COCO N: CORRECT-BY-CONSTRUCTION NETWORKS USING STEPWISE REFINEMENT

Transcription

1 COCO N: CORRECT-BY-CONSTRUCTION NETWORKS USING STEPWISE REFINEMENT Leonid Ryzhyk Nikolaj Bjorner Marco Canini Jean-Baptiste Jeannin Cole Schlesinger Douglas Terry George Varghese

2 RUNNING EXAMPLE: CAMPUS NETWORK 2 ACL subnet 1 zone 1 zone 3 core zone 2 subnet 2

3 RUNNING EXAMPLE: CAMPUS NETWORK 3 zone 1 zone 3 core zone 2 subnet 1 subnet 1 gateway router subnet 2 subnet 2 gateway router switch router (not assigned to a subnet)

4 NETWORK VERIFICATION: CURRENT PRACTICES 4 OpenFlow SDN app Option 1: Dataplane verification (NetPlumber, HSA, Veriflow) Fixing bugs in a deployed network takes time; may not avoid the downtime Option 2: Controller verification (Vericon, FlowLog) Limited scalability Check for: Loop freedom Black holes Reachability Isolation Common to both approaches: Property-based verification does not guarantee correctness

5 NETWORK VERIFICATION IN A NUTSHELL 5 ~ Option 1: Dataplane verification (NetKAT) Limited scalability Big switch abstraction

6 REQUIREMENTS 6 Ideally, network verification should be: 1. Scalable 2. Static 3. Exhaustive (works at DC scale) (verifies all possible configurations) (misses no bugs) State of the art: pick 1 out of 3

7 OBSERVATIONS 7 Top-level spec Simple top-level description: the what, not the how Design by hierarchical decomposition ACL subnet 1 zone 1 Refinement 1 zone 3 core zone 2 Refinement 3 subnet 2 Refinement 2

8 DECOMPOSING A WAN 8 switch WAN router local link WAN link Data center 1 Local fabric Data center 2 Core layer Local fabric ToR layer 3 2 Global fabric Internet 1 DC3

9 MORE EXAMPLES 9 Virtual network is decomposed into Physical fabric Virtual fabric Cellular network is decomposed into Edge (base stations) Core Internet gateway Exposing this structure enables efficient compositional verification

10 COCO N: COrrect by COnstruction Networking 10 We propose Cocoon: SDN design method Programming language Verifier Cocoon achieves scalable, static, exhaustive verification (3 out of 3!) via a network design process that focuses on correctness. refine spec refine refine implementation SDN controller Correct by construction

11 EXAMPLE COCOON SPECIFICATIONS 11 role HostOut[IP4 addr] chost(addr) = filter ip2subnet(pkt.srcip)==ip2subnet(pkt.dstip) or acl(pkt); filter chost(pkt.dstip); send HostIn[pkt.dstIP] subnet 1 Runtime-Defined Functions (RDFs) function function function function Must return valid subnet ID chost(ip4 addr): bool csubnet(vid_t vid): bool acl(packet p): bool ip2subnet(ip4 ip): vid_t Assumption: ACL subnet 2 chost(addr) chost(addr) == addr=={ } addr=={ } addr=={ } addr=={ } ip2subnet(ip) ip2subnet(ip) == *.* *.* subnet1 subnet *.* *.* subnet2 subnet assume(ip4 addr) chost(addr)=>csubnet(ip2subnet(addr))

12 REFINEMENT EXAMPLE 12 role HostOut[IP4 addr] chost(addr) = filter ip2subnet(pkt.srcip)==ip2subnet(pkt.dstip) or acl(pkt); filter chost(pkt.dstip); send HostIn[pkt.dstIP] subnet 1 refine HostOut { role HostOut[IP4 addr] chost(addr) =... send RouterZoneIn[zone(addr)] role RouterZoneIn[zid_t] = } ACL subnet 2 zone 1 zone 3 core zone 2

13 2-PHASE VERIFICATION 13 Refinements + assumptions specify static network design Verified statically RDFs encapsulate runtime configuration Checked at runtime against assumptions

14 COCOON ARCHITECTURE 14 Cocoon spec verifier external apps RDF definitions Cocoon runtime assumption checker compiler OpenFlow/P4 SDN controller

15 IMPLEMENTING VERIFICATION 15 Role semantics: Role refinement: We convert this program to Boogie and use the Corral model checker Enforce static bound on the number of network hops to achieve completeness Assumptions are converted to SMT and checked using Z3

16 CASE STUDIES B4-style WAN [Jain et al. B4: Experience with a Globally-Deployed Software Defined WAN] NSX-style network virtualization framework [Koponen et al. Network Virtualization in Multi-tenant Datacenters] Enterprise network [Sung et al. Towards Systematic Design of Enterprise Networks] F10 [Liu et al. F10: A Fault-Tolerant Engineered Network] Stag [Lopes et al. Automatically verifying reachability and wellformedness in P4 Networks] isdx [Gupta et al. An Industrial-Scale Software Defined Internet Exchange Point] 16

17 PERFORMANCE (static verification) 17 Compositional: Monolithic:

18 PERFORMANCE (runtime verification) 18

19 COCOON VS TRADITIONAL NETWORK VERIFICATION 19 zone 1 zone 3 core security policy zone 2 subnet 1 subnet 2 subnet 1 subnet 1 gateway router subnet 2 subnet 2 gateway router switch router (not assigned to a subnet) HSA/ Veriflow/... Correctness spec

20 PERFORMANCE (Cocoon + HSA) 20

21 CONCLUSION 21 Design-by-refinement works well for networks: Allow concise high-level specifications Well-defined module boundaries Verification is feasible for a single refinement: no pointers, concurrency, dynamic memory allocation, etc. Source code, case studies: