Abstrac(ons for Model Checking SDN Controllers. Divjyot Sethi, Srinivas Narayana, Prof. Sharad Malik Princeton University

Transcription

1 Abstrac(ons for Model Checking SDN s Divjyot Sethi, Srinivas Narayana, Prof. Sharad Malik Princeton University

2 Tradi(onal Networking Swt 1 Swt 2 Talk OSPF, RIP, BGP, etc. Swt 3 Challenges: - Difficult to get right. Forwarding data plane Mapping used for forwarding packets. Distributed control plane Logic used to update the mapping. - Inflexible for novel ideas. - No clean abstrac(ons for implemen(ng control.

3 A Fundamental ShiS in Network Design Swt 1 Distributed Control Talk OSPF, RIP, BGP, etc. Swt 2 Swt 1 Centralized Control General purpose sosware Swt 2 Swt 3 Swt 3 Switches programmed by controller by installing rules Centralized control simplifies design and innova(on However, an Achilles heel for correctness.

4 Problem: Bugs in Centralized Control? Security leaks: packet sent to an untrusted host. Network loops: packet looping around in network. Link overload and data center outage. Down(me cost: ~$1 million per outage! ( AWS service commitment: Amazon EC2 and Amazon availability at least 99.95%

5 Challenges in Verifica(on outport(inpkt) = H 1 Swt 1 Swt H 2 2 pkt 1 pkt pkt c 4 Swt 3 Rou(ng Table Port 1 : inpkt.dst = H 1 Port 2 : inpkt.dst = H 3 Port 3 : inpkt.dst = H k Port p : inpkt.dst = H r Port q : inpkt.dst = H a Large number of packets alive in network. Large buffer state. Large number of rules installed in switches. Large network state. Large topology size.

6 Overview Exis(ng approaches and problem statement Abstrac(on on Stateful firewall Experimental case studies Stateful firewall Learning switch Conclusions

7 Overview Exis6ng approaches and problem statement Abstrac(on on Stateful firewall Experimental case studies Stateful firewall Learning switch Conclusions

8 Verifying SoSware Defined Networks: Exis(ng Approaches Updates Updates Configura(on 1 Transient Configura(on 2 Transient Configura(on 3 Phase Phase Network state evolves from configura(on (switch rules) to configura(on as controller updates the rules during transient phase. Category 1: Verify just one configura(on - Symbolic simula(on[kazemian et al. NSDI 12] - Reduc(on to SAT [S. Zhang et al. ATVA 12, H. Mai SIGCOMM 11] - Model Checking [E. Al- Shaer SafeConfig 10] Problem: verifies just one configura(on!

9 Verifying SoSware Defined Networks: Exis(ng Approaches Updates Updates Configura(on 1 Transient Configura(on 2 Transient Configura(on 3 Phase Phase Network state evolves from configura(on (switch rules) to configura(on as controller updates the rules during transient phase. Category 2: Incremental verifica(on, i.e., verify all configura(ons. [Kazemian et al. NSDI 13, A. Khurshid et al. NSDI 12] Problem: property may be violated in transient phase!

10 Verifying SoSware Defined Networks: Exis(ng Approaches Updates Updates Configura(on 1 Transient Configura(on 2 Transient Configura(on 3 Phase Phase Network state evolves from configura(on (switch rules) to configura(on as controller updates the rules during transient phase. Category 3: Full formal verifica(on of - NICE (M. Canini NSDI 12), FlowLog (T. Nelson HotSDN 13) Problem: handle only a bounded number of packets! - - Run(me grows exponen(ally with increasing packets. Can t guarantee proper(es like security as checked for small number of packets.

11 Focus of this Work Updates Updates Configura(on 1 Transient Configura(on 2 Transient Configura(on 3 Phase Phase Network state evolves from configura(on (switch rules) to configura(on as controller updates the rules during transient phase. Full formal verifica6on of using model checking. Extend model checking based approaches with abstrac(ons to handle an unbounded number packets.

12 Overview Exis(ng approaches and problem statement Abstrac6on on Stateful firewall Experimental case studies Stateful firewall Learning switch Conclusions

13 Stateful Firewall H 1 S 1 S H 2 2 Enterprise Host p1 p2 p1 p2 Firewall Internet Hosts Firewall rules: 1) H 1 can contact H 2 or H 3. 2) H 2 /H 3 can contact H 1, only if H 1 has already contacted them. 3) If H 2 /H 3 ini(ates contact first, it must be blocked. Property: If H 2 never contacts H 1 first, it does not get blocked. p3 H 3

