Tim Alberdingk Thijm will present his FPO "Modular Control Plane Verification" on Friday, February 9, 2024 at 1:30pm in CS 105 (and Zoom). Zoom link: [ https://princeton.zoom.us/j/95302742818 | https://princeton.zoom.us/j/95302742818 ] The members of his committee are as follows: - Advisor: Aarti Gupta - Reader: David Walker - Reader: Ryan Beckett (Microsoft Research) - Examiner: Maria Apostolaki (ECE) - Examiner: Zak Kincaid Please see talk abstract below. All are welcome to attend. Abstract: Networks continue to experience costly outages due to misconfigured control planes. Avoiding misconfigurations is challenging: control planes often use notoriously inscrutable distributed routing protocols. One remedy is control plane verification, which analyzes control planes to uncover violations of desired properties. Unfortunately, most verification tools analyze the entire network at once. Hence, these monolithic tools often do not scale well as networks grow in size and properties increase in complexity, or compromise on the networks and properties they support. To address these limitations, we explore modular control plane verification, where the user divides their network into fragments to verify independently, and annotates each fragment with an interface. These interfaces summarize each fragment’s routing announcements (a.k.a. routes). We prove that if each fragment guarantees its interface, assuming the interfaces of its neighbors, then properties of the fragments’ routes hold of the monolithic network’s. We present Kirigami, a formal model of network fragments where users specify interfaces as cuts dividing the network into fragments, annotating fragment boundaries with nodes’ stable routes. We define a Satisfiability Modulo Theories (SMT)-based procedure for checking interfaces, implemented as an extension to the NV (monolithic) verification tool. Kirigami’s SMT checks are up to five orders of magnitude faster than NV’s for a range of industrial topologies with synthesized network policies. Unfortunately, Kirigami’s interfaces are not change-resilient if network updates change fragments’ stable routes. However, if we naïvely extend Kirigami’s interfaces to use over-approximate sets of routes instead of exact routes, the resulting verification procedure allows unsound circular reasoning. To prevent circularity, we introduce a new model, Timepiece, where interfaces are defined using temporal invariants inspired by temporal logic. We implement a new SMT-based checking procedure, which scales to verify networks with thousands of nodes in minutes (compared to hours for a monolithic baseline) and allows users to write change-resilient interfaces.