Formal checkings in networks James Hongyi Zeng with Peyman Kazemian, George Varghese, Nick McKeown.
-
Upload
collin-melton -
Category
Documents
-
view
215 -
download
1
Transcript of Formal checkings in networks James Hongyi Zeng with Peyman Kazemian, George Varghese, Nick McKeown.
Software Defined Network (SDN)
Global Network View
Network Virtualization
PacketForwarding
PacketForwarding
PacketForwarding
PacketForwarding
Abstract Network View
ControlPrograms
ControlPrograms
ControlPrograms
PacketForwarding
Network OS
1. <Match, Action>2. <Match, Action>3. <Match, Action>4. <Match, Action>5. <Match, Action> 6. …7. …
1 2
3
1. <Match, Action>2. <Match, Action>3. <Match, Action>4. <Match, Action>5. <Match, Action> 6. …7. …
1. <Match, Action>2. <Match, Action>3. <Match, Action>4. <Match, Action>5. <Match, Action> 6. …7. …
1. <Match, Action>2. <Match, Action>3. <Match, Action>4. <Match, Action>5. <Match, Action> 6. …7. …
1. <Match, Action>2. <Match, Action>3. <Match, Action>4. <Match, Action>5. <Match, Action> 6. …7. …
1. <Match, Action>2. <Match, Action>3. <Match, Action>4. <Match, Action>5. <Match, Action> 6. …7. …
“S” for Software
1. Static Checking (“compile time”)“Is my configuration correct?”
2. Dynamic checking (“run time”)“Is my data plane behaving correctly?”
Policy/Control SW
Configuration
Data plane
With SDN we will:1. Formally verify that our networks are
behaving correctly.2. Identify faults, then systematically
track down their root cause.
Motivations
In today’s networks, simple questions are hard to answer:
– Can host A talk to host B?– What are all the packet headers from A that can
reach B?– Are there any loops in the network?– Is Group X provably isolated from Group Y?– What happens if I remove a line in the config file?
Software Defined Network (SDN)
Global Network View
Network Virtualization
PacketForwarding
PacketForwarding
PacketForwarding
PacketForwarding
Abstract Network View
ControlPrograms
ControlPrograms
ControlPrograms
PacketForwarding
Network OS1. <Match, Action>2. <Match, Action>3. <Match, Action>4. <Match, Action>5. <Match, Action> 6. …7. …
1. <Match, Action>2. <Match, Action>3. <Match, Action>4. <Match, Action>5. <Match, Action> 6. …7. …
1. <Match, Action>2. <Match, Action>3. <Match, Action>4. <Match, Action>5. <Match, Action> 6. …7. …
1. <Match, Action>2. <Match, Action>3. <Match, Action>4. <Match, Action>5. <Match, Action> 6. …7. …
1. <Match, Action>2. <Match, Action>3. <Match, Action>4. <Match, Action>5. <Match, Action> 6. …7. …
1. <Match, Action>2. <Match, Action>3. <Match, Action>4. <Match, Action>5. <Match, Action> 6. …7. …
1. <Match, Action>2. <Match, Action>3. <Match, Action>4. <Match, Action>5. <Match, Action> 6. …7. …
1. <Match, Action>2. <Match, Action>3. <Match, Action>4. <Match, Action>5. <Match, Action> 6. …7. …
1. <Match, Action>2. <Match, Action>3. <Match, Action>4. <Match, Action>5. <Match, Action> 6. …7. …
Static Checker
1. <Match, Action>2. <Match, Action>3. <Match, Action>4. <Match, Action>5. <Match, Action> 6. …7. …
1. <Match, Action>2. <Match, Action>3. <Match, Action>4. <Match, Action>5. <Match, Action> 6. …7. …
1. <Match, Action>2. <Match, Action>3. <Match, Action>4. <Match, Action>5. <Match, Action> 6. …7. …
1. <Match, Action>2. <Match, Action>3. <Match, Action>4. <Match, Action>5. <Match, Action> 6. …7. …
1. <Match, Action>2. <Match, Action>3. <Match, Action>4. <Match, Action>5. <Match, Action> 6. …7. …
