AllSynth: A BDD-Based Approach for Network Update Synthesis

The increasingly stringent dependability requirements on communication networks as well as the need to render these networks more adaptive to improve performance, demand for more automated approaches to operate networks. We present AllSynth, a symbolic synthesis tool for updating communication networks in a provably correct and eﬃcient manner. AllSynth automatically synthesizes network update schedules which transiently ensure a wide range of policy properties expressed using linear temporal logic (LTL). In particular, in contrast to existing approaches, AllSynth symbolically computes and compactly represents all feasible and cost-optimal solutions. At its heart, AllSynth relies on a novel parameterized use of binary decision diagrams (BDDs) which greatly improves performance. Indeed, AllSynth not only provides formal correctness guarantees and outperforms existing state-of-the-art tools in terms of generality, but also in terms of runtime as documented by experiments on a benchmark of real-world network topologies. © 2023 The Author(s). Published by Elsevier B.V. This is an open access article under the CC BY license (http://creativecommons .org /licenses /by /4 .0/).


Introduction
Improving the automated operation of communication networks is considered one of the most important research problems in networking today, for two main reasons.First, communication networks and their configurations are highly complex, forcing operators to become "masters of complexity" [25]; many major Internet outages over the past years were caused by human errors [5,13,16].Today's manual approach hence stands in stark contrast to the increasingly stringent dependability requirements on communication networks, which are a critical infrastructure of our digital society.Second, network traffic is not only constantly increasing but also features much more temporal and spatial structure [4,6,51]; this introduces a significant potential to improve operational efficiency by rendering networks more adaptive towards the actual traffic patterns they serve.
Motivated by the prospect of an increased level of automation in networks [18], over the past years, great efforts were made in laying the foundations for automated network verification, and in designing synthesis tools [3,17,28,44,47].Furthermore, motivated by the benefits of more adaptive network operations, e.g., to improve availability and performance [29], automated tools for consistently updating network configurations have been developed [12,24,40,45,48] which overcome the limitations of existing hand-crafted algorithms [1,36,39].However, the computation of provably consistent network update schedules remains challenging, due to the performance and expressiveness demands.The performance requirements are multidimensional: network update schedules should not only be quickly computable but also account for operator pref-erences, like requiring that certain switches or routers are updated first.However, existing approaches only provide one update sequence that may not satisfy additional requirements imposed by the network operator.
Our contributions.We present an automated network update synthesis tool, AllSynth, that computes and represents in a compact BDD (binary decision diagram) form all correct update sequences that respect various logical properties expressible in linear temporal logic (LTL) [43] such as reachability, waypointing and service chaining.AllSynth comes with formal correctness guarantees and in case it provably establishes that there does not exist any simple update schedule (where each switch is updated at most once), it can make suggestions for alternative solutions employing general update schedules (where a switch can be updated multiple times).
Despite being more general, AllSynth significantly outperforms state-of-the-art tools with regard to execution time on all non-trivial real-world networks from the standard Topology Zoo benchmark [30].The update synthesis problem solved by AllSynth is NP-hard, even when restricted to preserving the basic loop-freedom and waypointing properties [36].To overcome the complexity of the problem, AllSynth exploits a novel use of binary decision diagrams (BDDs) [34] to compactly encode not only the network topology and policy invariant, but also the set of all correct update sequences.
The fact that AllSynth computes all feasible update sequences enables future use cases for the tool, such as finding an optimal schedule with regard to a particular cost specification, providing multiple alternative solutions and filtering based on operator requirements (e.g.some switches must be updated before the rest or in a certain order).The source code of AllSynth and all our experimental artefacts are available at [33].
Related work.Motivated by the benefits of adaptive and software-defined (i.e., programmable) communication networks [31], as well as the increasingly stringent dependability requirements, the question of how to correctly update network configurations has received much attention over the last years.A recent survey summarizes over one hundred approaches [20].
In their seminal work, Reitblatt et al. [45] showed that strong per-packet consistency can be achieved using packet versioning during reconfigurations.Their approach, which was subsequently studied intensively in the literature [9,11,21,26,27,35,42], has the drawback that it requires packet header modifications and additional memory at the nodes: switches and routers need to store forwarding rules for each version.
A clever alternative approach, introduced by Mahajan and Wattenhofer [39], schedules batches of updates over time, where the set of updates within a batch can take effect in any order without harming consistency.This approach has also been explored extensively already [1,15,22,[36][37][38]50], however, it can only be used to provide a subset of the consistency properties of [45].This in turn motivated hybrid approaches such as FLIP [48].Interestingly, similar to AllSynth, FLIP also supports alternative solutions in case a simple update cannot be found.However, in contrast to FLIP which relies on a heuristic algorithm, AllSynth only presents alternative solutions in case a simple solution provably does not exist.Furthermore, while FLIP resorts to a packet tagging alternative (which consumes header space and switch memory), AllSynth is a light-weight and fully symbolic approach aiming at updating nodes multiple times.
The need for supporting more general or even customizable consistency properties [52] as well as more automated synthesis approaches [19,24,41] has already received attention in the literature as well.However, our approach is the first one that uses the BDD-based technology for the synthesis and representation of all correct network updates.The competing tool NetSynth [40] for update synthesis is relying on an incremental enumeration of candidates of update sequences that are then verified by external model checkers, like NuSMV [14], and the tool terminates as soon as the first correct update sequence is found.
This article is an extended version (with full proofs, cost-optimal update synthesis and additional experiments) of TASE'22 conference paper published in [32].The paper is organized as follows: in Section 2 we formally define the update synthesis problem, including the simple and generalized variants of the problem; in Section 3.2 we introduce our BDD-based tool for solving the problem and we construct a BDD representation of all feasible solutions to the update synthesis problem; in Section 4 we extend the methodology with the construction of a BDD representing all cost-optimal solutions; in Section 5 we evaluate the performance of our implementation against state-of-the-art approaches; finally in Section 6 we provide a conclusion and further perspectives of our work.We also include a short appendix showing how to run AllSynth.

