Some Complexity Results for Stateful Network Verification

Some Complexity Results for Stateful Network Verification
Some Complexity Results for Stateful Network
Verification
Yaron Velner1 , Kalev Alpernas1 , Aurojit Panda2 , Alexander Rabinovich1 , Mooly
Sagiv1 , Scott Shenker2 , and Sharon Shoham3
1
Tel Aviv University, Israel
University of California, Berkeley
The Academic College of Tel Aviv Yaffo, Israel
2
3
Abstract. In modern networks, forwarding of packets often depends on the history of previously transmitted traffic. Such networks contain stateful middleboxes, whose forwarding behavior depends on a mutable internal state. Firewalls
and load balancers are typical examples of stateful middleboxes.
This paper addresses the complexity of verifying safety properties, such as isolation, in networks with finite-state middleboxes. Unfortunately, we show that even
in the absence of forwarding loops, reasoning about such networks is undecidable
due to interactions between middleboxes connected by unbounded ordered channels. We therefore abstract away channel ordering. This abstraction is sound for
safety, and makes the problem decidable. Specifically, we show that safety checking is EXPSPACE-complete in the number of hosts and middleboxes in the network. We further identify two useful subclasses of finite-state middleboxes which
admit better complexities. The simplest class includes, e.g., firewalls and permits
polynomial-time verification. The second class includes, e.g., cache servers and
learning switches, and makes the safety problem coNP-complete.
Finally, we implement a tool for verifying the correctness of stateful networks.
1
Introduction
Modern computer networks are extremely complex, leading to many bugs and vulnerabilities which affect our daily life. Therefore, network verification is an increasingly
important topic addressed by the programming languages and networking communities (e.g., see [18,9,16,17,15,30,21,14]). Previous network verification tools leverage
a simple network forwarding model which renders the datapath immutable; i.e., normal packets going through the network do not change its forwarding behavior, and the
control plane explicitly alters the forwarding state at relatively slow time scales. Thus,
invariants can be verified before each control-plane initiated change and these invariants will be enforced until the next such change. While the notion of an immutable
datapath supported by an assemblage of routers makes verification tractable, it does not
reflect reality. Modern enterprise networks are comprised of roughly 2/3 routers and
1/3 middleboxes [31]. A simple example of a middlebox is a stateful firewall which
permits traffic from untrusted hosts only after they have received a message from a
trusted host. Middleboxes — such as firewalls, WAN optimizers, transcoders, proxies,
load-balancers, intrusion detection systems (IDS) and the like — are the most common
way to insert new functionality in the network datapath, and are commonly used to
improve network performance and security. While useful, middleboxes are a common
source of errors in the network [25], with middleboxes being responsible for over 40%
of all major incidents in networks.
This paper addresses the problem of verifying safety of networks with middleboxes,
referred to as stateful networks. From a verification perspective, it is possible to view
a middlebox as a procedure with local mutable state which is atomically changed every time a packet is transmitted. The local state determines the forwarding behavior.4
Thus, the problem of network verification amounts to verifying the correctness of a specialized distributed system where each of the middleboxes operates atomically and the
order of packet arrivals is arbitrary.
We model such a network as a finite undirected graph with two types of nodes:
(i) hosts which can send packets, (ii) middleboxes which react to packet arrivals and
forward modified packets. Each node in the network has a fixed number of ports, connected by network edges (links).
Real middleboxes are generally complex software programs implemented in several
100s of thousands of lines of code. We follow [24,23] in assuming that we are provided
with middlebox models in the form of finite-state transducers. In our experience one
can naturally model the behavior of most middleboxes this way. For every incoming
packet, the transducer uses the packet header and the local state to compute the forwarding behavior (output) and to update state for future packets. The transducer can be
non-deterministic to allow modelling of middleboxes like load-balancers whose behavior depends not just on state, but also on a random number source. We symbolically
represent the local state of each middlebox by a fixed set of relations on finite elements,
each with a fixed arity.
The Verification Problem We define network safety by means of avoiding “bad” middlebox states (e.g., states from which a middlebox forwards a packet in a way that
violates a network policy). Given a set of bad middlebox states, we are interested in
showing that for all packet scenarios the bad states cannot be reached. This problem
is hard since the number of packets is unbounded and the states of one middlebox can
affect another via transmitted packets.
1.1
What is decidable about middlebox verification
In Sec. 3, we prove that for general stateful networks the verification problem is undecidable. This result relies on the observation that packet histories can be used to count,
similarly to results in model checking of infinite ordered communication channels [8].
One may believe that undecidability arises from the presence of forwarding loops in
the network which are usually avoided in real networks. However, we show that the
verification problem is undecidable even for networks without forwarding loops.
In order to obtain decidability, we introduce an abstract semantics of networks
where the order of packet processing on each channel (connecting two middleboxes
or a middlebox and a host) is arbitrary, rather than FIFO. Thus, middlebox inputs are
4
Switches are a degenerate case of middleboxes, whose state is constant and hence their forwarding behavior does not change over time.
multisets of packets which can be processed in any order. This abstraction is conservative, i.e., whenever we verify that the network does not reach a bad state, it is indeed
the case. However, the verification may fail even in correct networks. Since packets are
atomically processed, we note that network designers can impose ordering even in this
abstract model by sending acknowledgments for received packets. This is useful when
enforcing authentication.
In fact, this abstraction closely corresponds to assumptions made by network engineers: since packets in modern networks can traverse multiple paths, be buffered, or
be chosen for more complex analysis, network software cannot assume that packets
sent from a source to a server are received by a server in order. Network protocols
therefore commonly build on TCP, a protocol which uses acknowledgments and other
mechanisms to ensure that servers receive packets in order. Since packet ordering is
enforced by causality (by sending acknowledgments) and by software on the receiving end, rather than by the network semantics, correctness of such networks typically
does not rely on the order of packet processing. Therefore we can successfully verify a
majority of network applications despite our abstraction.
1.2
Complexity of Stateful Verification
In Sec. 6, we show that the problem of network verification when assuming a nondeterministic order of packet processing is complete for exponential space, i.e., it is
decidable, and in the worst case, the decision procedure can take exponential space in
terms of hosts and middleboxes. This is proved by showing that the network safety
problem is equivalent to the coverability problem of Petri nets, which is known to be
EXPSPACE-complete [26].
