Emerging Trends in Network Design and Verification

Slide Note
Embed
Share

Explore the evolution of network design from manual configurations to custom networks and software-defined solutions. Discover the challenges facing current networks and the potential for optimizing network performance through innovative approaches like P4 and SDNs. Delve into the intersection of digital hardware design and network automation, with a focus on formal methods that enhance testing, verification, and synthesis processes.

adrianna
adrianna Follow

Uploaded on Aug 21, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. VERIFICATION, SYNTHESIS, AND THE CREATIVE HABIT: COURSE REVIEW George Varghese 1

  2. Problem with Networks today Shortest Path D S Manual Configurations: Managers override default shortest paths for security, load balancing, and economic reasons Data Plane + Control Plane: Vendor-specific knobs in both Problem: Manually programming individual routers to implement global policy leads to cloud failures 2

  3. Networks Tomorrow Online services latency, cost sensitive Merchant Silicon Build your own router Rise of Data centers Software defined Networks (SDNs) Custom networks Program custom design routing P4 (next generation SDN) redefine hardware forwarding at runtime Opportunity to custom design networks to optimize goal. Potential simplifications but hard to get right

  4. Digital Hardware Design as Inspiration? Specification Specification Testbench & Vectors Functional Description (RTL) Policy Language, Semantics Testing Functional Verification Logical Synthesis Verification Synthesis Static Timing Performance verification? Network Topology Design Static checking (local checks) Place & Route Design Rule Checking (DRC) Layout vs Schematic (LVS) Parasitic Extraction Wiring Checkers Manufacture & Validate Dynamic checkers/ debuggers Interference estimation? Electronic Design Automation (McKeown SIGCOMM 2012) Network Design Automation (NDA)?

  5. This Courses Slice of NDA Specification Policy Language, Semantics Testing Verification Synthesis Won t discuss debugging, very little of run-time verification. Mostly interested in where formal methods can help

  6. This Courses Slice of NDA Specification CTL, NoD, Klee Assert Policy Language, Semantics Propane ATPG Testing Data Plane: Anteater, VeriFlow, HSA, Atomic Predicates, Control Plane: BatFish, rcc, ERA Verification (e.g. reachabilty) Synthesis (e.g. forwarding) Did: Propane Missing: One big switch, NetKAT, FlowLog Didn t discuss debugging, very little of run-time verification. Focus on applications of formal methods

  7. Road Map of Course Introduction to Networking & Formal Methods Data Plane Verification One counterexample All counterexamples Optimizations Adding Functionality Data Plane Testing Control Plane Testing and Synthesis

  8. Formal Methods Need to have: Examples: a modelling language for networks state machines, Datalog, HSA, ERA a specification language for correctness CTL, NoD, NetPlumber a system, data structures to encode program and data and a solver Hassel + Difference of Cubes, Atomic Predicates + BDDs

  9. Beware the Black Box Run time in seconds Model Checker SMT All Solutions NoD HSA Stanford Unreach 12.2 0.1 2.1 0.1 Stanford Reachable 13.7 1121 5.9 0.9 Stanford Loop 11.7 290 3.9 0.2 Cloud Time out Time out 15.7 - Cloud 2 8.5 Time out 4.8 - Atomic Predicates and use of Symmetries does even better

  10. Verification Tasks [Fayazbakhsh 15] Program types: ????????????: ?????? ??? ??? ?????????: ??? ?????? ????????? DP tasks for fixed snapshot of FIBS ? ?: ??????: (?,????????? ?,? ) CP verifiers for fixed configuration ? (Batfish) ?,?: (?,?????????(????????????(?,?),?))) CP verifiers for CP only as in ARC ?: (???????????? ?,? )

  11. Introduction to Formal Methods Data Plane Verification One counterexample All counterexamples Optimizations Adding Functionality Control Plane Testing and Synthesis DATA PLANE VERIFICATION: IF ONE COUNTEREXAMPLE SUFFICES

  12. Historically: Encode networks using existing verification engines [Xie05] Theoretical reachability algorithm [AlShaer09]: Model checking approach [Mai11]: SAT Based Anteater If 1 counterexample + small networks, reusing existing tools works fine. Only clever encoding

  13. Introduction to Formal Methods Data Plane Verification One counterexample All counterexamples Optimizations Adding Functionality Data Plane Testing Control Plane Testing and Synthesi DATA PLANE VERIFICATION: ALL COUNTEREXAMPLES

  14. Why all examples? Easier to see which rule caused counterexample. Easier to do incremental verification However, we have now gone from SAT to AllSAT which modern SAT solvers are not optimized for. Fortunately, we can exploit the domain structure to do quite well.