A model for update synthesis
Before we formally define our problem, we shall provide an intuitive motivation for the update synthesis problem.In Fig. 1 we see a simple network with four nodes (routers).Packets from the source node s are forwarded to the destination node d along the solid edges (links) that represent the initial routing configuration.The network operator aims to change this routing to an alternative one represented by the dashed edges.The task is to schedule the order of node updates (changing the forwarding function at the updated node from the solid edge to the dashed one) so that in every intermediate routing configuration we preserve the reachability between s and d and at the same time always visit the waypoint node v 1 (representing for example a firewall).
If the node s is updated first, the new routing will follow the path s, v 2 , d which preserves the reachability property but not the waypointing.On the other hand, if we first update the node v 2 , we create an undesirable forwarding loop . .which breaks the reachability property.Hence the only option is to update first the node v 1 , after which  we have a correct forwarding path s, v 1 , d satisfying both reachability and waypointing.After this we can update the node v 2 because this update does not change the forwarding path and lastly, we update the node s that completes the update sequence from the initial to the final routing.
We are now ready to provide the formalization of the update synthesis problem.Table 1 contains a summary of the key notation.We model the network as a multigraph, allowing us to describe multiple connections between nodes (i.e., switches or routers, which are treated as synonyms in the following); these connections can have different quantitative attributes (e.g.latency).Henceforth, we adopt graph-theory terminology and refer to such connections or links as edges.

Definition 1 (Network topology).
A network topology is a directed multigraph G = (V , E, src, tgt) where V is the set of nodes, E is the set of edges and src, tgt : E → V are respectively the source and target functions.
In order to route traffic from a node v 0 to a node v , each node v has a forwarding rule that specifies an appropriate outgoing edge e such that src(e) = v.This rule can be per-flow or apply to multiple flows; in the following, we do not explicitly distinguish between the two scenarios.Not all nodes need to have defined their forwarding edge (e.g. the target node v or the nodes that are not involved in packet forwarding from v 0 to v ).We capture this formally by the notion of a routing configuration.

Definition 2 (Routing configuration).
A routing configuration, or routing for short, in a network topology For a given network topology G = (V , E, src, tgt) with the source node v 0 ∈ V , a routing configuration ρ defines a unique sequence of edges (a path) that is finite if the routing is loop free; otherwise it is infinite.In the finite case, the path is given by π = e 0 e 1 • • • e n such that ρ(tgt(e i−1 )) = e i for all i, 1 ≤ i ≤ n, and src(e 0 ) = v 0 , and where ρ(tgt(e n )) is undefined.The corresponding sequence of traversed nodes is then π = src(e 0 )src(e 1 ) • • • src(e n )tgt(e n ).In the infinite case, the path is given by π = e 0 e 1 • • • such that ρ(tgt(e i−1 )) = e i for all i > 0, and src(e 0 ) = v 0 .The sequence of traversed nodes is given by the infinite sequence π = src(e 0 )src(e 1 ) . . is a (finite or infinite) sequence of nodes then we refer to its suffix v i v i+1 . . .by π i and to the initial node v 0 by π[0].For a node v 0 ∈ V and routing ρ, we let π ρ (v 0 ) denote the unique (finite or infinite) path induced by ρ from the source node v 0 and let π ρ (v 0 ) be the corresponding sequence of traversed nodes.

Routing policies
We shall now define a variant of LTL [43] that allows us to describe specific policies that routings must enforce (both statically and transiently).

Definition 3 (Policy syntax).
For a network topology G = (V , E, src, tgt), a policy ϕ is constructed according to the following LTL-based abstract syntax, where v ∈ V : In addition to the classical LTL operators, our logic includes a loop-freeness predicate.We now give the formal semantics of our logic, interpreted both on infinite and finite paths [23].

Definition 4 (Policy semantics).
For a network topology G = (V , E, src, tgt), a policy ϕ is satisfied by a path π ∈ E * ∪ E ω , written π |= ϕ, iff the corresponding sequence of traversed nodes π satisfies π |= ϕ, defined inductively on the structure of ϕ as follows: Examples of standard routing policies are given in Fig. 2. The simplest policy, Reach(d), specifies that the destination node d must eventually be reached while Waypoint(v, d) asks that any path reaching the destination d must necessarily pass through waypoint node v.For multiple alternative waypoints, MultiWaypoint(W , d) specifies that any path reaching destination d must necessarily pass through either of the waypoints in W . Finally, Service(v

Update synthesis
In the following we assume a fixed network topology G = (V , E, src, tgt).An update u ∈ E ∪ V on G under a current routing configuration ρ specifies that the source node of edge u (if u ∈ E) must now forward its traffic along u or that the routing for the node u (if u ∈ V ) is set to undefined.We write ρ u for the new routing configuration, defined for any v ∈ V as We inductively extend this notation to sequences of updates by letting ρ ε = ρ and ρ wu = (ρ w ) u for any w ∈ (E ∪ V ) * and u ∈ E ∪ V .An update sequence may in general contain an arbitrary number of updates that change multiple times the routing of the same node, however an important set of update sequences is the class of simple update sequences.A simple update sequence consists of only simple updates that change, for a given node v, the initial routing ρ i (v) at v directly to its final routing ρ f (v).This implies that it does not make sense to update the node v (using simple updates) more than once; after the first simple update of v, no further simple updates of v change anything.

