data plane verification and anteater
play

Data Plane Verification and Anteater Brighten Godfrey University - PowerPoint PPT Presentation

Feb 03, 2023 •121 likes •482 views

Data Plane Verification and Anteater Brighten Godfrey University of Illinois Work with Haohui Mai, Ahmed Khurshid, Rachit Agarwal, Matthew Caesar, and Sam King Summer School on Formal Methods and Networks Cornell University, June 11, 2013

  1. Data Plane Verification and Anteater Brighten Godfrey University of Illinois Work with Haohui Mai, Ahmed Khurshid, Rachit Agarwal, Matthew Caesar, and Sam King Summer School on Formal Methods and Networks Cornell University, June 11, 2013

  2. Data Plane Verification

  3. Managing networks is challenging Production networks are complex Security policies • Traffic engineering • Legacy devices • Protocol inter-dependencies • … • • Even well-managed networks have downtime & security vulnerabilities • Few good tools to ensure all networking components working together correctly

  4. A real example from UIUC dorm Previously, an intrusion detection and prevention IDP (IDP) device inspected all traffic to/from dorms IDP couldn’t handle load; added bypass IDP only inspected traffic • … between dorm and campus bypass Seemingly simple changes • How do you know if it worked? Backbone

  5. Understanding your network Flow monitoring Configuration Screenshot from Scrutinizer verification NetFlow & sFlow analyzer, snmp.co.uk/scrutinizer/

  6. Past approach: Config. verification e.g.: RCC for BGP [Feamster & Balakrishnan, Input Configuration NSDI’05] Margrave for firewalls Control plane [Nelson, Barratt, Dougherty, Fisler, Predicted Krishnamurthi, Data plane state LISA’10] UCLA+MSR Network behavior [in progress...]

  7. Data plane verification Our approach: Verify the network as close as possible to its actual behavior Configuration Control plane Input Data plane state Network Predicted behavior

  8. Data plane verification Our approach: Verify the network as close as possible to its actual behavior • Simpler, unified analysis Configuration across control protocols • Catch bugs in control Control plane software • Checks current snapshot Input Data plane state Network Predicted behavior

  9. Architecture overview Operator Diagnosis Invariants Con fi rmation of from library correctness, or or custom violated invariants & counterexamples 2 (vulnerabilities) 4 Veri fl ow Network Veri fi cation Layer Construct formal model of network behavior 3 Check queried invariants against model Snapshot or real-time stream of: Topology 1 Data plane state (forwarding tables) Network Routers, switches, fi rewalls, ...

  10. Architecture overview Operator Diagnosis Invariants Con fi rmation of from library correctness, or or custom violated invariants & counterexamples 2 (vulnerabilities) 4 Veri fl ow Network Veri fi cation Layer Construct formal model of network behavior 3 Check queried invariants against model Snapshot or real-time stream of: Topology 1 Data plane state (forwarding tables) Network Routers, switches, fi rewalls, ...

  11. Architecture overview Operator Diagnosis Invariants Con fi rmation of from library correctness, or or custom violated invariants & counterexamples 2 (vulnerabilities) 4 Veri fl ow Network Veri fi cation Layer Construct formal model of network behavior 3 Check queried invariants against model Snapshot or real-time stream of: Topology 1 Data plane state (forwarding tables) Network Routers, switches, fi rewalls, ...

  12. Architecture overview Operator Diagnosis Invariants Con fi rmation of from library correctness, or or custom violated invariants & counterexamples 2 (vulnerabilities) 4 Veri fl ow Network Veri fi cation Layer Construct formal model of network behavior 3 Check queried invariants against model Snapshot or real-time stream of: Topology 1 Data plane state (forwarding tables) Network Routers, switches, fi rewalls, ...

