NetKAT—A Formal System forthe Verification of Networks

Dexter Kozen

Cornell University

COPLAS/DIKUMarch 13, 2015

NetKAT Collaborators

Carolyn Jane Anderson, Nate Foster, Arjun Guha, Jean-Baptiste Jeannin,Dexter Kozen, Cole Schlesinger, and David Walker, NetKAT: SemanticFoundations for Networks. POPL 14.

Nate Foster, Dexter Kozen, Matthew Milano, Alexandra Silva, and LaureThompson, A Coalgebraic Decision Procedure for NetKAT. POPL 15.

Networking

“The last bastion of mainframe computing” [Hamilton 2009]

I Modern computersI implemented with commodity hardwareI programmed using general-purpose languages, standard interfaces

I NetworksI built and programmed the same way since the 1970sI low-level, special-purpose devices implemented on custom hardwareI routers and switches that do little besides maintaining routing tables

and forwarding packetsI configured locally using proprietary interfacesI network configuration (“tuning”) largely a black art

Networking

Ill-suited to modern data centers and cloud-based applications

I Difficult to implement end-to-end routing policies and optimizationsthat require a global perspective

I Difficult to extend with new functionality

I Effectively impossible to reason precisely about behavior

Software Defined Networks (SDN)

Main idea behind SDN

A general-purpose controller manages a collection of programmableswitches

I controller can monitor and respond to network eventsI new connections from hostsI topology changesI shifts in traffic load

I controller can reprogram the switches on the flyI adjust routing tablesI change packet filtering policies

Software Defined Networks (SDN)

Controller has a global view of the network

Enables a wide variety of applications:

I standard applicationsI shortest-path routingI traffic monitoringI access control

I more sophisticated applicationsI load balancingI intrusion detectionI fault tolerance

Software Defined Networks (SDN)

“ In the SDN architecture, the control and data planes aredecoupled, network intelligence and state are logicallycentralized, and the underlying network infrastructureis abstracted from the applications. As a result, en-terprises and carriers gain unprecedented programma-bility, automation, and network control, enabling themto build highly scalable, flexible networks that readily

adapt to changing business needs.”

—Open Networking Foundation, Software-Defined Networking: The NewNorm for Networks, 2012

OpenFlow

A first step: the OpenFlow API [McKeown & al., SIGCOMM 08]

I specifies capabilities and behavior of switch hardware

I a language for manipulating network configurations

I very low-level: easy for hardware to implement, difficult for humansto write and reason about

But. . .

I is platform independent

I provides an open standard that any vendor can implement

Network Programming Languages & Analysis Tools

I Formally Verifiable Networking [Wang & al., HotNets 09]

I FlowChecker [Al-Shaer & Saeed Al-Haj, SafeConfig 10]

I Anteater [Mai & al., SIGCOMM 11]

I Nettle [Voellmy & Hudak, PADL 11]

I Header Space Analysis [Kazemian & al., NSDI 12]

I Frenetic [Foster & al., ICFP 11] [Reitblatt & al., SIGCOMM 12]

I NetCore [Guha & al., PLDI 13] [Monsanto & al., POPL 12]

I Pyretic [Monsanto & al., NSDI 13]

I VeriFlow [Khurshid & al., NSDI 13]

I Participatory networking [Ferguson & al., SIGCOMM 13]

I Maple [Voellmy & al., SIGCOMM 13]

Goals:

I raise the level of abstraction above hardware-based APIs (OpenFlow)

I make it easier to build sophisticated and reliable SDN applicationsand reason about them

Network Programming Languages & Analysis Tools

• Formally Verifiable Networking [Wang & al., HotNets 09]

• FlowChecker [Al-Shaer & Saeed Al-Haj, SafeConfig 10]

• Anteater [Mai & al., SIGCOMM 11]

• Nettle [Voellmy & Hudak, PADL 11]

• Header Space Analysis [Kazemian & al., NSDI 12]

I Frenetic [Foster & al., ICFP 11] [Reitblatt & al., SIGCOMM 12]

I NetCore [Guha & al., PLDI 13] [Monsanto & al., POPL 12]

• Pyretic [Monsanto & al., NSDI 13]

• VeriFlow [Khurshid & al., NSDI 13]

• Participatory networking [Ferguson & al., SIGCOMM 13]

• Maple [Voellmy & al., SIGCOMM 13]

Goals:

• raise the level of abstraction above hardware-based APIs (OpenFlow)

• make it easier to build sophisticated and reliable SDN applicationsand reason about them

NetKAT [Anderson & al. 14]

NetKAT=

Kleene algebra with tests (KAT)+

additional specialized constructs particular tonetwork topology and packet switching

Kleene Algebra (KA)

