Splendid Isolation A Slice Abstraction for SoftwareDened Networks Stephen Gutz Cornell - PDF document

SplendidIsolation:ASliceAbstractionforSoftware-DenedNetworksStephenGutzCornellAlecStoryCornellColeSchlesingerPrincetonNateFosterCornell (a)(b)(c) S1 S2 S3 S1 S2 S3 S1 S2 S3 S1 S2 S3 S4 S5 S1 S2 S3 S4 S5 S1 S2 S3 S4 S5 A1 A2 R1 R2 R3 A1 A2 R1 R2 R3 A1 A2 R1 R2 R3 Figure1:Examplenetworksandassociatedslices:(a)campus,(b)intelligence,and(c)datacenter.physicalnetworktopology,amappingfromthenodesinthisgraphtothenodesintheunderlyingnetwork,andacollec-tionofpredicatesthatspecifywhichpacketsarepermittedtoenterthesliceatitsperimeter.Programmersspecifyaseparateprogramforeachsliceandthecompilertakestheoverallcollectionofslices,togetherwiththeirassociatedprograms,andemitsaglobalcongurationfortheentirenetwork.Thespecicationforthecompilerensuresthattheslicesareisolatedfromeachother|i.e.,thatthepacketstraversingeachslicedonotinterferewiththeoperationofanyotherslice.Overall,thecontributionsofthispaperareasfollows:Wemakethecasefortreatingisolationatthelanguagelevel,usingexamplesinspiredbycommonnetworksce-narios(Section2).Wedeneasimpleandelegantprogrammingabstrac-tionfordeningslices(Section3).WedescribealgorithmsforcompilingslicestoOpen-Flowswitchesandpresentourprototypeimplementa-tionofthesealgorithms(Section4).Wediscusstechniquesforverifyingformalisolationpropertiesofprogramsexpressedusingslices,aswellasatoolthatimplementsthesetechniquesusingamodelchecker(Section5).Wefocusinthispaperonisolationwithrespecttopacketprocessing.Webelievethatoursliceabstractioncanbeex-tendedtohandleotherimportantissuessuchasbandwidthandcontrollerresources,butwedeferaninvestigationofthesetopicstofuturework.2.EXAMPLESThissectionintroducesaseriesofexamplesthatmotivatetheneedforseveraldierentkindsofisolation:traciso-lation,physicalisolation,andcontrolisolation.Weshowinformallyhowreasoningintermsofsliceshelpsstreamlinetheprocessofdevelopingprogramswiththeseproperties.Trafcisolation.ConsiderthetopologydepictedinFig-ure1(a),whichrepresentsafragmentofauniversitycam-pusnetwork.ThehostsconnectedtoswitchS1aredesk-topmachinesfortrusteduserssuchasthedean,registrar,andotheradministrators.ThehostsconnectedtoswitchS2areserversthatstoresensitiveinformationincludingstu-dentrecords.ThehostsconnectedwirelesslytoswitchS3aremachinesownedbyuntrusteduserssuchasstudentsandvisitors.Informally,theintendedpolicyforthenetworkisasfollows:S1hostsmaycommunicatewithS2servers,butnotracmay owbetweenS2serversandS3hosts;S3hostsmaycommunicatewithwebservicesonS2hosts,butnotwithanyotherservicesprovidedbythosemachines;andnetworkoperatorsmaysendpacketstomonitorthehealthofinternallinks,butthoseprobesmustnotreachthehostsconnectedtoS1,S2,andS3.Itispossibletocongurethenetworksothatitimple-mentsthispolicy|e.g.,introducingdistinctVLANtagsfortrusted,untrusted,andmonitoringpackets,andinstallingappropriateforwardingandlteringrulesforeachclassoftraconallthreeswitches|butthedetailsaretrickytogetright,andevensimpleerrorscouldeasilyleadtosecu-ritybreaches.Forexample,installingthewrongforwardingruleonS2couldallowanuntrustedS3hosttocommunicatewithandpotentiallycompromiseanS2server.Usingslices,itisstraightforwardtowriteaprogramthatcorrectlyimplementstheoverallpolicy.Wesimplycreateasliceforeachclassoftracandprogramtheslicessepa-rately.Figure1(a)depictsthethreeslices.Theredslice,shownontheleft,handlestracbetweenS1hostsandS2servers.Theblueslice,showninthemiddle,handlestracbetweenS3hostsandS2webservers.Theformaldenitionofthisslice(giveninthenextsection)restrictstraconS2topacketswithTCPsourceport80andonS3topacketswithTCPdestinationport80.Thegreenslice,shownontheright,handlesalltracbetweenS1,S2,andS3,butdoesnotincludethehostsconnectedtothoseswitches.Theprogramrunningoneachslicecanimplementforwardingwithintheslicehoweveritlikeswithoutworryingaboutviolatingtheoverallsecuritypolicy|thesemanticsofthesliceabstractionensurestracisolation.Overall,theprogramwrittenusingslicesissignicantlysimplerthanacorrespondingprogramwrittenusingexplicitVLANsorotherlow-levelmechanisms.Physicalisolation.Forthenextexample,consideranet-workthatcarriesclassiedinformationinanintelligenceor-ganization.Supposethatthesecuritypolicyforthisorga-nizationmandatesphysicalisolation|an\airgap"|betweenthedevicesandlinksthatprocesspacketsclassiedatdif-ferentlevelsofcondentiality.Asinthecampusexample,wecouldcarefullyconstructapolicythatmaintainsthisinvariant,butdoingthiswouldrequireperformingexplicitmanualreasoningaboutlow-levelswitchcongurationsandwouldbeveryeasytogetwrong.Usingslices,thesituationismuchsimpler.Wecreateaseparatesliceforeachlevelofcondentialityandcheckthattherequiredairgapexistsbyverifyingthatthesetsofphysicaldevicesusedtoimplementeachslicearedisjoint.Figure1(b)depictsonepossiblearrangementofslices.Theredslice,shownontheleft,connectsS1andS4andhan- workonnetworkupdates[15].Headerspaceanalysis[7]pro-videsaformalmodelofOpenFlownetworksasa\transferfunction"aswellasatoolforcheckingpropertiesofnet-worksincludingconnectivity,accesscontrol,andloopfree-dom.Anteater[10]veriesnetworkinvariantsbytranslatingthemintoSATinstancesandusinganexternalsolver.7.FUTUREWORKOurworkonslicesisongoing.Wearecurrentlydevelopingaformalsemanticsforslices,andprovingpropertiessuchasnon-interferencewithrespecttocondentiality(packetsdonotleakoutsideofaslice)andintegrity(packetsgeneratedbyotherslicesdonotaecttheoperationofaslice).Webelievethattheseintuitiveandrobustguaranteeswillbeapowerfulreasoningtoolforprogrammers.Wearealsodevelopingadditionaloptimizedcompilationalgorithmsthatexploitinformationaboutslices,programs,andthetopologytoprovideisolationwhileminimizingtheuseofVLANtags.Forexample,ifasinglelinkisonlyeverusedbyoneslice,thenpacketstraversingthatlinkdonotneedtobetaggedatall.Inthefuture,weplantoextendourslicingabstractiontohandleresourcessuchasbandwidthandcontrollerresources.Wealsoplantorelaxtherestrictionsonswitchandportmappingstoallowmore exibleslicedenitions.Finally,weplantodevelopaconvenientsurfacesyntaxfordescribingslicesandintegratethemintotheFreneticlanguage[6,12].Acknowledgments.WewishtothankShrutarshiBasu,JoshReich,MarkReitblatt,JenniferRexford,andDavidWalker,andtheanonymousreviewersformanyhelpfulcommentsandsuggestions.OurworkissupportedinpartbytheONRundergrantN00014-09-1-0652andbytheNSFundergrantsCNS-1111698,CCF-0424422,andSHF-1016937.8.REFERENCES[1]MartnCasado,TeemuKoponen,RajivRamanathan,andScottShenker.Virtualizingthenetworkforwardingplane.InWorkshoponProgrammableRoutersforExtensibleServicesofTomorrow(PRESTO),Philadelphia,PA,2010.[2]AlessandroCimatti,EdmundClarke,EnricoGiunchiglia,FaustoGiunchiglia,MarcoPistore,MarcoRoveri,RobertoSebastiani,andArmandoTacchella.NuSMV2:Anopensourcetoolforsymbolicmodelchecking.InInternationalConferenceonComputerAidedVerication(CAV),Copenhagen,Denmark,pages359{364,July2002.[3]E.M.Clarke,E.A.Emerson,andA.P.Sistla.Automaticvericationofnite-stateconcurrentsystemsusingtemporallogicspecications.ACMTransactionsonProgrammingLanguagesandSystems(TOPLAS),8(2):244{263,1986.[4]N.C.FernandesandO.C.M.B.Duarte.XNetMon:Anetworkmonitorforsecuringvirtualnetworks.InInternationalConferenceonCommunications(ICC),KyotoJapan,pages1{5,June2011.[5]FlowVisor.Bugreport,March2012.Seehttps://openflow.stanford.edu/bugs/browse/FLOWVISOR-171.[6]NateFoster,RobHarrison,MichaelJ.Freedman,ChristopherMonsanto,JenniferRexford,AlecStory,andDavidWalker.Frenetic:Anetworkprogramminglanguage.InACMSIGPLANInternationalConferenceonFunctionalProgramming(ICFP),Tokyo,Japan,pages279{291,September2011.[7]PeymanKazemian,GeorgeVarghese,andNickMcKeown.Headerspaceanalysis:Staticcheckingfornetworks.InUSENIXSymposiumonNetworkedSystemsDesignandImplementation(NSDI),SanJose,CA,April2012.[8]GeorgiaKontesidouandKyriakosZaris.OpenFlowvirtualnetworking:A ow-basednetworkvirtualization.Master'sthesis,KTHRoyalInstituteofTechnology,2009.[9]LosAlamosNationalLaboratory.NetworkX,November2011.Availablefromhttp://networkx.lanl.gov.[10]HaohuiMai,AhmedKhurshid,RachitAgarwal,MatthewCaesar,BrightenGodfrey,andSamuelTalmadgeKing.DebuggingthedataplanewithAnteater.InACMSIGCOMMConferenceonApplications,Technologies,Architectures,andProtocolsforComputerCommunications(SIGCOMM),Toronto,Canada,pages290{301,August2011.[11]N.McKeown,T.Anderson,H.Balakrishnan,G.Parulkar,L.Peterson,J.Rexford,S.Shenker,andJ.Turner.Open ow:Enablinginnovationincampusnetworks.ACMSIGCOMMComputerCommunicationsReview(CCR),38(2):69{74,2008.[12]ChristopherMonsanto,NateFoster,RobHarrison,andDavidWalker.Acompilerandrun-timesystemfornetworkprogramminglanguages.InACMSIGPLAN{SIGACTSymposiumonPrinciplesofProgrammingLanguages(POPL),Philadelphia,PA,pages217{230,January2012.[13]AmirPnueli,MichaelSiegel,andEliSingerman.Translationvalidation.InInternationalConferenceonToolsandAlgorithmsforConstructionandAnalysisofSystems(TACAS),Lisbon,Portugal,pages151{166,March1998.[14]JoshuaReich,NateFoster,JenniferRexford,andDavidWalker.Towardalanguagefornetworkvirtualization.Draft,April2012.[15]MarkReitblatt,NateFoster,JenniferRexford,ColeSchlesinger,andDavidWalker.Abstractionsfornetworkupdate.InACMSIGCOMMConferenceonApplications,Technologies,Architectures,andProtocolsforComputerCommunications(SIGCOMM),Helsinki,Finland,August2012.Toappear.