Veriflow: verifying network-wide invariants in real time

Published: 24 September 2012

Abstract

Networks are complex and prone to bugs. Existing tools that check configuration files and data-plane state operate offline at timescales of seconds to hours, and cannot detect or prevent bugs as they arise.
Is it possible to check network-wide invariants in real time, as the network state evolves? The key challenge here is to achieve extremely low latency during the checks so that network performance is not affected. In this paper, we present a preliminary design, VeriFlow, which suggests that this goal is achievable. VeriFlow is a layer between a software-defined networking controller and network devices that checks for network-wide invariant violations dynamically as each forwarding rule is inserted. Based on an implementation using a Mininet OpenFlow network and Route Views trace data, we find that VeriFlow can perform rigorous checking within hundreds of microseconds per rule insertion.
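The idea of vetting each forwarding rule before it reaches a switch can be sketched as follows; this is an added example, not VeriFlow's code or algorithm. The `RuleChecker` class, the `"HOST"` delivery marker, the restriction to IPv4 destination prefixes and the choice of loop freedom as the only invariant are assumptions made for illustration.

```python
import ipaddress

class InvariantViolation(Exception):
    """Raised when a proposed rule would create a forwarding loop."""

class RuleChecker:
    """Hypothetical shim between controller and switches (IPv4, loop invariant only)."""

    def __init__(self):
        self.tables = {}  # switch name -> {ip_network: next hop ("HOST" = delivered)}

    def _next_hop(self, switch, addr):
        # Longest-prefix match; None means no rule matches and the packet is dropped.
        hits = [(net.prefixlen, hop) for net, hop in self.tables.get(switch, {}).items()
                if addr in net]
        return max(hits, key=lambda h: h[0])[1] if hits else None

    def _representatives(self, net):
        # Cut the new prefix at the edges of every installed prefix inside it. Within
        # each slice all switches forward identically, so one address per slice suffices.
        lo, hi = int(net.network_address), int(net.broadcast_address)
        cuts = {lo}
        for table in self.tables.values():
            for other in table:
                for edge in (int(other.network_address), int(other.broadcast_address) + 1):
                    if lo < edge <= hi:
                        cuts.add(edge)
        return [ipaddress.IPv4Address(c) for c in sorted(cuts)]

    def _loops(self, start, addr):
        seen, switch = set(), start
        while switch not in (None, "HOST"):
            if switch in seen:
                return True
            seen.add(switch)
            switch = self._next_hop(switch, addr)
        return False

    def insert(self, switch, prefix, next_hop):
        """Apply the rule tentatively; keep it only if no packet it covers can loop."""
        net = ipaddress.ip_network(prefix)
        table = self.tables.setdefault(switch, {})
        missing = object()
        previous = table.get(net, missing)
        table[net] = next_hop
        # Earlier inserts were all checked, so a new loop must pass through this switch.
        bad = [a for a in self._representatives(net) if self._loops(switch, a)]
        if bad:
            if previous is missing:
                del table[net]
            else:
                table[net] = previous
            raise InvariantViolation(f"{switch} {net} -> {next_hop} loops for {bad[0]}")
        return True  # safe to forward to the switch
```

Checking one address per slice rather than only the prefix's first address matters when a more specific rule elsewhere diverts part of the range: the first address may be delivered while the rest of the prefix loops.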

Published In

ACM SIGCOMM Computer Communication Review, Volume 42, Issue 4
Special October issue SIGCOMM '12
October 2012
538 pages
ISSN: 0146-4833
DOI: 10.1145/2377677

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

1. debugging
2. forwarding
3. openflow
4. real time
5. software-defined networking