Since the problem is complete, it is impossible to improve this upper-bound without
further assumptions. Therefore, we also consider limited cases of middleboxes permitting more efficient verification procedures, as
shown in Fig. 1. We identify four classes
of middleboxes with increasing expressive
Fig. 1: Middlebox hierarchy.
power and verification complexity: (i) stateless middleboxes whose forwarding behavior is constant over time, (ii) increasing middleboxes whose forwarding behavior increases over time, (iii) progressing middleboxes
whose forwarding behavior stabilizes after some fixed time, alternatively, the transition
relation of the transducer does not include cycles besides self-cycles, and (iv) arbitrary middleboxes without any restriction. For example, NATs, Switches and simple
ACL-based firewalls are stateless; hole-punching stateful firewalls are increasing; and
learning-switches and cache-proxies are progressing and not increasing.
For stateless and increasing middleboxes, we prove that any packet which arrives
once can arrive any number of times, leading to a polynomial-time verification algorithm, using dynamic programming. We note that efficient near linear-time algorithms
for stateless verification are known (e.g., see [17]). Our result generalizes these results
to increasing networks and is in line with the recent work in [13,19].
For progressing middleboxes, we show that verification is coNP-complete. The
main insight is that if a bad state is reachable then there exists a small (polynomial)
input scenario leading to a bad state. This means that tools like SAT solvers which are
frequently used for verification can be used to verify large networks in many cases but
it also means that we cannot hope for a general efficient solution unless P=NP.
Finally, we note that unlike the known results in stateless networks, the absence
of forwarding loops does not improve the upper bound, i.e., we show that our lower
bounds also hold for networks without forwarding loops.
Packet Space Assumption Previous works in stateless verification [16,14] assume that
packet headers have n-bits, simulating realistic packet headers which can be large in
practice. This makes the complexity of checking safety of stateless networks PSPACEhard. Our model avoids packet space explosion by only supporting three fields: source,
destination, and packet tags. We make this simplification since our work primarily focuses on middlebox policies (rather than routing). As demonstrated in Sec. 5.1, middlebox policies are commonly specified in terms of the source and destination hosts
of a packet and the network port (service) being accessed. For example, at the application level, firewalls may decide how to handle a packet according to a small set of
application types (e.g., skype, ssh, etc.). Source, destination and packet tag are thus sufficient for reasoning about safety with respect to these policies. This simplification is
also supported by recent works (e.g. [17]) which suggest that in practice the forwarding
behavior depends only on a small set of bits.
Lossless Channels Previous works on infinite ordered communication channels have
introduced lossy channel systems [2] as an abstraction of ordered communication that
recovers decidability. Lossy channel systems allow messages to be lost in transit, making the reachability problem decidable, but with a non-elementary lower bound on time
complexity. In our model, packets cannot be lost. On the other hand, the order of packets
arrival becomes nondeterministic. With this abstraction, we manage to obtain elementary time complexity for verification.
Initial Experience We implemented a tool which accepts symbolic representations of
middleboxes and a network configuration and verifies safety. For increasing (and stateless) networks, the tool generates a Datalog program and a query which holds iff a bad
state is reachable. Then, the query is evaluated using existing Datalog engines [22].
For arbitrary networks (and for progressing networks), the tool generates a petri-net
and a coverability property which holds iff the network reaches a bad state. To verify
the coverability property we use LOLA [28,1] — a Petri-Net model checker.
Main Results The main contributions of the paper are: (i) We define a conservative
abstraction of networks in which packets can be processed out of order, and show that
the safety problem of stateful networks becomes decidable, but EXPSPACE-complete.
(ii) We identify classes of networks, characterized by the forwarding behaviors of their
middleboxes, which admit better complexity results (PTIME and coNP). We demonstrate that these classes capture real-world middleboxes. The upper bounds are made
more realistic by stating them in terms of a symbolic representation of middleboxes.
(iii) We present initial empirical results using Petri nets and Datalog engines to verify
safety of networks. Due to space constraints, all proofs are omitted. More details and
examples are provided in a technical report [34].
2
A Formal Model for Stateful Networks
In this section, we present a formal model of networks with stateful middleboxes.
A network N is a finite undirected graph of hosts and middleboxes, equipped with a
packet domain. Formally, N = (H ∪ M, E, P ), where H is a finite set of hosts, M is a
finite set of middleboxes, E ⊆ {{u, v} | u, v ∈ H ∪ M } is the set of (undirected) edges
and P is a set of packets. A host h ∈ H consists of a unique id and a set of packets
hP ⊆ P that it can send.
Packets. In real networks, a packet consists of a packet header and a payload. The
packet header contains a source and destination host ids and additional arbitrary stream
of control bits. The payload is the content of the packet and may consist of any arbitrary
sequence of bits. In particular, the set of packets need not be finite. In this work, P is a
set of abstract packets. An abstract packet p ∈ P consists of a header only in the form
of a triple (s, d, t), where s, d ∈ H are the source and destination hosts (respectively)
and t is a packet tag that ranges over a finite domain T . Intuitively, T stands for an
abstract set of services or security policies. Therefore, P = H × H × T , making it a
finite set. Middlebox behavior in our model is defined with respect to abstract packets
and is oblivious of the underlying concrete packets.
2.1 Stateful Middleboxes
A middlebox m ∈ M in a network N has a set of ports Pr, which consists of all the
adjacent edges of m in the network N, and a forwarding transducer F .
0
, δm )
The forwarding transducer of a middlebox is a tuple F = (Σ, Γ, Qm , qm
where Σ = P × Pr is the input alphabet in which each input letter consists of a packet
and an input port, Γ = 2Σ is the output alphabet describing (possibly empty) sets of
0
∈ Qm is
packets over the different ports, Qm is a possibly infinite set of states, qm
the initial state, and δm : Qm × Σ → 2Γ ×Qm is the transition relation. Note that
the alphabet Σ is finite (since abstract packets are considered). We extend δm to sequences h ∈ (P × Pr)∗ in the natural way: δm (q, ) = {(, q)} and δm (q, h · (p, pr )) =
{(γi · o0 , q 0 ) | ∃qi ∈ Qm . (γi , qi ) ∈ δm (q, h) ∧ (o0 , q 0 ) ∈ δm (qi , (p, pr ))}. The language
of a state q ∈ Qm is L(q) = {(h, γ) ∈ (P × Pr)∗ × (P × Pr)∗ | (γ, q 0 ) ∈ δm (q, h)}.