[16]RobSherwood,MichaelChan,AdamCovington,GlenGibb,MarioFlajslik,NikhilHandigol,Te-YuanHuang,PeymanKazemian,MasayoshiKobayashi,JadNaous,SrinivasanSeetharaman,DavidUnderhill,TatsuyaYabe,Kok-KiongYap,YiannisYiakoumis,HongyiZeng,GuidoAppenzeller,RameshJohari,NickMcKeown,andGuruParulkar.Carvingresearchslicesoutofyourproductionnetworkswithopen ow.ACMSIGCOMMComputerCommunicationsReview(CCR),40(1):129{130,January2010. workonnetworkupdates[15].Headerspaceanalysis[7]pro-videsaformalmodelofOpenFlownetworksasa\transferfunction"aswellasatoolforcheckingpropertiesofnet-worksincludingconnectivity,accesscontrol,andloopfree-dom.Anteater[10]veri\fesnetworkinvariantsbytranslatingthemintoSATinstancesandusinganexternalsolver.7.FUTUREWORKOurworkonslicesisongoing.Wearecurrentlydevelopingaformalsemanticsforslices,andprovingpropertiessuchasnon-interferencewithrespecttocon\fdentiality(packetsdonotleakoutsideofaslice)andintegrity(packetsgeneratedbyotherslicesdonotaecttheoperationofaslice).Webelievethattheseintuitiveandrobustguaranteeswillbeapowerfulreasoningtoolforprogrammers.Wearealsodevelopingadditionaloptimizedcompilationalgorithmsthatexploitinformationaboutslices,programs,andthetopologytoprovideisolationwhileminimizingtheuseofVLANtags.Forexample,ifasinglelinkisonlyeverusedbyoneslice,thenpacketstraversingthatlinkdonotneedtobetaggedatall.Inthefuture,weplantoextendourslicingabstractiontohandleresourcessuchasbandwidthandcontrollerresources.Wealsoplantorelaxtherestrictionsonswitchandportmappingstoallowmore\rexibleslicede\fnitions.Finally,weplantodevelopaconvenientsurfacesyntaxfordescribingslicesandintegratethemintotheFreneticlanguage[6,12].Acknowledgments.WewishtothankShrutarshiBasu,JoshReich,MarkReitblatt,JenniferRexford,andDavidWalker,andtheanonymousreviewersformanyhelpfulcommentsandsuggestions.OurworkissupportedinpartbytheONRundergrantN00014-09-1-0652andbytheNSFundergrantsCNS-1111698,CCF-0424422,andSHF-1016937.8.REFERENCES[1]MartnCasado,TeemuKoponen,RajivRamanathan,andScottShenker.Virtualizingthenetworkforwardingplane.InWorkshoponProgrammableRoutersforExtensibleServicesofTomorrow(PRESTO),Philadelphia,PA,2010.[2]AlessandroCimatti,EdmundClarke,EnricoGiunchiglia,FaustoGiunchiglia,MarcoPistore,MarcoRoveri,RobertoSebastiani,andArmandoTacchella.NuSMV2:Anopensourcetoolforsymbolicmodelchecking.InInternationalConferenceonComputerAidedVeri\fcation(CAV),Copenhagen,Denmarkpages359{364,July2002.[3]E.M.Clarke,E.A.Emerson,andA.P.Sistla.Automaticveri\fcationof\fnite-stateconcurrentsystemsusingtemporallogicspeci\fcations.ACMTransactionsonProgrammingLanguagesandSystems(TOPLAS),8(2):244{263,1986.[4]N.C.FernandesandO.C.M.B.Duarte.XNetMon:Anetworkmonitorforsecuringvirtualnetworks.InInternationalConferenceonCommunications(ICC),KyotoJapan,pages1{5,June2011.[5]FlowVisor.Bugreport,March2012.Seehttps://openflow.stanford.edu/bugs/browse/FLOWVISOR-171[6]NateFoster,RobHarrison,MichaelJ.Freedman,ChristopherMonsanto,JenniferRexford,AlecStory,andDavidWalker.Frenetic:Anetworkprogramminglanguage.InACMSIGPLANInternationalConferenceonFunctionalProgramming(ICFP),Tokyo,Japan,pages279{291,September2011.[7]PeymanKazemian,GeorgeVarghese,andNickMcKeown.Headerspaceanalysis:Staticcheckingfornetworks.InUSENIXSymposiumonNetworkedSystemsDesignandImplementation(NSDI),SanJose,CA,April2012.[8]GeorgiaKontesidouandKyriakosZari\fs.OpenFlowvirtualnetworking:A\row-basednetworkvirtualization.Master'sthesis,KTHRoyalInstituteofTechnology,2009.[9]LosAlamosNationalLaboratory.NetworkX,November2011.Availablefromhttp://networkx.lanl.gov[10]HaohuiMai,AhmedKhurshid,RachitAgarwal,MatthewCaesar,BrightenGodfrey,andSamuelTalmadgeKing.DebuggingthedataplanewithAnteater.InACMSIGCOMMConferenceonApplications,Technologies,Architectures,andProtocolsforComputerCommunications(SIGCOMM),Toronto,Canada,pages290{301,August2011.[11]N.McKeown,T.Anderson,H.Balakrishnan,G.Parulkar,L.Peterson,J.Rexford,S.Shenker,andJ.Turner.Open\row:Enablinginnovationincampusnetworks.ACMSIGCOMMComputerCommunicationsReview(CCR),38(2):69{74,2008.[12]ChristopherMonsanto,NateFoster,RobHarrison,andDavidWalker.Acompilerandrun-timesystemfornetworkprogramminglanguages.InACMSIGPLAN{SIGACTSymposiumonPrinciplesofProgrammingLanguages(POPL),Philadelphia,PApages217{230,January2012.[13]AmirPnueli,MichaelSiegel,andEliSingerman.Translationvalidation.InInternationalConferenceonToolsandAlgorithmsforConstructionandAnalysisofSystems(TACAS),Lisbon,Portugal,pages151{166,March1998.[14]JoshuaReich,NateFoster,JenniferRexford,andDavidWalker.Towardalanguagefornetworkvirtualization.Draft,April2012.[15]MarkReitblatt,NateFoster,JenniferRexford,ColeSchlesinger,andDavidWalker.Abstractionsfornetworkupdate.InACMSIGCOMMConferenceonApplications,Technologies,Architectures,andProtocolsforComputerCommunications(SIGCOMM),Helsinki,Finland,August2012.Toappear.[16]RobSherwood,MichaelChan,AdamCovington,GlenGibb,MarioFlajslik,NikhilHandigol,Te-YuanHuang,PeymanKazemian,MasayoshiKobayashi,JadNaous,SrinivasanSeetharaman,DavidUnderhill,TatsuyaYabe,Kok-KiongYap,YiannisYiakoumis,HongyiZeng,GuidoAppenzeller,RameshJohari,NickMcKeown,andGuruParulkar.Carvingresearchslicesoutofyourproductionnetworkswithopen\row.ACMSIGCOMMComputerCommunicationsReview(CCR),40(1):129{130,January2010. 