3,447 research outputs found
Packet flow analysis in IP networks via abstract interpretation
Static analysis (aka offline analysis) of a model of an IP network is useful
for understanding, debugging, and verifying packet flow properties of the
network. There have been static analysis approaches proposed in the literature
for networks based on model checking as well as graph reachability. Abstract
interpretation is a method that has typically been applied to static analysis
of programs. We propose a new, abstract-interpretation based approach for
analysis of networks. We formalize our approach, mention its correctness
guarantee, and demonstrate its flexibility in addressing multiple
network-analysis problems that have been previously solved via tailor-made
approaches. Finally, we investigate an application of our analysis to a novel
problem -- inferring a high-level policy for the network -- which has been
addressed in the past only in the restricted single-router setting.Comment: 8 page
Toward Synthesis of Network Updates
Updates to network configurations are notoriously difficult to implement
correctly. Even if the old and new configurations are correct, the update
process can introduce transient errors such as forwarding loops, dropped
packets, and access control violations. The key factor that makes updates
difficult to implement is that networks are distributed systems with hundreds
or even thousands of nodes, but updates must be rolled out one node at a time.
In networks today, the task of determining a correct sequence of updates is
usually done manually -- a tedious and error-prone process for network
operators. This paper presents a new tool for synthesizing network updates
automatically. The tool generates efficient updates that are guaranteed to
respect invariants specified by the operator. It works by navigating through
the (restricted) space of possible solutions, learning from counterexamples to
improve scalability and optimize performance. We have implemented our tool in
OCaml, and conducted experiments showing that it scales to networks with a
thousand switches and tens of switches updating.Comment: In Proceedings SYNT 2013, arXiv:1403.726
Directed Security Policies: A Stateful Network Implementation
Large systems are commonly internetworked. A security policy describes the
communication relationship between the networked entities. The security policy
defines rules, for example that A can connect to B, which results in a directed
graph. However, this policy is often implemented in the network, for example by
firewalls, such that A can establish a connection to B and all packets
belonging to established connections are allowed. This stateful implementation
is usually required for the network's functionality, but it introduces the
backflow from B to A, which might contradict the security policy. We derive
compliance criteria for a policy and its stateful implementation. In
particular, we provide a criterion to verify the lack of side effects in linear
time. Algorithms to automatically construct a stateful implementation of
security policy rules are presented, which narrows the gap between
formalization and real-world implementation. The solution scales to large
networks, which is confirmed by a large real-world case study. Its correctness
is guaranteed by the Isabelle/HOL theorem prover.Comment: In Proceedings ESSS 2014, arXiv:1405.055
Applying Formal Methods to Networking: Theory, Techniques and Applications
Despite its great importance, modern network infrastructure is remarkable for
the lack of rigor in its engineering. The Internet which began as a research
experiment was never designed to handle the users and applications it hosts
today. The lack of formalization of the Internet architecture meant limited
abstractions and modularity, especially for the control and management planes,
thus requiring for every new need a new protocol built from scratch. This led
to an unwieldy ossified Internet architecture resistant to any attempts at
formal verification, and an Internet culture where expediency and pragmatism
are favored over formal correctness. Fortunately, recent work in the space of
clean slate Internet design---especially, the software defined networking (SDN)
paradigm---offers the Internet community another chance to develop the right
kind of architecture and abstractions. This has also led to a great resurgence
in interest of applying formal methods to specification, verification, and
synthesis of networking protocols and applications. In this paper, we present a
self-contained tutorial of the formidable amount of work that has been done in
formal methods, and present a survey of its applications to networking.Comment: 30 pages, submitted to IEEE Communications Surveys and Tutorial
Abstract Interpretation of Stateful Networks
Modern networks achieve robustness and scalability by maintaining states on
their nodes. These nodes are referred to as middleboxes and are essential for
network functionality. However, the presence of middleboxes drastically
complicates the task of network verification. Previous work showed that the
problem is undecidable in general and EXPSPACE-complete when abstracting away
the order of packet arrival.
We describe a new algorithm for conservatively checking isolation properties
of stateful networks. The asymptotic complexity of the algorithm is polynomial
in the size of the network, albeit being exponential in the maximal number of
queries of the local state that a middlebox can do, which is often small.
Our algorithm is sound, i.e., it can never miss a violation of safety but may
fail to verify some properties. The algorithm performs on-the fly abstract
interpretation by (1) abstracting away the order of packet processing and the
number of times each packet arrives, (2) abstracting away correlations between
states of different middleboxes and channel contents, and (3) representing
middlebox states by their effect on each packet separately, rather than taking
into account the entire state space. We show that the abstractions do not lose
precision when middleboxes may reset in any state. This is encouraging since
many real middleboxes reset, e.g., after some session timeout is reached or due
to hardware failure
- …