Formal Analysis of Network Protocols
Today's Internet is becoming increasingly complex and fragile. Current performance-centric techniques for network analysis and runtime verification have become inadequate for the development of robust networks. To cope with these challenges there is growing interest in the use of formal analysis techniques to reason about network protocol correctness throughout the network development cycle. This talk surveys recent work on the use of formal analysis techniques to aid in the design, implementation, and analysis of network protocols. We first present a general framework that covers the majority of existing formal analysis techniques on both the control and routing planes of networks, and present a classification and taxonomy of techniques according to the proposed framework. Using four representative case studies (Metarouting, rcc, axiomatic formulation, and Alloy-based analysis), we discuss various aspects of formal network analysis, including formal specification, formal verification, and system validation. Their strengths and limitations are evaluated and compared in detail.
Source Prefix Filtering in ROFL
Traditional firewalls have the ability to allow or block traffic based on source address as well as destination address and port number. Our original ROFL scheme implements firewalling by layering it on top of routing; however, the original proposal focused only on destination address and port number. Doing route selection based in part on source addresses is a form of policy routing, which has started to receive increased attention. In this paper, we extend the original ROFL (ROuting as the Firewall Layer) scheme by including source prefix constraints in route announcements. We present algorithms for route propagation and packet forwarding, and demonstrate the correctness of these algorithms using rigorous proofs. The new scheme not only accomplishes the complete set of filtering functionality provided by traditional firewalls, but also introduces a new direction for policy routing.
An algebraic framework for multi-objective and robust variants of path problems
It is well known that various types of path problems in graphs can be treated together within a common algebraic framework. Thereby each type is characterized by a different "path algebra", i.e., a different instance of the same abstract algebraic structure. This paper demonstrates that the common algebraic framework, although originally intended for conventional problem variants, can be extended to cover multi-objective and robust variants. Thus the paper is mainly concerned with constructing and justifying new path algebras that correspond to such more complex problem varieties. A consequence of the obtained algebraic formulation is that multi-objective or robust problem instances can be solved by well-known general algorithms designed to work over an arbitrary path algebra. The solutions obtained in this way comprise all paths that are efficient in the Pareto sense. The efficient paths are by default described only implicitly, as vectors of objective-function values. Still, it is shown in the paper that, with slightly extended versions of the involved algebras, the same paths can also be identified explicitly. Also, for robust problem instances it is possible to select only one "robustly optimal" path according to a generalized min-max or min-max regret criterion.
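The following is an added example written for this page; it is not code from the paper. It shows the paper's central point in executable form: a single relaxation algorithm written only against an abstract path algebra (a "zero" for no path, a "one" for the empty path, a selection operation and an extension operation) solves the ordinary shortest-path problem with a (min, +) algebra and, with a different algebra, a two-objective problem whose solution is the set of Pareto-efficient cost vectors. A third algebra extends the labels with the path itself so the efficient paths are identified explicitly, as the abstract says is possible. The four-node graph and its (cost, delay) weights are constructed for the demonstration; the algebra names and function names are mine, not the paper's.

```python
"""Generic path-algebra solver with (min,+), Pareto-set and explicit-path instances.

Added example, not code from the paper. The graph and weights are constructed.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

Edge = Tuple[str, str, Tuple[int, int]]  # (u, v, weight vector (cost, delay))


@dataclass(frozen=True)
class PathAlgebra:
    zero: Any                          # label meaning "no path"
    one: Any                           # label of the empty path
    plus: Callable[[Any, Any], Any]    # select between two alternatives
    times: Callable[[Edge, Any], Any]  # extend a label through an edge


def solve(alg: PathAlgebra, nodes: List[str], edges: List[Edge], source: str) -> Dict[str, Any]:
    """Bellman-Ford style relaxation expressed purely through the algebra.

    With non-negative weights and finite label sets (true for the three
    instances below) in-place relaxation stabilises within len(nodes)-1
    rounds, so still changing in round len(nodes) means the pair is unstable."""
    dist = {v: alg.zero for v in nodes}
    dist[source] = alg.one
    for _ in range(len(nodes)):
        changed = False
        for e in edges:
            u, v, _w = e
            new = alg.plus(dist[v], alg.times(e, dist[u]))
            if new != dist[v]:
                dist[v], changed = new, True
        if not changed:
            return dist
    raise RuntimeError("labels still changing after |V| rounds: unstable algebra/graph")


def pareto_front(items, key=lambda x: x):
    """Keep the items whose cost vector is not dominated by another item's.
    Items with equal vectors are all kept, which the explicit-path algebra needs."""
    items = set(items)
    keep = set()
    for x in items:
        kx = key(x)
        if not any(key(y) != kx and all(a <= b for a, b in zip(key(y), kx)) for y in items):
            keep.add(x)
    return frozenset(keep)


def vec_add(w, v):
    return tuple(a + b for a, b in zip(w, v))


INF = float("inf")

# Classic shortest path on the first objective only: the (min, +) algebra.
MIN_PLUS = PathAlgebra(zero=INF, one=0, plus=min, times=lambda e, d: e[2][0] + d)

# Multi-objective algebra: a label is the set of Pareto-efficient cost vectors.
PARETO = PathAlgebra(zero=frozenset(), one=frozenset({(0, 0)}),
                     plus=lambda a, b: pareto_front(a | b),
                     times=lambda e, s: pareto_front(vec_add(e[2], x) for x in s))

# Extended algebra: labels are (vector, path-as-edge-tuple) pairs; dominance is
# still decided on the vector alone, so the efficient paths become explicit.
PARETO_PATHS = PathAlgebra(
    zero=frozenset(), one=frozenset({((0, 0), ())}),
    plus=lambda a, b: pareto_front(a | b, key=lambda x: x[0]),
    times=lambda e, s: pareto_front(((vec_add(e[2], x), p + ((e[0], e[1]),)) for x, p in s),
                                    key=lambda x: x[0]))

# Constructed sample graph; weights are (cost, delay).
NODES = ["A", "B", "C", "D"]
EDGES: List[Edge] = [("A", "B", (1, 5)), ("A", "C", (4, 1)), ("B", "D", (1, 5)),
                     ("C", "D", (4, 1)), ("B", "C", (1, 1))]


def shortest_cost(src="A", dst="D"):
    return solve(MIN_PLUS, NODES, EDGES, src)[dst]


def pareto_costs(src="A", dst="D"):
    return solve(PARETO, NODES, EDGES, src)[dst]


def pareto_paths(src="A", dst="D"):
    return solve(PARETO_PATHS, NODES, EDGES, src)[dst]


if __name__ == "__main__":
    print("cheapest cost A->D:", shortest_cost())
    print("Pareto-efficient (cost, delay) A->D:", sorted(pareto_costs()))
    for vec, path in sorted(pareto_paths()):
        print(vec, "via", " -> ".join(["A"] + [v for _, v in path]))
```

On the sample graph the (min, +) instance returns the single cheapest route (cost 2 via B), while the Pareto instance returns three incomparable vectors: (2, 10), (6, 7) and (8, 2). Only `solve` is shared; everything problem-specific lives in the algebra, which is exactly the separation the abstract describes.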
Multipath inter-domain policy routing
Dissertation submitted for the degree of Doctor in Electrical and Computer Engineering.
Routing can be abstracted as a path-finding problem in a graph that models the network. The problem can be modelled using an algebraic approach that describes the way routes are calculated and ranked. The shortest path problem is the most common form and consists in finding the path with the smallest cost.
The inter-domain scenario introduces some new challenges to the routing problem: routing is performed between independently configured and managed networks; the ranking of paths is not based on measurable metrics but on policies; and forwarding is destination-based and hop-by-hop.
In this thesis we start from the Border Gateway Protocol (BGP), identifying its main problems and elaborating on some ideal characteristics of a routing protocol suited to the inter-domain reality. The main areas and contributions of this work are the following:
The current state of the art in algebraic modelling of routing problems is used to provide a list of possible alternative conditions for the correct operation of such protocols. For each condition the consequences in terms of optimality and network restrictions are presented.
A routing architecture for the inter-domain scenario is presented. It is proven that it achieves a multipath routing solution in finite time without causing forwarding loops. We discuss its advantages and weaknesses.
A traffic-engineering scheme is designed to take advantage of the proposed architecture. It works using only local information and the cooperation of remote ASes to minimize congestion in the network with minimal signalling.
Finally, a general model of a routing protocol based on hierarchical policies is used to study how efficient the protocol operation is when the correctness conditions are met. This results in some conclusions on how the policies should be chosen and applied in order to achieve specific goals.
Portuguese Science and Technology Foundation (FCT/MCTES) grant SFRH/BD/44476/2008; CTS multi-annual funding project PEst OE/EEI/UI0066/2011; MPSat project PTDC/EEA TEL/099074/2008; OPPORTUNISTICCR project PTDC/EEA-TEL/115981/2009; Fentocells project PTDC/EEA TEL/120666/201
Automated Formal Analysis of Internet Routing Configurations
Today's Internet interdomain routing protocol, the Border Gateway Protocol (BGP), is increasingly complicated and fragile due to policy misconfigurations by individual autonomous systems (ASes). To create provably correct networks, the past twenty years have witnessed, among many other efforts, advances in formal network modeling, system verification and testing, and point solutions for network management by formal reasoning. On the conceptual side, the formal models usually abstract away low-level details, specifying what the correct functionalities are but not how to achieve them. On the practical side, system verification of existing networked systems is generally hard, and system testing or simulation provide limited formal guarantees. This is a long-standing challenge in network practice: formal reasoning is decoupled from actual implementation.
This thesis seeks to bridge formal reasoning and actual network implementation in the setting of BGP by developing the Formally Verifiable Routing (FVR) toolkit, which combines formal methods and programming language techniques. Starting from the formal model, FVR automates the verification of routing models and the synthesis of faithful implementations that carry the correctness property. Conversely, starting from large real-world BGP systems with arbitrary policy configurations, FVR automates the analysis of Internet routing configurations, and also includes a novel network reduction technique that scales up existing techniques for automated analysis. By developing the above formal theories and tools, this thesis aims to help network operators create and manage BGP systems with correctness guarantees.
Planning and verification of multipath routing protocols
Conventionally, the problem of the best path in a network refers to the shortest path problem. However, for the vast majority of today's networks this solution has limitations that directly affect their proper functioning and lead to inefficient use of their capabilities. Problems at the level of large networks, where graphs of high complexity are common, as well as the appearance of new services and their respective requirements, are intrinsically related to the inadequacy of this solution. To meet the needs of these networks, a new approach to the best path problem must be explored. One solution that has attracted interest in the scientific community considers the use of multiple paths between two network nodes, all of which can now be regarded as a best path between those nodes. Routing is then no longer done by minimizing a single metric, where only one path between nodes is chosen, but by selecting one of many paths, thereby allowing the use of a greater diversity of the available paths (if the network allows it).
The establishment of multipath routing in a given network has several advantages for its operation. It may improve the distribution of network traffic, improve recovery time after a failure, or offer the administrator greater control of the network. These factors are even more relevant when networks are large and their constitution is highly complex, as in the Internet, where multiple networks managed by different entities are interconnected. A large part of the growing need for multipath protocols is associated with policy-based routing, in which paths with different characteristics can be considered with equal preference and thus be part of the solution to the best path problem.
Performing multipath routing with protocols based only on the destination address has some limitations, but it is possible. Concepts from graph theory and algebraic structures can be used to describe how routes are calculated and ranked, making it possible to model the routing problem.
This thesis studies and analyzes multipath routing protocols from the literature and derives a new algebraic condition that allows the correct operation of these protocols without any network restriction. It also develops a range of software tools that allow the planning and the respective verification/validation of new protocol models according to this study.
An algebraic perspective on the convergence of vector-based routing protocols
This thesis studies the properties of vector-based routing protocols whose underlying algebras are strictly increasing. Strict increasingness has previously been shown to be both a sufficient and a necessary condition for the convergence of path-vector protocols.
One of the key contributions of this thesis is to link vector-based routing to a much larger family of asynchronous iterative algorithms. This unlocks a significant body of existing theory, and allows asynchronous protocols to be proved correct by purely synchronous reasoning. As well as applying it to routing protocols, this thesis advances the asynchronous theory in two ways. Firstly it shows that the existing conditions required for convergence may be relaxed. Secondly it proposes the first model for "dynamic" asynchronous processes in which both the problem being solved and the set of participants change over time.
The thesis' attention then turns to models of routing problems, and presents a new algebraic structure that is simpler and more expressive than the state of the art. In particular this structure is capable of modelling routing problems that underlie both distance-vector and path-vector protocols. Consequently these two families of vector-based protocols may be unified for the first time. The new structure is also capable of modelling protocols that use path-dependent conditional policy.
Next the work above is used to construct a model of an abstract vector-based protocol. This is then used in the first proof of correctness for strictly increasing distance-vector protocols and a new proof of correctness for strictly increasing path-vector protocols. The latter is an improvement over previous results as it i) proves that convergence is deterministic, ii) does not assume reliable communication between nodes and iii) applies to path-vector protocols with path-dependent conditional policy. The long-standing question of the worst-case rate of convergence for a strictly increasing path-vector protocol is then answered by lowering the previous upper bound of to a new tight bound of.
Finally all of the work has been formalised in the proof assistant Agda. Not only does this significantly increase users' confidence in the validity of the results, but the resulting Agda library may also be used to verify the correctness of protocol implementations. To illustrate this, a formal proof of correctness is described for a path-vector protocol which contains many of the features of the Border Gateway Protocol including: local preferences, communities, an expressive conditional policy language and path inflation.
EPSRC Doctoral Training gran
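The following is an added example written for this page, not code from the thesis above or from its Agda library. It makes the "strictly increasing" condition concrete: every extension of a valid route through a link must produce a strictly less preferred route, or drop it. A small checker enumerates a finite policy algebra and reports the (link, signature) pairs that break the condition, and a synchronous path-vector iteration then runs the same policy on a toy AS graph. The policy is a Gao-Rexford-style customer/peer/provider policy written from its usual textbook description (customer routes are exported to everyone, other routes only to customers, and customer-learned routes are preferred over peer-learned over provider-learned); the AS graph, the hop-count refinement used to restore strictness, and all names are my own constructions. The same check applies to the algebraic correctness conditions discussed in the two multipath routing theses earlier on the page.

```python
"""Strict-increasingness check for a policy-routing algebra, plus a synchronous
path-vector run over it.

Added example, not code from the thesis. Policy, AS graph and names are constructed.
"""
from typing import Dict, Optional, Tuple

# Route "levels" at a node, ordered by preference (lower rank is preferred).
# "own" marks the originating AS itself.
LEVELS = {"own": 0, "customer": 1, "peer": 2, "provider": 3}
MAX_HOPS = 4


def extend_gr(link: str, level: Optional[str]) -> Optional[str]:
    """Gao-Rexford-style extension. `level` is the route's level at the sender u;
    `link` is u's relationship to the receiver v ('customer' means u is v's customer).
    Returns the level at v, or None if u's export policy would not announce it."""
    if level is None:
        return None
    if link in ("customer", "peer") and level not in ("own", "customer"):
        return None            # only customer-learned (or own) routes go up or sideways
    return link                # the level at v is the sender's relationship to v


def extend_hops(link: str, sig):
    """Signature (level, hops): same export rule plus a hop count that grows by
    one per AS, cut off at MAX_HOPS so the signature set stays finite."""
    if sig is None:
        return None
    level, hops = sig
    new_level = extend_gr(link, level)
    if new_level is None or hops + 1 > MAX_HOPS:
        return None
    return (new_level, hops + 1)


def rank_gr(level):
    return LEVELS[level]


def rank_hops(sig):
    return LEVELS[sig[0]] * (MAX_HOPS + 1) + sig[1]


def strict_violations(extend, rank, signatures, links=("customer", "peer", "provider")):
    """Return the (link, signature) pairs where extending does not strictly
    worsen the route. Dropping the route (None) counts as strictly worse."""
    bad = set()
    for link in links:
        for sig in signatures:
            out = extend(link, sig)
            if out is not None and rank(out) <= rank(sig):
                bad.add((link, sig))
    return bad


GR_SIGS = list(LEVELS)
HOP_SIGS = [(lvl, h) for lvl in LEVELS for h in range(MAX_HOPS + 1)]

# Constructed toy AS graph. REL[(u, v)] is u's relationship to v.
PROVIDER_OF = [("A", "O"), ("B", "A"), ("B", "C"), ("C", "D"), ("B", "D")]  # (provider, customer)
PEERS = [("A", "C")]
REL: Dict[Tuple[str, str], str] = {}
for p, c in PROVIDER_OF:
    REL[(p, c)] = "provider"   # p announces to its customer c
    REL[(c, p)] = "customer"   # c announces to its provider p
for a, b in PEERS:
    REL[(a, b)] = REL[(b, a)] = "peer"
NODES = sorted({n for pair in REL for n in pair})


def run_protocol(origin: str, max_rounds: int = 20):
    """Synchronous path-vector iteration over the hop-count algebra. Each node
    keeps the best-ranked candidate; ties break on neighbour name so the run is
    deterministic. Returns (routes, rounds); a route is (signature, AS path)."""
    routes = {v: None for v in NODES}
    routes[origin] = (("own", 0), (origin,))
    for rnd in range(1, max_rounds + 1):
        new = dict(routes)
        for v in NODES:
            if v == origin:
                continue
            cands = []
            for (u, w), link in REL.items():
                if w != v or routes[u] is None:
                    continue
                sig = extend_hops(link, routes[u][0])
                if sig is not None:
                    cands.append((rank_hops(sig), u, (sig, (v,) + routes[u][1])))
            new[v] = min(cands)[2] if cands else None
        if new == routes:
            return routes, rnd
        routes = new
    raise RuntimeError("did not converge")


def loop_free(routes, origin):
    """Follow next hops (second element of each AS path) from every node."""
    for v in NODES:
        cur, steps = v, 0
        while cur != origin:
            if routes[cur] is None or steps > len(NODES):
                return False
            cur, steps = routes[cur][1][1], steps + 1
    return True


if __name__ == "__main__":
    print("plain policy violations:", sorted(strict_violations(extend_gr, rank_gr, GR_SIGS)))
    print("with hop count violations:", strict_violations(extend_hops, rank_hops, HOP_SIGS))
    routes, rounds = run_protocol("O")
    print(f"converged in {rounds} rounds, loop free: {loop_free(routes, 'O')}")
    for v in NODES:
        print(v, routes[v])
```

The checker flags the plain relationship policy at (customer, customer) and (provider, provider): a customer route re-announced up to another provider keeps the same preference, so the algebra by itself is monotone but not strictly increasing, which is why correctness arguments for this policy add a topological assumption (no customer-provider cycles) instead. Adding a hop count makes every extension strictly worse, the checker returns no violations, and the toy run converges in four synchronous rounds with loop-free next hops.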