NetKATA Formal System for the Verification of Networks Dexter Kozen - PowerPoint PPT Presentation

NetKAT—A Formal System for the Verification of Networks Dexter Kozen Cornell University AutoMathA 2015 Leipzig 7 May 2015

NetKAT Collaborators Carolyn Jane Anderson, Nate Foster, Arjun Guha, Jean-Baptiste Jeannin, Dexter Kozen, Cole Schlesinger, and David Walker, NetKAT: Semantic Foundations for Networks. POPL 14. Nate Foster, Dexter Kozen, Matthew Milano, Alexandra Silva, and Laure Thompson, A Coalgebraic Decision Procedure for NetKAT. POPL 15.

Networking “The last bastion of mainframe computing” [Hamilton 2009] ◮ Modern computers ◮ implemented with commodity hardware ◮ programmed using general-purpose languages, standard interfaces ◮ Networks ◮ built and programmed the same way since the 1970s ◮ low-level, special-purpose devices implemented on custom hardware ◮ routers and switches that do little besides maintaining routing tables and forwarding packets ◮ configured locally using proprietary interfaces ◮ network configuration (“tuning”) largely a black art

Networking Ill-suited to modern data centers and cloud-based applications ◮ Difficult to implement end-to-end routing policies and optimizations that require a global perspective ◮ Difficult to extend with new functionality ◮ Effectively impossible to reason precisely about behavior

Software Defined Networks (SDN) Main idea behind SDN A general-purpose controller manages a collection of programmable switches ◮ controller can monitor and respond to network events ◮ new connections from hosts ◮ topology changes ◮ shifts in traffic load ◮ controller can reprogram the switches on the fly ◮ adjust routing tables ◮ change packet filtering policies

Software Defined Networks (SDN) Controller has a global view of the network Enables a wide variety of applications: ◮ standard applications ◮ shortest-path routing ◮ traffic monitoring ◮ access control ◮ more sophisticated applications ◮ load balancing ◮ intrusion detection ◮ fault tolerance

Software Defined Networks (SDN) “ In the SDN architecture, the control and data planes are decoupled, network intelligence and state are logically centralized, and the underlying network infrastructure is abstracted from the applications. As a result, en- terprises and carriers gain unprecedented programma- bility, automation, and network control, enabling them to build highly scalable, flexible networks that readily adapt to changing business needs. ” —Open Networking Foundation, Software-Defined Networking: The New Norm for Networks , 2012

OpenFlow A first step: the OpenFlow API [McKeown & al., SIGCOMM 08] ◮ specifies capabilities and behavior of switch hardware ◮ a language for manipulating network configurations ◮ very low-level: easy for hardware to implement, difficult for humans to write and reason about But. . . ◮ is platform independent ◮ provides an open standard that any vendor can implement

Network Programming Languages & Analysis Tools ◮ Formally Verifiable Networking [Wang & al., HotNets 09] ◮ FlowChecker [Al-Shaer & Saeed Al-Haj, SafeConfig 10] ◮ Anteater [Mai & al., SIGCOMM 11] ◮ Nettle [Voellmy & Hudak, PADL 11] ◮ Header Space Analysis [Kazemian & al., NSDI 12] ◮ Frenetic [Foster & al., ICFP 11] [Reitblatt & al., SIGCOMM 12] ◮ NetCore [Guha & al., PLDI 13] [Monsanto & al., POPL 12] ◮ Pyretic [Monsanto & al., NSDI 13] ◮ VeriFlow [Khurshid & al., NSDI 13] ◮ Participatory networking [Ferguson & al., SIGCOMM 13] ◮ Maple [Voellmy & al., SIGCOMM 13] Goals: ◮ raise the level of abstraction above hardware-based APIs (OpenFlow) ◮ make it easier to build sophisticated and reliable SDN applications and reason about them

Network Programming Languages & Analysis Tools • Formally Verifiable Networking [Wang & al., HotNets 09] • FlowChecker [Al-Shaer & Saeed Al-Haj, SafeConfig 10] • Anteater [Mai & al., SIGCOMM 11] • Nettle [Voellmy & Hudak, PADL 11] • Header Space Analysis [Kazemian & al., NSDI 12] ◮ Frenetic [Foster & al., ICFP 11] [Reitblatt & al., SIGCOMM 12] ◮ NetCore [Guha & al., PLDI 13] [Monsanto & al., POPL 12] • Pyretic [Monsanto & al., NSDI 13] • VeriFlow [Khurshid & al., NSDI 13] • Participatory networking [Ferguson & al., SIGCOMM 13] • Maple [Voellmy & al., SIGCOMM 13] Goals: • raise the level of abstraction above hardware-based APIs (OpenFlow) • make it easier to build sophisticated and reliable SDN applications and reason about them

NetKAT [Anderson & al. 14] NetKAT = Kleene algebra with tests (KAT) + additional specialized constructs particular to network topology and packet switching

Kleene Algebra (KA) (0 + 1(01 ∗ 0) ∗ 1) ∗ { multiples of 3 in binary } 1 0 1 0 0 1 ( ab ) ∗ a = a ( ba ) ∗ { a , aba , ababa , . . . } a b ( a + b ) ∗ = a ∗ ( ba ∗ ) ∗ { all strings over { a , b }} Stephen Cole Kleene a + b (1909–1994)

Foundations of the Algebraic Theory J. H. Conway. Regular Algebra and Finite Machines . Chapman and Hall, London, 1971. John Horton Conway (1937–)

