reasoning about software defined networks
DESCRIPTION
Reasoning about Software Defined Networks. Mooly Sagiv [email protected] 03-640-7606 Tel Aviv University Thursday 16-18 (Physics 105) Monday 14-16 Schrieber 317 Adviser: Michael Shapira Hebrew University. http://www.cs.tau.ac.il/~msagiv/courses/rsdn.html. Content. Challenges in SDNs - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Reasoning about Software Defined Networks](https://reader035.vdocuments.net/reader035/viewer/2022062323/56816331550346895dd3b57e/html5/thumbnails/1.jpg)
Reasoning about Software Defined Networks
Mooly [email protected]
Tel Aviv UniversityThursday 16-18 (Physics 105)Monday 14-16 Schrieber 317Adviser: Michael Shapira
Hebrew University
http://www.cs.tau.ac.il/~msagiv/courses/rsdn.html
![Page 2: Reasoning about Software Defined Networks](https://reader035.vdocuments.net/reader035/viewer/2022062323/56816331550346895dd3b57e/html5/thumbnails/2.jpg)
Content
• Challenges in SDNs• Programming Language Abstractions• Programming Language Principles• Program Language Tools • Other useful tools
Beyond SDNs
![Page 3: Reasoning about Software Defined Networks](https://reader035.vdocuments.net/reader035/viewer/2022062323/56816331550346895dd3b57e/html5/thumbnails/3.jpg)
Challenges in SDN
• Programming complexity• Modularity• Composing operations• Handling Updates• Reliability• Performance• Testing• Productivity• Non-expert programmers
![Page 4: Reasoning about Software Defined Networks](https://reader035.vdocuments.net/reader035/viewer/2022062323/56816331550346895dd3b57e/html5/thumbnails/4.jpg)
How hard is it to program networks
• Routers with 20+ million lines of code• Cascading failures, vulnerabilities, etc• Low level programming• No abstractions– Virtual memory– Operating Systems– Resource Allocations– Libraries– Types
![Page 5: Reasoning about Software Defined Networks](https://reader035.vdocuments.net/reader035/viewer/2022062323/56816331550346895dd3b57e/html5/thumbnails/5.jpg)
Modularity: Simple Repeater
def repeater(switch): # Repeat Port 1 to Port 2 pat1 = {in_port:1} act1 = [forward(2)] install(switch, pat1, DEFAULT, act1) # Repeat Port 2 to Port 1 pat2 = {in_port:2} act2 = [forward(1)] install(switch, pat2, DEFAULT, act2)
Simple Repeater
1 2
Controller
When a switch joins the network, install two forwarding rules.
![Page 6: Reasoning about Software Defined Networks](https://reader035.vdocuments.net/reader035/viewer/2022062323/56816331550346895dd3b57e/html5/thumbnails/6.jpg)
Composition: Web Traffic Monitor
def web_monitor(switch)): # Web traffic from Internet pat = {inport:2,tp_src:80} install(switch, pat, DEFAULT, []) query_stats(switch, pat) def stats_in(switch, pat, bytes, …) print bytes sleep(30) query_stats(switch, pat)
Monitor Web (“port 80”) traffic
1 2
Web traffic
When a switch joins the network, install one monitoring rule.
![Page 7: Reasoning about Software Defined Networks](https://reader035.vdocuments.net/reader035/viewer/2022062323/56816331550346895dd3b57e/html5/thumbnails/7.jpg)
Composition: Repeater + Monitor
def switch_join(switch): pat1 = {inport:1} pat2 = {inport:2} pat2web = {in_port:2, tp_src:80} install(switch, pat1, DEFAULT, None, [forward(2)]) install(switch, pat2web, HIGH, None, [forward(1)]) install(switch, pat2, DEFAULT, None, [forward(1)]) query_stats(switch, pat2web)
def stats_in(switch, xid, pattern, packets, bytes): print bytes sleep(30) query_stats(switch, pattern)
Repeater + Monitor
Must think about both tasks at the same time.