0
. We also define the set of
The language of F , denoted L(F ), is the language of qm
∗
0
, h)}.
histories leading to q ∈ Qm as h(q) = {h ∈ (P × Pr) | (γ, q) ∈ δm (qm
If F is deterministic, i.e., |δm (q, (p, pr ))| ≤ 1, then every history leads to at most
one state and output, in which case F defines a possibly partial forwarding function
f : (P × Pr)∗ × (P × Pr) → 2P ×Pr where f(h, (p, pr )) = o for the (unique) output o
such that (h · (p, pr ), γ · o) ∈ L(F ). f defines the (possibly empty) set of output packets
(paired with output ports) that m will send to its neighbors following every history h of
packets that m received in the past and input packet p arriving on input port pr. If F is
nondeterministic, a forwarding relation is defined in a similar way.
Note that every forwarding function f can be defined by an infinite-state deterministic transducer: Qm will include a state for every possible history, with as the initial
state. δm will map a state and an input packet to the set of output packets as defined by
f, and will change the state by appending the packet to the history.
Finite-state middleboxes Arbitrary middlebox functionality, defined via infinite-state
transducers, makes middleboxes Turing-complete, and hence impossible to analyze. To
input(src, dst, tag, prt) :
prt = 1 ⇒ // hosts within organization
trusted.insert dst ;
output {(src, dst, tag, 2)}
prt = 2 ∧ src in trusted ⇒
// trusted hosts outside organization
output {(src, dst, tag, 1)}
prt = 2 ∧ ¬(src in trusted) ⇒
output ∅ // untrusted hosts
input(src, dst, tag, prt) :
prt = 1 ∧ (dst, src, tag) in cache ⇒
// previously stored response
output {(this, src, tag, 1)}
prt = 1 ⇒ // new request
output {(this, dst, tag, 2)}
prt = 2 ⇒ // response to a request
cache.insert(src, dst, tag) ;
output{(this, dst, tag, 1)}
(a) A hole-punching firewall.
(b) A Proxy.
Fig. 2: Symbolic representation of middleboxes.
make the analysis tractable, we focus on abstract middleboxes, whose forwarding behavior is defined by finite-state transducers. Nondeterminsm can then be used to overapproximate the behavior of a concrete, possibly infinite-state, middlebox via a finite-state
abstract middlebox, allowing a sound abstraction w.r.t. safety. Note that when nondeterministic transducers are considered, the correspondence between packet histories and
transducer states no longer holds, as a single history might lead to multiple states.
In the sequel, unless explicitly stated otherwise, we consider abstract middleboxes.
We identify a middlebox with its forwarding relation and the transducer that implements
it, and use m to denote each of them.
Symbolic representation of middleboxes We use a symbolic representation of finitestate middleboxes, where a state of m is described by the valuation of a finite set of
relations R1 , . . . , Rk defined over finite elements (e.g., packet header fields). The transition relation δm is also described symbolically using (nondeterministic) update operations of the relations and output. Technically, we use guarded commands, where guards
are Boolean expressions over relation membership predicates of the form e in R and
element equalities e1 = e2 . Each ei is either a constant or a variable that refers to packet
fields. Commands are of the form: (i) insert tuple e to relation R, (ii) remove tuple e
from relation R, and (iii) output set of tuples.
Example 1. Fig. 2a contains a symbolic representation of a hole-punching Firewall
which uses a unary relation trusted. It assumes that port 1 connects hosts inside
a private organization to the firewall and that port 2 connects public hosts. By default,
messages from public hosts are considered untrusted and are dropped. trusted stores
public hosts that become trusted once they receive a packet from private hosts.
Fig. 2b contains a simplified, nondeterminitic, version of a Proxy server (or cache
server). A proxy stores copies of documents (packet payloads) that passed through it.
Subsequent requests for those documents are provided by the proxy, rather than being forwarded. Our modelling abstracts away the packet payloads and keeps only their
types. Consequently we use nondeterminism to also account for different requests with
the same type. The internal relation cache stores responses for packet types.
2.2
Concrete (FIFO) network semantics.
The semantics of a network is given by a transition system defined over a set of configurations. In order to define the semantics we first need to define the notion of channels
which capture the transmission of packets in the network. Formally, each (undirected)
edge {u, v} ∈ E in the network induces two directed channels: (u, v) and (v, u). The
channel (v, u) is the ingress channel of u, as well as the egress channel of v. It consists
of the sequence of packets that were sent from v to u and were not yet received by u
(and similarly for the channel (u, v)). The capacity of channels is unbounded, that is,
the sequence of packets may be arbitrarily long.
Configurations and runs. A configuration of a network consists of the content of each
channel and the state of every middlebox. The initial configuration of a network consists of empty channels and initial states for all middleboxes. A configuration c2 is a
successor of configuration c1 if it can be obtained by either: (i) some host h sending
a sequence of packets p1 , . . . , p` ∈ hP to a neighbor, thus appending these packets to
the corresponding channel; or (ii) some middlebox m processing a packet p from the
head of one of its ingress channels, changing its state to q 0 and appending output o to its
egress channels if (o, q 0 ) ∈ δm (q, (p, pr )) (where q is the current state of m and pr is
the port associated with the ingress channel). This model corresponds to asynchronous
networks with non-deterministic event order.
A run of a network from configuration c0 is a sequence of configurations
c0 , c1 , c2 , . . . such that ci+1 is a successor configuration of ci . A run is a run from the
initial configuration. The set of reachable configurations from a configuration ci is the
set of all configurations that reside on a run from ci . The set of reachable configurations
of a network is the set of reachable configurations from the initial configuration.
3
Verification of Safety Properties in Stateful Networks
In this section we define the safety verification problem in stateful networks, as well as
the special case of isolation. We prove their undecidability w.r.t. the FIFO semantics.
To describe safety properties, we augment middleboxes with a special abort state
that is reached whenever δm (q, (p, pr)) = ∅, i.e., the forwarding behavior is undefined
(not to be confused with the case where (∅, q 0 ) ∈ δm (q, (p, pr )) for some q 0 ∈ Qm ).
