new directions for network verificationapanda/slides/mcheck-snapl.pdfbrief summary of this talk •...
TRANSCRIPT
![Page 1: New Directions for Network Verificationapanda/slides/mcheck-snapl.pdfBrief Summary of This Talk • Context: • Proliferation of network verification tools. • Build on assumption](https://reader035.vdocuments.us/reader035/viewer/2022070807/5f0556ac7e708231d412793f/html5/thumbnails/1.jpg)
New Directions for Network Verification
Aurojit Panda, Katerina Argyraki, Mooly Sagiv, Michael Schapira, Scott Shenker
![Page 2: New Directions for Network Verificationapanda/slides/mcheck-snapl.pdfBrief Summary of This Talk • Context: • Proliferation of network verification tools. • Build on assumption](https://reader035.vdocuments.us/reader035/viewer/2022070807/5f0556ac7e708231d412793f/html5/thumbnails/2.jpg)
Brief Summary of This Talk• Context:
• Proliferation of network verification tools.
• Build on assumption that the network state is immutable.
• Immutable = Data packets do not change behavior of network
![Page 3: New Directions for Network Verificationapanda/slides/mcheck-snapl.pdfBrief Summary of This Talk • Context: • Proliferation of network verification tools. • Build on assumption](https://reader035.vdocuments.us/reader035/viewer/2022070807/5f0556ac7e708231d412793f/html5/thumbnails/3.jpg)
Brief Summary of This Talk• Context:
• Proliferation of network verification tools.
• Build on assumption that the network state is immutable.
• Immutable = Data packets do not change behavior of network
• My point:
• Many network elements have mutable state
• Verifying mutable networks requires new techniques
• Two technical challenges: Modeling and Scaling
![Page 4: New Directions for Network Verificationapanda/slides/mcheck-snapl.pdfBrief Summary of This Talk • Context: • Proliferation of network verification tools. • Build on assumption](https://reader035.vdocuments.us/reader035/viewer/2022070807/5f0556ac7e708231d412793f/html5/thumbnails/4.jpg)
Outline
• Background on networks.
• Background on network verification.
• Verifying mutable networks.
![Page 5: New Directions for Network Verificationapanda/slides/mcheck-snapl.pdfBrief Summary of This Talk • Context: • Proliferation of network verification tools. • Build on assumption](https://reader035.vdocuments.us/reader035/viewer/2022070807/5f0556ac7e708231d412793f/html5/thumbnails/5.jpg)
Classical Networking
Switch
Switch
Switch
• Networks provide end-to-end connectivity. • Just contain host and switches. • All interesting processing at the hosts.
AliceBob
TrentMallory
Ted Stevens was right
![Page 6: New Directions for Network Verificationapanda/slides/mcheck-snapl.pdfBrief Summary of This Talk • Context: • Proliferation of network verification tools. • Build on assumption](https://reader035.vdocuments.us/reader035/viewer/2022070807/5f0556ac7e708231d412793f/html5/thumbnails/6.jpg)
Real Networks have Middleboxes!
Switch
Switch
Switch
AliceBob
TrentMallory
![Page 7: New Directions for Network Verificationapanda/slides/mcheck-snapl.pdfBrief Summary of This Talk • Context: • Proliferation of network verification tools. • Build on assumption](https://reader035.vdocuments.us/reader035/viewer/2022070807/5f0556ac7e708231d412793f/html5/thumbnails/7.jpg)
Real Networks have Middleboxes!
Firewall
Switch
Switch
Switch
AliceBob
TrentMallory
• Security (firewalls, IDSs,…).
![Page 8: New Directions for Network Verificationapanda/slides/mcheck-snapl.pdfBrief Summary of This Talk • Context: • Proliferation of network verification tools. • Build on assumption](https://reader035.vdocuments.us/reader035/viewer/2022070807/5f0556ac7e708231d412793f/html5/thumbnails/8.jpg)
Real Networks have Middleboxes!
