Presentation is loading. Please wait.

Presentation is loading. Please wait.

Fast Testing Network Data Plane with RuleChecker

Published byGyörgy Gál Modified over 5 years ago

Similar presentations

Presentation on theme: "Fast Testing Network Data Plane with RuleChecker"— Presentation transcript:

1 Fast Testing Network Data Plane with RuleChecker
2019/5/21 Fast Testing Network Data Plane with RuleChecker Author: Peng Zhang, Cheng Zhang, and Chengchen Hu Publisher: IEEE ICNP 2017 Presenter: Chia-He Lin Date: 2017/11/29 Department of Computer Science and Information Engineering National Cheng Kung University, Taiwan R.O.C. CSIE CIAL Lab 1

2 Outline Introduction Background Proposed scheme Evaluation Conclusion
National Cheng Kung University CSIE Computer & Internet Architecture Lab

3 2019/5/21 Introduction Software Defined Networking (SDN) decouples control functions away from the data plane, thereby offering a centralized, flexible, and programmable network control. A new risk rises: the data plane states may not agree with the control plane policies. For example, switches may fail to correctly install the rules issued by the controller, due to software bugs, hardware faults , or attacks. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

4 2019/5/21 Introduction Both VeriDP and REV cannot handle packet rewrites, and need to modify SDN switches to add tags. Data plane testing tools like Monocle and RuleScope detect rule missing fault and priority fault by generating probes for rules, and checking whether the switch outputs the probes according to their corresponding rules. Compared with VeriDP and REV,Monocle and RuleScope need to send a small number of probe packets, require no switch modification and are thus a more preferable approach to check the correspondence of network data plane. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

5 2019/5/21 Introduction (1) They are relatively slow in generating probes due to the need of solving Boolean Satisfiability (SAT) problems. (2) They may generate false negatives when there are multiple missing rules that are correlated. (3) They do not support incremental probe update, and are thus inefficient under dynamic network re-configurations. (4) They cannot test cascaded flow tables, a mandatory feature of OpenFlow. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

6 2019/5/21 Introduction RuleChecker monitors (without blocking) the rule install/remove messages, and computes/updates probes based on the rules. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

7 2019/5/21 Introduction (1) RuleChecker uses a new probe generation method, which does not require solving SAT problems. (2) RuleChecker introduces a new rule dependency model, and uses multiple rounds of probing to eliminate false negatives. (3) RuleChecker only needs to re-compute a minimal number of probes when a new rule is added. (4) RuleChecker generates a probe for each rule of each of cascaded flow table, based on a model named rule path. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

8 Background Rule missing fault
2019/5/21 Background Rule missing fault (1) the controller sends a rule installation message to the switch, but the switch fails to install the rules to its flow table. A possible reason for (1) is that the switch software may contain bugs such that it fails to properly process the rule installation messages. (2) the rule that previously exists in a switch’s flow table disappears without being noticed by the controller. As for (2), it is possible that a switch deletes a rule from its flow table due to table overflow, without reporting to the controller. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

9 Background Rule priority fault
2019/5/21 Background Rule priority fault We say a pair of rule ri and rj are experiencing a priority fault, if their priorities are swapped. Priority faults can happen if the switch totally ignores the priority fields of rules. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

10 Proposed scheme-Overview
Detecting rule missing fault According Monocle, a probe that can detect the missing fault of ri should satisfy: 1) The probe should match rule ri, but no any other rule whose priority is higher than ri. 2) Let rj be the highest-priority rule satisfying rj.p < ri.p and the probe matches rj , then we should have ri.a ≠ rj.a. National Cheng Kung University CSIE Computer & Internet Architecture Lab

11 Proposed scheme National Cheng Kung University CSIE Computer & Internet Architecture Lab

12 Proposed scheme Detecting rule priority fault
2019/5/21 Proposed scheme Detecting rule priority fault The probes generated for detecting rule missing faults may not detect priority faults. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

13 Proposed scheme-Encoding Header Fields
2019/5/21 Proposed scheme-Encoding Header Fields Before generating probes using Eqs. (1), we need a method to encode header fields. Wildcard is a good choice for representing IP prefix or suffix, and is adopted by HAS. Binary Decision Diagram (BDD) is an efficient data structure for encoding Boolean expressions. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

