nv a framework for modeling and verifying network
play

NV: A Framework for Modeling and Verifying Network Configurations - PowerPoint PPT Presentation

Sep 13, 2022 •691 likes •1.27k views

NV: A Framework for Modeling and Verifying Network Configurations LangSec 2020 David Walker Princeton University Collaborators Nick Giannarakis Devon Loehr Tim Thijm Ratul Mahajan Ryan Beckett Aarti Gupta (UW) (Microsoft) Language-Based

  1. NV: A Framework for Modeling and Verifying Network Configurations LangSec 2020 David Walker Princeton University

  2. Collaborators Nick Giannarakis Devon Loehr Tim Thijm Ratul Mahajan Ryan Beckett Aarti Gupta (UW) (Microsoft)

  3. Language-Based Security

  4. Language-Based Security for Networks

  5. Routing 101 Hoolie 𝑆 � “I can reach subnet X” “I can reach subnet X” 𝑆 � 𝑆 � 𝑆 � “I can reach subnet X” subnet X traffic Pied Piper

  6. An Example Route Hijack Hoolie subnet Y subnet X

  7. An Example Route Hijack Hoolie subnet Y subnet X

  8. An Example Route Hijack Pied Piper “I can reach subnet X” Hoolie subnet Y subnet X

  9. An Example Route Hijack Pied Piper Hoolie subnet Y subnet X

  10. This Kind of Thing Happens Too Often

  11. Why? Networks are: • Large (100K+ LOC) • Distributed • Low-level • Multiple vendors • Subject to failures Too much for humans to handle

  12. We need automated analysis! Generic Network Models To model the many ad hoc vendor languages in a uniform way [Griffin 2002, Sobrinho 2005] [SIGCOMM 2017, SIGCOMM 2018, PLDI 2020] Effective Abstractions and Efficient Algorithms To analyze these model at scale [POPL 2020, PLDI 2020]

  13. Network Models

  14. Routing Algebra [Griffin 2002, Sobrinho 2005] �𝑊 , 𝐹� 𝐔𝐩𝐪𝐩𝐦𝐩𝐡𝐳 : �𝑇 , ⊕ , 𝑔 , 𝑗𝑜𝑗𝑢� 𝐁𝐦𝐡𝐟𝐜𝐬𝐛 : set of routes initial route merge transfer S → 𝑇 → 𝑇 V → 𝑇 (protocol messages) E → 𝑇 → 𝑇 � select preferred route � Given an algebra, one can simulate it, looking for its solutions .

  15. Routing Example (Idealized BGP) (no route) S = { ∞ } U { ( preference , path , set of tags ) } ⊕ = “select the most preferred route” (route with higher preference, shorter path) 𝑔 (src,dst) = add src to path; adjust preference, tags according to configuration init = given by configuration

  16. Routing Example (Idealized BGP) messages S = { ∞ } U { ( preference , path , set of tags ) } 1. if attached(8075:30) 2. set localpref 200 1. if peer = R3 3. permit 2. add tag(8075:30) ∞ � 100, �𝑆 � � , � 8075: 30 �� 4. else 3. permit 5. default permit 𝑆 � 𝑆 � 𝑆 � 𝑆 � 𝑆 � � 100, �𝑆 � , 𝑆 � , 𝑆 � � , � 8075: 30 �� ∞ � 100, �𝑆 � , 𝑆 � � , ∅� ∞ � 100, �� , ∅� � 200, �𝑆 � , 𝑆 � � , � 8075: 30 �� � 200, �𝑆 � , 𝑆 � � , � 8075: 30 �� ⊕ � 100, �𝑆 � , 𝑆 � � , ∅� � 100, �𝑆 � � , ∅� ∞ ⊕ � 100, �𝑆 � � , ∅� ∞ Further propagation of routes causes no change? We have found a solution .