84 takesincomingpacketsfromS3withVLANtag,re-tagsthemwithVLAN,andforwardsthemoutitsedgeports.ItisworthnotingthattheuseofVLANsbyourcom-pilerisnotessential;thereferenceimplementationsketchedhereisnottheonlypossibility.Wearecurrentlyworkingtodevelopothercompilationalgorithmsforslicesthatmakemoreprudentuseoflow-levelswitchresources.5.VERIFICATIONOneofthemainadvantagesofdevelopingabstractionsatthelanguagelevelisthathavingaprogramtoanalyzeprovidesameansforestablishingcorrectnessusinglanguage-basedtools.Wehavebuiltaveri\fcationtoolthatchecksisolationpropertiesofslicesexpressedusinglogicformulas.Ourtoolimplementsanapproachtocompilercorrectnessknownastranslationvalidation[13].Insteadofverifyingthecorrectnessofthecompilerdirectly|somethingthatwouldbequitediculttodo,asitwouldentaildevelopingcom-pleteaformalspeci\fcationoftheintendedbehaviorofthecompiler|weanalyzeitsoutputandcheckthatithasthere-quiredproperties.Thisapproachremovesthecompilerfromthetrustedcomputingbaseandreplacesitwithawidely-usedandwell-testedveri\fcationtool.Hence,bugsinthecompilerdonotinvalidatepropertiesestablishedusingourtool.Ofcourse,thetoolitselfmayhaveerrors,butitisextremelyunlikelythatasinglebugwouldmanifestintwopiecesofsoftwaredevelopedindependently.Intuitively,isolationinvolvesrestrictingthepathsthatpacketsmaytakethroughthenetwork.Forexample,tracisolationrestrictsthesetofdestinationsthatapacketmayreachandphysicalisolationrestrictstheswitchesandlinksitmaytraverse.Temporallogicsareanaturaltoolforexpress-ingsuchproperties,sincetheirformulasdescribethepathsasystemcantakeasitevolvesovertime.OurtoolsupportspropertiesexpressedinComputationTreeLogic(CTL)[3]andusestheNuSMVmodelchecker[2]toverifyformulasagainstmodelsextractedfromOpenFlowcon\fgurations.Beforepresentingthespeci\fcisolationpropertieswever-i\fedwithoursystem,letusbrie\ryreviewthebasicsyntaxofCTL.Propertiesofindividualpacketscanbeexpressedusingequalityconstraintsandbooleanconnectives,asindstip=10.0.0.1&switch=S.Thisformulaissatis\fedbyallpacketslocatedatswitchwhosedestinationIPad-dressis10.0.0.1.CTL'stemporaloperatorsprovideawaytoexpresspropertiesofpacketsasthey\rowthroughthenetwork.TheformulaAFstatesthatonallpaths,theformulaholdsatsomepointinthefuture.Forexample,AF(switch=S)statesthatpacketscanalwaysreachswitchfromthecurrentlocation.Similarly,AGstatesthatonallpathsfromthecurrentposition,mustholdglobally.Us-inglogicalimplication,wecanproducemoreinterestingfor-mulas,suchas(switch=S1)-�AF(switch=S2),whichstatesthatallpacketsatswitchS1musteventuallybefor-wardedtoS2Trafcisolation.Toprovidetracisolation,aslicemustensurethateverypacketthatarrivesatoneitsedgeports(andmatchesthepredicateassociatedwiththatport)onlyevertraversesswitches,ports,andlinksbelongingtothesameslice.ConsiderthecampusexamplefromSection2,andsupposethatportsP1andP2representtheportsonS1andS2respectively.Thefollowingformulaissatis\fedonlyiftheredsliceenforcestracisolation:(loc=P1|loc=P2)-�AF(loc=P1|loc=P2|loc=DROP)Intuitively,thisformulastatesthatanypacketarrivingatoneoftheedgeportsoftheslicemusteventuallyreachoneoftheedgeportsinthesamesliceorbedropped.ThevariablelocmentionedinthisformulareferstothelocationofthepacketinthenetworkonaswitchorahostandDROPisaspeciallocationfordroppedpackets.Physicalisolation.Insomenetworks,itisimportanttoensurethatallswitchesandlinksareonlyeverusedtopro-cesspacketsforatmostoneslice.ConsidertheblueslicefromtheintelligenceorganizationexampleinSection2.Thefollowingformulaissatis\fedonlyifthebluesliceenforcesphysicalisolation:(switch=S5&port=1)-�AG(switch=S2|switch=S5|loc=DROP)Intuitively,itsaysthatanypacketenteringtheslicemustonlytraverseswitchesS2andS5orbedropped.Deployingverication.Language-basedveri\fcationhasarichhistoryintraditionalsoftwaresystems,whereanaly-sistoolsareoftenappliedatcompiletimetodetectbugsearlyinthedevelopmentcycle.Webelievethatapplyingthesametechniquescouldhelpincreasethereliabilityofnetworkprogramstoo.Althoughveri\fcationtoolssuchasmodelcheckerscantakealongtimetocomplete,networkcon\fgurationsareoftenwrittenwellinadvance,soprogram-merscouldcompileandverifytheirprogramsbeforetheyaredeployed.Verifyingthebehaviorofahypervisor,ontheotherhand,couldonlytakeplaceatrun-time,andglobalin-variantswouldneedtobere-veri\fedoneverynetworkeventandcontrolmessage.6.RELATEDWORKNetworkstodaytypicallyachieveisolationusinglow-levelmechanismssuchasVLANsor\frewalls.Thesemechanismscanbeusedtoeectivelyprovidebothtracandphysi-calisolation,buttheiruserequirescarefulcon\fgurationbyexpertoperatorsandispronetoerrors.FlowvisoristhemostprominentexampleofasystemthatprovidesisolationinOpenFlownetworks.Itallowsmultiplecontrollerstomanageasinglenetwork[16].Architecturally,Flowvisorisorganizedasahypervisorthatsitsbetweenthecontrollersandswitches,\flteringtheeventsgoinguptocon-trollersandmaskingthemessagesgoingdowntoswitches.Flowvisorallowsanadministratortoidentify\slices"ofthe\rowspaceusingtopologyandpacketheadercharacteristicssimilartoourslices.Inaddition,Flowvisoralsosupportsbandwidth,switchcontrolplane,andcontrollerisolationforslices,usingheuristicstoestimatetheamountofprocessingpowerneededtoimplementbyeachslice.Anotherexampleofasystemthatprovidesisolationusingahypervisor-basedapproachisXNetMon[4].TheframeworksforvirtualizingOpenFlownetworksdescribedbyCasadoetal.