Firewall
CacheSwitch
Switch
Switch
AliceBob
TrentMallory
• Security (firewalls, IDSs,…).• Performance (caches, load balancers,…).
![Page 9: New Directions for Network Verificationapanda/slides/mcheck-snapl.pdfBrief Summary of This Talk • Context: • Proliferation of network verification tools. • Build on assumption](https://reader035.vdocuments.us/reader035/viewer/2022070807/5f0556ac7e708231d412793f/html5/thumbnails/9.jpg)
Real Networks have Middleboxes!
Firewall
Proxy CacheSwitch
Switch
Switch
AliceBob
TrentMallory
• Security (firewalls, IDSs,…).• Performance (caches, load balancers,…).• New functionality (proxies,…).
![Page 10: New Directions for Network Verificationapanda/slides/mcheck-snapl.pdfBrief Summary of This Talk • Context: • Proliferation of network verification tools. • Build on assumption](https://reader035.vdocuments.us/reader035/viewer/2022070807/5f0556ac7e708231d412793f/html5/thumbnails/10.jpg)
Outline
• Background on networks.
• Background on network verification.
• Verifying mutable networks.
![Page 11: New Directions for Network Verificationapanda/slides/mcheck-snapl.pdfBrief Summary of This Talk • Context: • Proliferation of network verification tools. • Build on assumption](https://reader035.vdocuments.us/reader035/viewer/2022070807/5f0556ac7e708231d412793f/html5/thumbnails/11.jpg)
Reachability Invariants• Focus on reachability invariants
• Most important in practice, simple to state but already hard
Balancer
Firewall
FirewallMallory
S1
S2
![Page 12: New Directions for Network Verificationapanda/slides/mcheck-snapl.pdfBrief Summary of This Talk • Context: • Proliferation of network verification tools. • Build on assumption](https://reader035.vdocuments.us/reader035/viewer/2022070807/5f0556ac7e708231d412793f/html5/thumbnails/12.jpg)
Reachability Invariants• Focus on reachability invariants
• Most important in practice, simple to state but already hard
Balancer
Firewall
FirewallMallory
S1
S2Can S2 receive packets of type T from Mallory?
![Page 13: New Directions for Network Verificationapanda/slides/mcheck-snapl.pdfBrief Summary of This Talk • Context: • Proliferation of network verification tools. • Build on assumption](https://reader035.vdocuments.us/reader035/viewer/2022070807/5f0556ac7e708231d412793f/html5/thumbnails/13.jpg)
Reachability Invariants• Focus on reachability invariants
• Most important in practice, simple to state but already hard
Balancer
Firewall
FirewallMallory
S1
S2Can S2 receive “infected” packets from Mallory?
![Page 14: New Directions for Network Verificationapanda/slides/mcheck-snapl.pdfBrief Summary of This Talk • Context: • Proliferation of network verification tools. • Build on assumption](https://reader035.vdocuments.us/reader035/viewer/2022070807/5f0556ac7e708231d412793f/html5/thumbnails/14.jpg)
Reachability Invariants• Focus on reachability invariants
• Most important in practice, simple to state but already hard
Balancer
Firewall
FirewallMallory
S1
S2Can S2 receive packets from Mallory without a connection?