  17. Research Progress Cycle �𝑇 , ⊕ , 𝑔 , 𝑗𝑜𝑗𝑢� Iterate Research idea Evaluate 1 year prototype Cisco (IOS, NX ‐ OS) Juniper, Arista BGP, OSPF, ISIS, RIP, iBGP Route Reflectors, Redistribution, Conditional advertisement, aggregation, ACLs, MPLS, GRE, …

  18. NV: A Language for Modelling Networks Cisco NV Juniper Ryan Beckett Nick Giannarakis Devon Loehr (Microsoft) • ad hoc • standard • non ‐ uniform • uniform • compositional • non ‐ compositional • concise • complex • 23+ commands to set protocol fields • 1 command to get a record field

  19. NV Language idealized_bgp.nv let nodes = 5; let edges = { 1-2; 1-3; 2-4; 3-4; 4-5; } type route = {pref:int; len:int; orig:node; tags:int set} type message = option[route] let init n = if n = 1 then Some {pref=100; len=0; orig=1; tags=empty;} else None let f e m = let protocol m = {pref=m.pref; len=m.len + 1; orig=orig; tags=tags;} in let config e m = ... in m |> protocol |> config e let merge n m1 m2 = if is_preferred m1 m2 then m1 else m2

  20. NV Language idealized_bgp.nv let nodes = 5; let edges = { 1-2; 1-3; 2-4; 3-4; 4-5; } let init n = ... let f e m = ... let merge n m1 m2 = ... let sol = solution {init= init ; trans= f ; merge= merge ;} (* Does router R5 have a route to R1? *) let prop sol = match sol[5] with None –> false | Some {pref=_; len=_; orig=n; comm=_;} -> (n = 1) assert prop(sol);

  21. The Power of Language: Exploring New Models Iterate �𝑇 , ⊕ , 𝑔 , 𝑗𝑜𝑗𝑢� Success Research idea Implement Evaluate prototype prototype (NV)

  22. Recall: A BGP Hijack Pied piper Hoolie host 2 host 1

  23. Can Pied Piper Hijack Hoolie? Hoolie 𝑆 � 𝑆 � 𝑆 � 𝑆 � 𝑆 � 1. if peer = R6 2. pref := 200 𝑆 � 3. permit Pied Piper

  24. Can Pied Piper Hijack Hoolie? let nodes = 6 let edges = { 1-2; 1-3; 2-4; 3-4; 4-5; 6-2; } type route = {pref:int; len:int; orig:node; tags:int set} type message = option[route] symbolic u : route (* unknown route *) require u.orig = 6; let init n = if n = 6 then Some u else ... let f e m = let protocol m = ... in let config e m = match e with | 6~2 -> {pref=200; ... } | _ -> ... in m |> protocol |> config e assert prop(sol);

  25. Is Hoolie’s Network Fault Tolerant? Hoolie 𝑆 � 𝑆 � 𝑆 � 𝑆 � 𝑆 �

  26. Is Hoolie’s Network Fault Tolerant? Hoolie 𝑆 � 𝑆 � 𝑆 � 𝑆 � 𝑆 � duh ...

  27. Is Hoolie’s Network Fault Tolerant? let nodes = 5 let edges = { 1-2; 1-3; 2-4; 3-4; 4-5} type route = {pref:int; len:int; orig:node; tags:int set} type message = option[route] symbolic failure : edge (* the failed edge *) let f e m = let fail e m = if e = failure then None else m in let protocol m = ... in let config e m = ... in m |> fail e |> protocol |> config e assert prop(sol);

  28. Aside: Eliminating Symbolic Values type message = option[route] symbolic failure : edge let f e m = let fail e m = if e = failure then None else m in ... type message = dict[edge , option[route]] let f e m = let fail e m = mapif (fun e -> e = failure then None else m) m ...

