200 likes | 303 Views
Verifying Stability of Network Protocols. Karthikeyan Bhargavan Carl A. Gunter Davor Obradovic University of Pennsylvania. Attributes of Network Protocols. Often multi-party Routing Group membership Reservations Stability and fault tolerance Failed routers, networks, interfaces, hosts
E N D
Verifying Stability of Network Protocols Karthikeyan Bhargavan Carl A. Gunter Davor Obradovic University of Pennsylvania
Attributes of Network Protocols • Often multi-party • Routing • Group membership • Reservations • Stability and fault tolerance • Failed routers, networks, interfaces, hosts • Interoperability • Multiple implementations must cooperate
Verification • At what level? • Theory • Standard • Implementation • Example • Distributed asynchronous Bellman-Ford Algorithm • RFC 1058, Routing Information Protocol (RIP) • BSD RIP, PLANet RIP, XNS RIP
Theory vs. Practice for RIP • Graph model • Theory: graph • Practice: bipartite graph with diameter less than 16 • State • Theory: keep values for all neighbors • Practice: keep only the best value
Theory vs. Practice, continued • Time • Theory: actual times are irrelevant • Practice: actual times are important • Algorithm • Theory: uniform and simple assumptions • Practice: split horizons, poison reverse, triggered updates • Theorem • Theory: true and inspirational • Practice: mathematically unproved
Our General Goal • Develop an approach to decreasing the gaps between these artifacts • Create methodology • Develop tool support • Experiment with interesting cases
Methodology • Respect current practices • Reference implementations • RFC’s • Track “product cycle” timetables • Fast for endpoints (http) • Slow within the network (RSVP, Multicast) • Faster with active networks • Compromise appropriately • Key properties (like stability) • Practical correspondences • Appropriate automation • Integration with testing and simulation
Tool Support: Layered Approach Standard informal general description HOL description high-level specification, abstraction properties SPIN model low-level specification, counterexamples PE/Slice of Implementation concrete, non-modular, real-time
Experimentation with Tool Support • Mocha (Village Telephone System) • Maude (Flow-Based Adaptive Routing: FBAR) • Code analysis for RIP • Tempo • C-Mix • Code Surfer
Experiments • Current • RIP • Confidentiality and Integrity for Flow-Based Adaptive Routing (FBAR) • Future • Authenticated RIP • Minimum delay routing
Bellman Ford Equations • There is a unique solution to the following pair of equations. This solution is the set of correct distances to a given “destination” node. • D(I) = 1 + min { D(J) | J is a neighbor of I} where I is not the destination. • D(Destination) = 0. • Theorem: in N iterations of the first equation the values are all correct within N of the destination.
2 2 1 1 1 1 0 0 0 Synchronous Bellman-Ford
3 3 2 2 4 1 1 0 0 0 0 0 Asynchronous Version
Sandwich Proof • From Bertsekas and Gallager. • Correctness theorem proved by sandwich technique.
0 2 0 2 0 0 1 0 1 1 0 1 0 0 0 Lower Sandwich Boundary Destination
Radius Proof (Our Approach) • Definition of K Stability: the distance estimates and directions are correctly calculated within a radius of K of the destination, and all distance estimates outside of this radius are > K. • Theorem (Soundness): K stability is invariant under advertisements. • Theorem (Progress): if advertisements are fair, the state will become K stable.
Radius Proof Corollary • Corollary: If K stability holds, and a value more than distance K from the destination is increased, then no value or direction within a radius of K will be affected.
Automation of Verification • Standard-level specification in HOL. • Verification of Soundness and abstraction principles in HOL. • Verification of Progress uses SPIN on Promela program, generating about 7000 states. • Connection between SPIN and HOL currently informal, but we have an embedding of Promela in HOL.
Code Level Verification • Networking software is mainly written in C. • Bell Labs work on “alpha form” C code could aid automated translation into Promela. • Existing programs are non-modular. • Approach this problem with specialization and slicing. (Joint effort with Luke Hornof.)
Conclusions • Better correspondence between the “paper” theory and the standard is possible. • Automation can provide informative alternative lemmas. • Better correspondence between the standard and its implementations may be aided by progress in model checking.