14 2019/5/21 Proposed scheme National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

15 Proposed scheme-Generating Probes Sets
2019/5/21 Proposed scheme-Generating Probes Sets (Line 1)The algorithm first sorts the rules in the order of decreasing priority , (Line 2)and initializes the set of unmatched headers, denoted as Ha, as the whole set, e.g., the logical “true”. (Line 3-14) Generates probe sets for each rule ri. (Line 4)In each loop, the algorithm first calculates the hitting fields ri.h and updates Ha. (Line 5-8)If ri.h is not empty, then the algorithm initializes Hb as ri.h, and calculates the overriding fields for each rj that has a lower priority than ri. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

16 Proposed scheme-Generating Probes Sets
2019/5/21 Proposed scheme-Generating Probes Sets (Line 9-12 )If override(ri, rj) is not empty and the actions of ri and rj are different, then it will be put as a probe set into ri.t, and override(ri, rj) is subtracted from Hb. (Line 13-14)Finally, if there are still remaining headers in Hb (meaning that Hb will match the default rule), then Hb will be added to ri.t. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

17 Proposed scheme-Sampling Probes
2019/5/21 Proposed scheme-Sampling Probes AnySAT problem is very efficient for BDD: one only needs to find a path from the root node leading to the True node. If the BDD encodes a set of IPv4 addresses, then the number of variables is 32. That is, AnySAT has a linear complexity, compared with Boolean Satisfiability (SAT), which is NP-complete. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

18 Proposed scheme-The Complete Construction
2019/5/21 Proposed scheme-The Complete Construction (1) it may raise false negatives when there are multiple missing rules; (2) it cannot incrementally update probes when a new rule is added; (3) it does not support cascaded flow tables. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

19 Proposed scheme-Eliminating False negatives
2019/5/21 Proposed scheme-Eliminating False negatives National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

20 2019/5/21 Proposed scheme National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

21 Proposed scheme Dependency-aware rule probing and repairing
2019/5/21 Proposed scheme Dependency-aware rule probing and repairing (1) The conservative approach always sends probes for rules that depend on no other rules. If these probes pass the test, then we remove the rules, together with their corresponding edges, from the dependency graph. Then, we continue to send probes for rules that depend on other rules. (2) The aggressive approach simply sends all probes without waiting, and see if there are failed probes. Since there are no false positives, we only need to repair the rules whose probes fail, and re-send all probes again. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

22 Proposed scheme National Cheng Kung University CSIE Computer & Internet Architecture Lab

23 Proposed scheme-Incremental Probe Update
2019/5/21 Proposed scheme-Incremental Probe Update Rh: the rules whose matching fields overlap with r, and whose priority is higher than r. Rl: the rules whose matching fields overlap with r, and whose priority is lower than r. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

24 Proposed scheme-Testing Cascaded Flow Tables
2019/5/21 Proposed scheme-Testing Cascaded Flow Tables We assume that packets will match Table 1 and Table 2 in sequence. Each flow table has three rules, numbered in the order of decreasing priority, and at the last is a default rule that catches all unmatched headers. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

25 Proposed scheme-Testing Cascaded Flow Tables
2019/5/21 Proposed scheme-Testing Cascaded Flow Tables National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

26 Proposed scheme (Line 4-7)calculates their matching fields and hitting fields. (Line 9),For each rule ri,j , the algorithm selects one of its leaf rules r.k, (Line 10-19)and tries to find another rule rl satisfying rk overrides rl and rk.a ≠ rl.a. (Line 5-14 )The process of finding such rl is mostly the same with that of Algorithm 1, and difference is that rl is chosen from Relative(ri,j , rk). National Cheng Kung University CSIE Computer & Internet Architecture Lab

27 Evaluation RuleChecker:3.1GHz dual-core Intel i5 CPU,16GB RAM
2019/5/21 Evaluation RuleChecker:3.1GHz dual-core Intel i5 CPU,16GB RAM Software switches (OpenvSwitches) 2 * 2GHz 6-core Intel E5 CPUs, 32 GB RAM National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

