![Page 1: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/1.jpg)
Verifying Reachability for Stateful Networks
Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott ShenkerUC Berkeley, MPI-SWS, TAU, ICSI
![Page 2: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/2.jpg)
Stateless vs Stateful NetworksStateless
• Packets forwarded based on static rules.
• Rules change slowly in response to:
• Changes in topology.
• Changes in policy.
![Page 3: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/3.jpg)
Stateless vs Stateful NetworksStateless Stateful
• Packets forwarded based on static rules.
• Rules change slowly in response to:
• Changes in topology.
• Changes in policy.
• Forwarding depends on rules and state.
![Page 4: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/4.jpg)
Stateless vs Stateful NetworksStateless Stateful
• Packets forwarded based on static rules.
• Rules change slowly in response to:
• Changes in topology.
• Changes in policy.
• Forwarding depends on rules and state.
• Rules change slowly (same as before).
![Page 5: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/5.jpg)
Stateless vs Stateful NetworksStateless Stateful
• Packets forwarded based on static rules.
• Rules change slowly in response to:
• Changes in topology.
• Changes in policy.
• Forwarding depends on rules and state.
• Rules change slowly (same as before).
• State changes at packet scales:
![Page 6: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/6.jpg)
Stateless vs Stateful NetworksStateless Stateful
• Packets forwarded based on static rules.
• Rules change slowly in response to:
• Changes in topology.
• Changes in policy.
• Forwarding depends on rules and state.
• Rules change slowly (same as before).
• State changes at packet scales:
• Every time a connection is established.
![Page 7: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/7.jpg)
Stateless vs Stateful NetworksStateless Stateful
• Packets forwarded based on static rules.
• Rules change slowly in response to:
• Changes in topology.
• Changes in policy.
• Forwarding depends on rules and state.
• Rules change slowly (same as before).
• State changes at packet scales:
• Every time a connection is established.
• Every time packet is forwarded.
![Page 8: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/8.jpg)
Why consider stateful networks?
![Page 9: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/9.jpg)
Networks are Increasingly Stateful
• Middleboxes: 1/3rd of all network devices in enterprises (SIGCOMM’12)
![Page 10: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/10.jpg)
Networks are Increasingly Stateful
• Middleboxes: 1/3rd of all network devices in enterprises (SIGCOMM’12)
• Network function virtualization: Simplifies NF deployment.
![Page 11: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/11.jpg)
Networks are Increasingly Stateful
• Middleboxes: 1/3rd of all network devices in enterprises (SIGCOMM’12)
• Network function virtualization: Simplifies NF deployment.
• Programmable switches (P4) also support state.
![Page 12: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/12.jpg)
Networks are Increasingly Stateful
• Middleboxes: 1/3rd of all network devices in enterprises (SIGCOMM’12)
• Network function virtualization: Simplifies NF deployment.
• Programmable switches (P4) also support state.
Not supported by most existing verification tools.
![Page 13: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/13.jpg)
State impacts invariants
![Page 14: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/14.jpg)
Invariants We Consider
• This work focuses on reachability and isolation invariants.
![Page 15: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/15.jpg)
Invariants We Consider
• This work focuses on reachability and isolation invariants.
• Can packets from host A reach host B?
![Page 16: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/16.jpg)
Invariants We Consider
• This work focuses on reachability and isolation invariants.
• Can packets from host A reach host B?
• But the addition of state raises some important issues:
![Page 17: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/17.jpg)
Invariants We Consider
• This work focuses on reachability and isolation invariants.
• Can packets from host A reach host B?
• But the addition of state raises some important issues:
• Invariants can include temporal aspects.
![Page 18: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/18.jpg)
Invariants We Consider
• This work focuses on reachability and isolation invariants.
• Can packets from host A reach host B?
• But the addition of state raises some important issues:
• Invariants can include temporal aspects.
• Might need to consider more than just packets.