Definition 5 (Simple updates)
is undefined whenever u ∈ V .A simple update sequence is then a sequence of simple updates, where each update appears at most once.
A basic property of simple update sequences is that any reordering results in the same final routing configuration i.e., if w is a simple update sequence and w is any permutation of w, then ρ w = ρ w for any routing ρ.
Although any reordering of a simple update sequence yields the same final routing configuration, the intermediate routing configurations induced by each update may not uphold a given policy invariant.This is also the case for general update sequences.We therefore say that an update sequence is correct with respect to a policy ϕ and a node v, if the unique path from v induced by any intermediate routing configuration satisfies ϕ.

Definition 6 (Update correctness
).An update sequence w ∈ (E ∪ V ) * on network topology G with initial routing configuration ρ is correct with respect to source node v 0 and a policy ϕ, if π ρ w (v 0 ) |= ϕ for any prefix w of w.
The network update synthesis problem is thus the problem of constructing a correct update sequence that updates an initial routing to a desired final routing.

Definition 7 ((Simple) update synthesis problem).
Given a topology G, an initial routing configuration ρ i , a final routing configuration ρ f , source node v 0 ∈ V and a policy ϕ, the simple update synthesis problem asks to construct a simple update sequence w that is correct with respect to v 0 and ϕ such that ρ w i = ρ f .The update synthesis problem omits the requirement that the constructed update sequence is simple.
In the following, we let P = (G, ρ i , ρ f , v 0 , ϕ) denote a (simple) update synthesis problem and say that a constructed update sequence w that satisfies the conditions above is a solution.For any simple update synthesis problem P , the set of its solutions, denoted by Sol(P ), is always finite.This is not the case for the general problem as there may be infinitely many (longer and longer) solutions.
While much prior work focused on simple update problems, there are examples which are only solvable with a general solution (as supported by our approach).Consider for example the network topology in Fig. 3a with initial and final routings visualised respectively as solid and dashed lines in Fig. 3b.We fix the source node s and the policy ϕ = Waypoint(v 2 , d) ∧ Reach(d) requiring that waypoint v 2 must be visited before reaching d.An update of any node v from the initial to the final routing violates ϕ-either by introducing a loop or it bypasses the waypoint.Hence there is no correct simple update sequence.However, the update sequence that first updates s to route to v 2 , followed by the update of the nodes v 1 , v 2 and v 3 and finally updating s again to route to v 3 is a correct update sequence.

Simple update sequence reordering
In case of simple update sequences, we shall now argue that for routing policies that (i) include the preservation of reachability between the source and a target, and (ii) for which it holds that once a packet is delivered, no further routing is defined from the target node, we can reorder certain updates in the sequence without invalidating the correctness of the sequence.More specifically, we shall show that if a node routing is to be changed from undefined to some concrete edge, we can safely schedule such updates (in any order) to the very beginning of the update sequence.Similarly, all nodes that change their current routing into undefined can be scheduled (again in arbitrary order) at the end of the update sequence.

Lemma 1.
Let w be a solution to a simple update synthesis problem P = (G, ρ i , ρ f , v 0 , ϕ) where ϕ = Reach(d) ∧ ϕ for any policy ϕ and where ρ i (d) and ρ f (d) are undefined.
2. If w = w 1 uw 2 where u ∈ V updates the routing in u to undefined then w 1 w 2 u is a solution to P .Proof.As we assume that w is a correct update sequence from the initial node v 0 for the policy ϕ that includes the formula Reach(d), we know that for every prefix w of w the path π ρ w i (v 0 ) under the routing ρ w i necessarily ends in the node d.This implies that all nodes v on any such path (except for d) must have defined its routing function ρ w i (v).Now consider case (1) where w = w 1 uw 2 such that u ∈ E where ρ i (src(u)) is undefined.As the update sequence w is simple, there is only a single occurrence of the node src(u) in w.This implies that for any prefix w of w 1 the path π ρ w i (v 0 ) cannot contain the node src(u) as it will otherwise create a blackhole [39] (where a packet cannot be forwarded further) and invalidate the predicate Reach(d).Hence, moving the update u to the very beginning of the update sequence has no impact on the path from v 0 , meaning that it does not change the validity of the policy ϕ either.
For case (2) where w = w 1 uw 2 such that u ∈ V , we notice that after executing the updates in w 1 and u, the resulting routing does not define any forwarding for u, i.e. ρ w 1 u i (u) is undefined.As the update sequence w is simple, the routing of u remains undefined until the end of the update sequence w, while the property Reach(d) must still hold.This implies that after executing the update sequence w 1 the path under any future routing (after executing the updates w 1 w where w is a prefix of w 2 ) does not include the node u.Hence we can safely move the update u at the end of the sequence as it does not influence the validity of the policy ϕ .Lemma 1 can be used to identify all nodes that have an undefined forwarding function in ρ i and schedule them to the beginning of the update sequence.Symmetrically, all updates that change a node forwarding to an undefined value (in the routing ρ f ), can be placed at the end of the update sequence.This may simplify the synthesis of the update sequence by analysing only the nodes that have a defined forwarding function both in the initial and final routing.
The requirement in Lemma 1 that the policy must enforce at least the reachability of d is essential, as illustrated in Fig. 4 where e 2 e 3 e 4 is a correct update sequence preserving Waypoint(v 2 , d).This is because until the last update, the destination d is not reachable and hence the waypointing policy trivially holds.However, even though the routing of v 1 is undefined in the initial routing, moving the update e 4 to the beginning of the update sequence creates a transient forwarding following the path e 1 e 4 and violates Waypoint(v 2 , d).

BDD-based algorithm for update synthesis problem
We shall now present an overview of our tool AllSynth, including its inputs and outputs, followed by the theoretical foundations of the BDD-based synthesis algorithm implemented in the tool.

