Presentation is loading. Please wait.

Presentation is loading. Please wait.

Abstractions for Model Checking SDN Controllers

Published byLizbeth Eaton Modified over 6 years ago

Similar presentations

Presentation on theme: "Abstractions for Model Checking SDN Controllers"— Presentation transcript:

1 Abstractions for Model Checking SDN Controllers
Divjyot Sethi, Srinivas Narayana, Prof. Sharad Malik Princeton University

2 Traditional Networking
Swt1 Swt2 Talk OSPF, RIP, BGP, etc. Challenges: - Difficult to get right. - Inflexible for novel ideas. - No clean abstractions for implementing control. Swt3 Forwarding data plane Mapping used for forwarding packets. Distributed control plane Logic used to update the mapping.

3 A Fundamental Shift in Network Design
Distributed Control Centralized Control General purpose software Controller Swt1 Swt2 Swt1 Swt2 Talk OSPF, RIP, BGP, etc. Switches programmed by controller by installing rules Swt3 Swt3 Centralized control simplifies design and innovation However, an Achilles heel for correctness.

4 Problem: Bugs in Centralized Control?
Security leaks: packet sent to an untrusted host. Network loops: packet looping around in network. Link overload and data center outage. Downtime cost: ~$1 million per outage! ( AWS service commitment: Amazon EC2 and Amazon availability at least 99.95%

5 Challenges in Verification
Controller Large number of packets alive in network. Large buffer state. Large number of rules installed in switches. Large network state. Large topology size. H1 Swt1 H2 Swt2 pkt1 pkt4 pktc pkt2 pkt3 Swt3 Routing Table Port1: inPkt.src = Host1 Port2: inPkt.src = Host3 Port3: inPkt.src = Hostk Portp: inPkt.src = Hostr Portq: inPkt.src = Hosta outPort(inPkt) =

6 Overview Existing approaches and problem statement
Abstraction on Stateful firewall Experimental case studies Stateful firewall Learning switch Conclusions

7 Overview Existing approaches and problem statement
Abstraction on Stateful firewall Experimental case studies Stateful firewall Learning switch Conclusions

8 Verifying Software Defined Networks: Existing Approaches
Controller Updates Controller Updates Configuration 1 Configuration 2 Configuration 3 Transient Phase Transient Phase Network state evolves from configuration (switch rules) to configuration as controller updates the rules during transient phase. Category 1: Verify just one configuration - Symbolic simulation[Kazemian et al. NSDI’12] Reduction to SAT [S. Zhang et al. ATVA’12, H. Mai SIGCOMM’ 11] Model Checking [E. Al-Shaer SafeConfig’10] Problem: verifies just one snapshot!

9 Verifying Software Defined Networks: Existing Approaches
Controller Updates Controller Updates Configuration 1 Configuration 2 Configuration 3 Transient Phase Transient Phase Network state evolves from configuration (switch rules) to configuration as controller updates the rules during transient phase. Category 2: Incremental verification, i.e., verify all snapshots [Kazemian et al. NSDI’13, A. Khurshid et al. NSDI’12] Problem: property may be violated in transient phase!

10 Verifying Software Defined Networks: Existing Approaches
Controller Updates Controller Updates Configuration 1 Transient Phase Configuration 2 Transient Phase Configuration 3 Network state evolves from configuration (switch rules) to configuration as controller updates the rules during transient phase. Category 3: Full formal verification of Controller - NICE (M. Canini NSDI’12), FlowLog (T. Nelson HotSDN’13) Problem: handle only a bounded number of packets! Runtime grows exponentially with increasing packets. Can’t guarantee properties like security as checked for small number of packets.

11 Full formal verification of Controller using model checking.
Focus of this Work Controller Updates Controller Updates Configuration 1 Transient Phase Configuration 2 Transient Phase Configuration 3 Network state evolves from configuration (switch rules) to configuration as controller updates the rules during transient phase. Full formal verification of Controller using model checking. Extend NICE with abstractions to handle an unbounded number packets.

12 Overview Existing approaches and problem statement
Abstraction on Stateful firewall Experimental case studies Stateful firewall Learning switch Conclusions

13 Stateful Firewall Firewall rules: H1 can contact H2 or H3
p2 p1 Enterprise Host Internet Hosts Firewall Controller H3 p3 Firewall rules: H1 can contact H2 or H3 H2/H3 can contact H1, only if H1 has already contacted them. If H2/H3 initiates contact first, it must be blocked. Property: If H2 never contacts H1 first, it does not get blocked.

