In modern networks, forwarding of packets often depends on the history of previously transmitted traffic. Such networks contain stateful middleboxes, whose forwarding behaviour depends on a mutable internal state. Firewalls and load balancers are typical examples of stateful middleboxes. This work addresses the complexity of verifying safety properties, such as isolation, in networks with finite-state middleboxes. Unfortunately, we show that even in the absence of forwarding loops, reasoning about such networks is undecidable due to interactions between middleboxes connected by unbounded ordered channels. We therefore abstract away channel ordering. This abstraction is sound for safety, and makes the problem decidable. Specifically, safety checking becomes EXPSPACE-complete in the number of hosts and middleboxes in the network. To tackle the high complexity, we identify two useful subclasses of finite-state middleboxes which admit better complexities. The simplest class includes, e.g., firewalls and permits polynomial-time verification. The second class includes, e.g., cache servers and learning switches, and makes the safety problem coNP-complete. Finally, we implement a tool for verifying the correctness of stateful networks.
This is a preview of subscription content, log in to check access.
Buy single article
Instant access to the full article PDF.
Price includes VAT for USA
Subscribe to journal
Immediate online access to all issues from 2019. Subscription will auto renew annually.
This is the net price. Taxes to be calculated in checkout.
In this work we do not distinguish between routers and switches, since they obey similar forwarding models.
Routers may be considered a degenerate case of middleboxes, whose state is constant and hence their forwarding behaviour does not change over time.
A subsequence is a sequence that can be derived from another sequence by deleting some elements without changing the order of the remaining elements.
Abdulla P, Jonsson B (1993) Verifying programs with unreliable channels. In: Logic in computer science (LICS). IEEE, pp 160–170
Abdulla PA, Čerāns K, Jonsson B, Tsay YK (1996) General decidability theorems for infinite-state systems. In: Logic in computer science (LICS). IEEE, pp 313–321
Anderson CJ, Foster N, Guha A, Jeannin JB, Kozen D, Schlesinger C, Walker D (2014) NetKAT: semantic foundations for networks. In: POPL
Aref M, ten Cate B, Green TJ, Kimelfeld B, Olteanu D, Pasalic E, Veldhuizen TL, Washburn G (2015) Design and implementation of the LogicBlox system. In: ACM SIGMOD international conference on management of data, pp 1371–1382
Ball T, Bjørner N, Gember A, Itzhaky S, Karbyshev A, Sagiv M, Schapira M, Valadarsky A (2014) Vericon: towards verifying controller programs in software-defined networks. In: ACM SIGPLAN conference on programming language design and implementation, PLDI, p 31
Bochmann GV (1978) Finite state description of communication protocols. Comput Netw 2(4):361–372 (1976)
Brand D, Zafiropulo P (1983) On communicating finite-state machines. J ACM 30(2):323–342
Canini M, Venzano D, Peres P, Kostic D, Rexford J (2012) A nice way to test openflow applications. In: 9th USENIX symposium on networked systems design and implementation (NSDI’12)
Cardoza E, Lipton R, Meyer AR (1976) Exponential space complete problems for Petri nets and commutative semigroups (preliminary report). In: Proceedings of the eighth annual ACM symposium on theory of computing. ACM, pp 50–54
Clarke EM, Jha S, Marrero WR (1998) Using state space exploration and a natural deduction style message derivation engine to verify security protocols. In: IFIP TC2/WG2.2,2.3 international conference on programming concepts and methods (PROCOMET ’98), Shelter Island, New York, USA, 8–12 June 1998, pp 87–106
Finkel A, Schnoebelen P (2001) Well-structured transition systems everywhere!. Theor Comput Sci 256(1):63–92
Fogel A, Fung S, Pedrosa L, Walraed-Sullivan M, Govindan R, Mahajan R, Millstein TD (2015) A general approach to network configuration analysis. In: 12th USENIX symposium on networked systems design and implementation, NSDI 15, Oakland, CA, USA, 4–6 May 2015, pp 469–483
Foster N, Kozen D, Milano M, Silva A, Thompson L (2015) A coalgebraic decision procedure for NetKat. In: Proceedings of the 42nd annual ACM SIGPLAN-SIGACT symposium on principles of programming languages, POPL 2015, Mumbai, India, 15–17 Jan 2015, pp 343–355
Hengartner U, Moon S, Mortier R, Diot C (2002) Detection and analysis of routing loops in packet traces. In: Proceedings of the 2nd ACM SIGCOMM workshop on internet measurement. ACM, pp 107–112
Higman G (1952) Ordering by divisibility in abstract algebras. In: Proceedings of the London Mathematical Society, pp 326–336
Kazemian P, Chang M, Zeng H, Varghese G, McKeown N, Whyte S (2013) Real time network policy checking using header space analysis. In: 10th USENIX symposium on networked systems design and implementation (NSDI ’13)
