Uploaded byaurojit
PPTX, PDF280 views

SNAPL Network Verification

New techniques are needed to verify networks that contain mutable middleboxes with evolving state. Modeling the behavior and data dependencies of middleboxes is challenging but important to capture their functionality. A scalable approach is to leverage the flow-parallel nature of middleboxes and use compositional verification to check connectivity properties between pairs of hosts by only analyzing the path between them. Specifying middleboxes at the right level of abstraction is also key to make verification tractable.

Embed presentation

Download to read offline
New Directions for Network Verification Aurojit Panda, Katerina Argyraki, Mooly Sagiv, Michael Schapira, Scott Shenker
Brief Summary of This Talk• Context: • Proliferation of network verification tools. • Build on assumption that the network state is immutable. • Immutable = Data packets do not change behavior of network • My point: • Many network elements have mutable state • Verifying mutable networks requires new techniques • Two technical challenges: Modeling and Scaling
Outline • Background on networks. • Background on network verification. • Verifying mutable networks.
Classical Networking Switch Switch Switch • Networks provide end-to-end connectivity. • Just contain host and switches. • All interesting processing at the hosts. Alice Bob TrentMallory Ted Stevens was right
Real Networks have Middleboxes! Firewall Proxy CacheSwitch Switch Switch Alice Bob TrentMallory • Security (firewalls, IDSs,…). • Performance (caches, load balancers,…). • New functionality (proxies,…).
Outline • Background on networks. • Background on network verification. • Verifying mutable networks.
Reachability Invariants • Focus on reachability invariants • Most important in practice, simple to state but already hard Balancer Firewall FirewallMallory S1 S2 Can S2 receive packets of type T from Mallory?Can S2 receive “infected” packets from Mallory?Can S2 receive packets from Mallory without a connection?
Abstractions for Invariants • Operators want to specify packet types using abstractions: • “infected” • from “authenticated user” • from a given application • How these types are determined in a network varies • Invariants should not depend on these details
Network Verification Today • Switches: Forwarding rules in switches. HSA, Veriflow, NetKAT, etc. • SDN Controller: Code generating these rules. Vericon, FlowLog, etc. • Firewalls: Verify firewall configuration. Fang, Margrave, etc.
Existing Assumptions/Limitations Switches • Limited computational model (rule-based forwarding). • Immutable, functionality only changes with new rules. • Limited set of invariants enforced by networks. Controllers • All state and actions are centralized. (Globally ordered) • Data plane itself is immutable. Firewalls • Treated as if they contain Immutable state. • Assume a particular (simple) computational model.
Outline • Background on networks. • Background on network verification. • Verifying mutable networks.
Verification of Mutable Networks • Naive approach • Verify a program equivalent to the entire network. • Feasibility is not clear • Large, proprietary code bases (Bro ~102K lines of code). • Scalability is crucial • Networks contain several 1000 middleboxes or more.
Modeling Middleboxes Classify Packet Update State Update Packet Forward Packet Determines what application sent a packet, etc. Complex, proprietary processing. Could be simple (remember packets) or complex (update many hash tables). Updating payload is complex (compression, etc.) Updating header is simple (fixed format). Always simple: forward or drop packets. Oracle: Specify data dependencies and outputs Forwarding Model: Specify Completely
Example Classify Packet Update State Update Packet Forward Packet Oracle: Specify data dependencies and outputs Forwarding Model: Specify Completely Outputs Is packet infected. Dependencies See all packets in connection (flow). if (packet.flow not in infected_connections) { forward (packet); } if (infected) { infected_connections.add(packet.flow) }
Scaling Verification • Middleboxes are “flow-parallel” • State is partitioned between “flows.” • This enables “compositional verification” • 30,000 middlebox networks verified in 5 minutes
Compositional Verification mbox mbox mbox mbox mbox mbox mbox mbox mbox mbox mbox mbox • Invariants talk about pairs of hosts. • When flow-parallel, need-only verify path.
Conclusion • Real networks: • Contain mutable middleboxes. • Used to enforce rich connectivity invariants. • Network verification needs to evolve to handle this. • Several challenges • Right level of abstraction for specifying middleboxes. • Scalability, by leveraging compositional verification. • Future: Tractability of verification. Some pictures taken from the Noun Project
Backup
Does State Mutation Matter Firewall • Do we even need to look at state evolution? • Check invariant for all possible states. • Approach used in tools like Margrave. • # of states is small (just whether connection established). • False positives, some states may never occur. Firewall a b Connection started by a to b. Requires a to send packet to b, and b to respond Can a packet from 'a' reach 'b'?