  29. Aside: Eliminating Symbolic Values type message = option[route] symbolic failure : edge let f e m = let fail e m = if e = failure then None else m in ... type message = dict[edge, option[route]] let f e m = let fail e m = mapif (fun e -> e = failure) (fun m -> None) m ...

  30. More Realistic Networks type ospf = { ad : int; weight : int; areaType : int4; areaId : int;} type bgp = { ad : int; lp : int; aslen : int; comms : set[int16]; origin : int;} type rib_entry = { connected : option[edge]; static : option[edge]; ospf : option[ospf]; bgp : option[bgp]; selected : option[int2] } type prefixV4 = { ip : int32; len : int5; } type attribute = dict[prefixV4, rib_entry]

  31. NV Tools Cisco NV Juniper Z3 Simulation

  32. The Scalability Problem control plane simulation CBGP [Mai 2011] Batfish [Fogel 2015] control plane verification [Gember ‐ Jacobsen 2016] ARC 400 [Beckett 2017] Minesweeper Simulation time 350 300 (seconds) 250 32GB RAM 200 150 100 50 0 10,000 0 100 200 300 400 500 600 700 (Large modern data center) Datacenter Size (routers)

  33. The Scalability Problem (AWS) Software control plane simulation [Mai 2011] Network [Fogel 2015] control plane verification Cost [Gember ‐ Jacobsen 2016] ARC Storage [Beckett 2017] Minesweeper Compute Cloud growth by quarter (AWS) 2018 2009 Time 228x growth in networks in a decad

  34. Effective Abstractions & Efficient Algorithms

  35. Abstract Interpretation of Routing Algebras Aarti Ratul Ryan Mahajan Gupta Beckett Message Abstraction: asympototic improvements in time and space

  36. Abstract Interpretation of Routing Algebras Base Model Idealized BGP option[(preference, Abstract Model option[(preference, length, path, option[ tag abstraction ] origin, tag set)] tag set)] true, false, *

  37. Abstract Interpretation of Routing Algebras 1. if attached(8075:30) 2. set localpref 200 1. if peer = R3 3. permit 2. add tag(8075:30) None 4. else 3. permit 5. default permit 𝑆 � 𝑆 � 𝑆 � 𝑆 � 𝑆 � Some false None None None Property: Does R5 obtain any route?

  38. Abstract Interpretation of Routing Algebras 1. if attached(8075:30) 2. set localpref 200 1. if peer = R3 3. permit 2. add tag(8075:30) Some true 4. else 3. permit 5. default permit 𝑆 � 𝑆 � 𝑆 � 𝑆 � 𝑆 � Some false None None Some false Property: Does R5 obtain any route?

  39. Abstract Interpretation of Routing Algebras 1. if attached(8075:30) 2. set localpref 200 1. if peer = R3 3. permit 2. add tag(8075:30) Some true 4. else 3. permit 5. default permit 𝑆 � 𝑆 � 𝑆 � 𝑆 � 𝑆 � Some false (Some true) None ⊕ (Some false) = (Some *) Some false Property: Does R5 obtain any route?

  40. Abstract Interpretation of Routing Algebras 1. if attached(8075:30) 2. set localpref 200 1. if peer = R3 3. permit 2. add tag(8075:30) Some true 4. else 3. permit 5. default permit 𝑆 � 𝑆 � 𝑆 � 𝑆 � 𝑆 � Some false (Some *) (Some *) Some false Property: Does R5 obtain any route?

  41. Abstract Interpretation of Routing Algebras 1. if attached(8075:30) 2. set localpref 200 1. if peer = R3 3. permit 2. add tag(8075:30) Some true 4. else 3. permit 5. default permit 𝑆 � 𝑆 � 𝑆 � 𝑆 � 𝑆 � Some false (Some *) (Some *) Some false Yes Property: Does R5 obtain any route?

