Upgrade to Pro — share decks privately, control downloads, hide ads and more …

SYMNET — A Tool for Static Network Verification

0286822f506fc4621bd3ea0bcbfef238?s=47 Bucharest FP
September 24, 2014
Programming
0
240

SYMNET — A Tool for Static Network Verification

http://bucharestfp.ro/2014/09/24/symnet-a-tool-for-static-network-verification/

0286822f506fc4621bd3ea0bcbfef238?s=128

Bucharest FP

September 24, 2014
Tweet

More Decks by Bucharest FP

See All by Bucharest FP
The Curry-Howard-Lambek Correspondence
0286822f506fc4621bd3ea0bcbfef238?s=48 bucharestfp
3
270
An Applicative Application
0286822f506fc4621bd3ea0bcbfef238?s=48 bucharestfp
0
5.5k
Composition in FP
0286822f506fc4621bd3ea0bcbfef238?s=48 bucharestfp
0
110
Formal Design, Implementation and Verification of Blockchain Languages and Virtual Machines
0286822f506fc4621bd3ea0bcbfef238?s=48 bucharestfp
1
230
PureScript & Halogen
0286822f506fc4621bd3ea0bcbfef238?s=48 bucharestfp
1
250
A Simple Sudoku Solver in Haskell
0286822f506fc4621bd3ea0bcbfef238?s=48 bucharestfp
0
670
DeviceGraph — Clustering Devices into People at Adobe with Apache Spark
0286822f506fc4621bd3ea0bcbfef238?s=48 bucharestfp
0
170
Functional Programming Inception
0286822f506fc4621bd3ea0bcbfef238?s=48 bucharestfp
0
210
Equational Reasoning in Programming
0286822f506fc4621bd3ea0bcbfef238?s=48 bucharestfp
0
390

Other Decks in Programming

See All in Programming
Reactでアプリケーションを構築する多様化
2917a3c430817eb71086f8973c06ebba?s=48 sakito
4
3.4k
Airflow1=>Airflow2へのupgrade 事例紹介
A3ae651ab614249880dd9fad4fd0cee7?s=48 reizist
0
110
未経験QAの私が、よきQA(Question Asker) になっていく物語
F0a8d07597a19192791bf663504d2a17?s=48 atamaplus
0
220
The future of trust stores in Python
6638acfdb9c5979d11b4312984292c55?s=48 sethmlarson
0
180
機能横断型チームにおける技術改善
63b77df425b26126961817a39969a660?s=48 takeshiakutsu
3
470
SRE bridge the gap: Feature development to Core API / 機能開発チームとコアAPIチームの架け橋としてのSRE
5520f7e791c2f63da603f6b089b07c6f?s=48 kenzan100
1
140
Better Reliability through Observability (and Experimentation)
8c73ec710b03be8909e71ad500866934?s=48 ksatirli
PRO
1
260
Node.js 最新動向 TFCon 2022
D76231a2114896dfcc7b79ac69558b79?s=48 yosuke_furukawa
PRO
6
2.9k
WindowsコンテナDojo : 第1回 Visual StudioでWindowsコンテナアプリ作成
E5eb221d34d4ffbe973f8542b4c3a00e?s=48 oniak3ibm
PRO
0
330
How useEvent would change our applications
45daf58c77e9dbbab5a1c8a5afc7ac5c?s=48 koba04
1
1.7k
テスト設計技法をなぜ&どのように使うのか体験しよう!
Add1036688abcb2e3dbff7c3090f7e35?s=48 imtnd
0
350
競プロへの誘 -いざな-
Efbc292fd2e2c4caa0ede1d1532804a9?s=48 u76ner
0
370