More Related Content

PDF
Context-Oriented Programming: Beyond Layers
byESUG
 
PPTX
Network Virtualization for Cloud Services Infrastructure
byShahryar Ali
 
PDF
Network Functions Virtualization Fundamentals
byDamien Magoni
 
PPTX
Outsourced database
byfaraz Safarpour
 
PDF
Ssl Accelerator Test Bench
byRijksoverheid
 
PPTX
High-speed, Reactive Microservices 2017
byRick Hightower
 
PDF
NoSQL Now! Webinar Series: Innovations in NoSQL Query Languages
byDATAVERSITY
 
PDF
Kubernetes - A Comprehensive Overview
byBob Killen
 
Context-Oriented Programming: Beyond Layers
byESUG
 
Network Virtualization for Cloud Services Infrastructure
byShahryar Ali
 
Network Functions Virtualization Fundamentals
byDamien Magoni
 
Outsourced database
byfaraz Safarpour
 
Ssl Accelerator Test Bench
byRijksoverheid
 
High-speed, Reactive Microservices 2017
byRick Hightower
 
NoSQL Now! Webinar Series: Innovations in NoSQL Query Languages
byDATAVERSITY
 
Kubernetes - A Comprehensive Overview
byBob Killen
 

What's hot

PDF
Netty Cookbook - Chapter 2
byTrieu Nguyen
 
PDF
Nova net-or-neutron-atlanta2014.pptx
bySomik Behera
 
PPTX
Migration off DSpace 1.8.2
bystuartayeates
 
PDF
Reflection
byMarcus Denker
 
PPTX
Reactive Java: Promises and Streams with Reakt (JavaOne talk 2016)
byRick Hightower
 
PPTX
Vert.x Event Driven Non Blocking Reactive Toolkit
byBrian S. Paskin
 
PPTX
Distributed tracing 101
byItiel Shwartz
 
PDF
Document Similarity with Cloud Computing
byBryan Bende
 
PPTX
OpenStack Swift In the Enterprise
byHostway|HOSTING
 
PDF
Strict-Data-Consistency-in-Distrbuted-Systems-With-Failures
bySlava Imeshev
 
PPT
Vulnerability Chaining; it’s all connected
byToby Kohlenberg
 
PPTX
Continuous Validation at Scale
byMirantis
 
ODP
PHP mysqlnd connection multiplexing plugin
byUlf Wendel
 
ODP
MySQL 5.7 Fabric: Introduction to High Availability and Sharding
byUlf Wendel
 
PDF
Training Slides: 202 - Monitoring & Troubleshooting
byContinuent
 
PPTX
An Introduction to FileCatalyst
byFileCatalyst
 
ODP
Polling Techniques, Ajax, protocol Switching from Http to Websocket standard ...
bySrikanth Reddy Pallerla
 
PPTX
semantic search
bySaikiranK15
 
Netty Cookbook - Chapter 2
byTrieu Nguyen
 
Nova net-or-neutron-atlanta2014.pptx
bySomik Behera
 
Migration off DSpace 1.8.2
bystuartayeates
 
Reflection
byMarcus Denker
 
Reactive Java: Promises and Streams with Reakt (JavaOne talk 2016)
byRick Hightower
 
Vert.x Event Driven Non Blocking Reactive Toolkit
byBrian S. Paskin
 
Distributed tracing 101
byItiel Shwartz
 
Document Similarity with Cloud Computing
byBryan Bende
 
OpenStack Swift In the Enterprise
byHostway|HOSTING
 
Strict-Data-Consistency-in-Distrbuted-Systems-With-Failures
bySlava Imeshev
 
Vulnerability Chaining; it’s all connected
byToby Kohlenberg
 
Continuous Validation at Scale
byMirantis
 
PHP mysqlnd connection multiplexing plugin
byUlf Wendel
 
MySQL 5.7 Fabric: Introduction to High Availability and Sharding
byUlf Wendel
 
Training Slides: 202 - Monitoring & Troubleshooting
byContinuent
 
An Introduction to FileCatalyst
byFileCatalyst
 
Polling Techniques, Ajax, protocol Switching from Http to Websocket standard ...
bySrikanth Reddy Pallerla
 
semantic search
bySaikiranK15
 

Similar to SNAPL Network Verification

PDF
VeriFlow: Verifying Network-Wide Invariants in Real Time
byOpen Networking Summits
 
