Upload
others
View
2
Download
0
Embed Size (px)
Citation preview
NetKAT—A Formal System forthe Verification of Networks
Dexter Kozen
Cornell University
COPLAS/DIKUMarch 13, 2015
NetKAT Collaborators
Carolyn Jane Anderson, Nate Foster, Arjun Guha, Jean-Baptiste Jeannin,Dexter Kozen, Cole Schlesinger, and David Walker, NetKAT: SemanticFoundations for Networks. POPL 14.
Nate Foster, Dexter Kozen, Matthew Milano, Alexandra Silva, and LaureThompson, A Coalgebraic Decision Procedure for NetKAT. POPL 15.
Networking
“The last bastion of mainframe computing” [Hamilton 2009]
I Modern computersI implemented with commodity hardwareI programmed using general-purpose languages, standard interfaces
I NetworksI built and programmed the same way since the 1970sI low-level, special-purpose devices implemented on custom hardwareI routers and switches that do little besides maintaining routing tables
and forwarding packetsI configured locally using proprietary interfacesI network configuration (“tuning”) largely a black art
Networking
Ill-suited to modern data centers and cloud-based applications
I Difficult to implement end-to-end routing policies and optimizationsthat require a global perspective
I Difficult to extend with new functionality
I Effectively impossible to reason precisely about behavior
Software Defined Networks (SDN)
Main idea behind SDN
A general-purpose controller manages a collection of programmableswitches
I controller can monitor and respond to network eventsI new connections from hostsI topology changesI shifts in traffic load
I controller can reprogram the switches on the flyI adjust routing tablesI change packet filtering policies
Software Defined Networks (SDN)
Controller has a global view of the network
Enables a wide variety of applications:
I standard applicationsI shortest-path routingI traffic monitoringI access control
I more sophisticated applicationsI load balancingI intrusion detectionI fault tolerance
Software Defined Networks (SDN)
“ In the SDN architecture, the control and data planes aredecoupled, network intelligence and state are logicallycentralized, and the underlying network infrastructureis abstracted from the applications. As a result, en-terprises and carriers gain unprecedented programma-bility, automation, and network control, enabling themto build highly scalable, flexible networks that readily
adapt to changing business needs.”
—Open Networking Foundation, Software-Defined Networking: The NewNorm for Networks, 2012
OpenFlow
A first step: the OpenFlow API [McKeown & al., SIGCOMM 08]
I specifies capabilities and behavior of switch hardware
I a language for manipulating network configurations
I very low-level: easy for hardware to implement, difficult for humansto write and reason about
But. . .
I is platform independent
I provides an open standard that any vendor can implement
Network Programming Languages & Analysis Tools
I Formally Verifiable Networking [Wang & al., HotNets 09]
I FlowChecker [Al-Shaer & Saeed Al-Haj, SafeConfig 10]
I Anteater [Mai & al., SIGCOMM 11]
I Nettle [Voellmy & Hudak, PADL 11]
I Header Space Analysis [Kazemian & al., NSDI 12]
I Frenetic [Foster & al., ICFP 11] [Reitblatt & al., SIGCOMM 12]
I NetCore [Guha & al., PLDI 13] [Monsanto & al., POPL 12]
I Pyretic [Monsanto & al., NSDI 13]
I VeriFlow [Khurshid & al., NSDI 13]
I Participatory networking [Ferguson & al., SIGCOMM 13]
I Maple [Voellmy & al., SIGCOMM 13]
Goals:
I raise the level of abstraction above hardware-based APIs (OpenFlow)
I make it easier to build sophisticated and reliable SDN applicationsand reason about them
Network Programming Languages & Analysis Tools
• Formally Verifiable Networking [Wang & al., HotNets 09]
• FlowChecker [Al-Shaer & Saeed Al-Haj, SafeConfig 10]
• Anteater [Mai & al., SIGCOMM 11]
• Nettle [Voellmy & Hudak, PADL 11]
• Header Space Analysis [Kazemian & al., NSDI 12]
I Frenetic [Foster & al., ICFP 11] [Reitblatt & al., SIGCOMM 12]
I NetCore [Guha & al., PLDI 13] [Monsanto & al., POPL 12]
• Pyretic [Monsanto & al., NSDI 13]
• VeriFlow [Khurshid & al., NSDI 13]
• Participatory networking [Ferguson & al., SIGCOMM 13]
• Maple [Voellmy & al., SIGCOMM 13]
Goals:
• raise the level of abstraction above hardware-based APIs (OpenFlow)
• make it easier to build sophisticated and reliable SDN applicationsand reason about them
NetKAT [Anderson & al. 14]
NetKAT=
Kleene algebra with tests (KAT)+
additional specialized constructs particular tonetwork topology and packet switching
Kleene Algebra (KA)
Stephen Cole Kleene(1909–1994)
(0 + 1(01∗0)∗1)∗
{multiples of 3 in binary}1
0
1
0
0
1
(ab)∗a = a(ba)∗
{a, aba, ababa, . . .}a
b
(a + b)∗ = a∗(ba∗)∗
{all strings over {a, b}}a + b
Foundations of the Algebraic Theory
John Horton Conway(1937–)
