In [1]:
#use "topfind";;
#thread;;
#require "nv_jupyter"
#require "jupyter"
#require "jupyter.notebook"
#require "jupyter.comm"
open Nv_jupyter.Driver;;
open Nv_jupyter.Show;;
open Nv_solution;;

- : unit = ()
Findlib has been successfully loaded. Additional directives:
  #require "package";;      to load a package
  #list;;                   to list the available packages
  #camlp4o;;                to load camlp4 (standard syntax)
  #camlp4r;;                to load camlp4 (revised syntax)
  #predicates "p,q,...";;   to set these predicates
  Topfind.reset();;         to force that packages will be reloaded
  #thread;;                 to enable threads

- : unit = ()


/opt/local/lib/ocaml/threads: added to search path
/opt/local/lib/ocaml/unix.cma: loaded
/opt/local/lib/ocaml/threads/threads.cma: loaded
/Users/gian/.opam/default/lib/num: added to search path
/Users/gian/.opam/default/lib/num/nums.cma: loaded
/Users/gian/.opam/default/lib/num-top: added to search path
/Users/gian/.opam/default/lib/num-top/num_top.cma: loaded
/opt/local/lib/ocaml/bigarray.cma: loaded
/opt/local/lib/ocaml/str.cma: loaded
/Users/gian/.opam/default/lib/bytes: added to search path
/Users/gian/.opam/default/lib/batteries: added to search path
/Users/gian/.opam/default/lib/batteries/batteries.cma: loaded
/Users/gian/.opam/default/lib/batteries/batteriesConfig.cmo: loaded
/Users/gian/.opam/default/lib/batteries/batteriesHelp.cmo: loaded
/Users/gian/.opam/default/lib/batteries/batteriesPrint.cmo: loaded
/Users/gian/.opam/default/lib/batteries/batteriesThread.cma: loaded
/Users/gian/.opam/default/lib/batteries/batteriesThread.cma: loaded
/Users/gian/.opam/default/lib/cudd: add

/Users/gian/.opam/default/lib/result: added to search path
/Users/gian/.opam/default/lib/ppx_deriving/runtime: added to search path
/Users/gian/.opam/default/lib/ppx_deriving_yojson/runtime: added to search path
/Users/gian/.opam/default/lib/bytes: added to search path
/Users/gian/.opam/default/lib/uuidm: added to search path
/Users/gian/.opam/default/lib/easy-format: added to search path
/Users/gian/.opam/default/lib/biniou: added to search path
/Users/gian/.opam/default/lib/yojson: added to search path
/Users/gian/.opam/default/lib/jupyter: added to search path
/Users/gian/.opam/default/lib/base64: added to search path
/opt/local/lib/ocaml/compiler-libs: added to search path
/Users/gian/.opam/default/lib/jupyter/notebook: added to search path
/Users/gian/.opam/default/lib/jupyter/comm: added to search path


![NV Pipeline](pipeline.png)

# An intermediate language for network verification

NV is a functional language designed for modelling and verification of a network's routing behavior. Some of the design goals for NV are:
* Expressiveness. One should be able to express the semantics of common routing protocols such as BGP in a sufficiently detailed manner. At the same time, one should be able to express abstractions of protocols that are useful for verification.
* Tractable. NV's language constructs and semantics are chosen in a fashion that enables efficient verification, either through execution or using SMT solvers.
* Compact language, well-defined semantics. Having a small language, with conventional and hence well understood semantics simplifies rapid development and the maintenance of analyses.

## Modelling the control plane

To learn how to route traffic to different destinations (typically, IP prefixes) routers often rely on distributed routing protocols. According to these protocols, routers exchange *routing messages* (aka routes) containing information about a path to a given destination. Eventually, each router will select the *best* route among the ones it received; the route ranking algorithm depends on the protocol.

To define how a protocol works, one has to define the ingridients above:
1. The type (i.e. the components) of the routing messages exchanged
2. A *transfer function* defining how routes are transformed as they are propagated through the network.
3. A *merge function* defining how a router compares two routes to select the best one.

For instance, we can model BGP routes for a single destination as an optional record of 5 components. Lack of a value denotes the lack of a route. In the simple case, BGP will just increment the path length by 1. To implement more sophisticated routing policy a user may apply different changes to a route for each edge in the network.

The merge function simple selects the best route according to BGP's specification (i.e. higher local-pref, then shortest path, then lower med).

