to test the network•Ad-hoc test case generation•Coarse granularity / Low coverage•Lacks fault localization
1. Test every rule in every table? 2. Isolate any fault?
What is the minimum number of test packets to
Test Packets
Fault Localization
How it worksAutomatic Test Packet Generation
Automatic Test Packet Generation
Test Packets
A B
How many packets needed?
Stanford Backbone– 16 routers– 4,000 packets (vs. 750,000 rules)
Internet2– 9 routers– 30,000 packets (vs. 100,000 IPv4 rules)
Testing 10x per second, requires <1% of link-rate
Fault Localization• Given: a set of pass/fail results
• Output: the minimum set of (potential) faulty rules
Demo
What’s next•Automatic performance testing
ExampleApplication mapped to a congested router
queueAutomatic Test Packet Generation will– Identify the queue– Determine which headers (applications)
incur poor performance
“S” for software
1.Static Checking (“compile time”)“Is my configuration correct?”
2.Dynamic checking (“run time”)“Is my data plane behaving correctly?”
Policy/Control SW
Configuration
Data plane
With SDN we will:1.Formally verify that our networks are behaving correctly.
2.Identify faults, then systematically track down their root cause.
Will you?