  42. Example 2: Datacenter Simulation 𝑇 � Spine Routers (S) 𝐵 � 𝐵 � Aggregation Routers (A) 𝑈 � 𝑈 𝑈 � 𝑈 � 𝑈 𝑈 � � � Top-of-Rack Routers (T)

Recommend

Modeling a Large Data-Acquisition Network in a Simulation Framework Tommaso Colombo 1,2 Holger

Modeling a Large Data-Acquisition Network in a Simulation Framework Tommaso Colombo 1,2 Holger

1st IEEE Workshop on High-Performance Interconnectjon Networks towards the Exascale and Big-Data Era Chicago, 8 September 2015 Modeling a Large Data-Acquisition Network in a Simulation Framework Tommaso Colombo 1,2 Holger Frning 2 Pedro Javier

538 views • 24 slides
Elaborating and Verifying RBAC Policies Conforming with CobiT Framework Requirements Christophe

Elaborating and Verifying RBAC Policies Conforming with CobiT Framework Requirements Christophe

Third International Workshop on Requirements Engineering and Law (RELAW 10) - September 28 th 2010 Conceptualizing a Responsibility based Approach for Elaborating and Verifying RBAC Policies Conforming with CobiT Framework Requirements

429 views • 27 slides
Fast Variational Algorithms for Statistical Network Modeling and other network modeling advances

Fast Variational Algorithms for Statistical Network Modeling and other network modeling advances

Hierarchical ERG models Fast Variational Algorithms for Statistical Network Modeling and other network modeling advances David Hunter Michael Schweinberger Duy Vu Ruth Hummel Department of Statistics, Penn State University MURI meeting, Nov

521 views • 34 slides
Overview MAXENT-Modeling: A framework for Discrete MAXENT-Models and RMs IRT-Modeling?

Overview MAXENT-Modeling: A framework for Discrete MAXENT-Models and RMs IRT-Modeling?

Overview MAXENT-Modeling: A framework for Discrete MAXENT-Models and RMs IRT-Modeling? Conceptual foundation and relationships of the MAXENT-framework The canonical MAXENT-distribution is structurally similar to Dipl.-Psych. Georg

366 views • 7 slides
Modeling Testing Evaluating 100 c c 90 Network latency (cycles) 80 Input c c Expect?

Modeling Testing Evaluating 100 c c 90 Network latency (cycles) 80 Input c c Expect?

PyOCN: A Unified Framework for Modeling, Testing, and Evaluating On-Chip Networks Modeling Testing Evaluating 100 c c 90 Network latency (cycles) 80 Input c c Expect? 70 R 60 c c 50 40 c c 30 20 10 Functional-Level Unit 0

563 views • 20 slides
The Matrix: An Agent-Based Modeling Framework for Data Intensive Simulations P. Bhattacharya 1 ,

The Matrix: An Agent-Based Modeling Framework for Data Intensive Simulations P. Bhattacharya 1 ,

The Matrix: An Agent-Based Modeling Framework for Data Intensive Simulations P. Bhattacharya 1 , S. Ekanayake 3 , C. J. Kuhlman 1 , C. Lebiere 2 , D. Morrison 2 , S. Swarup 1 , M. L. Wilson 1 , and M. G. Orr 1 1 Network Systems Science and Advanced

702 views • 17 slides
An Integrated Electric Power Supply Chain and Fuel Market Network Framework: Theoretical Modeling

An Integrated Electric Power Supply Chain and Fuel Market Network Framework: Theoretical Modeling

Introduction Literature Review Integrated Electric Power Supply Chains Empirical Examples Conclusions An Integrated Electric Power Supply Chain and Fuel Market Network Framework: Theoretical Modeling with Empirical Analysis for New England

705 views • 66 slides
An Integrated Electric Power Supply Chain and Fuel Market Network Framework: Theoretical Modeling

An Integrated Electric Power Supply Chain and Fuel Market Network Framework: Theoretical Modeling