This lets middleboxes function as “monitors” for safety properties. If δm (q, (p, pr)) =
∅, and h ∈ h(q), we say that m aborts on h · (p, pr ) (and every extension thereof).
Similarly, we augment the symbolic representation with an abort command.
We define abort configurations as network configurations where at least one middlebox is in an abort state.
Safety. The input to the safety problem consists of a network N (that possibly contains
property middleboxes). The output is True if no abort configuration is reachable in N,
and False otherwise.
Isolation. An important example of a safety property is isolation. In the isolation problem, the input is a network N, a set of hosts Hi ⊆ H and a forbidden set of packets
Pi ⊆ P . The output is True if there is no run of N in which a host from Hi receives
a packet from Pi , and False otherwise. The isolation problem can be formulated as a
safety problem by introducing an isolation middlebox mhi for every host hi ∈ Hi . The
role of mhi is to monitor all traffic to hi , and abort if a forbidden packet p ∈ Pi arrives.
All other packets are forwarded to hi . Clearly, isolation holds if and only if the resulting
network is safe.
r1
f1
lb
A
r2
B
(a) Load Balancer and Rate
Limiter
A
f
B
c
f2
S1
S2
(b) Firewall and Proxy
pub11
pri11
pub21
pri21
(c) Multi-tenant data center
Fig. 3: Interesting network topologies for verification.
Example 2. Fig. 3 shows several examples of interesting middlebox topologies for verification. In all of the topologies shown we want to verify a variant of the isolation
property. In Fig. 3a we want to verify that A, a host, cannot send more than a fixed
number of packets to B. Here r1 and r2 are rate limiters, i.e., they count the number of
packets they have seen going from one host to the other, and lb is a load balancer that
evenly spreads packets from A along both paths (to minimize the load on any one path).
In Fig. 3b we want to ensure that host A cannot access data that originates in S1 , but
should be allowed to access data from S2 , where f is a firewall and c is a proxy (cache)
server. Finally in Fig. 3c we show a multi-tenant datacenter (e.g., Amazon EC2), where
many independent tenants insert rules into firewalls (f1 and f2 ) and we want to ensure
that the overall behavior of these rules is correct. For example, we would like to ensure
that pri11 cannot communicate with pri12 , and pub12 communicates with pri11 only if pri11
initiates the connection.
Undecidability of Safety w.r.t. the FIFO Semantics. We prove undecidability even in
networks with no forwarding loops. We show that undecidability holds for a network
with a DAG topology (i.e., a network with uni-directional links and no directed cycles).
Theorem 1. The safety problem w.r.t. the FIFO network semantics is undecidable even
for networks with finite-state middleboxes and without forwarding loops.
The proof of the theorem uses a reduction from the (undecidable) halting problem of
a two-counter machine to the complement of the isolation problem. Interestingly, the
reduction constructs a network with only three middleboxes, that do not change the
packet header (namely, they just forward packets).
4
Abstract Network Semantics
In this section we define an abstract network semantics, called the unordered semantics,
which recovers decidability of the safety problem.
In the concrete (FIFO) network semantics channels are ordered. In an ordered channel, if a packet p1 precedes a packet p2 in an ingress channel of some middlebox, then
the middlebox will receive packet p1 before it receives packet p2 . We abstract this semantics by an unordered network semantics, where the channels are unordered, i.e.,
there is no restriction on the order in which a middlebox receives packets from its
ingress channel. In this case, the sequence of pending packets in a channel can be abstracted by a multiset of packets. Namely, the only relevant information is how many
occurrences each packet has in the channel. The definitions of configurations and runs
w.r.t. the unordered semantics are adapted accordingly.
Remark 1. Every run w.r.t. the FIFO network semantics is also a run w.r.t. the unordered
semantics. Therefore, if safety holds w.r.t. the unordered semantics, then it also holds for
the FIFO semantics, making the unordered semantics a sound abstraction of the FIFO
semantics w.r.t. safety. The abstraction can introduce false alarms, where a violation
exists w.r.t. the unordered semantics but not w.r.t. the concrete semantics. Still, in many
cases, the abstraction is precise enough to enable verification. In particular, in Lemma 4
we show that for an important class of networks, the two semantics coincide w.r.t. safety.
Decidability of Safety w.r.t. the Unordered Semantics In the unordered semantics, the
network forms a special case of monotone transition systems: We define a partial order
≤ between network configurations such that c1 ≤ c2 if the middlebox states in c1 and
c2 are the same and c2 has at least the same packets (for every packet type) in every
channel. The network is monotone in the sense that for every run from c1 there is a
corresponding run from any bigger c2 , since more packets over a channel can only add
possible scenarios. The partial order is trivially a well-quasi-order (as the number of
packets cannot be negative), and the predecessor relation is obviously computable. The
classical results in [3] and [12] prove that in monotone transition systems a backward
reachability algorithm always terminates and thus, the safety problem is decidable. Formal arguments and complexity bounds are provided by Theorem 4.
5
Classification of Stateful Middleboxes
Encouraged by the decidability of safety w.r.t. the unordered semantics, we are now
interested in investigating its complexity. As a first step, in this section, we identify
three special classes of forwarding behaviors of middleboxes within the class of arbitrary middleboxes. Namely, stateless, increasing, and progressing middleboxes. We
show that these classes capture the behaviors of real world middleboxes. The classes
naturally extend to classes of networks: a network is stateless (respectively, increasing,
progressing or arbitrary) if all of its middleboxes are. As we show in Sec. 6, each of
these classes results in a different complexity of the safety problem.
Stateless middlebox. A middlebox m is stateless if it can be implemented as a transducer with a single state (in addition to the abort state), i.e., its forwarding behavior
does not depend on its history.
Increasing middlebox. A middlebox m is increasing if its forwarding relation is monotonically increasing w.r.t. its history, where histories are ordered by the subsequence
relation5 , denoted by v. Formally, a middlebox m is increasing if for every two histories h1 , h2 ∈ (P × Pr)∗ : if h1 v h2 , then for every packet p and port pr , if
(h1 · (p, pr ), γ1 · o1 ) ∈ Lm then either m aborts on h2 · (p, pr ) or there is γ2 · o2 s.t.
(h2 · (p, pr ), γ2 · o2 ) ∈ Lm and o1 ⊆ o2 , where Lm is the language of m’s transducer.
Progressing middlebox. In order to define progressing middleboxes, we define an
equivalence relation between middlebox states based on their forwarding behavior.
States q, q 0 are equivalent, denoted q1 ≈ q2 , if L(q1 ) = L(q2 ). A middlebox m is
progressing if it can be implemented by a transducer in which whenever the state is
5
A subsequence is a sequence that can be derived from another sequence by deleting some
elements without changing the order of the remaining elements.
changed into a non-equivalent state, it will never return to an equivalent state. Formally,
if (o0 , q 0 ) ∈ δm (q, (p, pr )) and q 0 6≈ q (where q, q 0 are reachable states of m) then for
any history h ∈ (P × Pr)∗ , if (γ 00 , q 00 ) ∈ δm (q 0 , h) then q 00 6≈ q.
The next lemma summarizes the hierarchy of the classes (as illustrated by Figure 1).
Lemma 1. – Any stateless middlebox is also increasing.
– Any increasing middlebox is also progressing.
Syntactic characterization of middlebox classes. The classes of middleboxes defined
above can be characterized via syntactic restrictions on their symbolic representation.
A middlebox representation is syntactically stateless if its representation does not
use any insert or remove command on any relation. A middlebox representation is syntactically increasing if its representation does not use the remove command on any
relation, and does not include any insert command under guards that include negated
membership predicates. A middlebox representation is syntactically progressing if its
representation does not use the remove command on any relation.
Lemma 2. A middlebox is stateless (respectively increasing, progressing) if and only if
it has a stateless (respectively increasing, progressing) representation.
5.1
Examples
In this subsection, we introduce several middleboxes, each of which resides in one of
the classes of the hierarchy presented above.
ACL switches. An ACL switch has a fixed access control list (ACL) that indicates which
packets it should forward and which packets it should discard. Typically the rules in the
list refer to the port number or to hosts that are allowed to use a certain service. As such,
the forwarding policy of an ACL switch is based only on the source host and/or ingress
port of the current packet, and does not depend on previous packets. Hence, an ACL
switch can be implemented by a stateless middlebox.
Hole-punching firewalls. A hole-punching firewall is described in Example 1. As the
set of trusted hosts depends on the history of the middlebox, a hole punching firewall
cannot be captured by a stateless middlebox. (Formally, the same packet is handled
differently when it follows different histories.) On the other hand, it is increasing. If
for a certain history a host is trusted, then any additional packets (in the past or in the
future) will not make it untrusted.
Learning switch. A learning switch dynamically learns the topology of the network and
constructs a routing table accordingly. Initially, the routing table of the switch is empty.
For every host h the switch remembers the first port from which a packet with source
h has arrived. When a packet arrives, if the port of the destination host is known, then
the packet is forwarded to that port; otherwise, the packet is forwarded to all connected
ports excluding the input-port.
A learning switch is a progressing middlebox. Intuitively, after the middlebox’s
forwarding function has changed to incorporate the destination port for a certain host h,
it will never revert to a state in which it has to flood a packet destined for h. A learning
switch is however, not an increasing middlebox, as packets destined for a host whose
location is not known are initially flooded, but after location of the host is learned, a
single copy of all subsequent packets are sent.
Proxy server. The Proxy server as described in Example 1 is an increasing middlebox.
After it has stored a response, it nondeterministically replies with the stored response,
or sends the request to the server again. However, in a concrete network model that
does not abstract away the packet payload, a proxy is a progressing middlebox. Once a
new request is responded by a proxy the forwarding behavior changes as it takes into
account the new response, and it never returns to the previous forwarding behavior (as it
does not “forget” the response). However, such a proxy is not an increasing middlebox:
while it behaves in a monotonically increasing manner over its request port, it behaves
in a monotonically decreasing manner over the response port.
Round-robin load balancer. A load balancer is a device that distributes network traffic
across a number of servers. In its simplest implementation, a round-robin balancer with
n out-ports (each connected to a server) forwards the i-th packet it receives to out-port
i (mod n). Round-robin load balancers are not progressing middleboxes, as the same
forwarding function repeats after every cycle of n packets.
Remark 2. In practice, middlebox behavior can also be affected by timeouts and session
termination. For example, in a firewall, a trusted host may become untrusted when a
session terminates (which makes the firewall behavior no longer increasing). In this
work, we do not model timeouts and session termination. In many practical cases, such
as firewalls, resets can only prevent packets from being forwarded and therefore restrict
reachability, thus not causing safety violations.
6
Complexity of Safety w.r.t. the Unordered Semantics
When considering the unordered network semantics, the safety problem becomes decidable for networks with finite-state middleboxes. In this section, we analyze its complexity. We provide tight bounds, as well as algorithms with matching complexity. The
complexity bounds are w.r.t the input size, namely, (i) the number of hosts; (ii) number of middleboxes; and (iii) the encoding size of the middleboxes functionality, i.e., the
size of the explicit state machine (if the encoding is explicit) or the number of characters
in the symbolic representation (if the encoding is symbolic).
The following lemma summarizes the obtained lower bounds:
Lemma 3. The safety problem w.r.t. the unordered network semantics is coNP-hard for
progressing networks, and EXPSPACE-hard for arbitrary stateful networks.
The coNP-hardness result is proved by a reduction from the complement of the Hamiltonian Path problem. The constructed network contains only stateless middleboxes and
learning switches, making the coNP-hardness result apply already to such networks,
which are used in practice. The second part of the lemma is proved by a reduction from
the control state reachability problem of vector addition systems with states (VASS)
which is known to be EXPSPACE-complete [10].
Upper Bounds. The rest of this section provides complexity upper bounds for the safety
problem of stateful networks w.r.t. the unordered semantics of networks. Our complexity analysis considers symbolic representations of middleboxes (which might be exponentially more succinct than explicit-state representations). The obtained upper bounds
match the lower bounds from Lemma 3 (hence, the bounds are tight).
StateData := {m 7→ InitialRelationValues(m) | m ∈ M }
PacketData := {m 7→ NeighborHostPackets(m) | m ∈ M }
while fixed-point not reached
foreach m ∈ M , (p, pr ) ∈ PacketData(m)
let q = GetState(StateData(m))
if δm (q, (p, pr )) = ∅ then return violation // abort state reached
let (q 0 , o) ∈ δm (q, (p, pr ))
StateData := AddData(m, q 0 )
PacketData := AddPacketsToNeighbors(m, o)
return safe
Fig. 4: Safety checking of increasing networks.
