Some complexity results for stateful network verification

Kalev Alpernas*, Aurojit Panda, Alexander Rabinovich, Mooly Sagiv, Scott Shenker, Sharon Shoham, Yaron Velner

*Corresponding author for this work

Research output: Contribution to journal, Article, peer-review

Abstract

In modern networks, forwarding of packets often depends on the history of previously transmitted traffic. Such networks contain stateful middleboxes, whose forwarding behaviour depends on a mutable internal state. Firewalls and load balancers are typical examples of stateful middleboxes. This work addresses the complexity of verifying safety properties, such as isolation, in networks with finite-state middleboxes. Unfortunately, we show that even in the absence of forwarding loops, reasoning about such networks is undecidable due to interactions between middleboxes connected by unbounded ordered channels. We therefore abstract away channel ordering. This abstraction is sound for safety, and makes the problem decidable. Specifically, safety checking becomes EXPSPACE-complete in the number of hosts and middleboxes in the network. To tackle the high complexity, we identify two useful subclasses of finite-state middleboxes which admit better complexities. The simplest class includes, e.g., firewalls and permits polynomial-time verification. The second class includes, e.g., cache servers and learning switches, and makes the safety problem coNP-complete. Finally, we implement a tool for verifying the correctness of stateful networks.

Original language: English
Pages (from-to): 191-231
Number of pages: 41
Journal: Formal Methods in System Design
Volume: 54
Issue number: 2
State: Published - 1 Nov 2019

Funding

Funder: Funder number
National Science Foundation: 321174, 1704941, 759102, 1420064
Intel Corporation
Seventh Framework Programme
Blavatnik Family Foundation
European Research Council
United States-Israel Binational Science Foundation: 2016260, 2012259
Tel Aviv University
Horizon 2020
PAZY Foundation

Keywords

• Channel systems
• Complexity bounds
• Middleboxes
• Petri nets
• Safety verification
• Stateful networks
