Model Checking Data Flows in Concurrent Network Updates (Full Version)

TL;DR

This paper introduces a model checking method for verifying data flow correctness during concurrent network updates in SDN, ensuring properties like cycle-freedom are maintained, using Petri nets and circuit model checking techniques.

Contribution

It extends Petri nets with transits to model data flows and reduces verification to circuit model checking, enabling effective analysis of network updates.

Findings

Effective verification of data flows during network updates.

Prototype implementation demonstrates practical feasibility.

Reduction to circuit model checking enables use of existing tools.

Abstract

We present a model checking approach for the verification of data flow correctness in networks during concurrent updates of the network configuration. This verification problem is of great importance for software-defined networking (SDN), where errors can lead to packet loss, black holes, and security violations. Our approach is based on a specification of temporal properties of individual data flows, such as the requirement that the flow is free of cycles. We check whether these properties are simultaneously satisfied for all active data flows while the network configuration is updated. To represent the behavior of the concurrent network controllers and the resulting evolutions of the configurations, we introduce an extension of Petri nets with a transit relation, which characterizes the data flow caused by each transition of the Petri net. For safe Petri nets with transits, we reduce the verification of temporal flow properties to a circuit model checking problem that can be solved with effective verification techniques like IC3, interpolation, and bounded model checking. We report on encouraging experiments with a prototype implementation based on the hardware model checker ABC.