PDF
Security Testing of Network Protocol Implementation
byIRJET Journal
 
PPTX
Uncovering Bugs in P4 Programs with Assertion-based Verification
byAJAY KHARAT
 
PDF
METHODS AND ALGORITHMS FOR ASSESSING COMPUTER NETWORK PERFORMANCE
byacijjournal
 
PDF
METHODS AND ALGORITHMS FOR ASSESSING COMPUTER NETWORK PERFORMANCE
byacijjournal
 
PDF
METHODS AND ALGORITHMS FOR ASSESSING COMPUTER NETWORK PERFORMANCE
byhannatettehj
 
PDF
METHODS AND ALGORITHMS FOR ASSESSING COMPUTER NETWORK PERFORMANCE
byacijjournal
 
PDF
Proof-based Verification of Software Defined Networks
byOpen Networking Summits
 
PDF
Specification and Verification of Contract-based Applications
byDavide Basile
 
PDF
overview.pdf
byDummy462374
 
DOCX
But is it Art(ificial Intelligence)?
byAlan Sardella
 
PDF
Lessons learned validating 60,000 pages of api documentation
byBob Binder
 
PDF
Modern multi-proposer consensus implementations
byFrançois Garillot
 
PDF
Formal Verification of Functional Code
byMartin Děcký
 
PDF
A VNF modeling approach for verification purposes
byIJECEIAES
 
PDF
Network Algorithmics 2nd Edition Varghese
byfatoyedudney
 
PDF
Consensus Algorithms: An Introduction & Analysis
byZak Cole
 
PPTX
Verigraph
byIben Rodriguez
 
PDF
KEY CONCEPTS FOR SCALABLE STATEFUL SERVICES
byMykola Novik
 
PDF
Ofer rivlin BGU - department seminar
byOfer Rivlin, CISSP
 
VeriFlow: Verifying Network-Wide Invariants in Real Time
byOpen Networking Summits
 
Security Testing of Network Protocol Implementation
byIRJET Journal
 
Uncovering Bugs in P4 Programs with Assertion-based Verification
byAJAY KHARAT
 
METHODS AND ALGORITHMS FOR ASSESSING COMPUTER NETWORK PERFORMANCE
byacijjournal
 
METHODS AND ALGORITHMS FOR ASSESSING COMPUTER NETWORK PERFORMANCE
byacijjournal
 
METHODS AND ALGORITHMS FOR ASSESSING COMPUTER NETWORK PERFORMANCE
byhannatettehj
 
METHODS AND ALGORITHMS FOR ASSESSING COMPUTER NETWORK PERFORMANCE
byacijjournal
 
Proof-based Verification of Software Defined Networks
byOpen Networking Summits
 
Specification and Verification of Contract-based Applications
byDavide Basile
 
overview.pdf
byDummy462374
 
But is it Art(ificial Intelligence)?
byAlan Sardella
 
Lessons learned validating 60,000 pages of api documentation
byBob Binder
 
Modern multi-proposer consensus implementations
byFrançois Garillot
 
Formal Verification of Functional Code
byMartin Děcký
 
A VNF modeling approach for verification purposes
byIJECEIAES
 
Network Algorithmics 2nd Edition Varghese
byfatoyedudney
 
Consensus Algorithms: An Introduction & Analysis
byZak Cole
 
Verigraph
byIben Rodriguez
 
KEY CONCEPTS FOR SCALABLE STATEFUL SERVICES
byMykola Novik
 
Ofer rivlin BGU - department seminar
byOfer Rivlin, CISSP
 

Recently uploaded

PDF
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
PPTX
Emancipatory Information Retrieval: Radically Reorienting Information Retriev...
byBhaskar Mitra
 
PDF
WCAG Analyzer Tools and Techniques for User-Friendly Websites
byAccessibility Analyzer
 
PDF
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
PPTX
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
PPTX
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
PPTX
Session 2 - Solving Unstructured & Complex Documents with UiPath IXP
byDianaGray10
 
PPTX
Building Agents in Microsoft Agent Framework.pptx
byUdaiappa Ramachandran
 
PDF
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Lab 1.5 - Sharing Secrets with GPG ~ 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
100 Insights After the 200th Issue of NewMind AI Journal
byNewMind AI
 
PDF
AI Powered Document Processing and Data Extraction
byRobert McDermott
 
PPTX
Technology Consulting _ by Slidesgo.pptx
byfh82277
 
PDF
CompTIA Cybersecurity Analyst (CySA+) CS0-003: Unit 5
byVICTOR MAESTRE RAMIREZ
 
PDF
What Is a Private LLM and Why Enterprises Need It
byAivada
 
PPTX
Gemini vs ChatGPT : Comparing Top AI Models
byDigicarrom
 
PDF
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
PPTX
UiPath Autonomous Agents | Building and Orchestrating Agents End-to-End
byUiPathCommunity
 
PPTX
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
PPTX
DYNAMICALLY.pptx good for the teachers or students to do seminars and for tea...
bympoorvika031
 
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
Emancipatory Information Retrieval: Radically Reorienting Information Retriev...
byBhaskar Mitra
 
WCAG Analyzer Tools and Techniques for User-Friendly Websites
byAccessibility Analyzer
 
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
Session 2 - Solving Unstructured & Complex Documents with UiPath IXP
byDianaGray10
 
Building Agents in Microsoft Agent Framework.pptx
byUdaiappa Ramachandran
 
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Lab 1.5 - Sharing Secrets with GPG ~ 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
100 Insights After the 200th Issue of NewMind AI Journal
byNewMind AI
 
AI Powered Document Processing and Data Extraction
byRobert McDermott
 
Technology Consulting _ by Slidesgo.pptx
byfh82277
 
CompTIA Cybersecurity Analyst (CySA+) CS0-003: Unit 5
byVICTOR MAESTRE RAMIREZ
 
What Is a Private LLM and Why Enterprises Need It
byAivada
 
Gemini vs ChatGPT : Comparing Top AI Models
byDigicarrom
 
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
UiPath Autonomous Agents | Building and Orchestrating Agents End-to-End
byUiPathCommunity
 
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
DYNAMICALLY.pptx good for the teachers or students to do seminars and for tea...
bympoorvika031
 

