Temporal NetKAT. Ryan Beckett Michael Greenberg, David Walker. Pomona College Princeton University

Size: px

Start display at page:

Download "Temporal NetKAT. Ryan Beckett Michael Greenberg*, David Walker. Pomona College* Princeton University"

Esmond Mosley
5 years ago
Views:

1 Temporal NetKAT Ryan Beckett Michael Greenberg*, David Walker Princeton University Pomona College*

2 Software-Defined Networking Controller

3 Software-Defined Networking Controller Match Action dst= pt 3, collect src= pt 2 * drop

4 Controller

5 L Maple FlowLog Frenetic NetKAT Routing Controller

6 L Maple FlowLog Frenetic NetKAT ndb Path Queries Routing Debugging Controller

7 L Maple FlowLog Frenetic NetKAT ndb Path Queries DREAM Path Queries Open Sketch Routing Debugging Controller Monitoring

8 FlowVisor L Maple FlowLog Frenetic NetKAT ndb Path Queries DREAM Path Queries Open Sketch NOD VeriFlow Headerspace NetPlumber NetKAT Routing Debugging Controller Monitoring Security Policy Verifier

9 Shared Abstraction: Dynamic forwarding based on a packet s history! Routing Debugging Monitoring Security Policy Controller Verifier

10 Overview Temporal NetKAT Extend NetKAT with queries over a packet s history Study the new paradigm on several applications Define a semantics and equational theory for the language Prove soundness and network-wide completeness Describe and implement a compilation strategy Evaluate the compiler performance on several networks

11 Temporal NetKAT

12 NetKAT Overview Predicates a,b ::= f = n test 1 true 0 false a + b or a b and a negation Policies p,q ::= a predicate f v assignment p + q union p q sequence p* iteration Based on KAT [Kozen & Smith 96] Extended to networks [Anderson et al 14]

13 NetKAT Overview Predicates a,b ::= f = n test 1 true 0 false a + b or a b and a negation Policies p,q ::= a predicate f v assignment p + q union p q sequence p* iteration Boolean Algebra Kleene Algebra

14 NetKAT Overview Packet: A record of fields and values sw=a, pt=1, src= , dst= A 3

15 NetKAT Overview Language Features: Match packets Modify packets sw=a, pt=1, src= , dst= A 3

16 NetKAT Overview Language Features: Match packets Modify packets sw=a, pt=1, src= , dst= src= sw=a 2 1 A 3

17 NetKAT Overview Language Features: Match packets Modify packets sw=a, pt=1, src= , dst= src pt A 3

18 NetKAT Overview Language Features: Match packets Modify packets sw=a, pt=1, src= , dst= src pt A 3

19 NetKAT Topology (sw=a pt=2) sw B pt A 1 2 B

20 NetKAT Network Kleene Star: (topology switch)*

21 NetKAT Network Kleene Star: (topology switch)*

22 NetKAT Network Kleene Star: (topology switch)*

23 NetKAT Network Kleene Star: (topology switch)*

24 NetKAT Network Kleene Star: (topology switch)*

25 NetKAT: Packet History A policy takes a packet history to a set of histories

26 NetKAT: Packet History A policy takes a packet history to a set of histories initial history [ ]

27 NetKAT: Packet History A policy takes a packet history to a set of histories [ ]

28 NetKAT: Packet History A policy takes a packet history to a set of histories [ ], [ ]

29 NetKAT: Packet History A policy takes a packet history to a set of histories [ ],, [ ], [ ]

30 NetKAT: Packet History A policy takes a packet history to a set of histories [ ],, [,,, ] [ ], [ ]

31 NetKAT: Packet History Final packet Initial packet [,,, ]

32 NetKAT: Packet History In practice, packets do not carry their history [ ]?,,,??

33 Temporal NetKAT Predicates a,b ::= f = n test 1 identity 0 drop a + b or a b and a negation a last (a S b) since Policies p,q ::= a predicate f v assignment p + q union p q sequence p* iteration LTLf Kleene Algebra

34 Temporal NetKAT (f=v1) f=v1 f=v1 f=v2 f=v3 f=v1 f=v1 Time

35 Temporal NetKAT (f=v1) f=v1 f=v1 f=v2 f=v3 f=v1 f=v1 Time

36 Temporal NetKAT What to do when there is no history? (f=v1) f=v1 f=v1 f=v2 f=v3 f=v1 f=v1 Time

37 Temporal NetKAT What to do when there is no history? (f=v1) Finite trace semantics LTLf [Giacomo & Vardi 13] False f=v1 f=v1 f=v2 f=v3 f=v1 f=v1 Time

