An efficient framework for data-plane verification with geometric windowing queries

Takeru Inoue, Richard Chen, Toru Mano, Kimihiro Mizutani, Hisashi Nagata, Osamu Akashi
Published in: 2016 IEEE 24th International Conference on Network Protocols (ICNP), 2016-11-01
DOI: https://doi.org/10.1109/ICNP.2016.7784412
Citations: 4

Abstract

Modern networks have complex configurations to provide advanced functions, but the complexity also makes them error-prone. Network verification is attracting attention as a key technology to detect inconsistencies between a configuration and a policy before deployment. Existing verifiers, however, either generally verify various properties over the policy at the cost of efficiency, or efficiently perform configuration analysis without paying much attention to the policy. This paper presents a novel framework of data-plane verification, which flexibly checks the inconsistency with great efficiency. For the purpose of generality, our framework formalizes a verification process with three abstract steps: each step is related to 1) packet behaviors defined by a configuration, 2) operator intentions described in a policy, and 3) the inspection of their relation. These steps work efficiently with each other on the simple quotient set of packet headers. This paper also reveals how the second step can be regarded as the windowing query problem in computational geometry. Two novel windowing algorithms are proposed with solid theoretical analyses. Experiments on real network datasets show that our framework with the windowing algorithms is surprisingly fast even when verifying the policy compliance; e.g., in a medium-scale network with thousands of switches, our framework reduces the verification time of all-pairs reachability from ten hours to ten minutes.