J. H. Conway. Regular Algebraand Finite Machines. Chapmanand Hall, London, 1971.
Axioms of KA
Idempotent Semiring Axioms
p + (q + r) = (p + q) + r p(qr) = (pq)r
p + q = q + p 1p = p1 = p
p + 0 = p p0 = 0p = 0
p + p = p
p(q + r) = pq + pr a ≤ b4⇐⇒ a + b = b
(p + q)r = pr + qr
Axioms for ∗
1 + pp∗ ≤ p∗ q + px ≤ x ⇒ p∗q ≤ x
1 + p∗p ≤ p∗ q + xp ≤ x ⇒ qp∗ ≤ x
Standard Model
Regular sets of strings over Σ
A + B = A ∪ B
AB = {xy | x ∈ A, y ∈ B}A∗ =
⋃n≥0
An = A0 ∪ A1 ∪ A2 ∪ · · ·
1 = {ε}0 = ∅
This is the free KA on generators Σ
Relational Models
Binary relations on a set X
For R,S ⊆ X × X ,
R + S = R ∪ S
RS = R ◦ S = {(u, v) | ∃w (u,w) ∈ R, (w , v) ∈ S}R∗ = reflexive transitive closure of R
=⋃n≥0
Rn = R0 ∪ R1 ∪ R2 ∪ · · ·
1 = identity relation = {(u, u) | u ∈ X}0 = ∅
KA is complete for the equational theory of relational models
Other Models
I Trace models used in semantics
I (min, +) algebra used in shortest path algorithms
I (max, +) algebra used in coding
I Convex sets used in computational geometry (Iwano & Steiglitz 90)
Matrices over a KA form a KA
[a bc d
]+
[e fg h
]=
[a + e b + fc + g d + h
][
a bc d
]·[
e fg h
]=
[ae + bg af + bhce + dg cf + dh
]0 =
[0 00 0
]1 =
[1 00 1
][
a bc d
]∗=
[(a + bd∗c)∗ (a + bd∗c)∗bd∗
(d + ca∗b)∗ca∗ (d + ca∗b)∗
]b
a
cd
Systems of Affine Linear Inequalities
Theorem
Any system of n linear inequalities in n unknowns has a unique least solution
q1 + p11x1 + p12x2 + · · · p1nxn ≤ x1
...
qn + pn1x1 + pn2x2 + · · · pnnxn ≤ xn
≤+ P = pij
x1x2...
xn
x1x2...
xn
q1q2
...
qn
Least solution is P∗q
Kleene Algebra with Tests (KAT)
(K ,B,+, ·,∗ , , 0, 1), B ⊆ K
I (K ,+, ·,∗ , 0, 1) is a Kleene algebra
I (B,+, ·, , 0, 1) is a Boolean algebra
I (B,+, ·, 0, 1) is a subalgebra of (K ,+, ·, 0, 1)
I p, q, r , . . . range over K
I a, b, c , . . . range over B
Kleene Algebra with Tests (KAT)
+, ·, 0, 1 serve double duty
I applied to actions, denote choice, composition, fail, and skip, resp.
I applied to tests, denote disjunction, conjunction, falsity, and truth,resp.
I these usages do not conflict!
bc = b ∧ c b + c = b ∨ c
Modeling While Programs
p; q4= pq
if b then p else q4= bp + bq
while b do p4= (bp)∗b
KAT Subsumes Hoare Logic
{b} p {c} 4⇐⇒ bp ≤ pc
⇐⇒ bp = bpc
⇐⇒ bpc = 0
The Hoare while rule
{bc} p {c}{c}while b do p {bc}
becomes the universal Horn sentence
bcpc = 0 ⇒ c(bp)∗b bc = 0
KAT Results
Deductive Completeness and ComplexityI deductively complete over language, relational, and trace models
I subsumes propositional Hoare logic (PHL)
I deductively complete for all relationally valid Hoare-style rules
{b1} p1 {c1}, . . . , {bn} pn {cn}{b} p {c}
I decidable in PSPACE
ApplicationsI protocol verification
I static analysis and abstract interpretation
I verification of compiler optimizations
Models of KAT
I Language-theoretic modelsI K = sets of guarded strings over Σ,TI B = free Boolean algebra generated by T
I Relational modelsI K = binary relations on a set XI B = subsets of the identity relation
I Trace modelsI K = sets of traces s0p0s1p1s2 · · · sn−1pn−1snI B = traces of length 0
I n × n matrices over K ,B
NetKAT
NetKAT
I a packet π is an assignment of constant values n to fields x
I a packet history is a nonempty sequence of packetsπ1 :: π2 :: · · · :: πk
I the head packet is π1
NetKAT
I assignments x ← nassign constant value n to field x in the head packet
I tests x = nif value of field x in the head packet is n, then pass, else drop
I dupduplicate the head packet
NetKAT
Example
sw = 6 ; pt = 88 ; dest ← 10.0.0.1 ; pt ← 50
“For all packets incoming on port 88 of switch 6, set the destination IPaddress to 10.0.0.1 and send the packet out on port 50.”