“A can talk to B”
“Guests can’t reach PatientRecords”
Policy
Header Space Analysis
Consequences1. Finds all packets from A that can reach B2. Find loops, regardless of protocol or layer3. Can prove that two groups are isolated4. Protocol Independent
Proves if network adheres to policyWorks on existing networks and SDNs
Stanford Backbone
1) DST IP: 172.26.66.96/28, VLAN: 330
2) DST IP: 171.64.2.128/27, VLAN: 206
3) DST IP: 172.20.10.64/27, VLAN: 10
4) DST IP: 172.24.2.128/27, VLAN: 206
5) DST IP: 172.26.4.80/29, VLAN: 206
6) DST IP: 172.26.4.88/29, VLAN: 208
7) IP Protocol: TCP DST IP: 171.64.2.24 SRC IP: 172.28.148.27 VLAN: 206...40) IP Protocol: UDP UDP DST Port: 514
750,000 IP forwarding rules.1,500 ACL rules.100 VLANs.
B
A
Tool
Hassel1. Reads Cisco IOS Configuration 2. Checks reachability, loops and isolation3. 10 mins for Stanford Backbone to check loops4. Easily made parallel: 1 sec is feasible
Hassel is available for free, for you to runhttps://bitbucket.org/peymank/hassel-public/
Motivations
Configurations might correctly reflect the policy, but…hardware might not follow configurations
1. Hardware errors (e.g. memory or ASIC errors)2. Link failure3. Congestion4. Table overflow5. Intermittent problems
Such errors cannot be detected by static checking.
Need a independent checker to test the data plane
Software Defined Network (SDN)
Global Network View
Network Virtualization
PacketForwarding
PacketForwarding
PacketForwarding
Abstract Network View
ControlPrograms
ControlPrograms
ControlPrograms
PacketForwarding
Network OS
A BPacket
Forwarding
1. <Match, Action>2. <Match, Action>3. <Match, Action>4. <Match, Action>5. <Match, Action> 6. …7. …
1. <Match, Action>2. <Match, Action>3. <Match, Action>4. <Match, Action>5. <Match, Action> 6. …7. …
1. <Match, Action>2. <Match, Action>3. <Match, Action>4. <Match, Action>5. <Match, Action> 6. …7. …
1. <Match, Action>2. <Match, Action>3. <Match, Action>4. <Match, Action>5. <Match, Action> 6. …7. …
1. <Match, Action>2. <Match, Action>3. <Match, Action>4. <Match, Action>5. <Match, Action> 6. …7. …
Testing the network
1. Monitor the network by sending test packets2. Locate the faults with test results
Not a new idea…– Network admins already use ping/traceroute
to test the network• Ad-hoc test case generation• Coarse granularity / Low coverage• Lacks fault localization
1. Test every rule in every table? 2. Isolate any fault?
What is the minimum number of test packets to
How many packets needed?
Stanford Backbone– 16 routers– 4,000 packets (vs. 750,000 rules)
Internet2– 9 routers– 30,000 packets (vs. 100,000 IPv4 rules)
Testing 10x per second, requires <1% of link-rate
Fault Localization
• Given: a set of pass/fail results• Output: the minimum set of (potential) faulty
rules
Demo
What’s next
• Automatic performance testing
ExampleApplication mapped to a congested router queue
Automatic Test Packet Generation will– Identify the queue– Determine which headers (applications)
incur poor performance
“S” for software
1. Static Checking (“compile time”)“Is my configuration correct?”
2. Dynamic checking (“run time”)“Is my data plane behaving correctly?”
Policy/Control SW
Configuration
Data plane
With SDN we will:1. Formally verify that our networks are
behaving correctly.2. Identify faults, then systematically
track down their root cause.