![Page 19: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/19.jpg)
Temporal Invariants
Server 0
Server 1
User 0
User 1User 1 receives no packets from server 0
Standard Reachability
denyserver*user*
Stateful Firewall
![Page 20: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/20.jpg)
Temporal Invariants
Server 0
Server 1
User 0
User 1User 1 receives no packets from server 0
Standard Reachability Temporal Property
denyserver*user*
without initiating a connection
Stateful Firewall
![Page 21: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/21.jpg)
Consider Data Instead of Packets
Server 0
Server 1Firewall Cache
User 0
User 1
denyuser1server0
User 1 receives no packet from Server 0
![Page 22: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/22.jpg)
Consider Data Instead of Packets
Server 0
Server 1Firewall
Secret
Cache
User 0
User 1
denyuser1server0
User 1 receives no packet from Server 0
![Page 23: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/23.jpg)
Consider Data Instead of Packets
Server 0
Server 1Firewall
Secret
Secret
Cache
User 0
User 1
denyuser1server0
User 1 receives no packet from Server 0
![Page 24: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/24.jpg)
Consider Data Instead of Packets
Server 0
Server 1Firewall
Secret
Secret
Cache
User 0
User 1
denyuser1server0
Secret
User 1 receives no packet from Server 0
![Page 25: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/25.jpg)
Consider Data Instead of Packets
Server 0
Server 1Firewall
Secret
Secret
Cache
User 0
User 1
denyuser1server0
User 1 receives no data from Server 0
Secret
User 1 receives no packet from Server 0
![Page 26: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/26.jpg)
Roadmap
• Why stateful networks, and how does state affect invariants?
• Existing work on network verification.
• VMN: Our system for verifying networks with state.
• Scaling verification.
![Page 27: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/27.jpg)
Network Verification Today
• Switches and Controllers: Static forwarding rules in switches.
HSA, Veriflow, NetKAT, Vericon, FlowLog, etc.
![Page 28: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/28.jpg)
Network Verification Today
• Switches and Controllers: Static forwarding rules in switches.
HSA, Veriflow, NetKAT, Vericon, FlowLog, etc.
• Testing for networks with mutable datapaths
Buzz: Generate packets that are likely to trigger interesting behavior.
![Page 29: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/29.jpg)
Network Verification Today
• Switches and Controllers: Static forwarding rules in switches.
HSA, Veriflow, NetKAT, Vericon, FlowLog, etc.
• Testing for networks with mutable datapaths
Buzz: Generate packets that are likely to trigger interesting behavior.
• Verification for networks with mutable datapaths
SymNet: Uses symbolic execution, limited state and behaviors.
![Page 30: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/30.jpg)
Roadmap
• Why stateful networks, and how does state affect invariants?
• Existing work on network verification.
• VMN: Our system for verifying networks with state.
• Scaling verification.
![Page 31: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/31.jpg)
VMN: System for scalable verification of stateful networks.
![Page 32: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/32.jpg)
VMN FlowModel each middlebox in the network
Build network forwarding model
Invariant Holds Example of violation
Logical Invariants
SMT Solver (Z3 from MSR)
![Page 33: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/33.jpg)
VMN FlowModel each middlebox in the network
Build network forwarding model
Invariant Holds Example of violation
Logical Invariants
SMT Solver (Z3 from MSR)
![Page 34: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/34.jpg)
Modeling Middleboxes• One approach: Extract model from code
![Page 35: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/35.jpg)
Modeling Middleboxes• One approach: Extract model from code
• Problem: At the wrong level of abstraction.
![Page 36: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/36.jpg)
Modeling Middleboxes• One approach: Extract model from code
• Problem: At the wrong level of abstraction.
• Code written to match bit patterns in packet, etc.
![Page 37: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/37.jpg)
Modeling Middleboxes• One approach: Extract model from code
• Problem: At the wrong level of abstraction.
• Code written to match bit patterns in packet, etc.
• Configuration is in terms of higher level abstractions
![Page 38: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/38.jpg)
Modeling Middleboxes• One approach: Extract model from code
• Problem: At the wrong level of abstraction.