Below is an example of an NV program representing a hijack analysis over a network running BGP. In this network, node 4 (the purple node) announces a symbolic (i.e. an unknown) route and we want to see whether it can drive traffic away from the blue nodes which represent our network.
![Hijack Network](hijack.png)

```ocaml
type bgp = {length:int;
            lp:int;
            med:int;
            comms:set[int];
            origin: tnode}

type attribute = option[bgp]

let nodes = 5
let edges = {0=1;0=2;1=4;2=4;1=3;2=3;}

symbolic route : option[bgp]

let init (u : tnode) = match u with
| 0n -> Some {length=0; lp=100; med=80; comms={}; origin=0n}
| 4n -> route
| _ -> None

let trans (e: tedge) x =
  match x with
  | None -> None
  | Some b -> Some {b with length = b.length+1}

let isBetter x y =
  match (x,y) with
  | (None, _) -> false
  | (_, None) -> true
  | (Some b1, Some b2) ->
    if b1.lp > b2.lp then true
    else if b2.lp > b1.lp then false
    else if b1.length < b2.length then true
    else if b2.length < b1.length then false
    else if b1.med <= b2.med then true else false

let merge (u: tnode) x y =
  if isBetter x y then x else y

let assert (u : tnode) x =
  match x with
  | None -> false
  | Some b -> if !(u = 4n) then b.origin = 0n else true

```

In [2]:
let _ = loadNetwork ()

- : unit = ()


In [3]:
let bgpFile = createSrp ()

val bgpFile : string =
  "/var/folders/4x/l5qrl7s17x135nls9r3vxsgw0000gn/T/nv5ce7d6file"


### Using SMT solvers for exhaustive verification

The NV simulator did not find a counterexample in the above case.
However, that does not mean that our network is "safe". In the presence of "unknown" factors, such as routes from external peers, verification is best done using an SMT-based approach. In this case, we will verify that the assertion holds against any possible route announced by node 4.

In [4]:
let bgpSol = computeFile [|"-inline";"-smt"; |] bgpFile
let _ = checkAssertions bgpSol

Processing /var/folders/4x/l5qrl7s17x135nls9r3vxsgw0000gn/T/nv5ce7d6file
Inlining took: 0.000579 secs to complete
Map unrolling took: 0.001209 secs to complete
Inlining took: 0.000148 secs to complete
Unbox options took: 0.000295 secs to complete
Flattening Tuples took: 0.001139 secs to complete
Partially Evaluating Network took: 0.001427 secs to complete
Encoding network took: 0.075624 secs to complete
Compiling query took: 0.005585 secs to complete
Z3 stats:
  :memory              3.39
 :time                0.03)
Slice 0 took: 0.220743 secs to complete


val bgpSol : Nv_solution.Solution.t option =
  Some
   {Nv_solution.Solution.symbolics = <abstr>; labels = <abstr>;
    assertions = Some <abstr>; mask = None}


Symbolic,Concrete Value
route,Some {comms = {}; length = 0u32; lp = 100u32; med = 80u32; origin = 8366u32; }

Assertion,Nodes
Passed,4
Failed,123


- : Jupyter_notebook.display_id = <abstr>


We can also display the solutions the SMT solver computed to better understand what's going on.

In [7]:
showSolutions ~asTable:true bgpSol

Node,Solution
0,Some {comms = {}; length = 0u32; lp = 100u32; med = 80u32; origin = 0u32; }
1,Some {comms = {}; length = 1u32; lp = 100u32; med = 80u32; origin = 8366u32; }
2,Some {comms = {}; length = 1u32; lp = 100u32; med = 80u32; origin = 8366u32; }
3,Some {comms = {}; length = 2u32; lp = 100u32; med = 80u32; origin = 8366u32; }
4,Some {comms = {}; length = 0u32; lp = 100u32; med = 80u32; origin = 8366u32; }


- : Jupyter_notebook.display_id = <abstr>


### Routing to multiple destinations

```ocaml
type rib = dict[prefix,route]
```

The above model of BGP represents a single route. In practice, routers forward traffic to multiple destinations, potentially using different routes. To accommodate this, NV provides a dictionary/map construct. But, its the semantics and implementation of maps in NV that makes them more than a simple mechanism to represent collections of values. Somewhat unconventional, NV maps are total maps; this choice enabled novel implementations in the simulator (as Multi-Terminal Binary Decision Diagrams) and in the SMT backend (by statically unrolling the maps).
Focusing on the simulator, the advantage of using MTBDDs to represent maps is that they enable efficient representation of large maps and processing their values in bulk, as common values are represented by a single node in the decision diagram. In the context of routing, this allows us to perform fast simulation of the network, as routers often keep track of a small set of routes to thousands of destinations. For more details see our paper on NV.

