Header Space Analysis in more detail - abstraction across vendors, devices, protocols - navigating large header spaces - all counterexamples, not just one
Plan of lectures so far • Lecture 1: Overview and Motivation • Lecture 2: Forwarding and Routing review, formal models • Lecture 3: Black box formal models do not scale, and Header Space Analysis • Lecture 4: Header Space Deep Dive • Lecture 5: NetPlumber (incremental HSA) and Atomic Predicates (more efficient)
Zoe versus Bios • Zoe: Life in general without characterization • Bios: Specific life, outlines that distinguish o Zoe: seeing from space, Bios: seeing details. o Balanchine versus Robbins, abstract versus concrete, top-down versus bottom-up • Need multiple levels of thought. In CS: zoe (philosophy), medios (abstraction), bios
The Zoe of Header Space
Why is network verification so hard? • Forwarding state is hard to analyze! o Written to network by multiple writers: local instance of protocol, remote instance of protocol, local and remote instances of other protocols, manually by different network admins. o Operators can’t directly observe or control them. • Diversity (Cisco, Arista, Juniper, SDN)
Q: How do other fields overcome similar challenges? A: By creating higher level abstractions.
Communication Engineering [Figure: block diagram with labels S, Frequency Modulation, cos(wt), Antenna, Antenna, Band Pass Filter, Amplifier, Demodulation, cos(wt), D]
Digital Hardware Design [Figure: circuit with labels A, B, clock, out]
Abstracting across devices [Figure: devices drawn as sets of tables. Labels: VLAN Table, Spanning Tree, IP Table, MAC Table, MPLS Mappings, Input ACL, Output ACL, ARP Table, Filtering Rules]
Vision for Network Verification [Figure: devices drawn as sets of tables. Labels: VLAN Table, Spanning Tree, IP Table, MAC Table, MPLS Mappings, Input ACL, Output ACL, ARP Table, Filtering Rules]
Networks as geometric transformers • Model header as point in high dimensional space and all networking boxes as transformers of header space [Figure: Packet Forwarding box between points P1 and P2. Match: 0xx1..x1. Action: Send to port 2, Rewrite with 1x01xx..x1] MATHEMATICAL FRAMEWORK TO REASON ABOUT WHICH SET OF POINTS ENTERING CAN EXIT NETWORK
Header Space Framework • Step 1 - Model a packet, based on its header bits, as a point in {0,1}^L space – The Header Space [Figure: a packet drawn as Header and Data, bit string 0xxxx0101xxx 01110011…, header bit positions 1 to L]
Medios of HSA: 1. Models
Header Space Framework • Step 2 – Model all networking boxes as transformers of header space • Transfer Function: [Figure: Packet Forwarding box with ports 1, 2 and 3. Headers 1101..00 and 1110..00. Match patterns 0xx1..x1 and 11xx..0x. Actions: Send to port 3, Rewrite with 1xx011..x1, Rewrite with 1x01xx..x1]
Transfer Function Example • IPv4 Router – Forwarding Behavior o 172.24.74.x → Port 1 o 172.24.128.x → Port 2 o 171.67.x.x → Port 3
$$T(h, p) = \begin{cases} (h, 1) & \text{if } \mathrm{dst\_ip}(h) = 172.24.74.x \\ (h, 2) & \text{if } \mathrm{dst\_ip}(h) = 172.24.128.x \\ (h, 3) & \text{if } \mathrm{dst\_ip}(h) = 171.67.x.x \end{cases}$$
Transfer Function Example • IPv4 Router – forwarding + Time to Live (TTL) o 172.24.74.x → Port 1 o 172.24.128.x → Port 2 o 171.67.x.x → Port 3
$$T(h, p) = \begin{cases} (\mathrm{dec\_ttl}(h), 1) & \text{if } \mathrm{dst\_ip}(h) = 172.24.74.x \\ (\mathrm{dec\_ttl}(h), 2) & \text{if } \mathrm{dst\_ip}(h) = 172.24.128.x \\ (\mathrm{dec\_ttl}(h), 3) & \text{if } \mathrm{dst\_ip}(h) = 171.67.x.x \end{cases}$$
Transfer Function Example • IPv4 Router – forwarding + TTL + MAC rewrite o 172.24.74.x → Port 1 o 172.24.128.x → Port 2 o 171.67.x.x → Port 3
$$T(h, p) = \begin{cases} (\mathrm{rw\_mac}(\mathrm{dec\_ttl}(h), \mathrm{next\_mac}), 1) & \text{if } \mathrm{dst\_ip}(h) = 172.24.74.x \\ (\mathrm{rw\_mac}(\mathrm{dec\_ttl}(h), \mathrm{next\_mac}), 2) & \text{if } \mathrm{dst\_ip}(h) = 172.24.128.x \\ (\mathrm{rw\_mac}(\mathrm{dec\_ttl}(h), \mathrm{next\_mac}), 3) & \text{if } \mathrm{dst\_ip}(h) = 171.67.x.x \end{cases}$$
Example Actions: • Rewrite: rewrite bits 0-2 with value 101 o (h & 000111…) | 101000… • Encapsulation: encap packet in a 1010 header. o (h >> 4) | 1010…. • Decapsulation: decap 1010xxx… packets o (h << 4) | 000…xxxx • TTL Decrement: o if ttl(h) == 0: Drop o if ttl(h) > 0: h – 0…000000010…0 • Load Balancing: o LB(h, p) = {(h, P1), …, (h, Pn)}
Composing Transfer Functions • By composing transfer functions, we can find the end to end behavior of networks. [Figure: routers R1, R2, R3; label T1(h, p)]
Medios of HSA: 2. Algebra
Inverting Transfer Functions • Tells us all possible input packets that can generate an output packet. [Figure: T(h, p) and T^-1(h, p) drawn between Input Header Space and Output Header Space]
Header Space Framework • Step 3 - Header Space Set Algebra. o Intersection o Complementation o Difference o Check subset and equality condition. • Every region of Header Space can be described by a union of Wildcard Expressions. (example: 10xx ∪ 011x) • Goal: do set operations on wildcard expressions.
HS Set Algebra - Intersection • Bit by bit intersect using intersection table: o Example: o If result has any ‘z’, then intersection is empty: o Example: [Figure: intersection table and worked examples; surviving labels: wildcard, empty]
Medios of HSA: 3. Algorithms
Header Space Model Summary • Step 1 - Model a packet, based on its header bits, as a point in {0,1}^L space – the Header Space • Abstractions: 1. All layers collapsed into a flat sequence of bits 2. Wildcards ignore irrelevant header bits • Step 2 – Abstract networking boxes (Cisco routers, Juniper Firewalls) as transformers of header space Transfer Function:
A. Computing Reachability [Figure: host A, Box 1, Box 2, Box 3, Box 4, host B. Forward labels: T1(X, A); T2(T1(X, A)); T4(T1(X, A)); at B: T3(T2(T1(X, A))) ∪ T3(T4(T1(X, A))). Inverse labels: T1^-1, T2^-1, T3^-1, T4^-1. Captions: "All packets that A can possibly send"; "All packets that A can possibly send to box 2 through box 1"; "All packets that A can possibly send to box 4 through box 1"; "All packets that A can use to communicate with B"] PROPAGATE MILLIONS OF SETS OF HEADERS IF DONE NAIVELY
B. Secure Slicing of Networks • Network slice of resources defined by o A topology consisting of switches and ports. o A set of predicates on packet headers. • Think Citibank & BOA sharing network. • Generalizes what are known as VLANs today
Definition of Slice in HSA language • Network slice is a piece of network resources defined by o A topology consisting of switches and ports. o A set of predicates on packet headers. [Figure label: VLAN = A]
Checking Isolation of Slices • How to check if two slices are isolated? o Slice definitions don’t intersect. o Packets don’t leak after forwarding.
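The two isolation checks above, as an added Python example (not from the lecture or from Hassel). The slice layout (a set of ports plus header predicates), the rule tuple format and the 4-bit sample data are assumptions made for illustration.

```python
# Added example, not Hassel code. Wildcard strings use 'x' for "don't care".
# Assumed model: a slice is a set of ports plus header predicates; a rule is
# (in_port, match, rewrite, out_port), where 'x' in rewrite keeps the bit.

def intersect(a, b):
    r = "".join(y if x == "x" else x if y in ("x", x) else "z" for x, y in zip(a, b))
    return None if "z" in r else r

def overlap(a, b):
    """Check 1: header regions that both slice definitions claim."""
    hits = (intersect(ha, hb) for ha in a["headers"] for hb in b["headers"])
    return [h for h in hits if h is not None] if a["ports"] & b["ports"] else []

def leaks(a, b, rules):
    """Check 2: slice-a traffic that a rule turns into slice-b traffic."""
    found = []
    for rule in rules:
        in_port, match, rewrite, out_port = rule
        if in_port not in a["ports"] or out_port not in b["ports"]:
            continue
        for ha in a["headers"]:
            m = intersect(ha, match)
            if m is None:
                continue
            out = "".join(bit if r == "x" else r for bit, r in zip(m, rewrite))
            found += [(rule, hit) for hb in b["headers"]
                      if (hit := intersect(out, hb)) is not None]
    return found

# Constructed 4-bit example: the first two bits act as a VLAN-like tag.
SLICE_A = {"ports": {1, 2, 3}, "headers": ["00xx"]}
SLICE_B = {"ports": {3, 4}, "headers": ["01xx"]}
RULES = [
    (1, "00x0", "xxxx", 2),  # stays inside slice A
    (1, "00x1", "01xx", 3),  # retags to 01 and exits on a port slice B uses
]

if __name__ == "__main__":
    print("definition overlap:", overlap(SLICE_A, SLICE_B))
    for rule, hdr in leaks(SLICE_A, SLICE_B, RULES):
        print("leak:", rule, "->", hdr)
```

The sample slices pass the first check (their definitions are disjoint) and still fail the second, because one rule rewrites the tag on the way out.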
C. Finding Loops • Is there a loop in the network? o Inject an all-x test packet from every switch-port o Follow the packet until it comes back to injection port [Figure: Box 1, Box 2, Box 3, Box 4 in a cycle. Labels: Original HS; T1(X, P); T2(T1(X, P)); T3(T2(T1(X, P))); Returned HS T4(T3(T2(T1(X, P)))); inverses T1^-1, T2^-1, T3^-1, T4^-1]
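Reachability (section A) and loop detection both come down to pushing a header space through composed transfer functions, so one added Python example covers both; it is not from the lecture or from Hassel. The rule format, the port naming and the three-router network are assumptions made for illustration.

```python
# Added example, not Hassel code. Ports are (box, number) pairs; a rule is
# (in_port, match, rewrite, out_port) with 'x' in rewrite meaning "keep bit".
# Assumption: rules inside one box have disjoint matches (no priorities).

def intersect(a, b):
    r = "".join(y if x == "x" else x if y in ("x", x) else "z" for x, y in zip(a, b))
    return None if "z" in r else r

def transfer(rules, h, port):
    """T(h, p): header spaces and output ports produced by one box."""
    out = []
    for in_port, match, rewrite, out_port in rules:
        m = intersect(h, match) if in_port == port else None
        if m is not None:
            new_h = "".join(b if r == "x" else r for b, r in zip(m, rewrite))
            out.append((new_h, out_port))
    return out

def propagate(boxes, links, h, port, dst=None):
    """Push h in at port; return (headers arriving at dst, loops seen)."""
    reached, loops, work = [], [], [(h, port, (port,))]
    while work:
        h, port, path = work.pop()
        if port == dst:
            reached.append(h)
            continue
        for new_h, out_port in transfer(boxes.get(port[0], []), h, port):
            nxt = links.get(out_port)
            if nxt is None:
                continue                      # edge port: leaves the model
            if nxt in path:
                loops.append((new_h, path + (nxt,)))  # back at a visited port
            else:
                work.append((new_h, nxt, path + (nxt,)))
    return reached, loops

# Constructed network with 4-bit headers.
BOXES = {
    "R1": [(("R1", 1), "10xx", "xxxx", ("R1", 2)),
           (("R1", 1), "11xx", "xxxx", ("R1", 3))],
    "R2": [(("R2", 1), "1xx0", "xx1x", ("R2", 2))],
    "R3": [(("R3", 1), "11xx", "10xx", ("R3", 2))],
}
LINKS = {("R1", 2): ("R2", 1), ("R1", 3): ("R3", 1),
         ("R2", 2): ("B", 0), ("R3", 2): ("R1", 1)}

if __name__ == "__main__":
    print(propagate(BOXES, LINKS, "xxxx", ("R1", 1), dst=("B", 0)))
```

Injecting all-x at R1 port 1 yields every header that can arrive at B and the header space that returns to the injection port, together with the path it took.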
Finding Loops • Is the loop infinite? [Figure labels: Finite Loop, Infinite Loop, ?]
Bios of HSA: 1. Optimization, Implementation
Difference of Cubes: ∪ wi − ∪ wj [Figure labels: 10*, 1**; 299 headers!; 1** - 10*; Propagate empty headers!; 10*, 110*]
Network versus classical verification o Took days for 1 query till we compressed headers via difference of cubes (10,000x) o Difference of cubes worked better and faster than Binary Decision Diagrams o Difference of cubes seems to work because router “formulae” have 1 level of negation o Beyond reachability: secure slicing, etc. STRUCTURE IN DOMAIN: LIMITED NEGATION, SMALL FORWARDING EQUIVALENCE CLASSES, LIMITED WRITES, NO LOOPS, SMALL DIAMETER
Why Wildcard Encoding beats BDDs • Wildcard Encoding: 1 → 10, 0 → 01, * → 11, z (null) → 00 • So 1** is encoded as 101111 and 01* as 010111. Intersection: AND, Union: OR • Intersection: null space if any pair is 00 • Word parallel; BDDs, however, are tree-like structures and need sequential access to bits STRUCTURE IN DOMAIN: BDDs ENCODE ARBITRARY FUNCTIONS!
Header Space Library (Hassel) • Two versions – Python and C. • Foundation Layer o Implements Header Space and Transfer Function objects. • Application Layer o Reachability, Loop Detection and Slice Isolation checks. o < 100 LoC for these checks. • Parser (only available in Python) o CLI Parsing tool for Cisco IOS, Juniper Junos and OpenFlow table dump. o Example: for Cisco IOS, reads IP table, ARP table, MAC table, Spanning tree output and Config file. o Keeps mapping from TF Rule to CLI line number. • Available online: git clone https://bitbucket.org/peymank/hassel-public.git
Bios of HSA: 2. Evaluation
Stanford backbone network • Loop detection test [Figure labels: Vlan RED Spanning Tree, Vlan BLUE Spanning Tree] • Owns 6 x /16 IP domains. • ~750K IP fwd rules. • ~1.5K ACL rules. • ~100 Vlans. • Vlan forwarding.
Performance on Stanford Network

| Test | Run Time |
| --- | --- |
| Generating TF | 150 s |
| Pairwise Reachability (Avg) | 40 ms |
| Pairwise Reachability (min) | <1 ms |
| Pairwise Reachability (max) | 500 ms |
| Loop Detection (30 Ports) | 2 s |

• Performance benchmark on a single quad core machine with 4 GB RAM • TF Generation done in Python. • Reachability and isolation test using multi-threaded C implementation.
Scalability • Reachability scales with DR^2. • Loop Detection scales as PDR^2. o D: diameter of network. o R: max. number of rules in a switch. o P: number of ports to inject packets from.

| | Stanford | Stanford x 4 | Stanford x 4 – double rules |
| --- | --- | --- | --- |
| Reachability | 40 ms | 100 ms | 400 ms |
| Loop | 2 s | 20 s | 80 s |
So what’s left • Speed • Specification Language. • Stateful verification • Control Plane • Run time tests