![Page 15: New Directions for Network Verificationapanda/slides/mcheck-snapl.pdfBrief Summary of This Talk • Context: • Proliferation of network verification tools. • Build on assumption](https://reader035.vdocuments.us/reader035/viewer/2022070807/5f0556ac7e708231d412793f/html5/thumbnails/15.jpg)
Abstractions for Invariants
• Operators want to specify packet types using abstractions:
![Page 16: New Directions for Network Verificationapanda/slides/mcheck-snapl.pdfBrief Summary of This Talk • Context: • Proliferation of network verification tools. • Build on assumption](https://reader035.vdocuments.us/reader035/viewer/2022070807/5f0556ac7e708231d412793f/html5/thumbnails/16.jpg)
Abstractions for Invariants
• Operators want to specify packet types using abstractions:
• “infected”
![Page 17: New Directions for Network Verificationapanda/slides/mcheck-snapl.pdfBrief Summary of This Talk • Context: • Proliferation of network verification tools. • Build on assumption](https://reader035.vdocuments.us/reader035/viewer/2022070807/5f0556ac7e708231d412793f/html5/thumbnails/17.jpg)
Abstractions for Invariants
• Operators want to specify packet types using abstractions:
• “infected”
• from “authenticated user”
![Page 18: New Directions for Network Verificationapanda/slides/mcheck-snapl.pdfBrief Summary of This Talk • Context: • Proliferation of network verification tools. • Build on assumption](https://reader035.vdocuments.us/reader035/viewer/2022070807/5f0556ac7e708231d412793f/html5/thumbnails/18.jpg)
Abstractions for Invariants
• Operators want to specify packet types using abstractions:
• “infected”
• from “authenticated user”
• from a given application
![Page 19: New Directions for Network Verificationapanda/slides/mcheck-snapl.pdfBrief Summary of This Talk • Context: • Proliferation of network verification tools. • Build on assumption](https://reader035.vdocuments.us/reader035/viewer/2022070807/5f0556ac7e708231d412793f/html5/thumbnails/19.jpg)
Abstractions for Invariants
• Operators want to specify packet types using abstractions:
• “infected”
• from “authenticated user”
• from a given application
• How these types are determined in a network varies
![Page 20: New Directions for Network Verificationapanda/slides/mcheck-snapl.pdfBrief Summary of This Talk • Context: • Proliferation of network verification tools. • Build on assumption](https://reader035.vdocuments.us/reader035/viewer/2022070807/5f0556ac7e708231d412793f/html5/thumbnails/20.jpg)
Abstractions for Invariants
• Operators want to specify packet types using abstractions:
• “infected”
• from “authenticated user”
• from a given application
• How these types are determined in a network varies
• Invariants should not depend on these details
![Page 21: New Directions for Network Verificationapanda/slides/mcheck-snapl.pdfBrief Summary of This Talk • Context: • Proliferation of network verification tools. • Build on assumption](https://reader035.vdocuments.us/reader035/viewer/2022070807/5f0556ac7e708231d412793f/html5/thumbnails/21.jpg)
Network Verification Today• Switches: Forwarding rules in switches.
HSA, Veriflow, NetKAT, etc.
![Page 22: New Directions for Network Verificationapanda/slides/mcheck-snapl.pdfBrief Summary of This Talk • Context: • Proliferation of network verification tools. • Build on assumption](https://reader035.vdocuments.us/reader035/viewer/2022070807/5f0556ac7e708231d412793f/html5/thumbnails/22.jpg)
Network Verification Today• Switches: Forwarding rules in switches.
HSA, Veriflow, NetKAT, etc.
• SDN Controller: Code generating these rules.
Vericon, FlowLog, etc.
![Page 23: New Directions for Network Verificationapanda/slides/mcheck-snapl.pdfBrief Summary of This Talk • Context: • Proliferation of network verification tools. • Build on assumption](https://reader035.vdocuments.us/reader035/viewer/2022070807/5f0556ac7e708231d412793f/html5/thumbnails/23.jpg)
Network Verification Today• Switches: Forwarding rules in switches.
HSA, Veriflow, NetKAT, etc.
• SDN Controller: Code generating these rules.
Vericon, FlowLog, etc.
• Firewalls: Verify firewall configuration.
Fang, Margrave, etc.
![Page 24: New Directions for Network Verificationapanda/slides/mcheck-snapl.pdfBrief Summary of This Talk • Context: • Proliferation of network verification tools. • Build on assumption](https://reader035.vdocuments.us/reader035/viewer/2022070807/5f0556ac7e708231d412793f/html5/thumbnails/24.jpg)
Existing Assumptions/LimitationsSwitches• Limited computational model (rule-based forwarding). • Immutable, functionality only changes with new rules. • Limited set of invariants enforced by networks.
