AAA

A

A

A

USING SOFTWARE ENGINEERING

TO TEACH NETWORKING

AT&T Labs—Research

Bedminster, New Jersey

Pamela Zave

USA

Princeton University

Princeton, New Jersey

AAA

A

A

A

John Gannon, Dick Hamlet, and Harlan Mills at the University of Maryland

HARLAN D. MILLS

1919 - 1996

IN 1997, THE INTERNET

WAS A WORLD-CHANGING PHENOMENON

WHAT HAS HAPPENED IN THE LAST TWENTY YEARS?

NEW CHALLENGES

most of the world’s . . .

. . . telecommunication infrastructure

. . . entertainment distribution . . .

has moved to the Internet

an explosion of security threats

most networked devices are mobile

cloud computing

exhaustion of the IP address space

the need for elastic resource allocationinstead of over-provisioning

NEW IMPLEMENTATIONTECHNOLOGIES

have separated high-speedforwarding from controlfunctions that can beimplemented in software

have made most networkelements programmable

as a result,networks are nowsoftware systems!

AAA

A

A

A

AT THE SAME TIME, IN ACADEMIA . . .

NETWORKING IS AN IMPORTANT FIELD, BUT IT STRUGGLESTO BECOME A MATURE DISCIPLINE WITHIN COMPUTER SCIENCE

core curriculum: teach how theInternet worked in 1997

this is as if databases had no relational model, . . . or today’scurriculum in programminglanguages consisted of teachingJava

theory concerns only resourceallocation: queueing theory, controltheory, linear and nonlinearoptimization, algorithms

these won’t solve the problemsof building secure softwaresystems to meet an ever-expanding set of requirements

the literature is full of narrow solutionsto narrowly-defined problems

there is little progress in generalizingthe problems or solutions

when challenged to propose“future Internet architectures,”each team took one approachto a one-size-fits-all extreme

“In my college networking class I fellasleep at the start of the semesterwhen the IP header was on the screen,and woke up at the end of the semesterwith the TCP header on the screen.”

AAA

A

A

A

THE NETWORKING FIELD’SCONVENTIONAL WISDOM

“We must choose between workingon short-term problems, or workingon long-term research that may bedifficult to apply.”

“We are looking for the killer appfor disruptive technology.”

and is certainlydifficult to publish

“Our problems are due to thedominance of a single artifact, with itsoverwhelming size, complexity, andindustrial investment.”

AAA

A

A

A

THE NETWORKING FIELD’SCONVENTIONAL WISDOM

“We must choose between workingon short-term problems, or workingon long-term research that may bedifficult to apply.”

“We are looking for the killer appfor disruptive technology.”

and is certainlydifficult to publish

“Our problems are due to thedominance of a single artifact, with itsoverwhelming size, complexity, andindustrial investment.”

A CONTRARIAN VIEW

Despite drawing people from manybackgrounds, the networking fieldlacks the crucial “gene” forappreciation of the importance ofprecise functional description.

Essentially every paper has centralterms that are ambiguous and notdefined.

get used to a lot ofshoulder-shrugging and

“we know what we mean”

The biggest symptom is the corebelief about the architecture of theInternet . . . .

without which there is no trueabstraction or generalization

APPLICATION LAYER

TRANSPORT LAYER

NETWORK LAYER

LINK LAYER

PHYSICAL LAYER many physical media (wires,optical fibers, radio channels)

best-effort local packet delivery

best-effort global packet delivery

reliable byte streams, messages

applications and mnemonic names

Ethernet header

IP header

TCP header

HTTP header

and so we expecta typical packet to look like this

BELIEF: THIS IS A USEFUL AND ADEQUATE DESCRIPTION OFINTERNET ARCHITECTURE (WHICH IT WAS, IN 1997)

THE REALITY:

12 headers instead of 4,with 3 IP headers!

Application

HTTP

TCP

IP

IPsec

IP

GTP

UDP

IP

MPLS

MPLS

Ethernet multiple layers ofresource management

cellular service(mobility, QoS, billing)

security

15 + load-balancing algorithmsoperate on this packet, most of them understood and tested onlyin isolation

THIS IS A TYPICAL PACKET IN THE AT&T BACKBONE

packets sampled elsewhere wouldlook different, but might beequally complex

THE INTERNET IS ACTUALLY A COMPOSITIONOF MANY NETWORKS

each network has all the basicmechanisms, . . .

. . . but in each network they arespecialized for the particularpurpose and span of thenetwork

TCP/UDP/IP is just the common software thatmost networked deviceshave installed

because all networks have fundamental similarity, they can havecommon interfaces for composition

this structure is obvious from observation, andit makes sense—how else could we get the flexibility to satisfy an ever-expanding roster ofrequirements and stakeholders?