14 Abstrac(on for Unbounded Packets: Data State Abstrac(on Key insight: proper(es of interest are per- packet proper(es. - For example a packet from one host cannot reach another. H 1 pkt 1 S 1 pkt S H 2 c 2 pkt H 1 3 S 1 S H pkt 2 c 2 H 3 pkt e pkt e pkt e H 3

15 Abstrac(on for Large Switch State: Network State Abstrac(on H 1 S 1 S H 2 2 Enterprise Host p1 p2 p1 p2 Firewall p3 H 3 Rou(ng Table Internet Hosts output port(pkt) = p 1 : pkt.dst = H 1 p 2 : pkt. dst = H 2 p 3 : pkt. dst = H 3

16 Abstrac(on for Reducing Switch State: Leveraging Data State Abstrac(on pkt c.src = H 1 pkt c.dst = H 2 H 1 S 1 S H 2 2 p1 p2 pkt p1 p2 c Enterprise Host output port(pkt) = Firewall p3 H 3 Abstracted Rou(ng Table p 1 : pkt.dst = H 1 p 2 : pkt. dst = H 2 Internet Hosts non- det: pkt. dst!= {H 1 or H 2 }

17 Overview Exis(ng approaches and problem statement Abstrac(on on Stateful firewall Experimental case studies Stateful firewall Learning switch Conclusions

18 Stateful Firewall H 1 S 1 S H 2 2 p1 p2 p1 p2 Enterprise Firewall Internet Verified a Murphi model of the firewall with a single host H 2. - Found a bug: H 2 replies to H 1 but s(ll gets blocked! Experiments were done on a 2.40 GHz Intel Core 2 Quad processor, 3.74 GB RAM.

19 Stateful Firewall: Race Condi(on H 1 S 1 S H 2 2 p1 p2 p1 p2 Enterprise pkt 1 Firewall Internet H 1 sends a packet pkt 1 to H 2

20 Stateful Firewall: Race Condi(on H 1 S 1 S H 2 2 p1 p2 p1 p2 Enterprise Firewall Internet pkt 1 Switch S 1 no(fies the controller.

21 Stateful Firewall: Race Condi(on H 1 S 1 S H 2 2 p1 p2 p1 p2 Enterprise Firewall Internet pkt 1 Packet is also forwarded by S 1, to S 2 which sends it to H 2.

22 Stateful Firewall: Race Condi(on H 1 S 1 S H 2 2 p1 p2 p1 p2 Enterprise Firewall Internet pkt 2 Host H 2 replies with packet pkt 2.

23 Stateful Firewall: Race Condi(on H 1 S 1 S H 2 2 p1 p2 p1 p2 Enterprise Firewall Internet pkt2 Switch S 2 no(fies about pkt 2.

24 Stateful Firewall: Race Condi(on H 1 S 1 S H 2 2 p1 p2 p1 p2 Enterprise Firewall Internet If no(fica(on of S 1 reaches aser S 2, thinks that H 2 contacted first and so is an asacker! H 2 gets erroneously blocked! Bug detected in 0.13 sec with 482 states

25 Stateful Firewall: Bug Fix H 1 S 1 S H 2 2 p1 p2 p1 p2 Enterprise Firewall Internet pkt 1 S 1 waits for to acknowledge no(fica(on before forwarding packet pkt 1 to H 2. - Proved correctness for an unbounded number of packets in this case. Correctness proof for the bug free case with unbounded number of packets in 0.19 sec with 613 states

26 Learning Switch Hst A Swt 1 Swt 2 Hst B pkt Swt 3 Hst C When a packet arrives at a switch at an input port: - Switch learns its source host is connected to that port. - Uses this informa(on to route future packets efficiently.

27 Learning Switch: Bug Hst A Swt Swt 2 Hst B Swt 3 Hst C Switches may learn rou(ng informa(on such that packets get stuck in a loop! Loop was found in 0.1 sec with 159 states explored.

28 Learning Switch: Bug Fix Hst A Swt 1 Swt 2 Hst B Swt 3 No packet on this link as not on spanning tree. Hst C Only route on a spanning tree Verified for an arbitrary number of packets exchanged between Hst A and Hst B in 600s with 1.45M.

29 Overview Exis(ng approaches and problem statement Abstrac(on on Stateful firewall Experimental case studies Stateful firewall Learning switch Conclusions

30 Conclusions We presented abstrac(ons for: Verifying proper(es for an arbitrary number of packets. Reducing network state. Verified a stateful firewall and a learning switch using these abstrac(ons.

31 Thank You!

32 Stress test Stress test: Larger fat tree topology with 20 switches, 16 hosts and 48 links. Model checking did not finish for an arbitrarily large number of packets. It finished in 68352s for the single packet case with network state abstrac(on

33 Ques(ons Lines of code? NAT ~1000 Pyswitch ~1000 Bug handled by acknowledgement carrying host info?