Featured

See All Featured
What's new in Ruby 2.0
7edec06b5435e0dac07a353b2cc26253?s=48 geeforr
336
30k
Rails Girls Zürich Keynote
24fc194843a71f10949be18d5a692682?s=48 gr2m
86
12k
In The Pink: A Labor of Love
E837d2996f52008ace055a08fbfff992?s=48 frogandcode
130
21k
Mobile First: as difficult as doing things right
0fe2973fa8d27d96547e43322341183a?s=48 swwweet
212
7.5k
Navigating Team Friction
245cee81a9c424266e5e401d844ea881?s=48 lara
175
11k
From Idea to $5000 a Month in 5 Months
E4f5d494ebdc9e7cce1aecf3ce3e8bc1?s=48 shpigford
372
44k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
3d4519fd34b76fb265fc0237f3792bd4?s=48 danielanewman
212
20k
Side Projects
027d1ebf66cc039a0bd3b55eeadbe75d?s=48 sachag
449
37k
GraphQLの誤解/rethinking-graphql
3cb4e761dbdb7aebd1ffd85f752e1e3e?s=48 sonatard
24
6.2k
StorybookのUI Testing Handbookを読んだ
50fc0fdc2327ecbe7350645812de52e3?s=48 zakiyama
4
2k
Keith and Marios Guide to Fast Websites
E14f55d3f939977cecbf51b64ff6f861?s=48 keithpitt
404
21k
Raft: Consensus for Rubyists
B6a8f005f39d23ffc930508ac9da68b9?s=48 vanstee
126
5.4k

Transcript

  1. SYMNET Matei Popovici, Costin Raiciu, Radu Stoenescu a static tool

    for network verification

  2. Network function virtualization

  3. None
  4. None

  5. Hard to reason about

  6. Hard to maintain Hard to reason about

  7. None
  8. None

  9. Hardware

  10. Hardware // Change the following line to refer to your

    interface's IP and Ethernet // addresses. AddressInfo(the_interface 1.0.0.1 0:0:c0:8a:67:ef); classifier :: Classifier(12/0800 /* IP packets */, 12/0806 20/0001 /* ARP requests */, - /* everything else */); ip_classifier :: IPClassifier(dst udp port 1234 /* relevant UDP packets */, - /* everything else Software

  11. Hardware // Change the following line to refer to your

    interface's IP and Ethernet // addresses. AddressInfo(the_interface 1.0.0.1 0:0:c0:8a:67:ef); classifier :: Classifier(12/0800 /* IP packets */, 12/0806 20/0001 /* ARP requests */, - /* everything else */); ip_classifier :: IPClassifier(dst udp port 1234 /* relevant UDP packets */, - /* everything else Software Click

  12. Hardware // Change the following line to refer to your

    interface's IP and Ethernet // addresses. AddressInfo(the_interface 1.0.0.1 0:0:c0:8a:67:ef); classifier :: Classifier(12/0800 /* IP packets */, 12/0806 20/0001 /* ARP requests */, - /* everything else */); ip_classifier :: IPClassifier(dst udp port 1234 /* relevant UDP packets */, - /* everything else Software Click

  13. Hardware // Change the following line to refer to your

    interface's IP and Ethernet // addresses. AddressInfo(the_interface 1.0.0.1 0:0:c0:8a:67:ef); classifier :: Classifier(12/0800 /* IP packets */, 12/0806 20/0001 /* ARP requests */, - /* everything else */); ip_classifier :: IPClassifier(dst udp port 1234 /* relevant UDP packets */, - /* everything else Software Click ClickOS

  14. Hardware // Change the following line to refer to your

    interface's IP and Ethernet // addresses. AddressInfo(the_interface 1.0.0.1 0:0:c0:8a:67:ef); classifier :: Classifier(12/0800 /* IP packets */, 12/0806 20/0001 /* ARP requests */, - /* everything else */); ip_classifier :: IPClassifier(dst udp port 1234 /* relevant UDP packets */, - /* everything else Software Click ClickOS

  15. Hardware // Change the following line to refer to your

    interface's IP and Ethernet // addresses. AddressInfo(the_interface 1.0.0.1 0:0:c0:8a:67:ef); classifier :: Classifier(12/0800 /* IP packets */, 12/0806 20/0001 /* ARP requests */, - /* everything else */); ip_classifier :: IPClassifier(dst udp port 1234 /* relevant UDP packets */, - /* everything else Software Click ClickOS

  16. Examples

  17. Examples

  18. Examples

  19. Examples

  20. Examples

  21. Virtualization vs. configuration 12/0806 20/0001

  22. Virtualization vs. configuration access-list extended permit tcp host 192.168.1.1 any

    12/0806 20/0001

  23. Virtualization vs. configuration access-list extended permit tcp host 192.168.1.1 any

    12/0806 20/0001

  24. Virtualization vs. configuration access-list extended permit tcp host 192.168.1.1 any

    in -> IPClassifier(„dst host 192.168.1.1 and tcp”) -> out 12/0806 20/0001

  25. Virtualization vs. configuration access-list extended permit tcp host 192.168.1.1 any

    in -> IPClassifier(„dst host 192.168.1.1 and tcp”) -> out 12/0806 20/0001 in -> IPClassifier(„12/0806 20/0001”) -> out

  26. Virtualization vs. configuration access-list extended permit tcp host 192.168.1.1 any

    in -> IPClassifier(„dst host 192.168.1.1 and tcp”) -> out 12/0806 20/0001 in -> IPClassifier(„12/0806 20/0001”) -> out ARP req

  27. Challenges

  28. Challenges • Debugging

  29. Challenges • Debugging • Understanding the „software” topology

  30. Challenges • Debugging • Understanding the „software” topology • Offering

    guarantees that software processing behaves as intended

  31. Verifying network processing

  32. Verifying network processing formally

  33. What is out there...

  34. What is out there... on off off on off

  35. What is out there... on off off on off

  36. What is out there... on off off on off

  37. What is out there... on off off on off

  38. What is out there... on off off on off

  39. What is out there... on off off on off Model

    checking

  40. What is out there... on off off on off Model

    checking A(int x, int y) { if (x == 2) return A(x,x+y); if (y == 1) return A(x-1,y); return x-y; }

  41. What is out there... on off off on off Model

    checking A(int x, int y) { if (x == 2) return A(x,x+y); if (y == 1) return A(x-1,y); return x-y; } -32767 < x < 32767

  42. What is out there... on off off on off Model

    checking A(int x, int y) { if (x == 2) return A(x,x+y); if (y == 1) return A(x-1,y); return x-y; } -32767 < x < 32767 -32767 < y < 32767

  43. What is out there... on off off on off Model

    checking A(int x, int y) { if (x == 2) return A(x,x+y); if (y == 1) return A(x-1,y); return x-y; } -32767 < x < 32767 -32767 < y < 32767 x =2

  44. What is out there... on off off on off Model

    checking A(int x, int y) { if (x == 2) return A(x,x+y); if (y == 1) return A(x-1,y); return x-y; } -32767 < x < 32767 -32767 < y < 32767 x =2 y =1

  45. What is out there... on off off on off Model

    checking A(int x, int y) { if (x == 2) return A(x,x+y); if (y == 1) return A(x-1,y); return x-y; } -32767 < x < 32767 -32767 < y < 32767 x =2 y =1 Symbolic execution

  46. Our setting FromDevice(eth0) ->Strip(14) ->c :: IPClassifier(„tcp”,”udp”)[0] ->IPRewriter(„pattern 10.0.0.1 20

    - -”) ->EtherEncap(0x0800, 1:1:1:1:1:1, 2:2:2:2:2:2) ->ToDevice(eth1) c[1] ->IPEncap(4, 18.26.4.24, 140.247.60.147) ->EtherEncap(0x0800, 1:1:1:1:1:1, 2:2:2:2:2:2) ->ToDevice(eth2)

  47. Our setting FromDevice(eth0) ->Strip(14) ->c :: IPClassifier(„tcp”,”udp”)[0] ->IPRewriter(„pattern 10.0.0.1 20

    - -”) ->EtherEncap(0x0800, 1:1:1:1:1:1, 2:2:2:2:2:2) ->ToDevice(eth1) c[1] ->IPEncap(4, 18.26.4.24, 140.247.60.147) ->EtherEncap(0x0800, 1:1:1:1:1:1, 2:2:2:2:2:2) ->ToDevice(eth2) Arbitrary packet

  48. Our setting FromDevice(eth0) ->Strip(14) ->c :: IPClassifier(„tcp”,”udp”)[0] ->IPRewriter(„pattern 10.0.0.1 20

    - -”) ->EtherEncap(0x0800, 1:1:1:1:1:1, 2:2:2:2:2:2) ->ToDevice(eth1) c[1] ->IPEncap(4, 18.26.4.24, 140.247.60.147) ->EtherEncap(0x0800, 1:1:1:1:1:1, 2:2:2:2:2:2) ->ToDevice(eth2) Arbitrary packet Trim ethernet

  49. Our setting FromDevice(eth0) ->Strip(14) ->c :: IPClassifier(„tcp”,”udp”)[0] ->IPRewriter(„pattern 10.0.0.1 20

    - -”) ->EtherEncap(0x0800, 1:1:1:1:1:1, 2:2:2:2:2:2) ->ToDevice(eth1) c[1] ->IPEncap(4, 18.26.4.24, 140.247.60.147) ->EtherEncap(0x0800, 1:1:1:1:1:1, 2:2:2:2:2:2) ->ToDevice(eth2) Arbitrary packet Trim ethernet TCP packet

  50. Our setting FromDevice(eth0) ->Strip(14) ->c :: IPClassifier(„tcp”,”udp”)[0] ->IPRewriter(„pattern 10.0.0.1 20

    - -”) ->EtherEncap(0x0800, 1:1:1:1:1:1, 2:2:2:2:2:2) ->ToDevice(eth1) c[1] ->IPEncap(4, 18.26.4.24, 140.247.60.147) ->EtherEncap(0x0800, 1:1:1:1:1:1, 2:2:2:2:2:2) ->ToDevice(eth2) Arbitrary packet Trim ethernet TCP packet RW src IP and TCP

  51. Our setting FromDevice(eth0) ->Strip(14) ->c :: IPClassifier(„tcp”,”udp”)[0] ->IPRewriter(„pattern 10.0.0.1 20

    - -”) ->EtherEncap(0x0800, 1:1:1:1:1:1, 2:2:2:2:2:2) ->ToDevice(eth1) c[1] ->IPEncap(4, 18.26.4.24, 140.247.60.147) ->EtherEncap(0x0800, 1:1:1:1:1:1, 2:2:2:2:2:2) ->ToDevice(eth2) Arbitrary packet Trim ethernet TCP packet RW src IP and TCP Add ethernet header

  52. Our setting FromDevice(eth0) ->Strip(14) ->c :: IPClassifier(„tcp”,”udp”)[0] ->IPRewriter(„pattern 10.0.0.1 20

    - -”) ->EtherEncap(0x0800, 1:1:1:1:1:1, 2:2:2:2:2:2) ->ToDevice(eth1) c[1] ->IPEncap(4, 18.26.4.24, 140.247.60.147) ->EtherEncap(0x0800, 1:1:1:1:1:1, 2:2:2:2:2:2) ->ToDevice(eth2) Arbitrary packet Trim ethernet TCP packet UDP packet RW src IP and TCP Add ethernet header

  53. Our setting FromDevice(eth0) ->Strip(14) ->c :: IPClassifier(„tcp”,”udp”)[0] ->IPRewriter(„pattern 10.0.0.1 20

    - -”) ->EtherEncap(0x0800, 1:1:1:1:1:1, 2:2:2:2:2:2) ->ToDevice(eth1) c[1] ->IPEncap(4, 18.26.4.24, 140.247.60.147) ->EtherEncap(0x0800, 1:1:1:1:1:1, 2:2:2:2:2:2) ->ToDevice(eth2) Arbitrary packet Trim ethernet TCP packet UDP packet RW src IP and TCP Add ethernet header Encapsulate in IP