  13. Control software bugs 78 bugs sampled randomly from Bugzilla repository of Quagga (open source software router) 67 could cause data plane effect • Under heavy load, Quagga 0.96.5 fails to update Linux kernel’s routing tables • In Quagga 0.99.5, a BGP session could remain active after it has been shut down 11 would not affect data plane • Mgmt. terminal hangs in Quagga 0.96.4 on “show ip bgp”

  14. Q: Where does SDN fit in? Unified data plane interface • Helpful, but not absolutely necessary Centralized control of network • Critical for real time verification

  15. Our Two Tools Anteater • [Mai, Khurshid, Agarwal, Caesar, Godfrey, King, SIGCOMM 2011] • Offline verification of data plane Veriflow • [Khurshid, Zhou, Caesar, Godfrey, HotSDN 2012] • [Khurshid, Zou, Zhou, Caesar, Godfrey, NSDI 2013] • Online real-time verification of data plane • Interoperates with OpenFlow controller

  16. Anteater

  17. Modeling the network is nontrivial What if only longest prefix match rules on one field?

  18. Modeling the network is nontrivial What if only longest prefix match rules on one field? 1 2 3 2 1

  19. Modeling the network is nontrivial What if only longest prefix match rules on one field? 1 2 3 3’ 2 1’ 1 # equivalence classes ≤ 2 • #rules

  20. Modeling the network is nontrivial What if only longest prefix match rules on one field? • easy: reachability is polynomial time Add one-bit packet filters: “if p[43] = 0 then drop” • reachability is NP-complete p[4] = 1 p[7] = 1 p[1] = 0 ( x 4 ∨ x 7 ∨ ¯ x 1 ) ∧ ( . . . ) ∧ ( . . . ) ∧ ( . . . )

  21. Modeling the network is nontrivial What if only longest prefix match rules on one field? • easy: reachability is polynomial time Add one-bit packet filters: “if p[43] = 0 then drop” • reachability is NP-complete Add packet header transformations... • even harder (depends on assumptions, e.g. packet header length bound)

  22. Anteater’s solution Express data plane and invariants as SAT • ...up to some max # hops Check with off-the-shelf SAT solver (Boolector)

  23. Data plane as boolean functions Define P(u, v) as the policy function for packets Destination Iface traveling from u to v 10.1.1.0/24 v • A packet can flow over (u, v) if and only if it u v satisfies P(u, v) P(u, v) = dst_ip ∈ 10.1.1.0/24

  24. Simpler example Destination Iface 0.0.0.0/0 v u v P(u, v) = true Default routing

  25. Some more examples Destination Iface Destination Iface 10.1.1.0/24 v 10.1.1.0/24 v Drop port 80 t 80 to v 10.1.1.128/25 v’ 10.1.2.0/24 v u v u v P(u, v) = dst_ip ∈ 10.1.1.0/24 P(u, v) = (dst_ip ∈ 10.1.1.0/24 ∧ dst_port ≠ 80 ∧ dst_ip ∉ 10.1.1.128/25) ∨ dst_ip ∈ 10.1.2.0/24 Packet filtering Longest prefix matching

  26. Reachability as SAT solving Goal: reachability from u to w u v w C = (P(u, v) ∧ P(v,w)) is satisfiable ⇔ ∃ A packet that makes P(u,v) ∧ P(v,w) true ⇔ ∃ A packet that can flow over (u, v) and (v,w) ⇔ u can reach w • SAT solver determines the satisfiability of C • Problem: exponentially many paths - Solution: Dynamic programming (a.k.a. loop unrolling) - Intermediate variables: “Can reach x in k hops?” - Similar to [Xie, Zhan, Maltz, Zhang, Greenberg, Hjalmtysson, Rexford, INFOCOM’05]

  27. Packet transformation Essential to model dst_ip ∈ label = 5? 0.1.1.0/24 MPLS, QoS, NAT, etc. u v w • Model the history of packets: vector over time • Packet transformation ⇒ boolean constraints over adjacent packet versions ( p i .dst ip ∈ 0 . 1 . 1 . 0 / 24) ∧ ( p i +1 .label = 5) More generally: p i +1 = f ( p i )

  28. Invariants Loop detection u … w lost Packet loss (black holes) … u w u … w Consistency u’

  29. Experience with the UIUC Network

  30. Experiences with UIUC network Evaluated Anteater with UIUC campus network • ~ 178 routers supporting >70,000 machines • Predominantly OSPF, also uses BGP and static routing • 1,627 FIB entries per router (mean) • State collected using operator’s SNMP scripts Revealed 23 bugs with 3 invariants in 2 hours Loop Packet loss Consistency Being fixed 9 0 0 Stale config. 0 13 1 False pos. 0 4 1 Total alerts 9 17 2