Introduction Literature Review Integrated Electric Power Supply Chains Empirical Examples Conclusions An Integrated Electric Power Supply Chain and Fuel Market Network Framework: Theoretical Modeling with Empirical Analysis for New England

978 views • 60 slides
Transformation of Protg Ontologies into the Eclipse Modeling Framework Deepak Sharma

Transformation of Protg Ontologies into the Eclipse Modeling Framework Deepak Sharma

Transformation of Protg Ontologies into the Eclipse Modeling Framework Deepak Sharma Division of Biomedical Informatics Mayo Clinic 1 Outline Motivation Eclipse Modeling Framework (EMF) EMF at work LexGrid Model & FMA

1.24k views • 104 slides
Verifying and enforcing network paths with ICING Jad Naous , Michael Walfish, Antonio Nicolosi,

Verifying and enforcing network paths with ICING Jad Naous , Michael Walfish, Antonio Nicolosi,

Verifying and enforcing network paths with ICING Jad Naous , Michael Walfish, Antonio Nicolosi, David Mazires, Michael Miller, and Arun Seehra 1 Today: New protocol for every feature Remote VPN, Private WANs, Specifying QoS, Firewalls,

581 views • 38 slides
Verifying the Adaptation Behavior of Embedded Systems Klaus Schneider 1 Tobias Schuele 1 Mario

Verifying the Adaptation Behavior of Embedded Systems Klaus Schneider 1 Tobias Schuele 1 Mario

Introduction Modeling Adaptation Behavior Verifying Adaptation Behavior Tool Demonstration Summary and Conclusion Verifying the Adaptation Behavior of Embedded Systems Klaus Schneider 1 Tobias Schuele 1 Mario Trapp 2 1 Reactive Systems Group,

438 views • 14 slides
High Performance Network Modeling in the US Army Mobile Network Modeling Institute (MNMI) Ken

High Performance Network Modeling in the US Army Mobile Network Modeling Institute (MNMI) Ken

U.S. Army Research, Development and Engineering Command High Performance Network Modeling in the US Army Mobile Network Modeling Institute (MNMI) Ken Renard US Army Research Lab COMBINE 11 Sept 2012 Institute Objectives Develop

270 views • 14 slides
The Bayesian Network Framework 89 / 384 The network formalism, informal A Bayesian network

The Bayesian Network Framework 89 / 384 The network formalism, informal A Bayesian network

Chapter 4: The Bayesian Network Framework 89 / 384 The network formalism, informal A Bayesian network combines two types of domain knowledge to represent a joint probability distribution: qualitative knowledge: a (minimal) directed I-map

1.63k views • 134 slides
Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of Computer Science University of Texas at Austin mihir@cs.utexas.edu 10 November, 2017 1/34 Outline Motivation and related work Our approach

681 views • 34 slides
Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of Computer Science University of Texas at Austin mihir@cs.utexas.edu 09 March, 2017 Overview 1. Why we need a verified filesystem 2. Our approach

514 views • 29 slides
ABC: A Cryptocurrency-Focused Threat Modeling Framework Ghada Almashaqbeh 1 , Allison Bishop 1,2 ,

ABC: A Cryptocurrency-Focused Threat Modeling Framework Ghada Almashaqbeh 1 , Allison Bishop 1,2 ,

ABC: A Cryptocurrency-Focused Threat Modeling Framework Ghada Almashaqbeh 1 , Allison Bishop 1,2 , Justin Cappos 3 1 Columbia, 2 Proof Trading, 3 NYU CryBlock 2019, Paris, France Outline Background. Motivation. The ABC framework.