  15. All Solutions: Header Space [Kazemian 12] Step 1 - Model a packet, based on its header bits, as a point in {0,1}L space the Header Space Two abstractions: 1. All layers collapsed into a flat sequence of bits 2. Wildcards ignore header bits irrelevant to forwarding Two technical ideas: 1. Ternary Algebra 2. Difference of cubes Header 0xxxx0101xxx Data 01110011 1 L

  16. Introduction to Formal Methods Data Plane Verification One counterexample All counterexamples Optimizations Adding Functionality Data Plane Testing Control Plane Testing & Synthesis DATA PLANE VERIFICATION: OPTIMIZATIONS

  17. Scaling to Large Networks Exploit: Incrementality Only small parts of program change on rule change Equivalence Classes Number of header equivalence classes is small Symmetries Many rules and boxes are repeated (redundancy) [NetPlumber] [Atomic Predicates] [Plotkin 15]

  18. Exploiting incrementality: NetPlumber [Kazemian 13] S ... ... ... ... ? ... ... ... ... VERIFYING CHANGES BY SDN CONTROLLERS BEFORE THEY TAKE EFFECT 18

  19. Atomic Predicates Intuition [Yang 13] From run-time compression via Difference of cubes to precomputed compression via Ai Computes pairwise intersection of router and ACL guards to generate Ai using BDDs Then rewrites forwarding rules using a simple set of integer labels for each Symbolic propagation propagating sets of integers. Fast. No rule matching, less space Analog to MPLS versus IP forwarding!

  20. Exploiting Symmetry [Plotkin15] Symmetry Modularity Can exploit regularities in rules and topology (not headers): Symmetry Theorem: Can reduce fat tree to thin tree using a simulation and verify reachability cheaply in latter Modularity Theorem: reuse of parts of switching network

  21. Introduction to Formal Methods Data Plane Verification One counterexample All counterexamples Optimizations Adding Functionality Data Plane Testing Control Plane Verification Control Plane Testing Synthesis, Semantics DATA PLANE VERIFICATION: ADDING FUNCTIONALITY

  22. Improving Functionality Support for dynamic networks and imperfect specifications (NOD) HSA only static specifications, static routers Support for Quantities (Sung09) HSA only verifies Boolean properties. Did not do Support for Stateful boxes HSA does not handle stateful boxes like NAT etc. Work by Berkeley and CMU. Did not do.

  23. Dynamic Networks: Network Optimized Datalog [Lopes15] Classical model checking provides languages based on temporal logic to specify a variety of properties Header Space hard codes some properties Classical verification tools compute only 1 solution Datalog computes all but was inefficient. Had to redo Datalog engine. Datalog allows some dynamism. But for more have to model control plane a la Batfish Datalog nearly as fast as HSA but much more expressive Included in Z3. Being used to check Azure configurations

  24. Introduction to Formal Methods Data Plane Verification Data Plane Testing Control Plane Testing and Synthesis DATA PLANE TESTING

  25. Symbolic Execution Methods Want to push program to as many states as possible: maximize coverage Random (Fuzz testing) useful but can do better. Idea: Encode program as a decision tree. Try to cover all paths in decision tree. Conjunction of symbolic predicates for each path. Cover finding concrete solution via SMT.

  26. ATPG vs Klee [Zheng 13] Monitor the data plane by sending test packets. Maximum rule coverage (like Klee: rules lines) Minimize number of packets required (like Klee: packets test cases) Constraints on terminal ports and headers of test packets (unlike Klee) Once error is detected, localize it (unlike Klee more like tomography)

  27. Software Data Plane Verification [Dobrescu 14] Verifies actual code of Click software router. Checks for new physical bugs (e.g., crash freedom, loops) using symbolic testing. No path explosion: since router is a pipeline only compose potentially buggy path fragments Use verified data structures (no pointers). Tradeoff verification ease with runtime cost. Found bugs: e.g., IP option + fragmentation.

