Mind the Gap: Monitoring the Control-Data Plane Consistency in Software Defined Networks

Debugging large networks is always a challenging task. Software Defined Networking (SDN) offers a centralized control platform where operators can statically verify network policies, instead of checking configuration files device by device. While such static verification is useful, it is not enough: due to data plane faults, packets may not be forwarded according to control plane policies, resulting in network faults at runtime. To address this issue, we present VeriDP, a tool that can continuously monitor what we call control-data plane consistency, defined as the consistency between control plane policies and data plane forwarding behaviors. We prototype VeriDP with small modifications to both hardware and software SDN switches, and show that it can achieve a verification speed of 3 μs per packet, with a false negative rate as low as 0.1%, for the Stanford backbone and Internet2 topologies. In addition, when verification fails, VeriDP can localize faulty switches with a probability as high as 96% for fat tree topologies.
