Some Complexity Results for Stateful Network Verification

  • Yaron Velner
  • Kalev Alpernas
  • Aurojit Panda
  • Alexander Rabinovich
  • Mooly Sagiv
  • Scott Shenker
  • Sharon Shoham
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9636)


In modern networks, forwarding of packets often depends on the history of previously transmitted traffic. Such networks contain stateful middleboxes, whose forwarding behavior depends on a mutable internal state. Firewalls and load balancers are typical examples of stateful middleboxes.

This paper addresses the complexity of verifying safety properties, such as isolation, in networks with finite-state middleboxes. Unfortunately, we show that even in the absence of forwarding loops, reasoning about such networks is undecidable due to interactions between middleboxes connected by unbounded ordered channels. We therefore abstract away channel ordering. This abstraction is sound for safety, and makes the problem decidable. Specifically, we show that safety checking is EXPSPACE-complete in the number of hosts and middleboxes in the network. We further identify two useful subclasses of finite-state middleboxes which admit better complexities. The simplest class includes, e.g., firewalls and permits polynomial-time verification. The second class includes, e.g., cache servers and learning switches, and makes the safety problem coNP-complete.

Finally, we implement a tool for verifying the correctness of stateful networks.
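As an added illustration (not code from the paper and not the authors' tool), the sketch below checks isolation for a single firewall with channel ordering abstracted away. The hole-punching firewall rule, the host names and the functions `reachable` and `isolated` are assumptions made for this example; because the assumed firewall state only grows, the reachable facts form a least fixpoint bounded by the number of host pairs.

```python
# Added illustration, not the authors' tool. Assumed model: one hole-punching
# firewall between internal and external hosts, unordered channels, hosts that
# do not spoof source addresses, and firewall state that only grows.

def reachable(internal, initiates, repliers):
    """Return (trusted, delivered): external hosts the firewall may come to
    trust, and (src, dst) packets that may be delivered in some run."""
    trusted, delivered = set(), set()
    sendable = set(initiates)              # packets some host may emit
    changed = True
    while changed:                         # iterate until no new fact appears
        changed = False
        for src, dst in list(sendable):
            if src in internal:
                # Traffic from inside passes; outbound traffic punches a hole.
                passes = True
                if dst not in internal and dst not in trusted:
                    trusted.add(dst)
                    changed = True
            else:
                # Inbound traffic passes only from an already trusted host.
                passes = dst not in internal or src in trusted
            if passes and (src, dst) not in delivered:
                delivered.add((src, dst))
                changed = True
                if dst in repliers:
                    sendable.add((dst, src))   # the receiver may answer
    return trusted, delivered


def isolated(internal, initiates, repliers, src, dst):
    """Safety check: no run delivers a packet from src to dst."""
    _, delivered = reachable(internal, initiates, repliers)
    return (src, dst) not in delivered


# Constructed sample network: two internal hosts, a server that replies,
# and an external host "evil" that probes h1.
INTERNAL = {"h1", "h2"}
REPLIERS = {"srv"}
BASE = {("h1", "srv"), ("evil", "h1")}
```

Adding the constructed packet `("h2", "evil")` to `BASE` makes `isolated(INTERNAL, ..., REPLIERS, "evil", "h1")` false: the hole punched by `h2` also admits traffic to `h1`, which is the history dependence the abstract describes.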



The research leading to these results has received funding from the European Research Council under the European Union’s Seventh Framework Programme (FP7/2007–2013) / ERC grant agreement no. [321174]. Research supported by the Israel Science Foundation grant no. 652/11. This research was also supported in part by NSF grants 1040838 and 1420064, and funding provided by Intel Corporation.



Copyright information

© Springer-Verlag Berlin Heidelberg 2016

Authors and Affiliations

  • Yaron Velner (1)
  • Kalev Alpernas (1)
  • Aurojit Panda (2)
  • Alexander Rabinovich (1)
  • Mooly Sagiv (1)
  • Scott Shenker (2)
  • Sharon Shoham (3)

  1. Tel Aviv University, Tel Aviv, Israel
  2. University of California Berkeley, Berkeley, USA
  3. The Academic College of Tel Aviv Yaffo, Tel Aviv, Israel