Remark 3. The complexity upper bounds we present are under the assumption that all
relations used to define middlebox states may have at most polynomial number of elements (polynomial in the size of the network and the size of the middlebox representation). To enforce this limitation we assume that the arity of relations is constant.
6.1
Unordered Safety of Increasing Networks is in PTIME
In this section, we show that safety of syntactically increasing networks is in PTIME.
Further, we show that for increasing networks, safety w.r.t. the unordered semantics and
the FIFO semantics coincide. As such, the polynomial upper bound applies to both.
Fig. 4 presents a polynomial algorithm for determining safety of a syntactically
increasing network. The algorithm performs a fixed-point computation of the set of all
tuples present in middlebox relations in reachable middlebox states, as well as the set
of all different packets transmitted in the network. For every middlebox m ∈ M , the
algorithm maintains the following sets:
– StateData(m): a set of pairs of the form (R, d) where R is a relation of m, and d
is a tuple in the domain of R, indicating that there is a run in which d ∈ R.
– PacketData(m): a set of pairs of the form (p, pr ), where p is a packet and pr is a
port of m, indicating that p can reach m from port pr .
StateData(m) is initialized to reflect the initial values of all middlebox relations.
PacketData(m) is initialized to include the packets that can be sent from neighbor
hosts. As long as a fixed-point is not reached, the algorithm iterates over all middleboxes and their packet data. For each middlebox m and (p, pr ) ∈ PacketData(m), m
is run over (p, pr ) from the state q in which every relation R contains all the tuples d
such that (R, d) ∈ StateData(m). The sets StateData(m) and PacketData(m0 ) for
every neighbor m0 of m, are updated to reflect the discovery of more elements in the
relations (more reachable states), and more packets that can be transmitted.
As the algorithm only adds reachable
states and packets, its running time is polynoP
mial and bounded by |M |(|P ||Pr| |Ri |)2 .
The correctness of the algorithm relies on the property of increasing networks that
if a packet is sent in some run from a reachable configuration, then a run where it is sent
exists from every reachable configuration. The same goes for elements that are added
to relations. Intuitively, this ensures that even though the algorithm considers “accumulative” middlebox states (by accumulating relation values) rather than exploring all
possible reachable states, it does not miss any violation of safety. We conclude:
Theorem 2. The safety problem of syntactically increasing networks w.r.t. the unordered semantics is in PTIME.
Remark 4. If n-tag packet headers are allowed, i.e. P = H×H×T1 . . .×Tn , then |P | is
no longer polynomial in the network representation, damaging the complexity analysis
of the algorithm. In fact, in this case the safety problem w.r.t. the unordered semantics
becomes PSPACE-hard even for stateless middleboxes (this is proved by reduction from
the emptiness problem of the intersection of n automata).
Recall that in general, safety w.r.t. the FIFO semantics and the unordered semantics
do not coincide. However, the following lemma shows that for increasing networks they
do, making the same algorithm and complexity analysis applicable. The proof utilizes
the property that in increasing networks if a packet p reaches a middlebox m once (in
either semantics), then it can reach m again, thus enabling the simulation of unordered
channels with ordered ones. The lemma applies also to infinite-state middleboxes.
Lemma 4. Let N be an increasing network. Then the output of the safety problem in N
w.r.t. the FIFO semantics and w.r.t. the unordered semantics is identical.
6.2
Unordered Safety of Progressing Networks is in coNP
We prove coNP-membership of the safety problem in syntactically progressing networks by proving that there exists a witness run for safety violation if and only if there
exists a “short” witness run, where a witness run for safety violation is a run from the
initial configuration in which at least one middlebox reaches an abort state. The key
observation is formalized by the following lemma:
Lemma 5. Let N be a syntactically progressing network whose middleboxes are defined via relations R1 , . . . , Rn (in total). Then there is aP
run ending in an abort state if
n
and only if there is such a run whose length is at most ( i=1 |Ri |)3 |P ||M |.
The proof of the lemma considers the network states that arise in a run. A network state
consists of the values of (R1 , . . . , Rn ), i.e., it captures the states of all middleboxes (not
to be confused with a network configuration, which also includes the content of every
channel). In order to construct a shorter run, we bound both the number of different
network states in a run andP
the number of steps in which a run stays in the same state.
n
The former is bounded by i=1 |Ri | due to the progress of the network. To provide a
bound for the latter, we analyze the packets that “affect” the run, utilizing the property
that steps that process packets that do not affect the run can be omitted.
Since the size of each relation is polynomial in the size of the network, and combined with the hardness result from Lemma 3, we conclude:
Theorem 3. The safety problem of syntactically progressing networks w.r.t. the unordered semantics is coNP-complete.
6.3
Unordered Safety of Arbitrary Networks is in EXPSPACE
In this section we show how to solve the non-safety problem of symbolic networks by a
reduction to the coverability problem of vector addition systems (VAS), a.k.a. petri-nets,
which is EXPSPACE-complete [26].
A VAS is a pair (x0 ∈ Nk , X ⊂ Zk ), where x0 is the initial value vector and X is a
set of transition vectors, each with k dimensions. A finite run in the VAS is a sequence of
transitions x1 , x2 , . . . , x` , such that for every i ∈ {1, . . . , `} the sum x0 + x1 + · · · + xi
is non-negative in all dimensions. The coverability problem asks whether a VAS has a
P`
run x1 , x2 , . . . , x` with i=0 xi ≥ y, where y is an input vector.
VAS construction We sketch a polynomial encoding of a network as a VAS. Roughly
speaking, the transitions of the VAS are used to simulate the processing of packets
in the network. Their non-deterministic nature captures the non-deterministic order of
network events. We first introduce the VAS dimensions and their roles in the simulation.
Channel simulation: To keep track of the packets over the unbounded channels, we
assign a packet dimension to every packet p ∈ P and every channel. The initial value of
each packet dimension is 0, it is incremented whenever a packet is added to a channel,
and decremented whenever a packet is processed.