  28. Introduction to Formal Methods Data Plane Verification Data Plane Testing Control Plane Testing and Synthesis CONTROL PLANE TESTING

  29. Earlier Control Plane Work BGP Loops Possible [Govindan, Griffin-Wilfong] Sufficient Conditions for Avoiding Loops [Gao-Rexford] Route redistribution can cause loops [Le 2008] But based on human analysis and proofs. We studied tools for automated analysis

  30. Cellular Protocol Testing [Li et al] Cellular Control Plan but tests for protocol and implementation bugs not config bugs Modest checking via SPIN to suggest buggy use cases and experiments with phones and Qualcomm debugger to confirm Bugs in feature interaction (e.g., 3G to 4G) Config bugs in later papers! Similar to IP.

  31. Static Checking BGP Configs: RCC [Feamster 05] Checks BGP configs for path visibility, validity Example, route reflector configuration bugs Route r (not visible to all) Route s (visible to all)

  32. Testing Across Announcements [ERA] Batfish:symbolic simulation of 1 environment ERA looks for route reachability and computes a maximal announcement that finds bugs Seems to work to find an interesting set of bugs (backup equivalence, valley free etc) Bugs correspond almost 1-1 with data plane bugs (loops, blackholes) but for announcements

  33. Config Synthesis [Propane] New language for route preferences based on ordered regular expressions Regular expression state machine crossproduct with topology encode transitions with communities, LPs Regret freedom encodes choices that are oblivious to any failure. May be too strong.

  34. Config Verification [Minesweeper] Encodes stable path problem in SAT for routes and usual data plane reachability in SAT Uses a graph to encode the network to model redistribution, output & input filters etc. Optimizations like slicing and transferring prefix matching in CP to inequalities in DP. Scales but only 1 counterexample on failure

  35. LESSONS AND LOOKING BACK

  36. Research ideas? from research in real networks via exemplars 10* P1 1* P2 PREFIX MATCH 10010 IP Router 01A1A2 P1 . . . EXACT MATCH 01A1A2 MAC Bridge 5 P1,Pop 5 . . . INDEXED LOOKUP 5, 6 MPLS Switch ESSENTIAL INSIGHT FOR OPENFLOW. USE SAME INSIGHT IN HSA FOR UNDERSTANDING EXISTING PROTOCOLS. SIMILARLY MPLS ATOMIC PREDICATES 36

  37. Research ideas? from PL and Hardware Verification via exemplars Earlier Exemplar Network Verification Ternary Simulation, Symbolic Execution (Dill 01, Hardware) Header Space Analysis (HSA) Certified Development of an OS Sel4 [Klein 09] Correct by construction BGP Configs [Propane] Static Checkers for Programs [Lint] Static Checking for BGP (Feamster rcc ) Exploit Symmetry in Model Checking [Sistla] Exploit Symmetry in Data Center Verification (Plotkin15) Can choose either analysis of existing (e.g., Veriflow) or clean slate Approaches based on synthesis. Both have a place

  38. Exemplars: Food for thought? What are Network Verification analogs of: Abstract Interpretation (replacing complex state by a simple state) CEGAR (counterexample driven refinement) Interpolants Strong typing in Language Design Wiring checkers in Chip Design

  39. Scaling? Exploit Domain Structure Technique Structure exploited Header Space (HSA) Limited negation, no loops, small equivalence classes Net Plumber Network Graph, rule dependencies structure ATPG (Testing) Network graph limits size of state space compared to KLEE Symmetry Exploiting Known symmetries because of design (vs on logical structures) Scope for Interdisciplinary work between PL, Hardware CAD, Verification Community and Networking Researchers

  40. No Specifications? Use Beliefs Paper Example Beliefs Bugs as Deviant Behavior [Engler 01] Dereferencing Pointer P that could be NULL is a bug Routing Config Checker (RCC) [Feamster rcc] Routes from a Peer should not be re-advertised to another peer Network Optimized Datalog [NOD] Customer VMs should not be able to access router ports Batifsh Control Plane Testing Equal cost routes should have equivalent reachabiliyt

  41. Dont know how Leverage code SMT: Z3 BDD packages: (BuDDy) Model checking: SPIN, nuSmv/nuXmv Network Specific verification: Hassel, Veriflow, NoD, Atomic Predicates Datasets: Stanford, Cloud (NoD), Internet2 Symbolic Test Generation: KLEE, DART, SAGE Proof Assistants: Coq, Isabelle Known to be available for download