  54. Our setting FromDevice(eth0) ->Strip(14) ->c :: IPClassifier(„tcp”,”udp”)[0] ->IPRewriter(„pattern 10.0.0.1 20

    - -”) ->EtherEncap(0x0800, 1:1:1:1:1:1, 2:2:2:2:2:2) ->ToDevice(eth1) c[1] ->IPEncap(4, 18.26.4.24, 140.247.60.147) ->EtherEncap(0x0800, 1:1:1:1:1:1, 2:2:2:2:2:2) ->ToDevice(eth2) Arbitrary packet Trim ethernet TCP packet UDP packet RW src IP and TCP Add ethernet header Encapsulate in IP Add ethernet header

  55. Arbitrary packet Trim ethernet TCP packet UDP packet RW src

    IP and TCP Add ethernet header Encapsulate in IP Add ethernet header

  56. Arbitrary packet Trim ethernet TCP packet UDP packet RW src

    IP and TCP Add ethernet header Encapsulate in IP Add ethernet header

  57. Our idea

  58. Our idea Symbolic execution

  59. Our idea Symbolic execution ...

  60. Our idea Symbolic execution on all paths... ...

  61. Treat sets of packets as n-dimensional spaces

  62. Treat sets of packets as n-dimensional spaces Source IP =

    169.168.0.1 Source IP = 169.168.0.255

  63. Treat sets of packets as n-dimensional spaces Source IP =

    169.168.0.1 Source IP = 169.168.0.255 IP proto = 6 IP proto = 17

  64. Treat packet processing elements as functions

  65. Treat packet processing elements as functions

  66. Treat packet processing elements as functions

  67. Treat packet processing elements as functions

  68. Treat packet processing elements as functions Filtering function

  69. Treat packet processing elements as functions Filtering function

  70. Treat packet processing elements as functions Filtering function

  71. Treat packet processing elements as functions Filtering function

  72. Treat packet processing elements as functions Filtering function Modify function

  73. Treat packet processing elements as functions Filtering function Modify function

    Reunion, disjunction, complement, set difference

  74. Compute reachability and loop detection

  75. Compute reachability and loop detection Src FW R1 R2 R3

    Dst

  76. Compute reachability and loop detection Src FW R1 R2 R3

    Dst

  77. Compute reachability and loop detection Src FW R1 R2 R3

    Dst

  78. Compute reachability and loop detection Src FW R1 R2 R3

    Dst

  79. Compute reachability and loop detection Src FW R1 R2 R3

    Dst

  80. Compute reachability and loop detection Src FW R1 R2 R3

    Dst

  81. Compute reachability and loop detection Src FW R1 R2 R3

    Dst

  82. Compute reachability and loop detection Src FW R1 R2 R3

    Dst

  83. Compute reachability and loop detection Src FW R1 R2 R3

    Dst

  84. ... where functional programming comes into play

  85. Writing flow operations intuitively

  86. Writing flow operations intuitively („IPSrc” .=. „192.168.0.1”) .>. nil

  87. Writing flow operations intuitively („IPSrc” .=. „192.168.0.1”) .>. nil („proto”

    .=. „4”) .>. nil

  88. Writing flow operations intuitively („IPSrc” .=. „192.168.0.1”) .>. nil („proto”

    .=. „4”) .>. nil ((„IPSrc” .=. „192.168.0.1”) .>. nil) `cup` ((„proto” .=. „4”) .>. nil)

  89. Writing flow operations intuitively („IPSrc” .=. „192.168.0.1”) .>. nil („proto”

    .=. „4”) .>. nil ((„IPSrc” .=. „192.168.0.1”) .>. nil) `cup` ((„proto” .=. „4”) .>. nil) („DstPort” .=. „80”) .>. ((„IPSrc” .=. „192.168.0.1”) .>. nil) `cup` ((„proto” .=. „4”) .>. nil)

  90. Hiding actual representation

  91. Hiding actual representation class AsExpression a where (.=.) :: Var

    -> a -> VarBinding

  92. Hiding actual representation class AsExpression a where (.=.) :: Var

    -> a -> VarBinding instance AsExpression String where v .=. s = ...

