SlideShare a Scribd company logo

VeriFlow Presentation

K
Krystle Bates

VeriFlow is a system that provides real-time verification of network-wide invariants by obtaining a real-time view of the network and using dynamic monitoring and custom algorithms for error detection. It works by generating equivalence classes to limit the search space, representing forwarding behavior using forwarding graphs, and running queries to check invariants. Experiments show that VeriFlow can verify most updates within 1 millisecond with minimal impact on TCP connection latency. While faster than Header Space Analysis, VeriFlow and HSA both aim to verify the data plane but use different data structures and approaches.

Technology
1 of 32
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
VeriFlow: Verifying Network-Wide Invariants in Real Time Krystle Bates Yenming Chen
Agenda ● Introduction ● VeriFlow ● Experiments ● Comparison: Header Space Analysis (HSA) ● Lessons Learned ● Conclusion & Discussion
Introduction
SDN’s Refresh ● Software Defined Network (SDN) allows the use of programming network devices Fig. 1: Software Defined Networking Architecture [1]
Challenges of SDNs - A logically-centralized network applications allow bugs occur due to the increases in software complexities. - The use of multiple applications or user’s ability to program the same physical network simultaneously, could result in conflicting rules.
Overview Approach - Uses real-time data plane verification. - Has a standardized and open interface to read and write the data plane of network devices and a centralized device can run code and is responsible for transmitting commands to network devices.
Challenges - Obtaining real time view of network - Verification speed Photo by ✿ SUMAYAH ©™ - Creative Commons Attribution-NonCommercial-ShareAlike License https://farm8.staticflickr.com/7042/7098318665_9cb251bcd2_b.jpg
VeriFlow
Structure of VeriFlow - Real - Time analysis - Function by - Dynamic Monitor - Model Behavior - Custom Algorithms for Error Detection
1. Limit the Search Space Generate Equivalence Classes Veriflow Updates
Computing Equivalence Classes (EC)
2. Represent Forwarding Behavior Generate Equivalence Classes Generate Forwarding Graphs Veriflow Updates
Forwarding Graphs
3. Run Query to Check Invariants Generate Equivalence Classes Run Queries Generate Forwarding Graphs Veriflow Updates
Experiment
Evaluation #1- Microbenchmarking VeriFlow run time Goal - Observe Veriflow’s different phases contributions to the overall run time Simulated an IP network with 172 routers Replayed BGP traces, with 5 million RIB entries and 90k BGP updates
Performance Results 97.8% of the updates were verified within 1 millisecond
Evaluation #2 - Effect on TCP Connection Setup Latency Goal - Understand the impact of Veriflow on TCP connection setup latency Mininet OpenFlow network 10 switched arranged in chain-like topology A host connect to every switch Nox controller running “learning switch” app TCP connections between random pairs of hosts
Evaluation Results
Time Consume
Comparison: HSA
Header Space Analysis Operating overview ● Extract header from packets in binary {0,1} ● Construct forwarding transfer function T(h,p) ● Mathematical computation for verification Achievements ● Reachability analysis ● Loop detection ● Slice isolation P. Kazemian, G. Varghese and N. McKeown, “Header space analysis: static checking for networks”, NSDI'12 Proceedings of USENIX conference on Networked Systems Design and Implementation, 2012 Time Consume ~= second base
NetPlumber Features ● Based on HSA ● Built dependency graph Improvements of HSA ● Incremental update rules (achieve real-time) ● Without ad hoc code required by HSA (generalize to probe nodes) ● Cluster graph and reduce inner-edges (parallelization) P. Kazemian, M.l Chang, H. Zeng, G. Varghese , N. McKeown, S. Whyte, “Real Time Network Policy Checking using Header Space Analysis”, NSDI'12 Proceedings of USENIX conference on Networked Systems Design and Implementation, 2013
conti. NetPlumber
Time Consume ~= millisecond
Lessons Learned
VeriFlow vs NetPlumber (HSA) VeriFlow NetPlumber(HSA) History 2013 by UIUC 2013(2012) by Stanford Apply Layer Data-Plane Data-Plane Data Structure Tree Graph Time Consume millisecond millisecond Steps Class / Flow / Queries Space / Topology / Algebra Verification Custom Query Procedure Algebra Operation Both support forwarding actions and verification
Conclusion & Discussion
Conclusion VeriFlow achieves real-time verification - A layer between SDN controller and network elements - Finds faulty flows issued by SDN applications - Verifies network-wide invariants as each flow is inserted Can prevent a flow from reaching the network
Thanks for your attention!
Problems and Discussion 1) Is there any limitation on Data-Plane verification ? 2) How can we improve the speed of Veriflow ? 3) Within the experimental results, there is a long tail behavior in the CDF. Why do you think that is? 4) Is it possible for VeriFlow to deal with the control logic error? 5) Is SDN pre-requisite for VeriFlow? Can we implement VeriFlow without the SDN's implementation? 6) Can Veriflow replace firewall in a networked system?
References - A. Khurshid, X. Zou, W. Zhou, M. Caesar, P. Godfrey, VeriFlow: Verifying Network-Wide Invariants in Real Time, (Paper) and “VeriFlow: Verifying Network-Wide Invariants in Real Time”, PPT, http://conferences.sigcomm.org/sigcomm/2012/slides/sdn/session2/03-Veriflow.pdf, 2012 - P. Kazemian, G. Varghese, N. McKeown, “Header Space Analysis: Static Checking For Networks” - G. N. Nde and R. Khondoker, "SDN testing and debugging tools: A survey," 2016 5th International Conference on Informatics, Electronics and Vision (ICIEV), Dhaka, 2016, pp. 631-635. - D. Nicol, K. Jin, M. Caesar, B. Sanders, “A Hypothesis Testing Framework for Network Security”, PPT - Peyman Kazemian, Network Debugging, http://yuba.stanford.edu/~peyman/research.html