Kazemian P, Varghese G, McKeown N (2012) Header space analysis: static checking for networks. In: 9th USENIX symposium on networked systems design and implementation (NSDI ’12)
Khurshid A, Zhou W, Caesar M, Godfrey B (2012) Veriflow: verifying network-wide invariants in real time. Comput Commun Rev 42(4):467–472
Kozen D (1977) Lower bounds for natural proof systems. In: 18th annual symposium on foundations of computer science. IEEE, pp 254–266
Kuzniar M, Peresini P, Canini M, Venzano D, Kostic D (2012) A soft way for OpenFlow switch interoperability testing. In: CoNEXT, pp 265–276
Lipton R (1976) The reachability problem requires exponential space. Technical report 62, Department of Computer Science, Yale University
LogicBlox. http://www.logicblox.com/. Retrieved 7 July 2015
Lola 2.0 sources. http://download.gna.org/service-tech/lola/lola-2.0.tar.gz
Lopes NP, Bjørner N, Godefroid P, Jayaraman K, Varghese G (2015) Checking beliefs in dynamic networks. In: 12th USENIX symposium on networked systems design and implementation, NSDI 15, Oakland, CA, USA, 4–6 May 2015, pp 499–512
Mai H, Khurshid A, Agarwal R, Caesar M, Godfrey B, King ST (2011) Debugging the data plane with anteater. In: SIGCOMM
Minsky ML (1961) Recursive unsolvability of post’s problem of “tag” and other topics in theory of turing machines. Ann Math 74:437–455
Nelson T, Ferguson AD, Scheer MJG, Krishnamurthi S (2014) Tierless programming and reasoning for software-defined networks. In: Proceedings of the 11th USENIX symposium on networked systems design and implementation, NSDI 2014, Seattle, WA, USA, 2–4 Apr 2014, pp 519–531
Panda A, Argyraki KJ, Sagiv M, Schapira M, Shenker S (2015) New directions for network verification. In: 1st summit on advances in programming languages, SNAPL 2015, Asilomar, California, USA, 3–6 May 2015, pp 209–220
Panda A, Lahav O, Argyraki K, Sagiv M, Shenker S (2014) Verifying isolation properties in the presence of middleboxes. arXiv preprint arXiv:1409.7687
Peterson JL (1977) Petri nets. ACM Comput Surv 9(3):223–252
Potharaju R, Jain N (2013) Demystifying the dark side of the middle: a field study of middlebox failures in datacenters. In: Proceedings of the 2013 internet measurement conference, IMC 2013, Barcelona, Spain, 23–25 Oct 2013, pp 9–22
Rackoff C (1978) The covering and boundedness problems for vector addition systems. Theor Comput Sci 6(2):223–231
Ritchey RW, Ammann P (2000) Using model checking to analyze network vulnerabilities. In: Security and privacy
Schmidt K (2000) Lola a low level analyser. In: Application and theory of Petri nets 2000. Springer, pp 465–474
Schnoebelen P (2002) Verifying lossy channel systems has nonprimitive recursive complexity. Inf Process Lett 83(5):251–261
Sen K, Viswanathan M (2006) Model checking multithreaded programs with asynchronous atomic methods. In: International conference on computer aided verification. Springer, pp 300–314
Sethi D, Narayana S, Malik S (2013) Abstractions for model checking SDN controllers. In: FMCAD
Sherry J, Hasan S, Scott C, Krishnamurthy A, Ratnasamy S, Sekar V (2012) Making middleboxes someone else’s problem: network processing as a cloud service. In: SIGCOMM
Skowyra R, Lapets A, Bestavros A, Kfoury A (2013) A verification platform for SDN-enabled applications. In: HiCoNS
Stoenescu R, Popovici M, Negreanu L, Raiciu C (2013) Symnet: static checking for stateful networks. In: Proceedings of the 2013 workshop on Hot topics in middleboxes and network function virtualization. ACM, pp 31–36
Velner Y, Alpernas K, Panda A, Rabinovich A, Sagiv M, Shenker S, Shoham S (2016) Some complexity results for stateful network verification. In: International conference on tools and algorithms for the construction and analysis of systems. Springer, pp 811–830
Zeng H, Zhang S, Ye F, Jeyakumar V, Ju M, Liu J, McKeown N, Vahdat A (2014) Libra: divide and conquer to verify forwarding tables in huge networks. In: NSDI
This publication is part of projects that have received funding from the European Research Council (ERC) under the European Union’s Seventh Framework Program (FP7/2007–2013)/ERC Grant Agreement No. 321174-VSSC, and Horizon 2020 research and innovation programme (Grant Agreement No. 759102-SVIS). The research was supported in part by Len Blavatnik and the Blavatnik Family foundation, the Blavatnik Interdisciplinary Cyber Research Center, Tel Aviv University, and the Pazy Foundation. This material is based upon work supported by the United States-Israel Binational Science Foundation (BSF) Grant Nos. 2016260 and 2012259. This research was also supported in part by NSF Grants 1704941 and 1420064, and funding provided by Intel Corporation.
A preliminary version of this work appeared in .
About this article
Cite this article
Alpernas, K., Panda, A., Rabinovich, A. et al. Some complexity results for stateful network verification. Form Methods Syst Des 54, 191–231 (2019). https://doi.org/10.1007/s10703-018-00330-9
- Safety verification
- Stateful networks
- Channel systems
- Petri nets
- Complexity bounds