nv a framework for modeling and verifying network
play

NV: A Framework for Modeling and Verifying Network Configurations - PowerPoint PPT Presentation

Sep 13, 2022 •691 likes •1.27k views

NV: A Framework for Modeling and Verifying Network Configurations LangSec 2020 David Walker Princeton University Collaborators Nick Giannarakis Devon Loehr Tim Thijm Ratul Mahajan Ryan Beckett Aarti Gupta (UW) (Microsoft) Language-Based

  1. NV: A Framework for Modeling and Verifying Network Configurations LangSec 2020 David Walker Princeton University

  2. Collaborators Nick Giannarakis Devon Loehr Tim Thijm Ratul Mahajan Ryan Beckett Aarti Gupta (UW) (Microsoft)

  3. Language-Based Security

  4. Language-Based Security for Networks

  5. Routing 101 Hoolie 𝑆 � “I can reach subnet X” “I can reach subnet X” 𝑆 � 𝑆 � 𝑆 � “I can reach subnet X” subnet X traffic Pied Piper

  6. An Example Route Hijack Hoolie subnet Y subnet X

  7. An Example Route Hijack Hoolie subnet Y subnet X

  8. An Example Route Hijack Pied Piper “I can reach subnet X” Hoolie subnet Y subnet X

  9. An Example Route Hijack Pied Piper Hoolie subnet Y subnet X

  10. This Kind of Thing Happens Too Often

  11. Why? Networks are: • Large (100K+ LOC) • Distributed • Low-level • Multiple vendors • Subject to failures Too much for humans to handle

  12. We need automated analysis! Generic Network Models To model the many ad hoc vendor languages in a uniform way [Griffin 2002, Sobrinho 2005] [SIGCOMM 2017, SIGCOMM 2018, PLDI 2020] Effective Abstractions and Efficient Algorithms To analyze these model at scale [POPL 2020, PLDI 2020]

  13. Network Models

  14. Routing Algebra [Griffin 2002, Sobrinho 2005] �𝑊 , 𝐹� 𝐔𝐩𝐪𝐩𝐦𝐩𝐡𝐳 : �𝑇 , ⊕ , 𝑔 , 𝑗𝑜𝑗𝑢� 𝐁𝐦𝐡𝐟𝐜𝐬𝐛 : set of routes initial route merge transfer S → 𝑇 → 𝑇 V → 𝑇 (protocol messages) E → 𝑇 → 𝑇 � select preferred route � Given an algebra, one can simulate it, looking for its solutions .

  15. Routing Example (Idealized BGP) (no route) S = { ∞ } U { ( preference , path , set of tags ) } ⊕ = “select the most preferred route” (route with higher preference, shorter path) 𝑔 (src,dst) = add src to path; adjust preference, tags according to configuration init = given by configuration

  16. Routing Example (Idealized BGP) messages S = { ∞ } U { ( preference , path , set of tags ) } 1. if attached(8075:30) 2. set localpref 200 1. if peer = R3 3. permit 2. add tag(8075:30) ∞ � 100, �𝑆 � � , � 8075: 30 �� 4. else 3. permit 5. default permit 𝑆 � 𝑆 � 𝑆 � 𝑆 � 𝑆 � � 100, �𝑆 � , 𝑆 � , 𝑆 � � , � 8075: 30 �� ∞ � 100, �𝑆 � , 𝑆 � � , ∅� ∞ � 100, �� , ∅� � 200, �𝑆 � , 𝑆 � � , � 8075: 30 �� � 200, �𝑆 � , 𝑆 � � , � 8075: 30 �� ⊕ � 100, �𝑆 � , 𝑆 � � , ∅� � 100, �𝑆 � � , ∅� ∞ ⊕ � 100, �𝑆 � � , ∅� ∞ Further propagation of routes causes no change? We have found a solution .

