Models and techniques for verification of Software Defined Networks Victor Altukhov Eugene Chemeritsky Vladislav Podymov Vladimir Zakharov Applied Research Center for Computer Networks


Post on 14-Dec-2015



Outline

Introduction

Software Defined Networks SDN

Packet Forwarding Policies PFP

Model

Policy language FO[TC]

Verifying monitor VERMONT

Experiments & Comparison

What is Software Defined Network?

[Figure: a network connecting hosts A and B; legend: Switch, Link, Host, Port]

What is SDN?

Conventional network

[Figure: hosts A and B; each switch is labelled App (Application) and FS (Forwarding state); labels: Topology; Task: How to forward a packet; Packet … Packet]

decentralized control

non-uniformity

SDN

[Figure: hosts A and B; each switch is labelled FS; a Controller with an Application sits in the Control plane, the switches in the Data plane, with OpenFlow between them; labels: Upd, "Ok, I can do it", "Don’t know what to do"]

centralized control

uniformity
What is Packet Forwarding Policy?

REQUIREMENTS imposed on a NETWORK to guarantee that its behavior is SAFE, CORRECT, SECURE

What is PFP?

[Figure: a network connecting hosts A and B]

Example: Reachability

Packets from the host A will eventually reach the host B

Example: No topological loops

Packets do not traverse the same switch twice

Example: Short routes only

All hosts are reached in at most 3 hops

What is PFP?

Why?

Hardware errors

Software (application) errors

We want to check if PFPs hold in a real SDN

and consider PFPs that are STATIC w.r.t. the TIMELINE

How to check PFPs?

NETWORK: Network model M

POLICIES: Formal specification P

Model checking: M ⊧ P

Fast! ~ 10μs

Packet state

[Figure: a path from host A to host B with headers h1, h2, h3, h4 and packet states (Switch #1, Port #1, Header #h1), (Switch #2, Port #1, Header #h2), (Switch #4, Port #1, Header #h3), (Switch #4, Port #3, Header #h4)]

A packet state is a triple: Switch #w, Port #p, Header #h

[Figure: the triple Switch #w, Port #p, Header #h written as bit fields 0 … 1, 1 … 1, 0 … 0 of sizes size w, size p, size h]

S is the set of all packet states

Raw model

is an explicit description of key SDN components such as:

rule

[Figure: a rule, with labels (p, h) and (p1, h1), (p2, h2), …, (pk, hk)]

table

[Figure: a table made of rule, rule, rule, rule and default, with labels (p, h) and (p1, h1), (p2, h2), …, (pk, hk)]

Switch

[Figure: a Switch made of table … table, with labels (p, h) and (p1, h1), (p2, h2), …, (pk, hk)]

Relational model

In (x) ⊆ S – BDD

Out (x) ⊆ S – BDD

Step (x, y) ⊆ S × S – BDD

PFP Specification Language: syntax

Atoms: In (x), Out (x), Step (x, y)

First order logic constructors: ⋁ & ⌝ ∃ ∀

State equalities:

x = y, x = const

x.w = y.w, x.w = const

x.p = y.p, x.p = const

x.h = y.h, x.h = const

Closure constructors:

F (x, y)+ – transitive closure

F (x, y)[i1, i2] – bounded transitive closure

PFP SL: semantics

Given a relational model (Step, In, Out, …), a PFP SL formula F(x1, …, xn) defines a relation RF ⊆ S × … × S (n times)

How?

In (x), Out (x), Step (x, y), … = … – Obvious

F1(…) ⋁ F2(…) – Union

F1(…) & F2(…) – Intersection

⌝ F (…) – Complement

∀x F (…) – Universal projection

∃x F (…) – Existential projection

F (x, y)+ – Transitive closure

F (x, y)[i1, i2] – Bounded transitive closure

PFP SL: examples

In (x)

Step (y, z)+

y.w = z.w

No topological loops

A(x) B (y)Reachability

In (x) Out (y)Short routes only

∀x & Step (x, y)*

⌝ ∃x,y,z & Step (x, y)* &

&

⌝ ∃x,y &

Step (x, y)+

&

& Step (x, y)[1, 3]

∃y
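
The semantics and the three example policies above, evaluated over explicit Python sets instead of BDDs (an added example, not code from VERMONT or from the slides). The five-state sample network, the relations GOOD, LONG and LOOP, and the exact encoding chosen for each policy are assumptions made for illustration.

```python
from itertools import product

# Constructed sample (not from the slides): packet states are
# (switch w, port p, header h) triples, one state per switch for brevity.
s1, s2, s3, s4, s5 = [(w, 1, "h") for w in range(1, 6)]
S = {s1, s2, s3, s4, s5}
IN, OUT = {s1}, {s5}
GOOD = {(s1, s2), (s2, s5), (s1, s3), (s3, s5)}   # two 2-hop routes
LONG = {(s1, s2), (s2, s3), (s3, s4), (s4, s5)}   # one 4-hop route
LOOP = {(s1, s2), (s2, s3), (s3, s2)}             # s2 <-> s3 forwarding loop

def compose(r1, r2):
    """Relational composition: (x, z) whenever r1(x, y) and r2(y, z)."""
    return {(x, z) for (x, y) in r1 for (y2, z) in r2 if y == y2}

def bounded(rel, i1, i2):
    """F(x, y)[i1, i2]: pairs linked by a chain of i1..i2 applications of rel."""
    out, power = set(), {(s, s) for s in S}       # power starts as rel^0
    for i in range(i2 + 1):
        if i >= i1:
            out |= power
        power = compose(power, rel)
    return out

def plus(rel):
    """F(x, y)+ : |S| steps are enough on a finite state set."""
    return bounded(rel, 1, len(S))

def star(rel):
    """Step(x, y)* as written on the examples slide (zero or more steps)."""
    return bounded(rel, 0, len(S))

def reachability(step):
    """Every In state reaches some Out state."""
    st = star(step)
    return all(any((x, y) in st for y in OUT) for x in IN)

def no_topological_loops(step):
    """No state reachable from In is followed later by a state on the same switch."""
    st, pl = star(step), plus(step)
    return not any(x in IN and (x, y) in st and (y, z) in pl and y[0] == z[0]
                   for x, y, z in product(S, repeat=3))

def short_routes_only(step, hops=3):
    """Every connected (In, Out) pair is also connected within `hops` steps."""
    pl, near = plus(step), bounded(step, 1, hops)
    return all((x, y) in near for x in IN for y in OUT if (x, y) in pl)
```
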

What else?

NETWORK continuously changes

Model should be ADEQUATE at every instant

We should be able to UPDATE Model on-line

The update rate for Model should surpass the update rate for NETWORK (to some extent)

We can do it (not discussed)

How does it work?

Main usage now:

[Figure: Network, Controller, Proxy, Checker, Loader]

We tested it for Stanford University Network

• 16 switches
• Fat Tree topology
• 48 tables
• 757000 forw. rules
• 1500 ACL rules
• >100 VLAN

Tool comparison

Tool               | Build (ms.) | Update (ms.) | Policies                          | OpenFlow concepts
VERMONT (2014)     | 4600        | 100 - 600    | FO[TC] (strict superset of others) | Full
NetPlumber (2013)  | 37000       | 2 - 1000     | CTL                               | Partial
VeriFlow (2013)    | > 4000      | 68-100       | Small fixed set                   | Minimal
AP Verifier (2013) | 1000        | 0.1          | Small fixed set                   | Minimal
FlowChecker (2010) | 1200000     | 350 - 67000  | CTL                               | Full
Anteater (2011)    | 400000      | ???          | Small fixed set                   | No

The End