28 Evaluation National Cheng Kung University CSIE Computer & Internet Architecture Lab

29 Evaluation National Cheng Kung University CSIE Computer & Internet Architecture Lab

30 Evaluation National Cheng Kung University CSIE Computer & Internet Architecture Lab

31 Evaluation National Cheng Kung University CSIE Computer & Internet Architecture Lab

32 Evaluation National Cheng Kung University CSIE Computer & Internet Architecture Lab

33 Conclusion We presented RuleChecker, which can generate probes to actively test the correctness of SDN flow tables. Different from previous probe-based testing tools like Monocle, RuleChecker is extremely fast due to a novel set-based probe generation method. Moreover, RuleChecker fills some important parts missed by previous tools, including elimination of false negatives, incremental probe update, and support of cascaded flow tables. National Cheng Kung University CSIE Computer & Internet Architecture Lab

Download ppt "Fast Testing Network Data Plane with RuleChecker"

Similar presentations

An Efficient IP Address Lookup Algorithm Using a Priority Trie Authors: Hyesook Lim and Ju Hyoung Mun Presenter: Yi-Sheng, Lin ( 林意勝 ) Date: Mar. 11, 2008.

An Efficient IP Address Lookup Algorithm Using a Priority Trie Authors: Hyesook Lim and Ju Hyoung Mun Presenter: Yi-Sheng, Lin ( 林意勝 ) Date: Mar. 11, 2008.
Memory-Efficient Regular Expression Search Using State Merging Department of Computer Science and Information Engineering National Cheng Kung University,

Memory-Efficient Regular Expression Search Using State Merging Department of Computer Science and Information Engineering National Cheng Kung University,
1 Route Table Partitioning and Load Balancing for Parallel Searching with TCAMs Department of Computer Science and Information Engineering National Cheng.

1 Route Table Partitioning and Load Balancing for Parallel Searching with TCAMs Department of Computer Science and Information Engineering National Cheng.
OpenFlow-Based Server Load Balancing GoneWild Author : Richard Wang, Dana Butnariu, Jennifer Rexford Publisher : Hot-ICE'11 Proceedings of the 11th USENIX.

OpenFlow-Based Server Load Balancing GoneWild Author : Richard Wang, Dana Butnariu, Jennifer Rexford Publisher : Hot-ICE'11 Proceedings of the 11th USENIX.
EQC16: An Optimized Packet Classification Algorithm For Large Rule-Sets Author: Uday Trivedi, Mohan Lal Jangir Publisher: 2014 International Conference.

EQC16: An Optimized Packet Classification Algorithm For Large Rule-Sets Author: Uday Trivedi, Mohan Lal Jangir Publisher: 2014 International Conference.
StriD 2 FA: Scalable Regular Expression Matching for Deep Packet Inspection Author: Xiaofei Wang, Junchen Jiang, Yi Tang, Bin Liu, and Xiaojun Wang Publisher:

StriD 2 FA: Scalable Regular Expression Matching for Deep Packet Inspection Author: Xiaofei Wang, Junchen Jiang, Yi Tang, Bin Liu, and Xiaojun Wang Publisher:
Regular Expression Matching for Reconfigurable Packet Inspection Authors: Jo˜ao Bispo, Ioannis Sourdis, Jo˜ao M.P. Cardoso and Stamatis Vassiliadis Publisher:

Regular Expression Matching for Reconfigurable Packet Inspection Authors: Jo˜ao Bispo, Ioannis Sourdis, Jo˜ao M.P. Cardoso and Stamatis Vassiliadis Publisher:
Research on TCAM-based OpenFlow Switch Author: Fei Long, Zhigang Sun, Ziwen Zhang, Hui Chen, Longgen Liao Conference: 2012 International Conference on.

Research on TCAM-based OpenFlow Switch Author: Fei Long, Zhigang Sun, Ziwen Zhang, Hui Chen, Longgen Liao Conference: 2012 International Conference on.
2017/4/26 Rethinking Packet Classification for Global Network View of Software-Defined Networking Author: Takeru Inoue, Toru Mano, Kimihiro Mizutani, Shin-ichi.