AllSynth tool workflow
The diagram in Fig. 5 illustrates the main components of AllSynth.The inputs to AllSynth are the network topology G, a policy of interest ϕ, as well as the initial routing ρ i and final routing ρ f from the node v 0 .
From the input network topology G, a BDD representation of the edges in G is combined with the input policy ϕ and a source node v 0 to produce a BDD representing all routing configurations ρ where the unique path π ρ (v 0 ) satisfies ϕ.This Updates leading to final configuration with ϕ correctness preserved All solutions of length N, using N copies of z variables BDD is then in turn combined with the initial and final routing configurations ρ i and ρ f , to construct a BDD representation of all correct update sequences.

The synthesis algorithm
We now describe our algorithmic solution to the update synthesis problem, based on a symbolic encoding of routing configurations using BDDs.This encoding allows for an efficient fixed-point computation of those routing configurations that satisfy a given routing policy, and subsequently to find a correct update sequence solving the synthesis problem.
Boolean decision diagrams [34] are data structures for the compact representation of a Boolean function.A BDD is a rooted directed acyclic graph (DAG), with nonleaf nodes labelled by Boolean variables, and leaf nodes labelled with 0 (false) or 1 (true).Each node that is labelled by a variable has two outgoing edges, a solid one representing the true assignment to the variable and a dotted one for the false assignment.By following the paths from the root to the leaf labelled with 1, we obtain all satisfying Boolean assignments.BDDs were introduced by Lee [34] and later Bryant [10] presented their reduced ordered version (ROBDD), where the ordering between the Boolean variables are fixed along each path from the root to a leaf, and isomorphic parts are combined.We show how to exploit ROBDDs for solving the update synthesis problem.We refer to Table 2 for a summary of key notation used in the encoding.
First, let us recall how to encode subsets of a finite set S using Boolean expressions-hence ROBDDs.The encoding is relative to a given enumeration s 0 , s 1 , s 2 , . . .s |S|−1 of S and it is based on n = log(|S|) Boolean variables x = x 1 , x 2 , . . ., x n .Now, any truth assignment μ to x may be seen as a binary encoding of a natural number n(μ) ∈ N and hence an encoding of the n(μ)'th element s n(μ) ∈ S. We shall use the short notation s(μ) for the element s n(μ) as well as the notation x(s) to denote a Boolean expression over x encoding the singleton-set {s}.Now any Boolean expression t(x) over x may be seen as Example 1.Consider the network topology in Fig. 6a with the nodes V = {v 0 , v 1 , v 2 , v 3 } enumerated by the given indices.We encode any subset of V by a Boolean expression over two Boolean variables x 1 , x 2 -note that the encoding of e.g.{v 1 } is x(v 1 ) = ¬x 1 ∧ x 2 as the binary encoding of v 1 is 01.Conversely, the subset identified by the Boolean expression t ≡ ¬x 1 ∨ ¬x 2 is t = {v 0 , v 1 , v 2 } as the binary encoding of v 0 , v 1 , v 2 are 00, 01, 10, respectively.
BDD encoding of routing configurations.Let G = (V , E, src, tgt) be a network topology and let v ∈ V .We denote by E v the set of edges having v as a source-node, i.e.
indicating for each node v whether ρ(v) is defined and if so to identify an element from E v .For the Boolean encoding of (sets of) elements from E v we use, as described above, log(|E v |) Boolean variables z v .To indicate the definedness of ρ(v), we use an additional Boolean variable z d v .To encode the possible transitions between nodes v and v enabled by a given routing configuration ρ, we use Boolean variables x for encoding the source node v and equally many Boolean variables y for encoding the target node v .The following Boolean expression T encodes all possible transitions in a network: where V = {v 0 , . . ., v k }.
Example 2. Considering again the network topology from Fig. 6a, we shall use three Boolean variables z 0 , z 1 , z 2 for encoding routing configurations in terms of their choice of successor-node from v 0 , v 1 and v 2 . 1 Using the encoding of nodes from Definition 8. Let G = (V , E, src, tgt) be a network topology and ϕ a routing policy.We define the ROBDD B ϕ (x, z) inductively on ϕ as follows: In Definition 8 we exploit the fact that ROBDDs are closed under Boolean operations as well as Boolean quantification.
In the case of NoLoop and ϕ 1 U ϕ 2 , the changes of Boolean variables used in the parameter lists in the right-hand sides are obtained by simple substitution of variables, an operation that may efficiently be performed on ROBDDs.Finally, note that the definitions of B NoLoop and B ϕ 1 U ϕ 2 are given as least fixed points.Proof.The proof proceeds by structural induction on the formula ϕ.The cases ϕ = true and ϕ = v are trivial, while the case ϕ = ϕ 1 ∧ ϕ 2 follows directly by application of the induction hypothesis for the two conjuncts.We consider the remaining cases in turn.