SNAPL Network Verification

  • 1.
    New Directions for NetworkVerification Aurojit Panda, Katerina Argyraki, Mooly Sagiv, Michael Schapira, Scott Shenker
  • 2.
    Brief Summary ofThis Talk• Context: • Proliferation of network verification tools. • Build on assumption that the network state is immutable. • Immutable = Data packets do not change behavior of network • My point: • Many network elements have mutable state • Verifying mutable networks requires new techniques • Two technical challenges: Modeling and Scaling
  • 3.
    Outline • Background onnetworks. • Background on network verification. • Verifying mutable networks.
  • 4.
    Classical Networking Switch Switch Switch • Networksprovide end-to-end connectivity. • Just contain host and switches. • All interesting processing at the hosts. Alice Bob TrentMallory Ted Stevens was right
  • 5.
    Real Networks have Middleboxes! Firewall ProxyCacheSwitch Switch Switch Alice Bob TrentMallory • Security (firewalls, IDSs,…). • Performance (caches, load balancers,…). • New functionality (proxies,…).
  • 6.
    Outline • Background onnetworks. • Background on network verification. • Verifying mutable networks.
  • 7.
    Reachability Invariants • Focuson reachability invariants • Most important in practice, simple to state but already hard Balancer Firewall FirewallMallory S1 S2 Can S2 receive packets of type T from Mallory?Can S2 receive “infected” packets from Mallory?Can S2 receive packets from Mallory without a connection?
  • 8.
    Abstractions for Invariants •Operators want to specify packet types using abstractions: • “infected” • from “authenticated user” • from a given application • How these types are determined in a network varies • Invariants should not depend on these details
  • 9.
    Network Verification Today • Switches:Forwarding rules in switches. HSA, Veriflow, NetKAT, etc. • SDN Controller: Code generating these rules. Vericon, FlowLog, etc. • Firewalls: Verify firewall configuration. Fang, Margrave, etc.
  • 10.
    Existing Assumptions/Limitations Switches • Limited computationalmodel (rule-based forwarding). • Immutable, functionality only changes with new rules. • Limited set of invariants enforced by networks. Controllers • All state and actions are centralized. (Globally ordered) • Data plane itself is immutable. Firewalls • Treated as if they contain Immutable state. • Assume a particular (simple) computational model.
  • 11.
    Outline • Background onnetworks. • Background on network verification. • Verifying mutable networks.
  • 12.
    Verification of Mutable Networks •Naive approach • Verify a program equivalent to the entire network. • Feasibility is not clear • Large, proprietary code bases (Bro ~102K lines of code). • Scalability is crucial • Networks contain several 1000 middleboxes or more.
  • 13.
    Modeling Middleboxes Classify Packet UpdateState Update Packet Forward Packet Determines what application sent a packet, etc. Complex, proprietary processing. Could be simple (remember packets) or complex (update many hash tables). Updating payload is complex (compression, etc.) Updating header is simple (fixed format). Always simple: forward or drop packets. Oracle: Specify data dependencies and outputs Forwarding Model: Specify Completely
  • 14.
    Example Classify Packet Update State UpdatePacket Forward Packet Oracle: Specify data dependencies and outputs Forwarding Model: Specify Completely Outputs Is packet infected. Dependencies See all packets in connection (flow). if (packet.flow not in infected_connections) { forward (packet); } if (infected) { infected_connections.add(packet.flow) }
  • 15.
    Scaling Verification • Middleboxes are“flow-parallel” • State is partitioned between “flows.” • This enables “compositional verification” • 30,000 middlebox networks verified in 5 minutes
  • 16.
    Compositional Verification mbox mbox mbox mbox mbox mbox mbox mbox mbox mbox mbox mbox • Invariantstalk about pairs of hosts. • When flow-parallel, need-only verify path.
  • 17.
    Conclusion • Real networks: •Contain mutable middleboxes. • Used to enforce rich connectivity invariants. • Network verification needs to evolve to handle this. • Several challenges • Right level of abstraction for specifying middleboxes. • Scalability, by leveraging compositional verification. • Future: Tractability of verification. Some pictures taken from the Noun Project
  • 18.
  • 19.
    Does State Mutation Matter Firewall •Do we even need to look at state evolution? • Check invariant for all possible states. • Approach used in tools like Margrave. • # of states is small (just whether connection established). • False positives, some states may never occur. Firewall a b Connection started by a to b. Requires a to send packet to b, and b to respond Can a packet from 'a' reach 'b'?

Editor's Notes

  • #3 Before we start brief summary so you don’t get bored Context: Lots of network verification tools, but assume networks are immutable. Motivation for this talk: really we are seeing mutable things, net. verification should move on.
  • #5 Traditional view of networks: series of tubes Contain hosts and switches; all interesting things happen at hosts. Cherished design principle for networking: End to End principle.
  • #6 Networks don’t just have hosts and switches, also have middleboxes. Add middleboxes to enhance functionality. Security, performance, new functions.
  • #7 Next, let us look at what has been happening in network verification. Lots of projects, looking at particular parts of the network.
  • #8 Reachability is important: networks connect computers. Specified as can some type of packet get between nodes. Some examples.
  • #9 Operators buy middleboxes so they can specify types at a high-level. Examples: infected, ... Hard to define (infected depends on the vendor), and don’t want operator to specify this exactly.
  • #10 Switches: build on fact that switches have simple computational model. SDN Controllers: popular in networking right now, don’t worry if you don’t know what this is. Firewalls: Popular earlier than the others, organizational policy focused there.
  • #11 All of these based on immutability. Even SDN controllers, the idea is that state is centralized and data plane is immutable. Problem: Does not hold for middleboxes, which are increasingly important from a networking perspective.
  • #12 Finally, challenges. All of the challenges traditionally associated with verification still hold. Here we look at more network oriented challenges.
  • #15 Need to model middleboxes so that We can verify reachability invariants Verification is tractable No false positives. Classification is hard and proprietary. Also how to verify classification identifies all X. Describe others Here is a division we came up with that seems to work for us.
  • #16 - An example of what something fits into this.
  • #17 Example of middlebox after this.
  • #18 Networks are large, much larger than is reasonable to verify in time. Accounting for mutation makes it even worse. Need to scale: we notice that state is already partitioned: allows for compositional verification.