  17. Research Progress Cycle �𝑇 , ⊕ , 𝑔 , 𝑗𝑜𝑗𝑢� Iterate Research idea Evaluate 1 year prototype Cisco (IOS, NX ‐ OS) Juniper, Arista BGP, OSPF, ISIS, RIP, iBGP Route Reflectors, Redistribution, Conditional advertisement, aggregation, ACLs, MPLS, GRE, …

  18. NV: A Language for Modelling Networks Cisco NV Juniper Ryan Beckett Nick Giannarakis Devon Loehr (Microsoft) • ad hoc • standard • non ‐ uniform • uniform • compositional • non ‐ compositional • concise • complex • 23+ commands to set protocol fields • 1 command to get a record field

  19. NV Language idealized_bgp.nv let nodes = 5; let edges = { 1-2; 1-3; 2-4; 3-4; 4-5; } type route = {pref:int; len:int; orig:node; tags:int set} type message = option[route] let init n = if n = 1 then Some {pref=100; len=0; orig=1; tags=empty;} else None let f e m = let protocol m = {pref=m.pref; len=m.len + 1; orig=orig; tags=tags;} in let config e m = ... in m |> protocol |> config e let merge n m1 m2 = if is_preferred m1 m2 then m1 else m2

  20. NV Language idealized_bgp.nv let nodes = 5; let edges = { 1-2; 1-3; 2-4; 3-4; 4-5; } let init n = ... let f e m = ... let merge n m1 m2 = ... let sol = solution {init= init ; trans= f ; merge= merge ;} (* Does router R5 have a route to R1? *) let prop sol = match sol[5] with None –> false | Some {pref=_; len=_; orig=n; comm=_;} -> (n = 1) assert prop(sol);

  21. The Power of Language: Exploring New Models Iterate �𝑇 , ⊕ , 𝑔 , 𝑗𝑜𝑗𝑢� Success Research idea Implement Evaluate prototype prototype (NV)

  22. Recall: A BGP Hijack Pied piper Hoolie host 2 host 1

  23. Can Pied Piper Hijack Hoolie? Hoolie 𝑆 � 𝑆 � 𝑆 � 𝑆 � 𝑆 � 1. if peer = R6 2. pref := 200 𝑆 � 3. permit Pied Piper

  24. Can Pied Piper Hijack Hoolie? let nodes = 6 let edges = { 1-2; 1-3; 2-4; 3-4; 4-5; 6-2; } type route = {pref:int; len:int; orig:node; tags:int set} type message = option[route] symbolic u : route (* unknown route *) require u.orig = 6; let init n = if n = 6 then Some u else ... let f e m = let protocol m = ... in let config e m = match e with | 6~2 -> {pref=200; ... } | _ -> ... in m |> protocol |> config e assert prop(sol);

  25. Is Hoolie’s Network Fault Tolerant? Hoolie 𝑆 � 𝑆 � 𝑆 � 𝑆 � 𝑆 �

  26. Is Hoolie’s Network Fault Tolerant? Hoolie 𝑆 � 𝑆 � 𝑆 � 𝑆 � 𝑆 � duh ...

  27. Is Hoolie’s Network Fault Tolerant? let nodes = 5 let edges = { 1-2; 1-3; 2-4; 3-4; 4-5} type route = {pref:int; len:int; orig:node; tags:int set} type message = option[route] symbolic failure : edge (* the failed edge *) let f e m = let fail e m = if e = failure then None else m in let protocol m = ... in let config e m = ... in m |> fail e |> protocol |> config e assert prop(sol);

  28. Aside: Eliminating Symbolic Values type message = option[route] symbolic failure : edge let f e m = let fail e m = if e = failure then None else m in ... type message = dict[edge , option[route]] let f e m = let fail e m = mapif (fun e -> e = failure then None else m) m ...

  29. Aside: Eliminating Symbolic Values type message = option[route] symbolic failure : edge let f e m = let fail e m = if e = failure then None else m in ... type message = dict[edge, option[route]] let f e m = let fail e m = mapif (fun e -> e = failure) (fun m -> None) m ...