![Page 25: New Directions for Network Verificationapanda/slides/mcheck-snapl.pdfBrief Summary of This Talk • Context: • Proliferation of network verification tools. • Build on assumption](https://reader035.vdocuments.us/reader035/viewer/2022070807/5f0556ac7e708231d412793f/html5/thumbnails/25.jpg)
Existing Assumptions/LimitationsSwitches• Limited computational model (rule-based forwarding). • Immutable, functionality only changes with new rules. • Limited set of invariants enforced by networks.
Controllers• All state and actions are centralized. (Globally ordered) • Data plane itself is immutable.
![Page 26: New Directions for Network Verificationapanda/slides/mcheck-snapl.pdfBrief Summary of This Talk • Context: • Proliferation of network verification tools. • Build on assumption](https://reader035.vdocuments.us/reader035/viewer/2022070807/5f0556ac7e708231d412793f/html5/thumbnails/26.jpg)
Existing Assumptions/LimitationsSwitches• Limited computational model (rule-based forwarding). • Immutable, functionality only changes with new rules. • Limited set of invariants enforced by networks.
Controllers• All state and actions are centralized. (Globally ordered) • Data plane itself is immutable.
Firewalls
• Treated as if they contain Immutable state. • Assume a particular (simple) computational model.
![Page 27: New Directions for Network Verificationapanda/slides/mcheck-snapl.pdfBrief Summary of This Talk • Context: • Proliferation of network verification tools. • Build on assumption](https://reader035.vdocuments.us/reader035/viewer/2022070807/5f0556ac7e708231d412793f/html5/thumbnails/27.jpg)
Existing Assumptions/LimitationsSwitches• Limited computational model (rule-based forwarding). • Immutable, functionality only changes with new rules. • Limited set of invariants enforced by networks.
Controllers• All state and actions are centralized. (Globally ordered) • Data plane itself is immutable.
Firewalls
• Treated as if they contain Immutable state. • Assume a particular (simple) computational model.
Violated by many middleboxes
![Page 28: New Directions for Network Verificationapanda/slides/mcheck-snapl.pdfBrief Summary of This Talk • Context: • Proliferation of network verification tools. • Build on assumption](https://reader035.vdocuments.us/reader035/viewer/2022070807/5f0556ac7e708231d412793f/html5/thumbnails/28.jpg)
Outline
• Background on networks.
• Background on network verification.
• Verifying mutable networks.
![Page 29: New Directions for Network Verificationapanda/slides/mcheck-snapl.pdfBrief Summary of This Talk • Context: • Proliferation of network verification tools. • Build on assumption](https://reader035.vdocuments.us/reader035/viewer/2022070807/5f0556ac7e708231d412793f/html5/thumbnails/29.jpg)
Verification of Mutable Networks• Naive approach
• Verify a program equivalent to the entire network.
![Page 30: New Directions for Network Verificationapanda/slides/mcheck-snapl.pdfBrief Summary of This Talk • Context: • Proliferation of network verification tools. • Build on assumption](https://reader035.vdocuments.us/reader035/viewer/2022070807/5f0556ac7e708231d412793f/html5/thumbnails/30.jpg)
Verification of Mutable Networks• Naive approach
• Verify a program equivalent to the entire network.
• Feasibility is not clear
• Large, proprietary code bases (Bro ~102K lines of code).
![Page 31: New Directions for Network Verificationapanda/slides/mcheck-snapl.pdfBrief Summary of This Talk • Context: • Proliferation of network verification tools. • Build on assumption](https://reader035.vdocuments.us/reader035/viewer/2022070807/5f0556ac7e708231d412793f/html5/thumbnails/31.jpg)
Verification of Mutable Networks• Naive approach
• Verify a program equivalent to the entire network.
• Feasibility is not clear
• Large, proprietary code bases (Bro ~102K lines of code).
• Scalability is crucial
• Networks contain several 1000 middleboxes or more.