More Related Content

PDF
Investigating the Impact of Network Topology on the Processing Times of SDN C...
Steffen Gebert
 
PDF
ppbench - A Visualizing Network Benchmark for Microservices
Nane Kratzke
 
PDF
SDN interfaces and performance analysis of SDN components
Steffen Gebert
 
PPTX
Efficient Topology Discovery in Software Defined Networks
Farzaneh Pakzad
 
PPTX
Group Communication Techniques in Overlay Networks
Knut-Helge Vik
 
PPTX
SDN: is it a solution for network security?
ARCCN
 
PDF
Capstone Poster Final Draft - 2
Krishna Prasad A R
 
PPTX
Ravi Namboori Software Defined Network Presentation
ravi namboori
 
Investigating the Impact of Network Topology on the Processing Times of SDN C...
Steffen Gebert
 
ppbench - A Visualizing Network Benchmark for Microservices
Nane Kratzke
 
SDN interfaces and performance analysis of SDN components
Steffen Gebert
 
Efficient Topology Discovery in Software Defined Networks
Farzaneh Pakzad
 
Group Communication Techniques in Overlay Networks
Knut-Helge Vik
 
SDN: is it a solution for network security?
ARCCN
 
Capstone Poster Final Draft - 2
Krishna Prasad A R
 
Ravi Namboori Software Defined Network Presentation
ravi namboori
 

What's hot (20)

PDF
An Overview of Distributed Debugging
Anant Narayanan
 
PPTX
Link Capacity Estimation in Wireless Software Defined Networks
Farzaneh Pakzad
 
PDF
Insight DE project
Kat Chuang
 
PPTX
SC'18 BoF Presentation
rcastain
 
PPT
Colloque IMT -04/04/2019- L'IA au cœur des mutations industrielles - L'IA pou...
I MT
 
PPTX
IEEE HPSR 2017 Keynote: Softwarized Dataplanes and the P^3 trade-offs: Progra...
Christian Esteve Rothenberg
 
