Formally specifying and checking policies and anomalies in service function chaining

Abstract: One of the proposed management strategies for SDN networks is to specify traffic forwarding through policies, where each policy rule identifies a traffic flow and the service function chain it must traverse. Network operators need to check network configurations as early as possible, yet the SDN verification literature focuses on checking policy correctness during or after deployment. This paper instead proposes early verification of forwarding policies, before deployment, by searching for anomalies that can lead to erroneous or unexpected network behaviour. The verification relies on a formal model that gives high flexibility in specifying both a forwarding policy and the set of anomalies to check. The approach is efficient and highly scalable, as confirmed by tests on large networks.
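A concrete illustration of the kind of pre-deployment check the abstract describes, as an added example that is not the paper's model or code. It assumes first-match rule semantics, four header fields and a fixed service function inventory, and uses an assumed anomaly set: shadowing, redundancy, correlation and generalization borrow the usual firewall-anomaly vocabulary, and two structural checks (a function repeated in a chain, a function not in the inventory) are added. The paper's own anomaly classes are not given in the abstract; the sample inventory and policy are constructed for this example.

```python
"""Pre-deployment anomaly check for SFC forwarding policies (added example).

Illustrative code written for this page, not the paper's formal model or
tool. A policy is an ordered, first-match list of rules; each rule matches a
traffic flow on a few header fields and names the service function chain the
flow must traverse. Rules are checked against each other and against the
function inventory before anything is pushed to the network. The anomaly
classes are an assumption of this example, not the paper's.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ANY = None  # wildcard: the field is not constrained


@dataclass(frozen=True)
class Match:
    src: Optional[FrozenSet[str]] = ANY
    dst: Optional[FrozenSet[str]] = ANY
    proto: Optional[FrozenSet[str]] = ANY
    dport: Optional[FrozenSet[int]] = ANY

    def fields(self):
        return (self.src, self.dst, self.proto, self.dport)


@dataclass(frozen=True)
class Rule:
    name: str
    match: Match
    chain: Tuple[str, ...]  # ordered service function names


def _field_subset(a, b) -> bool:
    # a is contained in b for one field: a wildcard on b accepts everything,
    # a wildcard on a is only contained in a wildcard on b.
    if b is ANY:
        return True
    if a is ANY:
        return False
    return a <= b


def _field_overlap(a, b) -> bool:
    if a is ANY or b is ANY:
        return True
    return bool(a & b)


def is_subset(m1: Match, m2: Match) -> bool:
    """Every flow matched by m1 is also matched by m2."""
    return all(_field_subset(a, b) for a, b in zip(m1.fields(), m2.fields()))


def overlaps(m1: Match, m2: Match) -> bool:
    """At least one flow is matched by both m1 and m2."""
    return all(_field_overlap(a, b) for a, b in zip(m1.fields(), m2.fields()))


def check_policy(rules: List[Rule], inventory) -> List[tuple]:
    """Return (anomaly, rule, detail) tuples; an empty list means no anomaly found."""
    findings = []
    # Structural checks on each chain in isolation.
    for r in rules:
        unknown = tuple(sf for sf in r.chain if sf not in inventory)
        if unknown:
            findings.append(("unknown_function", r.name, unknown))
        if len(set(r.chain)) != len(r.chain):
            findings.append(("chain_loop", r.name, r.chain))
    # Pairwise checks under first-match semantics: `hi` precedes `lo`,
    # so `hi` wins wherever both rules match the same flow.
    for i, hi in enumerate(rules):
        for lo in rules[i + 1:]:
            if is_subset(lo.match, hi.match):
                # lo can never fire: harmless if same chain, an error otherwise
                kind = "redundancy" if lo.chain == hi.chain else "shadowing"
                findings.append((kind, lo.name, hi.name))
            elif lo.chain != hi.chain:
                if is_subset(hi.match, lo.match):
                    findings.append(("generalization", lo.name, hi.name))
                elif overlaps(lo.match, hi.match):
                    # the shared flows silently take hi's chain, not lo's
                    findings.append(("correlation", lo.name, hi.name))
    return findings


# Constructed sample inventory and policy (not taken from the paper).
INVENTORY = {"fw", "ids", "nat", "lb"}
POLICY = [
    Rule("R1", Match(dst=frozenset({"web"}), proto=frozenset({"tcp"}),
                     dport=frozenset({80, 443})), ("fw", "ids", "lb")),
    Rule("R2", Match(dst=frozenset({"web"}), proto=frozenset({"tcp"}),
                     dport=frozenset({443})), ("fw", "lb")),          # shadowed by R1
    Rule("R3", Match(dst=frozenset({"web"}), proto=frozenset({"tcp"}),
                     dport=frozenset({80})), ("fw", "ids", "lb")),    # redundant with R1
    Rule("R4", Match(src=frozenset({"guest"}), proto=frozenset({"tcp"}),
                     dport=frozenset({80, 8080})), ("nat", "fw")),    # correlates with R1, R3
    Rule("R5", Match(src=frozenset({"dmz"}), proto=frozenset({"udp"}),
                     dport=frozenset({5060})), ("fw", "ids", "fw")),  # fw appears twice
    Rule("R6", Match(proto=frozenset({"udp"}), dport=frozenset({53})),
         ("fw", "dpi")),                                              # dpi not deployed
]

if __name__ == "__main__":
    for finding in check_policy(POLICY, INVENTORY):
        print(*finding)
```

Run as a script, the block lists six findings for the sample policy: R2 shadowed by R1 (guest and non-guest HTTPS to the web tier would never reach the chain without IDS the operator wrote for R2), R3 redundant with R1, R4 correlated with R1 and R3 (guest HTTP to the web tier takes R1's chain, not the NAT path), a repeated function in R5 and an undeployed function in R6. All of this is visible from the rule text alone, which is the point of checking before deployment rather than on the running data plane.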
