NetKAT f a t i c t r A * * C o m p l n t e t e e - PowerPoint PPT Presentation

1 Kulfi Robust Tra ffi c Engineering Using Semi-Oblivious Routing Praveen Kumar, Yang Yuan, Chris Yu, 
 Bobby Kleinberg, Robert Soulé, & Nate Foster Cornell, Carnegie Mellon, Microsoft Research, & Lugano

1 Kulfi Tastes great, no churn! Robust Tra ffi c Engineering Using Semi-Oblivious Routing Praveen Kumar, Yang Yuan, Chris Yu, 
 Bobby Kleinberg, Robert Soulé, & Nate Foster Cornell, Carnegie Mellon, Microsoft Research, & Lugano

2 NetKAT f a t i c t r A * * C o m p l n t e t e e A * t * s i W s E Event-Driven Network Programming n e I o l C D C l D L * o * e c P s u u e m E R e * o t n t y s * d e v d a E a l e t a u Pavol ˇ Probabilistic NetKAT Jedidiah McClurg Hossein Hojjat Nate Foster Cern´ y CU Boulder, USA Cornell University, USA Cornell University, USA CU Boulder, USA Nate Foster 1 , Dexter Kozen 1 , Konstantinos Mamouras 2 ∗ , jedidiah.mcclurg@colorado.edu hojjat@cornell.edu jnfoster@cs.cornell.edu pavol.cerny@colorado.edu Mark Reitblatt 3 ∗ , and Alexandra Silva 4 1 Cornell University 2 University of Pennsylvania Abstract execute on general-purpose machines. These programs re- arXiv:1507.07049v3 [cs.PL] 16 Apr 2016 3 Facebook act to events such as topology changes, traffic statistics, Software-defined networking (SDN) programs must simul- 4 University College London receipt of packets, etc. by modifying sets of forwarding taneously describe static forwarding behavior and dynamic rules installed on switches. SDN programs can implement updates in response to events. Event-driven updates are crit- a wide range of advanced network functionality including ical to get right, but difficult to implement correctly due to fine-grained access control [8], network virtualization [22], Abstract. This paper presents a new language for network program- the high degree of concurrency in networks. Existing SDN traffic engineering [15, 16], and many others. ming based on a probabilistic semantics. We extend the NetKAT lan- platforms offer weak guarantees that can break application Although the basic SDN model is simple, building so- guage with new primitives for expressing probabilistic behaviors and invariants, leading to problems such as dropped packets, enrich the semantics from one based on deterministic functions to one phisticated applications is challenging in practice. Pro- degraded performance, security violations, etc. This paper based on measurable functions on sets of packet histories. We establish grammers must keep track of numerous low-level details introduces event-driven consistent updates that are guaran- fundamental properties of the semantics, prove that it is a conservative such as encoding configurations into prioritized forwarding teed to preserve well-defined behaviors when transitioning extension of the deterministic semantics, show that it satisfies a number rules, processing concurrent events, managing asynchronous between configurations in response to events. We propose of natural equations, and develop a notion of approximation. We present events, dealing with unexpected failures, etc. To address case studies that show how the language can be used to model a diverse network event structures (NESs) to model constraints on these challenges, a number of domain-specific network pro- collection of scenarios drawn from real-world networks. updates, such as which events can be enabled simultane- gramming languages have been proposed [2, 10, 19, 21, 29, ously and causal dependencies between events. We define 31, 36, 37]. The details of these languages vary, but they all an extension of the NetKAT language with mutable state, offer higher-level abstractions for specifying behavior (e.g., 1 Introduction give semantics to stateful programs using NESs, and discuss using mathematical functions, boolean predicates, relational provably-correct strategies for implementing NESs in SDNs. operators, etc.), and rely on a compiler and run-time system Formal specification and verification of networks has become a reality in re- Finally, we evaluate our approach empirically, demonstrat- to generate and manage the underlying network state. cent years with the emergence of network-specific programming languages and ing that it gives well-defined consistency guarantees while Unfortunately, the languages that have been proposed so property-checking tools. Programming languages like Frenetic [11], Pyretic [36], avoiding expensive synchronization and packet buffering. far lack critical features that are needed to implement dy- Maple [52], FlowLog [38], and others are enabling programmers to specify the Categories and Subject Descriptors C.2.3 [ Computer- intended behavior of a network in terms of high-level constructs such as Boolean namic, event-driven applications. Static languages such as communication Networks ]: Network Operations—Network NetKAT [2] offer rich constructs for describing network con- predicates and functions on packets. Verification tools like Header Space Analy- Management; D.3.2 [ Programming Languages ]: Language figurations, but lack features for responding to events and sis [21], VeriFlow [22], and NetKAT [12] are making it possible to check properties Classifications—Specialized application languages; D.3.4 such as connectivity, loop freedom, and tra ffi c isolation automatically. maintaining internal state. Instead, programmers must write [ Programming Languages ]: Processors—Compilers a stateful program in a general-purpose language that gener- However, despite many notable advances, these frameworks all have a funda- ates a stream of NetKAT programs. Dynamic languages such mental limitation: they model network behavior in terms of deterministic packet- Keywords network update, consistent update, event struc- as FlowLog and Kinetic [21, 31] offer stateful programming processing functions. This approach works well enough in settings where the ture, software-defined networking, SDN, NetKAT models, but they do not specify how the network behaves network functionality is simple, or where the properties of interest only concern the forwarding paths used to carry tra ffi c. But it does not provide satisfactory while it is being reconfigured in response to state changes. 1. Introduction Abstractions such as consistent updates provide strong guar- accounts of more complicated situations that often arise in practice: Software-defined networking (SDN) allows network behav- antees during periods of reconfiguration [26, 33], but cur- ior to be specified using logically-centralized programs that – Congestion: the network operator wishes to calculate the expected degree rent realizations are limited to properties involving a single of congestion on each link given a model of the demands for tra ffi c. packet (or set of related packets, such as a unidirectional – Failure: the network operator wishes to calculate the probability that pack- flow). To implement correct dynamic SDN applications to- ets will be delivered to their destination, given that devices and links fail day, the most effective option is often to use low-level APIs, with a certain probability. forgoing the benefits of higher-level languages entirely. ∗ Work performed at Cornell University. Example: Stateful Firewall. To illustrate the challenges that arise when implementing dynamic applications, con- sider a topology where an internal host H 1 is connected to switch s 1 , an external host H 4 is connected to a switch s 4 , and switches s 1 and s 4 are connected to each other (see Fig- Event-Driven Network Programming 1 2016/4/19 [ESOP ’16] [PLDI ’16]