ECCP: A Formally-Verified Migration Protocol For Mobile, Multi-Homed Hosts
Transcript of ECCP: A Formally-Verified Migration Protocol For Mobile, Multi-Homed Hosts
Page 1: ECCP: A Formally-Verified Migration Protocol For Mobile, Multi-Homed Hosts
Matvey Arye
Joint work with: Erik Nordström, Robert Kiefer, Jennifer Rexford, Michael J. Freedman
Page 2: Original Internet Architecture
Hosts did not move and had a single connection to the Internet
Page 3: Fast Forward
• Mobile devices have new capabilities
– Devices move
– Multiple points-of-attachment
• Servers have changed
– VM migration
– Multiple network attachments (NICs)
– Data-center multihoming
Page 4: Extending Network Capabilities
• Host mobility, VM migration
– Connection shouldn’t break when hosts move
• Switching seamlessly between WiFi and 4G
– Ability to switch between network interfaces
• Load balancing between network paths across interfaces
– Ability to move individual flows between interfaces
• Having backup routes on alternative interfaces
– Maintaining a list of alt. interfaces for connections
Page 5: Problems Arise From Current Abstractions
• No network changes
• Independent of data delivery semantics
[Diagram: today’s stack (Application / Transport / Network) beside the proposed stack, in which the transport layer is split into Connection Control and Data Delivery (TCP in “ESTABLISHED” state) above the Network layer]
Page 6: The Flow Abstraction
[Diagram: two hosts, each layered Application / Connection Control / Data Delivery / Network. Connection Control on both sides names the Connection by PID; inside it, Flow1 is identified by FlowID1 at each end and Flow2 by FlowID2 at each end. At the Network layer, Flow1 runs between IP1 and IP2 and Flow2 between IP3 and IP4]
Page 7: Our Approach For Handling Device Mobility
[Diagram: Alice’s Connection Control maps Flow1 (FlowID1) to Bob at IP2, so the Network layer carries Flow1 between IP1 and IP2. Bob signals “My address has changed” and becomes Bob:IP5; Alice’s Network mapping becomes IP1 to IP5 while FlowID1 is unchanged]
Page 8: Contribution 1: ECCP
End-to-End Connection Control Protocol
• Host mobility through end-to-end signaling
• Transport-layer independence
• Multipath through new flow abstraction
Page 9: Contribution 2: Formal Verification
• Connection control protocols hard to get right
– We show that TCP-Migrate and HIP are incorrect
• Non-determinism makes it hard to verify
– Unreliable network, changing network identifiers
– Non-determinism leads to state-space explosion
• We show new techniques to enable verification
– Verified ECCP in SPIN
Page 10: Other End-to-End Protocols
Comparison table. Columns: ECCP, TCP-Migrate, MPTCP, HIP. Rows: Formally Verified, Transport Independent, Rapid Migration, Multipath Capable, Per-Flow Migration. In the Formally Verified row, TCP-Migrate and HIP are marked Incorrect; the table’s other cells are not legible in the transcript.
Page 11: Protocols
• Establishing connections
• Moving flows to new addresses
• Adding flows to connection
• Handling NATs
• Simultaneous migrations
Page 12: Connection Establishment
• Three-way handshakes to establish states
• Each peer communicates flowID to other peer
– Unlike IP addr., doesn’t change during migration
– Packets demultiplexed on local flowID
• Optionally sends alternative addresses to peer for fail-over and additional flows
Page 13: The Protocol – Initial Flow
Client → Server: SYN (Service S), Flow ID-C. Server demuxes on: S
Server → Client: SYN-ACK, Flow ID-C, Flow ID-S. Client demuxes on: Flow ID-C
Client → Server: ACK, Flow ID-C, Flow ID-S. Server demuxes on: Flow ID-S
Page 14: The Protocol – Changing Addresses
Mobile (new address IP5) → Stationary: RSYN, Version #-M, Flow ID-M, Flow ID-S, SRC=IP5. Stationary demuxes on: Flow ID-S; records address IP5
Stationary → Mobile: RSYN-ACK, Version #-M, Flow ID-M, Flow ID-S. Mobile demuxes on: Flow ID-M
Mobile → Stationary: ACK, Version #-M, Flow ID-M, Flow ID-S. Stationary demuxes on: Flow ID-S; changes address to IP5
Page 15: Version #s
• Need to use versioning on migration messages
• HIP, TCP-Migrate use TCP-like sequence #s
– Ties connection control to data delivery
– Creates problems -- need different semantics
Semantics when getting packet N:
“Sequence”: received 0 to N-1; cannot skip ahead
“Version”: all previous #s < N; can skip ahead
Page 16: Sequence # Semantics are Dangerous
Mobile (new address IP5) → Stationary: RSYN, Sequence #n
Stationary → Mobile: RSYN-ACK, Sequence #n
Mobile (new address IP6) → Stationary: RSYN, Sequence #n+1
Stationary: can’t process sequence #n+1 because it didn’t finish #n
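The RSYN exchange of Page 14 and the unfinished-handshake case of Page 16, as an added example that is not part of the slides or of the Serval code: a Python model of the stationary host that demultiplexes on its own Flow ID-S and applies either the “sequence” or the “version” acceptance rule from Page 15. The names (Rsyn, FlowState, Stationary, slide16_scenario), the flow ID 7 and the addresses are constructed assumptions.

```python
# Added example (not ECCP or Serval code): the stationary host's RSYN handling,
# demultiplexed on its own Flow ID-S rather than on the peer's IP address, under
# the two acceptance rules the slides compare for migration numbers.
from dataclasses import dataclass, field
@dataclass
class Rsyn:
    flow_id_s: int   # Flow ID-S: the stationary host's demux key
    number: int      # version # (or sequence #, depending on the policy)
    src_ip: str      # address the RSYN arrived from: the mobile host's new IP
@dataclass
class FlowState:
    peer_ip: str
    highest: int = 0                               # highest # processed so far
    pending: dict = field(default_factory=dict)    # number -> candidate peer IP
class Stationary:
    def __init__(self, flow_id_s, peer_ip, semantics):
        self.semantics = semantics                 # "version" or "sequence"
        self.flows = {flow_id_s: FlowState(peer_ip)}   # keyed by local flow ID

    def on_rsyn(self, pkt):
        st = self.flows.get(pkt.flow_id_s)         # demux on Flow ID-S, never on IP
        if st is None:
            return None                            # unknown flow: ignore
        if self.semantics == "sequence":
            # "Received 0 to N-1, cannot skip ahead": #n must finish before #n+1
            ok = pkt.number == st.highest + 1 and not st.pending
        else:
            # "All previous #s < N, can skip ahead": a newer RSYN supersedes #n
            ok = pkt.number > st.highest
        if not ok:
            return None
        st.highest = pkt.number
        st.pending = {pkt.number: pkt.src_ip}      # record the address; commit on ACK
        return ("RSYN-ACK", pkt.number)

    def on_ack(self, flow_id_s, number):
        st = self.flows[flow_id_s]
        if number in st.pending:                   # an ACK for an older # changes nothing
            st.peer_ip = st.pending.pop(number)
        return st.peer_ip

def slide16_scenario(semantics):
    """Page 16 with constructed values: mobile moves to IP5 (RSYN #1), the RSYN-ACK
    is lost, then it moves to IP6 and sends RSYN #2 before #1 ever finished."""
    host = Stationary(flow_id_s=7, peer_ip="IP2", semantics=semantics)
    host.on_rsyn(Rsyn(7, 1, "IP5"))                # RSYN-ACK for #1 never arrives
    reply = host.on_rsyn(Rsyn(7, 2, "IP6"))
    if reply is None:
        return "stuck: cannot process #2 because #1 did not finish"
    host.on_ack(7, reply[1])                       # three-way exchange for #2 completes
    return host.on_ack(7, 1)                       # a late ACK for #1 must not revert
```

With the version rule the scenario ends with the peer recorded at IP6; with the sequence rule the stationary host never gets past migration #1.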
Page 17: Formal Verification
Page 18: Formal Verification - Overview
• Modeled in SPIN
• Checks for deadlocks
– Neither party can send or receive messages
• Checks for livelocks
– Neither party can do anything useful
– Each host can ping the other host
Page 19: Goals of Connection Control
• Robust connectivity across mobility events
– Maintain up-to-date mapping between flows & IPs
– Correct if each host can ping its peer
• What connection control is NOT
– Reliable delivery
– Bit-correctness of data (i.e. checksums)
– Ordering of data
Pages 20–21: Model Checking 101: Explore All Interleavings
[Diagram: Process 1 and Process 2, with their steps interleaved in every possible order]
Page 22: Model Checking 101: Build Global State-Space
[Diagram: global state-space graph with State 1 through State 5; State 2 and State 4 each appear on more than one path]
Page 23: Verification Challenges
• Most protocols verified in SPIN sit on top of a reliable data-delivery layer
– But for ECCP, the network is unreliable: loss, duplication, and reordering of packets are possible but can cause state-space explosion
• State-space explosion due to random FlowIDs
• No notion of time in SPIN – timeouts are tricky
– But are needed to recover from packet loss
Page 24: Modeling an Unreliable Network
[Diagram: Process 1, Process 2 and a Network Sim process between them]
Network simulator can drop, reorder or duplicate packets
Pages 25–27: Creates Unnecessary States
[Diagram: Process 1, Process 2 and the Network Sim as a third process, with two labelled steps (1, 2) shown interleaved in both orders]
Relative order does not matter for protocol execution
Page 28: More Efficient Implementation
[Diagram: Process 1 and Process 2 only, no separate Network Sim process]
Network simulator runs as part of the sending process
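Pages 24 through 28 argue that a separate network-simulator process adds interleavings that make no difference to the protocol, and that folding the simulator into the sender removes them. As an added Python stand-in for the SPIN model (not the authors’ Promela), this explorer builds both global state spaces for a two-message exchange (drop and duplicate are modelled, reorder is omitted) and counts reachable states and deadlocked states; explore, separate_model, folded_model, deadlocks and compare are assumed names.

```python
# Added example (not the paper's SPIN/Promela model): a small explicit-state
# explorer showing why running the lossy network inside the sending process
# shrinks the global state space. Two hosts each send one message and then wait
# for one from their peer; the network may deliver, drop or duplicate a message.
from collections import deque
COPIES = (1, 0, 2)    # deliver, drop, duplicate: copies that reach the inbox

def explore(init, successors):
    """Breadth-first search over global states; returns every state reached."""
    seen, todo = {init}, deque([init])
    while todo:
        for nxt in successors(todo.popleft()):
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen

def separate_model(s):
    """Network Sim as its own process (Pages 24-27): a send goes into the queue
    `net`, and the simulator's step interleaves with every step of the other host."""
    pc_a, pc_b, net, in_a, in_b = s       # pc: 0 = not sent, 1 = sent, 2 = received
    if pc_a == 0: yield (1, pc_b, net + ("A",), in_a, in_b)     # A sends to B
    if pc_a == 1 and in_a: yield (2, pc_b, net, in_a[1:], in_b)  # A receives
    if pc_b == 0: yield (pc_a, 1, net + ("B",), in_a, in_b)
    if pc_b == 1 and in_b: yield (pc_a, 2, net, in_a, in_b[1:])
    if net:                               # simulator decides the fate of the head
        src, rest = net[0], net[1:]
        for n in COPIES:
            yield ((pc_a, pc_b, rest, in_a, in_b + ("m",) * n) if src == "A"
                   else (pc_a, pc_b, rest, in_a + ("m",) * n, in_b))

def folded_model(s):
    """Page 28: loss/duplication decided at send time, inside the sending process."""
    pc_a, pc_b, in_a, in_b = s
    if pc_a == 0:
        for n in COPIES: yield (1, pc_b, in_a, in_b + ("m",) * n)
    if pc_a == 1 and in_a: yield (2, pc_b, in_a[1:], in_b)
    if pc_b == 0:
        for n in COPIES: yield (pc_a, 1, in_a + ("m",) * n, in_b)
    if pc_b == 1 and in_b: yield (pc_a, 2, in_a, in_b[1:])

def deadlocks(states, successors):
    """Page 18's deadlock check: no step possible and not both hosts finished."""
    return sum(1 for s in states if not list(successors(s)) and s[:2] != (2, 2))

def compare():
    """(states, deadlocks) for the separate-process model and for the folded one."""
    sep = explore((0, 0, (), (), ()), separate_model)
    fold = explore((0, 0, (), ()), folded_model)
    return (len(sep), deadlocks(sep, separate_model)), (len(fold), deadlocks(fold, folded_model))
```

Both models reach the same end states and the same deadlocks (the ones where a dropped message is never retransmitted, which is what the timeouts of Page 23 exist to cover), but the folded model does so with fewer intermediate states.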
Page 29: Formal Verification - Completeness
• Each version # creates new state-space tree
• So, verification does not reach a fixed point
– But, verifies up to 6 migrations for base protocol
– 4 migrations for full protocol
[Diagram: state-space trees for version #1, #2, #3]
Page 30: Implementation
• ECCP part of larger Serval project
– Next-generation service-oriented network stack
– http://www.serval-arch.org/
• Loadable kernel module
– Runs on Linux, Android, …
• Adapts “ESTABLISHED” state of TCP
Page 31: Evaluation – Client Interface Changes
One of the authors walks through campus, playing music through Google Play Music. No loss in playback quality.
[Plot: interface in use during the walk, alternating between WIFI and 4G]
Saves > 2GB cellular data per month
Page 32: Conclusion
• New abstractions
– Decoupling data delivery and connection control
– Flows as path-dependent parts of connections
• Design of demultiplexing keys is important
– Independent of network identifiers
• Ordering semantics are tricky to get right
• Formal verification is important and possible
Page 33:
Formal Models: http://www.serval-arch.org/eccp/
Implementation: http://www.serval-arch.org/