Checking Intra-Switch Conflicts of Rules During Preprocessing of Network Verification in SDN

Software-defined networking (SDN) improves network flexibility and programmability by decoupling the control plane from the data plane. In SDN, conflicts between rules must be avoided, and network verification tools need the packet-header space to be partitioned in advance from the configured rules. Previous work typically partitions the packet equivalence classes (ECs) with trie-based methods or with exhaustive search over BDD expressions. In this letter we describe PreChecker, which dynamically identifies conflicting rules and partitions packets into ECs. We define the conflicts between rules so that intra-switch conflicts can be distinguished, and propose an MTBDD-based algorithm that efficiently repartitions the ECs when rules are updated. Both analysis and simulation demonstrate the validity and the improved performance of the algorithm.
