1,363 research outputs found
Towards Model Checking Real-World Software-Defined Networks (version with appendix)
In software-defined networks (SDN), a controller program is in charge of
deploying diverse network functionality across a large number of switches, but
this comes at a great risk: deploying buggy controller code could result in
network and service disruption and security loopholes. The automatic detection
of bugs or, even better, verification of their absence is thus most desirable,
yet the size of the network and the complexity of the controller makes this a
challenging undertaking. In this paper we propose MOCS, a highly expressive,
optimised SDN model that allows capturing subtle real-world bugs, in a
reasonable amount of time. This is achieved by (1) analysing the model for
possible partial order reductions, (2) statically pre-computing packet
equivalence classes and (3) indexing packets and rules that exist in the model.
We demonstrate its superiority compared to the state of the art in terms of
expressivity, by providing examples of realistic bugs that a prototype
implementation of MOCS in UPPAAL caught, and performance/scalability, by
running examples on various sizes of network topologies, highlighting the
importance of our abstractions and optimisations
Consistent SDNs through Network State Fuzzing
The conventional wisdom is that a software-defined network (SDN) operates under the premise that the logically centralized control plane has an accurate representation of the actual data plane state. Nevertheless, bugs, misconfigurations, faults or attacks can introduce inconsistencies that undermine correct operation. Previous work in this area, however, lacks a holistic methodology to tackle this problem and thus, addresses only certain parts of the problem. Yet, the consistency of the overall system is only as good as its least consistent part. Motivated by an analogy of network consistency checking with program testing, we propose to add active probe-based network state fuzzing to our consistency check repertoire. Hereby, our system, PAZZ, combines production traffic with active probes to continuously test if the actual forwarding path and decision elements (on the data plane) correspond to the expected ones (on the control plane). Our insight is that active traffic covers the inconsistency cases beyond the ones identified by passive traffic. PAZZ prototype was built and evaluated on topologies of varying scale and complexity. Our results show that PAZZ requires minimal network resources to detect persistent data plane faults through fuzzing and localize them quickly
Consistent SDNs through Network State Fuzzing
The conventional wisdom is that a software-defined network (SDN) operates
under the premise that the logically centralized control plane has an accurate
representation of the actual data plane state. Unfortunately, bugs,
misconfigurations, faults or attacks can introduce inconsistencies that
undermine correct operation. Previous work in this area, however, lacks a
holistic methodology to tackle this problem and thus, addresses only certain
parts of the problem. Yet, the consistency of the overall system is only as
good as its least consistent part. Motivated by an analogy of network
consistency checking with program testing, we propose to add active probe-based
network state fuzzing to our consistency check repertoire. Hereby, our system,
PAZZ, combines production traffic with active probes to periodically test if
the actual forwarding path and decision elements (on the data plane) correspond
to the expected ones (on the control plane). Our insight is that active traffic
covers the inconsistency cases beyond the ones identified by passive traffic.
PAZZ prototype was built and evaluated on topologies of varying scale and
complexity. Our results show that PAZZ requires minimal network resources to
detect persistent data plane faults through fuzzing and localize them quickly
while outperforming baseline approaches.Comment: Added three extra relevant references, the arXiv later was accepted
in IEEE Transactions of Network and Service Management (TNSM), 2019 with the
title "Towards Consistent SDNs: A Case for Network State Fuzzing
A model for the analysis of security policies in service function chains
Two emerging architectural paradigms, i.e., Software Defined Networking (SDN)
and Network Function Virtualization (NFV), enable the deployment and management
of Service Function Chains (SFCs). A SFC is an ordered sequence of abstract
Service Functions (SFs), e.g., firewalls, VPN-gateways,traffic monitors, that
packets have to traverse in the route from source to destination. While this
appealing solution offers significant advantages in terms of flexibility, it
also introduces new challenges such as the correct configuration and ordering
of SFs in the chain to satisfy overall security requirements. This paper
presents a formal model conceived to enable the verification of correct policy
enforcements in SFCs. Software tools based on the model can then be designed to
cope with unwanted network behaviors (e.g., security flaws) deriving from
incorrect interactions of SFs in the same SFC
Merlin: A Language for Provisioning Network Resources
This paper presents Merlin, a new framework for managing resources in
software-defined networks. With Merlin, administrators express high-level
policies using programs in a declarative language. The language includes
logical predicates to identify sets of packets, regular expressions to encode
forwarding paths, and arithmetic formulas to specify bandwidth constraints. The
Merlin compiler uses a combination of advanced techniques to translate these
policies into code that can be executed on network elements including a
constraint solver that allocates bandwidth using parameterizable heuristics. To
facilitate dynamic adaptation, Merlin provides mechanisms for delegating
control of sub-policies and for verifying that modifications made to
sub-policies do not violate global constraints. Experiments demonstrate the
expressiveness and scalability of Merlin on real-world topologies and
applications. Overall, Merlin simplifies network administration by providing
high-level abstractions for specifying network policies and scalable
infrastructure for enforcing them
SDN Access Control for the Masses
The evolution of Software-Defined Networking (SDN) has so far been
predominantly geared towards defining and refining the abstractions on the
forwarding and control planes. However, despite a maturing south-bound
interface and a range of proposed network operating systems, the network
management application layer is yet to be specified and standardized. It has
currently poorly defined access control mechanisms that could be exposed to
network applications. Available mechanisms allow only rudimentary control and
lack procedures to partition resource access across multiple dimensions.
We address this by extending the SDN north-bound interface to provide control
over shared resources to key stakeholders of network infrastructure: network
providers, operators and application developers. We introduce a taxonomy of SDN
access models, describe a comprehensive design for SDN access control and
implement the proposed solution as an extension of the ONOS network controller
intent framework
Forwarding Tables Verification through Representative Header Sets
Forwarding table verification consists in checking the distributed
data-structure resulting from the forwarding tables of a network. A classical
concern is the detection of loops. We study this problem in the context of
software-defined networking (SDN) where forwarding rules can be arbitrary
bitmasks (generalizing prefix matching) and where tables are updated by a
centralized controller. Basic verification problems such as loop detection are
NP-hard and most previous work solves them with heuristics or SAT solvers. We
follow a different approach based on computing a representation of the header
classes, i.e. the sets of headers that match the same rules. This
representation consists in a collection of representative header sets, at least
one for each class, and can be computed centrally in time which is polynomial
in the number of classes. Classical verification tasks can then be trivially
solved by checking each representative header set. In general, the number of
header classes can increase exponentially with header length, but it remains
polynomial in the number of rules in the practical case where rules are
constituted with predefined fields where exact, prefix matching or range
matching is applied in each field (e.g., IP/MAC addresses, TCP/UDP ports). We
propose general techniques that work in polynomial time as long as the number
of classes of headers is polynomial and that do not make specific assumptions
about the structure of the sets associated to rules. The efficiency of our
method rely on the fact that the data-structure representing rules allows
efficient computation of intersection, cardinal and inclusion. Finally, we
propose an algorithm to maintain such representation in presence of updates
(i.e., rule insert/update/removal). We also provide a local distributed
algorithm for checking the absence of black-holes and a proof labeling scheme
for locally checking the absence of loops
- …