P4R-Type: a Verified API for P4 Control Plane Programs (Technical Report)

TL;DR

This paper introduces P4R-Type, a verified Scala API for P4 control plane programs that performs static checks to prevent errors, enhancing safety and correctness in SDN network device management.

Contribution

It presents the first formal model and typing system for P4Runtime control plane applications, ensuring correctness and safety of network control operations.

Findings

P4R-Type prevents mismatches in control plane operations.

Formal foundation with $F_{P4R}$ calculus ensures safety.

Case studies demonstrate improved safety and flexibility.

Abstract

Software-Defined Networking (SDN) significantly simplifies programming, reconfiguring, and optimizing network devices, such as switches and routers. The de facto standard for programmming SDN devices is the P4 language. However, the flexibility and power of P4, and SDN more generally, gives rise to important risks. As a number of incidents at major cloud providers have shown, errors in SDN programs can compromise the availability of networks, leaving them in a non-functional state. The focus of this paper are errors in control-plane programs that interact with P4-enabled network devices via the standardized P4Runtime API. For clients of the P4Runtime API it is easy to make mistakes that lead to catastrophic failures, despite the use of Google's Protocol Buffers as an interface definition language. This paper proposes P4R-Type, a novel verified P4Runtime API for Scala that performs static checks for P4 control plane operations, ruling out mismatches between P4 tables, allowed actions, and action parameters. As a formal foundation of P4R-Type, we present the $F_{\text{P4R}}$ calculus and its typing system, which ensure that well-typed programs never get stuck by issuing invalid P4Runtime operations. We evaluate the safety and flexibility of P4R-Type with 3 case studies. To the best of our knowledge, this is the first work that formalises P4Runtime control plane applications, and a typing discipline ensuring the correctness of P4Runtime operations.