PPTX
Radware DefenseFlow-The SDN Application That Programs Networks for DoS Security
Radware
 
PDF
Resume
Siddharth Joshi
 
PPTX
Smart Contract Security Testing
Dilum Bandara
 
PDF
SFBay OpenStack Meetup // Neutron and SDN in Production – Dec 3 2013
Randy Bias
 
PPT
Krabbenhoft_TavernaARC_BOSC2009
bosc
 
PDF
SDN-ppt-new
Gifty Susan Mani
 
PDF
OpenFlow Aware Network Processor
Mahesh Dananjaya
 
PPTX
In-kernel Analytics and Tracing with eBPF for OpenStack Clouds
PLUMgrid
 
PDF
Sdn&security
Cristiano Monteiro
 
PPTX
DEVNET-1114 Automated Management Using SDN/NFV
Cisco DevNet
 
PDF
The Impact of Software-based Virtual Network in the Public Cloud
Chunghan Lee
 
PPTX
Software defined network
Deeptiman Mallick
 
PDF
Making Runtime Data Useful for Incident Diagnosis: An Experience Report
QAware GmbH
 
PDF
Combining Cloud Native & PaaS: Building a Fully Managed Application Platform ...
DigitalOcean
 
An Overview of Distributed Debugging
Anant Narayanan
 
Link Capacity Estimation in Wireless Software Defined Networks
Farzaneh Pakzad
 
Insight DE project
Kat Chuang
 
SC'18 BoF Presentation
rcastain
 
Colloque IMT -04/04/2019- L'IA au cœur des mutations industrielles - L'IA pou...
I MT
 
IEEE HPSR 2017 Keynote: Softwarized Dataplanes and the P^3 trade-offs: Progra...
Christian Esteve Rothenberg
 
Radware DefenseFlow-The SDN Application That Programs Networks for DoS Security
Radware
 
Resume
Siddharth Joshi
 
Smart Contract Security Testing
Dilum Bandara
 
SFBay OpenStack Meetup // Neutron and SDN in Production – Dec 3 2013
Randy Bias
 
Krabbenhoft_TavernaARC_BOSC2009
bosc
 
SDN-ppt-new
Gifty Susan Mani
 
OpenFlow Aware Network Processor
Mahesh Dananjaya
 
In-kernel Analytics and Tracing with eBPF for OpenStack Clouds
PLUMgrid
 
Sdn&security
Cristiano Monteiro
 
DEVNET-1114 Automated Management Using SDN/NFV
Cisco DevNet
 
The Impact of Software-based Virtual Network in the Public Cloud
Chunghan Lee
 
Software defined network
Deeptiman Mallick
 
Making Runtime Data Useful for Incident Diagnosis: An Experience Report
QAware GmbH
 
Combining Cloud Native & PaaS: Building a Fully Managed Application Platform ...
DigitalOcean
 
Ad

Similar to VeriFlow Presentation (20)

PDF
BuildingSDNmanageableswitch.pdf
Fernando Velez Varela
 
PDF
DesignofSDNmanageableswitch.pdf
Fernando Velez Varela
 
PPTX
Software Defined Networks
Shreeya Shah
 
PPTX
Distributed Clouds and Software Defined Networking
US-Ignite
 
PPTX
Software-Defined Networking(SDN):A New Approach to Networking
Anju Ann
 
PPTX
Software_Defined_Networking.pptx
AsfawGedamu
 
PDF
SDN Security Talk - (ISC)2_3
Wen-Pai Lu
 
PDF
Final_Report
Tlhologelo Mphahlele
 
PPTX
CloudComp 2015 - SDN-Cloud Testbed with Hyper-convergent SmartX Boxes
GIST (Gwangju Institute of Science and Technology)
 
PPTX
SDN - a new security paradigm?
Sophos Benelux
 
PDF
Radisys/Wind River: The Telcom Cloud - Deployment Strategies: SDN/NFV and Vir...
Radisys Corporation
 
