Abstraction-Driven Network Verification and Design (a ... · Route Selection RIP OSPF A B C Prefix:...
Transcript of Abstraction-Driven Network Verification and Design (a ... · Route Selection RIP OSPF A B C Prefix:...
![Page 1: Abstraction-Driven Network Verification and Design (a ... · Route Selection RIP OSPF A B C Prefix: 128.2.1/24 Hop-count: 5 Prefix: 128.2.1/24 Type: External 2 Cost: 100 RIP OSPF](https://reader033.fdocuments.in/reader033/viewer/2022042305/5ed0700fff5f4b556c35c9c2/html5/thumbnails/1.jpg)
Geoffrey XieNaval Postgraduate [email protected]
Abstraction-Driven Network Verification and Design (a personal odyssey)
![Page 2: Abstraction-Driven Network Verification and Design (a ... · Route Selection RIP OSPF A B C Prefix: 128.2.1/24 Hop-count: 5 Prefix: 128.2.1/24 Type: External 2 Cost: 100 RIP OSPF](https://reader033.fdocuments.in/reader033/viewer/2022042305/5ed0700fff5f4b556c35c9c2/html5/thumbnails/2.jpg)
It started in 2004
• A sabbatical at CMU– Joined a collaborative project with AT&T Labs
– Goal: To reverse engineer the routing designs of 100s of production networks and find ways to detect errors early and minimize outages due to routing loops and blackholes
– We were given only router configuration files
7/8/15 MSR 2015 Faculty Summit 2
![Page 3: Abstraction-Driven Network Verification and Design (a ... · Route Selection RIP OSPF A B C Prefix: 128.2.1/24 Hop-count: 5 Prefix: 128.2.1/24 Type: External 2 Cost: 100 RIP OSPF](https://reader033.fdocuments.in/reader033/viewer/2022042305/5ed0700fff5f4b556c35c9c2/html5/thumbnails/3.jpg)
Excerpts of a Router Configinterface Ethernet0
ip address 6.2.5.14 255.255.255.128interface Serial1/0.5 point-to-point
ip address 6.2.2.85 255.255.255.252ip access-group 143 inframe-relay interface-dlci 28
router ospf 64redistribute connected subnetsredistribute bgp 64780 metric 1 subnetsnetwork 66.251.75.128 0.0.0.127 area 0
router bgp 64780redistribute ospf 64 match route-map 8aTzlvBrbaWneighbor 66.253.160.68 remote-as 12762neighbor 66.253.160.68 distribute-list 4 in
…
…access-list 143 deny 1.1.0.0/16access-list 143 permit anyroute-map 8aTzlvBrbaW deny 10
match ip address 4route-map 8aTzlvBrbaW permit 20
match ip address 7ip route 10.2.2.1/16 10.2.1.7…
7/8/15 MSR 2015 Faculty Summit 3
![Page 4: Abstraction-Driven Network Verification and Design (a ... · Route Selection RIP OSPF A B C Prefix: 128.2.1/24 Hop-count: 5 Prefix: 128.2.1/24 Type: External 2 Cost: 100 RIP OSPF](https://reader033.fdocuments.in/reader033/viewer/2022042305/5ed0700fff5f4b556c35c9c2/html5/thumbnails/4.jpg)
Lots of Configuration Files
Router ID (sorted by # lines in config) 8810
# Lines in
co
nfig
file
2000
1000
0
An example real-world large enterprise network consisting of ~900 routers (data collected in 2003)
Router config sizes of today can be much larger because of additional security and service requirements
7/8/15 MSR 2015 Faculty Summit 4
![Page 5: Abstraction-Driven Network Verification and Design (a ... · Route Selection RIP OSPF A B C Prefix: 128.2.1/24 Hop-count: 5 Prefix: 128.2.1/24 Type: External 2 Cost: 100 RIP OSPF](https://reader033.fdocuments.in/reader033/viewer/2022042305/5ed0700fff5f4b556c35c9c2/html5/thumbnails/5.jpg)
A Reverse-Engineering Methodology[Maltz et al, Sigcomm’04]
Configuration filesFind links
Find adjacent routing processes
Construct Routing Process Graph
Condense adjacent routing processes into Routing Instances
Construct logical IP Topology
OSPF #1 OSPF #2BGP AS1
AS2
This abstraction is key to a scalable solution
7/8/15 MSR 2015 Faculty Summit 5
![Page 6: Abstraction-Driven Network Verification and Design (a ... · Route Selection RIP OSPF A B C Prefix: 128.2.1/24 Hop-count: 5 Prefix: 128.2.1/24 Type: External 2 Cost: 100 RIP OSPF](https://reader033.fdocuments.in/reader033/viewer/2022042305/5ed0700fff5f4b556c35c9c2/html5/thumbnails/6.jpg)
6
Diverse Deigns beyond Textbook Model
OSPF (Company 2)
IS-IS (Company 1)
ISISOSPF 1
BGP
Some operational network
EIGRPBGP
OSPF 2 RIP
BGP
BGP
textbook model
BGP/IGP
A network can have many routing instances and their interaction will impact routing safety
7/8/15 MSR 2015 Faculty Summit
![Page 7: Abstraction-Driven Network Verification and Design (a ... · Route Selection RIP OSPF A B C Prefix: 128.2.1/24 Hop-count: 5 Prefix: 128.2.1/24 Type: External 2 Cost: 100 RIP OSPF](https://reader033.fdocuments.in/reader033/viewer/2022042305/5ed0700fff5f4b556c35c9c2/html5/thumbnails/7.jpg)
Route Redistribution
RIP OSPF
A B CPrefix: 128.2.1/24Hop-count: 1
Prefix: 128.2.1/24Type: External 2Cost: 20
RIP OSPF
Route Selection
FIB
…
router rip
…
!
