Formal Checkings in Networks

29
Formal checkings in networks James Hongyi Zeng with Peyman Kazemian, George Varghese, Nick McKeown

Transcript of Formal Checkings in Networks

Formal checkings in networks

James Hongyi Zengwith Peyman Kazemian,

George Varghese, Nick McKeown

Software Defined Network (SDN)

Global Network View

Network Virtualization

PacketForwarding

PacketForwarding

PacketForwarding

PacketForwarding

Abstract Network View

ControlPrograms

ControlPrograms

ControlPrograms

PacketForwarding

Network OS

1. <Match, Action>2. <Match, Action>3. <Match, Action>4. <Match, Action>5. <Match, Action> 6. …7. …

1 2

31. <Match,

Action>2. <Match,

Action>3. <Match,

Action>4. <Match,

Action>5. <Match,

Action> 6. …7. …

1. <Match, Action>

2. <Match, Action>

3. <Match, Action>

4. <Match, Action>

5. <Match, Action>

6. …7. …

1. <Match, Action>

2. <Match, Action>

3. <Match, Action>

4. <Match, Action>

5. <Match, Action>

6. …7. …

1. <Match, Action>

2. <Match, Action>

3. <Match, Action>

4. <Match, Action>

5. <Match, Action>

6. …7. …

1. <Match, Action>

2. <Match, Action>

3. <Match, Action>

4. <Match, Action>

5. <Match, Action>

6. …7. …

“S” for Software

1.Static Checking (“compile time”)“Is my configuration correct?”

2.Dynamic checking (“run time”)“Is my data plane behaving correctly?”

Policy/Control SW

Configuration

Data plane

With SDN we will:1.Formally verify that our networks are behaving correctly.

2.Identify faults, then systematically track down their root cause.

1. Static checkingIs my configuration correct?

MotivationsIn today’s networks, simple questions are hard to answer:

– Can host A talk to host B?– What are all the packet headers from A that can reach B?

– Are there any loops in the network?

– Is Group X provably isolated from Group Y?

– What happens if I remove a line in the config file?

Software Defined Network (SDN)

Global Network View

Network Virtualization

PacketForwarding

PacketForwarding

PacketForwarding

PacketForwarding

Abstract Network View

ControlPrograms

ControlPrograms

ControlPrograms

PacketForwarding

Network OS1. <Match, Action>

2. <Match, Action>

3. <Match, Action>

4. <Match, Action>

5. <Match, Action>

6. …7. …

1. <Match, Action>

2. <Match, Action>

3. <Match, Action>

4. <Match, Action>

5. <Match, Action>

6. …7. …

1. <Match, Action>

2. <Match, Action>

3. <Match, Action>

4. <Match, Action>

5. <Match, Action>

6. …7. …

1. <Match, Action>

2. <Match, Action>

3. <Match, Action>

4. <Match, Action>

5. <Match, Action>

6. …7. …

1. <Match, Action>

2. <Match, Action>

3. <Match, Action>

4. <Match, Action>

5. <Match, Action>

6. …7. …

1. <Match, Action>

2. <Match, Action>

3. <Match, Action>

4. <Match, Action>

5. <Match, Action>

6. …7. …

1. <Match, Action>

2. <Match, Action>

3. <Match, Action>

4. <Match, Action>

5. <Match, Action>

6. …7. …

1. <Match, Action>

2. <Match, Action>

3. <Match, Action>

4. <Match, Action>

5. <Match, Action>

6. …7. …

1. <Match, Action>

2. <Match, Action>

3. <Match, Action>

4. <Match, Action>

5. <Match, Action>

6. …7. …

Static Checker1. <Match,

Action>2. <Match,

Action>3. <Match,

Action>4. <Match,

Action>5. <Match,

Action> 6. …7. …

1. <Match, Action>

2. <Match, Action>

3. <Match, Action>

4. <Match, Action>

5. <Match, Action>

6. …7. …

1. <Match, Action>

2. <Match, Action>

3. <Match, Action>

4. <Match, Action>

5. <Match, Action>

6. …7. …

1. <Match, Action>

2. <Match, Action>

3. <Match, Action>

4. <Match, Action>

5. <Match, Action>

6. …7. …

1. <Match, Action>

2. <Match, Action>

3. <Match, Action>

4. <Match, Action>

5. <Match, Action>

6. …7. …

“A can talk to B”

“Guests can’t reach

PatientRecords”

Policy

How it worksHeader Space Analysis

Header Space Analysis

1 2 3 4

1

23

4

Port ID

A B

Header Space Analysis

1 2 3 4

1

23

4

Port ID

A B

Can A talk to B?