  42. Lessons Summarized 1. What research? Via exemplars from PL/HW 2. What research? Via exemplars from networks 3. Scaling? Exploit domain structure 4. Lack of specifications? Use Beliefs 5. Don t know how? Leverage available code 6. Network Design Automation? Learn from EDA

  43. Be Creative 1. Know your creative DNA. Build Teams 2. Harness your memory. Connect. Metaphor. 3. Ask Na ve Questions. 4. Scratch for ideas at the start. 5. Find a spine 6. Accidents will happen. Be open to new outcomes. 7. Use skill and persistence to finish the work!

  44. What made me happy 1. Each of your insights during discussions 2. Your performance in the test 3. The idea of using verification for business processes 4. Many of your other ideas. Will try and return with your finals.

  45. Conclusion Inflection Point: Rise of services, data centers, Software Defined Networks Ideas: Creatively adapt Verification ideas to domain Intellectual Opportunity: Rethink existing techniques exploiting domain structure Systems Opportunity Change way large operational networks are built Lot more than Verification and Formal Methods (have to add debugging, run-time checks etc.) but EDA suggests this is an Essential foundation 45

Related


Importance of Timely Verification in Care After Death

Importance of Timely Verification in Care After Death

willow
Program Verification via an Intermediate Verification Language

Program Verification via an Intermediate Verification Language

dee_ana
Integrated Verification and Repair in Control Plane

Integrated Verification and Repair in Control Plane

buddy
Comprehensive Solution for EU Digital COVID Certificate Verification

Comprehensive Solution for EU Digital COVID Certificate Verification

mall878
Formal Verification and Automata Abstraction in Esterel

Formal Verification and Automata Abstraction in Esterel

edelweiss
Overview of Program Verification Tools and Techniques

Overview of Program Verification Tools and Techniques

bowe_635
Introduction to UVM: Verification Methodologies Overview

Introduction to UVM: Verification Methodologies Overview

wtav
Comprehensive Overview of Fault Modeling and Fault Simulation in VLSI

Comprehensive Overview of Fault Modeling and Fault Simulation in VLSI

kaiy_2
DeepFace: Advancements in Face Verification Technology

DeepFace: Advancements in Face Verification Technology

mswen
Network Slicing with OAI 5G CN Workshop Overview

Network Slicing with OAI 5G CN Workshop Overview

justice
Verification Concepts Overview for Spring 2022 at Tufts University

Verification Concepts Overview for Spring 2022 at Tufts University

aren_ete
Criticisms and Defenses of Verification and Falsification Principles

Criticisms and Defenses of Verification and Falsification Principles

esmee
ICAO Strategic Objective: Economic Development of Air Transport Verification and Validation Overview

ICAO Strategic Objective: Economic Development of Air Transport Verification and Validation Overview

sbrig
SKA1 Low Assembly Integration & Verification Plan

SKA1 Low Assembly Integration & Verification Plan

aune_k
Electors Verification Programme Overview

Electors Verification Programme Overview

fionn
Software Bugs and Formal Verification in Critical Systems

Software Bugs and Formal Verification in Critical Systems

jama_ico
Formal Verification of Cyberphysical Systems and Future Certification Methods

Formal Verification of Cyberphysical Systems and Future Certification Methods

knox_roy
Gradual Program Verification and its Techniques

Gradual Program Verification and its Techniques

adi_sco
Automated Static Verification of Higher-order Functional Programs

Automated Static Verification of Higher-order Functional Programs

aaka860
Warning Verification and Scoring Guidelines in Weather Forecasting Workshop

Warning Verification and Scoring Guidelines in Weather Forecasting Workshop

mfouc
Updates on Accounting and Verification Activities in HN Groups

Updates on Accounting and Verification Activities in HN Groups

wiktoria
Verification Modulo Versions: Towards Usable Verification

Verification Modulo Versions: Towards Usable Verification

ekha
Understanding Emerging and Re-emerging Infectious Diseases

Understanding Emerging and Re-emerging Infectious Diseases

treasure
Prioritization of Emerging Contaminants in Europe

Prioritization of Emerging Contaminants in Europe

maddix

More Related Content