using software engineering a to teach...
TRANSCRIPT
AAA
A
A
A
USING SOFTWARE ENGINEERING
TO TEACH NETWORKING
AT&T Labs—Research
Bedminster, New Jersey
Pamela Zave
USA
Princeton University
Princeton, New Jersey
AAA
A
A
A
John Gannon, Dick Hamlet, and Harlan Mills at the University of Maryland
HARLAN D. MILLS
1919 - 1996
IN 1997, THE INTERNET
WAS A WORLD-CHANGING PHENOMENON
WHAT HAS HAPPENED IN THE LAST TWENTY YEARS?
NEW CHALLENGES
most of the world’s . . .
. . . telecommunication infrastructure
. . . entertainment distribution . . .
has moved to the Internet
an explosion of security threats
most networked devices are mobile
cloud computing
exhaustion of the IP address space
the need for elastic resource allocationinstead of over-provisioning
NEW IMPLEMENTATIONTECHNOLOGIES
have separated high-speedforwarding from controlfunctions that can beimplemented in software
have made most networkelements programmable
as a result,networks are nowsoftware systems!
AAA
A
A
A
AT THE SAME TIME, IN ACADEMIA . . .
NETWORKING IS AN IMPORTANT FIELD, BUT IT STRUGGLESTO BECOME A MATURE DISCIPLINE WITHIN COMPUTER SCIENCE
core curriculum: teach how theInternet worked in 1997
this is as if databases had no relational model, . . . or today’scurriculum in programminglanguages consisted of teachingJava
theory concerns only resourceallocation: queueing theory, controltheory, linear and nonlinearoptimization, algorithms
these won’t solve the problemsof building secure softwaresystems to meet an ever-expanding set of requirements
the literature is full of narrow solutionsto narrowly-defined problems
there is little progress in generalizingthe problems or solutions
when challenged to propose“future Internet architectures,”each team took one approachto a one-size-fits-all extreme
“In my college networking class I fellasleep at the start of the semesterwhen the IP header was on the screen,and woke up at the end of the semesterwith the TCP header on the screen.”
AAA
A
A
A
THE NETWORKING FIELD’SCONVENTIONAL WISDOM
“We must choose between workingon short-term problems, or workingon long-term research that may bedifficult to apply.”
“We are looking for the killer appfor disruptive technology.”
and is certainlydifficult to publish
“Our problems are due to thedominance of a single artifact, with itsoverwhelming size, complexity, andindustrial investment.”
AAA
A
A
A
THE NETWORKING FIELD’SCONVENTIONAL WISDOM
“We must choose between workingon short-term problems, or workingon long-term research that may bedifficult to apply.”
“We are looking for the killer appfor disruptive technology.”
and is certainlydifficult to publish
“Our problems are due to thedominance of a single artifact, with itsoverwhelming size, complexity, andindustrial investment.”
A CONTRARIAN VIEW
Despite drawing people from manybackgrounds, the networking fieldlacks the crucial “gene” forappreciation of the importance ofprecise functional description.
Essentially every paper has centralterms that are ambiguous and notdefined.
get used to a lot ofshoulder-shrugging and
“we know what we mean”
The biggest symptom is the corebelief about the architecture of theInternet . . . .
without which there is no trueabstraction or generalization
APPLICATION LAYER
TRANSPORT LAYER
NETWORK LAYER
LINK LAYER
PHYSICAL LAYER many physical media (wires,optical fibers, radio channels)
best-effort local packet delivery
best-effort global packet delivery
reliable byte streams, messages
applications and mnemonic names
Ethernet header
IP header
TCP header
HTTP header
and so we expecta typical packet to look like this
BELIEF: THIS IS A USEFUL AND ADEQUATE DESCRIPTION OFINTERNET ARCHITECTURE (WHICH IT WAS, IN 1997)
THE REALITY:
12 headers instead of 4,with 3 IP headers!
Application
HTTP
TCP
IP
IPsec
IP
GTP
UDP
IP
MPLS
MPLS
Ethernet multiple layers ofresource management
cellular service(mobility, QoS, billing)
security
15 + load-balancing algorithmsoperate on this packet, most of them understood and tested onlyin isolation
THIS IS A TYPICAL PACKET IN THE AT&T BACKBONE
packets sampled elsewhere wouldlook different, but might beequally complex
THE INTERNET IS ACTUALLY A COMPOSITIONOF MANY NETWORKS
each network has all the basicmechanisms, . . .
. . . but in each network they arespecialized for the particularpurpose and span of thenetwork
TCP/UDP/IP is just the common software thatmost networked deviceshave installed
because all networks have fundamental similarity, they can havecommon interfaces for composition
this structure is obvious from observation, andit makes sense—how else could we get the flexibility to satisfy an ever-expanding roster ofrequirements and stakeholders?
