Scaling Network Verification using Symmetry and Surgery

On the surface, large data centers with ∼105 stations and nearly a million routing rules are complex and hard to verify. However, these networks are highly regular by design; for example they employ fat tree topologies with backup routers interconnected by redundant patterns. To exploit these regularities, we introduce network transformations: given a reachability formula ϕ and a network N,we transform N into(a simpler to verify)network ¯ N and a corresponding transformed formula ϕ such that (for example) ϕ is valid in N if and only ϕ is valid in ¯ N. Our network transformations exploit network surgery (in which irrelevant or redundant sets of nodes, headers, ports, or rules are “sliced” away) and network symmetry (say between backup routers). The validity of these transformations is established using a formal theory of networks. In particular, using Van Benthem Hennessy-Milner style bisimulation, we show that one can generally associate bisimulations to transformations connecting networks and formulas with their transforms. Our work is a development in an area of current wide interest: applying programming language techniques (in our case bisimulation and modal logic) to problems in switching networks. We provide experimental evidence that our network transformations can speed up the task of verifying the communication between all pairs of Virtual Machines in a large data center network with∼100,000 VMs by 65×. An all-pair reachability calculation, which formerly took 5.5 days, can be done in 2 hours, and can be easily parallelized to complete in minutes.