Transcript Slides
Data Plane Verification
Background:
What are network policies
• Alice can talk to Bob
• Skype traffic must go through a VoIP transcoder
• All traffic must go to the destination
– No blackholes
• No one should be able to send traffic to Eve
When Networks go Bad …
• Bad configs
• Bugs in Router code
• Bugs in router hardware
Detecting Addressing Problems
Verify config. Don’t catch bugs in
code
Verify config by examining the hardware,
The bug has already happened!!
SDN Changes things …
Network O.S.
Configuration of switches happen from
A central location
Simple interface for representing rules
For switches
SDN Changes things …
Network O.S.
Can verify rules before inserted
Into switches
SDN Changes things …
Network O.S.
Can verify rules before inserted
Into switches
Still no way to verify hardware bugs!!!
Problem Statement:
• Need Verification to be quick!
• Need verification to support a large range of
network invariants!
Key Insight
• Most config changes only impact a subset of
network
– You only need to re-evaluate invariant for this
subset
• A policies are applies to groups not individual
addresses
– So there are large swaths of addresses with same
actions being applied.
Veriflow’s Key Challenge
• Efficient Data structure for capturing:
– Equivalence classes (EC)
• Detecting overlapping rules.
• Detected affected EC after a change.
– Forwarding graphs
• How to capture a graph
Veriflow
Network O.S.
veriflow
Veriflow (in a distributed setting)
Network O.S.
Network O.S.
veriflow
Trie-Algorithm
• Recall forwarding rules look like this:
Match these parts of the packet
Perform action packets
Src-IP: 10.10.0.0 Dst-IP: 10.20.0.0
Forward packet
Src-IP: * Dst-IP: 10.20.0.0
Drop packet
Trie-Algorithm
Src-IP: 10.10.0.0 Dst-IP: 10.20.0.0
Forward packet
10.10.0.0
00001010.00001010.00000000.00000000
Src-IP: * Dst-IP: 10.20.0.0
*
*********************************
Drop packet
Trie-Algorithm
Src-IP: 10.10.0.0
Dst-IP: 10.20.0.0
Forward packet
00001010.00001010.00000000.00000000
Src-IP: 10.13.0.0
Dst-IP: 10.20.0.0
Forward packet
00001010.00001101.00000000.00000000
d
Forward packet
Src-IP: 10.14.0.0
Dst-IP: 10.20.0.0
00001010.00001110.00000000.00000000
Src-IP: 10.15.0.0
Dst-IP: 10.20.0.0
00001010.00001111.00000000.00000000
Forward packet
1
1
1
1
10.15.0.0
10.14.0.0
0
0
0
10.13.0.0
10.10.0.0
Trie Algorithms
Src-IP: 10.10.0.0 Dst-IP: 10.20.0.0
Forward packet
10.10.0.0
Dimension 1
00001010.00001010.00000000.00000000
10.20.0.0
Dimension 2
00001010.00010100.00000000.00000000
Trie Algorithms
Trie-Optimizations
• OpenFlow 1.0
– 14 different string of bits to match on
– 4 of them allow wild cards….
– 10 of them don’t (so you can do exact matches)
• Either you match or you don’t match
– Build a 4-dimensional trie
• For the 10 do linear look-ups
Verification
• Input: graph for a change equivalence Class.
• Output: Add rules, don’t add rules
Verification
• Input: graph for a change equivalence Class.
• Output: Add rules, don’t add rules
• Can do:
– Loop detection
– Verify that two nodes have same actions
– Detect black holes
Veriflow
Network O.S.
veriflow
Limitations/DrawBacks
• If the entire network changes
– VeriFlow has to check the whole network and will
be slow
• Limited to reachability style policies
– Can’t verify QoS
– Can’t verify encapsulation
– Can’t verify middlebox policies
Why……
• Is QoS (Buffering hard)
Why……
• Are MB, Encapsulation hard
Why……
• Are MB, Encapsulation hard
• Both are hard because they transform the
header space of a packet. E.g.
– NAT: changes the IP address and port
– So the equivalence class changes
– No way to capture these transformations.
Why……
• Are MB, Encapsulation hard
Src-IP: 10.10.0.0
Change to 10.20.0.0
Forward packet
Src-IP: 10.10.0.0
Forward packet
Src-IP: *
Drop packet
Src-IP: 10.20.0.0
Drop packet
Equivalence Class: 10.10.0.0
Why……
• Are MB, Encapsulation hard
Src-IP: 10.10.0.0
Change to 10.20.0.0
Forward packet
Src-IP: 10.10.0.0
Forward packet
Src-IP: *
Drop packet
Src-IP: 10.20.0.0
Drop packet
Header Space Framework
Key observation: A packet is a point in a
space of possible headers and a box is a
transformer on that space
Header Space Framework
• Step 1: Model a Packet Header
• A Packet Header is a point in space
L ,called the
{0,1}
Header Space
Header
0100111…1
L
Data
Header Space Framework
• Step 2: Model a switch
• A switch is a transformer
in the
header space
Transfer
Function:
T(h, p) : (h, p) ® {(h1, p1 ),(h2, p2 )...}
Port 2
Port 1
Packet Forwarding
Match
1xx1…0x
0xx1…x1
Port 3
Action
Sendtotoport
port32and
and
Send
Rewritewith
with1xx011..x1
1x01xx..x1
Rewrite
Header Space Framework
• Example: Transfer Function of an IPv4 Router
172.24.74.0, 255.255.255.0
Port 1
172.24.128.0, 255.255.255.0 Port 2
171.67.0.0, 255.255.0.0
T(h,p) =
Port 3
(h,1)
if dest_ip(h) =
172.24.74.X
(h,2)
if dest_ip(h) = 172.24.128.X
(h,3)
2
1
if dest_ip(h) = 172.67.X.X
3
Header Space Framework
• Example: Transfer Function of an IPv4 Router
172.24.74.0, 255.255.255.0
Port 1
172.24.128.0, 255.255.255.0 Port 2
171.67.0.0, 255.255.0.0
T(h,p) =
2
1
Port 3
(1) if dest_ip(h) = 172.24.74.X
(2) if dest_ip(h) = 172.24.128.X
(3) if dest_ip(h) = 172.67.X.X
3
Header Space Framework
• Transfer Function Properties:
• Composable:
T3 (T2 (T1 (h, p)))
S1
S2
S3
T2 (T1 (h, p))
T1 (h, p)
T3 (T2 (T1 (h, p)))
Header Space Framework
• Transfer Function Properties:
• Invertible:
T T
Doman (input)
-1
Range (output)
Header Space Framework
• Step 3: Develop an Algebra to work on these spaces
• A subspace correspond to a Wildcard
• We use this to define set operations on Wildcards:
• Intersection
• Complementation
• Difference
Use Cases
• “Can host A talk to host B?”
A
Switch 2
Switch 1
Switch 4
Switch 3
B
T3 (T2 (T1 (X, A)))ÈT3 (T4 (T1 (X, A)))
Discussion