THE FIELD OF NETWORKING NEEDS A THEORY OFCOMPOSITIONAL NETWORK ARCHITECTURE

WHY? BECAUSE THIS IS WHAT IS NEEDED TO . . .

understand networks as software systemswith ever-expanding requirements

introducing modularityis what we software

engineers understand best

jump-start a whole new body of theoryabout the functions of network software

show networking researchers that theInternet is already far more flexible thanthey think it is

to spread knowledge of networking beyondthe current guild of people who havedevoted themselves to arcane details

already, researchers inprogramming languages arejumping at the opportunities

offered by the increasedprogrammability of networks

AAA

A

A

A

NETWORKS SUPPORT DISTRIBUTED SYSTEMSBY PROVIDING THEM WITH COMMUNICATION SERVICES

DISTRIBUTEDSYSTEM

NETWORK

machine machine

application modules

network members(each machine’s interface

to the network)

software moduleson a machinecommunicatethrough itsoperating system,which is fastand reliable

communication through the network isinherently slower and less reliable

AAA

A

A

A

REQUIREMENTS ON SESSIONS

DISTRIBUTEDSYSTEM

(MANY CANSHARE A

NETWORK)

NETWORK(HAS A SINGLE

ADMINISTRATIVEAUTHORITY)

machine machine

packet: meaningful unit of data

send (s, p) deliver (s, p)

session: group of packets thatsource sees as belonging together

REACHABILITY

PERFORMANCE

RELIABILITY

SYNCHRONIZATION

SECURITYwhat are the possibledestinations?

minimum bandwidthmaximum latency

packet loss

systems use networkcommunication for thisas well as data transfer

DoS protectionmalware protection

privacydata integrity

authentication

lawful intercept

AAA

A

A

A

link(communication

channel)

sessionstate

1 2

3

4

5

(dest=E, in=4, out=5)

(dest=E, in=2, out=3)

forwarding state

PARTS AND STATE OF A NETWORK

Some parts and state componentsare created “on demand”, whichrequires additional user interfaces.

NETWORK

A C E

B D

namedmember

(src=A,dest=E,ident=s)

(src=A,dest=E,ident=s)

session (communication channel)

AAA

A

A

A

2

3

(dest=E, in=2, out=3)

(dest=E, in=1, out=2) forward packet

send (s, p) deliver (s, p)

A C E

B D

(src=A,dest=E,ident=s)

BEHAVIOR OF A NETWORK

the “DATA PLANE” does the packetprocessing, . . .

encapsulatepacket insession header

decapsulatepacket

. . . alsocreateson-demandstate, . . .

. . . andsatisfiesother sessionrequirementsthroughsessionprotocols and middleboxes

packet-processing, on-demand state, and TRUST BOUNDARIES are modeled

the “CONTROL PLANE” maintains theparts and state components that arenot on-demand—usually includes the traditional performance monitoringand routing

we need to formalize enoughfor composition and reasoningabout requirements, butnot too much

SESSIONPERFORMANCE

session path

session s

AAA

A

A

A

minimum bandwidth = min (S (B ))j

j

jlinksin path

linksin path

session’s shareof bandwidth

maximum latency = sum (L )

A E

REACHABILITY

forwardingrelation sayswhat can bereached from Ain one hop

reachabilityfrom A is thetransitiveclosure of theforwardingrelation SECURITY all paths to E go through

middleboxes that protect it fromDoS attacks and malware

SELF-CONTAINED REASONING ABOUT A NETWORK

send(s, p)

deliver(s, p)

S

AAA

A

A

A

OVERLAYNETWORK

UNDERLAYNETWORK

A COMPOSITION OPERATOR: LAYERING

A link in an “overlay” network . . .

. . . is implemented by a sessionin an “underlay” network.

requires extrastate in bothnetworks

link

session

uses

implements

N

N’

attached to

location of

name

name

Compositional reasoning requiresnothing new—the specified propertiesof the underlay session are simply theassumed properties of the overlay link.

to share the resourcesof a network in adisciplined way

to build improvedcommunicationservices on top ofan existing network

AAA

A

A

A

LAYERING HAS MANY USES

to build a network witha larger span out ofsmaller, heterogeneousnetworks

AAA

A

A

A

shared session

because each network is autonomous,a shared member is usually owned andtrusted by one network, not the other

A COMPOSITION OPERATOR: BRIDGING

similar networksshared member

BRIDGING EXTENDS THE REACH OF SIMILAR NETWORKS

AAA

A

A

ACHANGE ANALYSIS

what sequences of changes can thecontrol plane make while preservingconsistency and other propertiesthroughout?

THEOREMS

THEORY CONTENTS

VALIDATED DEFINITIONS OF PROPERTIES

consistency propertiesrequirements

design properties (specializations)

A FORMAL MODEL OF A NETWORK

customizable with properties and librariescomposablecompositions of networks can be verifiedor simulated

theorems relate the properties ofnetworks (or compositions of them) toeach othera sufficiently general theorem is called a“principle”

AAA

A

A

ACHANGE ANALYSIS

what sequences of changes can thecontrol plane make while preservingconsistency and other propertiesthroughout?