![Page 32: New Directions for Network Verificationapanda/slides/mcheck-snapl.pdfBrief Summary of This Talk • Context: • Proliferation of network verification tools. • Build on assumption](https://reader035.vdocuments.us/reader035/viewer/2022070807/5f0556ac7e708231d412793f/html5/thumbnails/32.jpg)
Modeling Middleboxes
![Page 33: New Directions for Network Verificationapanda/slides/mcheck-snapl.pdfBrief Summary of This Talk • Context: • Proliferation of network verification tools. • Build on assumption](https://reader035.vdocuments.us/reader035/viewer/2022070807/5f0556ac7e708231d412793f/html5/thumbnails/33.jpg)
Modeling Middleboxes
Classify Packet Determines what application sent a packet, etc. Complex, proprietary processing.
![Page 34: New Directions for Network Verificationapanda/slides/mcheck-snapl.pdfBrief Summary of This Talk • Context: • Proliferation of network verification tools. • Build on assumption](https://reader035.vdocuments.us/reader035/viewer/2022070807/5f0556ac7e708231d412793f/html5/thumbnails/34.jpg)
Modeling Middleboxes
Classify Packet
Update Packet
Determines what application sent a packet, etc. Complex, proprietary processing.
Updating payload is complex (compression, etc.) Updating header is simple (fixed format).
![Page 35: New Directions for Network Verificationapanda/slides/mcheck-snapl.pdfBrief Summary of This Talk • Context: • Proliferation of network verification tools. • Build on assumption](https://reader035.vdocuments.us/reader035/viewer/2022070807/5f0556ac7e708231d412793f/html5/thumbnails/35.jpg)
Modeling Middleboxes
Classify Packet
Update State
Update Packet
Determines what application sent a packet, etc. Complex, proprietary processing.
Could be simple (remember packets) or complex (update many hash tables).
Updating payload is complex (compression, etc.) Updating header is simple (fixed format).
![Page 36: New Directions for Network Verificationapanda/slides/mcheck-snapl.pdfBrief Summary of This Talk • Context: • Proliferation of network verification tools. • Build on assumption](https://reader035.vdocuments.us/reader035/viewer/2022070807/5f0556ac7e708231d412793f/html5/thumbnails/36.jpg)
Modeling Middleboxes
Classify Packet
Update State
Update Packet
Forward Packet
Determines what application sent a packet, etc. Complex, proprietary processing.
Could be simple (remember packets) or
Updating payload is complex (compression, etc.) Updating header is simple (fixed format).
Always simple: forward or drop packets.
![Page 37: New Directions for Network Verificationapanda/slides/mcheck-snapl.pdfBrief Summary of This Talk • Context: • Proliferation of network verification tools. • Build on assumption](https://reader035.vdocuments.us/reader035/viewer/2022070807/5f0556ac7e708231d412793f/html5/thumbnails/37.jpg)
Modeling Middleboxes
Classify Packet
Update State
Update Packet
Forward Packet
Determines what application sent a packet, etc. Complex, proprietary processing.
Could be simple (remember packets) or
Updating payload is complex (compression, etc.) Updating header is simple (fixed format).
Always simple: forward or drop packets.
Oracle: Specify data dependencies and outputs
![Page 38: New Directions for Network Verificationapanda/slides/mcheck-snapl.pdfBrief Summary of This Talk • Context: • Proliferation of network verification tools. • Build on assumption](https://reader035.vdocuments.us/reader035/viewer/2022070807/5f0556ac7e708231d412793f/html5/thumbnails/38.jpg)
Modeling Middleboxes
Classify Packet
Update State
Update Packet
Forward Packet
Determines what application sent a packet, etc. Complex, proprietary processing.
Could be simple (remember packets) or
Updating payload is complex (compression, etc.) Updating header is simple (fixed format).
Always simple: forward or drop packets.
