TOWARDS CORRECT-BY-CONSTRUCTION SDN Leonid Ryzhyk Nikolaj Bjorner - - PowerPoint PPT Presentation

SLIDE 1

TOWARDS CORRECT-BY-CONSTRUCTION SDN

Leonid Ryzhyk, Nikolaj Bjorner, Marco Canini, Jean-Baptiste Jeannin, Nina Narodytska, Cole Schlesinger, Douglas Terry, George Varghese. 22 August 2016

SLIDE 2

INTRODUCTION

  • Cocoon is a
    – high-level SDN programming language
    – verification tool
    – SDN programming methodology
  • … based on the principle of correctness by construction

SLIDE 3

COCOON IN A NUTSHELL

[Diagram: two workflows side by side]
Traditional SDN verification workflow: Design → Implement → Run on the controller → Verify generated network configuration → refine implementation (and repeat).
SDN verification with Cocoon: Design → refine spec → refine (repeated) → Implement → Run on the controller; correct by construction.

SLIDE 4

EXAMPLE: CAMPUS NETWORK

[Figure: campus network with vlan-1, vlan-2 and vlan-3, each behind its own gateway router (vlan-1 gw router, vlan-2 gw router, vlan-3 gw router), interconnected by switches and routers. Legend: L2 segment, Router, Switch, VLAN, Gateway.]

[Sung et al. Towards Systematic Design of Enterprise Networks]

SLIDE 5

INTER-VLAN ROUTING: HOP1

[Figure: the same campus network (vlan-1, vlan-2, vlan-3, gateway routers, switches, routers); hop 1 of the inter-VLAN path, with an ACL applied at this hop.]

SLIDE 6

INTER-VLAN ROUTING: HOP2

[Figure: the same campus network; hop 2 of the inter-VLAN path, with an ACL applied at this hop.]

SLIDE 7

INTER-VLAN ROUTING: HOP3

[Figure: the same campus network; hop 3 of the inter-VLAN path.]

This is messy:

  • Large, ad hoc topology
  • L2/L3 routing are mixed up
  • Complex distributed security policies

Typical bugs:

  • ACL distribution
  • Routing loops
  • Black holes

Let’s try to untangle this design …

SLIDE 8

STEP 1: HIGH-LEVEL SPECIFICATION

[Figure: high-level spec: subnets 193.62.*.*, 193.63.*.* and 193.64.1.* connected through a single acl() function.]

SLIDE 9

STEP 2: DISTRIBUTED ACLs

[Figure: as in step 1, a single acl() between subnets 193.62.*.*, 193.63.*.* and 193.64.1.*.]

SLIDE 10

STEP 2: DISTRIBUTED ACLs

[Figure: subnets 193.62.*.*, 193.63.*.* and 193.64.1.*, with aclOut() and aclIn() placed at the gateways.]

Assumption: acl() ≡ aclOut() ∧ aclIn()

SLIDE 11

STEP 3: L3 ROUTING

[Figure: subnets 193.62.*.*, 193.63.*.* and 193.64.1.*.]

SLIDE 12

STEP 3: L3 ROUTING

[Figure: subnets 193.62.*.*, 193.63.*.* and 193.64.1.*, with L3NextHop() at the routers.]

Assumption: L3NextHop(pkt)* = Gateway(pkt)

SLIDE 13

STEP 4: L2 SWITCHING

[Figure: subnets 193.62.*.*, 193.63.*.* and 193.64.1.*.]

SLIDE 14

STEP 4: L2 SWITCHING

[Figure: subnets 193.62.*.*, 193.63.*.* and 193.64.1.*, with the L2 switches shown.]

SLIDE 15

STEP 4: L2 SWITCHING

[Figure: L2 switches.]

Assumption: L2NextHop(pkt)* = L3NextHop(pkt)

SLIDE 16

STEP 4: L2 SWITCHING

[Figure: one L2NextHop instance per VLAN: L2NextHop(pkt.vlan=0), L2NextHop(pkt.vlan=green), L2NextHop(pkt.vlan=red), L2NextHop(pkt.vlan=blue).]

SLIDE 17

SEPARATION OF CONCERNS

[Figure: layered refinement: High-level spec → Distributed access control → L3 routing → L2 switching.]

SLIDE 18

WOULDN’T IT BE GREAT TO BUILD SDNs THIS WAY?

[Figure: the refinement chain from the campus example: acl() over 193.62.*.*, 193.63.*.*, 193.64.1.*; then aclOut() and aclIn() at the gateways; then l3NextHop() at the routers.]

With Cocoon, you can!

  • Language support for refinement-based programming
  • Automatic compositional verification
  • P4 and OpenFlow (via NetKAT) backends

SLIDE 19

PARAMETERIZED SPECIFICATIONS

  • Parameterized specifications
    – Spec may contain undefined functions, e.g., acl(), l2NextHop(), l3NextHop()
    – Verification relies on assumptions about these functions
    – The functions are defined when the network design is instantiated
    – They can also change at runtime, e.g., in response to link failures
    – Assumptions are validated when concrete definitions are provided (statically or at runtime)
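To make the parameterized-specification idea concrete, here is an added Python example (not Cocoon code, and not from the deck) that instantiates the undefined functions acl(), aclOut(), aclIn(), l3NextHop() and Gateway() for a small constructed campus topology and checks the step-2 and step-3 assumptions, acl() ≡ aclOut() ∧ aclIn() and L3NextHop(pkt)* = Gateway(pkt), by enumeration. The subnets, the ACL rule and the two routing tables are constructed; the second routing table and the over-strict ingress filter are deliberately wrong so the checker reports the ACL-distribution, routing-loop and black-hole bugs listed on slide 7.

```python
"""Validating two of the deck's refinement assumptions against a concrete
instantiation of its undefined functions.  Added example, not Cocoon code: the
subnets, gateways, ACL rule and routing tables are all constructed."""
from itertools import product

# Constructed campus: three subnets, each behind its own gateway router, joined by a core.
SUBNETS = ["193.62", "193.63", "193.64.1"]
GATEWAY_OF = {"193.62": "gw1", "193.63": "gw2", "193.64.1": "gw3"}
ROUTERS = ["gw1", "gw2", "gw3", "core"]

# A packet is abstracted to (source prefix, destination prefix); enumerate all inter-subnet pairs.
PACKETS = [(s, d) for s, d in product(SUBNETS, repeat=2) if s != d]


def acl(pkt):
    """Step 1, high-level spec: hosts in 193.64.1 may not reach 193.62."""
    src, dst = pkt
    return not (src == "193.64.1" and dst == "193.62")


def acl_out(pkt):
    """Step 2, egress filter at the source gateway: carries the whole policy."""
    src, dst = pkt
    return not (src == "193.64.1" and dst == "193.62")


def acl_in(pkt):
    """Step 2, ingress filter at the destination gateway: permits everything."""
    return True


def strict_acl_in(pkt):
    """A mis-distributed ingress filter that additionally blocks 193.63 -> 193.62."""
    src, dst = pkt
    return not (src == "193.63" and dst == "193.62")


def gateway(pkt):
    """Gateway(pkt): the router owning the destination subnet."""
    return GATEWAY_OF[pkt[1]]


# Step 3, l3NextHop as per-router tables: destination prefix -> next router.
GOOD_L3 = {
    "gw1": {"193.63": "core", "193.64.1": "core"},
    "gw2": {"193.62": "core", "193.64.1": "core"},
    "gw3": {"193.62": "core", "193.63": "core"},
    "core": {"193.62": "gw1", "193.63": "gw2", "193.64.1": "gw3"},
}
# Mis-instantiated tables: core sends 193.64.1 back to gw2 (routing loop) and gw1
# has no route for 193.63 (black hole).
BUGGY_L3 = {
    "gw1": {"193.64.1": "core"},
    "gw2": {"193.62": "core", "193.64.1": "core"},
    "gw3": {"193.62": "core", "193.63": "core"},
    "core": {"193.62": "gw1", "193.63": "gw2", "193.64.1": "gw2"},
}


def check_acl_refinement(egress=acl_out, ingress=acl_in, packets=PACKETS):
    """Assumption acl() == aclOut() AND aclIn(): return the packets on which the
    distributed ACLs disagree with the high-level spec."""
    return [p for p in packets if acl(p) != (egress(p) and ingress(p))]


def check_l3_routing(table, packets=PACKETS, routers=ROUTERS):
    """Assumption L3NextHop(pkt)* == Gateway(pkt): from every router, following
    the table must reach gateway(pkt) without a loop or a black hole."""
    failures = []
    for start in routers:
        for pkt in packets:
            cur, seen = start, set()
            while cur != gateway(pkt):
                if cur in seen:
                    failures.append((start, pkt, "loop"))
                    break
                seen.add(cur)
                cur = table.get(cur, {}).get(pkt[1])
                if cur is None:
                    failures.append((start, pkt, "black hole"))
                    break
    return failures


if __name__ == "__main__":
    print("acl, correct split:", check_acl_refinement())
    print("acl, over-strict ingress:", check_acl_refinement(ingress=strict_acl_in))
    print("l3, good table:", check_l3_routing(GOOD_L3))
    print("l3, buggy table:", check_l3_routing(BUGGY_L3))
```

Cocoon discharges such assumptions by symbolic reasoning over all packets, one refinement at a time; the enumeration here covers only the sampled prefix pairs, which is enough to see what a validation failure looks like when a concrete definition is supplied statically or at runtime.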

SLIDE 20

CASE STUDIES

  • Campus network [Sung et al. Towards Systematic Design of Enterprise Networks]
  • F10 [Liu et al. F10: A Fault-Tolerant Engineered Network]
  • B4-style WAN [Jain et al. B4: Experience with a Globally-Deployed Software Defined WAN]
  • iSDX (Software-defined Internet Exchange) [Gupta et al. An Industrial-Scale Software Defined Internet Exchange Point]
  • NSX-style network virtualization framework [Koponen et al. Network Virtualization in Multi-tenant Datacenters]
  • Stag (source-based routing + security labels for fat-tree topology)

SLIDE 21

PERFORMANCE

  • All case studies verified in ~10 sec
    – Compositional verification (1 refinement at a time)
    – Parameterized verification amplifies the power of symbolic reasoning
  • No direct comparison (yet) with existing tools like NetKAT, HSA, but expect them to slow down for larger topologies

SLIDE 22

COCOON VS TRADITIONAL NETWORK VERIFICATION

[Figure: comparison diagram; labels: HSA / NetKAT / ..., Correctness spec.]

SLIDE 23

CONCLUSIONS

  • Correct-by-construction SDN via iterative refinement:
    – Enforces modular design
    – Enables strong static correctness guarantees
    – Scales to complex realistic networks

SLIDE 24

EXAMPLE ASSUMPTION

assume (hid_t sid, vid_t vid, MAC dst)
    (l2distance(sid, vid, dst) > 1) =>
        l2distance(link(sid, l2NextHop(sid, vid, dst)), dst) == (l2distance(sid, vid, dst) - 1)
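This assumption is a ranking argument: if a switch is more than one hop from the destination, the switch reached through l2NextHop must be exactly one hop closer, which rules out L2 forwarding loops and black holes. The Python below is an added example, not Cocoon code, showing how the assumption is checked once concrete definitions of l2NextHop(), link() and l2distance() are provided. The four-switch topology, VLAN membership, host placement and both forwarding tables are constructed; l2distance() is modelled as a BFS hop count confined to the VLAN and, as a modelling choice here, is passed the VLAN on both sides of the implication (the deck's statement writes the right-hand call with two arguments).

```python
"""Checking the deck's l2distance assumption against a concrete L2 instantiation.
Added example, not Cocoon code: topology, VLAN membership, host placement and the
two l2NextHop tables below are constructed."""
from collections import deque

# Constructed topology: switch -> {port: neighbouring switch}; every link is symmetric.
LINKS = {
    "s1": {1: "s2"},
    "s2": {1: "s1", 2: "s3"},
    "s3": {1: "s2", 2: "s4"},
    "s4": {1: "s3"},
}
# Which switches carry each VLAN (a packet forwarded outside them is dropped).
VLAN_SWITCHES = {"red": {"s1", "s2", "s3", "s4"}, "blue": {"s1", "s2"}}
# Destination MAC -> switch the host hangs off.
HOST_AT = {"aa:01": "s4", "aa:02": "s1", "aa:03": "s2"}


def link(sid, port):
    """link(sid, port): the switch at the far end of sid's port."""
    return LINKS[sid][port]


def l2distance(sid, vid, dst):
    """Hop count from sid to dst's switch staying inside VLAN vid; None if unreachable."""
    target = HOST_AT[dst]
    if sid not in VLAN_SWITCHES[vid]:
        return None
    dist, queue = {sid: 0}, deque([sid])
    while queue:
        cur = queue.popleft()
        if cur == target:
            return dist[cur]
        for nbr in LINKS[cur].values():
            if nbr in VLAN_SWITCHES[vid] and nbr not in dist:
                dist[nbr] = dist[cur] + 1
                queue.append(nbr)
    return None


# Concrete l2NextHop: (switch, vlan, dst MAC) -> egress port.
GOOD_L2 = {
    ("s1", "red", "aa:01"): 1, ("s2", "red", "aa:01"): 2, ("s3", "red", "aa:01"): 2,
    ("s4", "red", "aa:02"): 1, ("s3", "red", "aa:02"): 1, ("s2", "red", "aa:02"): 1,
    ("s4", "red", "aa:03"): 1, ("s3", "red", "aa:03"): 1, ("s1", "red", "aa:03"): 1,
    ("s1", "blue", "aa:03"): 1, ("s2", "blue", "aa:02"): 1,
}
# Misconfigured copy: s2 bounces red traffic for aa:01 back toward s1 (a forwarding
# loop) and s4 has no entry at all for aa:03 (a black hole).
BUGGY_L2 = dict(GOOD_L2)
BUGGY_L2[("s2", "red", "aa:01")] = 1
del BUGGY_L2[("s4", "red", "aa:03")]


def check_l2_assumption(next_hop):
    """For every (sid, vid, dst) with l2distance > 1, the switch reached through
    l2NextHop must be exactly one hop closer.  Returns the violating cases."""
    violations = []
    for vid, switches in VLAN_SWITCHES.items():
        for dst in HOST_AT:
            for sid in sorted(switches):
                d = l2distance(sid, vid, dst)
                if d is None or d <= 1:  # antecedent of the implication is false
                    continue
                port = next_hop.get((sid, vid, dst))
                if port is None:
                    violations.append((sid, vid, dst, "no next hop"))
                    continue
                nxt = link(sid, port)
                if l2distance(nxt, vid, dst) != d - 1:
                    violations.append((sid, vid, dst, nxt))
    return violations


if __name__ == "__main__":
    print("good table:", check_l2_assumption(GOOD_L2))
    print("buggy table:", check_l2_assumption(BUGGY_L2))
```

Because the distance strictly decreases at every hop, a table that passes this check cannot loop and cannot strand a packet, which is how the assumption lets the verifier reason about L2 switching one refinement at a time instead of exploring every path.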