  31. Forwarding loops IDP was overloaded, dorm operator introduced IDP bypass • IDP only inspected traffic for campus bypass routed campus traffic to IDP through … static routes bypass Introduced 9 loops Backbone

  32. Bugs found by other invariants Packet loss Consistency Admin. X u u interface u’ 192.168.1.0/24 • Blocking compromised machines at IP level • One router exposed web • Stale configuration admin interface in FIB From Sep, 2008 • Different policy on private IP address range

  33. Refs: O ffl ine Data Plane Verification Static reachability in IP networks [Bush et al’03, Xie et al’05] FlowChecker [Al-Shaer, Al-Haj, SafeConfig ’10] ConfigChecker [Al-Shaer, Al-Saleh, SafeConfig ’11] Anteater [SIGCOMM’11] http://code.google.com/p/anteater Header Space Analysis [Kazemian, Varghese, McKeown, NSDI ’12] Abstractions for Network Update [Reitblatt, Foster, Rexford, Schlesinger, Walker, SIGCOMM’12] Verification of Computer Switching Networks: An Overview [Shuyun Zhang, Sharad Malik, Rick McGeer]

  34. Looking ahead: An Opportunity Operator Diagnosis Invariants Con fi rmation of from library correctness, or or custom violated invariants & counterexamples 2 (vulnerabilities) 4 Veri fl ow Network Veri fi cation Layer Construct formal model of network behavior 3 Check queried invariants against model Snapshot or real-time stream of: Topology 1 Data plane state (forwarding tables) Network Routers, switches, fi rewalls, ...

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Debugging the Data Plane with Anteater Haohui Mai, Ahmed Khurshid Rachit Agarwal, Matthew Caesar

Debugging the Data Plane with Anteater Haohui Mai, Ahmed Khurshid Rachit Agarwal, Matthew Caesar

Debugging the Data Plane with Anteater Haohui Mai, Ahmed Khurshid Rachit Agarwal, Matthew Caesar P. Brighten Godfrey, Samuel T. King University of Illinois at Urbana-Champaign Network debugging is challenging Production networks are

929 views • 50 slides
Control Plane Compression Ryan Becke* Aar- Gupta Ratul Mahajan David Walker 3 Good news!

Control Plane Compression Ryan Becke* Aar- Gupta Ratul Mahajan David Walker 3 Good news!

1 Control Plane Compression Ryan Becke* Aar- Gupta Ratul Mahajan David Walker 3 Good news! Some Solu/ons 5 Data Plane Verification Anteater [Mai 2011] HSA [Kazemian 2012] [Kurshid 2013] Veriflow NoD [Lopes 2015] Symmetries

389 views • 38 slides
Network Data Plane Network Data Plane Network Data Plane (S. S. Lam) 3/23/2017 1 Network layer

Network Data Plane Network Data Plane Network Data Plane (S. S. Lam) 3/23/2017 1 Network layer

Network Data Plane Network Data Plane Network Data Plane (S. S. Lam) 3/23/2017 1 Network layer d li delivers segments from s s ts f sending to receiving host application transport network sender encapsulates segments p g

912 views • 44 slides
1 Background | Problems | Challenges | Design | Evaluation | Summary Control Plane Applications

1 Background | Problems | Challenges | Design | Evaluation | Summary Control Plane Applications

SPEED Resource-Ef+icient and High-Performance Deployment for Data Plane Programs Xiang Chen , Hongyan Liu, Qun Huang, Peiqiao Wang, Dong Zhang, Haifeng Zhou, Chunming Wu Control Plane Applications Monitor Security Routing Data Plane

826 views • 45 slides
Internet Control Plane Security Yongdae Kim KAIST Two Planes Data Plane: Actual data

Internet Control Plane Security Yongdae Kim KAIST Two Planes Data Plane: Actual data

Internet Control Plane Security Yongdae Kim KAIST Two Planes Data Plane: Actual data delivery Control Plane To support data delivery (efficiently, reliably, and etc.) Routing information exchange In some sense, every protocol

396 views • 39 slides
Data Plane Programmability in SDN H. Farhady, H. Lee, A.

Data Plane Programmability in SDN H. Farhady, H. Lee, A.

