summaryrefslogtreecommitdiffstats
path: root/docs/developer/design/verigraph.rst
blob: 1362e2326fa5053f9df43bdfc3594df2683a9081 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
.. This work is licensed under a Creative Commons Attribution 4.0 International License.
.. http://creativecommons.org/licenses/by/4.0

================
Parser verigraph
================

This document provides a description of VeriGraph, a formal verification tool for service graphs.

.. contents::
   :depth: 3
   :local:

Overview
--------
Given a service graph, which can include stateful network functions and their configurations
(e.g., filtering rules for firewalls, and blacklists for anti-spamming filters), VeriGraph can
accurately and quickly check reachability properties in the graph (e.g. if a particular flow of
packets can go from one node of the graph to another node).

VeriGraph exploits Satisfiability Modulo Theories (SMT) and the general-purpose SMT solver Z3.
It includes a library of network function models.

Architecture
------------
VeriGraph exploits two sub-modules:

- **Z3**, the SMT solver developed by Microsoft
- **Neo4JManger**, a module that can store service graphs into a *Neo4J* graph-oriented database

Neo4JManager can also extract from a service graph all the VNF chains that are
relevant for checking the reachability properties of that graph.

How the tool works
------------------
VeriGraph accepts JSON service graph descriptions that include endpoints, VNF instances, logical
directed links connecting them, and VNF configurations.

When VeriGraph receives a service graph and a reachability property to verify, it forwards the graph
to Neo4JManager and asks Neo4JManager to extract the chains that connect the nodes addressed by the
property to be checked. For each one of these chains, VeriGraph builds a set of first order logic
formulas that represent a mathematical model of the forwarding behavior of the chain.
This model takes into account the forwarding behavior of the links and of the VNFs included in the chain,
taking into consideration their configurations. If the formulas that make up the model are satisfiable,
this means that it is possible for a packet to traverse the chain from one end to the other.
VeriGraph passes this model to Z3 which checks its satisfiability.
Based on the satisfiability result of the formulas that model the different paths, VeriGraph finally
derives the overall result (reachability property satisfied or not).

.. image:: /images/verigraph.png