ABSTRACT
Debugging large networks is always a challenging task. Software Defined Network (SDN) offers a centralized control platform where operators can statically verify network policies, instead of checking configuration files device by device. While such static verification is useful, it is still not enough: because of data plane faults, packets may not be forwarded according to control plane policies, resulting in network faults at runtime. To address this issue, we present VeriDP, a tool that continuously monitors what we call control-data plane consistency, defined as the consistency between control plane policies and data plane forwarding behaviors. We prototype VeriDP with small modifications to both hardware and software SDN switches, and show that it achieves a verification speed of 3 μs per packet, with a false negative rate as low as 0.1%, for the Stanford backbone and Internet2 topologies. In addition, when verification fails, VeriDP can localize faulty switches with a probability as high as 96% for fat tree topologies.
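As an added illustration of the consistency definition in the abstract (my own code, not VeriDP's, whose mechanism the abstract does not describe): the control plane policy is modelled as per-switch forwarding tables over a constructed four-switch topology, the policy predicts a packet's path, and the path the data plane actually reports is checked against it; the first switch whose forwarding departs from the policy is reported as the faulty one. Topology, tables and observed paths are all constructed sample data.

```python
# Control-data plane consistency check (added illustration, not VeriDP's code).
import ipaddress

# Constructed sample topology: (switch, out_port) -> next switch or host.
LINKS = {
    ("s1", 1): "s2", ("s1", 2): "s3",
    ("s2", 1): "s4", ("s3", 1): "s4",
    ("s4", 1): "h_dst",
}

# Constructed control-plane policy: per-switch (dst_prefix, out_port) entries,
# longest prefix wins, like a forwarding table the controller installed.
POLICY = {
    "s1": [("10.0.0.0/8", 1), ("10.1.0.0/16", 2)],
    "s2": [("10.0.0.0/8", 1)],
    "s3": [("10.1.0.0/16", 1)],
    "s4": [("10.0.0.0/8", 1)],
}

def lookup(switch, dst):
    """Longest-prefix match in the control-plane table of one switch."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, port in POLICY.get(switch, []):
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, port)
    return None if best is None else best[1]

def expected_path(ingress, dst, max_hops=16):
    """Walk the policy from the ingress switch to build the path it predicts."""
    path, node = [ingress], ingress
    for _ in range(max_hops):
        port = lookup(node, dst)
        if port is None:
            return path + ["DROP"]          # policy says: no rule, drop here
        node = LINKS.get((node, port), "DROP")
        path.append(node)
        if not node.startswith("s"):        # reached a host (or a drop)
            return path
    return path + ["LOOP"]                  # policy itself loops: also a fault

def verify(ingress, dst, observed):
    """Return (consistent, faulty_switch). The faulty switch is the last hop
    that agreed with the policy, i.e. the one that forwarded (or dropped) the
    packet in a way the control plane did not prescribe."""
    exp = expected_path(ingress, dst)
    for i, (e, o) in enumerate(zip(exp, observed)):
        if e != o:
            return False, observed[max(i - 1, 0)]
    if len(exp) != len(observed):           # one side stopped early
        return False, observed[min(len(exp), len(observed)) - 1]
    return True, None
```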
Mind the Gap: Monitoring the Control-Data Plane Consistency in Software Defined Networks