
VigNAT: A Formally Verified Performant NAT - signa11
https://vignat.github.io/
======
runeks
> Our proof applies directly to the C code of a network function, and it
> demonstrates the absence of implementation bugs.

Isn’t this just like a type system? You specify what you want in types, and
the type checker complains if there are implementation bugs (the inferred type
doesn’t match the specified type).

Of course, this just means that the hard part is now correctly expressing all
the invariants (and combinations hereof) of your program as a
type/proposition.

~~~
SolalPirelli
(2nd author of the paper here)

By "implementation bugs" we mean _any_ bug that could cause the NAT to not
satisfy its spec, which is a formalized version of RFC 3022.

This includes bugs that a type system would catch, such as improper use of
void pointers, as well as lack of crashes (e.g. Out-of-bounds indexing,
division by zero...); but most importantly, it includes _semantic_ bugs, such
as forwarding a packet to the wrong port, incorrectly modifying a packet, not
updating the internal state properly (so that future packets are handled
correctly), etc.

The main contribution here is that only the data structures (which are
reusable) need to be proven by hand; for a new NF, you only need a
specification - which is, as you point out, not always easy to do.

~~~
drsopp
IMO this kind of work is very important, and is necessary to be able to
categorize computer science as engineering. How do you see the future of this
kind of programming? Will it become much easier/semi automated? Even
mainstream? Could we see operating systems made with these methods?

~~~
pvg
Do you mean 'programming'? Because 'Computer Science' doesn't really need to
be categorized as engineering, being a science and all.

~~~
diroussel
Yeah. It's the other way around. Science is about learning. Engineering is
build things based on knowledge gained from using the scientific method.

Building things without using scientific knowledge is not engineering. It's
hacking.

~~~
drsopp
Yes. Mainstream programming is more art than engineering, like how we built
buildings before statics.

~~~
pvg
Buildings before statics were not built by 'art'. That entire 'programming is
not like engineering' analogy is just terrible in almost every conceivable
dimension, despite its enduring popularity.

------
travbrack
Why choose this problem to solve in 2018? NAT is a hacky solution to an old
problem which is fixed by IPv6.

~~~
beagle3
It was not a design feature, but IPv4 NAT provides some anonymity that IPv6
will take away in the future (if it hasn't already).

ISPs in my area assign a prefix per customer; If you know the ISP, you know
the length of the prefix, and can thus pinpoint the exact ISP customer with
every connection.

On ISPv4+CGNAT, the common deployment, they can't do that.

~~~
travbrack
The IPv4 equivalent of that is giving each customer their own IP which happens
all the time now. Individual devices within a customer network can be uniquely
identified with IPv6 though which is new.

~~~
beagle3
The IPv4 equiv cannot and does not happen because of address pool size.

Most ISPs charge extra for a fixed IPv4; and many default to CGNAT which makes
it impossible to correlate even within a 10 minute period.

------
signa11
code is also available here:
[https://github.com/vignat/vignat](https://github.com/vignat/vignat)

yay !

------
devxpy
Don't leave out NAT PCP (RFC6887)!

It's a must for p2p communication

[https://tools.ietf.org/html/rfc6887](https://tools.ietf.org/html/rfc6887)

------
candiodari
I wish they tested a few adversarial conditions as well, like for instance
having MANY open nat connections. At some point the memory runs out, right ?

~~~
SolalPirelli
The size of the flow table is configurable, and the NAT drops connections once
the table is full. (Of course, the NAT also expires old connections)

~~~
candiodari
Interesting. Does it keep actively used connections open so as to maintain as
much functionality as possible if it's under attack ?

~~~
SolalPirelli
Yes, existing connections are kept as long as there is traffic often enough
(in either direction) - the timeout is configurable.

~~~
loxias
This is truly amazing work, I'm glad you chose Nat as your NF example. One
minor question I haven't seen answered anywhere: For vignat, in the git
repository and the paper, I see no mention of software license.

May I assume that it is in the public domain, or if not, BSD licensed?

~~~
SolalPirelli
Good point. Will talk about it with the other authors. Thanks.

------
zurn
How does symbolic execution w KLEE work to formally verify programs, are there
tradeoffs in coverage? For complete coverage you'd have to get it to cover the
whole possible spaces of states and execution paths of the analyzed system.

~~~
cvwright
The way they work around state space explosion is pretty cool. They push all
the state off into another module, whose correctness they verify using other
methods. Then they tell the symbolic execution engine that the state-holding
module does not misbehave. So it's a hybrid -- use each verification technique
where it's strong, to shore up the weaknesses/shortcomings in the other one.

------
andrewchambers
Anyone know if there is anyone working on an equivalent of ascl or verifast
for golang?

------
geggam
How does this work with IPV6 ?

~~~
xxpor
It's easy to prove correctness for IPv6 NAT: if you're doing it, it's wrong.

~~~
DanielDent
Let's imagine a small business with two IPv6-capable ISPs & a router. They
want to make effective use of their two links for load balancing & failover.

There's not a chance that BGP is going to get set up or that their own IP
allocation is going to happen.

How do you propose they implement multi-homing for their entire network? How
do you propose they balance their link utilization?

~~~
xxpor
>There's not a chance that BGP is going to get set up or that their own IP
allocation is going to happen.

Why not? There's no restrictions on V6, unlike V4 where a small biz might not
be able to afford even a /24.

~~~
DanielDent
Here are the three most significant problems from my perspective:

(1) Cost - IP allocation isn't close to free, either in $ or in
time/administrative overhead.

(2) Technical Complexity - Using routing protocols like BGP is not currently a
process with enough automated tooling to make it realistic

Those problems could likely be overcome with concerted effort.

But the biggest problem of all may be what this would do to the size of global
routing tables. We've already got a problem with routing table size exploding
with more and more people advertising smaller and smaller prefixes. All of
that high-performance ram is expensive. That routing table is globally
replicated.

If it were affordable for everyone to announce their own prefixes, routing
tables would be prohibitively large. I don't think we yet have any good
answers to this problem, and I am genuinely interested if you are aware of
any.

