Fast Control Plane Analysis Using an Abstract Representation

Networks employ complex, and hence error-prone, routing control plane configurations. In many cases, the impact of errors manifests only under failures and leads to devastating effects. Thus, it is important to proactively verify control plane behavior under arbitrary link failures. State-of-the-art verifiers are either too slow or impractical to use for such verification tasks. In this paper we propose a new high-level abstraction for control planes, ARC, that supports fast control plane analyses under arbitrary failures. ARC can check key invariants without generating the data plane--which is the main reason for current tools' ineffectiveness. This is possible because of the nature of verification tasks and the constrained nature of control plane designs in networks today. We develop algorithms to derive a network's ARC from its configuration files. Our evaluation over 314 networks shows that ARC computation is quick, and that ARC can verify key invariants in under 1s in most cases, which is orders-of-magnitude faster than the state-of-the-art.