![Page 8: Reasoning about Software Defined Networks](https://reader035.vdocuments.net/reader035/viewer/2022062323/56816331550346895dd3b57e/html5/thumbnails/8.jpg)
Concurrency: Switch-Controller Delays
• Common programming idiom– First packet goes to the controller– Controller installs rules
8
packets
![Page 9: Reasoning about Software Defined Networks](https://reader035.vdocuments.net/reader035/viewer/2022062323/56816331550346895dd3b57e/html5/thumbnails/9.jpg)
Concurrency: Switch-Controller Delays
• More packets arrive before rules installed?– Multiple packets reach the controller
packets
![Page 10: Reasoning about Software Defined Networks](https://reader035.vdocuments.net/reader035/viewer/2022062323/56816331550346895dd3b57e/html5/thumbnails/10.jpg)
Concurrency: Switch-Controller Delays
• Rules along a path installed out of order?– Packets reach a switch before the rules do
Must think about all possible packet and event orderings.
packets
![Page 11: Reasoning about Software Defined Networks](https://reader035.vdocuments.net/reader035/viewer/2022062323/56816331550346895dd3b57e/html5/thumbnails/11.jpg)
Debugging is hard[Kazemian’NSDI’13]
• Distributed switch tables• Varied delays• Cascading effects on switch tables• Multiple protocols• Human interaction• …
![Page 12: Reasoning about Software Defined Networks](https://reader035.vdocuments.net/reader035/viewer/2022062323/56816331550346895dd3b57e/html5/thumbnails/12.jpg)
SDN Performance
• Given an SDN controller code
• Estimate the cost of routing per packet– Length of the path– Weight of the path– Number of controller interventions
![Page 13: Reasoning about Software Defined Networks](https://reader035.vdocuments.net/reader035/viewer/2022062323/56816331550346895dd3b57e/html5/thumbnails/13.jpg)
Programming Language Abstractions
• Hide the implementation• Interpreter/Compiler guarantees performance• Benefits– Portability– Ease of use– Reliability– Compositionality– Productivity
![Page 14: Reasoning about Software Defined Networks](https://reader035.vdocuments.net/reader035/viewer/2022062323/56816331550346895dd3b57e/html5/thumbnails/14.jpg)
Language Abstractions• Procedures• Abstract data types• Objects• Resources
– Memory management– Garbage collection
• Control abstractions– Exceptions– Iterators– Tree Pattern Matching– Higher order functions– Continuation– Lazy evaluation– Monads
• Libraries• Domain specific languages• Declarative programming
![Page 15: Reasoning about Software Defined Networks](https://reader035.vdocuments.net/reader035/viewer/2022062323/56816331550346895dd3b57e/html5/thumbnails/15.jpg)
Programming Language Principles
• Rigorously define the meaning of programs• Supports abstraction• Prove compiler correctness• Prove that two SDN programs are
observationally equivalent– The same packet transmissions
![Page 16: Reasoning about Software Defined Networks](https://reader035.vdocuments.net/reader035/viewer/2022062323/56816331550346895dd3b57e/html5/thumbnails/16.jpg)
A Simple Example• Numeric Expressions
– <exp> ::= <exp> + <exp> | < exp> * <exp> | number• The semantic of expressions is a number
E: <exp> int• Inductively defined
– En = n– Ee1 + e2 = Ee1 + Ee2– Ee1 * e2 = Ee1 * Ee2
• Compositional• Fully abstract• e1 e2 iff Ee1 = Ee2• 5 + 6 7 + 3 + 1
![Page 17: Reasoning about Software Defined Networks](https://reader035.vdocuments.net/reader035/viewer/2022062323/56816331550346895dd3b57e/html5/thumbnails/17.jpg)