• Code written to match bit patterns in packet, etc.
• Configuration is in terms of higher level abstractions
• Example source and destination addresses, payload is infected, etc.
![Page 39: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/39.jpg)
Modeling Middleboxes• One approach: Extract model from code
• Problem: At the wrong level of abstraction.
• Code written to match bit patterns in packet, etc.
• Configuration is in terms of higher level abstractions
• Example source and destination addresses, payload is infected, etc.
• Verify invariants which are also expressed in these terms.
![Page 40: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/40.jpg)
Challenges When Modeling Middleboxes
• Example configuration:
![Page 41: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/41.jpg)
Challenges When Modeling Middleboxes
• Example configuration:
Drop all packets from connections transmitting infected files.
![Page 42: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/42.jpg)
Challenges When Modeling Middleboxes
• Example configuration:
Drop all packets from connections transmitting infected files.
• How to define infected files: large, growing set of bit patterns.
![Page 43: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/43.jpg)
Challenges When Modeling Middleboxes
• Example configuration:
Drop all packets from connections transmitting infected files.
• How to define infected files: large, growing set of bit patterns.
• Complexity of matching code prevents verification in even small networks.
![Page 44: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/44.jpg)
Modeling Middleboxes
![Page 45: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/45.jpg)
Modeling Middleboxes
Classify PacketDetermines what application sent a packet, etc. Complex, proprietary processing.
![Page 46: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/46.jpg)
Modeling Middleboxes
Classify Packet
Update Classification State
Determines what application sent a packet, etc. Complex, proprietary processing.
Update state required for classification.
![Page 47: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/47.jpg)
Modeling Middleboxes
Classify Packet
Update Classification State
Determines what application sent a packet, etc. Complex, proprietary processing.
Update state required for classification.
Update Forwarding State Update forwarding State.
![Page 48: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/48.jpg)
Modeling Middleboxes
Classify Packet
Update Classification State
Forward Packet
Determines what application sent a packet, etc. Complex, proprietary processing.
Update state required for classification.
Always simple: forward or drop packets.
Update Forwarding State Update forwarding State.
![Page 49: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/49.jpg)
Modeling Middleboxes
Classify Packet
Update Classification State
Forward Packet
Determines what application sent a packet, etc. Complex, proprietary processing.
Update state required for classification.
Always simple: forward or drop packets.
Oracle: Specify data dependencies and outputs
Update Forwarding State Update forwarding State.
![Page 50: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/50.jpg)
Modeling Middleboxes
Classify Packet
Update Classification State
Forward Packet
Determines what application sent a packet, etc. Complex, proprietary processing.
Update state required for classification.
Always simple: forward or drop packets.
Oracle: Specify data dependencies and outputs
Forwarding Model: Specify Completely
Update Forwarding State Update forwarding State.
![Page 51: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/51.jpg)
Modeling Middleboxes
Classify Packet
Forward Packet
Update Forwarding State
Update Classification State
![Page 52: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/52.jpg)
Modeling Middleboxes
Classify Packet
Forward Packet
Update Forwarding State
OutputsIs packet infected.
DependenciesSee all packets in connection (flow).
Update Classification State
![Page 53: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/53.jpg)
Modeling Middleboxes
Classify Packet
Forward Packet
Update Forwarding State
OutputsIs packet infected.
DependenciesSee all packets in connection (flow).
if (infected) { infected_connections.add(packet.flow) }
Update Classification State
![Page 54: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/54.jpg)
Modeling Middleboxes
Classify Packet
Forward Packet
Update Forwarding State
OutputsIs packet infected.
