Declarative Infrastructure Configuration Synthesis and Debugging - PowerPoint PPT Presentation



SLIDE 1

Declarative Infrastructure Configuration Synthesis and Debugging

ConfigAssure system

Sanjai Narain, Gary Levin and Vikram Kaul, Telcordia Technologies, Inc.
Sharad Malik, Princeton University

Presented by Adam Bergstein
Oct 10, 2011


SLIDE 2

Overview

  • Background
  • Goals
  • Implementation
  • Example
  • Missing clarity
  • Analysis of solution
  • Questions

SLIDE 3

Background

  • Difficult to verify configuration of large-scale networking implementations
  • Well-researched constraints and best practices of network implementations
  • Common modeling techniques using SAT solvers
  • Common languages to express logic, like Prolog


SLIDE 4

Goals

  • Formally proving a network configuration over all known values
  • Leverage known networking best practices and previous research
  • Looking for an “end-to-end” solution that takes requirements and specifies appropriate configuration
  • Identify problematic configuration for unsolvable solutions


SLIDE 5

Implementation

  • Developed ConfigAssure as a way to do static analysis on a network
  • Define requirements and prove a specific configuration meets the requirements
  • Inputs:
 – General requirements to define networking operations
 – Configuration database to model a specific network, in variables and terms
 – Domain of allowable networking values (IP address ranges)
  • Partial evaluator converts into a quantifier-free form of Boolean logic statement (QFF)
  • QFFs sent to a solver (Kodkod/Zchaff SAT solver)
  • Solver returns possible solutions or identifies configurations that are problematic


SLIDE 6

SLIDE 7

Implementation

  • Requirements are known constraints, implemented as Prolog programs
  • A configuration is a series of terms and variables that implement a defined requirement
  • A configuration database is the series of configurations that define one network instance
  • Configurations are converted into QFF statements
  • All QFF statements are solved by Kodkod based on the Prolog equivalent of the requirement
  • Kodkod returns a solution or an unsolvable QFF
 – A solution is a set of variables and accepting values in configuration
 – An unsolvable QFF identifies a specific configuration that is not solvable, which assists with mediation

SLIDE 8

SLIDE 9

Implementation

  • If Kodkod can identify problematic configurations, how do you resolve them?
 – Remove the specific configuration
 – Identify how the configuration needs to be altered (which changes the implementation)
  • ConfigAssure also supports a “relaxable” set of values for variables
 – Each variable can have a set of possible values
 – If Kodkod cannot solve a configuration with specific values of variables, it will substitute other values from each variable’s relaxable set


SLIDE 10

Example

  • Requirements example (Prolog)
 – All Physical IP Addresses Distinct


SLIDE 11

Example

  • Converted configuration into QFF statements to be evaluated


SLIDE 12

Missing Clarity

  • Where is the definition for certain Prolog functions?
 – ipAddress, subnet, hsrp, etc.
 – Must be defined as a part of ConfigAssure
  • How are the possible variable values generated?
 – Does it use all possible values?
     • IP-addressing bounds
     • Bounds of IP-addressing within a subnet
 – How does the “relaxable” set assist with the variable values?


SLIDE 13

Analysis of solution

  • Is this useful only for networking? Very likely
 – Specific Prolog functions just for networking and no mention of program language analysis
 – IP addresses and subnets lend themselves well to this solution
     • Calculated as: {first quartet}*256^3 + {second quartet}*256^2 + {third quartet}*256 + {fourth quartet}
 – Solver only runs on fixed bounds of possible IPs
     • Can narrow IP range down based on subnet as well
 – Networking supports bitwise operations
 – Performance numbers looked positive, but would likely blow up if implementing the bounds of IPv6
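
The integer encoding above, the "all physical IP addresses distinct" requirement from slide 10 and the relaxable sets from slide 9, combined in one added example (not from the slides and not ConfigAssure's own code). It assumes a plain backtracking search in place of Kodkod, a relaxable set modelled as a per-variable range of subnet host addresses, and constructed interface names and addresses.

```python
from itertools import combinations

def ip_to_int(dotted):
    """Dotted quad -> q1*256^3 + q2*256^2 + q3*256 + q4."""
    q = [int(p) for p in dotted.split(".")]
    if len(q) != 4 or any(not 0 <= x <= 255 for x in q):
        raise ValueError(f"bad IPv4 address: {dotted!r}")
    return q[0] * 256**3 + q[1] * 256**2 + q[2] * 256 + q[3]

def int_to_ip(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def host_range(subnet, prefix):
    """Fixed bounds for a variable: the usable host addresses of subnet/prefix."""
    size = 1 << (32 - prefix)
    base = ip_to_int(subnet) & ~(size - 1)
    return range(base + 1, base + size - 1)

def conflicts(db):
    """Pairs that violate 'all physical IP addresses distinct'."""
    return [(a, b) for a, b in combinations(sorted(db), 2) if db[a] == db[b]]

def solve(db, relaxable):
    """Backtracking search (stand-in for the SAT solver). The configured value
    is tried first; a variable may move only to a value in its relaxable set.
    Returns (solution or None, conflicting pairs in the original database)."""
    names = sorted(db)

    def search(i, used, acc):
        if i == len(names):
            return dict(acc)
        name = names[i]
        for value in [db[name], *relaxable.get(name, ())]:
            if value not in used:
                acc[name] = value
                found = search(i + 1, used | {value}, acc)
                if found is not None:
                    return found
        return None

    return search(0, frozenset(), {}), conflicts(db)

# Constructed sample database: r1 and r2 were given the same address.
DB = {name: ip_to_int(ip) for name, ip in [
    ("r1.eth0", "10.0.0.1"), ("r2.eth0", "10.0.0.1"), ("r3.eth0", "10.0.0.2")]}

if __name__ == "__main__":
    for prefix in (30, 29):  # a /30 leaves r2 no free address, a /29 does
        fixed, bad = solve(DB, {"r2.eth0": host_range("10.0.0.0", prefix)})
        print(prefix, bad, fixed and {k: int_to_ip(v) for k, v in fixed.items()})
```

The search space is the product of the relaxable ranges, which is why the bounds matter: a /29 offers six candidates per variable, while an IPv6 /64 would offer 2^64.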


SLIDE 14

Analysis of solution

  • We have read a lot of papers on solvers and static analysis
  • Very similar solution to MulVAL mentioned in paper
  • What is innovative here?
 – ConfigAssure strongly relies on Kodkod and Prolog
 – Created a way to define requirements for a network and analyze a given configuration
 – “Relaxed” sets make this tool more useful
     • Although, ConfigAssure does not define what should be in the set
     • Relies on the end user, which could limit the tool’s effectiveness
     • “I will prove this. But if this is meaningless, it will do you no good”
 – Determined some QFFs could be solved more efficiently outside of Kodkod


SLIDE 15

Questions