router ospf 200
redistribute rip metric 20
!
Configuration of Router B7
P
7/8/15 MSR 2015 Faculty Summit
![Page 8: Abstraction-Driven Network Verification and Design (a ... · Route Selection RIP OSPF A B C Prefix: 128.2.1/24 Hop-count: 5 Prefix: 128.2.1/24 Type: External 2 Cost: 100 RIP OSPF](https://reader033.fdocuments.in/reader033/viewer/2022042305/5ed0700fff5f4b556c35c9c2/html5/thumbnails/8.jpg)
Route Selection
RIP OSPF
A B C
Prefix: 128.2.1/24Hop-count: 5
Prefix: 128.2.1/24Type: External 2Cost: 100
RIP OSPF
Route Selection
FIB
Admin Dist: 120 AD: 110
…
router rip
distance 90
!
router ospf 200
…
!
Configuration of Router D
D
8
P
AD: 90
7/8/15 MSR 2015 Faculty Summit
![Page 9: Abstraction-Driven Network Verification and Design (a ... · Route Selection RIP OSPF A B C Prefix: 128.2.1/24 Hop-count: 5 Prefix: 128.2.1/24 Type: External 2 Cost: 100 RIP OSPF](https://reader033.fdocuments.in/reader033/viewer/2022042305/5ed0700fff5f4b556c35c9c2/html5/thumbnails/9.jpg)
Impact on Routing Theory & Practice
• Understanding current design and ensuring safety [Le et al, ICNP’07, Sigcomm’08, CoNext’10] [Benson et al,, IMC’09, NSDI’09] [Alim and Griffin, CoNext’11] [Sun et al, CoNext’12], etc.
• Clean slate design of route redistribution[Le et al, Sigcomm’10]
• Routing Reconfiguration[Vanbever et al, Sigcomm’12] [Vissicchio et al, Infocom’14] etc.
• Co-existence of multiple control planes (including SDN)[Volpano et al, HotSDN’14] [Vissicchio et al, Infocom’15] etc.
7/8/15 MSR 2015 Faculty Summit 9
![Page 10: Abstraction-Driven Network Verification and Design (a ... · Route Selection RIP OSPF A B C Prefix: 128.2.1/24 Hop-count: 5 Prefix: 128.2.1/24 Type: External 2 Cost: 100 RIP OSPF](https://reader033.fdocuments.in/reader033/viewer/2022042305/5ed0700fff5f4b556c35c9c2/html5/thumbnails/10.jpg)
Next goal: Predicting Reachability
• Reachability depends not just on topology– Routing protocols, packet filters, and middleboxes
• Predicting reachability is key to network security and resilience
Host A B
7/8/15 MSR 2015 Faculty Summit 10
![Page 11: Abstraction-Driven Network Verification and Design (a ... · Route Selection RIP OSPF A B C Prefix: 128.2.1/24 Hop-count: 5 Prefix: 128.2.1/24 Type: External 2 Cost: 100 RIP OSPF](https://reader033.fdocuments.in/reader033/viewer/2022042305/5ed0700fff5f4b556c35c9c2/html5/thumbnails/11.jpg)
State of the Art at the time
• Build the network and try it• Dynamic probing (ping and traceroute) used to
troubleshoot reachability problems
Host A B
7/8/15 MSR 2015 Faculty Summit 11
![Page 12: Abstraction-Driven Network Verification and Design (a ... · Route Selection RIP OSPF A B C Prefix: 128.2.1/24 Hop-count: 5 Prefix: 128.2.1/24 Type: External 2 Cost: 100 RIP OSPF](https://reader033.fdocuments.in/reader033/viewer/2022042305/5ed0700fff5f4b556c35c9c2/html5/thumbnails/12.jpg)
Reachability Example
• Enterprise with two remote offices
• Only A&B should be able to talk to server C
Internet
A
B
C
7/8/15 12MSR 2015 Faculty Summit
![Page 13: Abstraction-Driven Network Verification and Design (a ... · Route Selection RIP OSPF A B C Prefix: 128.2.1/24 Hop-count: 5 Prefix: 128.2.1/24 Type: External 2 Cost: 100 RIP OSPF](https://reader033.fdocuments.in/reader033/viewer/2022042305/5ed0700fff5f4b556c35c9c2/html5/thumbnails/13.jpg)
• Network designers add two links for robustness
• Configure routing protocols to use new links in failure
