Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

CrossCheck: Input Validation for WAN Control Systems

Alexander Krentsel, Rishabh Iyer, Isaac Keslassy, Bharath Modhipalli, Sylvia Ratnasamy, Anees Shaikh, Rob Shakir

TL;DR

This work presents CrossCheck, a system that validates inputs to the Software-Defined Networking (SDN) controller in a Wide Area Network (WAN), and shows that it reliably detects a wide range of invalid inputs and maintains a near-zero false positive rate for realistic levels of noisy, missing, or buggy telemetry data.

Abstract

We present CrossCheck, a system that validates inputs to the Software-Defined Networking (SDN) controller in a Wide Area Network (WAN). By detecting incorrect inputs - often stemming from bugs in the SDN control infrastructure - CrossCheck alerts operators before they trigger network outages. Our analysis at a large-scale WAN operator identifies invalid inputs as a leading cause of major outages, and we show how CrossCheck would have prevented those incidents. We deployed CrossCheck as a shadow validation system for four weeks in a production WAN, during which it accurately detected the single incident of invalid inputs that occurred while sustaining a 0% false positive rate under normal operation, hence imposing little additional burden on operators. In addition, we show through simulation that CrossCheck reliably detects a wide range of invalid inputs (e.g., detecting demand perturbations as small as 5% with 100% accuracy) and maintains a near-zero false positive rate for realistic levels of noisy, missing, or buggy telemetry data (e.g., sustaining zero false positives with up to 30% of corrupted telemetry data).

CrossCheck: Input Validation for WAN Control Systems

TL;DR

This work presents CrossCheck, a system that validates inputs to the Software-Defined Networking (SDN) controller in a Wide Area Network (WAN), and shows that it reliably detects a wide range of invalid inputs and maintains a near-zero false positive rate for realistic levels of noisy, missing, or buggy telemetry data.

Abstract

We present CrossCheck, a system that validates inputs to the Software-Defined Networking (SDN) controller in a Wide Area Network (WAN). By detecting incorrect inputs - often stemming from bugs in the SDN control infrastructure - CrossCheck alerts operators before they trigger network outages. Our analysis at a large-scale WAN operator identifies invalid inputs as a leading cause of major outages, and we show how CrossCheck would have prevented those incidents. We deployed CrossCheck as a shadow validation system for four weeks in a production WAN, during which it accurately detected the single incident of invalid inputs that occurred while sustaining a 0% false positive rate under normal operation, hence imposing little additional burden on operators. In addition, we show through simulation that CrossCheck reliably detects a wide range of invalid inputs (e.g., detecting demand perturbations as small as 5% with 100% accuracy) and maintains a near-zero false positive rate for realistic levels of noisy, missing, or buggy telemetry data (e.g., sustaining zero false positives with up to 30% of corrupted telemetry data).
Paper Structure (30 sections, 2 theorems, 7 equations, 13 figures, 1 table, 1 algorithm)

This paper contains 30 sections, 2 theorems, 7 equations, 13 figures, 1 table, 1 algorithm.

Table of Contents

  1. Introduction
  2. Background and Motivation
  3. TE Inputs
  4. How Do Incorrect Inputs Occur?
  5. How Are Incorrect Inputs Detected Today?
  6. Bad Input Causes a Bad Day
  7. CrossCheck Overview
  8. System Architecture
  9. Collected Router Signals
  10. Network Invariants
  11. CrossCheck Repair and Validation
  12. Repair
  13. Validating Demand
  14. Validating Topology
  15. Analyzing CrossCheck’s Algorithms
  16. ...and 15 more sections

Key Result

Theorem 1

CrossCheck is guaranteed to detect and repair any corrupted counters when corruption is restricted to an arbitrary single link.

Figures (13)

  • Figure 1: CrossCheck high-level system design.
  • Figure 2: Measured imbalance in our network invariants for a large production WAN. For (b)-(d), $0$% implies that the equality holds perfectly.
  • Figure 3: Example network with a faulty router signal (in red).
  • Figure 4: Shadow-system validation on live production data from a large production WAN $A$.
  • Figure 5: CrossCheck's TPR with buggy demands. The x-axis displays the sum of the absolute values of the demand changes as a percentage of the total demand.
  • ...and 8 more figures

Theorems & Definitions (4)

  • Theorem 1
  • Theorem 2
  • proof
  • proof