ϕ = NoLoop:
Recall that B NoLoop (x, z) is obtained as the limit of the finite sequence of approximations B n NoLoop (x, z) with B 0 NoLoop (x, z) = 0 and otherwise B n+1 NoLoop (x, z) = ∀y.(T(x, z, y) → B n NoLoop (y, z)) i.e. there exists a k for which For the left to right implication, assume (v, ρ) ∈ B NoLoop (x, z .The proof follows by induction on k.For the base case k = 1, it follows that T (x, z, y) is false for all y, implying that v does not have any outgoing transition under routing configuration ρ, hence, the path induced by ρ from v is loop-free.For the inductive step k > 1, NoLoop (y, z).As v has a unique successor under ρ, it must be the case that (v , ρ) ∈ B k−1 NoLoop (y, z) for the unique successor v. Thus, we can apply the inductive hypothesis to conclude π ρ (v ) |= NoLoop, i.e. the path π ρ (v ) is finite, hence the path π ρ (v) must necessarily be finite and we can conclude π ρ (v) |= NoLoop following the LTL semantics.
For the right to left implication, assume π ρ (v) |= NoLoop.Following the LTL semantics, this implies that π ρ (v) is finite.We proceed by induction on the length of π ρ (v).For the base case |π ρ (v)| = 1, v has no successor in the graph under ρ.Then trivially (v, ρ) ∈ B NoLoop (x, z) as T (x, z, y) is not satisfiable for any y.For the inductive step |π ρ (v)| > 1, v has a unique successor v under ρ.As π ρ (v) may only be finite if π ρ (v ) is finite, we can apply the induction hypothesis to conclude that (v , ρ) For the left to right implication, suppose (v, ρ) ∈ B Xϕ (x, z) .This implies that there exists a (unique) successor v of v under routing configuration ρ, encoded by the variables y, such that (v , ρ) ∈ B ϕ (y, z) .By applying the inductive hypothesis we immediately have that π ρ (v ) |= ϕ , which following the LTL semantics yields π ρ (v) |= ϕ.
For the right to left direction, suppose π ρ (v) |= X ϕ .Following the LTL semantics, we then have that for the unique successor v of v it holds that π ρ (v ) |= ϕ.By the inductive hypothesis we then have (v , ρ) Recall that B ϕ 1 U ϕ 2 is obtained as the limit of the finite sequence of approximations B n i.e. there exists a k for which B k+1 For the left to right implication, assume (v, ρ) ∈ B ϕ 1 U ϕ 2 (x, z) .We proceed by induction on k.For the base case k = 1, it follows that (v, ρ) ∈ B ϕ 2 (x, z) , hence π ρ (v) |= ϕ 2 by the induction hypothesis for the outer structural induction and thus π ρ (v) |= ϕ 1 U ϕ 2 following the LTL semantics.For the inductive step k > 1, we have and directly that (v, ρ) ∈ B ϕ (x, x) , hence π ρ (v) |= ϕ 1 by the inductive hypothesis for the outer structural induction.Furthermore, there exists a (unique) successor v of v such that (v , ρ) , which, by the induction hypothesis for the inner induction on k implies that π ρ (v ) |= ϕ 1 U ϕ 2 , hence π ρ (v) |= ϕ 1 U ϕ 2 following the LTL semantics.
For the right to left implication, assume π ρ (v) |= ϕ 1 U ϕ 2 .Suppose that π ρ (v) |= ϕ 2 .Then, by the inductive hypothesis for the outer structural induction we then have (v, ρ) ∈ B ϕ 2 (x, z) , hence (v, ρ) ∈ B ϕ 1 U ϕ 2 (x, z) .Otherwise, it must be the case that π ρ (v) |= ϕ 1 , while for the unique successor of v, v , we have π ρ (v ) |= ϕ 1 U ϕ 2 by LTL semantics.Hence, by applying the inductive hypothesis for the outer induction, we have (v, ρ) Example 3. Consider the network topology from Fig. 6a with the routing policy Reach(v 3 ).Given the LTL-definition of Reach(v 3 ), the ROBDD B Reach(v 3 ) is given by the limit of the following inductively defined sequence: Reach(v 3 ) (y, z) with B 0 Reach(v 3 ) = 0. Fig. 7 provides some of the approximants with B 4 Reach(v 3 ) found to be the least fixed point.BDD encoding of update sequences.Again let G = (V , E, src, tgt) be a network topology and let ϕ be a routing policy, with ρ i respectively ρ f being initial respectively final routing configuration.We shall show how to symbolically synthesize correct (simple) update sequences using BDD encodings.The basis of the synthesis is the ROBDD B * ϕ (z) encoding all routing configurations that are correct with respect to ϕ using Boolean variables z = z v 0 . . .
For simple updates it suffices to use single Boolean variables z v j , with z v j encoding ρ i (v j ) and ¬z v j encoding ρ f (v j ), i.e. in case ρ f (v j ) = ρ i (v j ).To encode a simple update between configurations ρ and ρ we shall use Boolean variables z for encoding ρ and a corresponding (distinct) sequence of Boolean variables zz for encoding ρ .The following Boolean expression U s ϕ encodes the set of possible simple updates that preserve correctness with respect to ϕ.
Note that in this simple update the routing configuration changes for exactly one node v i from the setting in the initial configuration ρ i , encoded as z v i , to the setting in final configuration ρ f , encoded as ¬zz v i .In the general case, the update can change the setting of any node arbitrarily, as given by the following Boolean expression U ϕ . (2) Lemma 3. We have (ρ, ρ ) ∈ U ϕ (z, zz) (resp.U s ϕ (z, zz) ) iff ρ = ρ and there exists an update (resp.simple update) u such that ρ u = ρ , π ρ (v 0 ) |= ϕ and π ρ (v 0 ) |= ϕ, where v 0 is the given source node.