### Novel analyses as meta-routing protocols

One of the strenghts of NV is the flexibility it offers. Existing tools either try to model routing protocols as faithfully as possible, or create a limited set of ad-hoc abstractions that would require further engineering to compose with each other.
On the other hand, in NV a protocol is expressed as a typed program ---which can be naturally composed--- and no additional changes are required to simulate or verify using SMT. Additionally, an NV program is not necessarily modelling a routing protocol. In just a few lines of NV code, we implement a fault tolerance analysis that is exhaustive, can handle any protocol expressible in NV, and scales beyond the current state-of-the-art. 
Our analysis leverages the MTBDD based implementation of maps in NV; the key insight is that different failure scenarios have the same effect on the routes computed by each node and hence they don't need to be processed separately. 

![FatTree Network](fattree.png)

Networks usually have layers of redundancy to cope with failures: when routing towards the purple node, a single failure will not affect the routing of ToR nodes in the above FatTree because there is always an alternative. Similarly, two link failures in a pod will only affect the routing within that pod (and it will do so in the same way for any pod!). Exploiting such symmetries is very important for scaling fault tolerance analyses, but unfortunately, in most cases they cannot be done statically (i.e. without solving the routing problem). MTBDDs allow us to automatically "fuse" the process of figuring out these symmetries and computing the routing problem.
Here is the implementation as an NV program:

```ocaml
type bgp = option[...]
type attribute = map[tedge, bgp]

let init u = createDict (fun e -> initBgp u)

let trans e x = mapIte (fun e' -> e = e') (fun v -> None) (fun v -> transBgp e' v) x

let merge u x y = combine (mergeBgp u) x y
```

And that's it! In this "meta-protocol", the attribute represents single-link "failure scenarios". The initial route for every scenario is the initial route of the underlying protocol analyzed (say an instance of BGP) as link failures do not affect the routes announced by each node.
The transfer function is where all the magic happens: to transmit an attribute over an edge, we map one of two functions over our "failure scenarios" map. If the key of the map corresponds to the edge over which we are transmitting then the function applied is the one that returns the constant ```None``` (denoting no route). Otherwise, we just use the transfer function of the underlying protocol. 

![MTBDD Fault Tolerance Evaluation](fault-eval.png)


# Future work (in progress)
## Modelling the data plane

Beyond the control plane, it would be interesting to model other parts of the networking stack and compose the analyses to provide stronger end-to-end guarantees. Towards this goal, we are working on building a model of the dataplane as well.

We start with a basic model of the dataplane as an instance of the stable paths problem. In this instance of SPP:
- The type of "information" exchanged is sets of packets. 
- A packet is forwarded over an edge if: 1. according to the FIB of the node, this edge is the forwarding edge for the packet's destination, 2. there are no ACLs installed that prevent forwarding this packet. 
- Merging the information received from two different nodes simple amounts to taking the union of the sets.

The above SPP essentially computes for each node the packets that traversed it.

```ocaml
type prefix = (int,int)
type packet = {srcIp:prefix; dstIp:prefix}
type attribute = set[packet]

symbolic fib : ...

let trans e ps = 
  mapIte (fun p -> isForwarding e fib p.dstIp) (fun v -> true) (fun v -> false) ps
  
let merge u xs ys = xs union ys
```