DependenciesSee all packets in connection (flow).
if (packet.flow not in infected_connections) { forward (packet); }
if (infected) { infected_connections.add(packet.flow) }
Update Classification State
![Page 55: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/55.jpg)
Sample Modelclass Firewall (acls: Set[(Address, Address)]) { abstract malicious(p: Packet): bool val tainted: Set[Address] def model (p: Packet) = { tainted.contains(p.src) => forward(Empty) acls.contains((p.src, p.dst)) => forward(Empty) malicious(p) => tainted.add(p.src); forward(Empty) _ => forward(Seq(p)) } }
![Page 56: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/56.jpg)
Sample Modelclass Firewall (acls: Set[(Address, Address)]) { abstract malicious(p: Packet): bool val tainted: Set[Address] def model (p: Packet) = { tainted.contains(p.src) => forward(Empty) acls.contains((p.src, p.dst)) => forward(Empty) malicious(p) => tainted.add(p.src); forward(Empty) _ => forward(Seq(p)) } }
Oracle
![Page 57: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/57.jpg)
Sample Modelclass Firewall (acls: Set[(Address, Address)]) { abstract malicious(p: Packet): bool val tainted: Set[Address] def model (p: Packet) = { tainted.contains(p.src) => forward(Empty) acls.contains((p.src, p.dst)) => forward(Empty) malicious(p) => tainted.add(p.src); forward(Empty) _ => forward(Seq(p)) } }
OracleState
![Page 58: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/58.jpg)
Sample Modelclass Firewall (acls: Set[(Address, Address)]) { abstract malicious(p: Packet): bool val tainted: Set[Address] def model (p: Packet) = { tainted.contains(p.src) => forward(Empty) acls.contains((p.src, p.dst)) => forward(Empty) malicious(p) => tainted.add(p.src); forward(Empty) _ => forward(Seq(p)) } }
OracleState
Forwarding Model
![Page 59: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/59.jpg)
Network Forwarding Model
• Builds on network transfer functions.
![Page 60: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/60.jpg)
Network Forwarding Model
• Builds on network transfer functions.
• Existing work from HSA, Veriflow, etc.
![Page 61: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/61.jpg)
Network Forwarding Model
• Builds on network transfer functions.
• Existing work from HSA, Veriflow, etc.
• Abstracts all switches and routers into one big switch.
![Page 62: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/62.jpg)
Network Forwarding Model
• Builds on network transfer functions.
• Existing work from HSA, Veriflow, etc.
• Abstracts all switches and routers into one big switch.
• Details in the paper.
![Page 63: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/63.jpg)
Roadmap
• Why consider stateful networks?
• The current state of stateful network verification?
• VMN: Our system for verifying networks with state.
• Scaling verification.
![Page 64: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/64.jpg)
Networks are Large• Networks are huge in practice
![Page 65: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/65.jpg)
Networks are Large• Networks are huge in practice
• For example Google had 900K machines (approximately) in 2011
![Page 66: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/66.jpg)
Networks are Large• Networks are huge in practice
• For example Google had 900K machines (approximately) in 2011
• ISPs connect large numbers of machines.
![Page 67: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/67.jpg)
Networks are Large• Networks are huge in practice
• For example Google had 900K machines (approximately) in 2011
• ISPs connect large numbers of machines.
• Lots of middleboxes in these networks
![Page 68: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/68.jpg)
Networks are Large• Networks are huge in practice
• For example Google had 900K machines (approximately) in 2011
• ISPs connect large numbers of machines.
• Lots of middleboxes in these networks
• In datacenter each machine might be one or more middlebox.
![Page 69: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/69.jpg)
Networks are Large• Networks are huge in practice
• For example Google had 900K machines (approximately) in 2011
• ISPs connect large numbers of machines.
• Lots of middleboxes in these networks
• In datacenter each machine might be one or more middlebox.
• How do we address this?
![Page 70: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/70.jpg)
Scaling Techniques Thus Far
• Abstract middlebox models
![Page 71: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/71.jpg)
Scaling Techniques Thus Far
• Abstract middlebox models
• Simplify what needs to be considered per-middlebox.
![Page 72: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/72.jpg)
Scaling Techniques Thus Far
• Abstract middlebox models
• Simplify what needs to be considered per-middlebox.
• Abstract network
![Page 73: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/73.jpg)
Scaling Techniques Thus Far
• Abstract middlebox models
• Simplify what needs to be considered per-middlebox.