38 Temporal NetKAT start = 1 f=v1 f=v1 f=v2 f=v3 f=v1 f=v1 Time

39 Temporal NetKAT Ever a = (1 S a) (f=v2) f=v1 f=v1 f=v2 f=v3 f=v1 f=v1 Time

40 Temporal NetKAT Ever a = (1 S a) (f=v2) f=v1 f=v1 f=v2 f=v3 f=v1 f=v1 Time

41 Temporal NetKAT Always a = a (f=v1) f=v1 f=v1 f=v2 f=v3 f=v1 f=v1 Time

42 Temporal NetKAT Always a = a (f=v1) f=v1 f=v1 f=v2 f=v3 f=v1 f=v1 Time

43 Examples

44 Routing Debugging Monitoring Security Policy Controller Verifier

45 Example: Debugging/Monitoring Determine flows utilizing a congested link S1 S3 S2 S4 S5 S6

46 Example: Debugging/Monitoring Determine flows utilizing a congested link pol + sw=s6 (sw=s2 (sw=s1)) pt ctrl S1 S3 S2 S4 S5 S6

47 Example: Security Ensure all traffic arriving at S6 went through a FW and IDS FW1 NAT S1 S3 S2 S4 S5 S6 FW2 IDS

48 Example: Security Ensure all traffic arriving at S6 went through a FW and IDS sw=s6 (sw=fw) (sw=ids) FW1 NAT S1 S3 S2 S4 S5 S6 FW2 IDS

49 Example: Isolation Enforce physical isolation of S1, S3, S4 from S2, S5, S6 S1 S3 S2 S4 S5 S6

50 Example: Isolation Enforce physical isolation of S1, S3, S4 from S2, S5, S6 pol ( (sw=s1+sw=s3+sw=s4) + (sw=s2+sw=s5+sw=s6)) S1 S3 S2 S4 S5 S6

51 Example: Verification Does the NAT always modify the dst IP address correctly? FW1 NAT S1 S3 S2 S4 S5 S6 FW2 IDS

52 Example: Verification Does the NAT always modify the dst IP address correctly? pol pol ((dst= ) S (sw=nat)) FW1 NAT S1 S3 S2 S4 S5 S6 FW2 IDS

53 Questions Reasoning How expressive is Temporal NetKAT? When are two programs equivalent? Compilation How to compile Temporal NetKAT to switch rules? Can we scale compilation to realistic topologies/policies?

54 Reasoning

55 Equational Theory Kleene Algebra Axioms Idempotent Semiring Laws (p+q)r pr+qr p+p p p+q q+p 1p p1 p p+0 p p0 0p 0 p(q+r) pq+pr p(qr) (pq)r p+(q+r) (p+q)+r Boolean Algebra Axioms aa a a a 0 a + 1 a a + a 1 (p + q)r pr + qr a + bc (a + b)(a + c) p* 1+pp* p* 1+p*p Axioms for * q+px x p*q x q+px x p*q x Packet Axioms (f = v) (f = v) (f = v ) (f v) (f = v) (f v) (f = v ) 1 0 f n (f = v ) (f v) NetKAT

56 Equational Theory Kleene Algebra Axioms p+q q+p p+0 p Idempotent Semiring Laws (p+q)r pr+qr p(q+r) pq+pr p+(q+r) (p+q)+r p* 1+pp* p* 1+p*p Packet Axioms (f = v) (f = v) (f = v ) (f v) (f = v) (f v) (f = v ) p+p p 1p p1 p p0 0p 0 p(qr) (pq)r Axioms for * q+px x p*q x q+px x p*q x 1 0 f n (f = v ) (f v) Boolean Algebra Axioms aa a a a 0 a + 1 a a + a 1 (p + q)r pr + qr a + bc (a + b)(a + c) LTLf Axioms 1 1 (a+b) a + b (a b) a b (a S b) b + a (a S b) (a S b) ( b) B ( a b) a (start a) (a a b) (a a)