A Simple Example + Var• Numeric Expressions
– <exp> ::= <exp> + <exp> | <exp> * <exp> | number | id• Need to introduce states
Var Int• Examples
– [x 2, y 3] x = – [x 2, y 3] z = 2– [x 2, y 3][z 5] = [x 2, y 3,z 5] – [x 2, y 3][x 5] = [x 5, y 3]– [x 2, y 3][x 5]x = 5– [x 2, y 3][x 5]y = 2
![Page 18: Reasoning about Software Defined Networks](https://reader035.vdocuments.net/reader035/viewer/2022062323/56816331550346895dd3b57e/html5/thumbnails/18.jpg)
A Simple Example + Var• Numeric Expressions
– <exp> ::= <exp> + <exp> | <exp> * <exp> | number | id• The semantic of expressions is a function from states to numbers
E: exp (Var Int) Int• Inductively defined
– En = n– Ee1 + e2 = Ee1 + Ee2
– Ee1 * e2 = Ee1 * Ee2– Eid = id– Ex+2[x 5] = Ex [x 5] + E2 [x 5] = [x 5]x + 2 = 5 + 2 =7 – x + x 2 * x
![Page 19: Reasoning about Software Defined Networks](https://reader035.vdocuments.net/reader035/viewer/2022062323/56816331550346895dd3b57e/html5/thumbnails/19.jpg)
Benefits of formal semantics• Can be done for arbitrary languages• Automatically generate interpreters• Rational language design• Formal proofs of language properties
– Observational equivalence– Type safety
• Correctness of tools– Interpreter– Compiler– Static Analyzer– Model Checker
![Page 20: Reasoning about Software Defined Networks](https://reader035.vdocuments.net/reader035/viewer/2022062323/56816331550346895dd3b57e/html5/thumbnails/20.jpg)
A Simple Controller Language
• No packet changes• No priorities• No statistics• Simple updates– Per-flow installation
![Page 21: Reasoning about Software Defined Networks](https://reader035.vdocuments.net/reader035/viewer/2022062323/56816331550346895dd3b57e/html5/thumbnails/21.jpg)
A Simple Controller Language• <controller> ::= <reld>* <evnt>• <reld> ::= rel <rid> (<tid>*) // auxiliary relations• <evnt> ::= packetIn (sid, pid, <pr>) <com>*• <pr> ::= port(int) • <com> ::= send(<pr>)
| install (sid, pid, <pr>, <opr>) // update flow table | id.insert(<pred>*) // update auxiliary relations | if rid(<exp>*) then <com>* else <com>*
| if rid(<exp>*) then <com>* | <com> ; < com>
• <opr> ::= <pr> |none // drop the package • <exp> ::= id | id (exp) | <pr>
![Page 22: Reasoning about Software Defined Networks](https://reader035.vdocuments.net/reader035/viewer/2022062323/56816331550346895dd3b57e/html5/thumbnails/22.jpg)
Learning Switch with 3 ports
rel connected (Sw, Pr, Ho)PacketIn(s, p, port(1)) -> connected.insert (s, port(1), p.src) if connected(s, port(2), p.dst) then { send (s, p, port(2)) install(s, p, port(1), port(2)) } else if connected(s, port(3), p.dst) then { send (port(3)) install(s, p, port(1), port(3)) } else { // flood send (port(2)) send (port(3)) }PacketIn(s, p, port(2)) -> …PacketIn(s, p, port(3)) -> …
![Page 23: Reasoning about Software Defined Networks](https://reader035.vdocuments.net/reader035/viewer/2022062323/56816331550346895dd3b57e/html5/thumbnails/23.jpg)
The semantics of the controller
• What is the meaning of package sent by a given host?– A set of paths
• Example: Learning Switch
a
1
2 3
![Page 24: Reasoning about Software Defined Networks](https://reader035.vdocuments.net/reader035/viewer/2022062323/56816331550346895dd3b57e/html5/thumbnails/24.jpg)
The semantics of the controller
• What is the meaning of package sent by a given host?– A set of paths
• Dynamically changed– Even for fixed topology
• Unbounded length• But can it be defined?
