Verifying Stability of Network Protocols
Karthikeyan Bhargavan, Carl A. Gunter, Davor Obradovic
University of Pennsylvania
Attributes of Network Protocols
• Often multi-party
  • Routing
  • Group membership
  • Reservations
• Stability and fault tolerance
  • Failed routers, networks, interfaces, hosts
• Interoperability
  • Multiple implementations must cooperate
Verification
• At what level?
  • Theory
  • Standard
  • Implementation
• Example
  • Theory: distributed asynchronous Bellman-Ford algorithm
  • Standard: RFC 1058, Routing Information Protocol (RIP)
  • Implementations: BSD RIP, PLANet RIP, XNS RIP
Theory vs. Practice for RIP
• Graph model
  • Theory: graph
  • Practice: bipartite graph with diameter less than 16
• State
  • Theory: keep values for all neighbors
  • Practice: keep only the best value
Theory vs. Practice, continued
• Time
  • Theory: actual times are irrelevant
  • Practice: actual times are important
• Algorithm
  • Theory: uniform and simple assumptions
  • Practice: split horizons, poison reverse, triggered updates
• Theorem
  • Theory: true and inspirational
  • Practice: mathematically unproved
Our General Goal
• Develop an approach to decreasing the gaps between these artifacts (theory, standard, implementation)
  • Create methodology
  • Develop tool support
  • Experiment with interesting cases
Methodology
• Respect current practices
  • Reference implementations
  • RFCs
• Track “product cycle” timetables
  • Fast for endpoints (http)
  • Slow within the network (RSVP, Multicast)
  • Faster with active networks
• Compromise appropriately
  • Key properties (like stability)
  • Practical correspondences
  • Appropriate automation
  • Integration with testing and simulation
Tool Support: Layered Approach
• Standard: informal general description
• HOL description: high-level specification, abstraction properties
• SPIN model: low-level specification, counterexamples
• PE/Slice of Implementation: concrete, non-modular, real-time
Experimentation with Tool Support
• Mocha (Village Telephone System)
• Maude (Flow-Based Adaptive Routing: FBAR)
• Code analysis for RIP
  • Tempo
  • C-Mix
  • Code Surfer
Experiments
• Current
  • RIP
  • Confidentiality and Integrity for Flow-Based Adaptive Routing (FBAR)
• Future
  • Authenticated RIP
  • Minimum delay routing
Bellman-Ford Equations
• There is a unique solution to the following pair of equations. This solution is the set of correct distances to a given “destination” node.
  • D(I) = 1 + min { D(J) | J is a neighbor of I }, where I is not the destination.
  • D(Destination) = 0.
• Theorem: in N iterations of the first equation, the values are all correct within N of the destination.
[Figure: Synchronous Bellman-Ford, distance values on the example graph]
[Figure: Asynchronous Version, distance values on the example graph]
Sandwich Proof
• From Bertsekas and Gallager.
• Correctness theorem proved by sandwich technique.
[Figure: Lower Sandwich Boundary, distance values around the Destination]
Radius Proof (Our Approach)
• Definition of K Stability: the distance estimates and directions are correctly calculated within a radius of K of the destination, and all distance estimates outside of this radius are > K.
• Theorem (Soundness): K stability is invariant under advertisements.
• Theorem (Progress): if advertisements are fair, the state will become K stable.
Radius Proof Corollary
• Corollary: If K stability holds, and a value more than distance K from the destination is increased, then no value or direction within a radius of K will be affected.
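An added executable illustration of the Bellman-Ford equations and the K stability definition above (not code from the authors' HOL or SPIN models): an asynchronous, practice-style Bellman-Ford in which each node keeps only its best (estimate, next hop), a checker for K stability, a fair round-robin schedule to exercise the Progress theorem, and a run that exercises the Soundness theorem by continuing to advertise after K stability is reached. The topology, the RIP-style infinity of 16 and the update rule are constructed assumptions for the example.

```python
from collections import deque
from itertools import cycle
GRAPH = {"d": ["a", "b"], "a": ["d", "c"], "b": ["d", "c"], "c": ["a", "b", "e"], "e": ["c"]}  # constructed; "d" is the destination
INFINITY = 16  # RIP's unreachable value

def true_distances(graph, dest):  # BFS from dest: the unique solution of the Bellman-Ford equations
    dist, queue = {dest: 0}, deque([dest])
    while queue:
        u = queue.popleft()
        for v in graph[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist

def advertise(state, sender, receiver):  # one asynchronous advertisement from sender to receiver
    offered = min(state[sender][0] + 1, INFINITY)
    est, hop = state[receiver]
    if hop == sender or offered < est:  # follow the current next hop, or adopt a strictly better offer
        state[receiver] = (offered, sender)

def is_k_stable(state, dist, graph, k):
    """K stability: correct estimates and directions within radius K, every estimate outside > K."""
    for n, (est, hop) in state.items():
        if dist[n] <= k:
            if est != dist[n] or (dist[n] > 0 and (hop not in graph[n] or dist[hop] != dist[n] - 1)):
                return False
        elif est <= k:
            return False
    return True

def stabilize(graph, dest, k, max_steps=1000):
    """Progress: under a fair (round-robin) schedule, return (steps to K stability, state, schedule, dist)."""
    dist = true_distances(graph, dest)
    state = {n: (0 if n == dest else INFINITY, None) for n in graph}  # keep only the best value
    schedule = cycle([(u, v) for u in graph for v in graph[u]])
    for step in range(max_steps):
        if is_k_stable(state, dist, graph, k):
            return step, state, schedule, dist
        advertise(state, *next(schedule))
    raise RuntimeError("K stability not reached within max_steps")

def soundness_holds(graph, dest, k, extra_steps=200):
    """Soundness: once K stable, further advertisements never break K stability."""
    _, state, schedule, dist = stabilize(graph, dest, k)
    for _ in range(extra_steps):
        advertise(state, *next(schedule))
        if not is_k_stable(state, dist, graph, k):
            return False
    return True
```

On the constructed graph the state is 0-stable before any advertisement (every non-destination estimate is infinity, so > 0) and becomes K stable for larger K only after the K-th ring has been advertised to.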
Automation of Verification
• Standard-level specification in HOL.
• Verification of Soundness and abstraction principles in HOL.
• Verification of Progress uses SPIN on a Promela program, generating about 7000 states.
• Connection between SPIN and HOL is currently informal, but we have an embedding of Promela in HOL.
Code Level Verification
• Networking software is mainly written in C.
• Bell Labs work on “alpha form” C code could aid automated translation into Promela.
• Existing programs are non-modular.
• Approach this problem with specialization and slicing. (Joint effort with Luke Hornof.)
Conclusions
• Better correspondence between the “paper” theory and the standard is possible.
• Automation can provide informative alternative lemmas.
• Better correspondence between the standard and its implementations may be aided by progress in model checking.