TY - GEN
T1 - Foundational Verification of Stateful P4 Packet Processing
AU - Wang, Qinshi
AU - Pan, Mengying
AU - Wang, Shengyi
AU - Doenges, Ryan
AU - Beringer, Lennart
AU - Appel, Andrew W.
N1 - Publisher Copyright:
© Qinshi Wang, Mengying Pan, Shengyi Wang, Ryan Doenges, Lennart Beringer, and Andrew W. Appel; licensed under Creative Commons License CC-BY 4.0 14th International Conference on Interactive Theorem Proving (ITP 2023)
PY - 2023/7
Y1 - 2023/7
N2 - P4 is a standardized programming language for the network data plane. But P4 is not just for routing anymore. As programmable switches support stateful objects, P4 programs move beyond just stateless forwarders into new stateful applications: network telemetry (heavy hitters, DDoS detection, performance monitoring), middleboxes (firewalls, NAT, load balancers, intrusion detection), and distributed services (in-network caching, lock management, conflict detection). The complexity of stateful programs and their richer specifications are beyond what existing P4 program verifiers can handle. Verifiable P4 is a new interactive verification framework for P4 that (1) allows reasoning about multi-packet properties by specifying the per-packet relation between initial and final states; (2) performs modular verification, especially providing a modular description for stateful objects; (3) is foundational, i.e., with a machine-checked soundness proof with respect to a formal operational semantics of P416 (the current specification of P4) in Coq. In addition, our framework includes a proved-correct reference interpreter. We demonstrate the framework with the specification and verification of a stateful firewall that uses a sliding-window Bloom filter on a Tofino switch to block (most) unsolicited traffic.
AB - P4 is a standardized programming language for the network data plane. But P4 is not just for routing anymore. As programmable switches support stateful objects, P4 programs move beyond just stateless forwarders into new stateful applications: network telemetry (heavy hitters, DDoS detection, performance monitoring), middleboxes (firewalls, NAT, load balancers, intrusion detection), and distributed services (in-network caching, lock management, conflict detection). The complexity of stateful programs and their richer specifications are beyond what existing P4 program verifiers can handle. Verifiable P4 is a new interactive verification framework for P4 that (1) allows reasoning about multi-packet properties by specifying the per-packet relation between initial and final states; (2) performs modular verification, especially providing a modular description for stateful objects; (3) is foundational, i.e., with a machine-checked soundness proof with respect to a formal operational semantics of P416 (the current specification of P4) in Coq. In addition, our framework includes a proved-correct reference interpreter. We demonstrate the framework with the specification and verification of a stateful firewall that uses a sliding-window Bloom filter on a Tofino switch to block (most) unsolicited traffic.
KW - Software Defined Networking
KW - Stateful data plane programming
KW - Verifiable P4
UR - http://www.scopus.com/inward/record.url?scp=85168757459&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85168757459&partnerID=8YFLogxK
U2 - 10.4230/LIPIcs.ITP.2023.32
DO - 10.4230/LIPIcs.ITP.2023.32
M3 - Conference contribution
AN - SCOPUS:85168757459
T3 - Leibniz International Proceedings in Informatics, LIPIcs
BT - 14th International Conference on Interactive Theorem Proving, ITP 2023
A2 - Naumowicz, Adam
A2 - Thiemann, Rene
PB - Schloss Dagstuhl- Leibniz-Zentrum fur Informatik GmbH, Dagstuhl Publishing
T2 - 14th International Conference on Interactive Theorem Proving, ITP 2023
Y2 - 31 July 2023 through 4 August 2023
ER -