Relation simulation: To keep track of relation values, we assign two dimensions,
active and inactive, to every relation R and every tuple d in the domain of R. The active
dimension indicates whether d ∈ R and the inactive one indicates whether d 6∈ R. Both
dimensions will have only values of 0 or 1. We need two dimensions since the VAS
semantics does not allow to encode negative (e.g., non-membership) conditions.
Single step simulation: To make sure that no two packets are simultaneously processed, we introduce a scheduler dimension. The scheduler dimension has initial value
1, it is decremented whenever a packet processing starts, and incremented when it ends.
In addition, to keep track of which command needs to be executed, we assign a command dimension to every guard and command, including an abort dimension (if an
abort command exists). The guard/command dimension has value 1 when the command
needs to be executed. Finally, to keep track of values of variables (e.g., src, dst, tag,
prt), we assign a dimension for every possible value d of variable ei . The dimension of
(ei , d) has value 1 if and only if ei has value d.
The VAS transitions increment and decrement these dimensions to simulate the start
of a packet processing event, as well as the execution of each guarded command. In
particular, decrements are used to enforce the execution of transitions only when the
dimension has value 1 (and not 0).
Non-safety of the network then amounts to a run in the VAS where an abort dimension gets a positive value. The reduction, combined with the lower bound implies:
Theorem 4. The safety problem of arbitrary stateful networks w.r.t. the unordered semantics is EXPSPACE-complete.
7
Implementation and Case Studies
In this section, we describe a prototype implementation of a tool for verification of
stateful networks, and describe our initial experience while running the tool on the
networks listed in Example 2 and illustrated in Fig. 3. For the experiments we used
quad core Intel Core i7-4790 CPU with 32GB memory.
Increasing Middleboxes Increasing networks are verified using LogicBlox, a Datalog
based database system [5]. The Multi-Tenant Datacenter example is an increasing network. Our tool produced a datalog program with 35 predicates, 153 rules and 29 facts.
LogicBlox successfully reached a fixed point in 3s, and proved all required properties.
Arbitrary Middleboxes Progressing and Arbitrary networks are verified using LOLA,
a Petri-Net model checker [28,1]. In the Load Balancer and Rate Limiter example our
tool created a P/T net with 243 places and 663 transitions; it was successfully verified
in 30ms. In the Firewall and Proxy example our tool produced a P/T net with 530 places
and 4447 transitions. LOLA successfully verified the resulting petri-net in 0.2s.
8
Conclusion and Related Work
In this paper, we investigated the complexity of reasoning about stateful networks. We
developed three algorithms and several lower bounds. In the future we hope to develop
practical verification methods utilizing the results in this paper. Below we survey some
of the most closely related work.
Topology-independent verification The earliest use of formal verification in networking
focused on proving correctness and checking security properties for protocols [11,27].
Recent works such FlowLog [21] and VeriCon [6] also aim to verify the correctness of
a given middlebox implementation w.r.t any possible network topology and configuration, e.g., flow table entries only contain forwarding rules from trusted hosts.
Immutable topology-dependent verification Recent efforts in network verification [20,9,16,17,32,30,4,14] have focused on verifying network properties by analyzing forwarding tables. Some of these tools including HSA [15], Libra [35] and VeriFlow [17]. These tools perform near real-time verification of simple properties, but
they cannot handle dynamic (mutable) datapaths.
Mutable topology-dependent verification SymNet [33] has suggested the need to extend
these mechanisms to handle mutable datapath elements. In their mechanism the mutable
middlebox states are encoded in the packet header. This technique is only applicable
when state is not shared across a flow (i.e., the middlebox can punch holes, but do no
more), and will not work for cache servers or learning switches.
The work in [24] is the most similar to our model. Their work considers Pythonlike syntax enriched with uninterpreted functions that model complicated functionality.
However [24] do not define formal network semantic (e.g., FIFO vs ordered channels)
and do not give any formal claim on the complexity of the solution.
Channel systems Channel systems, also called Finite State Communicating Machines,
are systems of finite state automata that communicate via asynchronous unbounded
FIFO channels [7,8]. They are a natural model for asynchronous communication protocols. Verification of such systems in undecidable. Abdulla and Jonsson [2] introduced
lossy channel systems where messages can be lost in transit. In their model the reachability problem is decidable but has a non-primitive lower bound [29].
In this work we use unordered (non-lossy) channels as a different relaxation for
channel systems. The unordered semantics over-approximates the lossy semantics w.r.t.
safety, as any violating run w.r.t. the lossy semantics can be simulated by a run w.r.t. the
unordered semantics where “lost” packets are starved until the violation occurs. The
unordered semantics admits verification procedures with elementary complexity, and
turns out to be sufficiently precise for many network protocols.
Acknowledgements. The research leading to these results has received funding from
the European Research Council under the European Union’s Seventh Framework Programme (FP7/2007-2013) / ERC grant agreement no [321174]. Research supported by
the Israel Science Foundation grant no.652/11. This research was also supported in part
by NSF grants 1040838 and 1420064, and funding provided by Intel Corporation.
References
1. Lola 2.0 sources. http://download.gna.org/service-tech/lola/lola-2.
0.tar.gz.
2. P. Abdulla and B. Jonsson. Verifying programs with unreliable channels. In Logic in Computer Science (LICS), pages 160–170. IEEE, 1993.
3. P. A. Abdulla, K. Čerāns, B. Jonsson, and Y.-K. Tsay. General decidability theorems for
infinite-state systems. In Logic in Computer Science (LICS), pages 313–321. IEEE, 1996.
4. C. J. Anderson, N. Foster, A. Guha, J.-B. Jeannin, D. Kozen, C. Schlesinger, and D. Walker.
NetKAT: Semantic foundations for networks. In POPL, 2014.
5. M. Aref, B. ten Cate, T. J. Green, B. Kimelfeld, D. Olteanu, E. Pasalic, T. L. Veldhuizen,
and G. Washburn. Design and implementation of the logicblox system. In ACM SIGMOD
International Conference on Management of Data, pages 1371–1382, 2015.
6. T. Ball, N. Bjørner, A. Gember, S. Itzhaky, A. Karbyshev, M. Sagiv, M. Schapira, and A. Valadarsky. Vericon: towards verifying controller programs in software-defined networks. In
ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI,
page 31, 2014.
7. G. V. Bochmann. Finite state description of communication protocols. Computer Networks
(1976), 2(4):361–372, 1978.