14 Abstraction for Unbounded Packets: Data State Abstraction
Key insight: properties of interest are per-packet properties. - For example a packet from one host cannot reach another. Controller Controller H1 pkt1 H2 H1 H2 S1 pktc S2 pkt3 S1 pktc S2 pkte pkte pkte pkt2 H3 H3

15 Abstraction for Large Switch State: Network State Abstraction
Controller H1 H2 S1 S2 p1 p2 p1 p2 p3 Enterprise Host Internet Hosts Firewall H3 Routing Table p1: pkt.dst = H1 output port(pkt) = p2: pkt. dst = H2 p3: pkt. dst = H3

16 Abstraction for Reducing Switch State: Leveraging Data State Abstraction
pktc.src = H1 pktc.dst = H2 Controller H1 H2 S1 S2 p1 p2 pktc p1 p2 p3 Enterprise Host Internet Hosts Firewall H3 Abstracted Routing Table p1: pkt.dst = H1 output port(pkt) = p2: pkt. dst = H2 non-det: pkt. dst != {H1 or H2}

17 Overview Existing approaches and problem statement
Abstraction on Stateful firewall Experimental case studies Stateful firewall Learning switch Conclusions

18 Stateful Firewall S1 S2 H1 H2 p2 p1 Enterprise Internet Firewall Controller Verified a Murphi model of the firewall with a single host H2. - Found a bug: H2 replies to H1 but still gets blocked! Experiments were done on a 2.40 GHz Intel Core 2 Quad processor, 3.74 GB RAM.

19 Stateful Firewall: Race Condition
H1 H2 p2 p1 Enterprise Internet Firewall Controller pkt1 H1 sends a packet pkt1 to H2

20 Stateful Firewall: Race Condition
H1 H2 p2 p1 Enterprise Internet Firewall Controller Notification pkt1 Switch S1 notifies the controller.

21 Stateful Firewall: Race Condition
H1 H2 p2 p1 Enterprise Internet Firewall Controller Notification pkt1 Packet is also forwarded by S1, to S2 which sends it to H2

22 Stateful Firewall: Race Condition
H1 H2 p2 p1 Enterprise Internet Firewall Controller Notification pkt2 Host H2 replies with packet pkt2.

23 Stateful Firewall: Race Condition
H1 H2 p2 p1 Enterprise Internet Firewall Controller Notification Notification pkt2 Switch S2 notifies Controller about pkt2.

24 Stateful Firewall: Race Condition
H1 H2 p2 p1 Enterprise Internet Firewall Controller Notification Notification If notification of S1 reaches after S2, Controller thinks that H2 contacted first and so is an attacker! H2 gets erroneously blocked! Bug detected in 0.13 sec with 482 states

25 Stateful Firewall: Bug Fix
H1 H2 p2 p1 Enterprise Internet Firewall Controller Notification pkt1 S1 waits for Controller to acknowledge notification before forwarding packet pkt1 to H2. - Proved correctness for an unbounded number of packets in this case. Correctness proof for the bug free case with unbounded number of packets in 0.19 sec with 613 states

26 Learning Switch When a packet arrives at a switch at an input port:
Controller HstA HstB Swt1 Swt2 1 2 3 pkt Swt3 HstC When a packet arrives at a switch at an input port: Switch learns its source host is connected to that port. Uses this information to route future packets efficiently.

27 Learning Switch: Bug Controller HstA HstB Swt1 Swt2 1 2 3 Swt3 HstC Switches may learn routing information such that packets get stuck in a loop! Loop was found in 0.1 sec with 159 states explored.

28 Learning Switch: Bug Fix
Controller HstA HstB Swt1 Swt2 1 2 3 No packet on this link as not on spanning tree. Swt3 HstC Only route on a spanning tree Verified for an arbitrary number of packets exchanged between HstA and HstB in 600s with 1.45M.

29 Overview Existing approaches and problem statement
Abstraction on Stateful firewall Experimental case studies Stateful firewall Learning switch Conclusions

30 Conclusions We presented abstractions for:
Verifying properties for an arbitrary number of packets. Handling large network state. Verified a stateful firewall and a learning switch using these abstractions.

31 Thank You!

Download ppt "Abstractions for Model Checking SDN Controllers"

Similar presentations

Logically Centralized Control Class 2. Types of Networks ISP Networks – Entity only owns the switches – Throughput: 100GB-10TB – Heterogeneous devices:

Logically Centralized Control Class 2. Types of Networks ISP Networks – Entity only owns the switches – Throughput: 100GB-10TB – Heterogeneous devices:
Models and techniques for verification of Software Defined Networks

Models and techniques for verification of Software Defined Networks
CSCI 465 D ata Communications and Networks Lecture 20 Martin van Bommel CSCI 465 Data Communications & Networks 1.

