data plane verification. background: what are network policies alice can talk to bob skype traffic...
TRANSCRIPT
Background: What are network policies
• Alice can talk to Bob
• Skype traffic must go through a VoIP transcoder
• All traffic must go to the destination– No blackholes
• No one should be able to send traffic to Eve
Detecting Addressing Problems
Verify config. Don’t catch bugs incode
Verify config by examining the hardware,The bug has already happened!!
SDN Changes things …
Network O.S.
Simple interface for representing rulesFor switches
Configuration of switches happen fromA central location
SDN Changes things …
Network O.S.
Can verify rules before insertedInto switches
Still no way to verify hardware bugs!!!
Problem Statement:
• Need Verification to be quick!
• Need verification to support a large range of network invariants!
Key Insight
• Most config changes only impact a subset of network– You only need to re-evaluate invariant for this
subset
• A policies are applies to groups not individual addresses– So there are large swaths of addresses with same
actions being applied.
Veriflow’s Key Challenge
• Efficient Data structure for capturing:– Equivalence classes (EC)• Detecting overlapping rules.• Detected affected EC after a change.
– Forwarding graphs• How to capture a graph
Trie-Algorithm
• Recall forwarding rules look like this:
Match these parts of the packet Perform action packets
Src-IP: 10.10.0.0 Dst-IP: 10.20.0.0 Forward packet
Src-IP: * Dst-IP: 10.20.0.0 Drop packet
Trie-Algorithm
Src-IP: 10.10.0.0 Dst-IP: 10.20.0.0
00001010.00001010.00000000.00000000
Forward packet
10.10.0.0
Src-IP: * Dst-IP: 10.20.0.0 Drop packet
*********************************
*
Trie-AlgorithmSrc-IP: 10.10.0.0 Dst-IP: 10.20.0.0 Forward packet
Src-IP: 10.13.0.0 Dst-IP: 10.20.0.0
Src-IP: 10.14.0.0 Dst-IP: 10.20.0.0
Src-IP: 10.15.0.0 Dst-IP: 10.20.0.0
Forward packet
Forward packet
Forward packet
10.10.0.010.13.0.010.15.0.0 10.14.0.0
00001010.00001010.00000000.00000000
00001010.00001101.00000000.00000000
00001010.00001110.00000000.00000000
00001010.00001111.00000000.00000000
11
0
0
1
01
d
Trie Algorithms
Src-IP: 10.10.0.0 Dst-IP: 10.20.0.0
00001010.00001010.00000000.00000000
Forward packet
10.10.0.0
00001010.00010100.00000000.00000000
10.20.0.0
Dimension 2
Dimension 1
Trie-Optimizations
• OpenFlow 1.0– 14 different string of bits to match on– 4 of them allow wild cards….– 10 of them don’t (so you can do exact matches)• Either you match or you don’t match
– Build a 4-dimensional trie • For the 10 do linear look-ups
Verification
• Input: graph for a change equivalence Class.• Output: Add rules, don’t add rules
• Can do:– Loop detection– Verify that two nodes have same actions– Detect black holes
Limitations/DrawBacks
• If the entire network changes– VeriFlow has to check the whole network and will
be slow
• Limited to reachability style policies– Can’t verify QoS – Can’t verify encapsulation– Can’t verify middlebox policies
Why……
• Are MB, Encapsulation hard
• Both are hard because they transform the header space of a packet. E.g.– NAT: changes the IP address and port– So the equivalence class changes– No way to capture these transformations.
Why……
• Are MB, Encapsulation hard
Src-IP: 10.10.0.0 Change to 10.20.0.0Forward packet
Src-IP: * Drop packet
Src-IP: 10.10.0.0 Forward packet
Src-IP: 10.20.0.0 Drop packet
Equivalence Class: 10.10.0.0
Why……
• Are MB, Encapsulation hard
Src-IP: 10.10.0.0 Change to 10.20.0.0Forward packet
Src-IP: * Drop packet
Src-IP: 10.10.0.0 Forward packet
Src-IP: 10.20.0.0 Drop packet
Header Space Framework
Key observation: A packet is a point in a space of possible headers and a box is a transformer on that space
Header Space Framework
• Step 1: Model a Packet Header• A Packet Header is a point in space ,called the
Header Space
Header Data
L
0100111…1
Header Space Framework
• Step 2: Model a switch• A switch is a transformer in the header space
Packet Forwarding
Port 1 Port 2
Port 3
0xx1…x1 Send to port 3 and Rewrite with 1xx011..x1
Match Action
1xx1…0x Send to port 2 and Rewrite with 1x01xx..x1
Transfer Function:
Header Space Framework
• Example: Transfer Function of an IPv4 Router1
3
2172.24.74.0, 255.255.255.0 Port 1
T(h,p) = (h,1) if dest_ip(h) = 172.24.74.X
172.24.128.0, 255.255.255.0 Port 2
(h,2) if dest_ip(h) = 172.24.128.X
171.67.0.0, 255.255.0.0 Port 3
(h,3) if dest_ip(h) = 172.67.X.X
Header Space Framework
• Example: Transfer Function of an IPv4 Router1
3
2172.24.74.0, 255.255.255.0 Port 1
T(h,p) =
172.24.128.0, 255.255.255.0 Port 2
171.67.0.0, 255.255.0.0 Port 3
(1) if dest_ip(h) = 172.24.74.X
(2) if dest_ip(h) = 172.24.128.X (3) if dest_ip(h) = 172.67.X.X
Header Space Framework
• Step 3: Develop an Algebra to work on these spaces• A subspace correspond to a Wildcard• We use this to define set operations on Wildcards:• Intersection• Complementation• Difference