THEOREMS

THEORY CONTENTS THEORY USES

VALIDATED DEFINITIONS OF PROPERTIES

consistency propertiesrequirements

design properties (specializations)

A FORMAL MODEL OF A NETWORK

customizable with properties and librariescomposablecompositions of networks can be verifiedor simulated

theorems relate the properties ofnetworks (or compositions of them) toeach othera sufficiently general theorem is called a“principle”

UNDERSTAND . . .

how to satisfy requirements

structured trade-off spaces

find more solution patterns

GENERALIZE, RE-USE,OPTIMIZE, GENERATE,VERIFY . . .

data plane software andhardware

eventually, the control plane

TEACH AND LEARN . . .

help people understandnetworking more quickly andmore deeply . . .

. . . by teaching principles rather than details

make precise comparisons

AAA

A

A

A

administrator’s subnet

physical LAN physical LANcampus

IP network

*samephysical link

*

DEFINING CONSISTENCY

EXAMPLE: a campus (private) IP network, with a “VXLAN” architecture

other subnetworks(departments, students,

etc.)

campusIP

network physical virtual

administrator’sVirtual LAN

(extendsacross campus)

M1

M1

M1

there cannot be cycles in resource usage,. . . but this applies to links, . . . not to networks

AAA

A

A

A S

S

GW GW

M1

S

M2

S

M3

1

2

3

4

5

6 7

8

9

10

P, 1, 2P, 2, 4P, 4, 6

P, 2, 3P, 3, 2

P, 4, 5P, 5, 4

P, 6, 7 P, 7, 8P, 8, 10

P, 8, 9P, 9, 8

topology changes

node and link failures

policy changes

fluctuations in load

routers of the data centerhave rules for each of

10,000 policies

REASONING ABOUT COSTS 1

RR R

POLICY: packets that matchpattern P must go throughmiddleboxes of types <M1, M2, M3>

not possible!. . . and the rules would change for . . .

AAA

A

A

A

S

S

GW GW

M1

M2 M3

1

2

3

4 6

7

P, 1, 2P, 2, 3

P, 3, 4P, 4, 5

P, 5, 6P, 6, 7

P, ext, 1

because paths in the previousnetwork are completely determinedby switches, a general theorem saysthat this network is equivalent

each cause for changeaffects one network only

REASONING ABOUT COSTS 2

S

S

the inter-switch links are implemented byan underlay network with the centralizedrouters, and only enough forwardingpaths to connect the switches

AAA

A

A

A

THE INTERNET OF THINGS

according to short-term estimates, . . .there will be 25 times as many networked things as cellphones, . . .

and they will need mobile connectivity at 1/25 the cost

the FIRST RESULT of the theory ofCompositional Network Architecture

was that there are two patterns for implementing mobility:

DYNAMIC ROUTING MOBILITY

built into network infrastructure,changes routing as devices move

very expensive on a large scale

this is what cellular providers use

SESSION-LOCATION MOBILITY

uses the session protocol totransmit new endpoint locations

easy to implement on a large scale

security and deployment problems

AAA

A

A

A

INTERNET OF THINGS: RESEARCH CHALLENGE

Use Compositional Network Architectureto find a version of mobility that is scalable,secure, and easily deployed.

SECURITY

use the model (isolation, trustboundaries) to limit where securityis needed

design protocols to minimizethe burden on low-powerdevices, without sacrificingother requirements

provide provable security where itis needed

DEPLOYMENT

design robust interoperation withthe existing Internet

select appropriate technology fordistributed directories

PROTOCOLS

THIS CHALLENGE REQUIRES:

architectural flexibility

rigorous reasoning

exactly whatthe theoryprovides!

AAA

A

A

A

TEACHING

my graduate course “Patterns in NetworkArchitecture” at Princeton showed howall the new Internet features since 1997can be explained and modeled withcompositions of networks

including cloud computing,data-centric networking,multicast, multihoming,

and proxies

WERE ANY GENES TRANSPLANTED?

it took most of the semester to getacross that I was using terms withmathematical precision, not in theusual handwaving way

I think they really learned somethingabout seeing the big picture

to learn a lot of specifics, they wouldneed a more competent professor

AAA

A

A

A

TEACHING

my graduate course “Patterns in NetworkArchitecture” at Princeton showed howall the new Internet features since 1997can be explained and modeled withcompositions of networks

including cloud computing,data-centric networking,multicast, multihoming,

and proxies

WERE ANY GENES TRANSPLANTED?

it took most of the semester to getacross that I was using terms withmathematical precision, not in theusual handwaving way

I think they really learned somethingabout seeing the big picture

to learn a lot of specifics, they wouldneed a more competent professor

THIS IS ONLY THE BEGINNING!

experienced researchersin other fields

could learn the importantthings about networking

very quickly and efficiently

continuing to develop thetheory

continuing to improve thecourse

there is a planned applicationof the theory at AT&T, for dataplane implementation

AAA

A

A

A

ACKNOWLEDGMENTS

This talk is based on joint work withJennifer Rexford of Princeton University.

All the formal modeling has been done in Alloy,with thanks to Daniel Jackson of MIT for making it possible.

John Day’s book Patterns in Network Architecturewas my Rosetta Stone.

www.cs.princeton.edu/courses/archive/spr17/cos598D