Stephen Cole Kleene(1909–1994)

(0 + 1(01∗0)∗1)∗

{multiples of 3 in binary}1

0

1

0

0

1

(ab)∗a = a(ba)∗

{a, aba, ababa, . . .}a

b

(a + b)∗ = a∗(ba∗)∗

{all strings over {a, b}}a + b

Foundations of the Algebraic Theory

John Horton Conway(1937–)

J. H. Conway. Regular Algebraand Finite Machines. Chapmanand Hall, London, 1971.

Axioms of KA

Idempotent Semiring Axioms

p + (q + r) = (p + q) + r p(qr) = (pq)r

p + q = q + p 1p = p1 = p

p + 0 = p p0 = 0p = 0

p + p = p

p(q + r) = pq + pr a ≤ b4⇐⇒ a + b = b

(p + q)r = pr + qr

Axioms for ∗

1 + pp∗ ≤ p∗ q + px ≤ x ⇒ p∗q ≤ x

1 + p∗p ≤ p∗ q + xp ≤ x ⇒ qp∗ ≤ x

Standard Model

Regular sets of strings over Σ

A + B = A ∪ B

AB = {xy | x ∈ A, y ∈ B}A∗ =

⋃n≥0

An = A0 ∪ A1 ∪ A2 ∪ · · ·

1 = {ε}0 = ∅

This is the free KA on generators Σ

Relational Models

Binary relations on a set X

For R,S ⊆ X × X ,

R + S = R ∪ S

RS = R ◦ S = {(u, v) | ∃w (u,w) ∈ R, (w , v) ∈ S}R∗ = reflexive transitive closure of R

=⋃n≥0

Rn = R0 ∪ R1 ∪ R2 ∪ · · ·

1 = identity relation = {(u, u) | u ∈ X}0 = ∅

KA is complete for the equational theory of relational models

Other Models

I Trace models used in semantics

I (min, +) algebra used in shortest path algorithms

I (max, +) algebra used in coding

I Convex sets used in computational geometry (Iwano & Steiglitz 90)

Matrices over a KA form a KA

[a bc d

]+

[e fg h

]=

[a + e b + fc + g d + h

][

a bc d

]·[

e fg h

]=

[ae + bg af + bhce + dg cf + dh

]0 =

[0 00 0

]1 =

[1 00 1

][

a bc d

]∗=

[(a + bd∗c)∗ (a + bd∗c)∗bd∗

(d + ca∗b)∗ca∗ (d + ca∗b)∗

]b

a

cd

Systems of Affine Linear Inequalities

Theorem

Any system of n linear inequalities in n unknowns has a unique least solution

q1 + p11x1 + p12x2 + · · · p1nxn ≤ x1

...

qn + pn1x1 + pn2x2 + · · · pnnxn ≤ xn

≤+ P = pij

x1x2...

xn

x1x2...

xn

q1q2

...

qn

Least solution is P∗q

Kleene Algebra with Tests (KAT)

(K ,B,+, ·,∗ , , 0, 1), B ⊆ K

I (K ,+, ·,∗ , 0, 1) is a Kleene algebra

I (B,+, ·, , 0, 1) is a Boolean algebra

I (B,+, ·, 0, 1) is a subalgebra of (K ,+, ·, 0, 1)

I p, q, r , . . . range over K

I a, b, c , . . . range over B

Kleene Algebra with Tests (KAT)

+, ·, 0, 1 serve double duty

I applied to actions, denote choice, composition, fail, and skip, resp.

I applied to tests, denote disjunction, conjunction, falsity, and truth,resp.

I these usages do not conflict!

bc = b ∧ c b + c = b ∨ c

Modeling While Programs

p; q4= pq

if b then p else q4= bp + bq

while b do p4= (bp)∗b

KAT Subsumes Hoare Logic

{b} p {c} 4⇐⇒ bp ≤ pc

⇐⇒ bp = bpc

⇐⇒ bpc = 0

The Hoare while rule

{bc} p {c}{c}while b do p {bc}

becomes the universal Horn sentence

bcpc = 0 ⇒ c(bp)∗b bc = 0

KAT Results

Deductive Completeness and ComplexityI deductively complete over language, relational, and trace models

I subsumes propositional Hoare logic (PHL)

I deductively complete for all relationally valid Hoare-style rules

{b1} p1 {c1}, . . . , {bn} pn {cn}{b} p {c}

I decidable in PSPACE

ApplicationsI protocol verification

I static analysis and abstract interpretation

I verification of compiler optimizations

Models of KAT

I Language-theoretic modelsI K = sets of guarded strings over Σ,TI B = free Boolean algebra generated by T

I Relational modelsI K = binary relations on a set XI B = subsets of the identity relation