Axioms of KA Idempotent Semiring Axioms p + ( q + r ) = ( p + q ) + r p ( qr ) = ( pq ) r p + q = q + p 1 p = p 1 = p p + 0 = p p 0 = 0 p = 0 p + p = p △ p ( q + r ) = pq + pr a ≤ b ⇐ ⇒ a + b = b ( p + q ) r = pr + qr Axioms for ∗ 1 + pp ∗ ≤ p ∗ q + px ≤ x ⇒ p ∗ q ≤ x q + xp ≤ x ⇒ qp ∗ ≤ x 1 + p ∗ p ≤ p ∗

Standard Model Regular sets of strings over Σ A + B = A ∪ B = { xy | x ∈ A , y ∈ B } AB A 0 ∪ A 1 ∪ A 2 ∪ · · · A ∗ � A n = = n ≥ 0 1 = { ε } 0 = ∅ This is the free KA on generators Σ

Relational Models Binary relations on a set X For R , S ⊆ X × X , R + S = R ∪ S RS = R ◦ S = { ( u , v ) | ∃ w ( u , w ) ∈ R , ( w , v ) ∈ S } R ∗ = reflexive transitive closure of R R 0 ∪ R 1 ∪ R 2 ∪ · · · � R n = = n ≥ 0 { ( u , u ) | u ∈ X } 1 = identity relation = 0 = ∅ KA is complete for the equational theory of relational models

Other Models ◮ Trace models used in semantics ◮ (min , +) algebra used in shortest path algorithms ◮ (max , · ) algebra used in coding ◮ Convex sets used in computational geometry (Iwano & Steiglitz 90)

Matrices over a KA form a KA � a � e � a + e � � � b f b + f + = c d g h c + g d + h � � � � � � a b e f ae + bg af + bh · = c d g h ce + dg cf + dh � 0 � 1 � � 0 0 0 = 1 = 0 0 0 1 � ( a + bd ∗ c ) ∗ � a � ∗ ( a + bd ∗ c ) ∗ bd ∗ � b = ( d + ca ∗ b ) ∗ ca ∗ ( d + ca ∗ b ) ∗ c d b a d c

Systems of Affine Linear Inequalities Theorem Any system of n linear inequalities in n unknowns has a unique least solution q 1 + p 11 x 1 + p 12 x 2 + · · · p 1 n x n ≤ x 1 . . . q n + p n 1 x 1 + p n 2 x 2 + · · · p nn x n ≤ x n q 1 x 1 x 1 q 2 x 2 x 2 . . . + P = p ij ≤ . . . . . . q n x n x n Least solution is P ∗ q

Kleene Algebra with Tests (KAT) ( K , B , + , · , ∗ , , 0 , 1), B ⊆ K ◮ ( K , + , · , ∗ , 0 , 1) is a Kleene algebra ◮ ( B , + , · , , 0 , 1) is a Boolean algebra ◮ ( B , + , · , 0 , 1) is a subalgebra of ( K , + , · , 0 , 1) ◮ p , q , r , . . . range over K ◮ a , b , c , . . . range over B

Kleene Algebra with Tests (KAT) + , · , 0 , 1 serve double duty ◮ applied to actions, denote choice, composition, fail, and skip, resp. ◮ applied to tests, denote disjunction, conjunction, falsity, and truth, resp. ◮ these usages do not conflict! bc = b ∧ c b + c = b ∨ c

Modeling While Programs △ p ; q = pq △ = bp + bq if b then p else q = ( bp ) ∗ b △ while b do p

KAT Subsumes Hoare Logic △ { b } p { c } ⇐ ⇒ bp ≤ pc ⇐ ⇒ bp = bpc ⇐ ⇒ bpc = 0 The Hoare while rule { bc } p { c } { c } while b do p { bc } becomes the universal Horn sentence bcpc = 0 ⇒ c ( bp ) ∗ bbc = 0

KAT Results Deductive Completeness and Complexity ◮ deductively complete over language, relational, and trace models ◮ subsumes propositional Hoare logic (PHL) ◮ deductively complete for all relationally valid Hoare-style rules { b 1 } p 1 { c 1 } , . . . , { b n } p n { c n } { b } p { c } ◮ decidable in PSPACE Applications ◮ protocol verification ◮ static analysis and abstract interpretation ◮ verification of compiler optimizations

Models of KAT ◮ Language-theoretic models ◮ K = sets of guarded strings over Σ , T ◮ B = free Boolean algebra generated by T ◮ Relational models ◮ K = binary relations on a set X ◮ B = subsets of the identity relation ◮ Trace models ◮ K = sets of traces s 0 p 0 s 1 p 1 s 2 · · · s n − 1 p n − 1 s n ◮ B = traces of length 0 ◮ n × n matrices over K , B

NetKAT

NetKAT ◮ a packet π is an assignment of constant values n to fields x ◮ a packet history is a nonempty sequence of packets π 1 :: π 2 :: · · · :: π k ◮ the head packet is π 1 NetKAT ◮ assignments x ← n assign constant value n to field x in the head packet ◮ tests x = n if value of field x in the head packet is n , then pass, else drop ◮ dup duplicate the head packet

NetKAT Example sw = 6 ; pt = 88 ; dest ← 10 . 0 . 0 . 1 ; pt ← 50 “For all packets incoming on port 88 of switch 6, set the destination IP address to 10.0.0.1 and send the packet out on port 50.”