Affiliation:
1. University of Washington, USA
Abstract
Internet Service Providers (ISPs) use the Border Gateway Protocol (BGP) to announce and exchange routes for delivering packets through the internet. ISPs must carefully configure their BGP routers to ensure traffic is routed reliably and securely. Correctly configuring BGP routers has proven challenging in practice, and misconfiguration has led to worldwide outages and traffic hijacks. This paper presents Bagpipe, a system that enables ISPs to declaratively express BGP policies and that automatically verifies that router configurations implement such policies. The novel initial network reduction soundly reduces policy verification to a search for counterexamples in a finite space. An SMT-based symbolic execution engine performs this search efficiently. Bagpipe reduces the size of its search space using predicate abstraction and parallelizes its search using symbolic variable hoisting. Bagpipe's policy specification language is expressive: we expressed policies inferred from real AS configurations, policies from the literature, and policies for 10 Juniper TechLibrary configuration scenarios. Bagpipe is efficient: we ran it on three ASes with a total of over 240,000 lines of Cisco and Juniper BGP configuration. Bagpipe is effective: it revealed 19 policy violations without issuing any false positives.
Publisher
Association for Computing Machinery (ACM)
Subject
Computer Graphics and Computer-Aided Design, Software
Cited by
31 articles.