I Trace modelsI K = sets of traces s0p0s1p1s2 · · · sn−1pn−1snI B = traces of length 0

I n × n matrices over K ,B

NetKAT

NetKAT

I a packet π is an assignment of constant values n to fields x

I a packet history is a nonempty sequence of packetsπ1 :: π2 :: · · · :: πk

I the head packet is π1

NetKAT

I assignments x ← nassign constant value n to field x in the head packet

I tests x = nif value of field x in the head packet is n, then pass, else drop

I dupduplicate the head packet

NetKAT

Example

sw = 6 ; pt = 88 ; dest ← 10.0.0.1 ; pt ← 50

“For all packets incoming on port 88 of switch 6, set the destination IPaddress to 10.0.0.1 and send the packet out on port 50.”

NetKAT Axioms

x ← n ; y ← m ≡ y ← m ; x ← n (x 6= y)assignments to distinct fields may be done in either order

x ← n ; y = m ≡ y = m ; x ← n (x 6= y)an assignment to a field does not affect a different field

x = n ; dup ≡ dup ; x = nfield values are preserved in a duplicated packet

x ← n ≡ x ← n ; x = nan assignment causes the field to have that value

x = n ; x ← n ≡ x = nan assignment of a value that the field already has is redundant

x ← n ; x ← m ≡ x ← ma second assignment to the same field overrides the first

x = n ; x = m ≡ 0 (n 6= m) (∑

n x = n) ≡ 1every field has exactly one value

Standard Model

Standard model of NetKAT is a packet-forwarding model

JeK : H → 2H

where H = {packet histories}

Jx ← nK(π1 :: σ)4= {π1[n/x ] :: σ}

Jx = nK(π1 :: σ)4=

{{π1 :: σ} if π1(x) = n

∅ if π1(x) 6= n

JdupK(π1 :: σ)4= {π1 :: π1 :: σ}

Standard Model

Jp + qK(σ)4= JpK(σ) ∪ JqK(σ)

Jp ; qK(σ)4=

⋃τ∈JpK(σ)

JqK(τ)

Jp∗K(σ)4=⋃n

JpnK(σ)

J1K(σ)4= JpassK(σ) = {σ}

J0K(σ)4= JdropK(σ) = ∅

Examples

ReachabilityI Can host A communicate with host B? Can every host

communicate with every other host?

SecurityI Does all untrusted traffic pass through the intrusion detection

system located at C ?

Loop detectionI Is it possible for a packet to be forwarded around a cycle in the

network?

Encoding Network Topology

Modeling Links

sw = A ; pt = n ; sw ← B ; pt ← m

A Bn m

I filters out all packets not located at the source end of the link

I updates switch and port fields to the location of the target end

I this captures the effect of sending the packet across the link

I network topology is expressed as a sum of link expressions

Switch Policies

Switch behavior for switch A is specified by a NetKAT term

sw = A ; pA

where pA specifies what to do with packets entering switch A

pApA

A

Example

pt = n ; dest = a ; dest ← b ; (pt ← m + pt ← k)

Incoming packets on port n with destination a ⇒ modify destination to band send out on ports m and k

Switch policy pA is the sum of all such behaviors for A

Putting It Together

Let

I t = sum of all link expressions

I p = sum of all switch policies

Then

I pt = one step of the network

I each switch processes its packets, then sends them along links to thenext switch

I cross terms vanish! (x ← n; x = m ≡ 0 for n 6= m)

I (pt)∗ = the multistep behavior of the network in which thesingle-step behavior is iterated

Reachability

To check if any packet can travel from A to B given the topology andthe switch policies, ask whether

sw = A ; t(pt)∗ ; sw = B ≡ 0 (drop).

I prefix sw = A filters out packets not at A

I suffix sw = B filters out packets not at B

It can be shown that the lhs is equivalent to a sum of terms of the form

sw = A ; x1 = n1 ; · · · ; xk = nk ; x1 ← m1 ; · · · ; xk ← mk ; sw = B

each describing conditions under which a packet can travel from A to B

All-Pairs Reachability

To check whether every host in the network can physically communicatewith every other host, use switch policies

sw = A ;∑n

pt = n ;∑m

pt ← m

where

I n ranges over all active input ports of A

I m ranges over all active output ports of A

Let

I q = sum of these policies for all A

I t = encoding of the topology

Then check whether

(qt)∗ ≡∑A

(sw = A ;∑n

pt = n) ;∑B

(sw ← B ;∑m

pt ← m)

Waypointing

A waypoint between A to B is a location F that all packets must traverseenroute from A to B

I modify F ’s switch policy to duplicate the head packet:

sw = F ; pF ⇒ sw = F ; dup ; pF

I this marks traffic through F

I check whether

sw = A ; t(pt)∗ ; sw = B

≤ sw = A ; t(pt)∗ ; sw = F ; dup ; pF ; t(pt)∗ ; sw = B

I true if and only if all packet histories contain a dup generated bytraversing F

Forwarding Loops

A network has a forwarding loop if some packet would endlessly traversea cycle in the network

I frequent source of error

I have caused major outages in LANs and the Internet

I usually handled by a TTL (time-to-live) field

To check for loops, check if a packet can visits the same state twice:

α ; pt(pt)∗ ; α = 0

for each valuation α such that

in ; (pt)∗ ; α

does not vanish.