Internet
A
B
C
Reachability Example
7/8/15 13MSR 2015 Faculty Summit
![Page 14: Abstraction-Driven Network Verification and Design (a ... · Route Selection RIP OSPF A B C Prefix: 128.2.1/24 Hop-count: 5 Prefix: 128.2.1/24 Type: External 2 Cost: 100 RIP OSPF](https://reader033.fdocuments.in/reader033/viewer/2022042305/5ed0700fff5f4b556c35c9c2/html5/thumbnails/14.jpg)
• Designers apply packet filters to new links
Internet
A
B
C
Reachability Example
7/8/15 14MSR 2015 Faculty Summit
![Page 15: Abstraction-Driven Network Verification and Design (a ... · Route Selection RIP OSPF A B C Prefix: 128.2.1/24 Hop-count: 5 Prefix: 128.2.1/24 Type: External 2 Cost: 100 RIP OSPF](https://reader033.fdocuments.in/reader033/viewer/2022042305/5ed0700fff5f4b556c35c9c2/html5/thumbnails/15.jpg)
Internet
A
B
C
Reachability Example
7/8/15 MSR 2015 Faculty Summit 15
![Page 16: Abstraction-Driven Network Verification and Design (a ... · Route Selection RIP OSPF A B C Prefix: 128.2.1/24 Hop-count: 5 Prefix: 128.2.1/24 Type: External 2 Cost: 100 RIP OSPF](https://reader033.fdocuments.in/reader033/viewer/2022042305/5ed0700fff5f4b556c35c9c2/html5/thumbnails/16.jpg)
• Packets from B->C dropped!• Testing under normal conditions won’t find this error!
Internet
A
B
C
Reachability Example
7/8/15 MSR 2015 Faculty Summit 16
![Page 17: Abstraction-Driven Network Verification and Design (a ... · Route Selection RIP OSPF A B C Prefix: 128.2.1/24 Hop-count: 5 Prefix: 128.2.1/24 Type: External 2 Cost: 100 RIP OSPF](https://reader033.fdocuments.in/reader033/viewer/2022042305/5ed0700fff5f4b556c35c9c2/html5/thumbnails/17.jpg)
The Reachability Set abstraction[Xie et al, Infocom’05]
Set of all packets permitted from one node to another
• Model packet filters naturallye.g., “Permit A->C” rule defined on link from node u to v:Fu,v = {packet p | p.src_addr = A, p.dst_addr = C}
• Effect of routing protocols added as dynamic destination address based packet filters
– when network is in forwarding state s, Fu,v(s) = Fu,v ∩ {all packets u would forward to v at s}
• Packet transformation as generalized inverse function that maps a set of packets to another set of packets
7/8/15 MSR 2015 Faculty Summit 17
![Page 18: Abstraction-Driven Network Verification and Design (a ... · Route Selection RIP OSPF A B C Prefix: 128.2.1/24 Hop-count: 5 Prefix: 128.2.1/24 Type: External 2 Cost: 100 RIP OSPF](https://reader033.fdocuments.in/reader033/viewer/2022042305/5ed0700fff5f4b556c35c9c2/html5/thumbnails/18.jpg)
Reachability Analysis Graph
Internet
Node 1
Node 5
Node 3
Node 2
Node 4
Reachable Set over directed path 1->2->3 = F1,2(s) ∩ F2,3(s)
Fi,j(s): Set of all packets permitted for
link i->j at network state s
7/8/15 MSR 2015 Faculty Summit 18
![Page 19: Abstraction-Driven Network Verification and Design (a ... · Route Selection RIP OSPF A B C Prefix: 128.2.1/24 Hop-count: 5 Prefix: 128.2.1/24 Type: External 2 Cost: 100 RIP OSPF](https://reader033.fdocuments.in/reader033/viewer/2022042305/5ed0700fff5f4b556c35c9c2/html5/thumbnails/19.jpg)
Let’s revisit that reachability example
Before adding links After
adding links
Permit B->C(Permit B->C) ∩(Permit A->C)
Internet
A
B
C
RSB->C
L = Ø !7/8/15 MSR 2015 Faculty Summit 19
![Page 20: Abstraction-Driven Network Verification and Design (a ... · Route Selection RIP OSPF A B C Prefix: 128.2.1/24 Hop-count: 5 Prefix: 128.2.1/24 Type: External 2 Cost: 100 RIP OSPF](https://reader033.fdocuments.in/reader033/viewer/2022042305/5ed0700fff5f4b556c35c9c2/html5/thumbnails/20.jpg)
