An Assertion Language for Debugging SDN Applications
Ryan Beckett, with X. Kelvin Zou, Shuyuan Zhang, Sharad Malik, Jennifer Rexford, David Walker
Princeton University
Data Plane Verification
[Figure: Controller and Data Plane Verifier]
• Find common misconfigurations
• Operate in real time
• Check fixed network properties
• Can report false positives during transitions
Stateful Firewall
[Figure: network with clients c1 and c2, server s1, nodes A and B, and a firewall state table (columns: client, server)]
Stateful Firewall
Firewall Property: “A server can only reach a client if the client has communicated with the server”
Stateful Firewall
State table: (c1, s1)
Firewall Property: reachable(s1, c1)
Stateful Firewall
State table: (c1, s1), (c2, s1)
Firewall Property: reachable(s1, c1) ∧ reachable(s1, c2)
Stateful Firewall
State table: (c1, s1), (c2, s1)
Firewall Property: ∀ (c, s) ∈ table, reachable(s, c)
Stateful Firewall
State table: (c1, s1), (c2, s1)
Firewall Property: ∀ c ∈ clients, ∀ s ∈ servers, reachable(s, c) ↔ (c, s) ∈ table

Stateful Firewall
State table: (c1, s1), (c2, s1)
Controller Code:
    assert_continuously(f)

    def packet_in(event):
        pkt = event.parsed
        if pkt.typ != eth.IP_TYP:
            return
        …
Stateful Firewall
State table: (no entries)
Controller Code:
    assert_continuously(f)
Stateful Firewall
State table: (c1, s1)
[Figure: rules r1 and r2 shown in the network]
Controller Code:
    assert_continuously(f)
Stateful Firewall
State table: (c1, s1)
[Figure: rules r1 and r2 shown in the network]
Controller Code:
    assert_continuously(f)
    stop(f)
    install(r1)
    install(r2)
    assert_continuously(f)
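Added example, not part of the original slides and not the authors' library: a toy Python model of the update sequence above, showing the transient alarm that stop(f) avoids. It assumes s1 can reach c1 only once both r1 and r2 are installed; ToyNetwork, firewall_property and run are hypothetical names.

```python
class ToyNetwork:
    """Toy model: method names mirror the slide, behaviour is assumed."""

    def __init__(self):
        self.rules = set()    # installed forwarding rules
        self.table = set()    # firewall state table of (client, server) pairs
        self.active = []      # assertions currently checked continuously
        self.alarms = []      # (triggering event, assertion name)

    def reachable(self, s, c):
        # Assumption: the path from s to c exists only with both rules installed.
        return {"r1", "r2"} <= self.rules

    def _check(self, event):
        for f in self.active:
            if not f(self):
                self.alarms.append((event, f.__name__))

    def assert_continuously(self, f):
        self.active.append(f)
        self._check("assert")

    def stop(self, f):
        self.active.remove(f)

    def install(self, rule):
        self.rules.add(rule)
        self._check("install " + rule)   # every data-plane change is re-verified


def firewall_property(net):
    # reachable(s1, c1) <-> (c1, s1) in table
    return net.reachable("s1", "c1") == (("c1", "s1") in net.table)


def run(pause_during_update):
    net = ToyNetwork()
    net.assert_continuously(firewall_property)  # holds: empty table, no path
    net.table.add(("c1", "s1"))                 # c1 has contacted s1
    if pause_during_update:
        net.stop(firewall_property)
    net.install("r1")                           # half-installed path
    net.install("r2")
    if pause_during_update:
        net.assert_continuously(firewall_property)
    return net.alarms
```

Without the pause the half-installed state after install("r1") raises one alarm even though the final configuration is correct; with stop(f) around the two installs no alarm is recorded.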
Design Overview
[Figure: architecture diagram built up over several slides. The first build shows a Controller passing a specification to the Data Plane Verifier. Later builds show four components: Controller, Assertion Library, Property Generator, Data Plane Verifier. Labelled flows across the builds: event, rule, state, assertion update, verification conditions, verification results, exception.]
Incremental Verification
• Change in data plane (existing tools handle this)
• Change in assertion property
• Incrementally generate new verification conditions
• Precompute and cache intermediate results
Firewall Property across the builds: reachable(s1, c1), then reachable(s1, c1) ∧ reachable(s1, c2)
Incremental Data Structure
Firewall Property: ∀ c ∈ clients, ∀ s ∈ servers, reachable(s, c) ↔ (c, s) ∈ table
[Figure: tree diagram built up over several slides. The root ∀ c branches on c = c1, c = c2 and, in later builds, c = c3; each branch leads to a ∀ s node that branches on s = s1 and, in later builds, s = s2; the leaves are True and False. One build shows the instantiated condition reachable(s1, c1) ↔ (c1, s1) ∈ table; another is annotated "Query data-plane verifier".]
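Added example, not from the slides or the authors' prototype: one way to keep a cached leaf per (c, s) pair and generate a verification condition (VC) only for leaves that are new or whose expected value changed. IncrementalAssertion, update, naive_vcs, violations and demo are hypothetical names, and the data plane is a constructed set of (server, client) pairs.

```python
from itertools import product

class IncrementalAssertion:
    """forall c in clients, forall s in servers: reachable(s, c) <-> (c, s) in table.
    Hypothetical class for illustration; one cached leaf per (c, s) pair."""

    def __init__(self):
        self.clients, self.servers, self.table = set(), set(), set()
        self.leaves = {}      # (c, s) -> expected reachability already issued as a VC
        self.vcs_issued = 0   # verification conditions generated so far

    def update(self, clients=(), servers=(), table_add=()):
        """Apply a state change; return only the new or changed VCs."""
        new_c = set(clients) - self.clients
        new_s = set(servers) - self.servers
        self.clients |= new_c
        self.servers |= new_s
        self.table |= set(table_add)
        # Only leaves under a new client, a new server or a new table entry can change.
        touched = (set(product(new_c, self.servers))
                   | set(product(self.clients, new_s)) | set(table_add))
        changed = []
        for c, s in sorted(touched):
            if c not in self.clients or s not in self.servers:
                continue
            expected = (c, s) in self.table
            if self.leaves.get((c, s)) != expected:   # new leaf or flipped value
                self.leaves[(c, s)] = expected
                changed.append((s, c, expected))
        self.vcs_issued += len(changed)
        return changed

    def naive_vcs(self):
        """VCs a full re-expansion of both quantifiers would generate now."""
        return len(self.clients) * len(self.servers)

def violations(assertion, reachable):
    """Compare each leaf with a data-plane snapshot given as (server, client) pairs."""
    return sorted((s, c) for (c, s), expected in assertion.leaves.items()
                  if ((s, c) in reachable) != expected)

def demo():
    """Constructed scenario: two clients, then c1 contacts s1, then c3 joins."""
    a, naive = IncrementalAssertion(), 0
    for change in ({"clients": {"c1", "c2"}, "servers": {"s1"}},
                   {"table_add": {("c1", "s1")}},
                   {"clients": {"c3"}}):
        a.update(**change)
        naive += a.naive_vcs()
    return a, naive
```

In the constructed scenario the incremental version generates 4 verification conditions where re-expanding both quantifiers after every change generates 7.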
Prototype Implementation
• Python assertion debugging library
• Support for Pyretic, Pox, Ryu
• Uses the VeriFlow verification tool
• Initial performance is promising
[Plot: Stateful Firewall (incremental vs naive); x-axis: active hosts (clients); y-axis: VC % Reduction]
Conclusion
• Assertions to verify dynamic properties
• Programmatic control over verification timing
• Incremental algorithm to verify dynamic assertion properties
• Prototype with reasonable performance