![Page 25: Reasoning about Software Defined Networks](https://reader035.vdocuments.net/reader035/viewer/2022062323/56816331550346895dd3b57e/html5/thumbnails/25.jpg)
The State of a switch
• The switch table is a relation on ports
• FT = Sw P(Pk Pr Pr {none})• Updated by the controller• Actual nodes depend on the topology graph
input port output port
![Page 26: Reasoning about Software Defined Networks](https://reader035.vdocuments.net/reader035/viewer/2022062323/56816331550346895dd3b57e/html5/thumbnails/26.jpg)
The Semantics of Expressions
• <exp> ::= id | id (exp) | <Pr>• Val = Int Pr
{P(Tt1 … Ttk | t1, …, tk are valid types} • Controller State such that : Var Val• E id = id• Eid (e) = Fid (Ee )• Eport(n) = n
![Page 27: Reasoning about Software Defined Networks](https://reader035.vdocuments.net/reader035/viewer/2022062323/56816331550346895dd3b57e/html5/thumbnails/27.jpg)
The Meaning of Commands• <com> ::= send(<pr>)
| install (<pr>, <opr>) | id.insert(<exp>*) | if RID(<exp>*) then <com>* else <com>*
| if RID(<exp>*) then <com>* | <com> ; < com>
• <opr> ::= <pr> |none • C: <com> (Sw Pk Pr) ( FT) ( FT P(Pr
{none}) event input-state output
![Page 28: Reasoning about Software Defined Networks](https://reader035.vdocuments.net/reader035/viewer/2022062323/56816331550346895dd3b57e/html5/thumbnails/28.jpg)
Atomic Commands
• Csend(pr)sw, pk, ip , ft = , ft, {Epr}
• Cinstall(s, p, prin,prout)sw, pk, ip , ft =
, ft {pk, Eprin, Eprout}, • Cr.insert(e) sw, pk, ip , ft = [r r { Ee}], ft,
![Page 29: Reasoning about Software Defined Networks](https://reader035.vdocuments.net/reader035/viewer/2022062323/56816331550346895dd3b57e/html5/thumbnails/29.jpg)
Conditional Commands
• Cif r(e) then c1 else c2 ev , ft =
C c1 ev , ft
C c2 ev , ft
If Ee r
If Ee r
![Page 30: Reasoning about Software Defined Networks](https://reader035.vdocuments.net/reader035/viewer/2022062323/56816331550346895dd3b57e/html5/thumbnails/30.jpg)
Sequential Composition
• Cc1 ; c2 ev , ft = let ’, ft’, prs1 = Cc1 ev , ft
”, ft”, prs2 = Cc2 ev ’, ft’ in
”, ft”, prs1 prs2
![Page 31: Reasoning about Software Defined Networks](https://reader035.vdocuments.net/reader035/viewer/2022062323/56816331550346895dd3b57e/html5/thumbnails/31.jpg)
Semantics of Events• G: <evnt> (Sw Pk Pr) P(( FT) ( FT P(Pr {none}))
• GpacketIn(s, p, i) c sw, pk, ip = Rwhere
, ft R ’, ft’, portsiff
ip = Ei (op : Pr. pk, ip, op ft)
Cc sw, pk, ip [ssw, ppk], ft = ’, ft’, sp
![Page 32: Reasoning about Software Defined Networks](https://reader035.vdocuments.net/reader035/viewer/2022062323/56816331550346895dd3b57e/html5/thumbnails/32.jpg)
System State
• Comprises of:– Single state of the controller– Flow-table for each switch
• FTS = Sw FT
![Page 33: Reasoning about Software Defined Networks](https://reader035.vdocuments.net/reader035/viewer/2022062323/56816331550346895dd3b57e/html5/thumbnails/33.jpg)
Packet Histories
• Packets can influence the routing of other packets
• Histories can be seen as sequences of packet transmissions
• HST= (SW PR PK (PR {none}))*