• Abstract network
• Simplify network forwarding.
![Page 74: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/74.jpg)
Those Techniques are not Enough
• TACAS 2016: Network verification with state is EXPSPACE-complete.
![Page 75: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/75.jpg)
Those Techniques are not Enough
• TACAS 2016: Network verification with state is EXPSPACE-complete.
• Practically for us SMT solvers timeout with large instances.
![Page 76: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/76.jpg)
Those Techniques are not Enough
• TACAS 2016: Network verification with state is EXPSPACE-complete.
• Practically for us SMT solvers timeout with large instances.
• Other methods also do not handle such large instances
• Symbolic execution is exponential in number of branches, not better.
![Page 77: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/77.jpg)
Those Techniques are not Enough
• TACAS 2016: Network verification with state is EXPSPACE-complete.
• Practically for us SMT solvers timeout with large instances.
• Other methods also do not handle such large instances
• Symbolic execution is exponential in number of branches, not better.
• Our techniques work for small instances, what to do about large instances?
![Page 78: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/78.jpg)
Scaling Verification
• Two techniques: Slicing and symmetry.
![Page 79: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/79.jpg)
Scaling Verification
• Two techniques: Slicing and symmetry.
• Slicing: Run verification on a subnetwork of size independent of network.
![Page 80: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/80.jpg)
Scaling Verification
• Two techniques: Slicing and symmetry.
• Slicing: Run verification on a subnetwork of size independent of network.
• Symmetry: Reduce number of invariants to verify by leveraging symmetry in policy.
![Page 81: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/81.jpg)
Network Slices
• Slices: Subnetworks for which a bisimulation with the original network exists.
• Ensures equivalent step in subnetwork for each step in the original network
• Slices are selected depending on the invariant being checked.
![Page 82: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/82.jpg)
Network SlicesACME Hosting
Willie E Coyote
Road RunnerFirewall
Cache
SylvesterTweety
Firewallpredator 6$ prey server
prey 6$ predator server
![Page 83: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/83.jpg)
Network SlicesACME Hosting
Willie E Coyote
Road RunnerFirewall
Cache
SylvesterTweety
Firewallpredator 6$ prey server
prey 6$ predator server
Invariant: RR cannot access data from Coyote’s server
![Page 84: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/84.jpg)
Network SlicesACME Hosting
Willie E Coyote
Road RunnerFirewall
Cache
SylvesterTweety
Firewallpredator 6$ prey server
prey 6$ predator server
Invariant: RR cannot access data from Coyote’s server
Willie E Coyote
![Page 85: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/85.jpg)
Network SlicesACME Hosting
Willie E Coyote
Road RunnerFirewall
Cache
SylvesterTweety
Firewallpredator 6$ prey server
prey 6$ predator server
Invariant: RR cannot access data from Coyote’s server
Willie E CoyoteFirewall
Cache
![Page 86: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/86.jpg)
Network SlicesACME Hosting
Willie E Coyote
Road RunnerFirewall
Cache
SylvesterTweety
Firewallpredator 6$ prey server
prey 6$ predator server
Invariant: RR cannot access data from Coyote’s server
Willie E CoyoteFirewall
Cache
![Page 87: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/87.jpg)
Network SlicesACME Hosting
Willie E Coyote
Road RunnerFirewall
Cache
SylvesterTweety
Firewallpredator 6$ prey server
prey 6$ predator server
Invariant: RR cannot access data from Coyote’s server
Willie E CoyoteFirewall
Cache
Establishes a bisimulation between slice and network.Allows us to prove invariants in the slice.
![Page 88: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/88.jpg)
Cannot always find such a slice.
![Page 89: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/89.jpg)
Finding Slices
• Flow parallel middleboxes - partition network by flows.
• Origin agnostic middleboxes - partition network by policy equivalence class.
• Details in paper.
![Page 90: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/90.jpg)
Evaluation Setup: Datacenter• Consider AWS like multi-tenant datacenter.