Data Plane Programmability in SDN H. Farhady, H. Lee, A. Nakao The University of Tokyo CoolSDN14 Contents Current SDN The Gap: Data plane

382 views • 12 slides
Quantum Position Verification in the Plane Serge Fehr and Dominique Unruh CWI

Quantum Position Verification in the Plane Serge Fehr and Dominique Unruh CWI

Quantum Position Verification in the Plane Serge Fehr and Dominique Unruh CWI University of Tartu Dominique Unruh Position Verification Speed of light Position verified Quantum Position Verification in 2D 2 Dominique

268 views • 14 slides
Data Plane Broker Integration, Configuration & Implementation. Paul McCherry Data Plane

Data Plane Broker Integration, Configuration & Implementation. Paul McCherry Data Plane

Data Plane Broker Integration, Configuration & Implementation. Paul McCherry Data Plane Broker Integration OSM Creation: Connection Points, Bandwidth Deletion: Service_Id DPB WIM Connector Modify: In development, Service_Id

241 views • 20 slides
SCION: Data Plane Overview Adrian Perrig Network Security Group, ETH Zrich SCION Data Plane

SCION: Data Plane Overview Adrian Perrig Network Security Group, ETH Zrich SCION Data Plane

SCION: Data Plane Overview Adrian Perrig Network Security Group, ETH Zrich SCION Data Plane Overview Data plane: How to send packets [Chapter 2.2, Chapter 8] Path lookup Path combination Path encoding in packet 2 Path

387 views • 18 slides
L. Subramanian, V. Roth, I. Stoica, S. Shenker, R. H. Katz Presented by Ashish Vulimiri Focus on

L. Subramanian, V. Roth, I. Stoica, S. Shenker, R. H. Katz Presented by Ashish Vulimiri Focus on

L. Subramanian, V. Roth, I. Stoica, S. Shenker, R. H. Katz Presented by Ashish Vulimiri Focus on invalid routes Invalid routes in the control plane Invalid routes in the data plane Solution: both control and data plane verification

392 views • 17 slides
Network Attacks I Yongdae Kim KAIST Two Planes Data Plane: Actual data delivery Control

Network Attacks I Yongdae Kim KAIST Two Planes Data Plane: Actual data delivery Control

Network Attacks I Yongdae Kim KAIST Two Planes Data Plane: Actual data delivery Control Plane To support data delivery (efficiently, reliably, and etc.) Routing information exchange In some sense, every protocol except data

751 views • 51 slides
Extending SDN to the Data Plane Anirudh Sivaraman, Keith Winstein, Suvinay Subramanian, Hari

Extending SDN to the Data Plane Anirudh Sivaraman, Keith Winstein, Suvinay Subramanian, Hari

Extending SDN to the Data Plane Anirudh Sivaraman, Keith Winstein, Suvinay Subramanian, Hari Balakrishnan M.I.T. http://web.mit.edu/anirudh/www/sdn-data-plane.html Switch Data Planes today Two key decisions on a per-packet basis:

682 views • 34 slides
Virtualization for NFV/Data Plane SDN Bob Lantz Open Networking Laboratory ONS 2016 Talk

Virtualization for NFV/Data Plane SDN Bob Lantz Open Networking Laboratory ONS 2016 Talk

Virtualization for NFV/Data Plane SDN Bob Lantz Open Networking Laboratory ONS 2016 Talk Outline - What is NFV? - One Way to Do It - A Better Way - Control Plane NFV/SDN - Data Plane SDN - VM Configuration - Container Configuration -

363 views • 17 slides
Integrated Modeling and Verification of Processes and Data Verification Diego Calvanese, Marco

Integrated Modeling and Verification of Processes and Data Verification Diego Calvanese, Marco

Integrated Modeling and Verification of Processes and Data Verification Diego Calvanese, Marco Montali Research Centre for Knowledge and Data (KRDB) Free University of Bozen-Bolzano, Italy KRDB 1 15th International Conference on Business

1.08k views • 83 slides
Runtime Verification of P4 Switches with Reinforcement Learning Apoorv Shukla (TU Berlin) with

Runtime Verification of P4 Switches with Reinforcement Learning Apoorv Shukla (TU Berlin) with

