Model Checking for Dynamic Datapaths

We explore how to verify useful properties about networks that include “dynamic” elements, whose state and functionality may depend on previously observed traffic, e.g., caches, WAN optimizers, firewalls, and DPI boxes. We present the design and implementation of a tool that takes as input a network specification and verifies properties such as “traffic from host A will never reach host B directly or indirectly (e.g., through caching)”; or “traffic from A to B will always pass through a given middlebox (e.g., firewall or transcoder).” Our tool leverages recent advances in model checking. The challenge lies in scaling model checking with network size and complexity, and we address this by (a) modeling only globally visible middlebox behavior and (b) defining and focusing on “rest of network oblivious” (RONO) properties — properties that hold for a given traffic class independently from the rest of the network state. We have implemented our approach and can verify realistic invariants on very large networks containing 30,000 middleboxes in 2 to 5 minutes.