![Page 91: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/91.jpg)
Evaluation Setup: Datacenter• Consider AWS like multi-tenant datacenter.
• Each tenant has policies for private and public hosts.
![Page 92: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/92.jpg)
Evaluation Setup: Datacenter• Consider AWS like multi-tenant datacenter.
• Each tenant has policies for private and public hosts.
• Three verification tasks
![Page 93: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/93.jpg)
Evaluation Setup: Datacenter• Consider AWS like multi-tenant datacenter.
• Each tenant has policies for private and public hosts.
• Three verification tasks
• Private hosts for one tenant cannot reach another
![Page 94: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/94.jpg)
Evaluation Setup: Datacenter• Consider AWS like multi-tenant datacenter.
• Each tenant has policies for private and public hosts.
• Three verification tasks
• Private hosts for one tenant cannot reach another
• Public host for one tenant cannot reach private hosts for another
![Page 95: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/95.jpg)
Evaluation Setup: Datacenter• Consider AWS like multi-tenant datacenter.
• Each tenant has policies for private and public hosts.
• Three verification tasks
• Private hosts for one tenant cannot reach another
• Public host for one tenant cannot reach private hosts for another
• Public hosts are universally reachable.
![Page 96: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/96.jpg)
Verification Time (Datacenter)
0.01
0.1
1
10
100
1000
10000
100000
Slice 5 10 15 20
Tim
e (S
)
# of Tenants
Priv-Priv Pub-Priv Priv-Pub
![Page 97: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/97.jpg)
Verification Time (Datacenter)
0.01
0.1
1
10
100
1000
10000
100000
Slice 5 10 15 20
Tim
e (S
)
# of Tenants
Priv-Priv Pub-Priv Priv-Pub
![Page 98: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/98.jpg)
Role of Symmetry• Consider a private datacenter
![Page 99: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/99.jpg)
Role of Symmetry• Consider a private datacenter
• Use verification to prevent some bugs from a Microsoft DC (IMC 2013)
![Page 100: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/100.jpg)
Role of Symmetry• Consider a private datacenter
• Use verification to prevent some bugs from a Microsoft DC (IMC 2013)
• Bugs include
![Page 101: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/101.jpg)
Role of Symmetry• Consider a private datacenter
• Use verification to prevent some bugs from a Microsoft DC (IMC 2013)
• Bugs include
• Misconfigured firewalls
![Page 102: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/102.jpg)
Role of Symmetry• Consider a private datacenter
• Use verification to prevent some bugs from a Microsoft DC (IMC 2013)
• Bugs include
• Misconfigured firewalls
• Misconfigured redundant firewalls
![Page 103: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/103.jpg)
Role of Symmetry• Consider a private datacenter
• Use verification to prevent some bugs from a Microsoft DC (IMC 2013)
• Bugs include
• Misconfigured firewalls
• Misconfigured redundant firewalls
• Misconfigured redundant routing
![Page 104: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/104.jpg)
Role of Symmetry• Consider a private datacenter
• Use verification to prevent some bugs from a Microsoft DC (IMC 2013)
• Bugs include
• Misconfigured firewalls
• Misconfigured redundant firewalls
• Misconfigured redundant routing
• Measure time to verify as a function of number of symmetric policy groups
![Page 105: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/105.jpg)
Verification Time (With Symmetry)
0
50
100
150
200
250
300
350
25 50 100 250 500 1000
Tim
e (S
)
# of Policy Equivalence Classes
Rules Redundancy Traversal
![Page 106: Verifying Reachability for Stateful Networks · Verifying Reachability for Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, MPI-SWS,](https://reader033.vdocuments.mx/reader033/viewer/2022051607/60346099ee11b71ae130575a/html5/thumbnails/106.jpg)
Conclusion• Verifying stateful networks is increasingly important.
• The primary challenge is scaling to realistic network.
• Two methods to scale
• Models where oracles are separated from forwarding behavior.
• Split the network into smaller verifiable portions is necessary.