Proof.We prove the case for general updates.The simple case follows the same reasoning.First recall Equation (2).For the left to right implication, assume (ρ, ρ ) ∈ U ϕ (z, zz) .By Lemma 2, it follows from the first two conjuncts B * ϕ (z) and B * ϕ (zz) that the routing configurations encoded by z and zz, namely ρ and ρ have the property that the induced path (starting from v 0 ) satisfies ϕ, thus π ρ (v 0 ) |= ϕ and π ρ (v 0 ) |= ϕ.The last conjunct ensures that the two routing configurations ρ and ρ differ by exactly one update u, hence ρ = ρ u .For the right to left implication, assume the existence of an update u such that ρ u = ρ , π ρ (v 0 ) |= ϕ and π ρ (v 0 ) |= ϕ.By Lemma 2 we then have (v 0 , ρ) ∈ B ϕ (x, z) and (v 0 , ρ ) ∈ B ϕ (x, z) , implying ρ ∈ B * ϕ (z) and ρ ∈ B * ϕ (zz) .As ρ u = ρ and ρ = ρ , there exists exactly one node where the routing is changed by the update u, implying that the last conjunct is satisfied by ρ and ρ , encoded by variables z and zz respectively.We can now conclude that (ρ, ρ ) ∈ U ϕ (z, zz) .
To enable synthesis of correct (simple) update sequences, the following recursively defined ROBDD is the key.
The expression encodes the set of simple updates that preserve correctness with respect to ϕ while ensuring reachability of the final routing configuration.
Lemma 4. We have (ρ, ρ ) ∈ R s ϕ (z, zz) iff there exists a correct simple update sequence w = u 0 u 1 • • • u k with respect to ρ and ϕ such that ρ = ρ u 0 and ρ w = ρ f .Proof.We recall Equation ( 3) and that R s ϕ (z, zz) is obtained as the limit of the finite sequence of approximations R n ϕ (x, z) with R 0 ϕ (x, z) = 0 and otherwise For the left to right implication, we assume (ρ, ρ ) ∈ R s ϕ (z, zz) and proceed by induction on k.For the base case k = 0, we immediately have that ρ = ρ f by the first conjunct and thus there exists a trivial empty update sequence with the desired properties.For the inductive step k > 0, we have As (by assumption) (ρ, ρ ) ∈ R s ϕ (z, zz) and therefore (ρ, ρ ) ∈ R k+1 ϕ(z, zz) , there exists a configuration ρ such that (ρ , ρ ) ∈ R k ϕ (zz, zzz) while also (ρ, ρ ) ∈ U s ϕ (z, zz) .By application of Lemma 3, we immediately have that (ρ, ρ ) ∈ U s ϕ (z, zz) implies the existence of a ϕ-preserving update u from ρ to ρ .Furthermore, (ρ , ρ ) ∈ R k ϕ (zz, zzz) implies, by application of the inductive hypothesis, that there exists a correct simple update sequence w = u 0 u 1 • • • u n with respect to ρ and ϕ such that ρ = ρ u 0 and ρ w = ρ f .In conclusion, there must necessarily exists an update sequence w * = uw that is simple and correct with respect to ρ and ϕ such that ρ = ρ u and ρ w * = ρ f .For the right to left implication, we assume the existence of a correct simple update sequence w = u 0 u 1 • • • u n with respect to ρ and ϕ such that ρ = ρ u 0 and ρ w = ρ f .We proceed by induction on the length of w.For the base case |w| = 0, it is the case that ρ = ρ f and trivially (ρ, ρ ) ∈ R s ϕ (z, zz) by the first conjunct.For the inductive step |w| > 0, notice first by Lemma 3 that (ρ, ρ ) ∈ U s ϕ (z, zz) by the property that w is correct with respect to ϕ.Now let w = u 1 u 2 • • • u n be the suffix of w starting from u 1 .As w is a correct simple update sequence w.r.t.ρ and ϕ such that ρ = ρ u 0 and ρ w = ρ f , w must be a correct simple update sequence with respect to ρ u 0 and ϕ such that ρ u 0 u 1 = ρ u 0 u 1 and ρ u w 0 = ρ f .We can now apply the inductive hypothesis as |w | < |w| to conclude that (ρ u 0 , ρ All correct, simple update sequences of length N may now be characterized by the following Boolean expression, where z i are (distinct) Boolean variables encoding the routing configuration after i updates: Theorem 1.We have (ρ 0 , ρ 1 , . . ., ρ N ) ∈ S s ϕ (z 0 , . . ., z N ) iff there exists a simple correct update sequence w = u 0 u 1 • • • u N−1 with respect to ϕ and ρ 0 such that ρ k+1 = ρ u k k for all k with 0 ≤ k < N, ρ 0 = ρ i and ρ N = ρ f .Proof.We recall Equation ( 4).For the left to right direction, suppose (ρ 0 , ρ 1 , . . ., ρ N ) ∈ S s ϕ (z 0 , . . ., z N ) .The first two conjuncts directly ensure that ρ 0 = ρ i and ρ n = ρ f .By repeated application of Lemma 4, the last conjunct ensures for all k with 0 ≤ k < N the existence of a simple update u k such that ρ k+1 = ρ u k k with ϕ preserved by both ρ k+1 and ρ k .Hence the update sequence w = u 0 u 1 . . .u N−1 is a simple correct update sequence with respect to ϕ with the desired properties.
For the synthesis in the general case, we simply replace U s ϕ in (3) with U ϕ to get a ROBDD R ϕ characterizing (general) update sequences leading to ρ f .We can now replace R s ϕ with R ϕ in (4) to get a characterization of all correct (general) update sequences of length N.
Example 5. Consider again the network topology from Fig. 6a and the routing policies W = Waypoint(v 2 , v 3 ) and R = Reach(v 3 ).The full sets of correct simple update-steps with respect to W , R and W ∧ R are given by the ROBDDs R s W , R s R and R s W ∧R given in Fig. 9(a-c).Instantiating Equation ( 4) with these ROBDDs reveals that there are 3, 3 respectively 1 correct simple update sequences of length 3 with respect to the routing policies W , R respectively W ∧ R.
The unique simple update sequence for W ∧ R (ignoring the initial and final routing configurations) is given by the ROBDD in Fig. 9(d).Here the values suggested for the first three Boolean variables z 1 0 , z 1 1 , z 1 2 indicate that the routing configuration after the first update is given by the edges Similarly, the values of the last three Boolean ) as the configuration after the second update.Note, that in case there is no correct (simple) update sequence the resulting ROBDD becomes empty (just consisting of the node false).

