Data Plane Verification

Background: What are network policies

• Alice can talk to Bob

• Skype traffic must go through a VoIP transcoder

• All traffic must go to the destination– No blackholes

• No one should be able to send traffic to Eve

When Networks go Bad …

• Bad configs

• Bugs in Router code

• Bugs in router hardware

Detecting Addressing Problems

Verify config. Don’t catch bugs incode

Verify config by examining the hardware,The bug has already happened!!

SDN Changes things …

Network O.S.

Simple interface for representing rulesFor switches

Configuration of switches happen fromA central location

SDN Changes things …

Network O.S.

Can verify rules before insertedInto switches

SDN Changes things …

Network O.S.

Can verify rules before insertedInto switches

Still no way to verify hardware bugs!!!

Problem Statement:

• Need Verification to be quick!

• Need verification to support a large range of network invariants!

Key Insight

• Most config changes only impact a subset of network– You only need to re-evaluate invariant for this

subset

• A policies are applies to groups not individual addresses– So there are large swaths of addresses with same

actions being applied.

Veriflow’s Key Challenge

• Efficient Data structure for capturing:– Equivalence classes (EC)• Detecting overlapping rules.• Detected affected EC after a change.

– Forwarding graphs• How to capture a graph

Veriflow

Network O.S.

veriflow

Veriflow (in a distributed setting)

Network O.S.

veriflow

Network O.S.

Trie-Algorithm

• Recall forwarding rules look like this:

Match these parts of the packet Perform action packets

Src-IP: 10.10.0.0 Dst-IP: 10.20.0.0 Forward packet

Src-IP: * Dst-IP: 10.20.0.0 Drop packet

Trie-Algorithm

Src-IP: 10.10.0.0 Dst-IP: 10.20.0.0

00001010.00001010.00000000.00000000

Forward packet

10.10.0.0

Src-IP: * Dst-IP: 10.20.0.0 Drop packet

*********************************

*

Trie-AlgorithmSrc-IP: 10.10.0.0 Dst-IP: 10.20.0.0 Forward packet

Src-IP: 10.13.0.0 Dst-IP: 10.20.0.0

Src-IP: 10.14.0.0 Dst-IP: 10.20.0.0

Src-IP: 10.15.0.0 Dst-IP: 10.20.0.0

Forward packet

Forward packet

Forward packet

10.10.0.010.13.0.010.15.0.0 10.14.0.0

00001010.00001010.00000000.00000000

00001010.00001101.00000000.00000000

00001010.00001110.00000000.00000000

00001010.00001111.00000000.00000000

11

0

0

1

01

d

Trie Algorithms

Src-IP: 10.10.0.0 Dst-IP: 10.20.0.0

00001010.00001010.00000000.00000000

Forward packet

10.10.0.0

00001010.00010100.00000000.00000000

10.20.0.0

Dimension 2

Dimension 1

Trie Algorithms

Trie-Optimizations

• OpenFlow 1.0– 14 different string of bits to match on– 4 of them allow wild cards….– 10 of them don’t (so you can do exact matches)• Either you match or you don’t match

– Build a 4-dimensional trie • For the 10 do linear look-ups

Verification

• Input: graph for a change equivalence Class.• Output: Add rules, don’t add rules

Verification

• Input: graph for a change equivalence Class.• Output: Add rules, don’t add rules

• Can do:– Loop detection– Verify that two nodes have same actions– Detect black holes

Veriflow

Network O.S.

veriflow

Limitations/DrawBacks

• If the entire network changes– VeriFlow has to check the whole network and will

be slow

• Limited to reachability style policies– Can’t verify QoS – Can’t verify encapsulation– Can’t verify middlebox policies

Why……

• Is QoS (Buffering hard)

Why……

• Are MB, Encapsulation hard

Why……

• Are MB, Encapsulation hard

• Both are hard because they transform the header space of a packet. E.g.– NAT: changes the IP address and port– So the equivalence class changes– No way to capture these transformations.

Why……

• Are MB, Encapsulation hard

Src-IP: 10.10.0.0 Change to 10.20.0.0Forward packet

Src-IP: * Drop packet

Src-IP: 10.10.0.0 Forward packet

Src-IP: 10.20.0.0 Drop packet

Equivalence Class: 10.10.0.0

Why……

• Are MB, Encapsulation hard

Src-IP: 10.10.0.0 Change to 10.20.0.0Forward packet

Src-IP: * Drop packet

Src-IP: 10.10.0.0 Forward packet

Src-IP: 10.20.0.0 Drop packet

Header Space Framework

Key observation: A packet is a point in a space of possible headers and a box is a transformer on that space

Header Space Framework

• Step 1: Model a Packet Header• A Packet Header is a point in space ,called the

Header Space

Header Data

L

0100111…1

Header Space Framework

• Step 2: Model a switch• A switch is a transformer in the header space

Packet Forwarding

Port 1 Port 2

Port 3

0xx1…x1 Send to port 3 and Rewrite with 1xx011..x1

Match Action

1xx1…0x Send to port 2 and Rewrite with 1x01xx..x1

Transfer Function:

Header Space Framework

• Example: Transfer Function of an IPv4 Router1

3

2172.24.74.0, 255.255.255.0 Port 1

T(h,p) = (h,1) if dest_ip(h) = 172.24.74.X

172.24.128.0, 255.255.255.0 Port 2

(h,2) if dest_ip(h) = 172.24.128.X

171.67.0.0, 255.255.0.0 Port 3

(h,3) if dest_ip(h) = 172.67.X.X

Header Space Framework

• Example: Transfer Function of an IPv4 Router1

3

2172.24.74.0, 255.255.255.0 Port 1

T(h,p) =

172.24.128.0, 255.255.255.0 Port 2

171.67.0.0, 255.255.0.0 Port 3

(1) if dest_ip(h) = 172.24.74.X

(2) if dest_ip(h) = 172.24.128.X (3) if dest_ip(h) = 172.67.X.X

Header Space Framework

• Transfer Function Properties:• Composable:

S1 S3S2

Header Space Framework

• Transfer Function Properties:• Invertible:

Doman (input) Range (output)

Header Space Framework

• Step 3: Develop an Algebra to work on these spaces• A subspace correspond to a Wildcard• We use this to define set operations on Wildcards:• Intersection• Complementation• Difference

Use Cases

• “Can host A talk to host B?”

A

B

Switch 1

Switch 3Switch 4

Switch 2

Discussion