![Page 34: Reasoning about Software Defined Networks](https://reader035.vdocuments.net/reader035/viewer/2022062323/56816331550346895dd3b57e/html5/thumbnails/34.jpg)
Small-step semantics (Controller)
• ctrl : ( FTS HST) ( FTS HST)
• , fts, h ctrl ’, fts’, h’ iff
sw : Sw, pk : Pk, ip : Pr, sp : P(Pr), ft’ : FT . , fts sw (Gevnt sw, pk, ip) ’, ft’, sp fts’ = fts[sw ft’] h’ = h sw, ip, pk, jj sp or (sp = and j=none)
![Page 35: Reasoning about Software Defined Networks](https://reader035.vdocuments.net/reader035/viewer/2022062323/56816331550346895dd3b57e/html5/thumbnails/35.jpg)
Small-step Semantics (Switch)
• sw : ( FTS HST) ( FTS HST)
• , fts, h sw ’, fts’, h’ iff=’ fts=fts’ sw : Sw, pk : Pk, ip : Pr, op : Pr
{none}.pk, ip, op fts sw h’ = h sw, ip, pk, op
![Page 36: Reasoning about Software Defined Networks](https://reader035.vdocuments.net/reader035/viewer/2022062323/56816331550346895dd3b57e/html5/thumbnails/36.jpg)
Executions
• Combined step semantics:– = ctrl sw
• A sequence of event processing steps has the from– a1 a2 … an
![Page 37: Reasoning about Software Defined Networks](https://reader035.vdocuments.net/reader035/viewer/2022062323/56816331550346895dd3b57e/html5/thumbnails/37.jpg)
Feasible Histories
• Given a topology graph G over V = Ho (Sw Pr)
• A history h is feasible iff for any packet pk Pk,
• any two consecutive entries for p in h:– sw1, ip1, pk, op1 and sw2, ip2, pk, op2
– there exists an edge between sw1, op1 and sw2, ip2
![Page 38: Reasoning about Software Defined Networks](https://reader035.vdocuments.net/reader035/viewer/2022062323/56816331550346895dd3b57e/html5/thumbnails/38.jpg)
In Pkt Out
Example
a
1
2 3
Port in Packet Port out
Port Host
connected =
![Page 39: Reasoning about Software Defined Networks](https://reader035.vdocuments.net/reader035/viewer/2022062323/56816331550346895dd3b57e/html5/thumbnails/39.jpg)
In Pkt Out
Example
a
1
2 3
Port in Packet Port out
2 1
2 3
Port Host
2
connected =
![Page 40: Reasoning about Software Defined Networks](https://reader035.vdocuments.net/reader035/viewer/2022062323/56816331550346895dd3b57e/html5/thumbnails/40.jpg)
In Pkt Out
3 2
Example
a
1
2 3
Port in Packet Port out
2 1
2 3
3 2
Port Host
2
3
connected =
![Page 41: Reasoning about Software Defined Networks](https://reader035.vdocuments.net/reader035/viewer/2022062323/56816331550346895dd3b57e/html5/thumbnails/41.jpg)
In Pkt Out
3 2
Example
a
1
2 3
Port in Packet Port out
2 1
2 3
3 2
3 2
Port Host
2
3
connected =
![Page 42: Reasoning about Software Defined Networks](https://reader035.vdocuments.net/reader035/viewer/2022062323/56816331550346895dd3b57e/html5/thumbnails/42.jpg)
Useful Programming Language Tools
• Interpreter• Compiler• Parser• Type Checker• Static Program Analysis• Verification Tool• Dynamic Program Analysis– Model checker
![Page 43: Reasoning about Software Defined Networks](https://reader035.vdocuments.net/reader035/viewer/2022062323/56816331550346895dd3b57e/html5/thumbnails/43.jpg)
Interesting Network Properties
Property Meaning
Connectivity Every packet eventually reaches its destination
No forwarding loops
No black holes
No dropping
Access control No paths between certain hosts of certain packets