Recent Advances in Static Network Analysis
• Boolean satisfiability formulation [Mai et al, Sigcomm’11]
• Header space analysis [Kazemian et al, Sigcomm’12]
• Fast algorithms [Yang and Lam, ICNP’13]
7/8/15 MSR 2015 Faculty Summit 20
![Page 21: Abstraction-Driven Network Verification and Design (a ... · Route Selection RIP OSPF A B C Prefix: 128.2.1/24 Hop-count: 5 Prefix: 128.2.1/24 Type: External 2 Cost: 100 RIP OSPF](https://reader033.fdocuments.in/reader033/viewer/2022042305/5ed0700fff5f4b556c35c9c2/html5/thumbnails/21.jpg)
Next goal: Design automation[Sung et al CoNext’10]
1. Abstract network-wide requirements of a design task – Correctness criteria for reachability control modeled as a
Reachability Matrix: each cell RS(i,j) defines precisely the required reachability set from (virtual) subnet i to j
2. Formulate optimization problems– Incorporate resource feasibility constraints
(e.g., router capacity for processing packet filter rules)
– Model explicitly operator strategies (e.g., to deploy a minimum number of filter rules)
3. Solve formulated problems– Obtain new packet filter placement algorithm
7/8/15 MSR 2015 Faculty Summit 21
![Page 22: Abstraction-Driven Network Verification and Design (a ... · Route Selection RIP OSPF A B C Prefix: 128.2.1/24 Hop-count: 5 Prefix: 128.2.1/24 Type: External 2 Cost: 100 RIP OSPF](https://reader033.fdocuments.in/reader033/viewer/2022042305/5ed0700fff5f4b556c35c9c2/html5/thumbnails/22.jpg)
Automated Packet Filter Placement• Intuition:
– To achieve RS(i, j), same filters must be replicated in an edge-cut-set (ECS) between gateways of the subnets• Correctness guaranteed
– Variety of heuristics possible based on design strategy which chooses particular ECS (minimizing total # of filters, balancing processing load, etc.)
All (i,j) edge-cut-sets
ECS1
ECS3
ECS5
ECS6
ECS4
ECS2
Strategy A
Strategy B
Strategy C
Strategy D
7/8/15 MSR 2015 Faculty Summit 22
![Page 23: Abstraction-Driven Network Verification and Design (a ... · Route Selection RIP OSPF A B C Prefix: 128.2.1/24 Hop-count: 5 Prefix: 128.2.1/24 Type: External 2 Cost: 100 RIP OSPF](https://reader033.fdocuments.in/reader033/viewer/2022042305/5ed0700fff5f4b556c35c9c2/html5/thumbnails/23.jpg)
Some Related Design Efforts
• Integrated design methodology[Sun and Xie, CoNext’13]
• Optimizing the “one big switch” abstraction[Kang et al, CoNext’13]
• Placement of middleboxes and NFVs[Anwer et al, SOSR’15]
7/8/15 MSR 2015 Faculty Summit 23
![Page 24: Abstraction-Driven Network Verification and Design (a ... · Route Selection RIP OSPF A B C Prefix: 128.2.1/24 Hop-count: 5 Prefix: 128.2.1/24 Type: External 2 Cost: 100 RIP OSPF](https://reader033.fdocuments.in/reader033/viewer/2022042305/5ed0700fff5f4b556c35c9c2/html5/thumbnails/24.jpg)
Conclusion
• A huge semantic gap exists between network service objectives and actions of individual protocols and nodes.– Software defined networking (SDN) doesn’t reduce service
objectives, while introducing a new type of nodes and diverse control apps
• Developing higher level abstractions may be key to containing this “curse of many knobs”.– E.g., Separation of correctness and performance concerns as in
traditional computer programming?
7/8/15 MSR 2015 Faculty Summit 24