781 research outputs found
Efficient Loop Detection in Forwarding Networks and Representing Atoms in a Field of Sets
The problem of detecting loops in a forwarding network is known to be
NP-complete when general rules such as wildcard expressions are used. Yet,
network analyzer tools such as Netplumber (Kazemian et al., NSDI'13) or
Veriflow (Khurshid et al., NSDI'13) efficiently solve this problem in networks
with thousands of forwarding rules. In this paper, we complement such
experimental validation of practical heuristics with the first provably
efficient algorithm in the context of general rules. Our main tool is a
canonical representation of the atoms (i.e. the minimal non-empty sets) of the
field of sets generated by a collection of sets. This tool is particularly
suited when the intersection of two sets can be efficiently computed and
represented. In the case of forwarding networks, each forwarding rule is
associated with the set of packet headers it matches. The atoms then correspond
to classes of headers with same behavior in the network. We propose an
algorithm for atom computation and provide the first polynomial time algorithm
for loop detection in terms of number of classes (which can be exponential in
general). This contrasts with previous methods that can be exponential, even in
simple cases with linear number of classes. Second, we introduce a notion of
network dimension captured by the overlapping degree of forwarding rules. The
values of this measure appear to be very low in practice and constant
overlapping degree ensures polynomial number of header classes. Forwarding loop
detection is thus polynomial in forwarding networks with constant overlapping
degree
Forwarding Tables Verification through Representative Header Sets
Forwarding table verification consists in checking the distributed
data-structure resulting from the forwarding tables of a network. A classical
concern is the detection of loops. We study this problem in the context of
software-defined networking (SDN) where forwarding rules can be arbitrary
bitmasks (generalizing prefix matching) and where tables are updated by a
centralized controller. Basic verification problems such as loop detection are
NP-hard and most previous work solves them with heuristics or SAT solvers. We
follow a different approach based on computing a representation of the header
classes, i.e. the sets of headers that match the same rules. This
representation consists in a collection of representative header sets, at least
one for each class, and can be computed centrally in time which is polynomial
in the number of classes. Classical verification tasks can then be trivially
solved by checking each representative header set. In general, the number of
header classes can increase exponentially with header length, but it remains
polynomial in the number of rules in the practical case where rules are
constituted with predefined fields where exact, prefix matching or range
matching is applied in each field (e.g., IP/MAC addresses, TCP/UDP ports). We
propose general techniques that work in polynomial time as long as the number
of classes of headers is polynomial and that do not make specific assumptions
about the structure of the sets associated to rules. The efficiency of our
method rely on the fact that the data-structure representing rules allows
efficient computation of intersection, cardinal and inclusion. Finally, we
propose an algorithm to maintain such representation in presence of updates
(i.e., rule insert/update/removal). We also provide a local distributed
algorithm for checking the absence of black-holes and a proof labeling scheme
for locally checking the absence of loops
Deux défis des Réseaux Logiciels : Relayage par le Nom et Vérification des Tables
The Internet changed the lives of network users: not only it affects users' habits, but it is also increasingly being shaped by network users' behavior.Several new services have been introduced during the past decades (i.e. file sharing, video streaming, cloud computing) to meet users' expectation.As a consequence, although the Internet infrastructure provides a good best-effort service to exchange information in a point-to-point fashion, this is not the principal need that todays users request. Current networks necessitate some major architectural changes in order to follow the upcoming requirements, but the experience of the past decades shows that bringing new features to the existing infrastructure may be slow.In this thesis work, we identify two main aspects of the Internet evolution: a “behavioral” aspect, which refers to a change occurred in the way users interact with the network, and a “structural” aspect, related to the evolution problem from an architectural point of view.The behavioral perspective states that there is a mismatch between the usage of the network and the actual functions it provides. While network devices implement the simple primitives of sending and receiving generic packets, users are really interested