Fast Configuration Change Impact Analysis for Network Overlay Data Center Networks

This paper presents the first network configuration verifier that provides fast all-pair reachability analysis of incremental configuration changes for network overlay data center networks (DCNs). Network overlay DCNs leverage distributed control (i.e., BGP EVPN) on switches to establish VXLAN tunnels, distribute overlay routes, and limit traffic access (e.g., microsegmentation). Although some incremental verification techniques have been proposed, they are either not complete or do not support certain features of the network. Our configuration verifier addresses these issues through the following components: 1) a port-predicate forwarding model that is general enough to support all features; 2) a fine-grained indexing technique to look up the reachable pairs possibly affected by changed interfaces; and 3) required-waypoint path computation that finds all reachable pairs related to changed interfaces. Experimental results show that our algorithm is complete and fast. For the studied service updates, our verifier performs all-pair reachability change impact analysis within 25 s for networks with 100 leafs (2000 endpoints and 4 million pairs), outperforming existing approaches by up to 8x.