Synthesis with additional optimization criteria
During update synthesis, we may be interested in accounting for performance aspects in the update synthesis, which is of practical importance but has not been studied yet in the literature.To this end, we extend our model to weighted topologies representing quantities such as latency and hop-count [7,20,49].In the following, we ignore loops as they can be detected and do not need to be considered for optimization.

Definition 9 (Weighted topology and path weight).
A weighted network topology is a tuple G = (V , E, src, tgt, η) where (V , E, src, tgt) is a network topology and η : E → N is the edge weight function.The weight extends in a natural way to paths, by η(e 1 e 2 . . .e n ) = n i=1 η(e i ) where e 1 e 2 . . .e n ∈ E * .
Definition 10 (Optimal update synthesis problem).For an update synthesis problem P = (G, ρ i , ρ f , v 0 , ϕ) and path valuation function f over some edge weight function η, the optimal synthesis problem is to find a solution w opt ∈ Sol(P ) such that Example 6.Consider a network update synthesis problem (G, ρ i , ρ f , v 0 , Reach(v 2 )) where ρ i (solid arrows) and ρ f (dashed arrows) are depicted in Fig. 10 and edges are annotated by weights.Any of the two possible simple update sequences is a solution.For the sequence that first updates v 0 to use the expensive edge of weight 4 to v 1 , there is an intermediate configuration of weight 7.However, the optimal solution is the update sequence that first updates v 1 followed by v 0 and creates a transient configuration of weight only 2.
We shall now extend our symbolic encoding of routing configurations, policies and (simple) update sequences to the weighted setting.In particular, we shall show how our encoding allows us to synthesize weight-optimal simple update sequences.Let G = (V , E, src, tgt, η) be a weighted topology, and let C ∈ N be the maximum weight of any acyclic path in G. Using k = log(C ) Boolean variables c = c 0 , . . ., c k−1 we may encode in binary any weight between 0 and C .As in before we shall encode routing configurations ρ by using Boolean variables z v for each node v to encode the edge ρ(v).For simplicity we shall assume that ρ(v) is defined for any node v in the remainder of this section.Using Boolean variables x and y to encode source and target nodes and Boolean variables c to encode the weight of edges, the following Boolean expression T c encodes the possible weighted transitions: As in Section 2.3, we shall assume that the routing policy ϕ considered enforces at least reachability, i.e. ϕ = ϕ ∧ Reach(d) for some node d.Now let R d = R d (x, z, c) be the minimal fixed point defined by Here we use the existence of simple ROBDD sum and leq encoding addition and comparison (as ternary and binary predicates) of natural numbers such that (n 1 , n 2 , n 3 ) encodes a single correctness preserving update between configurations whose accumulated weight is bounded by c.Thus, all correct, weight-bounded simple update sequences of length N may be characterized by the following Boolean expression S c ϕ , where z i are (distinct) Boolean variables encoding the routing configuration after i updates: Finally, the update sequences of length N solving the optimal synthesis problem are easily characterized by the following single expression O : Example 7. Recall the weighted topology from Fig. 6a.To encode the routing configurations, two Boolean variables z 0 and z 1 suffice (with the initial routing being encoded by z 0 ∧ z 1 ).Given that the maximum weight of a path is 7, three Boolean variables c 0 , c 1 , c 2 suffice to encode weight of any acyclic path.In this example, we consider the property ϕ = Reach(v 2 ).indicates the update from the initial routing to the "expensive" routing, again with the path indicating the weight 7. Finally, O ϕ (z 0 , . . ., z N ) encodes the optimal (correct) update sequence, which first updates the routing for v 1 and only then the routing for v 0 .

Implementation and evaluation
Our tool AllSynth for solving the update synthesis problem is implemented in Python and relies on a Cython wrapper [2] of the CUDD [46] package for manipulation of ROBDD.The overall tool architecture is given in Fig. 5. From a given network topology with the initial and final routing, the tool produces either a simple or general update sequence satisfying a given policy, as well as the information about the number of possible solutions.As all such correct solutions are symbolically represented in a compact way as an ROBDD, it is possible to generate alternative solutions without any additional computational effort.
We evaluate AllSynth, both with and without cost-optimization, against two state-of-the-art update synthesis tools, Net-Synth [40] and FLIP [48].NetSynth can compute only a simple update sequence or inform the user that there is no solution; the synthesis of general update sequences is not supported.FLIP can synthesise sequences of steps (groups of switches or routers) in which order the network can be updated, however, if such a sequence does not exist, the tool may introduce additional forwarding rules and use tagging of packets.As NetSynth and FLIP do not support general update sequences, the running times are only compared for simple update sequences.
All experiments are executed on Ubuntu 14.04 cluster with 2.3 GHz AMD Opteron 6376 processors with 2 hour timeout and 14 GB memory limit.To ensure the correctness of our implementation, we checked that for all instances, we agree with both NetSynth and FLIP on the existence/nonexistence of simple update sequences and we verified that the update sequences returned by NetSynth and FLIP are included in the ROBDD computed by AllSynth.A reproducibility package with the Python implementation and all benchmarks with scripts allowing to rerun the experiments is available in [33].
We consider a scalable synthetic topology and the standard benchmark of 261 real-world network topologies from the Topology Zoo dataset [30].The class of synthetic topologies, referred to as diamond topologies, are taken from the NetSynth evaluation benchmark [40] and are formed by disjoint initial and final routing paths that only share the initial and final node.The size of the problem is defined to be the sum of the lengths of the two paths-we include instances of sizes up to 2000.The Topology Zoo instances are five times sequentially concatenated in order to obtain larger topologies where the size of the update problems ranges from 20 to 679.We display the 50 most difficult instances of the problem.
We consider three classes of update policies: Reach(d), MultiWaypoint(W , d) and Service(ω, d).For MultiWaypoint(W , d), we let every 5th node on both the initial and final path be included in W .For Service(ω, d), the sequence ω is generated by including every 5th node that is traversed by both the initial and final path.Because the diamond update problem consists of two disjoint paths, the service chaining policy is not considered here.The policy language of NetSynth is identical to our LTL-based specifications and hence we are able to directly express all these properties in this language.On the other hand, the policy input to FLIP enumerates all admissible subpaths that are considered, in logical disjunction.The encoding of the service chaining policy then entails an exhaustive enumeration of all paths that satisfy the service chaining policy and we therefore do not include FLIP in our service chaining experiments.
Results.The experiments are summarized in a number of so-called cactus plots [8] in Fig. 12, where for each method all instances of the problem are independently sorted from the fastest to the slowest one and plotted on the x-axis, and the y-axis (note the logarithmic scale) shows the increasing running time.If some curve does not reach to the right end of the plot, this means that the corresponding tool is not able to solve the remaining instances within the given timeout and memory limit.While cactus plots do not provide instance-to-instance runtime comparison, they provide an overall performance evaluation of the different tools.
For the experiments on the collection of real networks from the Topology Zoo presented in Figs.12a to 12c, we notice that none of the tools has difficulty solving the synthesis of the plain reachability policy and it takes less than 10 seconds for all instances-here our approach without the cost optimization (BDD) has a slight margin, whereas the cost optimal algorithm (BDD-opt) is the slowest one (though solving a more general problem than the other ones).For waypointing, while FLIP is performing well on small instances, it shows a noticeable decrease in performance once it reaches the most difficult problems: its running time quickly deteriorates and it is as the only tool not able to solve some of the largest instances.We maintain about one order of magnitude advantage over NetSynth (NS), which is the case also for service chaining.The overhead for computing the cost optimal solutions is less significant for the more complex policies.
Results for diamond topologies are given in Figs.12d and 12e.We observe that for reachability our computation of all solutions is about one order of magnitude faster than FLIP (and even the cost optimal algorithm is faster than FLIP) and several orders of magnitude faster than NetSynth (both tools terminate as soon as they find the first correct update sequence).For waypointing, we still significantly outperform NetSynth and both BDD and BDD-opt are almost comparable with FLIP which shows better performance at the largest instances.
In conclusion, our experiments demonstrate that AllSynth, based on the symbolic BDD technology, not only significantly outperforms state-of-the-art tools on all non-trivial real-world networks, but also provides higher generality.Indeed, AllSynth computes all solutions, compared to only one solution returned by NetSynth or a more general sequence of update steps generated by FLIP.This aspect is important for the practical usage by network operators as it allows them to iteratively choose the most suitable update sequence.The additional optimization for computing cost optimal update sequences yields an acceptable overhead compared, especially for the more complex routing policies like waypointing and service chaining.