Oracle: Specify data dependencies and outputs
Forwarding Model: Specify Completely
![Page 39: New Directions for Network Verificationapanda/slides/mcheck-snapl.pdfBrief Summary of This Talk • Context: • Proliferation of network verification tools. • Build on assumption](https://reader035.vdocuments.us/reader035/viewer/2022070807/5f0556ac7e708231d412793f/html5/thumbnails/39.jpg)
Example
Classify Packet
Update State
Update Packet
Forward Packet
Oracle: Specify data dependencies and outputs
Forwarding Model: Specify Completely
![Page 40: New Directions for Network Verificationapanda/slides/mcheck-snapl.pdfBrief Summary of This Talk • Context: • Proliferation of network verification tools. • Build on assumption](https://reader035.vdocuments.us/reader035/viewer/2022070807/5f0556ac7e708231d412793f/html5/thumbnails/40.jpg)
Example
Classify Packet
Update State
Update Packet
Forward Packet
Oracle: Specify data dependencies and outputs
Forwarding Model: Specify Completely
OutputsIs packet infected.
DependenciesSee all packets in connection (flow).
![Page 41: New Directions for Network Verificationapanda/slides/mcheck-snapl.pdfBrief Summary of This Talk • Context: • Proliferation of network verification tools. • Build on assumption](https://reader035.vdocuments.us/reader035/viewer/2022070807/5f0556ac7e708231d412793f/html5/thumbnails/41.jpg)
Example
Classify Packet
Update State
Update Packet
Forward Packet
Oracle: Specify data dependencies and outputs
Forwarding Model: Specify Completely
OutputsIs packet infected.
DependenciesSee all packets in connection (flow).
if (infected) { infected_connections.add(packet.flow) }
![Page 42: New Directions for Network Verificationapanda/slides/mcheck-snapl.pdfBrief Summary of This Talk • Context: • Proliferation of network verification tools. • Build on assumption](https://reader035.vdocuments.us/reader035/viewer/2022070807/5f0556ac7e708231d412793f/html5/thumbnails/42.jpg)
Example
Classify Packet
Update State
Update Packet
Forward Packet
Oracle: Specify data dependencies and outputs
Forwarding Model: Specify Completely
OutputsIs packet infected.
DependenciesSee all packets in connection (flow).
if (packet.flow not in infected_connections) { forward (packet); }
if (infected) { infected_connections.add(packet.flow) }
![Page 43: New Directions for Network Verificationapanda/slides/mcheck-snapl.pdfBrief Summary of This Talk • Context: • Proliferation of network verification tools. • Build on assumption](https://reader035.vdocuments.us/reader035/viewer/2022070807/5f0556ac7e708231d412793f/html5/thumbnails/43.jpg)
Scaling Verification
![Page 44: New Directions for Network Verificationapanda/slides/mcheck-snapl.pdfBrief Summary of This Talk • Context: • Proliferation of network verification tools. • Build on assumption](https://reader035.vdocuments.us/reader035/viewer/2022070807/5f0556ac7e708231d412793f/html5/thumbnails/44.jpg)
Scaling Verification
• Middleboxes are “flow-parallel”
![Page 45: New Directions for Network Verificationapanda/slides/mcheck-snapl.pdfBrief Summary of This Talk • Context: • Proliferation of network verification tools. • Build on assumption](https://reader035.vdocuments.us/reader035/viewer/2022070807/5f0556ac7e708231d412793f/html5/thumbnails/45.jpg)
Scaling Verification
• Middleboxes are “flow-parallel”
• State is partitioned between “flows.”
![Page 46: New Directions for Network Verificationapanda/slides/mcheck-snapl.pdfBrief Summary of This Talk • Context: • Proliferation of network verification tools. • Build on assumption](https://reader035.vdocuments.us/reader035/viewer/2022070807/5f0556ac7e708231d412793f/html5/thumbnails/46.jpg)
Scaling Verification
• Middleboxes are “flow-parallel”
• State is partitioned between “flows.”
• This enables “compositional verification”
![Page 47: New Directions for Network Verificationapanda/slides/mcheck-snapl.pdfBrief Summary of This Talk • Context: • Proliferation of network verification tools. • Build on assumption](https://reader035.vdocuments.us/reader035/viewer/2022070807/5f0556ac7e708231d412793f/html5/thumbnails/47.jpg)
Scaling Verification
• Middleboxes are “flow-parallel”
• State is partitioned between “flows.”