Other Applications

I traffic isolation

I access control

I correctness of a compiler that maps a NetKAT expression to a set ofindividual flow tables that can be deployed on the switches

Results

Soundness and Completeness [Anderson et al. 14]

I ` p = q if and only if JpK = JqK

Decision Procedure [Foster et al. 15]

I NetKAT coalgebra

I efficient bisimulation-based decision procedure

I implementation in OCaml

I deployed in the Frenetic suite of network management tools

A Language Model

Let e be an expression to be analyzed and let x1, . . . , xk be all fieldsappearing in e.

I A complete assignment is a sequence x1 ← n1; · · · ; xk ← nk

I A complete test is a sequence x1 = n1; · · · ; xk = nk

Facts:

I Every test is (provably) equivalent to a sum of complete tests.

I Every assignment is (provably) equivalent to sum of complete testsand complete assignments.

I The complete tests and complete assignments are in one-to-onecorrespondence (one of each for each tuple (n1, . . . , nk))

A Language Model

Let P = {complete assignments} = {p, q, . . .} andAt = {complete tests} = {α, β, . . .}

Let αp be the complete test corresponding to the complete assignment p

Reduced NetKAT axioms:

α dup = dupα αα = α

pαp = p αβ = 0, α 6= β

αpp = αp

∑α∈At α = 1

qp = p

A Language Model

Regular sets of NetKAT reduced strings

N = At · P · (dup ·P)∗

For A,B ⊆ N ,

A + B = A ∪ B AB = {αxyq | αxp ∈ A, αpyq ∈ B}

A∗ =⋃n≥0

An 1 = {αpp | p ∈ P} 0 = ∅

I p ∈ P interpreted as {αp | α ∈ At}I α ∈ At interpreted as {αpα}I dup interpreted as {αpp dupαp | p ∈ P}

Lemma Every string over P and At is equivalent to a string in N

Completeness

Theorem [Anderson & al. 14]

I RegN , the family of regular subsets of N , forms a NetKAT and isisomorphic to the standard packet-switching model

I This is the free NetKAT on generators P and At

I The following are equivalent:

I NetKAT ` e1 = e2

I Je1K = Je2KI RegN � e1 = e2

NetKAT Automata [Foster & al. 14]

A NetKAT automaton is a tuple (S , ε, δ) where

ε : S → 2At×At δ : S → SAt×At

Acceptance of strings in N = At · P · (dup · P)∗ defined by

I Accept(s, αpβ dup x)4= Accept(δαβ(s), βx)

I Accept(s, αpβ)4= εαβ(s)

Kleene’s Theorem for NetKAT [Foster & al. 14]

Theorem1. Let M be a finite NetKAT automaton. The set of strings in N

accepted by M is L(e) for some NetKAT expression e.

2. For every NetKAT expression e, there is a deterministic NetKATautomaton M with at most |At| · 2` states accepting L(e), where ` isthe number of occurrences of dup in e.

A Bisimulation-Based Algorithm

To check e1 = e2, convert to automata, check bisimilarity

I exploits a sparse matrix representation

I Hopcroft-Tarjan union-find data structure to represent bisimilarityclasses

I BDDs to represent tests (new — based on Pous, POPL 15)

I algorithm is competitive with state of the art

A Bisimulation-Based Algorithm

0

5

10

15

20

25

30

All-Pairs Connectivity Loop Freedom Translation Validation

Tim

e to

sol

ve (

s)

Conclusion

I Programming languages have a key role to play in emergingplatforms for managing software-defined networks

I NetKAT is a high-level language for programming and reasoningabout network behavior in the SDN paradigm

I based on sound mathematical principlesI formal denotational semantics, complete deductive systemI efficient bisimulation-based decision procedureI lots of applications and abstractions: reachability, noninterference,

cycle detection, fault tolerance, load balancing, QoS, virtualnetworks. . .

I Future work:I further optimizations to reduce state spaceI probabilistic semanticsI generating proof artifacts

For papers and code, please visit:http://frenetic-lang.org/

Thanks!