  30. More Realistic Networks type ospf = { ad : int; weight : int; areaType : int4; areaId : int;} type bgp = { ad : int; lp : int; aslen : int; comms : set[int16]; origin : int;} type rib_entry = { connected : option[edge]; static : option[edge]; ospf : option[ospf]; bgp : option[bgp]; selected : option[int2] } type prefixV4 = { ip : int32; len : int5; } type attribute = dict[prefixV4, rib_entry]

  31. NV Tools Cisco NV Juniper Z3 Simulation

  32. The Scalability Problem control plane simulation CBGP [Mai 2011] Batfish [Fogel 2015] control plane verification [Gember ‐ Jacobsen 2016] ARC 400 [Beckett 2017] Minesweeper Simulation time 350 300 (seconds) 250 32GB RAM 200 150 100 50 0 10,000 0 100 200 300 400 500 600 700 (Large modern data center) Datacenter Size (routers)

  33. The Scalability Problem (AWS) Software control plane simulation [Mai 2011] Network [Fogel 2015] control plane verification Cost [Gember ‐ Jacobsen 2016] ARC Storage [Beckett 2017] Minesweeper Compute Cloud growth by quarter (AWS) 2018 2009 Time 228x growth in networks in a decad

  34. Effective Abstractions & Efficient Algorithms

  35. Abstract Interpretation of Routing Algebras Aarti Ratul Ryan Mahajan Gupta Beckett Message Abstraction: asympototic improvements in time and space

  36. Abstract Interpretation of Routing Algebras Base Model Idealized BGP option[(preference, Abstract Model option[(preference, length, path, option[ tag abstraction ] origin, tag set)] tag set)] true, false, *

  37. Abstract Interpretation of Routing Algebras 1. if attached(8075:30) 2. set localpref 200 1. if peer = R3 3. permit 2. add tag(8075:30) None 4. else 3. permit 5. default permit 𝑆 � 𝑆 � 𝑆 � 𝑆 � 𝑆 � Some false None None None Property: Does R5 obtain any route?

  38. Abstract Interpretation of Routing Algebras 1. if attached(8075:30) 2. set localpref 200 1. if peer = R3 3. permit 2. add tag(8075:30) Some true 4. else 3. permit 5. default permit 𝑆 � 𝑆 � 𝑆 � 𝑆 � 𝑆 � Some false None None Some false Property: Does R5 obtain any route?

  39. Abstract Interpretation of Routing Algebras 1. if attached(8075:30) 2. set localpref 200 1. if peer = R3 3. permit 2. add tag(8075:30) Some true 4. else 3. permit 5. default permit 𝑆 � 𝑆 � 𝑆 � 𝑆 � 𝑆 � Some false (Some true) None ⊕ (Some false) = (Some *) Some false Property: Does R5 obtain any route?

  40. Abstract Interpretation of Routing Algebras 1. if attached(8075:30) 2. set localpref 200 1. if peer = R3 3. permit 2. add tag(8075:30) Some true 4. else 3. permit 5. default permit 𝑆 � 𝑆 � 𝑆 � 𝑆 � 𝑆 � Some false (Some *) (Some *) Some false Property: Does R5 obtain any route?

  41. Abstract Interpretation of Routing Algebras 1. if attached(8075:30) 2. set localpref 200 1. if peer = R3 3. permit 2. add tag(8075:30) Some true 4. else 3. permit 5. default permit 𝑆 � 𝑆 � 𝑆 � 𝑆 � 𝑆 � Some false (Some *) (Some *) Some false Yes Property: Does R5 obtain any route?