  93. Hiding actual representation class AsExpression a where (.=.) :: Var

    -> a -> VarBinding instance AsExpression String where v .=. s = ... instance AsExpression Integer where v .=. i =

  94. Hiding actual representation class AsExpression a where (.=.) :: Var

    -> a -> VarBinding instance AsExpression String where v .=. s = ... instance AsExpression Integer where v .=. i = instance AsExpression Expr where v .=. e = v `Bind` e

  95. Hiding actual representation class AsExpression a where (.=.) :: Var

    -> a -> VarBinding instance AsExpression String where v .=. s = ... instance AsExpression Integer where v .=. i = instance AsExpression Expr where v .=. e = v `Bind` e data VarBinding = Bind Var Expr

  96. Processing elements as functions type Rule = (Flow -> Bool,

    Flow -> Flow)

  97. Processing elements as functions type Rule = (Flow -> Bool,

    Flow -> Flow)

  98. Processing elements as functions type Rule = (Flow -> Bool,

    Flow -> Flow) Should I process this flow?

  99. Processing elements as functions type Rule = (Flow -> Bool,

    Flow -> Flow) Should I process this flow?

  100. Processing elements as functions type Rule = (Flow -> Bool,

    Flow -> Flow) Should I process this flow? How should I modify the flow?

  101. Processing elements as functions type Rule = (Flow -> Bool,

    Flow -> Flow) Should I process this flow? How should I modify the flow? (m,a) `comp` (m',a') = let mfin f = (m f) && (m' f) afin = a . a' in (mfin, afin)

  102. Processing elements as functions type Rule = (Flow -> Bool,

    Flow -> Flow) Should I process this flow? How should I modify the flow? (m,a) `comp` (m',a') = let mfin f = (m f) && (m' f) afin = a . a' in (mfin, afin) (m,a) `comp` (m',a') = let mfin f = (m f) && (m' (a f)) afin = a . a' in (mfin, afin)

  103. Processing elements as functions type Rule = (Flow -> Bool,

    Flow -> Flow) Should I process this flow? How should I modify the flow? (m,a) `comp` (m',a') = let mfin f = (m f) && (m' f) afin = a . a' in (mfin, afin) (m,a) `comp` (m',a') = let mfin f = (m f) && (m' (a f)) afin = a . a' in (mfin, afin) Building more sofisticated processing from simpler one

  104. Compute reachability and loop detection Src FW R1 R2 R3

    Dst „Object-oriented” style

  105. Compute reachability and loop detection Src FW R1 R2 R3

    Dst Visitable „Object-oriented” style Visitable Visitable Visitable Visitable Visitable

  106. Compute reachability and loop detection Src FW R1 R2 R3

    Dst Visitable „Object-oriented” style Visitable Visitable Visitable Visitable Visitable Visitor

  107. Compute reachability and loop detection Src FW R1 R2 R3

    Dst Visitable „Object-oriented” style Visitable Visitable Visitable Visitable Visitable Visitor Visitor

  108. Compute reachability and loop detection Src FW R1 R2 R3

    Dst Visitable „Object-oriented” style Visitable Visitable Visitable Visitable Visitable Visitor Visitor

  109. Compute reachability and loop detection Src FW R1 R2 R3

    Dst Visitable „Object-oriented” style Visitable Visitable Visitable Visitable Visitable Visitor Visitor

  110. Compute reachability and loop detection Src FW R1 R2 R3

    Dst Visitable „Object-oriented” style Visitable Visitable Visitable Visitable Visitable Visitor

  111. Compute reachability and loop detection Src FW R1 R2 R3

    Dst Visitable „Object-oriented” style Visitable Visitable Visitable Visitable Visitable Visitor

  112. Compute reachability and loop detection Src FW R1 R2 R3

    Dst Visitable „Object-oriented” style Visitable Visitable Visitable Visitable Visitable Visitor

  113. How the code looks like...

  114. How the code looks like... abstract class Element {

  115. How the code looks like... abstract class Element { public

    boolean match(Flow f);

