19 research outputs found
Type-Safe Data Plane Programming
Since the mid-1990s, there have been efforts to enable more flexible processing of network packets by making packet processing programmable. With the advent of software-defined networking (SDN), this idea has now become a reality. Early approaches initially focused on control plane programming, with the goal of implementing centralized network policies at a high level of abstraction without having to use low-level, device-specific configuration mechanisms. For this purpose, various network programming languages have been developed, which provide correctness guarantees and make the formal verification of network policies possible.
More recently, it is also possible to program the network data plane. Being able to define the structure of network packet headers freely, opens up a whole new range of applications, from implementing new network protocols up to moving application logic directly into the network. Until today, the P4 language has become the de facto standard for programming data planes. While P4 provides declarative abstractions for programming data planes, P4 lacks basic safety guarantees to help avoid errors and implement correct applications for the data plane.
Modern programming languages use static type systems to provide languages with basic safety guarantees that completely eliminate the occurrence of entire categories of errors. Surprisingly, however, the use of type systems in the field of network programming has hardly been investigated. This dissertation investigates what appropriate type systems must look like in order to provide data plane programming languages—in particular, P4—with static correctness guarantees. As a first step, we present SafeP4, a domain-specific language for programmable data planes that is equipped with a static type system that guarantees that all headers that are read or written are valid, which is a common cause of errors. We then present Π4, whose type system is based on dependent types and is thus able to bridge the gap in terms of expressiveness between SafeP4 and full-fledged verification tools. At the same time, Π4 enables modular verification of programs.
Our evaluation using open source programs confirms that accessing invalid packet headers is a common source of errors in practice and that the SafeP4’s type system is capable of identifying buggy programs. Using case studies, we show that Π4’s type system is capable of expressing and verifying a variety of real-world correctness properties
ReactiFi: Reactive Programming of Wi-Fi Firmware on Mobile Devices
Network programmability will be required to handle future increased network
traffic and constantly changing application needs. However, there is currently
no way of using a high-level, easy to use programming language to program Wi-Fi
firmware. This impedes rapid prototyping and deployment of novel network
services/applications and hinders continuous performance optimization in Wi-Fi
networks, since expert knowledge is required for both the used hardware
platforms and the Wi-Fi domain. In this paper, we present ReactiFi, a
high-level reactive programming language to program Wi-Fi chips on mobile
consumer devices. ReactiFi enables programmers to implement extensions of PHY,
MAC, and IP layer mechanisms without requiring expert knowledge of Wi-Fi chips,
allowing for novel applications and network protocols. ReactiFi programs are
executed directly on the Wi-Fi chip, improving performance and power
consumption compared to execution on the main CPU. ReactiFi is conceptually
similar to functional reactive languages, but is dedicated to the
domain-specific needs of Wi-Fi firmware. First, it handles low-level
platform-specific details without interfering with the core functionality of
Wi-Fi chips. Second, it supports static reasoning about memory usage of
applications, which is important for typically memory-constrained Wi-Fi chips.
Third, it limits dynamic changes of dependencies between computations to
dynamic branching, in order to enable static reasoning about the order of
computations. We evaluate ReactiFi empirically in two real-world case studies.
Our results show that throughput, latency, and power consumption are
significantly improved when executing applications on the Wi-Fi chip rather
than in the operating system kernel or in user space. Moreover, we show that
the high-level programming abstractions of ReactiFi have no performance
overhead compared to manually written C code
Dependently-Typed Data Plane Programming
Programming languages like P4 enable specifying the behavior of network data
planes in software. However, with increasingly powerful and complex
applications running in the network, the risk of faults also increases. Hence,
there is growing recognition of the need for methods and tools to statically
verify the correctness of P4 code, especially as the language lacks basic
safety guarantees. Type systems are a lightweight and compositional way to
establish program properties, but there is a significant gap between the kinds
of properties that can be proved using simple type systems (e.g., SafeP4) and
those that can be obtained using full-blown verification tools (e.g., p4v). In
this paper, we close this gap by developing 4, a dependently-typed version
of P4 based on decidable refinements. We motivate the design of 4, prove
the soundness of its type system, develop an SMT-based implementation, and
present case studies that illustrate its applicability to a variety of data
plane programs.Comment: This version is the companion technical report for the submission to
POPL'2
How to Avoid Making a Billion-Dollar Mistake: Type-Safe Data Plane Programming with SafeP4
The P4 programming language offers high-level, declarative abstractions that bring the flexibility of software to the domain of networking. Unfortunately, the main abstraction used to represent packet data in P4, namely header types, lacks basic safety guarantees. Over the last few years, experience with an increasing number of programs has shown the risks of the unsafe approach, which often leads to subtle software bugs.
This paper proposes SafeP4, a domain-specific language for programmable data planes in which all packet data is guaranteed to have a well-defined meaning and satisfy essential safety guarantees. We equip SafeP4 with a formal semantics and a static type system that statically guarantees header validity - a common source of safety bugs according to our analysis of real-world P4 programs. Statically ensuring header validity is challenging because the set of valid headers can be modified at runtime, making it a dynamic program property. Our type system achieves static safety by using a form of path-sensitive reasoning that tracks dynamic information from conditional statements, routing tables, and the control plane. Our evaluation shows that SafeP4\u27s type system can effectively eliminate common failures in many real-world programs
Optimizing Data Plane Programs for the Network
With the move of Software-defined networking from fixed to programmable data planes, network functions are written with P4 or eBPF for targets such as programmable switches, CPU based flow processors and commodity CPUs. These data plane programs are, however, limited in per-packet time budget (e.g., 67.2 ns at 10GbE) and program size, making program optimization imperative. Existing approaches focus on optimizing the distribution of flow rules in fixed data planes or they are limited to a single switch. We see great potential in integrating the network topology into program optimization
Online Reprogrammable Multi Tenant Switches
Recent research shows many benefits for cloud workloads and network operations when putting software functionality onto switches. Sharing the physical resources of a programmable switch between multiple tenants and workloads enables the widespread deployment of on-switch software functionality. Currently, changing the program on a programmable switch incurs significant switch downtime, connectivity loss, and service interruption. We, therefore propose a modification to the common programmable switch architecture to enable hot-pluggability, the ability to insert, modify, and remove on-path software functionality without interrupting the network operation. With hot-pluggability, a programmable switch can be shared between applications of different on-switch lifetime and therefore also between different tenants. Such sharing requires
performance and program isolation between different on-switch
functions and tenants. Our proposal makes on-switch software
functionality deployable within production networks and enables
programmable switches to be offered as a service to multiple tenants within cloud and ISP networks