CSCI 465 D ata Communications and Networks Lecture 20 Martin van Bommel CSCI 465 Data Communications & Networks 1.
Chapter 9 Local Area Network Technology

Chapter 9 Local Area Network Technology
A SOFT Way for OpenFlow Interoperability Testing Marco Canini TU Berlin / T-Labs [CoNEXT’12]

A SOFT Way for OpenFlow Interoperability Testing Marco Canini TU Berlin / T-Labs [CoNEXT’12]
Incremental Consistent Updates Naga Praveen Katta Jennifer Rexford, David Walker Princeton University.

Incremental Consistent Updates Naga Praveen Katta Jennifer Rexford, David Walker Princeton University.
VeriCon: Towards Verifying Controller Programs in SDNs (PLDI 2014) Thomas Ball, Nikolaj Bjorner, Aaron Gember, Shachar Itzhaky, Aleksandr Karbyshev, Mooly.

VeriCon: Towards Verifying Controller Programs in SDNs (PLDI 2014) Thomas Ball, Nikolaj Bjorner, Aaron Gember, Shachar Itzhaky, Aleksandr Karbyshev, Mooly.
Towards a Logic for Wide-Area Internet Routing Nick Feamster and Hari Balakrishnan M.I.T. Computer Science and Artificial Intelligence Laboratory Kunal.

Towards a Logic for Wide-Area Internet Routing Nick Feamster and Hari Balakrishnan M.I.T. Computer Science and Artificial Intelligence Laboratory Kunal.
SDN and Openflow.

SDN and Openflow.
William Stallings Data and Computer Communications 7 th Edition (Selected slides used for lectures at Bina Nusantara University) Internetworking.

William Stallings Data and Computer Communications 7 th Edition (Selected slides used for lectures at Bina Nusantara University) Internetworking.
Data Plane Verification. Background: What are network policies Alice can talk to Bob Skype traffic must go through a VoIP transcoder All traffic must.

Data Plane Verification. Background: What are network policies Alice can talk to Bob Skype traffic must go through a VoIP transcoder All traffic must.
© 2009 Cisco Systems, Inc. All rights reserved. ROUTE v1.0—6-1 Connecting an Enterprise Network to an ISP Network Considering the Advantages of Using BGP.

© 2009 Cisco Systems, Inc. All rights reserved. ROUTE v1.0—6-1 Connecting an Enterprise Network to an ISP Network Considering the Advantages of Using BGP.
BUFFALO: Bloom Filter Forwarding Architecture for Large Organizations Minlan Yu Princeton University Joint work with Alex Fabrikant,

BUFFALO: Bloom Filter Forwarding Architecture for Large Organizations Minlan Yu Princeton University Joint work with Alex Fabrikant,
Formal checkings in networks James Hongyi Zeng with Peyman Kazemian, George Varghese, Nick McKeown.

Formal checkings in networks James Hongyi Zeng with Peyman Kazemian, George Varghese, Nick McKeown.
LAN Overview (part 2) CSE 3213 Fall 2011 21 April 2017.

LAN Overview (part 2) CSE 3213 Fall April 2017.
Lecture 10 Overview. Border Gateway Protocol(BGP) De facto standard for Internet inter-AS routing allows subnet to advertise its existence to rest of.

Lecture 10 Overview. Border Gateway Protocol(BGP) De facto standard for Internet inter-AS routing allows subnet to advertise its existence to rest of.
Software-Defined Networks Jennifer Rexford Princeton University.

Software-Defined Networks Jennifer Rexford Princeton University.
Formal Modeling of an Openflow Switch using Alloy Natali Ruchansky and Davide Proserpio.

Formal Modeling of an Openflow Switch using Alloy Natali Ruchansky and Davide Proserpio.
VeriFlow: Verifying Network-Wide Invariants in Real Time

VeriFlow: Verifying Network-Wide Invariants in Real Time
Floodless in SEATTLE : A Scalable Ethernet ArchiTecTure for Large Enterprises. Changhoon Kim, Matthew Caesar and Jenifer Rexford. Princeton University.

Floodless in SEATTLE : A Scalable Ethernet ArchiTecTure for Large Enterprises. Changhoon Kim, Matthew Caesar and Jenifer Rexford. Princeton University.

Similar presentations

Ads by Google