• This enables “compositional verification”
• 30,000 middlebox networks verified in 5 minutes
![Page 48: New Directions for Network Verificationapanda/slides/mcheck-snapl.pdfBrief Summary of This Talk • Context: • Proliferation of network verification tools. • Build on assumption](https://reader035.vdocuments.us/reader035/viewer/2022070807/5f0556ac7e708231d412793f/html5/thumbnails/48.jpg)
Compositional Verificationmboxmbox
mbox
mbox
mbox
mbox
mbox
mbox
mbox
mbox
mbox
mbox
![Page 49: New Directions for Network Verificationapanda/slides/mcheck-snapl.pdfBrief Summary of This Talk • Context: • Proliferation of network verification tools. • Build on assumption](https://reader035.vdocuments.us/reader035/viewer/2022070807/5f0556ac7e708231d412793f/html5/thumbnails/49.jpg)
Compositional Verificationmboxmbox
mbox
mbox
mbox
mbox
mbox
mbox
mbox
mbox
mbox
mbox
![Page 50: New Directions for Network Verificationapanda/slides/mcheck-snapl.pdfBrief Summary of This Talk • Context: • Proliferation of network verification tools. • Build on assumption](https://reader035.vdocuments.us/reader035/viewer/2022070807/5f0556ac7e708231d412793f/html5/thumbnails/50.jpg)
Compositional Verificationmboxmbox
mbox
mbox
mbox
mbox
mbox
mbox
mbox
mbox
mbox
mbox
•Invariants talk about pairs of hosts. •When flow-parallel, need-only verify path.
![Page 51: New Directions for Network Verificationapanda/slides/mcheck-snapl.pdfBrief Summary of This Talk • Context: • Proliferation of network verification tools. • Build on assumption](https://reader035.vdocuments.us/reader035/viewer/2022070807/5f0556ac7e708231d412793f/html5/thumbnails/51.jpg)
Conclusion• Real networks:
• Contain mutable middleboxes. • Used to enforce rich connectivity invariants.
• Network verification needs to evolve to handle this. • Several challenges
• Right level of abstraction for specifying middleboxes. • Scalability, by leveraging compositional verification. • Future: Tractability of verification.
Some pictures taken from the Noun Project
![Page 52: New Directions for Network Verificationapanda/slides/mcheck-snapl.pdfBrief Summary of This Talk • Context: • Proliferation of network verification tools. • Build on assumption](https://reader035.vdocuments.us/reader035/viewer/2022070807/5f0556ac7e708231d412793f/html5/thumbnails/52.jpg)
Backup
![Page 53: New Directions for Network Verificationapanda/slides/mcheck-snapl.pdfBrief Summary of This Talk • Context: • Proliferation of network verification tools. • Build on assumption](https://reader035.vdocuments.us/reader035/viewer/2022070807/5f0556ac7e708231d412793f/html5/thumbnails/53.jpg)
Does State Mutation Matter• Do we even need to look at state evolution? • Check invariant for all possible states. • Approach used in tools like Margrave. • # of states is small (just whether connection established).
• False positives, some states may never occur.
![Page 54: New Directions for Network Verificationapanda/slides/mcheck-snapl.pdfBrief Summary of This Talk • Context: • Proliferation of network verification tools. • Build on assumption](https://reader035.vdocuments.us/reader035/viewer/2022070807/5f0556ac7e708231d412793f/html5/thumbnails/54.jpg)
Does State Mutation Matter
Firewall
• Do we even need to look at state evolution? • Check invariant for all possible states. • Approach used in tools like Margrave. • # of states is small (just whether connection established).
• False positives, some states may never occur.
Firewall
a bb ! a ()⌥conn(a ! b)
a ! b ()⌥conn(b ! a)
conn(a ! b) Connection started by a to b. Requires a to send packet to b, and b to respond
Can a packet from 'a' reach 'b'?