HEADER SPACE ANALYSIS

Transcription

1 HEADER SPACE ANALYSIS Peyman Kazemian (Stanford University) George Varghese (UCSD, Yahoo Labs) Nick McKeown (Stanford University) 1 July 17 th, 2012 Joint Techs 2012

2 TODAY A typical network is a complex mix of protocols: IPv4 OSPF UDP Spanning tree MPLS ICMP VLAN NAT IPsec RSVP IPv6 ARP GRE TCP BGP IGMP Interact in complex ways. Cause unforeseen behavior. Hard to manage, understand and predict the behavior of networks. 2

3 TODAY Even simple questions are hard to answer Can host A talk to host B? What are all the packet headers from A that can reach B? Are there any loops in the network? Is Slice X isolated totally from Slice Y? What will happen if I remove an entry from a router? 3

4 HEADER SPACE ANALYSIS A Powerful General Foundation that gives us A unified view of almost all type of boxes. A powerful interface for answering different questions about the network. 4

5 HEADER SPACE FRAMEWORK SIMPLE OBSERVATION: A PACKET IS A POINT IN THE SPACE OF POSSIBLE HEADERS AND A BOX IS A TRANSFORMER ON THAT SPACE. 5

6 HEADER SPACE FRAMEWORK Step 1 - Model packet header as a point in {0,1} L space The Header Space Header L Data 6

7 HEADER SPACE FRAMEWORK Step 2 Model all networking boxes as transformer of header space Packet Transfer Function: Forwarding T :(h 2 Match in,p in )! {(h Action 1,p 1 ), (h 2,p 2 ),...,(h n,p n )} 0xx1..x1 11xx..0x + Send to port 32 Rewrite with 1xx011..x1 1x01xx..x

8 HEADER SPACE FRAMEWORK Example: Transfer Function of an IPv4 Router Port Port Port (h,1) if dst_ip(h) = x T(h, p) = (h,2) if dst_ip(h) = x (h,3) if dst_ip(h) = x.x 8

9 HEADER SPACE FRAMEWORK Example: Transfer Function of an IPv4 Router Port Port Port (dec_ttl(h),1) if dst_ip(h) = x T(h, p) = (dec_ttl(h),2) if dst_ip(h) = x (dec_ttl(h),3) if dst_ip(h) = x.x 9

10 HEADER SPACE FRAMEWORK Example: Transfer Function of an IPv4 Router Port Port Port T(h, p) = (rw_mac(dec_ttl(h),next_mac), 1) (rw_mac(dec_ttl(h),next_mac), 2) (rw_mac(dec_ttl(h),next_mac), 3) if dst_ip(h) = x if dst_ip(h) = x if dst_ip(h) = x.x 10

11 HEADER SPACE FRAMEWORK Properties of transfer functions Composable: T 3 (T 2 (T 1 (h, p))) R1 R2 T 2 (T 1 (h, p)) R3 T 1 (h, p) T 2 (h, p) T 3 (h, p) T 3 (T 2 (T 1 (h, p))) Invertible: T T 1 11 Domain (input) Range (output)

12 HEADER SPACE FRAMEWORK Step 3 - Develop an algebra to work on these spaces. Every object in Header Space, can be described by union of Wildcard Expressions. We want to perform the set operations on these wildcard expressions: Intersection Complementation Difference Refer to header space analysis paper for details. 12

13 USE CASES OF HEADER SPACE FRAMEWORK THESE ARE ONLY SOME EXAMPLE USE CASES THAT WE DEVELOPED SO FAR 13

14 USE CASES Can host A talk to B? All Packets that A can use to communicate with B A T -1 1 Box 1 T -1 1 T 1 (X,A) T -1 2 Box 2 T 2 (T 1 (X,A)) T -1 4 Box 4 T 4 (T 1 (X,A)) Box 3 B T -1 3 T -1 3 T 3 (T 2 (T 1 (X,A)) U T 3 (T 4 (T 1 (X,A)) 14

15 USE CASES Is there a loop in the network? Inject an all-x text packet from every switch-port Follow the packet until it comes back to injection port T 1 (X,P) Box 2 T 2 (T 1 (X,P)) T -1 2 Box 1 T -1 1 T -1 3 Box 3 Original HS T -1 4 Returned HS T 3 (T 2 (T 1 (X,P))) T 4 (T 3 (T 2 (T 1 (X,P)))) Box 4 15

16 USE CASES Is the loop infinite? Finite Loop Infinite Loop? 16

17 IMPLEMENTATION AND EVALUATION 17

18 IMPLEMENTATION Header Space Library (Hassel) Written in Python Implements Header Space Class Set operations Implements Transfer Function Class T and T -1 Implements Reachability, Loop Detection and Slice Isolation checks. < 50 lines of code Includes a Cisco IOS and Juniper Junos parser Generates transfer function from output of IOS/Junos commands and config file. Keeps the mapping from Transfer function rule to line number in config file. Publicly available: git clone 18

19 STANFORD BACKBONE NETWORK ~750K IP fwd rule. ~1.5K ACL rules. ~100 Vlans. Vlan forwarding. 19

20 STANFORD BACKBONE NETWORK Loop detection test run time < 10 minutes on a single machine. Vlan RED Spanning Tree Vlan BLUE Spanning Tree 20

21 PERFORMANCE Performance result for Stanford Backbone Network on a single machine: 4 core, 4GB RAM. Generating TF Rules Loop Detection Test (30 ports) Average Per Port Min Per Port Max Per Port Reachability Test (Avg) ~150 sec ~560 sec ~18 sec ~ 8 sec ~ 135 sec ~13 sec 21

22 SUMMARY Header Space Analysis is a Powerful General Foundation that gives us A unified view of almost all type of boxes. A powerful interface for answering different questions about the network. Can be applied to both SDN and Non-SDN networks. Our initial Python-based implementation can scale to enterprise-size networks on a single machine. 22

23 Thank You! Questions? 23

24 COMPLEXITY Run time Reachability: O(dR 2 ) Loop Detection: O(dPR 2 ) R: maximum number of rules per box. d: diameter of network. P: number of ports to be tested See paper for more details. 24

25 COMPLEXITY OF REACHABILITY AND LOOP DETECTION TESTS Run time Reachability: O(dR 2 ) Loop Detection: O(dPR 2 ) W 1,..W R W 1,..W R W 1,..W R W 1,..W R R: maximum number of rules per box. d: diameter of network. P: number of ports to be tested Assumption: Linear Fragmentation E 1 : Match M 1,.. E 2 : Match M 2,.. E 3 : Match M 3,..... E R : Match M R,.. R W 1,..W R cr cr/3 cr/3 cr/3 c 2 R c 2 R/9 c 2 R/9 c 2 R/9 c 2 R/9 c 2 R/9 c 2 R/9 c 2 R/9 c 2 R/9 c 2 R/9 25