[PPT] - Online Data Plane Checking June 12, 2013 Summer School on Formal PowerPoint Presentation

SLIDE 1

Online Data Plane Checking

June 12, 2013 Summer School on Formal Methods and Networks Cornell University

SLIDE 2

VeriFlow: Verifying Network-Wide Invariants in Real Time*

Ahmed Khurshid, Xuan Zou, Wenxuan Zhou, Matthew Caesar, P. Brighten Godfrey University of Illinois at Urbana-Champaign (UIUC)

June 12, 2013

Summer School on Formal Methods and Networks Cornell University

*HotSDN 2012, NSDI 2013, ONS 2013

SLIDE 3

Challenges in Network Debugging

6/12/2013 Department of Computer Science, UIUC 3

http://groups.geni.net/geni/chrome/site/thumbnails/wiki /TangoGENI/OF-VLAN3715_1000.jpg

Complex interactions Misconfigurations Unforeseen bugs Difficult to test the entire network state space before deployment

SLIDE 4

Data Plane Verification in Action

FlowChecker [Al-Shaer et al., SafeConfig 2010]

– Uses BDD-based model checker

Anteater [Mai et al., SIGCOMM 2011]

– Uses SAT-based model checking – Revealed 23 real bugs in the UIUC campus network

Header Space Analysis [Kazemian et al., NSDI 2012]

– Uses set-based custom algorithm – Found multiple loops in the Stanford backbone network

6/12/2013 Department of Computer Science, UIUC 4

Find problems after they occur and (potentially) cause damage

Running time: Several seconds to a few hours

SLIDE 5

Can we run verification in real time?

6/12/2013 Department of Computer Science, UIUC 5

Checking network-wide invariants in real time as the network evolves Need to verify new updates at high speeds Block dangerous changes Provide immediate warning

SLIDE 6

Challenges in Real-Time Verification

Challenge 1: Obtaining real-time view of

network

– Solution: Utilize the centralized data-plane view available in an SDN (Software-Defined Network)

Challenge 2: Verification speed

– Solution: Off-the-shelf techniques?

6/12/2013 Department of Computer Science, UIUC 6

No, too slow!

SLIDE 7

Our Tool: VeriFlow

VeriFlow checks network-wide invariants in

real time using data-plane state

– Absence of routing loops and black holes, access control violations, etc.

VeriFlow functions by

– Monitoring dynamic changes in the network – Constructing a model of the network behavior – Using custom algorithms to automatically derive whether the network contains errors

6/12/2013 Department of Computer Science, UIUC 7

SLIDE 8

VeriFlow

New rules

VeriFlow Operation

6/12/2013 Department of Computer Science, UIUC 8

Network Controller Generate equivalence classes Generate forwarding graphs Run queries Diagnosis report

Type of invariant

violation

Affected set of

packets

Rules violating network invariant(s) Good rules

SLIDE 9

1. Limit the Search Space

6/12/2013 Department of Computer Science, UIUC 9

VeriFlow

Generate Equivalence Classes Updates

Equivalence class: Packets experiencing the same forwarding actions throughout the network.

Fwd’ing rules

Equiv. classes

0.0.0.0/1 64.0.0.0/3 1 2 3 4 0.0.0.0/0

SLIDE 10

Computing Equivalence Classes

6/12/2013 Department of Computer Science, UIUC 10

(device, rule) pairs (don’t care/wildcard)

SLIDE 11

2. Represent Forwarding Behavior

6/12/2013 Department of Computer Science, UIUC 11

VeriFlow

Generate Forwarding Graphs Generate Equivalence Classes Updates All the info to answer queries!

Equivalence Class 1 Equivalence Class 2

SLIDE 12

3. Run Query to Check Invariants

6/12/2013 Department of Computer Science, UIUC 12

VeriFlow

Generate Forwarding Graphs Generate Equivalence Classes Run Queries Updates

Black holes, Routing loops, Access control policies

Good rules Bad rules Diagnosis report

Type of invariant

violation

Affected set of

packets

SLIDE 13

API to write custom invariants

VeriFlow provides a set of functions to write

custom query algorithms

– Gives access to the affected set of equivalence classes and their forwarding graphs – Verification becomes a standard graph traversal algorithm

Can be used to

– Check forwarding behavior of specific packet sets – Verify effects of potential changes

6/12/2013 Department of Computer Science, UIUC 13

SLIDE 14

Experiment

Simulated an IP network using a Rocketfuel

topology

– 172 routers

Replayed Route Views BGP traces

– 5 million RIB entries – 90K BGP updates

Checked for loops and black holes
Microbenchmarked each phase of VeriFlow’s
peration

6/12/2013 Department of Computer Science, UIUC 14

SLIDE 15

Performance Result

6/12/2013 Department of Computer Science, UIUC 15

97.8% of the updates were verified within 1 millisecond

SLIDE 16

Effect of Equivalence Class Count

6/12/2013 Department of Computer Science, UIUC 16

Number of ECs strongly influences verification time

Number of ECs affected by new rule

SLIDE 17

Experiment (cont.)