[1],Zari\fsandKontesidou[8],andReichetal.[14]canalsobeusedtoprovidevariousformsofisolation.Thereisgrowinginterestinapplyingveri\fcationtech-niquestonetworks.Theveri\fcationtooldescribedinthispaperbuildsononeoriginallydevelopedinthecontextof 83 #topology topo=nxtopo.NXTopo() topo.add_switch(name="X",ports=[1,2,3,4]) topo.add_switch(name="Y",ports=[1,2,3,4]) topo.add_link(("X",4),("Y",4)) #mappings s_map={"X""S2""Y""S3" p_map=identity_port_map(topo,s_map) maps=(s_map,p_map) #predicates preds=\ ([(p,header("srcport",80)) forpintopo.edge_ports("X")]+ [(p,header("dstport",80)) forpintopo.edge_ports("Y")]) #sliceconstructor slice=Slice(topo,phys_topo,maps,preds)Figure2:Bluecampusslice.Toillustratetheuseofslices,considerthePythoncodeshowninFigure2thatimplementstheblueslicefromthecampusnetworkexample.The\frstfewlinesofcodede\fnethetopology,representedasaNetworkX[9]graphwithtwoswitches:and.Theswitcheshavethreeedgeportseachandareconnectedbyalink.Thenextfewlinesofcodede\fnetheswitchandportmappingsfromtheslicedowntotheunderlyingnetwork:switchmapstoS2mapstoS3,andtheportmappingistheidentityfunction.Thesubsequentlinesassociateapredicatewitheachedgeport.Thesepredicatesmapwebtracintotheslicebutexcludeothertrac.Thencmoduleusedinthiscodepro-videsanimplementationofNetCore,ahigh-levellanguageforwritingpredicatesonpacketsthatcanbecompiledtoOpenFlow[12].The\fnallineintheprograminvokestheSliceconstructorandbuildstheactualslice.Asanexampleofaprogramwemightrunonthisnetwork,considerthefollowingNetCoreprogram,whichimplementsasimplebroadcastprotocolconnectingthehostsontheblueslice: (inport("X",[1,2,3]) |then|forward(4)) +(inport("X",4) |then|forward([1,2,3])) +(inport("Y",[1,2,3]) |then|forward(4)) +(inport("Y",4) |then|forward([1,2,3]))Wewillusethisexampleinthenextsectiontoexplainthedetailsofthecompilationalgorithm.4.THESLICECOMPILERWehaveimplementedaprototypecompilerforslices.ThecodeforourcompilerisavailableatthefollowingURL:https://github.com/frenetic-lang/slicesThecompilertakesasinputacollectionofslicede\fnitionsandtheirassociatedprograms,expressedinNetCore,andemitsasoutputalistofOpenFlowforwardingrulesforeachswitchinthephysicalnetwork.Ingeneral,aslicecompilerhassigni\fcant\rexibilityinhowitimplementsisolation.Theonlyrequirementisthatitmustcorrectlyimplementthesemanticsofslicesdescribedintheprecedingsection.Incaseswheretheslicesarede\fnedoverdisjointsetsofswitches,thecompilercanoftensimplyrewriteeachprogramusingtheswitchandportmappingsinthecorrespondingslicede\fnition.Butingeneral,thecompilermustinstrumenttheprogramstoensureisolation.Ourcompilerusesasimplestrategyforinstrumentingpro-gramsusingVLANtags.Itworksbycreatingaprogramforeachslicethatis|byconstruction|isolatedfromeveryotherslice.Moreformally,compilationproceedsasfollows.Foreachslice,thecompilerappliesthefollowingtransfor-mationsto,theNetCoreprogramassociatedwithAllocateafreshVLANtagCreateaprogrambyrestrictingsothatitonlyappliestopacketswhoseVLAN\feldisCreateaprogrambyrestrictingtoonlyapplytopacketsatedgeportsthatmatchtheassociatedpred-icateinandhavenoVLANtag,andaddanactionthatpushestheVLANtagontoeverysuchpacket.CreateaprogrambyrestrictingtoonlyapplytopacketswithVLANtagbeingforwardedoutedgeports,andaddanactiontoremovetheVLANtagfromeverysuchpacket.Createaprogrambyrestrictingtoonlyap-plytopacketsatedgeportsthatmatchtheassociatedpredicateinwithnoVLANtagwhereyieldsafor-wardingactionthatimmediatelyforwardsthepacketoutanedgeport.Applytheswitchandportmappingstotheprogramformedbytakingtheunionof,andIntuitively,theprogramhandlespacketstraversingtheinterioroftheslice,programsandhandlepacketsenteringandexitingtheslicerespectively,andhan-dlespacketsthatenterandexitthesliceinasinglehop.EachoftheseprogramsarestraightforwardtoconstructinNetCore,because(unlikerawOpenFlowforwardingrules)thelanguagesupportspowerfulset-theoreticoperatorssuchasunion,intersection,negation,etc.Togeneratethe\fnalresult,thecompilerformstheunionoftheinstrumentedprogramsforeachslice,andusestheNetCorecompilertoconverttheresultintoalistofOpenFlowrules.Asanexampletoillustratethecompilational-gorithm,considerthebroadcastprogramdescribedintheprevioussectionandthebluecampusslice.Becausetherearenonon-trivialinternalpaths,theinteriorprogramisempty.Likewise,becausetherearenonon-trivialone-hoppaths,theprogramisalsoempty.Theonlyinterestingprogramsaretheinputprogram ((inport("S2",[1,2,3])& header("srcport",80)& header("vlan",0)) |then|action([4],{"vlan":1})) |...andtheoutputprogram ((inport("S2",4)&header("vlan",1) |then|action([1,2,3],{"vlan":0})) |...TheinputprogramforS2takesallpacketsthatmatchtheslicepredicatewithVLANtag,re-tagsthemwithVLAN,andforwardsthemoutport.TheoutputprogramforS2 