in different primitives, such as retrieving or consuming content. The structural perspective suggests that the problem of the slow evolution of the Internet infrastructure lies in its architectural design, that has been shown to be hardly upgradeable.On the one hand, to encounter the new network usage, the research community proposed the Named-data networking paradigm (NDN), which brings the content-based functionalities to network devices.On the other hand Software-defined networking (SDN) can be adopted to simplify the architectural evolution and shorten the upgrade-time thanks to its centralized software control plane, at the cost of a higher network complexity that can easily introduce some bugs. SDN verification is a novel research direction aiming to check the consistency and safety of network configurations by providing formal or empirical validation.The talk consists of two parts. In the first part, we focus on the behavioral aspect by presenting the design and evaluation of “Caesar”, a content router that advances the state-of-the-art by implementing content-based functionalities which may coexist with real network environments.In the second part, we target network misconfiguration diagnosis, and we present a framework for the analysis of the network topology and forwarding tables, which can be used to detect the presence of a loop at real-time and in real network environments.Cette thèse aborde des problèmes liés à deux aspects majeurs de l’évolution d’Internet : l’aspect >, qui correspond aux nouvelles interactions entre les utilisateurs et le réseau, et l’aspect >, lié aux changements d’Internet d’un point de vue architectural.Le manuscrit est composé d’un chapitre introductif qui donne les grandes lignes de recherche de ce travail de thèse, suivi d’un chapitre consacré à la description de l’état de l’art sur les deux aspects mentionnés ci-dessus. Parmi les solutions proposées par la communauté scientifique pour s'adapter à l’évolution d’Internet, deux nouveaux paradigmes réseaux sont particulièrement décrits : Information- Centric Networking (ICN) et Software-Defined Networking (SDN).La thèse continue avec la proposition de >, un dispositif réseau, inspiré par ICN, capable de gérer la distribution de contenus à partir de primitives de routage basées sur le nom des données et non les adresses des serveurs. Caesar est présenté dans deux chapitres, qui décrivent l’architecture et deux des principaux modules : le relayage et la gestion de la traçabilité des requêtes.La suite du manuscrit décrit un outil mathématique pour la détection efficace de boucles dans un réseau SDN d’un point de vue théorique. Les améliorations de l’algorithme proposé par rapport à l’état de l’art sont discutées.La thèse se conclue par un résumé des principaux résultats obtenus et une présentation des travaux en cours et futurs
Automatic Inference of High-Level Network Intents by Mining Forwarding Patterns
There is a semantic gap between the high-level intents of network operators
and the low-level configurations that achieve the intents. Previous works tried
to bridge the gap using verification or synthesis techniques, both requiring
formal specifications of the intended behavior which are rarely available or
even known in the real world. This paper discusses an alternative approach for
bridging the gap, namely to infer the high-level intents from the low-level
network behavior. Specifically, we provide Anime, a framework and a tool that
given a set of observed forwarding behavior, automatically infers a set of
possible intents that best describe all observations. Our results show that
Anime can infer high-quality intents from the low-level forwarding behavior
with acceptable performance.Comment: SOSR 202
Recommended from our members
Towards model checking real-world software-defined networks
In software-defined networks (SDN), a controller program is in charge of deploying diverse network functionality across a large number of switches, but this comes at a great risk: deploying buggy controller code could result in network and service disruption and security loopholes. The automatic detection of bugs or, even better, verification of their absence is thus most desirable, yet the size of the network and the complexity of the controller makes this a challenging undertaking. In this paper, we propose MOCS, a highly expressive, optimised SDN model that allows capturing subtle real-world bugs, in a reasonable amount of time. This is achieved by (1) analysing the model for possible partial order reductions, (2) statically pre-computing packet equivalence classes and (3) indexing packets and rules that exist in the model. We demonstrate its superiority compared to the state of the art in terms of expressivity, by providing examples of realistic bugs that a prototype implementation of MOCS in Uppaal caught, and performance/scalability, by running examples on various sizes of network topologies, highlighting the importance of our abstractions and optimisations
- …