PDF
SDN: A New Approach to Networking Technology
IRJET Journal
 
PPTX
Introduction to SDN: Software Defined Networking
Ankita Mahajan
 
PPTX
Software Define Network, a new security paradigm ?
Jean-Marc ANDRE
 
PPT
FlowN vs FlowVisor: Scalable Network Virtualization in SDN
Hao Jiang
 
PPTX
SDN 101: Software Defined Networking Course - Sameh Zaghloul/IBM - 2014
SAMeh Zaghloul
 
PDF
Understanding network and service virtualization
SDN Hub
 
PPTX
Software Defined Networking
Anshuman Singh
 
PDF
The Challenges of SDN/OpenFlow in an Operational and Large-scale Network
Open Networking Summits
 
PPTX
SDN Multi-Controller Domain.pptx
Sandeep Maurya
 
BuildingSDNmanageableswitch.pdf
Fernando Velez Varela
 
DesignofSDNmanageableswitch.pdf
Fernando Velez Varela
 
Software Defined Networks
Shreeya Shah
 
Distributed Clouds and Software Defined Networking
US-Ignite
 
Software-Defined Networking(SDN):A New Approach to Networking
Anju Ann
 
Software_Defined_Networking.pptx
AsfawGedamu
 
SDN Security Talk - (ISC)2_3
Wen-Pai Lu
 
Final_Report
Tlhologelo Mphahlele
 
CloudComp 2015 - SDN-Cloud Testbed with Hyper-convergent SmartX Boxes
GIST (Gwangju Institute of Science and Technology)
 
SDN - a new security paradigm?
Sophos Benelux
 
Radisys/Wind River: The Telcom Cloud - Deployment Strategies: SDN/NFV and Vir...
Radisys Corporation
 
SDN: A New Approach to Networking Technology
IRJET Journal
 
Introduction to SDN: Software Defined Networking
Ankita Mahajan
 
Software Define Network, a new security paradigm ?
Jean-Marc ANDRE
 
FlowN vs FlowVisor: Scalable Network Virtualization in SDN
Hao Jiang
 
SDN 101: Software Defined Networking Course - Sameh Zaghloul/IBM - 2014
SAMeh Zaghloul
 
Understanding network and service virtualization
SDN Hub
 
Software Defined Networking
Anshuman Singh
 
The Challenges of SDN/OpenFlow in an Operational and Large-scale Network
Open Networking Summits
 
SDN Multi-Controller Domain.pptx
Sandeep Maurya
 
Ad

Recently uploaded (20)

PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PPTX
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
A Presentation on Artificial Intelligence
memembruh336
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
MYSQL Presentation for SQL database connectivity
Swati270511
 