82 dlesunclassi\fedtrac.Theblueslice,showninthemiddle,connectsS2andS5andhandlessecrettrac.Thegreenslice,shownontheright,connectshostsonS3andhandlestop-secrettrac.Theseslicescouldbeprogrammedsepa-ratelywithoutworryingabouttraconanygivensegmentescapingtoadierentsegment.Aseachprogramcanonlyreferenceswitchesandportsincludedinthevirtualtopol-ogyfortheslice,itiseasyforanadministratortocheckthattheoverallpolicyissatis\fed|thesemanticsofslicesensuresthatprogramscannotevenreferencetheportsad-jacenthostsatdierentlevels,letalonedirectpacketstothem!Controlisolation.Asa\fnalexample,consideramulti-tenantclouddatacenterconsistingofacollectionofhostsrunningclientvirtualmachinesandanetworkorganizedintoa\fat-tree"topology|i.e.,thephysicalhostsareconnectedtotop-of-rackswitches,whichareconnectedtoaggregationswitchesonelevelup.Toallowtenantstousethenetworkinthemostecientwaypossible,wewouldliketoallowthemtocustomizethenetwork|e.g.,writingaprogramthatim-plementsacustommulticastprotocolandecientlymovesdatabetweentheirmachines.Butforsecurity,wealsoneedtoensurethataprogramwrittenbyonetenantdoesnotaecttracforothertenants.Unlikethepreviousexamples,wecannotconstructapro-gramwiththedesiredisolationproperty|theprogramsarebeingprovidedbythetenants!Wecoulduseahypervisortomonitorandcheckthecon\fgurationsgeneratedbyeachclientprogram,butinterposingahypervisorintothenet-workhasnumerousdisadvantages.Forone,itrequirespro-cessingeverycontrolmessageusingthehypervisor,whichaddslatencytooneofthecriticalpathsforperformance.Foranother,ahypervisorisalargeapplication(e.g.,theFlowvi-sorhypervisorisanon-trivial16KlinesofJavacode),andbugscouldbreakimportantinvariantsrelatedtoisolation.Usingoursliceabstraction,wecancreateasliceforeachtenantasshowninFigure1(c).Eachslicecontainsthema-chinesleasedbyeachclientaswellasthetop-of-rackandaggregationswitchesconnectingthem.Weassumethatitispossibletoidentifyeachclient'stracusing\feldsinpacketheaderssuchasIPaddresses.Notethatindividualmachinesandswitchescanbeincludedinmultipleslices.Itissafetolettenantsprogramtheirslicesbecausethecompilercon-structsawhole-networkcon\fgurationthatkeepsthetracgeneratedbyeachtenant'smachinesseparate.Thiscon\fg-urationcanbevalidatedagainstaformalspeci\fcationthatcapturestheintendedisolationpolicy,soeventhoughthecompilerisalargepieceofsoftware,itneednotbetrustedtoobtainassurance.Overall,slicesprovideeectivecon-trolisolation,eveninscenarioswherethenetworkmustbeprogrammedbymultipleparties.3.THESLICEABSTRACTIONOnereasonthatisolationcanbedicultforprogram-merstoreasonaboutisthatitisaglobalproperty|e.g.,nopacketsoriginatinginoneregionofthenetworkcanreachdevicesinsomeotherregionofthenetwork.Slicesprovideameansforprogrammerstolimitthescopeofanetworkpro- Thisconcernisnothypothetical:arecentbugintheFlowvisorhypervisorcausedportstatisticstobeincorrectlysenttoallslices[5].gram,restrictingthedevicesthatcanbeinvolvedwiththeexecutionoftheprogramaswellasthepacketsthatcanbeprocessedbyit.Theencapsulationprovidedbysliceshelpsfacilitatecompositionalreasoningaboutprogrambehavior.Formally,asliceisde\fnedintermsofthefol-lowingingredients:topologythatcomprisesswitches,ports,andlinks,mappingfromswitches,ports,andlinksintheslicetoswitches,ports,andlinksintheunderlyingnetwork,andacollectionofpredicatesonpackets,oneforeachoftheoutward-facingedgeportsintheslice.Thetopologyisagraphwithswitchesasnodes,portsasan-notationsonnodes,andlinksasedges.Itspeci\festhenet-workelementscontainedintheslice.Themappingspeci\feshowelementsintheslicetopologyrelatetocorrespondingelementsinthephysicalnetwork.Themappingisrequiredtosatisfysomestraightforwardconditionstoensurethatitiscompatiblewiththeunderlyingnetwork.Forinstance,ev-eryswitchinaslicemustmaptoauniquephysicalswitch,andeverypairofportsconnectedbyalinkinaslicemustmaptophysicalportsalsoconnectedbyaphysicallinkintheunderlyingnetwork.Webelieveitshouldbepossibletorelaxsomeoftheseconditions|e.g.,allowingmany-to-oneswitchmappings|butourimplementationdoesnotyetsupportthesegeneralizations.Finally,thepredicatesspecifythesetofpacketsthatmayenterthesliceatedgeports.Asliceextendsthenetworkwithnewlogicalswitchesthatcanbecon\fguredjustlikeanordinaryswitch.Thesemanticsofaslicecanbeunderstoodintermsofafewsimpleprinciples:Apacketentersasliceifitarrivesanexternalportforthesliceandmatchesthepredicateassociatedwiththatport.Packetprocessingoneachsliceisdictatedexclusivelybytheprogramforthatslice,andisnotaectedbytheprogramsforanyotherslices.Fromtheseprinciples,itisstraightforwardtoshowthatslicesdonotinterferewitheachother,exceptpossiblybysendingpacketsfromanedgeportononeslicetoanedgeportontheotherslice.Eventhisformofindirectinterfer-encecanalsoberuledoutifthesliceshavedisjointpredi-catesandextendallthewaytotheedgeoftheunderlyingnetwork(asinthedatacenterexampleintheprecedingsec-tion).Moreover,theseguaranteesholdeveniftheslicesareimplementedusingthesamephysicalswitches.Takento-gether,theyserveasastrongspeci\fcationforthecompiler,ensuringthatittranslatestheprogramswrittenforeachsliceintophysicalrulesthatimplementthesameforwardingbehaviorwhileprovidingisolation.Notethatthesede\fnitionsdonotprecludehavingmulti-pleoverlappingslicesde\fnedoverthesamephysicalswitches.Ifapacketarrivesataportthatconnectstomultipleslices,acopyofthepacketissenttoeachslicewhosepredicateismatchedbythepacket.Thisfeatureisimportantinscenar-ioslikethecampusnetworkexample,wheretracfromthewebserversmustbesenttoboththeredandblueslices. 