Abstract: Embodiments described herein describe a network tester that is configured to perform packet modification at an egress pipeline of a programmable packet engine. A packet stream is received at an egress pipeline of an output port of the programmable packet engine, wherein the output port includes a packet modifier. Packets of the packet stream are modified at the packet modifier. The packet stream including modified packets is transmitted through an egress pipeline of the output port.

Abstract: Example implementations relate to determining whether network invariants are violated by flow rules to be implemented by the data plane of a network. In an example, a verification module implemented on a device receives a flow rule transmitted from an SDN controller to a switch, the flow rule relating to an event. The module determines whether the flow rule matches any of a plurality of network invariants cached in the device. If determined that the flow rule matches one of the plurality of network invariants, the verification module determines whether the flow rule violates the matched network invariant. If determined that the flow rule does not match any of the plurality of network invariants, the verification module (1) reports the event associated with the flow rule to a policy management module, (2) receives a new network invariant related to the event from the policy management module, and (3) determines whether the flow rule violates the new network invariant.

Abstract: Example implementations disclosed herein can be used to generate composite network policy graphs based on multiple network policy graphs input by network users that may have different goals for the network. The resulting composite network policy graph can be used to program a network so that it meets the requirements necessary to achieve the goals of at least some of the network users. In one example implementation, a method can include receiving multiple network policy graphs, generating composite endpoint groups based on relationships between endpoint groups and policy graph sources, generating composite paths based on the relationships between the endpoints and the network policy graphs, generating a composite network policy graph based on the composite endpoint groups and the composite paths, and analyzing the composite network policy graph to determine conflicts or errors.

Abstract: In some examples, a system can verify a network function by inquiring a model using a query language is described. In some examples, the system can include at least a memory and a processor coupled to the memory. The processor can execute instructions stored in the memory to transmit a plurality of packets into at least one network function that is unverifiable; describe the at least one network function using a model comprising a set of match action rules and a state machine; inquire the model using a query language comprising a temporal logic to obtain a query result indicating an expected behavior of the plurality of packets; and verify the at least one network function based on the query result and the expected behavior of the plurality of packets.

Abstract: Example method includes: receiving, by a network device in a network, a first network policy and a second network policy configured by a network administrator, wherein the first network policy comprises a first metric and the second network policy comprises a second and different metric; detecting, by the network device, a conflict between the first network policy and the second network policy; determining, by the network device, a relationship between the first metric and the second metric; modifying, by the network device, at least one of the first network policy and the second network policy to resolve the conflict based on the relationship between the first metric and the second metric; and combining, by the network device, the first network policy and the second network policy to generate a composite network policy that is represented on a single policy graph.

Abstract: Embodiments described herein describe a network tester that is configured to perform packet modification at an egress pipeline of a programmable packet engine. A packet stream is received at an egress pipeline of an output port of the programmable packet engine, wherein the output port includes a packet modifier. Packets of the packet stream are modified at the packet modifier. The packet stream including modified packets is transmitted through an egress pipeline of the output port.

Abstract: Example method includes: identifying three relationships about a network function in an intent-based stateful network—(1) the network function forwarding a network packet implies that at least one previous network packet was received by the network function in the same direction prior to the network packet is forwarded, (2) an established state in the network function implies that at least one previous network packet was received at the network function, (3) the network function receiving the network packet as a downward network function implies the network packet was previously sent by a second network function acting as an upward network function; encoding the network function using a combination of at least one of the three identified relationships; and verifying a plurality of network intents in the intent-based stateful network based at least in part on the encoding of the network function.

Abstract: Example implementations relate to determining whether network invariants are violated by flow rules to be implemented by the data plane of a network. In an example, a verification module implemented on a device receives a flow rule transmitted from an SDN controller to a switch, the flow rule relating to an event. The module determines whether the flow rule matches any of a plurality of network invariants cached in the device. If determined that the flow rule matches one of the plurality of network invariants, the verification module determines whether the flow rule violates the matched network invariant. If determined that the flow rule does not match any of the plurality of network invariants, the verification module (1) reports the event associated with the flow rule to a policy management module, (2) receives a new network invariant related to the event from the policy management module, and (3) determines whether the flow rule violates the new network invariant.

Abstract: Example method includes: identifying three relationships about a network function in an intent-based stateful network—(1) the network function forwarding a network packet implies that at least one previous network packet was received by the network function in the same direction prior to the network packet is forwarded, (2) an established state in the network function implies that at least one previous network packet was received at the network function, (3) the network function receiving the network packet as a downward network function implies the network packet was previously sent by a second network function acting as an upward network function; encoding the network function using a combination of at least one of the three identified relationships; and verifying a plurality of network intents in the intent-based stateful network based at least in part on the encoding of the network function.

Abstract: Example method includes: receiving, by a network device, a plurality of input policy graphs and a composed policy graph associated with the input policy graphs; dividing the composed policy graph into a plurality of sub-graphs, each sub-graph comprising a plurality of edges and a plurality of source nodes and destination nodes that the edges are connected to; selecting a first subset of sub-graphs that include, as a source node, a disjoint part of an original source EPG for each input policy graph; identifying a second subset within the first subset of sub-graphs that include, as a destination node, a disjoint part of an original destination EPG for the each input policy graph; and verifying whether connectivity in the composed policy graph reflects a corresponding policy in the plurality of input policy graphs for each sub-graph in the second subset.