  116. How the code looks like... abstract class Element { public

    boolean match(Flow f); public Map<Element,Flow> apply(Flow f);

  117. How the code looks like... abstract class Element { public

    boolean match(Flow f); public Map<Element,Flow> apply(Flow f); }

  118. How the code looks like... abstract class Element { public

    boolean match(Flow f); public Map<Element,Flow> apply(Flow f); public void accept(Visitor v){ ... } }

  119. How the code looks like... abstract class Visitor { private

    Flow currentFlow(); public Set<Element> visit(Element e){ ... } }

  120. How the code looks like... abstract class Visitor { private

    Flow currentFlow(); public Set<Element> visit(Element e){ Map<Element, Flow> m = ... if (e.match(currentFlow()){ m = e.apply(currentFlow()); // process m } return m.keySet(); } }

  121. How the code looks like... abstract class Element { public

    boolean match(Flow f); public Map<Element,Flow> apply(Flow f); public void accept(Visitor v){ for (Element e:v.visit(this)){ e.accept(v); } }

  122. Compute reachability and loop detection „Functional” style

  123. Compute reachability and loop detection Src FW R1 R2 R3

    Dst „Functional” style

  124. Compute reachability and loop detection Src FW R1 R2 R3

    Dst „Functional” style (match,apply) (match,apply) (match,apply) (match,apply)

  125. Compute reachability and loop detection Src FW R1 R2 R3

    Dst „Functional” style (match,apply) (match,apply) (match,apply) (match,apply) Push ports into the flow

  126. Compute reachability and loop detection Src FW R1 R2 R3

    Dst „Functional” style (match,apply) (match,apply) (match,apply) (match,apply) Push ports into the flow

  127. Compute reachability and loop detection FW R1 R2 R3 „Functional”

    style (match,apply) (match,apply) (match,apply) (match,apply) Network Function F

  128. How the code looks like... F :: [Flow] -> [Flow]

  129. How the code looks like... F :: [Flow] -> [Flow]

    F [] = [„the initial flow, with it’s corresponding port” ]

  130. How the code looks like... F :: [Flow] -> [Flow]

    F [] = [„the initial flow, with it’s corresponding port” ] F X = map (\(f,r) -> apply f r) $ [(f,r) | f <- X , r <- ruleList, match f r]

  131. How the code looks like... F :: [Flow] -> [Flow]

    F [] = [„the initial flow, with it’s corresponding port” ] F X = map (\(f,r) -> apply f r) $ [(f,r) | f <- X , r <- ruleList, match f r] What happens next?

  132. We compute...

  133. We compute... F [] = F0

  134. We compute... F [] = F0 F F0 = F1

  135. We compute... F [] = F0 F F0 = F1

    ...

  136. We compute... F [] = F0 F F0 = F1

    ... F Fn = Fn+1

  137. We compute... F [] = F0 F F0 = F1

    ... F Fn = Fn+1 ...

  138. We compute... F [] = F0 F F0 = F1

    ... F Fn = Fn+1 ... The sequence stabilises eventually

  139. We compute... F [] = F0 F F0 = F1

    ... F Fn = Fn+1 ... lfp :: ([Flow] -> [Flow]) -> [Flow] lfp F = let g x y = if x == x ++ y then x else g (x++y) (F y) in g [] (F []) The sequence stabilises eventually

  140. Final remarks

  141. Final remarks • The code on the slides will not

    compile

  142. Final remarks • The code on the slides will not

    compile • Many ideas are due: – Kazemian et al. Header Space Analysis: Static Checking For Networks

  143. Final remarks • The code on the slides will not

    compile • Many ideas are due: – Kazemian et al. Header Space Analysis: Static Checking For Networks • One of our contributions is in modelling packet state, by pushing it in the flow

  144. Final remarks • The code on the slides will not

    compile • Many ideas are due: – Kazemian et al. Header Space Analysis: Static Checking For Networks • One of our contributions is in modelling packet state, by pushing it in the flow • Does the functional style beat the object oriented one?