81 (b)(c) S1 S2 S3 S1 S2 S3 S1 S2 S3 S1 S2 S3 S4 S5 S1 S2 S3 S4 S5 S1 S2 S3 S4 S5 A1 A2 R1 R2 R3 A1 A2 R1 R2 R3 A1 A2 R1 R2 R3 igure1:Examplenetworksandassociatedslices:(a)campus,(b)intelligence,and(c)datacenter.physicalnetworktopology,amappingfromthenodesinthisgraphtothenodesintheunderlyingnetwork,andacollec-tionofpredicatesthatspecifywhichpacketsarepermittedtoenterthesliceatitsperimeter.Programmersspecifyaseparateprogramforeachsliceandthecompilertakestheoverallcollectionofslices,togetherwiththeirassociatedprograms,andemitsaglobalcon\fgurationfortheentirenetwork.Thespeci\fcationforthecompilerensuresthattheslicesareisolatedfromeachother|i.e.,thatthepacketstraversingeachslicedonotinterferewiththeoperationofanyotherslice.Overall,thecontributionsofthispaperareasfollows:Wemakethecasefortreatingisolationatthelanguagelevel,usingexamplesinspiredbycommonnetworksce-narios(Section2).Wede\fneasimpleandelegantprogrammingabstrac-tionforde\fningslices(Section3).WedescribealgorithmsforcompilingslicestoOpen-Flowswitchesandpresentourprototypeimplementa-tionofthesealgorithms(Section4).Wediscusstechniquesforverifyingformalisolationpropertiesofprogramsexpressedusingslices,aswellasatoolthatimplementsthesetechniquesusingamodelchecker(Section5).Wefocusinthispaperonisolationwithrespecttopacketprocessing.Webelievethatoursliceabstractioncanbeex-tendedtohandleotherimportantissuessuchasbandwidthandcontrollerresources,butwedeferaninvestigationofthesetopicstofuturework.2.EXAMPLESThissectionintroducesaseriesofexamplesthatmotivatetheneedforseveraldierentkindsofisolation:traciso-lation,physicalisolation,andcontrolisolation.Weshowinformallyhowreasoningintermsofsliceshelpsstreamlinetheprocessofdevelopingprogramswiththeseproperties.Trafcisolation.ConsiderthetopologydepictedinFig-ure1(a),whichrepresentsafragmentofauniversitycam-pusnetwork.ThehostsconnectedtoswitchS1aredesk-topmachinesfortrusteduserssuchasthedean,registrar,andotheradministrators.ThehostsconnectedtoswitchS2areserversthatstoresensitiveinformationincludingstu-dentrecords.ThehostsconnectedwirelesslytoswitchS3aremachinesownedbyuntrusteduserssuchasstudentsandvisitors.Informally,theintendedpolicyforthenetworkisasfollows:S1hostsmaycommunicatewithS2servers,butnotracmay\rowbetweenS2serversandS3hosts;S3hostsmaycommunicatewithwebservicesonS2hosts,butnotwithanyotherservicesprovidedbythosemachines;andnetworkoperatorsmaysendpacketstomonitorthehealthofinternallinks,butthoseprobesmustnotreachthehostsconnectedtoS1S2,andS3Itispossibletocon\fgurethenetworksothatitimple-mentsthispolicy|e.g.,introducingdistinctVLANtagsfortrusted,untrusted,andmonitoringpackets,andinstallingappropriateforwardingand\flteringrulesforeachclassoftraconallthreeswitches|butthedetailsaretrickytogetright,andevensimpleerrorscouldeasilyleadtosecu-ritybreaches.Forexample,installingthewrongforwardingruleonS2couldallowanuntrustedS3hosttocommunicatewithandpotentiallycompromiseanS2server.Usingslices,itisstraightforwardtowriteaprogramthatcorrectlyimplementstheoverallpolicy.Wesimplycreateasliceforeachclassoftracandprogramtheslicessepa-rately.Figure1(a)depictsthethreeslices.Theredslice,shownontheleft,handlestracbetweenS1hostsandS2servers.Theblueslice,showninthemiddle,handlestracbetweenS3hostsandS2webservers.Theformalde\fnitionofthisslice(giveninthenextsection)restrictstraconS2topacketswithTCPsourceport80andonS3topacketswithTCPdestinationport80.Thegreenslice,shownontheright,handlesalltracbetweenS1S2,andS3,butdoesnotincludethehostsconnectedtothoseswitches.Theprogramrunningoneachslicecanimplementforwardingwithintheslicehoweveritlikeswithoutworryingaboutviolatingtheoverallsecuritypolicy|thesemanticsofthesliceabstractionensurestracisolation.Overall,theprogramwrittenusingslicesissigni\fcantlysimplerthanacorrespondingprogramwrittenusingexplicitVLANsorotherlow-levelmechanisms.Physicalisolation.Forthenextexample,consideranet-workthatcarriesclassi\fedinformationinanintelligenceor-ganization.Supposethatthesecuritypolicyforthisorga-nizationmandatesphysicalisolation|an\airgap"|betweenthedevicesandlinksthatprocesspacketsclassi\fedatdif-ferentlevelsofcon\fdentiality.Asinthecampusexample,wecouldcarefullyconstructapolicythatmaintainsthisinvariant,butdoingthiswouldrequireperformingexplicitmanualreasoningaboutlow-levelswitchcon\fgurationsandwouldbeveryeasytogetwrong.Usingslices,thesituationismuchsimpler.Wecreateaseparatesliceforeachlevelofcon\fdentialityandcheckthattherequiredairgapexistsbyverifyingthatthesetsofphysicaldevicesusedtoimplementeachslicearedisjoint.Figure1(b)depictsonepossiblearrangementofslices.Theredslice,shownontheleft,connectsS1andS4andhan- 