1.25k views • 26 slides
Modeling Dynamic Network Modeling Dynamic Network Systems with State-Contingent Penalty

Modeling Dynamic Network Modeling Dynamic Network Systems with State-Contingent Penalty

Modeling Dynamic Network Modeling Dynamic Network Systems with State-Contingent Penalty Functions Penalty Functions Richard Howitt, Kristiana Hansen University of California Davis & Universite de Louvain University of California, Davis

440 views • 32 slides
A DYNAMIC BAYESIAN BELIEF NETWORK APPROACH FOR MODELING THE ATM NETWORK DELAYS Yi it Bekir

A DYNAMIC BAYESIAN BELIEF NETWORK APPROACH FOR MODELING THE ATM NETWORK DELAYS Yi it Bekir

A DYNAMIC BAYESIAN BELIEF NETWORK APPROACH FOR MODELING THE ATM NETWORK DELAYS Yi it Bekir Kaya Data Science Researcher at CAL, Aeronautics Graduate Student Prof. Gkhan nalhan Director of CAL Istanbul Technical University Controls

715 views • 67 slides
Towards Verifying Cyber- Physical Systems with Structural Dynamism Dagstuhl Seminar 11441-1

Towards Verifying Cyber- Physical Systems with Structural Dynamism Dagstuhl Seminar 11441-1

Towards Verifying Cyber- Physical Systems with Structural Dynamism Dagstuhl Seminar 11441-1 Science and Engineering of Cyber-Physical Systems, 02.11.2011 Holger Giese and Basil Becker System Analysis & Modeling Group, Hasso Plattner

222 views • 8 slides
Framework for G.709 Optical Transport Network (OTN) draft-ietf-ccamp-gmpls-g709-framework-05

Framework for G.709 Optical Transport Network (OTN) draft-ietf-ccamp-gmpls-g709-framework-05

Framework for G.709 Optical Transport Network (OTN) draft-ietf-ccamp-gmpls-g709-framework-05 CCAMP WG, IETF 82 nd Taipei Content of the drafts Informative overview of the OTN layer network Connection management in OTN GMPLS and PCE

580 views • 12 slides
The Role of NHDPlus as a Geospatial Framework for USGS SPARROW Modeling John Brakebill, USGS

The Role of NHDPlus as a Geospatial Framework for USGS SPARROW Modeling John Brakebill, USGS

The Role of NHDPlus as a Geospatial Framework for USGS SPARROW Modeling John Brakebill, USGS NAWQA Program September 24, 2015 1) SPARROW Background, Required Framework 2) Spatial Data Referencing Thanks : Greg Schwarz, Steve Preston, Craig

662 views • 26 slides
In this class ! Gephi (visualization and basic network metrics) ! NetLogo (modeling network

In this class ! Gephi (visualization and basic network metrics) ! NetLogo (modeling network

SNA L1B: software tools Lada Adamic In this class ! Gephi (visualization and basic network metrics) ! NetLogo (modeling network dynamics) ! iGraph (for programming assignments) Alternatives (User friendly) ! Pajek ! http://pajek.imfm.si/doku.php

623 views • 8 slides
Verifying Deadlock Freedom Duy-Khanh LE , Wei-Ngan CHIN, Yong-Meng TEO {leduykha,chinwn,teoym}

Verifying Deadlock Freedom Duy-Khanh LE , Wei-Ngan CHIN, Yong-Meng TEO {leduykha,chinwn,teoym}

An Expressive Framework for Verifying Deadlock Freedom Duy-Khanh LE , Wei-Ngan CHIN, Yong-Meng TEO {leduykha,chinwn,teoym} [at] comp.nus.edu.sg 11 th International Symposium on Automated Technology for Verification and Analysis (ATVA), Hanoi,

734 views • 42 slides
Self- -Verifying Verifying Self Self-Verifying * * Dining Philosophers Dining Philosophers

Self- -Verifying Verifying Self Self-Verifying * * Dining Philosophers Dining Philosophers

Self- -Verifying Verifying Self Self-Verifying * * Dining Philosophers Dining Philosophers Dining Philosophers Peter Welch and Neil Brown Peter Welch and Neil Brown School of Computing, University of Kent, UK School of Computing,

675 views • 44 slides

More recommend