NetKAT Axioms
x ← n ; y ← m ≡ y ← m ; x ← n (x 6= y)assignments to distinct fields may be done in either order
x ← n ; y = m ≡ y = m ; x ← n (x 6= y)an assignment to a field does not affect a different field
x = n ; dup ≡ dup ; x = nfield values are preserved in a duplicated packet
x ← n ≡ x ← n ; x = nan assignment causes the field to have that value
x = n ; x ← n ≡ x = nan assignment of a value that the field already has is redundant
x ← n ; x ← m ≡ x ← ma second assignment to the same field overrides the first
x = n ; x = m ≡ 0 (n 6= m) (∑
n x = n) ≡ 1every field has exactly one value
Standard Model
Standard model of NetKAT is a packet-forwarding model
JeK : H → 2H
where H = {packet histories}
Jx ← nK(π1 :: σ)4= {π1[n/x ] :: σ}
Jx = nK(π1 :: σ)4=
{{π1 :: σ} if π1(x) = n
∅ if π1(x) 6= n
JdupK(π1 :: σ)4= {π1 :: π1 :: σ}
Standard Model
Jp + qK(σ)4= JpK(σ) ∪ JqK(σ)
Jp ; qK(σ)4=
⋃τ∈JpK(σ)
JqK(τ)
Jp∗K(σ)4=⋃n
JpnK(σ)
J1K(σ)4= JpassK(σ) = {σ}
J0K(σ)4= JdropK(σ) = ∅
Examples
ReachabilityI Can host A communicate with host B? Can every host
communicate with every other host?
SecurityI Does all untrusted traffic pass through the intrusion detection
system located at C ?
Loop detectionI Is it possible for a packet to be forwarded around a cycle in the
network?
Encoding Network Topology
Modeling Links
sw = A ; pt = n ; sw ← B ; pt ← m
A Bn m
I filters out all packets not located at the source end of the link
I updates switch and port fields to the location of the target end
I this captures the effect of sending the packet across the link
I network topology is expressed as a sum of link expressions
Switch Policies
Switch behavior for switch A is specified by a NetKAT term
sw = A ; pA
where pA specifies what to do with packets entering switch A
pApA
A
Example
pt = n ; dest = a ; dest ← b ; (pt ← m + pt ← k)
Incoming packets on port n with destination a ⇒ modify destination to band send out on ports m and k
Switch policy pA is the sum of all such behaviors for A
Putting It Together
Let
I t = sum of all link expressions
I p = sum of all switch policies
Then
I pt = one step of the network
I each switch processes its packets, then sends them along links to thenext switch
I cross terms vanish! (x ← n; x = m ≡ 0 for n 6= m)
I (pt)∗ = the multistep behavior of the network in which thesingle-step behavior is iterated
Reachability
To check if any packet can travel from A to B given the topology andthe switch policies, ask whether
sw = A ; t(pt)∗ ; sw = B ≡ 0 (drop).
I prefix sw = A filters out packets not at A
I suffix sw = B filters out packets not at B
It can be shown that the lhs is equivalent to a sum of terms of the form
sw = A ; x1 = n1 ; · · · ; xk = nk ; x1 ← m1 ; · · · ; xk ← mk ; sw = B
each describing conditions under which a packet can travel from A to B
All-Pairs Reachability
To check whether every host in the network can physically communicatewith every other host, use switch policies
sw = A ;∑n
pt = n ;∑m
pt ← m
where
I n ranges over all active input ports of A
I m ranges over all active output ports of A
Let
I q = sum of these policies for all A
I t = encoding of the topology
Then check whether
(qt)∗ ≡∑A
(sw = A ;∑n
pt = n) ;∑B
(sw ← B ;∑m
pt ← m)
Waypointing
A waypoint between A to B is a location F that all packets must traverseenroute from A to B
I modify F ’s switch policy to duplicate the head packet:
sw = F ; pF ⇒ sw = F ; dup ; pF
I this marks traffic through F
I check whether
sw = A ; t(pt)∗ ; sw = B
≤ sw = A ; t(pt)∗ ; sw = F ; dup ; pF ; t(pt)∗ ; sw = B
I true if and only if all packet histories contain a dup generated bytraversing F
Forwarding Loops
A network has a forwarding loop if some packet would endlessly traversea cycle in the network
I frequent source of error
I have caused major outages in LANs and the Internet
I usually handled by a TTL (time-to-live) field
To check for loops, check if a packet can visits the same state twice:
α ; pt(pt)∗ ; α = 0
for each valuation α such that
in ; (pt)∗ ; α
does not vanish.