80 SplendidIsolation:ASliceAbstractionforSoftware-DenedNetworksStephenGutzCornellAlecStoryCornellColeSchlesingerPrincetonNateFosterCornellABSTRACTThecorrectoperationofmanynetworksdependsonkeep-ingcertainkindsoftracisolatedfromothers,butachiev-ingisolationinnetworkstodayisfarfromstraightforward.Toachieveisolation,programmerstypicallyresorttolow-levelmechanismssuchasVirtualLANs,ortheyinterposecomplicatedhypervisorsintothecontrolplane.Thispaperpresentsabetteralternative:anabstractionthatsupportsprogrammingisolatedslicesofthenetwork.Thesemanticsofslicesensuresthattheprocessingofpacketsonasliceisindependentofallotherslices.Wede\fneoursliceabstrac-tionprecisely,developalgorithmsforcompilingslices,andillustratetheiruseonexamples.Inaddition,wedescribeaprototypeimplementationandatoolforautomaticallyver-ifyingformalisolationproperties.CategoriesandSubjectDescriptorsC.2.1[Computer-CommunicationNetworks]:NetworkOperations|Networkmanagement;D.4.6[OperatingSys-tems]:SecurityandProtection|Information\rowcontrolsKeywordsIsolation,software-de\fnednetworking,OpenFlow,networkprogramminglanguages,Frenetic.1.INTRODUCTIONNetworksaredesignedtobeshared|afterall,havingsomesharedinfrastructureisanecessaryprerequisiteforcommu-nication.Butthecorrectoperationofmanynetworksde-pendsonkeepingcertainkindsoftracisolatedfromoth-ers.Forexample,universitiesmustrestrictaccesstotheserversthatmanagestudentrecordstocomplywithdataprotectionlaws;intelligenceorganizationsoftenmaintainaphysical\airgap"betweenthedevicesthatprocesspacketsclassi\fedatdierentlevelsofcon\fdentiality;anddatacen-teroperatorstypicallyensurethattracgeneratedbyonetenantcannot\rowtothemachinesleasedbyanothertenant.Permissiontomakedigitalorhardcopiesofallorpartofthisworkforpersonalorclassroomuseisgrantedwithoutfeeprovidedthatcopiesarenotmadeordistributedforprotorcommercialadvantageandthatcopiesbearthisnoticeandthefullcitationontherstpage.Tocopyotherwise,torepublish,topostonserversortoredistributetolists,requirespriorspecicpermissionand/orafee.August13,2012,Helsinki,Finland.Copyright2012ACM978-1-4503-1477-0/12/08...$15.00.Innetworkstoday,isolationisusuallyachievedthroughavarietyofmechanisms,manyofthemadhoc:virtualLANs(VLANs)provideawaytoseparatetheprocessingofdier-entclassesofpacketsinthenetwork;special-purposedevicessuchas\frewallspreventpacketsfrom\rowingontocertainsegmentsofthenetwork;andsystemssuchasFlowvisor[16]allowmultipleprogramstocontrolanOpenFlow[11]net-workwithoutinterferingwitheachother.Butalthougheachofthesemechanismsprovidesakindofisolation,noneisacompletelysatisfactorysolution.VLANsprovidetraciso-lation,butaddextracomplexitytothealreadydiculttaskofwritingnetworkcon\fgurations.Firewallsprovidephysicalisolationbutrequirepurchasinganddeployingspecialde-vicesatappropriatelocationsinthetopology.SystemslikeFlowvisorprovidecontrolisolationbutrequireinterposingahypervisorintothemanagementplaneandplacingtrustinalargeandpotentiallybuggypieceofsoftware.Furthermore,thesemechanismsdonotprovideawaytoformallyverifythatagivennetworkhastherequiredisolationproperties.Webelievethatisolationshouldbeprovidedatthelan-guagelevel.Insteadofrelyingonlow-levelmechanisms(e.g.VLANs),special-purposedevices(e.g.,\frewalls),orcompli-catedhypervisors(e.g.,Flowvisor),wearguethatlanguagesforprogrammingnetworksshouldcomeequippedwithintu-itiveandcomposableconstructsthatcanbeusedtoestablisharangeofisolationpropertiesincludingtrac,physical,andcontrolisolation.Therearenumerousadvantagestotreat-ingisolationatthelanguagelevel.Thecompilercanhandleallofthetediousdetailsrelatedtoimplementingisolation,freeingprogrammersfromhavingtoreasonaboutVLANsortrickyissuessuchastheplacementof\frewallboxesintothetopology.Itcanalsoautomaticallyapplyoptimizationsthatmakeecientuseoflimitedlow-levelresourcessuchasVLANtags.Unlikeahypervisor,whichmustinterceptandanalyzeeveryeventandcontrolmessageatrun-time,thecompileronlyneedstobeexecutedonce|beforetheprogramisdeployedinthenetwork|whichstreamlinesthecontrolplaneandreduceslatency.Finally,obtainingisola-tionthroughlanguageabstractionsprovidesopportunitiesforobtainingassuranceusingformalveri\fcationtools.Thispaperpresentsasliceabstractionthatmakesiteasytoisolatenetworkprogramsfromeachother.Slicesallowasinglephysicalnetworktobeusedbymultipleprogramswithoutharmfulinterference.Theycanalsobeusedwithinasingleprogramtoobtainakindofmodularity|e.g.,en-suringthatadministrativetracdoesnotinterferewiththeprocessingofordinarypackets.Formally,asliceisde\fnedintermsofagraphthatrepresentsarestrictedversionofthe 79