2017/4/26 Rethinking Packet Classification for Global Network View of Software-Defined Networking Author: Takeru Inoue, Toru Mano, Kimihiro Mizutani, Shin-ichi.
Memory-Efficient and Scalable Virtual Routers Using FPGA Department of Computer Science and Information Engineering, National Cheng Kung University, Tainan,

Memory-Efficient and Scalable Virtual Routers Using FPGA Department of Computer Science and Information Engineering, National Cheng Kung University, Tainan,
Early Detection of DDoS Attacks against SDN Controllers

Early Detection of DDoS Attacks against SDN Controllers
Shadow MACs: Scalable Label- switching for Commodity Ethernet Author: Kanak Agarwal, John Carter, Eric Rozner and Colin Dixon Publisher: HotSDN 2014 Presenter:

Shadow MACs: Scalable Label- switching for Commodity Ethernet Author: Kanak Agarwal, John Carter, Eric Rozner and Colin Dixon Publisher: HotSDN 2014 Presenter:
Updating Designed for Fast IP Lookup Author : Natasa Maksic, Zoran Chicha and Aleksandra Smiljani´c Conference: IEEE High Performance Switching and Routing.

Updating Designed for Fast IP Lookup Author : Natasa Maksic, Zoran Chicha and Aleksandra Smiljani´c Conference: IEEE High Performance Switching and Routing.
TFA: A Tunable Finite Automaton for Regular Expression Matching Author: Yang Xu, Junchen Jiang, Rihua Wei, Yang Song and H. Jonathan Chao Publisher: ACM/IEEE.

TFA: A Tunable Finite Automaton for Regular Expression Matching Author: Yang Xu, Junchen Jiang, Rihua Wei, Yang Song and H. Jonathan Chao Publisher: ACM/IEEE.
Binary-tree-based high speed packet classification system on FPGA Author: Jingjiao Li*, Yong Chen*, Cholman HO**, Zhenlin Lu* Publisher: 2013 ICOIN Presenter:

Binary-tree-based high speed packet classification system on FPGA Author: Jingjiao Li*, Yong Chen*, Cholman HO**, Zhenlin Lu* Publisher: 2013 ICOIN Presenter:
A Fast Regular Expression Matching Engine for NIDS Applying Prediction Scheme Author: Lei Jiang, Qiong Dai, Qiu Tang, Jianlong Tan and Binxing Fang Publisher:

A Fast Regular Expression Matching Engine for NIDS Applying Prediction Scheme Author: Lei Jiang, Qiong Dai, Qiu Tang, Jianlong Tan and Binxing Fang Publisher:
Lightweight Traffic-Aware Packet Classification for Continuous Operation Author: Shariful Hasan Shaikot, Min Sik Kim Presenter: Yen-Chun Tseng Date: 2014/11/26.

Lightweight Traffic-Aware Packet Classification for Continuous Operation Author: Shariful Hasan Shaikot, Min Sik Kim Presenter: Yen-Chun Tseng Date: 2014/11/26.
Range Enhanced Packet Classification Design on FPGA Author: Yeim-Kuan Chang, Chun-sheng Hsueh Publisher: IEEE Transactions on Emerging Topics in Computing.

Range Enhanced Packet Classification Design on FPGA Author: Yeim-Kuan Chang, Chun-sheng Hsueh Publisher: IEEE Transactions on Emerging Topics in Computing.
PC-TRIO: A Power Efficient TACM Architecture for Packet Classifiers Author: Tania Banerjee, Sartaj Sahni, Gunasekaran Seetharaman Publisher: IEEE Computer.

PC-TRIO: A Power Efficient TACM Architecture for Packet Classifiers Author: Tania Banerjee, Sartaj Sahni, Gunasekaran Seetharaman Publisher: IEEE Computer.
Lossy Compression of Packet Classifiers Author: Ori Rottenstreich, J’anos Tapolcai Publisher: 2015 IEEE International Conference on Communications Presenter:

Lossy Compression of Packet Classifiers Author: Ori Rottenstreich, J’anos Tapolcai Publisher: 2015 IEEE International Conference on Communications Presenter:

Similar presentations

Ads by Google