8. D. Brand and P. Zafiropulo. On communicating finite-state machines. Journal of the ACM
(JACM), 30(2):323–342, 1983.
9. M. Canini, D. Venzano, P. Peres, D. Kostic, and J. Rexford. A nice way to test openflow
applications. In 9th USENIX Symposium on Networked Systems Design and Implementation
(NSDI’12), 2012.
10. E. Cardoza, R. Lipton, and A. R. Meyer. Exponential space complete problems for petri nets
and commutative semigroups (preliminary report). In Proceedings of the eighth annual ACM
symposium on Theory of computing, pages 50–54. ACM, 1976.
11. E. M. Clarke, S. Jha, and W. R. Marrero. Using state space exploration and a natural deduction style message derivation engine to verify security protocols. In Programming Concepts
and Methods, IFIP TC2/WG2.2,2.3 International Conference on Programming Concepts and
Methods (PROCOMET ’98) 8-12 June 1998, Shelter Island, New York, USA, pages 87–106,
1998.
12. A. Finkel and P. Schnoebelen. Well-structured transition systems everywhere! Theoretical
Computer Science, 256(1):63–92, 2001.
13. A. Fogel, S. Fung, L. Pedrosa, M. Walraed-Sullivan, R. Govindan, R. Mahajan, and T. D.
Millstein. A general approach to network configuration analysis. In 12th USENIX Symposium on Networked Systems Design and Implementation, NSDI 15, Oakland, CA, USA, May
4-6, 2015, pages 469–483, 2015.
14. N. Foster, D. Kozen, M. Milano, A. Silva, and L. Thompson. A coalgebraic decision procedure for netkat. In Proceedings of the 42nd Annual ACM SIGPLAN-SIGACT Symposium on
Principles of Programming Languages, POPL 2015, Mumbai, India, January 15-17, 2015,
pages 343–355, 2015.
15. P. Kazemian, M. Chang, H. Zeng, G. Varghese, N. McKeown, and S. Whyte. Real time
network policy checking using header space analysis. In 10th USENIX Symposium on Networked Systems Design and Implementation (NSDI ’13), 2013.
16. P. Kazemian, G. Varghese, and N. McKeown. Header space analysis: Static checking for
networks. In 9th USENIX Symposium on Networked Systems Design and Implementation
(NSDI ’12), 2012.
17. A. Khurshid, W. Zhou, M. Caesar, and B. Godfrey. Veriflow: verifying network-wide invariants in real time. Computer Communication Review, 42(4):467–472, 2012.
18. M. Kuzniar, P. Peresini, M. Canini, D. Venzano, and D. Kostic. A soft way for openflow
switch interoperability testing. In CoNEXT, pages 265–276, 2012.
19. N. P. Lopes, N. Bjørner, P. Godefroid, K. Jayaraman, and G. Varghese. Checking beliefs in
dynamic networks. In 12th USENIX Symposium on Networked Systems Design and Implementation, NSDI 15, Oakland, CA, USA, May 4-6, 2015, pages 499–512, 2015.
20. H. Mai, A. Khurshid, R. Agarwal, M. Caesar, B. Godfrey, and S. T. King. Debugging the
Data Plane with Anteater. In SIGCOMM, 2011.
21. T. Nelson, A. D. Ferguson, M. J. G. Scheer, and S. Krishnamurthi. Tierless programming and
reasoning for software-defined networks. In Proceedings of the 11th USENIX Symposium on
Networked Systems Design and Implementation, NSDI 2014, Seattle, WA, USA, April 2-4,
2014, pages 519–531, 2014.
22. OpenStack. LogicBlox. http://www.logicblox.com/ retrieved 07/07/2015.
23. A. Panda, K. J. Argyraki, M. Sagiv, M. Schapira, and S. Shenker. New directions for network
verification. In 1st Summit on Advances in Programming Languages, SNAPL 2015, May 3-6,
2015, Asilomar, California, USA, pages 209–220, 2015.
24. A. Panda, O. Lahav, K. Argyraki, M. Sagiv, and S. Shenker. Verifying isolation properties in
the presence of middleboxes. arXiv preprint arXiv:1409.7687, 2014.
25. R. Potharaju and N. Jain. Demystifying the dark side of the middle: a field study of middlebox failures in datacenters. In Proceedings of the 2013 Internet Measurement Conference,
IMC 2013, Barcelona, Spain, October 23-25, 2013, pages 9–22, 2013.
26. C. Rackoff. The covering and boundedness problems for vector addition systems. Theoretical Computer Science, 6(2):223–231, 1978.
27. R. W. Ritchey and P. Ammann. Using model checking to analyze network vulnerabilities. In
Security and Privacy, 2000.
28. K. Schmidt. Lola a low level analyser. In Application and Theory of Petri Nets 2000, pages
465–474. Springer, 2000.
29. P. Schnoebelen. Verifying lossy channel systems has nonprimitive recursive complexity.
Information Processing Letters, 83(5):251–261, 2002.
30. D. Sethi, S. Narayana, and S. Malik. Abstractions for model checking sdn controllers. In
FMCAD, 2013.
31. J. Sherry, S. Hasan, C. Scott, A. Krishnamurthy, S. Ratnasamy, and V. Sekar. Making middleboxes someone else’s problem: Network processing as a cloud service. In SIGCOMM,
2012.
32. R. Skowyra, A. Lapets, A. Bestavros, and A. Kfoury. A verification platform for sdn-enabled
applications. In HiCoNS, 2013.
33. R. Stoenescu, M. Popovici, L. Negreanu, and C. Raiciu. Symnet: static checking for stateful
networks. In Proceedings of the 2013 workshop on Hot topics in middleboxes and network
function virtualization, pages 31–36. ACM, 2013.
34. Y. Velner, K. Aplernas, A. Panda, A. Rabinovich, M. Sagiv, S. Shenker, and S. Shoham.
Some complexity results for stateful network verification. http://www.cs.tau.ac.
il/˜msagiv/tacas16submission.pdf.
35. H. Zeng, S. Zhang, F. Ye, V. Jeyakumar, M. Ju, J. Liu, N. McKeown, and A. Vahdat. Libra:
Divide and conquer to verify forwarding tables in huge networks. In NSDI, 2014.
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF

advertisement