  42. Example 2: Datacenter Simulation 𝑇 � Spine Routers (S) 𝐵 � 𝐵 � Aggregation Routers (A) 𝑈 � 𝑈 𝑈 � 𝑈 � 𝑈 𝑈 � � � Top-of-Rack Routers (T)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Modeling a Large Data-Acquisition Network in a Simulation Framework Tommaso Colombo 1,2 Holger

Modeling a Large Data-Acquisition Network in a Simulation Framework Tommaso Colombo 1,2 Holger

1st IEEE Workshop on High-Performance Interconnectjon Networks towards the Exascale and Big-Data Era Chicago, 8 September 2015 Modeling a Large Data-Acquisition Network in a Simulation Framework Tommaso Colombo 1,2 Holger Frning 2 Pedro Javier

538 views • 24 slides
Elaborating and Verifying RBAC Policies Conforming with CobiT Framework Requirements Christophe

Elaborating and Verifying RBAC Policies Conforming with CobiT Framework Requirements Christophe

Third International Workshop on Requirements Engineering and Law (RELAW 10) - September 28 th 2010 Conceptualizing a Responsibility based Approach for Elaborating and Verifying RBAC Policies Conforming with CobiT Framework Requirements

429 views • 27 slides
Fast Variational Algorithms for Statistical Network Modeling and other network modeling advances

Fast Variational Algorithms for Statistical Network Modeling and other network modeling advances

Hierarchical ERG models Fast Variational Algorithms for Statistical Network Modeling and other network modeling advances David Hunter Michael Schweinberger Duy Vu Ruth Hummel Department of Statistics, Penn State University MURI meeting, Nov

521 views • 34 slides
Overview MAXENT-Modeling: A framework for Discrete MAXENT-Models and RMs IRT-Modeling?

Overview MAXENT-Modeling: A framework for Discrete MAXENT-Models and RMs IRT-Modeling?

Overview MAXENT-Modeling: A framework for Discrete MAXENT-Models and RMs IRT-Modeling? Conceptual foundation and relationships of the MAXENT-framework The canonical MAXENT-distribution is structurally similar to Dipl.-Psych. Georg

366 views • 7 slides
Modeling Testing Evaluating 100 c c 90 Network latency (cycles) 80 Input c c Expect?

Modeling Testing Evaluating 100 c c 90 Network latency (cycles) 80 Input c c Expect?

PyOCN: A Unified Framework for Modeling, Testing, and Evaluating On-Chip Networks Modeling Testing Evaluating 100 c c 90 Network latency (cycles) 80 Input c c Expect? 70 R 60 c c 50 40 c c 30 20 10 Functional-Level Unit 0

563 views • 20 slides
The Matrix: An Agent-Based Modeling Framework for Data Intensive Simulations P. Bhattacharya 1 ,

The Matrix: An Agent-Based Modeling Framework for Data Intensive Simulations P. Bhattacharya 1 ,

The Matrix: An Agent-Based Modeling Framework for Data Intensive Simulations P. Bhattacharya 1 , S. Ekanayake 3 , C. J. Kuhlman 1 , C. Lebiere 2 , D. Morrison 2 , S. Swarup 1 , M. L. Wilson 1 , and M. G. Orr 1 1 Network Systems Science and Advanced

701 views • 17 slides
An Integrated Electric Power Supply Chain and Fuel Market Network Framework: Theoretical Modeling

An Integrated Electric Power Supply Chain and Fuel Market Network Framework: Theoretical Modeling

Introduction Literature Review Integrated Electric Power Supply Chains Empirical Examples Conclusions An Integrated Electric Power Supply Chain and Fuel Market Network Framework: Theoretical Modeling with Empirical Analysis for New England

705 views • 66 slides
An Integrated Electric Power Supply Chain and Fuel Market Network Framework: Theoretical Modeling

An Integrated Electric Power Supply Chain and Fuel Market Network Framework: Theoretical Modeling

Introduction Literature Review Integrated Electric Power Supply Chains Empirical Examples Conclusions An Integrated Electric Power Supply Chain and Fuel Market Network Framework: Theoretical Modeling with Empirical Analysis for New England