Runtime Verification of P4 Switches with Reinforcement Learning Apoorv Shukla (TU Berlin) with Kevin Nico Hudemann (TU Berlin), Artur Hecker (Huawei), Stefan Schmid (Vienna Uni.) Apoorv Shukla| NetAI19 P4 [1] : Data plane Programming Language

644 views • 25 slides
4. Coordinate geometry A special kind of geometry where the position of points on the plane is

4. Coordinate geometry A special kind of geometry where the position of points on the plane is

D AY 107 A RECTANGLE AND A SQUARE ON THE X - Y PLANE I NTRODUCTION A plane figure in the x-y plane can resemble one of the common quadrilaterals we have come across, but that is not enough to show that the figure meets all the basic

1.45k views • 24 slides
Ant-immigrant populism is not really a recent phenomenon Didier Ruedin University of the

Ant-immigrant populism is not really a recent phenomenon Didier Ruedin University of the

Ant-immigrant populism is not really a recent phenomenon Didier Ruedin University of the Witwatersrand & University of Neuchtel Contestng the Populist Challenge Malm, 17 November 2017 immigraton is increasingly politcized Share of all

561 views • 10 slides
Build Build Build Build System building The process of compiling and linking software

Build Build Build Build System building The process of compiling and linking software

Build Build Build Build System building The process of compiling and linking software components into an executable system Different systems are built from different combinations of components Invariably supported by automated

557 views • 20 slides
Ant Build Maintenance with Formiga R. Hardt and E. V. Munson University of Wisconsin-Milwaukee,

Ant Build Maintenance with Formiga R. Hardt and E. V. Munson University of Wisconsin-Milwaukee,

Ant Build Maintenance with Formiga R. Hardt and E. V. Munson University of Wisconsin-Milwaukee, USA Research Problem and Motivation Build maintenance refers to changes made to the build system as a software project evolves over time

321 views • 15 slides
Nested Loops Plan for today Green Screen Single looping: a deeper look Nested looping Drawing

Nested Loops Plan for today Green Screen Single looping: a deeper look Nested looping Drawing

Nested Loops Plan for today Green Screen Single looping: a deeper look Nested looping Drawing grids Julia in the past Julia in the past The beginning of my journey programming ability my neighbor me time The beginning of my journey The

755 views • 62 slides
Formal Verification of Computer Switch Networks Sharad Malik ; Department of Electrical

Formal Verification of Computer Switch Networks Sharad Malik ; Department of Electrical

Formal Verification of Computer Switch Networks Sharad Malik ; Department of Electrical Engineering; Princeton Univeristy (with Shuyuan Zhang (Princeton), Rick McGeer (HP Labs)) 1 SDN: So what changes for verification? SDN: So what changes for

665 views • 34 slides
A Hypothesis Testing Framework for Network Security P. Brighten Godfrey University of Illinois

A Hypothesis Testing Framework for Network Security P. Brighten Godfrey University of Illinois

A Hypothesis Testing Framework for Network Security P. Brighten Godfrey University of Illinois at Urbana-Champaign TSS Seminar, September 15, 2015 Part of the SoS Lablet with David Nicol Kevin Jin Matthew Caesar Bill Sanders Work with

939 views • 49 slides
Making Teaching a Shared Brian Sato Office of the Vice Provost of Teaching and Learning

Making Teaching a Shared Brian Sato Office of the Vice Provost of Teaching and Learning

Making Teaching a Shared Brian Sato Office of the Vice Provost of Teaching and Learning Responsibility through Ray Vadnais Departmental Reports Office of Information Technology UCI Strategic Plan First in Class - Elevating the student

1.32k views • 25 slides
Model Checking Dynamic Datapaths Aurojit Panda, Katerina Argyraki, Scott Shenker UC Berkeley,

Model Checking Dynamic Datapaths Aurojit Panda, Katerina Argyraki, Scott Shenker UC Berkeley,

Model Checking Dynamic Datapaths Aurojit Panda, Katerina Argyraki, Scott Shenker UC Berkeley, ICSI, EPFL Networks: Not Just for Delivery Enforce a variety of invariants: Packet Isolation: Packets from A can not reach B Content

585 views • 42 slides

More recommend