THE FIELD OF NETWORKING NEEDS A THEORY OFCOMPOSITIONAL NETWORK ARCHITECTURE
WHY? BECAUSE THIS IS WHAT IS NEEDED TO . . .
understand networks as software systemswith ever-expanding requirements
introducing modularityis what we software
engineers understand best
jump-start a whole new body of theoryabout the functions of network software
show networking researchers that theInternet is already far more flexible thanthey think it is
to spread knowledge of networking beyondthe current guild of people who havedevoted themselves to arcane details
already, researchers inprogramming languages arejumping at the opportunities
offered by the increasedprogrammability of networks
AAA
A
A
A
NETWORKS SUPPORT DISTRIBUTED SYSTEMSBY PROVIDING THEM WITH COMMUNICATION SERVICES
DISTRIBUTEDSYSTEM
NETWORK
machine machine
application modules
network members(each machine’s interface
to the network)
software moduleson a machinecommunicatethrough itsoperating system,which is fastand reliable
communication through the network isinherently slower and less reliable
AAA
A
A
A
REQUIREMENTS ON SESSIONS
DISTRIBUTEDSYSTEM
(MANY CANSHARE A
NETWORK)
NETWORK(HAS A SINGLE
ADMINISTRATIVEAUTHORITY)
machine machine
packet: meaningful unit of data
send (s, p) deliver (s, p)
session: group of packets thatsource sees as belonging together
REACHABILITY
PERFORMANCE
RELIABILITY
SYNCHRONIZATION
SECURITYwhat are the possibledestinations?
minimum bandwidthmaximum latency
packet loss
systems use networkcommunication for thisas well as data transfer
DoS protectionmalware protection
privacydata integrity
authentication
lawful intercept
AAA
A
A
A
link(communication
channel)
sessionstate
1 2
3
4
5
(dest=E, in=4, out=5)
(dest=E, in=2, out=3)
forwarding state
PARTS AND STATE OF A NETWORK
Some parts and state componentsare created “on demand”, whichrequires additional user interfaces.
NETWORK
A C E
B D
namedmember
(src=A,dest=E,ident=s)
(src=A,dest=E,ident=s)
session (communication channel)
AAA
A
A
A
2
3
(dest=E, in=2, out=3)
(dest=E, in=1, out=2) forward packet
send (s, p) deliver (s, p)
A C E
B D
(src=A,dest=E,ident=s)
BEHAVIOR OF A NETWORK
the “DATA PLANE” does the packetprocessing, . . .
encapsulatepacket insession header
decapsulatepacket
. . . alsocreateson-demandstate, . . .
. . . andsatisfiesother sessionrequirementsthroughsessionprotocols and middleboxes
packet-processing, on-demand state, and TRUST BOUNDARIES are modeled
the “CONTROL PLANE” maintains theparts and state components that arenot on-demand—usually includes the traditional performance monitoringand routing
we need to formalize enoughfor composition and reasoningabout requirements, butnot too much
SESSIONPERFORMANCE
session path
session s
AAA
A
A
A
minimum bandwidth = min (S (B ))j
j
jlinksin path
linksin path
session’s shareof bandwidth
maximum latency = sum (L )
A E
REACHABILITY
forwardingrelation sayswhat can bereached from Ain one hop
reachabilityfrom A is thetransitiveclosure of theforwardingrelation SECURITY all paths to E go through
middleboxes that protect it fromDoS attacks and malware
SELF-CONTAINED REASONING ABOUT A NETWORK
send(s, p)
deliver(s, p)
S
AAA
A
A
A
OVERLAYNETWORK
UNDERLAYNETWORK
A COMPOSITION OPERATOR: LAYERING
A link in an “overlay” network . . .
. . . is implemented by a sessionin an “underlay” network.
requires extrastate in bothnetworks
link
session
uses
implements
N
N’
attached to
location of
name
name
Compositional reasoning requiresnothing new—the specified propertiesof the underlay session are simply theassumed properties of the overlay link.
to share the resourcesof a network in adisciplined way
to build improvedcommunicationservices on top ofan existing network
AAA
A
A
A
LAYERING HAS MANY USES
to build a network witha larger span out ofsmaller, heterogeneousnetworks
AAA
A
A
A
shared session
because each network is autonomous,a shared member is usually owned andtrusted by one network, not the other
A COMPOSITION OPERATOR: BRIDGING
similar networksshared member
BRIDGING EXTENDS THE REACH OF SIMILAR NETWORKS
AAA
A
A
ACHANGE ANALYSIS
what sequences of changes can thecontrol plane make while preservingconsistency and other propertiesthroughout?
THEOREMS
THEORY CONTENTS
VALIDATED DEFINITIONS OF PROPERTIES
consistency propertiesrequirements
design properties (specializations)
A FORMAL MODEL OF A NETWORK
customizable with properties and librariescomposablecompositions of networks can be verifiedor simulated
theorems relate the properties ofnetworks (or compositions of them) toeach othera sufficiently general theorem is called a“principle”
AAA
A
A
ACHANGE ANALYSIS
what sequences of changes can thecontrol plane make while preservingconsistency and other propertiesthroughout?