978 views • 60 slides
Transformation of Protg Ontologies into the Eclipse Modeling Framework Deepak Sharma

Transformation of Protg Ontologies into the Eclipse Modeling Framework Deepak Sharma

Transformation of Protg Ontologies into the Eclipse Modeling Framework Deepak Sharma Division of Biomedical Informatics Mayo Clinic 1 Outline Motivation Eclipse Modeling Framework (EMF) EMF at work LexGrid Model & FMA

1.24k views • 104 slides
Verifying and enforcing network paths with ICING Jad Naous , Michael Walfish, Antonio Nicolosi,

Verifying and enforcing network paths with ICING Jad Naous , Michael Walfish, Antonio Nicolosi,

Verifying and enforcing network paths with ICING Jad Naous , Michael Walfish, Antonio Nicolosi, David Mazires, Michael Miller, and Arun Seehra 1 Today: New protocol for every feature Remote VPN, Private WANs, Specifying QoS, Firewalls,

581 views • 38 slides
Verifying the Adaptation Behavior of Embedded Systems Klaus Schneider 1 Tobias Schuele 1 Mario

Verifying the Adaptation Behavior of Embedded Systems Klaus Schneider 1 Tobias Schuele 1 Mario

Introduction Modeling Adaptation Behavior Verifying Adaptation Behavior Tool Demonstration Summary and Conclusion Verifying the Adaptation Behavior of Embedded Systems Klaus Schneider 1 Tobias Schuele 1 Mario Trapp 2 1 Reactive Systems Group,

438 views • 14 slides
High Performance Network Modeling in the US Army Mobile Network Modeling Institute (MNMI) Ken

High Performance Network Modeling in the US Army Mobile Network Modeling Institute (MNMI) Ken

U.S. Army Research, Development and Engineering Command High Performance Network Modeling in the US Army Mobile Network Modeling Institute (MNMI) Ken Renard US Army Research Lab COMBINE 11 Sept 2012 Institute Objectives Develop

269 views • 14 slides
The Bayesian Network Framework 89 / 384 The network formalism, informal A Bayesian network

The Bayesian Network Framework 89 / 384 The network formalism, informal A Bayesian network

Chapter 4: The Bayesian Network Framework 89 / 384 The network formalism, informal A Bayesian network combines two types of domain knowledge to represent a joint probability distribution: qualitative knowledge: a (minimal) directed I-map

1.63k views • 134 slides
Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of Computer Science University of Texas at Austin mihir@cs.utexas.edu 10 November, 2017 1/34 Outline Motivation and related work Our approach

681 views • 34 slides
Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of Computer Science University of Texas at Austin mihir@cs.utexas.edu 09 March, 2017 Overview 1. Why we need a verified filesystem 2. Our approach

514 views • 29 slides
ABC: A Cryptocurrency-Focused Threat Modeling Framework Ghada Almashaqbeh 1 , Allison Bishop 1,2 ,

ABC: A Cryptocurrency-Focused Threat Modeling Framework Ghada Almashaqbeh 1 , Allison Bishop 1,2 ,

ABC: A Cryptocurrency-Focused Threat Modeling Framework Ghada Almashaqbeh 1 , Allison Bishop 1,2 , Justin Cappos 3 1 Columbia, 2 Proof Trading, 3 NYU CryBlock 2019, Paris, France Outline Background. Motivation. The ABC framework.