Mininet OpenFlow network

– Rocketfuel topology with 172 switches, one host per switch

NOX controller, learning switch application
TCP connections between random pairs of hosts

6/12/2013 Department of Computer Science, UIUC 17

NOX Controller + Switch application

VeriFlow

TCP SYN

SLIDE 18

Effect on Flow Table Update Throughput

6/12/2013 Department of Computer Science, UIUC 18

Update throughput (msg/sec)

Overhead of VeriFlow is low

SLIDE 19

Effect of Multiple Header Fields

6/12/2013 Department of Computer Science, UIUC 19

Data link source Data link destination Network source Network destination Data link type

More fields -> More equivalence classes -> Longer verification time

SLIDE 20

Conclusion

VeriFlow achieves real-time verification

– A layer between SDN controller and network devices – Handles multiple packet header fields efficiently – Runs queries within hundreds of microseconds – Exposes an API for writing custom invariants

Ongoing work

– Handling packet transformations efficiently – Dealing with multiple controllers

6/12/2013 Department of Computer Science, UIUC 20

SLIDE 21

Demo Network

SLIDE 22

6/12/2013 Department of Computer Science, UIUC 22

A(1) 10.0.0.33 10.0.0.32 10.0.0.64 10.0.0.128 10.0.0.129 10.0.0.65 10.0.0.66 B(2) C(3) D(4) E(5) F(6) G(7) H(8) J(10) I(9)

1 2 3 4 1 2 3 1 2 1 2 3 4 1 2 3 4 2 1 1 2 1 2 3 3 1 2 4 1 2 3

Name(ID) Intfn Intf1

SLIDE 23

6/12/2013 Department of Computer Science, UIUC 23

A(1) 10.0.0.33 10.0.0.32 10.0.0.64 10.0.0.128 10.0.0.129 10.0.0.65 10.0.0.66 B(2) C(3) D(4) E(5) F(6) G(7) H(8) J(10) I(9)

1 2 3 4 1 2 3 1 2 1 2 3 4 1 2 3 4 2 1 1 2 1 2 3 3 1 2 4 1 2 3

Name(ID) Intfn Intf1

Priority = 1 Priority = 2

SLIDE 24

6/12/2013 Department of Computer Science, UIUC 24

A(1) 10.0.0.33 10.0.0.32 10.0.0.64 10.0.0.128 10.0.0.129 10.0.0.65 10.0.0.66 B(2) C(3) D(4) E(5) F(6) G(7) H(8) J(10) I(9)

1 2 3 4 1 2 3 1 2 1 2 3 4 1 2 3 4 2 1 1 2 1 2 3 3 1 2 4 1 2 3

Name(ID) Intfn Intf1

Priority = 1 Priority = 2

SLIDE 25

Forwarding Graphs from the Rocketfuel-RouteViews Experiment

SLIDE 26

6/12/2013 Department of Computer Science, UIUC 26

SLIDE 27

6/12/2013 Department of Computer Science, UIUC 27

SLIDE 28

6/12/2013 Department of Computer Science, UIUC 28

SLIDE 29

6/12/2013 Department of Computer Science, UIUC 29

SLIDE 30

VeriFlow source code is available at

http://www.cs.illinois.edu/~khurshi1/projects/veriflow/

SLIDE 31

Thank you

khurshi1@illinois.edu http://www.cs.illinois.edu/~khurshi1

SLIDE 32

Backup Slides

SLIDE 33

Related Work

Real time network policy checking using header space

analysis, NSDI 2013

Header space analysis: Static checking for networks, NSDI

2012

A NICE way to test OpenFlow applications, NSDI 2012
Abstractions for network update, SIGCOMM 2012
Can the production network be the testbed?, OSDI 2010
FlowChecker: Configuration analysis and verification of

federated OpenFlow infrastructures, SafeConfig 2010

Network configuration in a box: Towards end-to-end

verification of network reachability and security, ICNP 2009

On static reachability analysis of IP networks, INFOCOM

2005

6/12/2013 Department of Computer Science, UIUC 33