Other Applications
I traffic isolation
I access control
I correctness of a compiler that maps a NetKAT expression to a set ofindividual flow tables that can be deployed on the switches
Results
Soundness and Completeness [Anderson et al. 14]
I ` p = q if and only if JpK = JqK
Decision Procedure [Foster et al. 15]
I NetKAT coalgebra
I efficient bisimulation-based decision procedure
I implementation in OCaml
I deployed in the Frenetic suite of network management tools
A Language Model
Let e be an expression to be analyzed and let x1, . . . , xk be all fieldsappearing in e.
I A complete assignment is a sequence x1 ← n1; · · · ; xk ← nk
I A complete test is a sequence x1 = n1; · · · ; xk = nk
Facts:
I Every test is (provably) equivalent to a sum of complete tests.
I Every assignment is (provably) equivalent to sum of complete testsand complete assignments.
I The complete tests and complete assignments are in one-to-onecorrespondence (one of each for each tuple (n1, . . . , nk))
A Language Model
Let P = {complete assignments} = {p, q, . . .} andAt = {complete tests} = {α, β, . . .}
Let αp be the complete test corresponding to the complete assignment p
Reduced NetKAT axioms:
α dup = dupα αα = α
pαp = p αβ = 0, α 6= β
αpp = αp
∑α∈At α = 1
qp = p
A Language Model
Regular sets of NetKAT reduced strings
N = At · P · (dup ·P)∗
For A,B ⊆ N ,
A + B = A ∪ B AB = {αxyq | αxp ∈ A, αpyq ∈ B}
A∗ =⋃n≥0
An 1 = {αpp | p ∈ P} 0 = ∅
I p ∈ P interpreted as {αp | α ∈ At}I α ∈ At interpreted as {αpα}I dup interpreted as {αpp dupαp | p ∈ P}
Lemma Every string over P and At is equivalent to a string in N
Completeness
Theorem [Anderson & al. 14]
I RegN , the family of regular subsets of N , forms a NetKAT and isisomorphic to the standard packet-switching model
I This is the free NetKAT on generators P and At
I The following are equivalent:
I NetKAT ` e1 = e2
I Je1K = Je2KI RegN � e1 = e2
NetKAT Automata [Foster & al. 14]
A NetKAT automaton is a tuple (S , ε, δ) where
ε : S → 2At×At δ : S → SAt×At
Acceptance of strings in N = At · P · (dup · P)∗ defined by
I Accept(s, αpβ dup x)4= Accept(δαβ(s), βx)
I Accept(s, αpβ)4= εαβ(s)
Kleene’s Theorem for NetKAT [Foster & al. 14]
Theorem1. Let M be a finite NetKAT automaton. The set of strings in N
accepted by M is L(e) for some NetKAT expression e.
2. For every NetKAT expression e, there is a deterministic NetKATautomaton M with at most |At| · 2` states accepting L(e), where ` isthe number of occurrences of dup in e.
A Bisimulation-Based Algorithm
To check e1 = e2, convert to automata, check bisimilarity
I exploits a sparse matrix representation
I Hopcroft-Tarjan union-find data structure to represent bisimilarityclasses
I BDDs to represent tests (new — based on Pous, POPL 15)
I algorithm is competitive with state of the art
A Bisimulation-Based Algorithm
0
5
10
15
20
25
30
All-Pairs Connectivity Loop Freedom Translation Validation
Tim
e to
sol
ve (
s)
Conclusion
I Programming languages have a key role to play in emergingplatforms for managing software-defined networks
I NetKAT is a high-level language for programming and reasoningabout network behavior in the SDN paradigm
I based on sound mathematical principlesI formal denotational semantics, complete deductive systemI efficient bisimulation-based decision procedureI lots of applications and abstractions: reachability, noninterference,
cycle detection, fault tolerance, load balancing, QoS, virtualnetworks. . .
I Future work:I further optimizations to reduce state spaceI probabilistic semanticsI generating proof artifacts
For papers and code, please visit:http://frenetic-lang.org/
Thanks!