1 2 3 4

1

23

4

Port ID

A B

Header Space AnalysisConsequences1. Finds all packets from A that can

reach B2. Find loops, regardless of

protocol or layer3. Can prove that two groups are

isolated4. Protocol Independent

Proves if network adheres to policyWorks on existing networks and SDNs

Stanford Backbone1) DST IP: 172.26.66.96/28,

VLAN: 330

2) DST IP: 171.64.2.128/27, VLAN: 206

3) DST IP: 172.20.10.64/27, VLAN: 10

4) DST IP: 172.24.2.128/27, VLAN: 206

5) DST IP: 172.26.4.80/29, VLAN: 206

6) DST IP: 172.26.4.88/29, VLAN: 208

7) IP Protocol: TCP DST IP: 171.64.2.24 SRC IP: 172.28.148.27 VLAN: 206...40) IP Protocol: UDP UDP DST Port: 514

750,000 IP forwarding rules.1,500 ACL rules.100 VLANs.

B

A

ToolHassel1. Reads Cisco IOS Configuration 2. Checks reachability, loops and

isolation3. 10 mins for Stanford Backbone to

check loops4. Easily made parallel: 1 sec is

feasible

Hassel is available for free, for you to runhttps://bitbucket.org/peymank/hassel-public/

2. Dynamic CheckingIs my data plane behaving correctly?

MotivationsConfigurations might correctly reflect the policy, but…hardware might not follow configurations

1. Hardware errors (e.g. memory or ASIC errors)2. Link failure3. Congestion4. Table overflow5. Intermittent problems

Such errors cannot be detected by static checking.

Need a independent checker to test the data plane

Software Defined Network (SDN)

Global Network View

Network Virtualization

PacketForwarding

PacketForwarding

PacketForwarding

Abstract Network View

ControlPrograms

ControlPrograms

ControlPrograms

PacketForwarding

Network OS

A BPacket

Forwarding

1. <Match, Action>

2. <Match, Action>

3. <Match, Action>

4. <Match, Action>

5. <Match, Action>

6. …7. …

1. <Match, Action>

2. <Match, Action>

3. <Match, Action>

4. <Match, Action>

5. <Match, Action>

6. …7. …

1. <Match, Action>

2. <Match, Action>

3. <Match, Action>

4. <Match, Action>

5. <Match, Action>

6. …7. …

1. <Match, Action>

2. <Match, Action>

3. <Match, Action>

4. <Match, Action>

5. <Match, Action>

6. …7. …

1. <Match, Action>

2. <Match, Action>

3. <Match, Action>

4. <Match, Action>

5. <Match, Action>

6. …7. …

Testing the network1.Monitor the network by sending test

packets2.Locate the faults with test results

Not a new idea…– Network admins already use ping/traceroute to test the network•Ad-hoc test case generation•Coarse granularity / Low coverage•Lacks fault localization

1. Test every rule in every table? 2. Isolate any fault?

What is the minimum number of test packets to

Test Packets

Fault Localization

How it worksAutomatic Test Packet Generation

Automatic Test Packet Generation

Test Packets

A B

How many packets needed?

Stanford Backbone– 16 routers– 4,000 packets (vs. 750,000 rules)

Internet2– 9 routers– 30,000 packets (vs. 100,000 IPv4 rules)

Testing 10x per second, requires <1% of link-rate

Fault Localization• Given: a set of pass/fail results

• Output: the minimum set of (potential) faulty rules

Demo

What’s next•Automatic performance testing

ExampleApplication mapped to a congested router

queueAutomatic Test Packet Generation will– Identify the queue– Determine which headers (applications)

incur poor performance

“S” for software

1.Static Checking (“compile time”)“Is my configuration correct?”

2.Dynamic checking (“run time”)“Is my data plane behaving correctly?”

Policy/Control SW

Configuration

Data plane

With SDN we will:1.Formally verify that our networks are behaving correctly.

2.Identify faults, then systematically track down their root cause.

Will you?