VeriFlow Presentation

  • 1. VeriFlow: Verifying Network-Wide Invariants in Real Time Krystle Bates Yenming Chen
  • 2. Agenda ● Introduction ● VeriFlow ● Experiments ● Comparison: Header Space Analysis (HSA) ● Lessons Learned ● Conclusion & Discussion
  • 4. SDN’s Refresh ● Software Defined Network (SDN) allows the use of programming network devices Fig. 1: Software Defined Networking Architecture [1]
  • 5. Challenges of SDNs - A logically-centralized network applications allow bugs occur due to the increases in software complexities. - The use of multiple applications or user’s ability to program the same physical network simultaneously, could result in conflicting rules.
  • 6. Overview Approach - Uses real-time data plane verification. - Has a standardized and open interface to read and write the data plane of network devices and a centralized device can run code and is responsible for transmitting commands to network devices.
  • 7. Challenges - Obtaining real time view of network - Verification speed Photo by ✿ SUMAYAH ©™ - Creative Commons Attribution-NonCommercial-ShareAlike License https://farm8.staticflickr.com/7042/7098318665_9cb251bcd2_b.jpg
  • 9. Structure of VeriFlow - Real - Time analysis - Function by - Dynamic Monitor - Model Behavior - Custom Algorithms for Error Detection
  • 10. 1. Limit the Search Space Generate Equivalence Classes Veriflow Updates
  • 12. 2. Represent Forwarding Behavior Generate Equivalence Classes Generate Forwarding Graphs Veriflow Updates
  • 14. 3. Run Query to Check Invariants Generate Equivalence Classes Run Queries Generate Forwarding Graphs Veriflow Updates
  • 16. Evaluation #1- Microbenchmarking VeriFlow run time Goal - Observe Veriflow’s different phases contributions to the overall run time Simulated an IP network with 172 routers Replayed BGP traces, with 5 million RIB entries and 90k BGP updates
  • 17. Performance Results 97.8% of the updates were verified within 1 millisecond
  • 18. Evaluation #2 - Effect on TCP Connection Setup Latency Goal - Understand the impact of Veriflow on TCP connection setup latency Mininet OpenFlow network 10 switched arranged in chain-like topology A host connect to every switch Nox controller running “learning switch” app TCP connections between random pairs of hosts
  • 22. Header Space Analysis Operating overview ● Extract header from packets in binary {0,1} ● Construct forwarding transfer function T(h,p) ● Mathematical computation for verification Achievements ● Reachability analysis ● Loop detection ● Slice isolation P. Kazemian, G. Varghese and N. McKeown, “Header space analysis: static checking for networks”, NSDI'12 Proceedings of USENIX conference on Networked Systems Design and Implementation, 2012 Time Consume ~= second base
  • 23. NetPlumber Features ● Based on HSA ● Built dependency graph Improvements of HSA ● Incremental update rules (achieve real-time) ● Without ad hoc code required by HSA (generalize to probe nodes) ● Cluster graph and reduce inner-edges (parallelization) P. Kazemian, M.l Chang, H. Zeng, G. Varghese , N. McKeown, S. Whyte, “Real Time Network Policy Checking using Header Space Analysis”, NSDI'12 Proceedings of USENIX conference on Networked Systems Design and Implementation, 2013
  • 27. VeriFlow vs NetPlumber (HSA) VeriFlow NetPlumber(HSA) History 2013 by UIUC 2013(2012) by Stanford Apply Layer Data-Plane Data-Plane Data Structure Tree Graph Time Consume millisecond millisecond Steps Class / Flow / Queries Space / Topology / Algebra Verification Custom Query Procedure Algebra Operation Both support forwarding actions and verification
  • 29. Conclusion VeriFlow achieves real-time verification - A layer between SDN controller and network elements - Finds faulty flows issued by SDN applications - Verifies network-wide invariants as each flow is inserted Can prevent a flow from reaching the network
  • 31. Problems and Discussion 1) Is there any limitation on Data-Plane verification ? 2) How can we improve the speed of Veriflow ? 3) Within the experimental results, there is a long tail behavior in the CDF. Why do you think that is? 4) Is it possible for VeriFlow to deal with the control logic error? 5) Is SDN pre-requisite for VeriFlow? Can we implement VeriFlow without the SDN's implementation? 6) Can Veriflow replace firewall in a networked system?
  • 32. References - A. Khurshid, X. Zou, W. Zhou, M. Caesar, P. Godfrey, VeriFlow: Verifying Network-Wide Invariants in Real Time, (Paper) and “VeriFlow: Verifying Network-Wide Invariants in Real Time”, PPT, http://conferences.sigcomm.org/sigcomm/2012/slides/sdn/session2/03-Veriflow.pdf, 2012 - P. Kazemian, G. Varghese, N. McKeown, “Header Space Analysis: Static Checking For Networks” - G. N. Nde and R. Khondoker, "SDN testing and debugging tools: A survey," 2016 5th International Conference on Informatics, Electronics and Vision (ICIEV), Dhaka, 2016, pp. 631-635. - D. Nicol, K. Jin, M. Caesar, B. Sanders, “A Hypothesis Testing Framework for Network Security”, PPT - Peyman Kazemian, Network Debugging, http://yuba.stanford.edu/~peyman/research.html