Abstract: Example implementations relate to determining whether network invariants are violated by flow rules to be implemented by the data plane of a network. In an example, a verification module implemented on a device receives a flow rule transmitted from an SDN controller to a switch, the flow rule relating to an event. The module determines whether the flow rule matches any of a plurality of network invariants cached in the device. If determined that the flow rule matches one of the plurality of network invariants, the verification module determines whether the flow rule violates the matched network invariant. If determined that the flow rule does not match any of the plurality of network invariants, the verification module (1) reports the event associated with the flow rule to a policy management module, (2) receives a new network invariant related to the event from the policy management module, and (3) determines whether the flow rule violates the new network invariant.

Abstract: A method for verifying network intents may include decomposing at least one network intent into a plurality of sub-verification tasks, generating a set of normalized configurations for a plurality of network devices in a target network based on a set of current configurations for the plurality of network devices and generating a network graph based on the set of normalized configurations and a topology of the target network. The method may further include analyzing the plurality of sub-verification tasks and the network graph to determine if the set of current configurations for the plurality of network devices satisfies the at least one network intent. If the at least one network intent is not satisfied, a report may be generated indicating that the target network is not in compliance. If the at least one network intent is satisfied, information may be provided indicating that target network is in compliance.

Abstract: Example method includes: receiving, by a network device, a plurality of input policy graphs and a composed policy graph associated with the input policy graphs; dividing the composed policy graph into a plurality of sub-graphs, each sub-graph comprising a plurality of edges and a plurality of source nodes and destination nodes that the edges are connected to; selecting a first subset of sub-graphs that include, as a source node, a disjoint part of an original source EPG for each input policy graph; identifying a second subset within the first subset of sub-graphs that include, as a destination node, a disjoint part of an original destination EPG for the each input policy graph; and verifying whether connectivity in the composed policy graph reflects a corresponding policy in the plurality of input policy graphs for each sub-graph in the second subset.

Abstract: Example implementations relate to determining whether network invariants are violated by flow rules to be implemented by the data plane of a network. In an example, a verification module implemented on a device receives a flow rule transmitted from an SDN controller to a switch, the flow rule relating to an event. The module determines whether the flow rule matches any of a plurality of network invariants cached in the device. If determined that the flow rule matches one of the plurality of network invariants, the verification module determines whether the flow rule violates the matched network invariant. If determined that the flow rule does not match any of the plurality of network invariants, the verification module (1) reports the event associated with the flow rule to a policy management module, (2) receives a new network invariant related to the event from the policy management module, and (3) determines whether the flow rule violates the new network invariant.

Abstract: Example method includes: receiving, by a network device in a network, a first network policy and a second network policy configured by a network administrator, wherein the first network policy comprises a first metric and the second network policy comprises a second and different metric; detecting, by the network device, a conflict between the first network policy and the second network policy; determining, by the network device, a relationship between the first metric and the second metric; modifying, by the network device, at least one of the first network policy and the second network policy to resolve the conflict based on the relationship between the first metric and the second metric; and combining, by the network device, the first network policy and the second network policy to generate a composite network policy that is represented on a single policy graph.

Abstract: Example method includes: negotiating, by a network device, a location of a data source for a particular network infrastructure manager; inferring, by the network device, a meta label namespace by analyzing the data source, wherein the meta label namespaces comprises at least a relationship between a plurality of meta labels; inferring, by the network device, a label namespace that is specific to the particular network infrastructure manager from the meta label namespace; converting, by the network device, the label namespace to an abstract label namespace; and aggregating, by the network device, the abstract label namespace into a global label namespace that is applicable across diverse network infrastructures.

Abstract: Distributed data structures in a software defined networking (SDN) environment is disclosed. One example is a system including at least one processor and a memory storing instructions executable by the at least one processor to access a tree data structure located at a central node in the SDN environment, retrieve, at a local node of the network, a sub-tree of the data structure, the sub-tree determined based on a management policy associated with the local node or the central node, and cache sub-trees of the data structure at respective local nodes to generate a distributed data structure in the environment.

Abstract: In some examples, a system can verify a network function by inquiring a model using a query language is described. In some examples, the system can include at least a memory and a processor coupled to the memory. The processor can execute instructions stored in the memory to transmit a plurality of packets into at least one network function that is unverifiable; describe the at least one network function using a model comprising a set of match action rules and a state machine; inquire the model using a query language comprising a temporal logic to obtain a query result indicating an expected behavior of the plurality of packets; and verify the at least one network function based on the query result and the expected behavior of the plurality of packets.

Abstract: Example implementations disclosed herein can be used to generate composite network policy graphs based on multiple network policy graphs input by network users that may have different goals for the network. The resulting composite network policy graph can be used to program a network so that it meets the requirements necessary to achieve the goals of at least some of the network users. In one example implementation, a method can include receiving multiple network policy graphs, generating composite endpoint groups based on relationships between endpoint groups and policy graph sources, generating composite paths based on the relationships between the endpoints and the network policy graphs, generating a composite network policy graph based on the composite endpoint groups and the composite paths, and analyzing the composite network policy graph to determine conflicts or errors.

Abstract: Disclosed are an apparatus and method for managing user-centered context, the apparatus including a sensor level unit including a plurality of sensors to transmit respective pieces of first context collected from the plurality of sensors, a domain level unit including a plurality of domain context management modules (domain_U-CoUDE) to produce a first inferred context by aggregating and inferring a corresponding second context among the respective pieces of first context by use of a context model and transmit the produced first inferred context, and a user level unit including a plurality of user context management modules (user_U-CoUDE) to produce and transmit a second inferred context by aggregating and inferring the first inferred context by use of the context model, so that different forms of context generated from various domains are converted into a standardized from, thereby providing and using the context in a more efficient manner.