Network Verification: Star Wars and The Empire Strikes Back

Posted on 12-Jan-2016


Page 1

Network Verification: Star Wars and The Empire Strikes Back

Page 2

Long ago in a network far away, rebel forces began to claim that networking was a separate planet and required specialized verification engines . . . Early attempts to colonize networking using weapons from the Verification Empire such as Model Checking and SAT solvers resulted in these weapons blowing up . . . .

Page 3

What is the problem? Who cares?

“It surprised me that forward rules are so complicated” - anonymous

Page 4

Networks today

[Figure: a router with a forwarding table (10* → P1, 1* → P2), a load balancer, and an Access Control List (ACL) entry “Drop SQL”]

• Multiple Protocols: 6000 RFCs (MPLS, GRE . . .)
• Multiple Vendors: Broadcom, Arista, Cisco, . . .
• Manual Configurations: additional arcane programs kept working by “masters of complexity” (Shenker)
• Crude tools: SNMP, NetFlow, TraceRoute, . . .

Page 5

Motivation to do better

• Internal: > 1 hr customer-visible outage/quarter (P. Patel)
  • Azure: 30,000 cores down 3 hrs, L2/L3 configuration bug
  • Bing: entire data center, 8 hours, L2/L3 configuration bug
• External (2012 NANOG Network Operator Survey):
  • 35% > 25 tickets per month, > 1 hour to resolve
  • Welsh: vast majority of Google “production failures” due to “bugs in configuration settings”

As we migrate to services ($100B public cloud market), network failure is a debilitating cost.

Page 6

Networks Tomorrow

• Online services: latency, cost sensitive
• Merchant Silicon: build your own router
• Rise of Data centers: custom networks
• Software Defined Networks (SDNs): custom design “routing program”
• P4 (next generation SDN): redefine hardware forwarding at runtime

Opportunity to custom design networks to optimize a goal. Potential simplifications, but hard to get right.

Page 7

What specific problems does this paper address?

Reachability, slicing, loops . . .

Page 8

What specific problems does this paper not address?

Control Plane, Implementation errors, Dynamism, Synthesis . . .

Page 9

What is model checking? Why is it different from proof assistants like Coq?

Why is it used in hardware design (Ana Klimovic?)

Page 10

Model Checking

• Before model checking, Hoare-style proofs: manual effort
• Model checking: automatic search over the state space to check a property
• Must tame “state space explosion” using compression. Clarke (2007)
• Advances: symbolic model checking (BDDs), bounded model checking, adding expressivity (e.g., real-time model checking)

Page 11

Why not use model checking for networks? Or SAT Solvers?

Page 12

Standard model checkers work badly for networks

• So why not use standard model checking to check reachability properties (S → D) across all possible packets that could be sent?
• Works poorly with network state-space explosion (120-bit headers, millions of rules)
• Also, networks need all headers that do not reach the destination. Many model checkers use SAT solvers that provide one solution, not all.

Page 13

Central question: is Header Space Analysis just model checking?

Page 14

Classical perspective

• “Model checking” networks, so to speak
• Conquers network state-space explosion (120-bit headers, 10^6 rules)
• Difference 1: Abstraction of router forwarding gives compositional, invertible semantics
• Difference 2: Structure allows “difference of cubes” to compactly represent header space. Different from Binary Decision Diagrams
• Difference 3: All counterexamples, not just one

Page 15

Isn’t the HSA insight just that network forwarding can be represented by Match-Action, an SDN/OpenFlow idea?

Page 16

Many forwarding flavors, one essence

[Figure: three forwarding tables: IP Router (prefix match: 10* → P1, 1* → P2), MAC Bridge (exact match: 01A1A2 → P1, . . .), MPLS Switch (indexed lookup: label 5 → P1, Pop 5, . . .)]

ESSENTIAL INSIGHT FOR OPENFLOW. BUT HSA PAPER USES SAME INSIGHT FOR UNDERSTANDING EXISTING PROTOCOLS

Page 17

Besides abstracting routers, what is the more general idea in the HSA paper?

Page 18

Idea: Treat Network as a Program

• Model a header as a point in high-dimensional space and all networking boxes as transformers of header space, so that . . .

[Figure: a packet forwarding box with ports 1, 2, 3 and two match/action rules: match 0xx1..x1 → rewrite with 1xx011..x1, send to port 3; match 11xx..0x → rewrite with 1x01xx..x1, send to port 2]

ROUTER ABSTRACTED AS SET OF GUARDED COMMANDS . . . NETWORK BECOMES A PROGRAM, CAN USE PL METHODS

Page 19

HSA is a form of semantics, but there is not a single theorem in the paper. Are there implicit theorems?

Page 20

Yes: Composition, Inversion

[Figure: routers R1, R2, R3 in sequence; each router has a transfer function T(h, p) on header h arriving at port p]

• Theorem: Network behavior = composition of router transfer functions (Compositionality)

• Theorem: given header h at destination p, we can invert to find (h', s'): the headers h' sent at source s' that produce (h, p) (Inversion)

Page 21

Why the stress on “real time” in NetPlumber?

How is the dependency graph built (C.Z. Lee)?

Page 22

Graph on rules, not nodes: an edge from rule R to rule S when the range of R intersects the domain of S

[Figure: rule dependency graph; a new rule S is being inserted and its effect on the graph checked]

VERIFYING CHANGES BY SDN CONTROLLERS BEFORE THEY TAKE EFFECT
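The guarded-command view of a router (page 18), the composition theorem (page 20) and NetPlumber's rule dependency graph (page 22), worked through in Python as an added example (not code from the slides or from the HSA/NetPlumber authors). Assumptions: 4-bit headers, a constructed three-box topology, and disjoint rules within each box, so no priority or difference-of-cubes handling is needed.

```python
from collections import namedtuple
# Header space: wildcard strings over {'0', '1', 'x'} ('x' = either bit), as in HSA.
def intersect(a, b):
    """Intersection of two wildcard expressions; None when the header sets are disjoint."""
    out = []
    for x, y in zip(a, b):
        if x != 'x' and y != 'x' and x != y:
            return None
        out.append(y if x == 'x' else x)
    return ''.join(out)

def rewrite(h, mask):
    """Apply a rewrite mask: 'x' keeps the header bit, '0'/'1' overwrites it."""
    return ''.join(b if m == 'x' else m for b, m in zip(h, mask))

# One guarded command: if the header matches `match`, rewrite it and send it out of `out_port`.
Rule = namedtuple('Rule', 'box match rewrite out_port')

def transfer(rules, h, box):
    """T(h, p) for one box. Assumption: rules in a box are disjoint, so every overlapping rule fires."""
    hits = [(intersect(h, r.match), r) for r in rules if r.box == box]
    return [(rewrite(m, r.rewrite), r.out_port) for m, r in hits if m is not None]

def reachable(rules, links, src, dst, width):
    """Compose transfer functions along links; return ALL header sets reaching dst from src."""
    frontier, seen, found = [('x' * width, src)], set(), []
    while frontier:
        h, box = frontier.pop()
        if (h, box) in seen:          # loop guard: same header set already seen at this box
            continue
        seen.add((h, box))
        for h2, port in transfer(rules, h, box):
            nxt = links.get(port)     # an unconnected port drops the traffic
            if nxt == dst:
                found.append(h2)
            elif nxt is not None:
                frontier.append((h2, nxt))
    return sorted(found)

def dependency_edges(rules, links):
    """NetPlumber rule graph: edge R -> S when R's range (rewritten match) reaches S's box and meets S's match."""
    return [(R, S) for R in rules for S in rules
            if S.box == links.get(R.out_port)
            and intersect(rewrite(R.match, R.rewrite), S.match) is not None]

# Constructed 4-bit toy network (not from the slides): A splits on bit 0, B rewrites bit 1.
RULES = [Rule('A', '0xxx', 'xxxx', 'A.1'), Rule('A', '1xxx', 'xxxx', 'A.2'),
         Rule('B', 'x0xx', 'x1xx', 'B.1'), Rule('B', 'x1xx', 'xxxx', 'B.2')]
LINKS = {'A.1': 'B', 'A.2': 'C', 'B.1': 'C'}   # B.2 has no link, so that traffic is dropped
```

`reachable(RULES, LINKS, 'A', 'C', 4)` returns every header set that reaches C, not a single witness; `dependency_edges` is what lets a rule insertion be checked incrementally, since only rules whose domain meets the new rule's range are affected.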

Page 23

Incremental program verification is considered very hard. How did NetPlumber pull it off?

Page 24

What can we learn from model checkers that is missing in the HSA/NetPlumber paper?

Page 25

What we can learn from model checkers

• Best existing network verification tools (Veriflow, NetPlumber) are very fast and scale to large networks.
• Existing model checkers are more expressive because they have:
  • A specification language (e.g., Temporal Logic) to describe properties
  • A modelling language (e.g., Promela in SPIN) to model the network
• By contrast, in all existing work the network model is hardcoded and the specification language is minimal (except NetPlumber)

Page 26

Wait a minute, NetPlumber has a policy language. What is it lacking?

Differential reachability . . . Needs negation

Page 27

From the viewpoint of verification

[Figure: chart with axes SPEED and EXPRESSIVITY placing Hassel and Veriflow, NetPlumber, and model checkers / SAT solvers / Datalog; the NSDI 2015 work is labelled “The Empire Strikes Back”]

Page 28

What other aspects of static checking?

Control Plane, Quantities, Dynamism, Specification Mining . . .

Page 29

NSDI 2015 Papers on Network Verification

• Catching protocol implementation bugs (Kevin McKenzie): PIC
• Catching routing configuration errors: Batfish
• Doing reachability in Datalog to have a more expressive policy language and a more expressive network model: NoD

Page 30

Is network verification used in practice (C. Shah)?

Page 31

Network Verification in Practice

• SecGuru: a simpler form of NoD is used in production in Azure and catches roughly 1 bug a day
• Veriflow Networks: from UIUC, is commercializing Veriflow
• Forward Networks: from Stanford, is commercializing HSA/NetPlumber

Page 32

How can we push the idea of treating networks as programs further?

What is the startup potential (Zak Stratton)?

Page 33

[Figure: roadmap diagram with nodes Specification (Policy Language, Semantics), Test Packet Generation, Verification, Synthesis (e.g., Forwarding Rules), Performance verification?, Network Design, Static checking (Local), Wiring Checkers, Network Design Automation?, Dynamic checkers/debuggers; a region is labelled “Early work”]

HOW MIGHT WE GO BEYOND EARLY WORK? WHAT NEW AREAS CAN WE TOUCH? JOIN THE PARTY!