57 Equational Theory Kleene Algebra Axioms Idempotent Semiring Laws (p+q)r pr+qr p+q q+p p+0 p p(q+r) pq+pr p+(q+r) (p+q)+r p* 1+pp* p* 1+p*p Packet Axioms (f = v) (f = v) (f = v ) (f v) (f = v) (f v) (f = v ) p+p p 1p p1 p p0 0p 0 p(qr) (pq)r Axioms for * q+px x p*q x q+px x p*q x 1 0 f n (f = v ) (f v) Boolean Algebra Axioms aa a a a 0 a + 1 a a + a 1 (p + q)r pr + qr a + bc (a + b)(a + c) LTLf Axioms 1 1 (a+b) a + b (a b) a b (a S b) b + a (a S b) (a S b) ( b) B ( a b) a (start a) (a a b) (a a) Step Axiom (f v) a a (f v)

58 Metatheory NetKAT: Soundness: If p q, then p = q Completeness: If p = q, then p q Temporal NetKAT: Soundness: If p q, then p = q Completeness: If start p = start q, then start p start q Completeness for network-wide policies Normalization reduces Temporal NetKAT terms to NetKAT Interesting induction invariant see the paper!

59 Compilation

60 Compilation A Fast Compiler for NetKAT [Smolka et al 15] Symbolic NetKAT automata Based on FDDs a variant of BDDs Tags the packet with the state of the automaton src=x dst Y sw B sw=a pt=1

61 Compilation A Fast Compiler for NetKAT [Smolka et al 15] Symbolic NetKAT automata Based on FDDs a variant of BDDs Tags the packet with the state of the automaton src=x dst Y sw=a pt=1 sw B High-level Idea: Reuse tagging mechanism for tracking history as well

62 Compilation Term Policy Automaton Query Automata NetKAT Automaton Rules

63 Compilation: Example pola link polb = (sw=a pt=1) (pt 2) = (sw B) (pt 1) = (sw=b pt=1) (pt 2) 1 2 A 1 2 B

64 Compilation: Example pola link polb pol = (sw=a pt=1) (pt 2) = (sw B) (pt 1) = (sw=b pt=1) (pt 2) = pola link (src=x) polb (src=x) 1 2 A 1 2 B

65 Compilation: Example pola link (src=x) polb (src=x) 1 2 A 1 2 B

66 Compilation: Example pola link (src=x) polb

67 Compilation: Example pola link (src=x) polb abstract predicate pola link α polb

68 Compilation: Example pola link α polb src=x 1 Query Automaton (α) 0 src=x 1 [src=x] [1] Policy Automaton 0 pola 1 link 2 [α polb]

69 src=x 1 Query Automaton (α) 0 src=x 1 [src=x] [1] Policy Automaton 0 pola 1 link 2 = [α polb] Product Automaton 0,0 src=x pola src=x pola 0,1 src=x link 0,2 src=x link link 1,1 [src=x polb] 1,2 [1 polb]

70 Compilation: Example 0,0 src=x pola src=x pola 0,1 src=x link 0,2 src=x link link 1,1 [src=x polb] 1,2 [1 polb] FDD Compilation Idea: Automaton state encoded as a packet field in the FDD

71 Compilation: Example

72 Compilation: Example

73 Compilation: Example See the paper for additional optimizations!

74 Evaluation

75 Compiler Evaluation Topology Zoo Over 250 real topologies Shortest path routing Stanford Campus Network Mid-sized campus network 16 core backbone routers Rich, non-uniform routing policy

76 Compiler Evaluation Baseline: Routing only Security: Enforce physical isolation Enforce logical isolation Debugging/Monitoring: Congested Link Simple path Port Matrix? DDOS sources?

77 Topology Zoo Compilation Time Most policies have very little overhead ~12 min worst case Main limiting factor: number of queries

78 Topology Zoo Number of Rules Often near minimal rule overhead ~2x increase with DDOS query

79 Stanford Network Compilation Time 12 Time (sec) No Query Congested Physical Isolation Simple Path Slice Isolation DDOS

80 Stanford Network Rule Overhead 0 No Query Congested Physical Isolation Simple Path Slice Isolation DDOS

81 Conclusions Language Extension of NetKAT with queries over packet history Useful in a variety of network applications Theory Soundness and completeness for network-wide programs New proof technique for completeness Compiler Inspired by structure of the completeness proof Scales to many real network topologies/policies

It's the last COS 326 class!

It's the last COS 326 class! David Walker COS 326 Princeton University COS 326 Final Exam Logistics: Friday Jan 26 1:30pm McCosh 46 Note: If you are doing study abroad, make sure that you email Chris Moretti