1.25k views • 26 slides
OpenStack Powered by Tungsten Fabric Sukhdev Kapur Krzysztof Kajkowski Distinguished Engineer,

OpenStack Powered by Tungsten Fabric Sukhdev Kapur Krzysztof Kajkowski Distinguished Engineer,

OpenStack Powered by Tungsten Fabric Sukhdev Kapur Krzysztof Kajkowski Distinguished Engineer, Juniper Networks Director of Engineering, CodiLime Open Infrastructure Summit, Shanghai, November 2019 1 Tungsten Fabric Architecture Overview

346 views • 16 slides
Towards Validated Network Configurations with NCGuard Laurent V ANBEVER , Grgory P ARDOEN ,

Towards Validated Network Configurations with NCGuard Laurent V ANBEVER , Grgory P ARDOEN ,

Towards Validated Network Configurations with NCGuard Laurent V ANBEVER , Grgory P ARDOEN , Olivier B ONAVENTURE INL: IP Networking Lab (http://inl.info.ucl.ac.be,laurent.vanbever@uclouvain.be) Universit catholique de Louvain (UCL), Belgium

364 views • 25 slides
SWIFT Predictive Fast Reroute upon Remote BGP Disruptions Laurent Vanbever ETH Zrich (D-ITET)

SWIFT Predictive Fast Reroute upon Remote BGP Disruptions Laurent Vanbever ETH Zrich (D-ITET)

SWIFT Predictive Fast Reroute upon Remote BGP Disruptions Laurent Vanbever ETH Zrich (D-ITET) Munich Internet Research Retreat November 25 2016 Human factors are responsible for 50% to 80% of network outages Juniper Networks, Whats

2.04k views • 141 slides
A Systematic Analysis of the Juniper Dual EC Incident Stephen Checkoway With Jacob Maskiewicz,

A Systematic Analysis of the Juniper Dual EC Incident Stephen Checkoway With Jacob Maskiewicz,

A Systematic Analysis of the Juniper Dual EC Incident Stephen Checkoway With Jacob Maskiewicz, Christina Garman, Joshua Fried, Shaanan Cohney, Matthew Green, Nadia Heninger, Ralf-Philipp Weinmann, Eric Rescorla, Hovav Shacham Junipers

1.06k views • 76 slides
:a-~ 1 0 ~ ~ \.)l :r v~ , :i; , : !. ~ - ~ ~ :~ " ' ' ' ~ Pl ' ~ "

:a-~ 1 0 ~ ~ \.)l :r v~ , :i; , : !. ~ - ~ ~ :~ " ' ' ' ~ Pl ' ~ "

. :a-~ 1 0 ~ ~ \.)l :r v~ , :i; , : !. ~ - ~ ~ :~ " ' ' ' ~ Pl ' ~ " lt l ) ' t:t. ":t I{ ~ U.S . D rough l M onitor Septe mber 27, 201 1 Mnd l Y. $#.. 1t,. Z.ON J Southern Pl ai ns (IW ..-d \bid 1

407 views • 18 slides
Software Routers ECE/CS598HPN Radhika Mittal Dataplane programmability is useful New ISP

Software Routers ECE/CS598HPN Radhika Mittal Dataplane programmability is useful New ISP

Software Routers ECE/CS598HPN Radhika Mittal Dataplane programmability is useful New ISP services intrusion detection, application acceleration Flexible network monitoring measure link latency, track down traffic New protocols

929 views • 60 slides
FutureGrid Tutorial @ CloudCom 2010 Indianapolis, Thursday Dec 2, 2010, 4:30-5:00pm

FutureGrid Tutorial @ CloudCom 2010 Indianapolis, Thursday Dec 2, 2010, 4:30-5:00pm

FutureGrid Tutorial @ CloudCom 2010 Indianapolis, Thursday Dec 2, 2010, 4:30-5:00pm laszewski@gmail.com Gregor von Laszewski, Greg Pike, Archit Kulshrestha, Andrew Younge, Fugang Wang, and the rest of the FG Team Community Grids Lab

953 views • 70 slides
CS7038 - Malware Analysis - Wk07.2 Malware Research Online Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk07.2 Malware Research Online Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk07.2 Malware Research Online Coleman Kane kaneca@mail.uc.edu February 22, 2018 Exploring the Online Ecosystem One nice aspect of malware analysis is that, since much of it originates online and

119 views • 10 slides

More recommend