THEOREMS
THEORY CONTENTS THEORY USES
VALIDATED DEFINITIONS OF PROPERTIES
consistency propertiesrequirements
design properties (specializations)
A FORMAL MODEL OF A NETWORK
customizable with properties and librariescomposablecompositions of networks can be verifiedor simulated
theorems relate the properties ofnetworks (or compositions of them) toeach othera sufficiently general theorem is called a“principle”
UNDERSTAND . . .
how to satisfy requirements
structured trade-off spaces
find more solution patterns
GENERALIZE, RE-USE,OPTIMIZE, GENERATE,VERIFY . . .
data plane software andhardware
eventually, the control plane
TEACH AND LEARN . . .
help people understandnetworking more quickly andmore deeply . . .
. . . by teaching principles rather than details
make precise comparisons
AAA
A
A
A
administrator’s subnet
physical LAN physical LANcampus
IP network
*samephysical link
*
DEFINING CONSISTENCY
EXAMPLE: a campus (private) IP network, with a “VXLAN” architecture
other subnetworks(departments, students,
etc.)
campusIP
network physical virtual
administrator’sVirtual LAN
(extendsacross campus)
M1
M1
M1
there cannot be cycles in resource usage,. . . but this applies to links, . . . not to networks
AAA
A
A
A S
S
GW GW
M1
S
M2
S
M3
1
2
3
4
5
6 7
8
9
10
P, 1, 2P, 2, 4P, 4, 6
P, 2, 3P, 3, 2
P, 4, 5P, 5, 4
P, 6, 7 P, 7, 8P, 8, 10
P, 8, 9P, 9, 8
topology changes
node and link failures
policy changes
fluctuations in load
routers of the data centerhave rules for each of
10,000 policies
REASONING ABOUT COSTS 1
RR R
POLICY: packets that matchpattern P must go throughmiddleboxes of types <M1, M2, M3>
not possible!. . . and the rules would change for . . .
AAA
A
A
A
S
S
GW GW
M1
M2 M3
1
2
3
4 6
7
P, 1, 2P, 2, 3
P, 3, 4P, 4, 5
P, 5, 6P, 6, 7
P, ext, 1
because paths in the previousnetwork are completely determinedby switches, a general theorem saysthat this network is equivalent
each cause for changeaffects one network only
REASONING ABOUT COSTS 2
S
S
the inter-switch links are implemented byan underlay network with the centralizedrouters, and only enough forwardingpaths to connect the switches
AAA
A
A
A
THE INTERNET OF THINGS
according to short-term estimates, . . .there will be 25 times as many networked things as cellphones, . . .
and they will need mobile connectivity at 1/25 the cost
the FIRST RESULT of the theory ofCompositional Network Architecture
was that there are two patterns for implementing mobility:
DYNAMIC ROUTING MOBILITY
built into network infrastructure,changes routing as devices move
very expensive on a large scale
this is what cellular providers use
SESSION-LOCATION MOBILITY
uses the session protocol totransmit new endpoint locations
easy to implement on a large scale
security and deployment problems
AAA
A
A
A
INTERNET OF THINGS: RESEARCH CHALLENGE
Use Compositional Network Architectureto find a version of mobility that is scalable,secure, and easily deployed.
SECURITY
use the model (isolation, trustboundaries) to limit where securityis needed
design protocols to minimizethe burden on low-powerdevices, without sacrificingother requirements
provide provable security where itis needed
DEPLOYMENT
design robust interoperation withthe existing Internet
select appropriate technology fordistributed directories
PROTOCOLS
THIS CHALLENGE REQUIRES:
architectural flexibility
rigorous reasoning
exactly whatthe theoryprovides!
AAA
A
A
A
TEACHING
my graduate course “Patterns in NetworkArchitecture” at Princeton showed howall the new Internet features since 1997can be explained and modeled withcompositions of networks
including cloud computing,data-centric networking,multicast, multihoming,
and proxies
WERE ANY GENES TRANSPLANTED?
it took most of the semester to getacross that I was using terms withmathematical precision, not in theusual handwaving way
I think they really learned somethingabout seeing the big picture
to learn a lot of specifics, they wouldneed a more competent professor
AAA
A
A
A
TEACHING
my graduate course “Patterns in NetworkArchitecture” at Princeton showed howall the new Internet features since 1997can be explained and modeled withcompositions of networks
including cloud computing,data-centric networking,multicast, multihoming,
and proxies
WERE ANY GENES TRANSPLANTED?
it took most of the semester to getacross that I was using terms withmathematical precision, not in theusual handwaving way
I think they really learned somethingabout seeing the big picture
to learn a lot of specifics, they wouldneed a more competent professor
THIS IS ONLY THE BEGINNING!
experienced researchersin other fields
could learn the importantthings about networking
very quickly and efficiently
continuing to develop thetheory
continuing to improve thecourse
there is a planned applicationof the theory at AT&T, for dataplane implementation
AAA
A
A
A
ACKNOWLEDGMENTS
This talk is based on joint work withJennifer Rexford of Princeton University.
All the formal modeling has been done in Alloy,with thanks to Daniel Jackson of MIT for making it possible.
John Day’s book Patterns in Network Architecturewas my Rosetta Stone.
www.cs.princeton.edu/courses/archive/spr17/cos598D