Conclusion
We presented an efficient approach for synthesizing correct update sequences for software-defined networks.In contrast to existing tools, our approach is fully symbolic and relies on BDD technology.As a result, we are able to represent all solutions to the update synthesis problem in a succinct binary tree, preserving generic routing policies (e.g., service chaining) that can be described in LTL.Our prototype implementation of AllSynth outperforms the state-of-the-art tools NetSynth and FLIP in many scenarios (e.g., on the real-world Internet topologies), while at the same time extending the generality.
Our experiments focused on the generation of simple update sequences (at most one update per flow per switch), similar to the methodology used in NetSynth and FLIP.AllSynth however also supports a novel generalization where a switch can be updated several times.This is particularly useful for the instances of the update synthesis problem that do not have any simple solution.In this case, NetSynth does not provide any alternative (and in fact does not terminate even on relatively small negative instances); FLIP may degrade to a two-phase commit strategy that is less preferable as it requires the duplication of forwarding rules as well as additional packet header space.AllSynth instead tries to suggest a general update sequence that does not require packet tagging.Moreover, our tool allows us to further select cost-optimal solutions with respect to any given cost function, representing for example the worst-case latency in any transient configuration.

Declaration of competing interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Fig. 1 .
Fig. 1.Update synthesis problem aiming to preserve reachability between s and d via the waypoint v 1 .

Fig. 3 .
Fig. 3. Update synthesis problem with only a general solution.

Fig. 6 .
Fig. 6.Running example and encoding of the transition function.
ends in d with a total weight η(π ρ (v)) not exceeding c.The Boolean expression R * d (z, c) given by ∃x.x(v 0 ) ∧ R d (x, z, c) describes all pairs (ρ, c), where the weight of the path π ρ (v 0 ) does not exceed c.Now to ensure that the encoded routing configuration in addition satisfies the routing policy ϕ , we use the Boolean expression B * ,c ϕ (z, c) = B ϕ (z) ∧ R * d (z, c).Now, the expression

Now Fig. 11
(a) is B * ,c ϕ (z, c) encoding all pairs (ρ, c), where ρ is a correct routing wrt.ϕ with total reachability weight no more than c.The highlighted path is the encoding of the routing where the node v 0 uses the expensive edge (weight 4) to v 1 and v 1 is still using the initial routing.It can be seen that the total weight indicated by the path is 7. Now, Fig.11(b) is U s,cϕ (z, zz, c), encoding all updates that are correct wrt.ϕ as well as their weight.Here the highlighted path

Table 1
Key notation of network model.
w Routing after applying update sequence w ρ i , ρ f Initial and final routing configurations ϕ Policy specified in LTL logic P Update synthesis problem Sol(P ) Set of solutions to problem P

Table 2
Key notation of BDD encoding.
NoLoop = 0, where 0 stands for false, and terminating when B n+1 NoLoop = B n exist because the applications of the right-hand sides can only monotonically increase the respective Boolean functions represented by the ROBDDs.
These fixed points, e.g.B NoLoop , are obtained after a finite number of applications of the corresponding right-hand sides on increasing approximations B n NoLoop , starting with B 0 NoLoop , and similarly for B ϕ 1 U ϕ 2 .Such an n must 2 Recall that z consists of variables z v1 , . . ., z v k and z d v1 , . . ., z d v k .necessarily Lemma 2. We have (v, ρ) ∈ B ϕ (x, z) if and only if π ρ (v) |= ϕ.