TY - GEN
T1 - APKeep
T2 - 17th USENIX Symposium on Networked Systems Design and Implementation, NSDI 2020
AU - Zhang, Peng
AU - Liu, Xu
AU - Yang, Hongkun
AU - Kang, Ning
AU - Gu, Zhengchang
AU - Li, Hao
N1 - Publisher Copyright:
© Proc. of the 17th USENIX Symposium on Networked Systems Design and Impl., NSDI 2020. All rights reserved.
PY - 2020
Y1 - 2020
N2 - Realtime network verification ensures the correctness of network by incrementally checking data plane updates in real time (e.g., < 1ms per rule update). Even state-of-the-art methods can already achieve sub-millisecond verification time, such speed is achieved mostly for pure IP forwarding devices, and is unrealistic for real-world networks, due to two reasons. (1) Their network models cannot express the forwarding behavior of real devices, which have various functions including IP forwarding, ACL, NAT, policy-based routing, etc. (2) Their update algorithms do not scale in space and/or time: multi-field rules (e.g., ACL rules) can make these tools run out of memory and/or incur long verification time. To scale realtime verification to real networks, we propose APKeep based on a new modular network model that is expressive for real devices, and propose new algorithms that can achieve low memory cost and fast update speed at the same time. Our experiments show that for real-world update traces consisting of IP forwarding rules and ACL rules, existing methods either run out of memory or incur a prohibitively long verification time, while APKeep still achieves a sub-millisecond verification time. We also show that APKeep can verify an update of NAT rule mostly in less than 1 millisecond.
AB - Realtime network verification ensures the correctness of network by incrementally checking data plane updates in real time (e.g., < 1ms per rule update). Even state-of-the-art methods can already achieve sub-millisecond verification time, such speed is achieved mostly for pure IP forwarding devices, and is unrealistic for real-world networks, due to two reasons. (1) Their network models cannot express the forwarding behavior of real devices, which have various functions including IP forwarding, ACL, NAT, policy-based routing, etc. (2) Their update algorithms do not scale in space and/or time: multi-field rules (e.g., ACL rules) can make these tools run out of memory and/or incur long verification time. To scale realtime verification to real networks, we propose APKeep based on a new modular network model that is expressive for real devices, and propose new algorithms that can achieve low memory cost and fast update speed at the same time. Our experiments show that for real-world update traces consisting of IP forwarding rules and ACL rules, existing methods either run out of memory or incur a prohibitively long verification time, while APKeep still achieves a sub-millisecond verification time. We also show that APKeep can verify an update of NAT rule mostly in less than 1 millisecond.
UR - https://www.scopus.com/pages/publications/85091860222
M3 - 会议稿件
AN - SCOPUS:85091860222
T3 - Proceedings of the 17th USENIX Symposium on Networked Systems Design and Implementation, NSDI 2020
SP - 241
EP - 255
BT - Proceedings of the 17th USENIX Symposium on Networked Systems Design and Implementation, NSDI 2020
PB - USENIX Association
Y2 - 25 February 2020 through 27 February 2020
ER -