A working example is provided below.

```ocaml

type prefix = (int,int)

type bgp = { nexthop: option[tedge];
             bgpad : int;
             lp : int;
             cost : int; }
type ribEntry = option[bgp]

type packet = { srcIp: int; dstIp: int; }
type packets = set[packet]

type attr = {dataplane:packets; controlplane:dict[prefix,ribEntry];}
type attribute = attr

let nodes = 4

let edges = {
  0=1;
  0=2;
  1=3;
  2=3;
 }

(* Data Plane functions *)
let mergePackets node x y = x union y

(* longestMatchingPrefix, should check whether p's headers match an
   entry in the rib and whether edge is the forwarding edge on that rib *)
let longestMatchingPrefix edge p rib =
  let dst = p.dstIp in
  match rib[(dst,32)] with
  | None -> false (*repeat 32 times...*)
  | Some route ->
    (match route.nexthop with
    | None -> false
    | Some fwd ->
     fwd = edge)

(* filter the set of packets *)
let transPackets edge rib ps =
  mapIf (fun p -> !(longestMatchingPrefix edge p rib)) (fun b -> false) ps

let initPackets node =
  match node with
  | 3n -> {{ srcIp = 1; dstIp=0; }}
  | _ -> {}

let flipEdge e =
  match e with
  | a~b -> toEdge b a

let transRoute edge b =
    match b with
    | None -> None
    | Some b ->
         Some ({nexthop= flipEdge edge; cost = b.cost + 1; bgpad=b.bgpad; lp=b.lp})

(* bgp attributes comparison *)
let betterBgp o1 o2 =
  if o1.lp > o2.lp then true
  else if o2.lp > o1.lp then false
  else if o1.cost < o2.cost then true
  else false

let pickOption f x y =
  match (x,y) with
  | (None, None) -> None
  | (None, Some _) -> y  | (Some _, None) -> x
  | (Some a, Some b) ->
    Some (if f a b then a else b)

let mergeRoute lab1 lab2 =
  pickOption (fun x y -> betterBgp x y) lab1 lab2

let initRoute node =
  let d = createDict None in
  match node with
  | 0n ->
     let b0 = {nexthop=None; bgpad=20; lp=100; cost=0;} in
     d[(0,32) := Some b0]
  | _ -> d

(* Combined functions *)

let merge node x y =
  let psx = x.dataplane in
  let psy = y.dataplane in
  let labx = x.controlplane in
  let laby = y.controlplane in
  {dataplane=mergePackets node psx psy;
   controlplane=combine mergeRoute labx laby}

let trans edge x =
  let ps = x.dataplane in
  let rib = x.controlplane in
  {dataplane = transPackets edge rib ps;
   controlplane = map (transRoute edge) rib}

let init node =
  {dataplane = initPackets node;
   controlplane = initRoute node}

let assert node x =
  match node with
  | 1n ->
     (
       let ps = x.dataplane in
       match ps[{ srcIp = 1; dstIp=0; }] with
       | true ->
          true
       | false -> false)
  | _ -> true
```

In [14]:
let _ = loadNetwork ()

- : unit = ()


In [15]:
let dataplaneExample = createSrp () 
let dataplaneSol = computeFile [|"-inline";"-simulate"|] dataplaneExample

val dataplaneExample : string =
  "/var/folders/4x/l5qrl7s17x135nls9r3vxsgw0000gn/T/nv79d51efile"


Processing /var/folders/4x/l5qrl7s17x135nls9r3vxsgw0000gn/T/nv79d51efile
Inlining took: 0.001865 secs to complete
Interpreted simulation took: 0.016167 secs to complete


val dataplaneSol : Nv_solution.Solution.t option =
  Some
   {Nv_solution.Solution.symbolics = <abstr>; labels = <abstr>;
    assertions = Some <abstr>; mask = None}


In [16]:
let _ = checkAssertions dataplaneSol
let _ = showSolutions ~asTable:false dataplaneSol

- : Jupyter_notebook.display_id = <abstr>


controlplane,dataplane
"(0u32,32u32)Some {bgpad = 20u32; cost = 0u32; lp = 100u32; nexthop = None; }*None","{(0u32,1u32)}"

0,1
"(0u32,32u32)",Some {bgpad = 20u32; cost = 0u32; lp = 100u32; nexthop = None; }
*,

controlplane,dataplane
"(0u32,32u32)Some {bgpad = 20u32; cost = 1u32; lp = 100u32; nexthop = Some 1~0; }*None","{(0u32,1u32)}"

0,1
"(0u32,32u32)",Some {bgpad = 20u32; cost = 1u32; lp = 100u32; nexthop = Some 1~0; }
*,

controlplane,dataplane
"(0u32,32u32)Some {bgpad = 20u32; cost = 1u32; lp = 100u32; nexthop = Some 2~0; }*None",{}

0,1
"(0u32,32u32)",Some {bgpad = 20u32; cost = 1u32; lp = 100u32; nexthop = Some 2~0; }
*,

controlplane,dataplane
"(0u32,32u32)Some {bgpad = 20u32; cost = 2u32; lp = 100u32; nexthop = Some 3~1; }*None","{(0u32,1u32)}"

0,1
"(0u32,32u32)",Some {bgpad = 20u32; cost = 2u32; lp = 100u32; nexthop = Some 3~1; }
*,


- : Jupyter_notebook.display_id = <abstr>
