DyNetKAT: An Algebra of Dynamic Networks
Georgiana Caltais, Hossein Hojjat, Mohammad Mousavi, Hunkar Can Tunc
Georgiana Caltais, University of Konstanz, Germany
Hossein Hojjat, Tehran Institute for Advanced Studies, Iran
Mohammad Reza Mousavi, University of Leicester, UK
Hünkar Can Tunç, University of Konstanz, Germany
Abstract
We introduce a formal language for specifying dynamic updates for Software Defined Networks. Our language builds upon Network Kleene Algebra with Tests (NetKAT) and adds constructs for synchronisations and multi-packet behaviour to capture the interaction between the control- and data-plane in dynamic updates. We provide a sound and ground-complete axiomatization of our language. We exploit the equational theory to provide an efficient reasoning method about safety properties for dynamic networks. We implement our equational theory in DyNetiKAT – a tool prototype, based on the Maude Rewriting Logic and the NetKAT tool, and apply it to a case study. We show that we can analyse the case study for networks with hundreds of switches using our initial tool prototype.
Theory of computation → Semantics and reasoning
Keywords and phrases
Software Defined Networks, Dynamic Updates, Dynamic Network Reconfiguration, NetKAT, Process Algebra, Equational Reasoning
Digital Object Identifier
Funding
Georgiana Caltais : supported by the DFG project “CRENKAT”, proj. no. 398056821
Mohammad Reza Mousavi: supported by the UKRI Trustworthy Autonomous Systems Node in Verifiability, Grant Award Reference EP/V026801/1.
Hünkar Can Tunç : supported by the DFG project “CRENKAT”, proj. no. 398056821
Software defined networking (SDN) has gained immense popularity due to simplicity in network management and offering network programmability. Many programming languages have been designed for programming SDNs [25, 15]. They range from industrial-scale, hardware-oriented and low-level programming languages such as OpenFlow [18] to domain-specific, high-level and programmer-centric languages such as Frenetic [10]. In recent years, there has been a growing interest in analysable languages based on mathematical foundations which provide a solid reasoning framework to prove correctness properties in SDNs (e.g., safety).

There is a spectrum of mathematically inspired network programming languages that varies between those with a small number of language constructs and those with expressive language design which allow them to support more networking features. On the more expressive side of the spectrum, Flowlog [20] is an example of a language that uses a powerful formalism (first-order Horn clause logic) to program a Software Defined Network (SDN). In order to keep the language decidable, Flowlog disallows recursion in the clauses. For the purpose of formal analysis of a Flowlog program, the authors of [20] provide a translator to the Alloy tool. As another example of an expressive language, Kinetic [14] is a language based on finite state machines that is mostly geared towards the dynamic features of SDNs. Model checking is used to formally analyse the Kinetic programs. NetKAT [2, 9] is an example of a minimalist language based on Kleene algebra with tests that has a sound and complete equational theory.

© Georgiana Caltais, Hossein Hojjat, Mohammad Reza Mousavi, Hünkar Can Tunç; licensed under Creative Commons License CC-BY 4.0. ICALP 2021. Leibniz International Proceedings in Informatics, Schloss Dagstuhl – Leibniz-Zentrum für Informatik, Dagstuhl Publishing, Germany.
While the core of the language is very simple, with a small number of operators, the language has been extended in various ways to support different aspects of networking such as congestion control [8], history-based routing [5] and higher-order functions [26].

Our starting point is NetKAT, because it provides a clean and analysable framework for specifying SDNs. The minimalist design of NetKAT does not cater for some common (failure) patterns in SDNs, particularly those arising from dynamic reconfiguration and the interaction between the data- and control-plane flows. In [16], the authors have proposed an extension to NetKAT to support stateful network updates. The extension embraces the notion of mutable state in the language, which is in contrast to its pure functional nature. The purpose of this paper is to propose an extension to NetKAT to support dynamic and stateful behaviours. To this end, we pledge to keep the minimalist design of NetKAT, adding only a small number of new operators. Furthermore, our extension does not contradict the nature of the language.

A number of concurrent extensions of NetKAT have been introduced to date [22, 27, 13]. These extensions followed different design decisions than the present paper and a comparison of their approaches with ours is provided in Section 2; however, the most important difference lies in the fact that, inspired by earlier abstractions in this domain [21], we were committed to create different layers for data-plane flows and dynamic updates such that every data-plane packet observes a single set of flow tables through its flight through the network. This allowed us, unlike the earlier approaches, to build a layer on top of NetKAT without modifying its semantics.

Throughout the paper, we focus on modelling with DyNetKAT two examples that involve dynamically updating the network configuration.
In the first example, stateful firewall, the data-plane initiates the update by allowing a disallowed path in the network as a result of requests received from the trusted intranet. In the second, distributed controller, the control-plane initiates the update by modifying the forwarding route of a packet in a multi-controller setting.

▶ Example 1. A firewall is supposed to protect the intranet of an organization from unauthorised access from the Internet. However, due to certain requests from the intranet, it should be able to open up connections from the Internet to the intranet. An example is when a user within the intranet requests a secure connection to a node on the Internet; in that case, the response from the node should be allowed to enter the intranet. The behaviour of updating the flow tables with respect to some events in the network, such as receiving a specific packet, is a challenging phenomenon for languages such as NetKAT. Figure 1 shows a simplified version of the stateful firewall network. In this version, the Switch does not allow any packet from the port ext to int at the beginning. When the Host sends a request to the Switch, it opens up the connection.

▶ Example 2.
Another running example concerns a well-known challenge in SDNs, namely, race conditions resulting from dynamic updates of flow-tables and in-flight packets [17, 24]. Below we specify a typical scenario for such race conditions; similar scenarios concerning actual bugs are abundant in the literature [24, 11, 12].
Caltais, H. Hojjat, M. Mousavi, H. C. Tunç 23:3

Figure 1: Stateful Firewall (a Host connected to a Switch with ports int and ext)

Consider the network topology depicted in Figure 2. The controller C S S S 5) and the controller C H 1, which enter the network through switch S S S S 2, to reach H 2. Due to an event, the controllers have to take down the previous route, and to install a new route in the network that routes packets from H S S S S H 4. It is an important security property that the traffic in these two routes should not mix. In particular, it will be a serious breach if packets from H H H H S

Figure 2: Race Condition in a Distributed Controller
The contributions of this paper are summarized as follows:
- we define the syntax and operational semantics of a dynamic extension of NetKAT that allows for modelling and reasoning about control-plane updates and their interaction with data-plane flows;
- we give a sound and ground-complete axiomatization of our language; and
- we devise analysis methods for reasoning about flow properties using our axiomatization, apply them on examples from the domain and gather and analyze evidence of applicability and efficiency for our approach.
In Section 2, we provide a brief overview of NetKAT, review our design decisions and introduce the syntax and operational semantics of DyNetKAT. In Section 3, we investigate some semantic properties of DyNetKAT by defining a notion of behavioural equivalence and providing a sound and ground-complete axiomatization. We exploit this axiomatization in Section 4 in an analysis method. We implement and apply our analysis method in Section 5 on a case study and report about its scalability on large examples with hundreds of switches. We conclude the paper and present some avenues for future work in Section 6.
In what follows, we provide a brief overview of the NetKAT syntax and semantics [2]. Then, we motivate our language design decisions, we introduce the syntax of DyNetKAT and its underlying semantics, and provide the corresponding encoding of our running examples presented in Section 1.1.

We proceed by first introducing some basic notions that are used throughout the paper.

▶ Definition 1 (Network Packets). Let F = {f , . . . , f_n} be a set of field names f_i with i ∈ { , . . . n}. We call network packet a function in F → N that maps field names in F to values in N. We use σ, σ′ to range over network packets. We write, for instance, σ(f_i) = v_i to denote a test checking whether the value of f_i in σ is v_i. Furthermore, we write σ[f_i := n_i] to denote the assignment of f_i to v_i in σ.

A (possibly empty) list of packets is formally defined as a function from natural numbers to packets, where the natural number in the domain denotes the position of the packet in the list such that the domain of the function forms an interval starting from . The empty list is denoted by ⟨⟩ and is formally defined as the empty function (the function with the empty set as its domain). Let σ be a packet and l be a list, then σ :: l is the list l′ in which σ is at position  in l′, i.e., l′(0) = σ, and l′(i + 1) = l(i), for all i in the domain of l.

In Figure 3, we recall the NetKAT syntax and semantics [2].
NetKAT Syntax:
Pr ::=  |  | Pr + Pr | Pr · Pr | ¬Pr
N ::= Pr | f ← n | N + N | N · N | N* | dup

NetKAT Semantics:
⟦ ⟧(h) ≜ {h}
⟦ ⟧(h) ≜ {}
⟦f = n⟧(σ :: h) ≜ {σ :: h} if σ(f) = n, and {} otherwise
⟦¬a⟧(h) ≜ {h} \ ⟦a⟧(h)
⟦f ← n⟧(σ :: h) ≜ {σ[f := n] :: h}
⟦p + q⟧(h) ≜ ⟦p⟧(h) ∪ ⟦q⟧(h)
⟦p · q⟧(h) ≜ (⟦p⟧ • ⟦q⟧)(h)
⟦p*⟧(h) ≜ ⋃_{i ∈ ℕ} F_i(h), where F (h) ≜ {h} and F_{i+1}(h) ≜ (⟦p⟧ • F_i)(h)
(f • g)(x) ≜ ⋃ {g(y) | y ∈ f(x)}
⟦dup⟧(σ :: h) ≜ {σ :: (σ :: h)}

Figure 3: NetKAT: Syntax and Semantics [2]
The predicate for dropping a packet is denoted by , while passing on a packet (without any modification) is denoted by . The predicate checking whether the field f of a packet has value n is denoted by (f = n); if the predicate fails on the current packet it results in dropping the packet, otherwise it will pass the packet on. Disjunction and conjunction between predicates are denoted by Pr + Pr and Pr · Pr, respectively. Negation is denoted by ¬Pr. Predicates are the basic building blocks of NetKAT policies and hence, a predicate is a policy by definition. The policy that modifies the field f of the current packet to take value n is denoted by (f ← n). A multicast behaviour of policies is denoted by N + N, while sequencing policies (to be applied on the same packet) are denoted by N · N. The repeated application of a policy is encoded as N*. The construct dup simply makes a copy of the current network packet.

In [2], lists of packets are referred to as histories. Let H stand for the set of packet histories, and P(H) denote the powerset of H. More formally, the denotational semantics of NetKAT policies is inductively defined via the semantic map ⟦−⟧ : N → (H → P(H)) in Figure 3, where N stands for the set of NetKAT policies, h ∈ H is a packet history, a ∈ Pr denotes a NetKAT predicate and σ ∈ F → N is a network packet.

For a reminder, the equational axioms of NetKAT, denoted by E_NK, are provided in Figure 4. E_NK includes the Kleene Algebra axioms (KA-...), Boolean Algebra axioms (BA-...) and Packet Algebra axioms (PA-...). The novelty is the set of PA-axioms. In short, PA-MOD-MOD-COMM states that the order in which two different packet fields are assigned does not matter. PA-MOD-FILTER-COMM encodes a similar property, for the case of a field assignment followed by a test of a different field's value. PA-MOD-FILTER ignores the test of a field preceded by an assignment of the same value to the field. Orthogonally, PA-FILTER-MOD ignores a field assignment preceded by a test against the assigned value. PA-MOD-MOD states that a sequence of assignments to the same field only takes into consideration the last assignment. PA-CONTRA encodes the fact that a field cannot have two different values at the same point. PA-MATCH-ALL identifies the policy accepting all the packets with the sum of all possible tests of a field's value. Intuitively, PA-DUP-FILTER-COMM states that adding the current packet to the history is independent of tests.

Kleene Algebra axioms:
p + (q + r) ≡ (p + q) + r  (KA-PLUS-ASSOC)
p + q ≡ q + p  (KA-PLUS-COMM)
p + 0 ≡ p  (KA-PLUS-ZERO)
p + p ≡ p  (KA-PLUS-IDEM)
p · (q · r) ≡ (p · q) · r  (KA-SEQ-ASSOC)
 · p ≡ p  (KA-ONE-SEQ)
p ·  ≡ p  (KA-SEQ-ONE)
p · (q + r) ≡ p · q + p · r  (KA-SEQ-DIST-L)
(p + q) · r ≡ p · r + q · r  (KA-SEQ-DIST-R)
 · p ≡   (KA-ZERO-SEQ)
p ·  ≡   (KA-ZERO-SEQ)
p · p* ≡ p*  (KA-UNROLL-L)
p* · p ≡ p*  (KA-UNROLL-R)
q + p · r ≤ r ⇒ p* · q ≤ r  (KA-LFP-L)
p + q · r ≤ q ⇒ p · r* ≤ q  (KA-LFP-R)

Boolean Algebra axioms:
a + (b · c) ≡ (a + b) · (a + c)  (BA-PLUS-DIST)
a + 1 ≡   (BA-PLUS-ONE)
a + ¬a ≡   (BA-EXCL-MID)
a · b ≡ b · a  (BA-SEQ-COMM)
a · ¬a ≡   (BA-CONTRA)
a · a ≡ a  (BA-SEQ-IDEM)

Packet Algebra axioms:
f ← n · f′ ← n′ ≡ f′ ← n′ · f ← n, if f ≠ f′  (PA-MOD-MOD-COMM)
f ← n · f′ = n′ ≡ f′ = n′ · f ← n, if f ≠ f′  (PA-MOD-FILTER-COMM)
dup · f = n ≡ f = n · dup  (PA-DUP-FILTER-COMM)
f ← n · f = n ≡ f ← n  (PA-MOD-FILTER)
f = n · f ← n ≡ f = n  (PA-FILTER-MOD)
f ← n · f ← n′ ≡ f ← n′  (PA-MOD-MOD)
f = n · f = n′ ≡ , if n ≠ n′  (PA-CONTRA)
Σ_i f = i ≡   (PA-MATCH-ALL)

Figure 4: E_NK: NetKAT Equational Axioms [2]

Our main motivation behind DyNetKAT was to have a minimalistic language that can model control-plane and data-plane network traffic and their interaction. Our choice for a minimal language is motivated by our desire to use our language as a basis for scalable analysis. We would like to be able to compile major practical languages into ours. Our minimal design helps us reuse much of the well-known scalable analysis techniques. Regarding its modelling capabilities, we are interested in modelling the stateful and dynamic behaviour of networks emerging from these interactions. We would like to be able to model control messages, connections between controllers and switches, data packets, links among switches, and model and analyse their interaction in a seamless manner.

Based on these motivations, we started off with NetKAT as a fundamental and minimal network programming language, which allows us to model the basic policies governing the network traffic. The choice of NetKAT, in addition to its minimalist nature, is motivated by its rigorous semantics and equational theory, and the existing techniques and tools for its analysis. This motivated our next design constraint, namely, to build upon NetKAT in a hierarchical manner and without redefining its semantics. This constraint should not be taken lightly, as the challenges in the recent concurrent extensions of NetKAT demonstrated [22, 27, 13].
We will elaborate on this point in the presentation of our syntax and semantics. We could achieve this thanks to the abstractions introduced in the domain [21] that allowed for a neat layering of data-plane and control-plane flows such that every data-plane flow sees one set of flow-tables in its flight through the network.

We then introduced a few extensions and modifications to cater for the phenomena we desired to model in our extension regarding control-plane and dynamic and stateful behaviour:
- Synchronization: we introduced a basic mechanism of handshake synchronization with the possibility of communicating a network program (a flow table). This construct allows for capturing the dynamicity and interaction between the control and data planes.
- Guarded recursion: we introduced the concept of recursion to model the (persistent) dynamic changes that result from control messages and stateful behaviour; in other words, recursion is used to model the new state of the flow tables. An alternative modelling construct could have been using “global” variables and guards, but we preferred recursion due to its neat algebraic representation. We restricted the use of recursion to guarded recursion, that is, a policy should be applied before changing state to a new recursive definition, in order to remain within a decidable and analysable realm. A natural extension of our framework could introduce formal parameters and parameterised recursive variables; this future extension is orthogonal to our existing extensions and in this paper, we go for a minimal extension in which the parameters are coded in variable names.
- Multi-packet semantics: we introduce the semantics of treating a list of packets, which is essential for studying the interaction between control- and data-plane packets. This is in contrast with NetKAT, where a single-packet semantics is introduced. The introduction of multi-packet semantics also called for a new operator to denote the end of applying a flow-table to the current packet and proceeding with the next packet (possibly with the modified flow-table in place). This is our new sequential composition operator, denoted by “;”.
As already mentioned, NetKAT provides the possibility of recording the individual “hops” that packets take as they go through the network by using the so-called dup construct. The latter keeps track of the state of the packet at each intermediate hop. As a brief reminder of the approach in [2]: assume a NetKAT switch policy p and a topology t, together with an ingress in and an egress out. Checking whether out is reachable from in reduces to checking: in · dup · (p · t · dup)* · out ≢  (see Definition 2 and Theorem 4 in [2]). Furthermore, as shown in [9], dup plays a crucial role in devising the NetKAT language semantics in a coalgebraic fashion, via Brzozowski-like derivatives on top of NetKAT coalgebras (or NetKAT automata) corresponding to NetKAT expressions.

We decided to depart from NetKAT in this respect, due to our important constraint not to redefine the NetKAT semantics: the dup expression allows for observable intermediate steps that result from incomplete application of flow-tables, and in concurrency scenarios the same data packet may become subject to more than one flow table due to the concurrent interactions with the control plane. For this semantics to be compositional, one needs to define a small-step operational semantics in such a way that the small steps in predicate evaluation also become visible (see our past work on compositionality of SOS with data on such constraints [19]). This would first break our constraint of building upon NetKAT semantics and secondly, due to the huge number of possible interleavings, make the resulting state space intractable for analysis.

In addition to the argumentation above, note that similarly to the approach in [2], we work with packet fields ranging over finite domains. Consequently, our analyses can be formulated in terms of reachability properties, further verifiable by means of dup-free expressions of shape: in · (p · t)* · out ≢ . Hence, we chose to define DyNetKAT synchronization, guarded recursion and multi-packet semantics on top of the dup-free fragment of NetKAT, denoted by NetKAT−dup.

The syntax of DyNetKAT is defined on top of the dup-free fragment of NetKAT as:

N ::= NetKAT−dup
D ::= ⊥ | N ; D | x ? N ; D | x ! N ; D | D || D | D ⊕ D | X
X ≜ D    (1)

We sometimes write p ∈ NetKAT, p ∈ NetKAT−dup or, respectively, p ∈ DyNetKAT in order to refer to a NetKAT, NetKAT−dup or, respectively, DyNetKAT policy p.

The DyNetKAT-specific constructs are as follows. By ⊥ we denote a dummy policy without behaviour. Our new sequential composition operator, denoted by N ; D, specifies when the NetKAT−dup policy N applicable to the current packet has come to a successful end and, thus, the packet can be transmitted further and the next packet can be fetched for processing according to the rest of the policy D.

Communication in DyNetKAT, encoded via x ! N ; D and x ? N ; D, consists of two steps. In the first place, sending and receiving NetKAT−dup policies through channel x are denoted by x ! N and x ? N. Intuitively, these correspond to updating the current network configuration according to N. Secondly, as soon as the sent or received messages are successfully communicated, a new packet is fetched and processed according to D. The parallel composition of two DyNetKAT policies (to enable synchronization) is denoted by D || D.

As it will become clearer in Section 2.4 (semantics), communication in DyNetKAT guarantees preservation of well-defined behaviours when transitioning between network configurations. This corresponds to the so-called per-packet consistency in [21], and it guarantees that every packet traversing the network is processed according to exactly one NetKAT−dup policy.

Non-deterministic choice of DyNetKAT policies is denoted by D ⊕ D. For a non-deterministic choice over a finite domain P, we use the syntactic sugar ⊕_{p ∈ P} P′, where p appears as “bound variable” in P′; this is interpreted as a sum of finitely many summands obtained by replacing the variable p with all its possible values in P.

Finally, one can use recursive variables X in the specification of DyNetKAT policies, where each recursive variable should have a unique defining equation X ≜ D. For the simplicity of notation, we do not explicitly specify the trailing “; ⊥” in our policy specifications, whenever clear from the context.

In Figure 5 we provide the DyNetKAT formalization of the firewall in Example 1. In the DyNetKAT encoding, we use the message channel secConReq to open up the connection and secConEnd to close it. We model the behaviour of the switch using the two programs Switch and
Switch′.

Host ≜ secConReq ! ; Host ⊕ secConEnd ! ; Host
Switch ≜ ((port = int) · (port ← ext)) ; Switch ⊕ ((port = ext) · ) ; Switch ⊕ secConReq ? ; Switch′
Switch′ ≜ ((port = int) · (port ← ext)) ; Switch′ ⊕ ((port = ext) · (port ← int)) ; Switch′ ⊕ secConEnd ? ; Switch
Init ≜ Host || Switch

Figure 5: Stateful Firewall in DyNetKAT
In Figure 6 we provide the DyNetKAT formalization of the distributed controllers in Example 2. In the code in Figure 6 the controllers work independently to update the network (which can lead to a security breach). The specification SwitchX ft is a generic specification for the behaviour of all switches in this example; the domain of P in this example is the set of all 5 policies that are being communicated, such as , ((port = 11) · (port ← port = 5) · (port ←

The operational semantics of DyNetKAT in Figure 8 is provided over configurations of shape (d, H, H′), where d stands for the current DyNetKAT policy, H is the list of packets to be processed by the network according to d and H′ is the list of packets handled successfully by the network. The rule labels γ range over pairs of packets (σ, σ′) or communication/reconfiguration-like actions of shape x ! q, x ? q or rcfg(x, q), depending on the context.

Note that the DyNetKAT semantics is devised in a “layered” fashion. Rule (cpol✓_;) in Figure 8 is the base rule that makes the transition between the NetKAT denotations and DyNetKAT operations. More precisely, whenever σ′ is a packet resulting from the successful evaluation of a NetKAT policy p on σ, a (σ, σ′)-labelled step is observed at the level of DyNetKAT. This transition applies whenever the current configuration encapsulates a DyNetKAT policy of shape p ; q and a list of packets to be processed starting with σ. The resulting configuration continues with evaluating q on the next packet in the list, while σ′ is marked as successfully handled by the network.

L ≜ (((port = 3) · (port ← port = 4) · (port ← port = 7) · (port ← port = 9) · (port ← port = 10) · (port ← port = 13) · (port ← port = 14) · (port ←
S ≜ (port = 2) · (port ←
S ≜ (port = 12) · (port ←
S ≜
S ≜
S ≜ (port = 6) · (port ←
S ≜ (port = 8) · (port ←
SDN X,...,X ≜ ((X + . . . + X) · L)* ; SDN X,...,X ⊕ ⊕_{X′_i ∈ FT} upSi ? X′_i ; SDN X,...,X′_i,...,X
ft3 ≜ (port = 1) · (port ←
ft4 ≜ (port = 11) · (port ←
ft5 ≜ (port = 5) · (port ←
ft6 ≜ (port = 8) · (port ←
FT = { , ft3, ft4, ft5, ft6}
SDN ≜ SDN S,...,S || C || C
C ≜ upS || upS ft3 || upS ft5
C ≜ upS || upS ft4 || upS ft6

Figure 6: Distributed Controller in DyNetKAT: Independent Controllers

C ≜ upS ; syn ! ; upS
port = 1) · (port ← upS port = 5) · (port ←
C ≜ upS ; syn ? ; upS
port = 11) · (port ← upS port = 8) · (port ←

Figure 7: Distributed Controller in DyNetKAT: Synchronizing Controllers
The remaining rules in Figure 8 define non-deterministic choice, synchronization and recursion in the standard fashion.

Rules (cpol _⊕) and (cpol ⊕_) define non-deterministic behaviours. Assume H is the list of packets to be processed by the network according to p (respectively, q) and H′ is the list of packets handled successfully by the network. Whenever p (respectively, q) determines a γ-labelled transition into (p′, H, H′) (respectively, (q′, H, H′)), the policy p ⊕ q is able to mimic the same behaviour. Rules (cpol _||) and (cpol ||_) follow a similar pattern; the only difference is that the “inactive” operand is preserved by the target of the semantic rule.

Mere sending (cpol !) and receiving (cpol ?) entail transitions labelled accordingly, and continue with the DyNetKAT policy following the ; operator. Note that the list of packets to be processed by the network and the list of packets handled successfully by the network remain unchanged.

DyNetKAT synchronization is defined by (cpol !?) and (cpol ?!). Intuitively, when both operands q and, respectively, s “agree” on sending/receiving a policy p on channel x in the context of the same packet lists H and H′, and behave like q′, respectively, s′ afterwards, then a rcfg(x, p) step can be observed. The system proceeds with the continuation behaviour q′ || s′.

As denoted by (cpol X), a recursive variable defined as X ≜ p behaves according to p.

In Figure 9 we depict a labelled transition system (LTS) encoding a possible behaviour of the stateful firewall in Example 1. We assume the list of network packets to be processed consists of a “safe” packet σ_i travelling from int to ext (i.e., σ_i(port) = int) followed by a potentially “dangerous” packet σ_e travelling from ext to int (i.e., σ_e(port) = ext). For the simplicity of notation, in Figure 9 we write H for Host, S for Switch, S′ for Switch′, SCR for secConReq and SCE for secConEnd. Note that σ_e can enter the network only if a secure connection request was received. More precisely, the transition labelled (σ_e, σ_i) is preceded by a transition labelled SCR ?1 or rcfg(SCR, ): n -[SCR ?1, rcfg(SCR, )]-> n -[(σ_e, σ_i)]-> n.

In Figure 10 we depict an excerpt of the LTS corresponding to the distributed independent controllers in Example 2, given a network packet denoted by σ. In Figure 10 we write σ_i to denote a network packet such that σ_i(port) = i. For instance, transitions of shape n -[(σ, σ_i)]-> n_i encode forwarding of the current packet from port 2 to port i based on the subsequent unfoldings of the Kleene-star expression in the definition of SDN X,...,X. The transition n -[(σ, σ)]-> n reveals a breach in the network corresponding to the possibility of forwarding the current packet from H to H. This is possible due to two consecutive reconfigurations of the flow tables of switches S and S, respectively, enabling traffic from port 8 to 9, and from port 11 to 13.

In this section we define bisimilarity of DyNetKAT policies, introduce some necessary definitions and terminology, and provide a corresponding sound and complete axiomatization.
DyNetKAT Bisimilarity
Bisimilarity of DyNetKAT terms is defined in the standard fashion:

▶ Definition 2 (Bisimilarity (∼)). A symmetric relation R over DyNetKAT policies is a bisimulation whenever for (p, q) ∈ R the following holds: if (p, H, H) -[γ]-> (p′, H′, H′) then there exists q′ s.t. (q, H, H) -[γ]-> (q′, H′, H′) and (p′, q′) ∈ R, with γ ::= (σ, σ′) | x ? r | x ! r | rcfg(x, r).

(cpol✓_;): if σ′ ∈ ⟦p⟧(σ :: ⟨⟩) then (p ; q, σ :: H, H′) -[(σ, σ′)]-> (q, H, σ′ :: H′)
(cpol X): if (p, H, H) -[γ]-> (p′, H′, H′) then (X, H, H) -[γ]-> (p′, H′, H′), where X ≜ p
(cpol _⊕): if (p, H, H′) -[γ]-> (p′, H, H′) then (p ⊕ q, H, H′) -[γ]-> (p′, H, H′)
(cpol ⊕_): if (q, H, H′) -[γ]-> (q′, H, H′) then (p ⊕ q, H, H′) -[γ]-> (q′, H, H′)
(cpol _||): if (p, H, H′) -[γ]-> (p′, H, H′) then (p || q, H, H′) -[γ]-> (p′ || q, H, H′)
(cpol ||_): if (q, H, H′) -[γ]-> (q′, H, H′) then (p || q, H, H′) -[γ]-> (p || q′, H, H′)
(cpol ?): (x ? p ; q, H, H′) -[x ? p]-> (q, H, H′)
(cpol !): (x ! p ; q, H, H′) -[x ! p]-> (q, H, H′)
(cpol !?): if (q, H, H′) -[x ! p]-> (q′, H, H′) and (s, H, H′) -[x ? p]-> (s′, H, H′) then (q || s, H, H′) -[rcfg(x, p)]-> (q′ || s′, H, H′)
(cpol ?!): if (q, H, H′) -[x ? p]-> (q′, H, H′) and (s, H, H′) -[x ! p]-> (s′, H, H′) then (q || s, H, H′) -[rcfg(x, p)]-> (q′ || s′, H, H′)
γ ::= (σ, σ′) | x ! q | x ? q | rcfg(x, q)

Figure 8
DyNetKAT: Operational Semantics
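As an added, runnable illustration (not the paper's DyNetiKAT tool), the following Python implements the single-packet, dup-free NetKAT denotation of Figure 3 and the DyNetKAT transition rules of Figure 8 (plus the label filtering of the restriction operator δ_L introduced in the next section), and explores the stateful firewall of Figure 5 on the packet list σ_i :: σ_e discussed with Figure 9. It assumes that the NetKAT constants lost in the extraction of Figure 5 are the usual pass (1) and drop (0), and that field values are strings.

```python
# Added example, not the paper's DyNetiKAT tool: an interpreter for the DyNetKAT
# rules of Figure 8 over the dup-free NetKAT denotation of Figure 3, run on the
# firewall of Figure 5. Assumptions: the constants lost in extraction are NetKAT's
# pass (1) and drop (0); packets are frozensets of (field, value) pairs.
ONE, ZERO = ("one",), ("zero",)

def netkat(p, pkt):
    """Single-packet denotation of a dup-free NetKAT policy: set of output packets."""
    kind = p[0]
    if kind == "one":
        return {pkt}
    if kind == "zero":
        return set()
    if kind == "test":                        # f = n
        return {pkt} if dict(pkt).get(p[1]) == p[2] else set()
    if kind == "neg":                         # ¬a
        return {pkt} - netkat(p[1], pkt)
    if kind == "mod":                         # f ← n
        return {frozenset({**dict(pkt), p[1]: p[2]}.items())}
    if kind == "plus":
        return netkat(p[1], pkt) | netkat(p[2], pkt)
    if kind == "seq":
        return {out for mid in netkat(p[1], pkt) for out in netkat(p[2], mid)}
    if kind == "star":                        # union of the F_i; finite fields, so it stops
        seen, frontier = {pkt}, {pkt}
        while frontier:
            frontier = {o for m in frontier for o in netkat(p[1], m)} - seen
            seen |= frontier
        return seen
    raise ValueError(kind)

def steps(d, H, Hd, defs):
    """All transitions (label, (d', H, H')) of the configuration (d, H, H') per Figure 8."""
    kind, res = d[0], set()
    if kind == "pol" and H:                   # (cpol✓_;): apply N ; D to the head packet
        for out in netkat(d[1], H[0]):
            res.add((("pkt", H[0], out), (d[2], H[1:], (out,) + Hd)))
    elif kind in ("send", "recv"):            # (cpol!), (cpol?): packet lists unchanged
        res.add(((kind, d[1], d[2]), (d[3], H, Hd)))
    elif kind == "choice":                    # (cpol_⊕), (cpol⊕_)
        res = steps(d[1], H, Hd, defs) | steps(d[2], H, Hd, defs)
    elif kind == "par":                       # (cpol_||), (cpol||_), (cpol!?), (cpol?!)
        left, right = steps(d[1], H, Hd, defs), steps(d[2], H, Hd, defs)
        for lab, (p2, H2, Hd2) in left:
            res.add((lab, (("par", p2, d[2]), H2, Hd2)))
        for lab, (q2, H2, Hd2) in right:
            res.add((lab, (("par", d[1], q2), H2, Hd2)))
        for lab1, (p2, _, _) in left:         # handshake on the same channel and policy
            for lab2, (q2, _, _) in right:
                if {lab1[0], lab2[0]} == {"send", "recv"} and lab1[1:] == lab2[1:]:
                    res.add((("rcfg", lab1[1], lab1[2]), (("par", p2, q2), H, Hd)))
    elif kind == "var":                       # (cpol X): unfold the defining equation
        res = steps(defs[d[1]], H, Hd, defs)
    return res

def explore(start, defs, forbidden=frozenset()):
    """Reachable edges from start; forbidden acts as L in δ_L(−) and cuts those labels.
    Each edge carries a flag: did a secConReq reception or rcfg happen earlier on the path?"""
    seen, work, edges = set(), [(start, False)], []
    while work:
        (d, H, Hd), opened = work.pop()
        for lab, conf in steps(d, H, Hd, defs):
            if lab in forbidden:
                continue
            edges.append((lab, opened))
            now = opened or (lab[0] in ("recv", "rcfg") and lab[1] == "secConReq")
            if (conf, now) not in seen:
                seen.add((conf, now))
                work.append((conf, now))
    return edges

def unsafe_forwardings(edges):
    """ext→int packet steps taken before any secure-connection request: the breach."""
    return [lab for lab, opened in edges if lab[0] == "pkt" and not opened
            and dict(lab[1])["port"] == "ext" and dict(lab[2])["port"] == "int"]

# Figure 5, with ("pol", N, D) standing for N ; D and the assumed constants filled in.
INT_TO_EXT = ("seq", ("test", "port", "int"), ("mod", "port", "ext"))
EXT_TO_INT = ("seq", ("test", "port", "ext"), ("mod", "port", "int"))
FIREWALL = {
    "Host": ("choice", ("send", "secConReq", ONE, ("var", "Host")),
             ("send", "secConEnd", ONE, ("var", "Host"))),
    "Switch": ("choice", ("choice", ("pol", INT_TO_EXT, ("var", "Switch")),
                          ("pol", ("seq", ("test", "port", "ext"), ZERO), ("var", "Switch"))),
               ("recv", "secConReq", ONE, ("var", "Switch'"))),
    "Switch'": ("choice", ("choice", ("pol", INT_TO_EXT, ("var", "Switch'")),
                           ("pol", EXT_TO_INT, ("var", "Switch'"))),
                ("recv", "secConEnd", ONE, ("var", "Switch"))),
    "Init": ("par", ("var", "Host"), ("var", "Switch")),
}
SIGMA_I = frozenset({("port", "int")})        # "safe" packet int -> ext
SIGMA_E = frozenset({("port", "ext")})        # potentially "dangerous" packet ext -> int
INIT_CONF = (("var", "Init"), (SIGMA_I, SIGMA_E), ())
# L for δ_L: forbidding bare sends/receives leaves only the rcfg handshakes.
RESTRICTED = frozenset((k, x, ONE) for k in ("send", "recv")
                       for x in ("secConReq", "secConEnd"))
```

Exploring the LTS from INIT_CONF confirms the property stated for Figure 9: an ext-to-int forwarding step only occurs on paths on which secConReq was received or reconfigured, and under the restriction only the rcfg handshakes remain.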
We call bisimilarity the largest bisimulation relation. Two policies p and q are bisimilar (p ∼ q) if and only if there is a bisimulation relation R such that (p, q) ∈ R. Semantic equivalence of NetKAT−dup policies is preserved by DyNetKAT bisimilarity.

▶ Proposition 3 (Semantic Layering). Let p and q be two NetKAT−dup policies. The following holds: ⟦p⟧ = ⟦q⟧ iff (p ; d) ∼ (q ; d) for any DyNetKAT policy d.

Proof. The result follows directly according to the definition of bisimilarity and (cpol✓_;) in Figure 8. ◀

Next, we introduce the restriction operator δ_L(−) [1, 3], with L a set of forbidden actions ranging over x ? z and x ! z as in (1). The semantics of δ_L(−) is:

(δ): if (p, H, H) -[γ]-> (p′, H′, H′) and γ ∉ L then (δ_L(p), H, H) -[γ]-> (δ_L(p′), H′, H′)    (2)

Figure 9: Stateful Firewall LTS (states are configurations of shape (H || S, ..., ...) and (H || S′, ..., ...) starting from (H || S, σ_i :: σ_e :: ⟨⟩, ⟨⟩); edges are labelled SCR !, SCE !, rcfg(SCR, ), rcfg(SCE, ), (σ_i, σ_e) and (σ_e, σ_i))
In practice, we use the restriction operator to force synchronous communication. For an example, consider the synchronising controllers in Figure 7. Let L be the set of restricted actions ranging over elements of shape upS_i ? X, upS_i ! X, syn ?1 and syn !1. The restricted system δ_L(SDN S,...,S || C || C) ensures that: (1) traffic through S S rcfg(upS2, ) and rcfg(upS1, ) and (2) the controllers acknowledge this deactivation via a synchronization step rcfg(syn, ) before installing further flow tables for S S

π_n(−) that, intuitively, captures the first n steps of a DyNetKAT policy. Its formal semantics is:

(π): if (p, H, H) -[γ]-> (p′, H′, H′) then (π_{n+1}(p), H, H) -[γ]-> (π_n(p′), H′, H′)    (3)

As we shall later see, π_n(−) is crucial for defining the so-called “Approximation Induction Principle” that enables reasoning about equivalence of recursive DyNetKAT specifications.

We further provide some additional ingredients needed to introduce the DyNetKAT axiomatization in Figure 11. First, note that our notion of bisimilarity identifies synchronization steps as in (cpol !?) and (cpol ?!). At the axiomatization level, this requires introducing corresponding constants rcfg_{x,z} defined as:

(rcfg x,z): (rcfg_{x,z} ; p, H, H) -[rcfg(x, z)]-> (p, H, H)    (4)

Last, but not least, we introduce the left-merge operator (⌊⌊) and the communication-merge operator (|) utilised for axiomatizing parallel composition. Intuitively, a process of shape p ⌊⌊ q behaves like p as a first step, and then continues as the parallel composition between the remaining behaviour of p and q. A process of shape p | q forces the synchronous communication between p and q in a first step, and then continues as the parallel composition between the remaining behaviours of p and q. The corresponding semantic rules are:

(⌊⌊): if (p, H, H) -[γ]-> (p′, H′, H′) then (p ⌊⌊ q, H, H) -[γ]-> (p′ || q, H′, H′), with γ ::= (σ, σ′) | x ! p | x ? p | rcfg(x, p)
(| ?!): if (p, H, H′) -[x ? r]-> (p′, H, H′) and (q, H, H′) -[x ! r]-> (q′, H, H′) then (p | q, H, H′) -[rcfg(x, p)]-> (p′ || q′, H, H′)
(| !?): if (p, H, H′) -[x ! r]-> (p′, H, H′) and (q, H, H′) -[x ? r]-> (q′, H, H′) then (p | q, H, H′) -[rcfg(x, p)]-> (p′ || q′, H, H′)    (5)

From this point onward, we denote by DyNetKAT the extension with the operators in (2), (3) and (4):

N ::= NetKAT−dup
D_e ::= ⊥ | N ; D | x ? N ; D_e | x ! N ; D_e | rcfg_{x,N} ; D_e | D_e || D_e | D_e ⊕ D_e | δ_L(D_e) | π_n(D_e) | D_e ⌊⌊ D_e | D_e | D_e | X
X ≜ D_e, n ∈ ℕ, L = {c | c ::= x ? N | x ! N}    (6)

Bisimilarity is defined for DyNetKAT terms as in (6) in the natural fashion, according to the operational semantics of the new operators in (2), (3) and (4).

Figure 10: Independent Controllers LTS (excerpt) (states are configurations starting from (SDN, σ :: ⟨⟩, ⟨⟩); edges are labelled rcfg(upS6, ft ), rcfg(upS4, ft ) and packet pairs (σ, σ_j), (σ, σ_i))

▶ Lemma 3.
DyNetKAT bisimilarity is a congruence . Proof.
The result follows from the fact that the semantic rules defined in this paper comply with the congruence formats proposed in [19]. ◀

▶ Definition 4 (Complete Tests & Assignments [2]). Let $F = \{f_1, \ldots, f_n\}$ be a set of field names with values in $V_i$, for $i \in \{1, \ldots, n\}$. We call complete test (typically denoted by $\alpha$) an expression $f_1 = v_1 \cdot \ldots \cdot f_n = v_n$, with $v_i \in V_i$, for $i \in \{1, \ldots, n\}$. We call complete assignment (typically denoted by $\pi$) an expression $f_1 \leftarrow v_1 \cdot \ldots \cdot f_n \leftarrow v_n$, with $v_i \in V_i$, for $i \in \{1, \ldots, n\}$. We sometimes write $\alpha_\pi$ in order to denote the complete test derived from the complete assignment $\pi$ by replacing all $f_i \leftarrow v_i$ in $\pi$ with $f_i = v_i$; symmetrically for $\pi_\alpha$. Additionally, we sometimes write $\sigma_\alpha$ to denote the network packet whose fields are assigned the corresponding values in $\alpha$; symmetrically for $\sigma_\pi$.

Figure 11: The axiom system $\mathcal{E}_{\mathit{DNK}}$ (including $\mathcal{E}_{\mathit{NK}}$).

For $p, q, r \in$ DyNetKAT and $z, y \in$ NetKAT$_{-dup}$, with $a ::= z \mid x?z \mid x!z \mid \mathit{rcfg}_{x,z}$:
$$0\,;p \equiv \bot \quad (\mathrm{A0})$$
$$(z + y)\,;p \equiv z\,;p \oplus y\,;p \quad (\mathrm{A1})$$
$$p \oplus q \equiv q \oplus p \quad (\mathrm{A2})$$
$$(p \oplus q) \oplus r \equiv p \oplus (q \oplus r) \quad (\mathrm{A3})$$
$$p \oplus p \equiv p \quad (\mathrm{A4})$$
$$p \oplus \bot \equiv p \quad (\mathrm{A5})$$
$$p \,||\, q \equiv q \,||\, p \quad (\mathrm{A6})$$
$$p \,||\, \bot \equiv p \quad (\mathrm{A7})$$
$$p \,||\, q \equiv p \mathbin{\lfloor\!\lfloor} q \oplus q \mathbin{\lfloor\!\lfloor} p \oplus p \,|\, q \quad (\mathrm{A8})$$
$$\bot \mathbin{\lfloor\!\lfloor} p \equiv \bot \quad (\mathrm{A9})$$
$$(a\,;p) \mathbin{\lfloor\!\lfloor} q \equiv a\,;(p \,||\, q) \quad (\mathrm{A10})$$
$$(p \oplus q) \mathbin{\lfloor\!\lfloor} r \equiv (p \mathbin{\lfloor\!\lfloor} r) \oplus (q \mathbin{\lfloor\!\lfloor} r) \quad (\mathrm{A11})$$
$$(x?z\,;p) \,|\, (x!z\,;q) \equiv \mathit{rcfg}_{x,z}\,;(p \,||\, q) \quad (\mathrm{A12})$$
$$(p \oplus q) \,|\, r \equiv (p \,|\, r) \oplus (q \,|\, r) \quad (\mathrm{A13})$$
$$p \,|\, q \equiv q \,|\, p \quad (\mathrm{A14})$$
$$p \,|\, q \equiv \bot \ \ [\text{owise}] \quad (\mathrm{A15})$$

For $at ::= \alpha\cdot\pi \mid x?z \mid x!z \mid \mathit{rcfg}_{x,z}$:
$$\delta_L(\bot) \equiv \bot \quad (\delta_\bot)$$
$$\delta_L(at\,;p) \equiv at\,;\delta_L(p) \ \text{ if } at \notin L \quad (\delta_;)$$
$$\delta_L(at\,;p) \equiv \bot \ \text{ if } at \in L \quad (\delta_{\bot;})$$
$$\delta_L(p \oplus q) \equiv \delta_L(p) \oplus \delta_L(q) \quad (\delta_\oplus)$$

For $n \in \mathbb{N}$:
$$\pi_0(p) \equiv \bot \quad (\Pi_0)$$
$$\pi_n(\bot) \equiv \bot \quad (\Pi_\bot)$$
$$\pi_{n+1}(at\,;p) \equiv at\,;\pi_n(p) \quad (\Pi_;)$$
$$\pi_n(p \oplus q) \equiv \pi_n(p) \oplus \pi_n(q) \quad (\Pi_\oplus)$$
$$p \equiv q \ \text{ if } \forall n \in \mathbb{N}: \pi_n(p) \equiv \pi_n(q) \quad (\mathrm{AIP})$$

together with the NetKAT axioms $\mathcal{E}_{\mathit{NK}}$.

In Figure 11, we introduce $\mathcal{E}_{\mathit{DNK}}$, the axiom system of DyNetKAT, including the NetKAT axiomatization $\mathcal{E}_{\mathit{NK}}$. Most of the axioms in Figure 11 comply with the standard axioms of parallel and communicating processes [3], where, intuitively, $\oplus$ plays the role of non-deterministic choice, $;$ resembles sequential composition and $\bot$ is a process that deadlocks. For instance, axioms (A2)–(A5) encode the ACI properties of $\oplus$ together with the fact that $\bot$ is the neutral element. Axioms (A6)–(A15) define parallel composition ($||$) in terms of left-merge ($\lfloor\!\lfloor$) and communication-merge ($|$) in the standard fashion. Additionally, (A12) "pin-points" a communication step via the newly introduced constants of form $\mathit{rcfg}_{x,z}$. An interesting axiom is (A7): $p \,||\, \bot \equiv p$, which, intuitively, states that if one network component fails, then the whole system continues with the behaviour of the remaining components. This is a departure from the approach in [13], where recovery is not possible in case of a component's failure; i.e., $e \,||\, 0 \equiv 0$. (A0) states that if the current packet is dropped as a result of the unsuccessful evaluation of a NetKAT policy, then the continuation is deadlocked. (A1) enables mapping the non-deterministic choice at the level of NetKAT to the setting of DyNetKAT.

The axioms encoding the restriction operator $\delta_L(-)$ and the projection operator $\pi_n(-)$ are defined in the standard fashion, on top of DyNetKAT normal forms later defined in this section. Intuitively, normal forms are defined inductively, as sums of complete tests and complete assignments $\alpha\cdot\pi$, or communication steps $x?q$, $x!q$ and $\mathit{rcfg}_{x,q}$, followed by arbitrary DyNetKAT policies.

Last, but not least, (AIP) corresponds to the so-called "Approximation Induction Principle", and it provides a mechanism for reasoning on the equivalence of recursive behaviours, up to a certain limit denoted by $n$.

In what follows, we show that the axiom system $\mathcal{E}_{\mathit{DNK}}$ is sound and ground-complete with respect to DyNetKAT bisimilarity. We proceed by first defining a notion of normal forms of DyNetKAT terms, together with a notion of guardedness and a statement about the branching finiteness of guarded DyNetKAT processes.

▶ Lemma 5 (NetKAT$_{-dup}$ Normal Forms). We call a NetKAT$_{-dup}$ policy $q$ in normal form (n.f.) whenever $q$ is of shape $\Sigma_{\alpha\cdot\pi \in A}\, \alpha\cdot\pi$ with $A = \{\alpha_i\cdot\pi_i \mid i \in I\}$. For every NetKAT$_{-dup}$ policy $p$ there exists a NetKAT$_{-dup}$ policy $q$ in n.f. such that $\mathcal{E}_{\mathit{NK}} \vdash p \equiv q$.

Proof. The result follows by Lemma 4 in [2], stating that:
$$\llbracket p \rrbracket = \bigcup_{x \in G(p)} \llbracket x \rrbracket \qquad (7)$$
where $G(p)$ defines the language model of NetKAT terms. Let $\mathcal{A}$ be the set of all complete tests, and $\Pi$ be the set of all complete assignments. Similarly to [2], we consider network packets with values in finite domains. Consequently, $\mathcal{A}$ and $\Pi$ are finite. In [2], $G(p)$ is defined as a set with elements in $\mathcal{A} \cdot (\Pi \cdot \mathit{dup})^* \cdot \Pi$. Recall that, in our setting, we work with the $\mathit{dup}$-free fragment of NetKAT. Hence, $G(p)$ is a finite set of shape $G = \{\alpha_i\cdot\pi_i \mid i \in I, \alpha_i \in \mathcal{A}, \pi_i \in \Pi\}$. Based on the definition of $\llbracket - \rrbracket$ and (7) it follows that:
$$\llbracket p \rrbracket = \llbracket \Sigma_{\alpha\cdot\pi \in G}\, \alpha\cdot\pi \rrbracket \qquad (8)$$
Therefore, by the completeness of NetKAT, it holds that $\mathcal{E}_{\mathit{NK}} \vdash p \equiv \Sigma_{\alpha\cdot\pi \in G}\, \alpha\cdot\pi$. In other words, $p$ can be reduced to a term in n.f. ◀

▶ Definition 6 (DyNetKAT Normal Forms). We call a DyNetKAT policy in normal form (n.f.) if it is of shape
$$\Sigma^\oplus_{i \in I}\, (\alpha_i\cdot\pi_i)\,;d_i \ \oplus\ \Sigma^\oplus_{j \in J}\, c_j\,;d_j \quad (\oplus\ \bot)$$
where $d_i, d_j$ range over DyNetKAT policies and $c_j ::= x?q \mid x!q \mid \mathit{rcfg}_{x,q}$ with $q$ denoting terms in NetKAT$_{-dup}$.

▶ Definition 7 (Guardedness). A DyNetKAT policy $p$ is guarded if and only if all occurrences of all variables $X$ in $p$ are guarded. An occurrence of a variable $X$ in a policy $p$ is guarded if and only if (i) $p$ has a subterm of shape $p'\,;t$ such that either $p'$ is variable-free, or all the occurrences of variables $Y$ in $p'$ are guarded, and $X$ occurs in $t$, or (ii) $p$ is of shape $y?X\,;t$, $y!X\,;t$ or $\mathit{rcfg}_{X,t}$.

▶ Lemma 8 (Branching Finiteness). All guarded DyNetKAT policies are finitely branching.

▶ Lemma 9 (DyNetKAT Normalization). $\mathcal{E}_{\mathit{DNK}}$ is normalising for DyNetKAT. In other words, for every guarded DyNetKAT policy $p$ there exists a DyNetKAT policy $q$ in n.f. such that $\mathcal{E}_{\mathit{DNK}} \vdash p \equiv q$.

Proof. The proof follows from Lemma 5 and (A1): $(z + y)\,;p \equiv z\,;p \oplus y\,;p$ in a standard fashion, by structural induction.

Base cases.
- $p \triangleq \bot$ trivially holds.
- $p \triangleq q\,;d$ with $q$ a NetKAT$_{-dup}$ term holds by Lemma 5 and (A1).
- $p \triangleq c\,;d$ with $c ::= x?q \mid x!q \mid \mathit{rcfg}_{x,q}$ trivially holds.

Induction step.
- $p \triangleq p_1 \oplus p_2$
- $p \triangleq X$: case discarded, as $p$ is not guarded
- $p \triangleq p_1 \mathbin{\lfloor\!\lfloor} p_2$
- $p \triangleq \pi_n(p')$
- $p \triangleq p_1 \,|\, p_2$
- $p \triangleq \delta_L(p')$
- $p \triangleq p_1 \,||\, p_2$

All items above follow by the axiom system $\mathcal{E}_{\mathit{DNK}}$ and the induction hypothesis, under the assumption that $p_1$, $p_2$ and $p'$ are guarded. ◀

For simplicity, in what follows, we assume that DyNetKAT policies are guarded.

▶ Lemma 10 (Soundness of $\mathcal{E}_{\mathit{DyNetKAT} \setminus \mathit{AIP}}$). Let $\mathcal{E}_{\mathit{DyNetKAT} \setminus \mathit{AIP}}$ stand for the axiom system $\mathcal{E}_{\mathit{DNK}}$ in Figure 11, without the axiom (AIP). $\mathcal{E}_{\mathit{DyNetKAT} \setminus \mathit{AIP}}$ is sound for DyNetKAT bisimilarity.
Proof.
The proof reduces to showing that for all DyNetKAT policies $p, q$ the following holds: if $\mathcal{E}_{\mathit{DyNetKAT} \setminus \mathit{AIP}} \vdash p \equiv q$ then $p \sim q$. This is proven in a standard fashion, by case analysis on transitions of shape
$$(p, H, H') \xrightarrow{\gamma} (q, H, H')$$
with $\gamma ::= (\sigma, \sigma') \mid x?n \mid x!n \mid \mathit{rcfg}(x,n)$, according to the semantic rules in Figure 8, (2), (3), (4) and (5).

For an example, consider (A1) and (A12) in Figure 11; the soundness proofs for these two axioms are given in the following. The soundness proofs for the rest of the axioms are provided in Appendix A.

Axiom under consideration:
$$(z + y)\,;p \equiv z\,;p \oplus y\,;p \quad (\mathrm{A1}) \qquad (9)$$
for $z, y \in$ NetKAT$_{-dup}$ and $p \in$ DyNetKAT. Let $\sigma_z \triangleq \llbracket z \rrbracket(\sigma :: \langle\rangle)$, $\sigma_y \triangleq \llbracket y \rrbracket(\sigma :: \langle\rangle)$ and $\sigma_{zy} \triangleq \llbracket z + y \rrbracket(\sigma :: \langle\rangle)$. According to the semantic rules of DyNetKAT, the derivations of the term $(z + y)\,;p$ are as follows:

(a) For all $\sigma' \in \sigma_{zy}$, by $(\mathit{cpol}\checkmark\_;)$:
$$((z + y)\,;p, \sigma :: H, H') \xrightarrow{(\sigma, \sigma')} (p, H, \sigma' :: H')$$

Accordingly, the derivations of the term $z\,;p \oplus y\,;p$ are as follows:

(b) For all $\sigma' \in \sigma_z$, by $(\mathit{cpol}\checkmark\_;)$: $(z\,;p, \sigma :: H, H') \xrightarrow{(\sigma, \sigma')} (p, H, \sigma' :: H')$, and hence, by $(\mathit{cpol}\_\oplus)$:
$$(z\,;p \oplus y\,;p, \sigma :: H, H') \xrightarrow{(\sigma, \sigma')} (p, H, \sigma' :: H')$$

(c) For all $\sigma' \in \sigma_y$, by $(\mathit{cpol}\checkmark\_;)$: $(y\,;p, \sigma :: H, H') \xrightarrow{(\sigma, \sigma')} (p, H, \sigma' :: H')$, and hence, by $(\mathit{cpol}\oplus\_)$:
$$(z\,;p \oplus y\,;p, \sigma :: H, H') \xrightarrow{(\sigma, \sigma')} (p, H, \sigma' :: H')$$

As demonstrated in (a), (b) and (c), both of the terms $(z + y)\,;p$ and $z\,;p \oplus y\,;p$ initially only afford a transition of shape $(\sigma, \sigma')$, and they converge into the same expression after taking that transition:
$$((z + y)\,;p, \sigma :: H, H') \xrightarrow{(\sigma, \sigma')} (p, H, \sigma' :: H') \qquad (10)$$
$$(z\,;p \oplus y\,;p, \sigma :: H, H') \xrightarrow{(\sigma, \sigma')} (p, H, \sigma' :: H') \qquad (11)$$
In the case of the term $(z + y)\,;p$, the possible values for $\sigma'$ range over $\sigma_{zy}$, whereas for the term $z\,;p \oplus y\,;p$ the possible values for $\sigma'$ range over $\sigma_z \cup \sigma_y$. However, observe that $\sigma_{zy}$ is equal to $\sigma_z \cup \sigma_y$:
$$\sigma_{zy} = \llbracket z + y \rrbracket(\sigma :: \langle\rangle) \quad (\text{Definition of } \sigma_{zy}) \qquad (12)$$
$$= \llbracket z \rrbracket(\sigma :: \langle\rangle) \cup \llbracket y \rrbracket(\sigma :: \langle\rangle) \quad (\text{Definition of } +) \qquad (13)$$
$$= \sigma_z \cup \sigma_y \quad (\text{Definition of } \sigma_z \text{ and } \sigma_y) \qquad (14)$$
Hence, it is straightforward to conclude that the following holds:
$$((z + y)\,;p) \sim (z\,;p \oplus y\,;p) \qquad (15)$$

Axiom under consideration:
$$(x?z\,;p) \,|\, (x!z\,;q) \equiv \mathit{rcfg}_{x,z}\,;(p \,||\, q) \quad (\mathrm{A12}) \qquad (16)$$
for $p, q \in$ DyNetKAT. The derivations of the term $(x?z\,;p) \,|\, (x!z\,;q)$ are as follows:

(a) By $(\mathit{cpol}\,?)$: $(x?z\,;p, H, H') \xrightarrow{x?z} (p, H, H')$ and by $(\mathit{cpol}\,!)$: $(x!z\,;q, H, H') \xrightarrow{x!z} (q, H, H')$; hence, by $(|\,?!)$:
$$((x?z\,;p) \,|\, (x!z\,;q), H, H') \xrightarrow{\mathit{rcfg}(x,z)} (p \,||\, q, H, H')$$

The derivations of the term $\mathit{rcfg}_{x,z}\,;(p \,||\, q)$ are as follows:

(b) By $(\mathit{rcfg}_{x,z})$:
$$(\mathit{rcfg}_{x,z}\,;(p \,||\, q), H, H') \xrightarrow{\mathit{rcfg}(x,z)} (p \,||\, q, H, H')$$

As demonstrated in (a) and (b), both of the terms $(x?z\,;p) \,|\, (x!z\,;q)$ and $\mathit{rcfg}_{x,z}\,;(p \,||\, q)$ initially only afford the transition $\mathit{rcfg}(x,z)$, and they converge into the same expression after taking that transition:
$$((x?z\,;p) \,|\, (x!z\,;q), H, H') \xrightarrow{\mathit{rcfg}(x,z)} (p \,||\, q, H, H') \qquad (17)$$
$$(\mathit{rcfg}_{x,z}\,;(p \,||\, q), H, H') \xrightarrow{\mathit{rcfg}(x,z)} (p \,||\, q, H, H') \qquad (18)$$
Hence, it is straightforward to conclude that the following holds:
$$((x?z\,;p) \,|\, (x!z\,;q)) \sim (\mathit{rcfg}_{x,z}\,;(p \,||\, q)). \qquad (19)$$
◀

▶ Lemma 11 (Soundness of AIP). The Approximation Induction Principle (AIP) is sound for DyNetKAT bisimilarity.
Proof.
The proof is close to the one of Theorem 2. Consider $p, p'$ such that
$$\forall n \in \mathbb{N}: \pi_n(p) \equiv \pi_n(p') \qquad (20)$$
By Lemma 10 it follows that
$$\forall n \in \mathbb{N}: \pi_n(p) \sim \pi_n(p') \qquad (21)$$
We want to prove that $p \sim p'$. The idea is to build a bisimulation relation $R$ such that $(p, p') \in R$. We define $R$ as follows:
$$R = \{(t, t') \mid \forall n \in \mathbb{N}: \pi_n(t) \sim \pi_n(t')\} \qquad (22)$$
Without loss of generality, assume that $p$ and $p'$ are in n.f. Assume $(p, p') \in R$ and
$$(p, H, H') \xrightarrow{\gamma} (p_1, H, H') \qquad (23)$$
Next, for all $n > 0$, define
$$S_n = \{p_1' \mid (p', H, H') \xrightarrow{\gamma} (p_1', H, H') \text{ and } \pi_n(p_1) \sim \pi_n(p_1')\} \qquad (24)$$
The following hold:
- $S_1 \supseteq S_2 \supseteq \ldots$, as if $\pi_{n+1}(p_1) \sim \pi_{n+1}(p_1')$ then $\pi_n(p_1) \sim \pi_n(p_1')$. The latter is a straightforward result derived according to the definition of $\sim$ and the semantics of $\pi_n(-)$, under the assumption that $p, p'$ are in n.f.
- $S_n \neq \emptyset$ for all $n \geq 1$, as $\pi_{n+1}(p) \sim \pi_{n+1}(p')$ by (21) and $(p, H, H') \xrightarrow{\gamma} (p_1, H, H')$ according to (23).
- $S_n$ is finite, for all $n \in \mathbb{N}$, as $p'$ is finitely branching according to Lemma 8.

Hence, the sequence $S_1, S_2, \ldots$ remains constant from some $n$ onward and $\bigcap_{n \geq 1} S_n \neq \emptyset$. Let $p_1' \in \bigcap_{n \geq 1} S_n$. It holds that:
- $(p', H, H') \xrightarrow{\gamma} (p_1', H, H')$
- $(p_1, p_1') \in R$ by the definition of $R$ and $S_n$

Symmetrically to (23), assume $(p, p') \in R$ and $(p', H, H') \xrightarrow{\gamma} (p_1', H, H')$. By following a similar reasoning, we can show that:
- $(p, H, H') \xrightarrow{\gamma} (p_1, H, H')$
- $(p_1, p_1') \in R$ by the definition of $R$ and $S_n$

Hence, $R$ is a bisimulation relation and $p \sim p'$. ◀

▶ Theorem 4 (Soundness & Completeness). $\mathcal{E}_{\mathit{DNK}}$ is sound and ground-complete for DyNetKAT bisimilarity.
Proof.
Soundness: if $\mathcal{E}_{\mathit{DNK}} \vdash p \equiv q$ then $p \sim q$, follows from Lemma 10 and Lemma 11.

Completeness: if $p \sim q$ then $\mathcal{E}_{\mathit{DNK}} \vdash p \equiv q$, is shown as follows. Without loss of generality, assume $p$ and $q$ are in n.f., according to Lemma 9. We want to show that:
$$p \equiv q \oplus p \qquad q \equiv p \oplus q \qquad (25)$$
which, by ACI of $\oplus$, implies $p \equiv q$. This reduces to showing that every summand of $p$ is a summand of $q$ and vice-versa. We first argue that every summand of $p$ is a summand of $q$. The reasoning is by structural induction.

Base case. $p \triangleq \bot$. It holds by the hypothesis $p \sim q$ that $q \triangleq \bot$.

Induction step. $p \triangleq ((\alpha\cdot\pi)\,;p') \oplus p''$. Then, $(p, \sigma_\alpha :: H, H') \xrightarrow{(\sigma_\alpha, \sigma_\pi)} (p', H, \sigma_\pi :: H')$ implies by the hypothesis $p \sim q$ that $(q, \sigma_\alpha :: H, H') \xrightarrow{(\sigma_\alpha, \sigma_\pi)} (q', H, \sigma_\pi :: H')$ and $p' \sim q'$. Recall that $q$ is in n.f.; hence, by the shape of the semantic rules in Figure 8 it holds that $q \triangleq ((\alpha\cdot\pi)\,;q') \oplus q''$. By the induction hypothesis, it holds that $p' \equiv q'$; hence, $(\alpha\cdot\pi)\,;p'$ is a summand of $q$ as well. Cases $p \triangleq (c\,;p') \oplus p''$ with $c ::= x?n \mid x!n \mid \mathit{rcfg}_{x,n}$ follow in a similar fashion.

Hence, $p \equiv q \oplus p$ holds. The symmetric case $q \equiv p \oplus q$ follows the same reasoning. ◀

In this section we provide a language for specifying safety properties of DyNetKAT networks, together with a procedure for reasoning about safety in an equational fashion. Intuitively, safety properties enable specifying undesired network behaviours.

▶ Definition 12 (Safety Properties - Syntax). Let $\mathcal{A}$ be an alphabet over letters of shape $\alpha\cdot\pi$ and $\mathit{rcfg}(x,p)$, with $\alpha$ and $\pi$ ranging over complete tests and assignments as in Definition 4, and $\mathit{rcfg}(x,p)$ ranging over reconfiguration actions. A safety property $\mathit{prop}$ is defined as:
$$\mathit{act} ::= \alpha\cdot\pi \mid \mathit{rcfg}_{x,p} \quad (\text{where } \alpha\cdot\pi, \mathit{rcfg}_{x,p} \in \mathcal{A})$$
$$\mathit{regexp} ::= \mathit{act} \mid \mathit{regexp} + \mathit{regexp} \mid \mathit{regexp} \cdot \mathit{regexp}$$
$$\mathit{prop} ::= [\mathit{regexp}]\,\mathit{false}$$

The intuition behind Definition 12 is as follows. A safety property specification $\mathit{prop}$ is satisfied whenever the behaviour encoded by $\mathit{regexp}$ cannot be observed within the network. Regular expressions $\mathit{regexp}$ are defined with respect to actions $\mathit{act}$: a flow of shape $\alpha\cdot\pi$ is the observable behaviour of a (NetKAT$_{-dup}$) policy transforming a packet encoded by $\alpha$ into $\alpha_\pi$, whereas $\mathit{rcfg}_{x,p}$ corresponds to a reconfiguration step in a network. Recursively, a sum of regular expressions $\mathit{regexp} + \mathit{regexp}$ encodes the union of the two behaviours, and a concatenation of regular expressions $\mathit{regexp} \cdot \mathit{regexp}$ encodes the behaviour of the first $\mathit{regexp}$ followed by the behaviour of the second.

▶ Definition 5 (Head Normal Forms for Safety). Let $\mathcal{A}$ be an alphabet over letters of shape $\alpha\cdot\pi$ and $\mathit{rcfg}(x,p)$, with $\alpha$ and $\pi$ ranging over complete tests and assignments as in Definition 4, and $\mathit{rcfg}(x,p)$ ranging over reconfiguration actions. We write $w, w'$ for (non-empty) words with letters in $\mathcal{A}$ (i.e., $w, w' \in \mathcal{A}^*$) and $|w|$ for the length of $w$. We write $w' \preceq w$ whenever $w'$ is a prefix of $w$ (including $w$). Let $r$ be a regular expression ($\mathit{regexp}$) as in Definition 12. We call head normal form of $r$, denoted by $\mathit{hnf}(r)$, the sum of words obtained by distributing $\cdot$ over $+$ in $r$, in the standard fashion:
$$\mathit{hnf}(a) \triangleq a \quad (a \in \mathcal{A})$$
$$\mathit{hnf}(w) \triangleq w \quad (w \in \mathcal{A}^*)$$
$$\mathit{hnf}(r_1 + r_2) \triangleq \mathit{hnf}(r_1) + \mathit{hnf}(r_2)$$
$$\mathit{hnf}(r \cdot (r_1 + r_2)) \triangleq \mathit{hnf}(r \cdot r_1) + \mathit{hnf}(r \cdot r_2)$$
$$\mathit{hnf}((r_1 + r_2) \cdot r) \triangleq \mathit{hnf}(r_1 \cdot r) + \mathit{hnf}(r_2 \cdot r)$$
$$\mathit{hnf}(r' \cdot (r_1 + r_2) \cdot r'') \triangleq \mathit{hnf}(r' \cdot r_1 \cdot r'') + \mathit{hnf}(r' \cdot r_2 \cdot r'')$$

Next, we give the formal semantics of safety properties.

▶ Definition 13 (Safety Properties - Semantics). Let $\mathit{Prop}$ stand for the set of all properties as in Definition 12. The semantic map $\llbracket - \rrbracket : \mathit{Prop} \to$ DyNetKAT associates to each safety property in $\mathit{Prop}$ a DyNetKAT expression as follows. Let $\Theta$ be the DyNetKAT policy (in normal form) encoding all possible behaviours over $\mathcal{A}$:
$$\Theta \triangleq \Sigma^\oplus_{\alpha\cdot\pi \in \mathcal{A}} (\alpha\cdot\pi\,;\bot \oplus \alpha\cdot\pi\,;\Theta) \ \oplus\ \Sigma^\oplus_{\mathit{rcfg}_{x,p} \in \mathcal{A}} (\mathit{rcfg}_{x,p}\,;\bot \oplus \mathit{rcfg}_{x,p}\,;\Theta)$$
Then:
$$(\mathrm{c1})\quad \llbracket [\Sigma_{i \in I}\, w_i]\,\mathit{false} \rrbracket \triangleq \Sigma^\oplus_{w \in \mathcal{A}^*,\ |w| < M,\ \forall i \in I: w_i \not\preceq w}\ \overline{w}\,;\bot \ \oplus\ \Sigma^\oplus_{w \in \mathcal{A}^*,\ |w| = M,\ \forall i \in I: w_i \not\preceq w}\ (\overline{w}\,;\bot \oplus \overline{w}\,;\Theta) \quad (w_i \in \mathcal{A}^*)$$
$$(\mathrm{c2})\quad \llbracket [r]\,\mathit{false} \rrbracket \triangleq \llbracket [\mathit{hnf}(r)]\,\mathit{false} \rrbracket \quad [\text{otherwise}]$$
such that $M$ is the length of the longest word $w_i$, with $i \in I$, and $\overline{w}$ is a DyNetKAT-compatible term obtained from $w$ where all letters have been separated by $;$ and inductively defined in the obvious way:
$$\overline{a} \triangleq a \quad (a \in \mathcal{A}) \qquad \overline{a \cdot w} \triangleq a\,;\overline{w} \quad (a \in \mathcal{A}, w \in \mathcal{A}^*)$$

The semantic map $\llbracket - \rrbracket : \mathit{Prop} \to$ DyNetKAT is defined in accordance with the intuition provided in the beginning of this section. For instance, as shown in (c1), if none of the sequences of steps $w_i$ can be observed in the system, then the associated DyNetKAT term prevents the immediate execution of all $w_i$. Typically, safety analysis is reduced to reachability analysis. Intuitively, in our context, a safety property is violated whenever the network system under analysis displays a (finite) execution that is not in the behaviour of the property. Thus, the semantic map in Definition 13 is based on traces (or words in $\mathcal{A}^*$) and is not sensitive to branching; see the use of head normal forms in (c2).

With these ingredients at hand, we can reason about the satisfiability of safety properties in an equational fashion.

▶ Definition 14 ($\mathcal{E}_{\mathit{trDNK}}$). Let $\mathcal{E}_{\mathit{trDNK}}$ stand for the equational axioms in Figure 11, including the additional axiom that enables switching from the context of bisimilarity to trace equivalence of DyNetKAT policies, namely:
$$p\,;(q \oplus r) \equiv p\,;q \oplus p\,;r \quad (\mathrm{A}) \qquad (26)$$

▶ Definition 15 (Safe Network Systems). Assume a specification given as the safety formula $s$ and a network system implemented as the DyNetKAT policy $i$. We say that the network is safe whenever the following holds:
$$\mathcal{E}_{\mathit{trDNK}} \vdash \llbracket s \rrbracket \oplus i \equiv \llbracket s \rrbracket \qquad (27)$$
In words: checking whether $i$ satisfies $s$ reduces to checking whether the trace behaviour of $i$ is included in that of $s$.

In this section we introduce a version of safety properties extended with negated actions ($\neg(\alpha\cdot\pi)$ and, respectively, $\neg\mathit{rcfg}_{x,p}$), the $\mathit{true}$ construct and repetitions ($r^n$), equally expressive but enabling more concise property specifications.

▶ Definition 16 (Safety Properties - Extended Syntax). Let $\mathcal{A}$ be an alphabet over letters of shape $\alpha\cdot\pi$ and $\mathit{rcfg}_{x,p}$, with $\alpha$ and $\pi$ ranging over complete tests and assignments as in Definition 4, and $\mathit{rcfg}_{x,p}$ ranging over reconfiguration actions. Safety properties are extended in the following fashion:
$$\mathit{act}_e ::= \alpha\cdot\pi \mid \mathit{rcfg}_{x,p} \mid \neg\mathit{act}_e \quad (\text{with } \alpha\cdot\pi, \mathit{rcfg}_{x,p} \in \mathcal{A})$$
$$\mathit{regexp}_e ::= \mathit{true} \mid \mathit{act}_e \mid \mathit{regexp}_e + \mathit{regexp}_e \mid \mathit{regexp}_e \cdot \mathit{regexp}_e \mid (\mathit{regexp}_e)^n \quad (\text{with } n \in \mathbb{N})$$
$$\mathit{prop}_e ::= [\mathit{regexp}_e]\,\mathit{false}$$

Intuitively, a property of shape $[\neg a]\,\mathit{false}$, with $a \in \mathcal{A}$, states that the system cannot do anything apart from $a$ as a first step. The property $[\mathit{true}]\,\mathit{false}$ states that no action can be observed in the network, whereas $[r^n]\,\mathit{false}$ encodes the repeated application of $r$ for $n$ times.

Let $\mathit{Reg}$ and, respectively, $\mathit{Reg}_e$ denote the set of regular expressions $\mathit{regexp}$ in Definition 12 and, respectively, the set of regular expressions $\mathit{regexp}_e$ in Definition 16. The "desugaring" function defining the regular equivalent of the extended safety properties is defined as follows:
$$\mathit{ds} : \mathit{Reg}_e \to \mathit{Reg}$$
$$\mathit{ds}(\mathit{true}) \triangleq \Sigma_{a \in \mathcal{A}}\, a$$
$$\mathit{ds}(\neg(\alpha\cdot\pi)) \triangleq \Sigma_{\alpha_i\cdot\pi_i \in \mathcal{A},\ \alpha_i \neq \alpha \text{ or } \pi_i \neq \pi}\ \alpha_i\cdot\pi_i$$
$$\mathit{ds}(\neg\mathit{rcfg}_{x,p}) \triangleq \Sigma_{\mathit{rcfg}_{y,q} \in \mathcal{A},\ \mathit{rcfg}_{y,q} \neq \mathit{rcfg}_{x,p}}\ \mathit{rcfg}_{y,q}$$
$$\mathit{ds}(r^n) \triangleq \mathit{ds}(\underbrace{r \cdot r \cdot \ldots \cdot r}_{n \text{ times}})$$
$$\mathit{ds}(r_1 \cdot r_2) \triangleq \mathit{ds}(r_1) \cdot \mathit{ds}(r_2) \ \text{ if } r_1 \cdot r_2 \notin \mathit{Reg}$$
$$\mathit{ds}(r_1 + r_2) \triangleq \mathit{ds}(r_1) + \mathit{ds}(r_2) \ \text{ if } r_1 + r_2 \notin \mathit{Reg}$$
$$\mathit{ds}(r) \triangleq r \ \ [\text{otherwise}]$$
The (overloaded) semantic map $\llbracket - \rrbracket : \mathit{Prop}_e \to$ DyNetKAT is defined as expected:
$$\llbracket [r_e]\,\mathit{false} \rrbracket \triangleq \llbracket [\mathit{ds}(r_e)]\,\mathit{false} \rrbracket$$

For an example, consider the distributed controllers in Figure 2 and the corresponding encoding in Figure 6. Recall that reaching H S $s_n$ defined as $[(\mathit{true})^n \cdot (\alpha\cdot\pi)]\,\mathit{false}$, for $n \in \mathbb{N}$, $\alpha \triangleq (\mathit{port} = 2)$ and $\pi \triangleq (\mathit{port} \leftarrow n)$ is executed, $\alpha\cdot\pi$ cannot happen as the next step. Therefore, checking whether the network is safe reduces to checking, for all $n \in \mathbb{N}$:
$$\mathcal{E}_{\mathit{trDNK}} \vdash \llbracket s_n \rrbracket \oplus \mathit{SDN} \equiv \llbracket s_n \rrbracket \qquad (28)$$
Note that, for a fixed $n$, the verification procedure resembles bounded model checking [4].

In Section 4 we introduced a notion of safety for DyNetKAT and provided a mechanism for reasoning about safety in an equational fashion, by exploiting DyNetKAT trace semantics. To this end, we search for traces that violate the safety property, i.e., we turn the equational reasoning about safety into checking for reachability properties of shape $s \triangleq \langle \mathit{regexp} \rangle\,\mathit{true}$; for an implementation $i$, this is achieved by checking the following equation using our axiomatization: $\mathcal{E}_{\mathit{trDNK}} \vdash i \oplus \llbracket s \rrbracket \equiv i$. We developed a prototype tool, called DyNetiKAT, based on Maude [7] and Python [23], for checking the aforementioned equation. We build upon the reachability checking method in NetKAT [2].
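As an added illustration (not code from the paper or from the DyNetiKAT tool), the following Python carries Definitions 13, 15 and 16 through at the level of words: it desugars an extended property over a given alphabet, computes its head normal form as a set of forbidden words, builds the word sets that case (c1) of $\llbracket [r]\,\mathit{false} \rrbracket$ admits, and checks a constructed, prefix-closed trace set of an implementation for inclusion, next to a direct prefix search that must agree with it. The alphabet, the trace sets and the property $[(\neg\mathit{rcfg}_{\mathit{secConReq}})^n \cdot (\mathit{ext}\to\mathit{int})]\,\mathit{false}$ are constructed from the stateful firewall scenario discussed in this paper and are assumptions, as is the reading of $r^0$ as the empty word.

```python
"""Word-level model of DyNetKAT safety properties (Definitions 13, 15 and 16).
Added example, not code from the paper or the DyNetiKAT tool. Letters of the
alphabet A are plain strings (constructed names for flows alpha.pi and steps
rcfg(x,p)); an implementation i is abstracted by its finite, prefix-closed set
of traces, the only thing the trace-based semantics of Definition 13 sees."""
from dataclasses import dataclass
from typing import FrozenSet, Tuple, Union

Letter = str
Word = Tuple[Letter, ...]

# The regexp_e syntax of Definition 16 (negation applies to actions, as on the page).
@dataclass(frozen=True)
class Act: a: Letter
@dataclass(frozen=True)
class Neg: act: Act
@dataclass(frozen=True)
class TrueR: pass
@dataclass(frozen=True)
class Plus: left: "Regexp"; right: "Regexp"
@dataclass(frozen=True)
class Dot: left: "Regexp"; right: "Regexp"
@dataclass(frozen=True)
class Rep: inner: "Regexp"; n: int
Regexp = Union[Act, Neg, TrueR, Plus, Dot, Rep]

def words(r: Regexp, alphabet: FrozenSet[Letter]) -> FrozenSet[Word]:
    """hnf(ds(r)) as a set of words: desugar true, negation and r^n over the
    alphabet (Definition 16), then distribute . over + (Definition 5).
    Assumption not fixed by the page: r^0 denotes the empty word."""
    if isinstance(r, Act):
        return frozenset({(r.a,)})
    if isinstance(r, TrueR):                      # ds(true) = sum of all letters
        return frozenset((a,) for a in alphabet)
    if isinstance(r, Neg):                        # ds(not a) = every letter but a
        return frozenset((a,) for a in alphabet if a != r.act.a)
    if isinstance(r, Plus):
        return words(r.left, alphabet) | words(r.right, alphabet)
    if isinstance(r, Dot):                        # (u1 + u2).(v1 + v2) = sum of u.v
        return frozenset(u + v for u in words(r.left, alphabet)
                         for v in words(r.right, alphabet))
    if isinstance(r, Rep):                        # r^n = r . r ... r (n times)
        acc: FrozenSet[Word] = frozenset({()})
        for _ in range(r.n):
            acc = frozenset(u + v for u in acc for v in words(r.inner, alphabet))
        return acc
    raise TypeError(f"unknown regexp node {r!r}")

def denotation(forbidden: FrozenSet[Word], alphabet: FrozenSet[Letter]):
    """Case (c1) of Definition 13 at the word level: the words w with |w| < M that
    no forbidden w_i is a prefix of (summands w;bot), and the words with |w| = M
    that no w_i is a prefix of (summands w;bot + w;Theta: anything may follow).
    M is the length of the longest forbidden word."""
    m = max(len(w) for w in forbidden)            # ValueError if nothing is forbidden
    def blocked(w: Word) -> bool:
        return any(w[:len(f)] == f for f in forbidden)
    short, full = set(), set()
    frontier = {()}                               # allowed words of the previous length
    for length in range(1, m + 1):
        # every extension of a blocked word is blocked too, so pruning here is sound
        frontier = {w + (a,) for w in frontier for a in alphabet if not blocked(w + (a,))}
        (short if length < m else full).update(frontier)
    return frozenset(short), frozenset(full)

def is_safe(traces, forbidden: FrozenSet[Word], alphabet: FrozenSet[Letter]) -> bool:
    """Definition 15: the traces of i are included in the denotation of s. A trace
    longer than M is covered by the Theta summand, so only its length-M prefix
    has to be one of the allowed full-length words."""
    short, full = denotation(forbidden, alphabet)
    m = max(len(w) for w in forbidden)
    return all((t in short) if len(t) < m else (t[:m] in full) for t in traces if t)

def violating_traces(traces, forbidden):
    """Direct witness search: (trace, forbidden word) pairs where the trace starts
    with the forbidden word; empty exactly when is_safe holds."""
    return sorted((t, f) for t in traces for f in forbidden if t[:len(f)] == f)

def prefix_closure(ws) -> FrozenSet[Word]:
    return frozenset(w[:k] for w in ws for k in range(len(w) + 1))

# Constructed alphabet for the stateful firewall: two flows and one reconfiguration.
IE, EI, RC = "int->ext", "ext->int", "rcfg(secConReq)"
FIREWALL_ALPHABET: FrozenSet[Letter] = frozenset({IE, EI, RC})

def firewall_property(bound: int) -> FrozenSet[Word]:
    """Forbidden words of [(not rcfg)^n . (ext->int)] false for n = 0..bound: the
    ext->int flow may not occur before a reconfiguration on secConReq."""
    forbidden: FrozenSet[Word] = frozenset()
    for n in range(bound + 1):
        forbidden |= words(Dot(Rep(Neg(Act(RC)), n), Act(EI)), FIREWALL_ALPHABET)
    return forbidden

# Constructed trace sets: the first only lets ext->int happen after the reconfiguration.
GOOD_TRACES = prefix_closure({(IE, IE), (RC, EI, IE), (IE, RC, EI)})
BAD_TRACES = GOOD_TRACES | prefix_closure({(IE, EI)})
```

With `bound = 2` the property forbids seven words of length at most three, `is_safe` accepts `GOOD_TRACES` and rejects `BAD_TRACES`, and `violating_traces` names the offending trace `(int->ext, ext->int)`.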
For a reminder: we state that $\mathit{out}$ is reachable from $\mathit{in}$, in the context of a switch policy $p$ and topology $t$, whenever the following property is satisfied: $\mathit{in} \cdot (p \cdot t)^* \cdot \mathit{out} \not\equiv 0$ (and vice-versa). The inputs to our tool are a DyNetKAT program $p$, a list of input predicates $\mathit{in}$, a list of output predicates $\mathit{out}$, and the equivalences that describe the desired properties. For an example, consider the stateful firewall in Figure 1 and the corresponding encoding in Figure 5. Consider that we have the input predicates $\mathit{in} \triangleq [\mathit{port} = \mathit{int}, \mathit{port} = \mathit{ext}]$. We would like to check whether packets at port $\mathit{int}$ can arrive at port $\mathit{ext}$ before and after reconfiguration events, and whether packets at port $\mathit{ext}$ can arrive at port $\mathit{int}$ only after a proper reconfiguration. This is achieved by analysing the step-by-step behaviour of DyNetKAT terms in normal form via a set of operators $\mathit{head}(D)$ and $\mathit{tail}(D, R)$, where $R$ is a set of terms of shape $\mathit{rcfg}_{X,N}$. Intuitively, the operator $\mathit{head}(D)$ returns a NetKAT policy which represents the current configuration in the input $D$, and the operator $\mathit{tail}(D, R)$ returns a DyNetKAT policy which represents the configurations in the input $D$ that appear after the events in $R$.

For the firewall example, the analysis reduces to defining the output predicates $\mathit{out} \triangleq [\mathit{port} = \mathit{ext}, \mathit{port} = \mathit{int}]$, and the following properties:
$$\mathit{in}(0) \cdot \mathit{head}(p) \cdot \mathit{out}(0) \not\equiv 0 \qquad (29)$$
$$\mathit{in}(0) \cdot \mathit{head}(\mathit{tail}(p, \{\mathit{rcfg}_{\mathit{secConReq},}\})) \cdot \mathit{out}(0) \not\equiv 0 \qquad (30)$$
$$\mathit{in}(1) \cdot \mathit{head}(p) \cdot \mathit{out}(1) \equiv 0 \qquad (31)$$
$$\mathit{in}(1) \cdot \mathit{head}(\mathit{tail}(p, \{\mathit{rcfg}_{\mathit{secConReq},}\})) \cdot \mathit{out}(1) \not\equiv 0 \qquad (32)$$
Intuitively, the equivalences in (29) and (30) express that packets at port $\mathit{int}$ are able to reach port $\mathit{ext}$ in the current configuration and in the configuration after the synchronization on the channel $\mathit{secConReq}$. The equivalence in (31) expresses that packets at port $\mathit{ext}$ are not able to reach port $\mathit{int}$ in the initial configuration, and (32) expresses that the configuration after the synchronization on the channel $\mathit{secConReq}$ allows this flow.

We performed experiments on FatTree topologies, which are most commonly used in data centers, to evaluate the performance of our implementation. A FatTree is a hierarchical tree which typically consists of 3 layers: core, aggregation and top-of-rack (ToR). The switches at each level contain a number of redundant links to the switches at the next upper level. The groups of ToR switches and their corresponding aggregation switches are called pods. In Figure 12 (left) we illustrate a FatTree topology with 4 pods.

[Figure 12: A FatTree topology with 4 pods (left; layers Core, Aggregation and Top-of-Rack, pods 1 to 4) and results of the FatTree experiments (right).]

For analyzing scalability, we generated 6 FatTree topologies that grow in size and achieve a maximum size of 612 switches. We checked two properties on these topologies and assessed the time performance of our tool. We first computed a shortest path forwarding policy between all pairs of ToR switches in the networks, and in these forwarding policies we enforced that for certain two ToR switches $T_a$ and $T_b$ that reside in different pods, $T_a$ is initially not able to communicate with $T_b$. Accordingly, the first property that we considered is to check if $T_b$ is reachable from $T_a$ in the initial configuration of the network. Then, in order to check a dynamic property, we considered a scenario where in an updated configuration of the network $T_b$ becomes accessible to $T_a$. In accordance with this scenario, the second property that we considered is to check if $T_b$ is reachable from $T_a$ after a proper reconfiguration. The experiments were conducted on a computer running Ubuntu 18.04 LTS with 8 core 3.7GHz AMD Ryzen 7 2700x processors and 32 GB RAM. The results of these experiments are displayed in Figure 12 (right). The results indicate that for relatively small networks with less than 100 switches, a result is obtained in less than 20 seconds. For larger networks with sizes up to 375 switches, a result is obtained in less than 12 minutes. The experiment which contained 612 switches took the longest time with approximately 51 minutes.

In order to be able to compare our technique with another verification method, we also aimed to perform an analysis based on explicit state model checking. For this purpose, we devised an operational semantics for NetKAT and implemented it in Maude along with the operational semantics of DyNetKAT. However, this method immediately failed at scaling even for small networks; hence, we did not perform further analysis by using this method. DyNetiKAT is available for download at: https://github.com/hcantunc/DyNetiKAT.
We developed a language, called DyNetKAT, for modelling and reasoning about dynamic reconfigurations in Software Defined Networks. Our language builds upon the concepts, syntax, and semantics of NetKAT and hence provides a modular extension and makes it possible to reuse the theory and tools of NetKAT. We define a formal semantics for our language and provide a sound and ground-complete axiomatization. We exploit our axiomatization to analyse reachability properties of dynamic networks and show that our approach is indeed scalable to networks with hundreds of switches.

Our language builds upon the assumption that control plane updates interleave with data plane packet processing in such a way that each data plane packet sees one set of flow tables throughout its flight in the network. This assumption is inspired by the framework put forward by Reitblatt et al. [21] and is motivated by the requirement to design a modular extension on top of NetKAT. However, we have experimented with a semantics with much smaller steps, in which the control plane updates can have a finer interleaving with in-flight packet moves. This alternative language breaks the hierarchy with NetKAT, and a naive treatment of this alternative semantics will lead to much larger state spaces. We would like to investigate this small-step semantics and efficient analysis techniques for it further.
References

[1] Luca Aceto, Bard Bloom, and Frits W. Vaandrager. Turning SOS rules into equations. Inf. Comput., 111(1):1–52, 1994. doi:10.1006/inco.1994.1040.
[2] Carolyn Jane Anderson, Nate Foster, Arjun Guha, Jean-Baptiste Jeannin, Dexter Kozen, Cole Schlesinger, and David Walker. NetKAT: semantic foundations for networks. In Suresh Jagannathan and Peter Sewell, editors, The 41st Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL '14, San Diego, CA, USA, January 20-21, 2014, pages 113–126. ACM, 2014. doi:10.1145/2535838.2535862.
[3] Jos C. M. Baeten and W. P. Weijland. Process algebra, volume 18 of Cambridge tracts in theoretical computer science. Cambridge University Press, 1990.
[4] Christel Baier and Joost-Pieter Katoen. Principles of model checking. MIT Press, 2008.
[5] Ryan Beckett, Michael Greenberg, and David Walker. Temporal NetKAT. In Chandra Krintz and Emery Berger, editors, Proceedings of the 37th ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI 2016, Santa Barbara, CA, USA, June 13-17, 2016, pages 386–401. ACM, 2016. doi:10.1145/2908080.2908108.
[6] Georgiana Caltais, Hossein Hojjat, Mohammad Mousavi, and Hünkar Can Tunç. DyNetKAT: An Algebra of Dynamic Networks. URL: .
[7] Manuel Clavel, Francisco Durán, Steven Eker, Patrick Lincoln, Narciso Martí-Oliet, José Meseguer, and Carolyn L. Talcott. Full Maude: Extending Core Maude. In Manuel Clavel, Francisco Durán, Steven Eker, Patrick Lincoln, Narciso Martí-Oliet, José Meseguer, and Carolyn L. Talcott, editors, All About Maude - A High-Performance Logical Framework, How to Specify, Program and Verify Systems in Rewriting Logic, volume 4350 of Lecture Notes in Computer Science, pages 559–597. Springer, 2007. doi:10.1007/978-3-540-71999-1_18.
[8] Nate Foster, Dexter Kozen, Konstantinos Mamouras, Mark Reitblatt, and Alexandra Silva. Probabilistic NetKAT. In Peter Thiemann, editor, Programming Languages and Systems - 25th European Symposium on Programming, ESOP 2016, Held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2016, Eindhoven, The Netherlands, April 2-8, 2016, Proceedings, volume 9632 of Lecture Notes in Computer Science, pages 282–309. Springer, 2016. doi:10.1007/978-3-662-49498-1_12.
[9] Nate Foster, Dexter Kozen, Matthew Milano, Alexandra Silva, and Laure Thompson. A Coalgebraic Decision Procedure for NetKAT. In Sriram K. Rajamani and David Walker, editors, Proceedings of the 42nd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2015, Mumbai, India, January 15-17, 2015, pages 343–355. ACM, 2015. doi:10.1145/2676726.2677011.
[10] Nate Foster, Rob Harrison, Michael J. Freedman, Christopher Monsanto, Jennifer Rexford, Alec Story, and David Walker. Frenetic: a network programming language. In Proceeding of the 16th ACM SIGPLAN International Conference on Functional Programming (ICFP 2011), pages 279–291. ACM, 2011.
[11] Ahmed El-Hassany, Ahmed Miserez, Pavol Bielik, Laurent Vanbever, and Martin T. Vechev. SDNRacer: concurrency analysis for software-defined networks. In Chandra Krintz and Emery Berger, editors, Proceedings of the 37th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI 2016), pages 402–415. ACM, 2016.
[12] Maciej Kuzniar, Peter Peresíni, and Dejan Kostic. Providing Reliable FIB Update Acknowledgments in SDN. In Aruna Seneviratne, Christophe Diot, Jim Kurose, Augustin Chaintreau, and Luigi Rizzo, editors, Proceedings of the 10th ACM International on Conference on emerging Networking Experiments and Technologies (CoNEXT 2014), pages 415–422. ACM, 2014.
[13] Tobias Kappé, Paul Brunet, Alexandra Silva, Jana Wagemaker, and Fabio Zanasi. Concurrent Kleene Algebra with Observations: from Hypotheses to Completeness. CoRR, abs/2002.09682, 2020. URL: https://arxiv.org/abs/2002.09682.
[14] Hyojoon Kim, Joshua Reich, Arpit Gupta, Muhammad Shahbaz, Nick Feamster, and Russell J. Clark. Kinetic: Verifiable dynamic network control. In , pages 59–72. USENIX Association, 2015. URL: .
[15] Zohaib Latif, Kashif Sharif, Fan Li, Md. Monjurul Karim, Sujit Biswas, and Yu Wang. A comprehensive survey of interface protocols for software defined networks. J. Netw. Comput. Appl., 156:102563, 2020.
[16] Jedidiah McClurg, Hossein Hojjat, Nate Foster, and Pavol Cerný. Event-driven network programming. In Chandra Krintz and Emery Berger, editors, Proceedings of the 37th ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI 2016, Santa Barbara, CA, USA, June 13-17, 2016, pages 369–385. ACM, 2016. doi:10.1145/2908080.2908097.
[17] Jedidiah McClurg, Hossein Hojjat, and Pavol Cerný. Synchronization Synthesis for Network Programs. In Proceedings of the 29th International Conference on Computer Aided Verification (CAV 2017), volume 10427 of Lecture Notes in Computer Science, pages 301–321. Springer, 2017.
[18] Nick McKeown, Thomas E. Anderson, Hari Balakrishnan, Guru M. Parulkar, Larry L. Peterson, Jennifer Rexford, Scott Shenker, and Jonathan S. Turner. OpenFlow: enabling innovation in campus networks. Computer Communication Review, 38(2):69–74, 2008.
[19] Mohammad Reza Mousavi, Michel A. Reniers, and Jan Friso Groote. Notions of bisimulation and congruence formats for SOS with data. Information and Computation, 200(1):107–147, 2005. doi:10.1016/j.ic.2005.03.002.
[20] Tim Nelson, Andrew D. Ferguson, Michael J. G. Scheer, and Shriram Krishnamurthi. Tierless programming and reasoning for software-defined networks. In Ratul Mahajan and Ion Stoica, editors,
Proceedings of the 11th USENIX Symposium on Networked Systems Design andImplementation, NSDI 2014, Seattle, WA, USA, April 2-4, 2014 , pages 519–531. USENIX As-sociation, 2014. URL: . Mark Reitblatt, Nate Foster, Jennifer Rexford, Cole Schlesinger, and David Walker. Abstrac-tions for network update. In Lars Eggert, Jörg Ott, Venkata N. Padmanabhan, and GeorgeVarghese, editors,
ACM SIGCOMM 2012 Conference, SIGCOMM ’12, Helsinki, Finland -August 13 - 17, 2012 , pages 323–334. ACM, 2012. doi:10.1145/2342356.2342427 . Alexandra Silva. Models of Concurrent Kleene Algebra. In Elvira Albert and Laura Kovács,editors,
LPAR 2020: 23rd International Conference on Logic for Programming, ArtificialIntelligence and Reasoning, Alicante, Spain, May 22-27, 2020 , volume 73 of
EPiC Series inComputing , page 516. EasyChair, 2020. URL: https://easychair.org/publications/paper/6C8R . Guido van Rossum. Python programming language. In Jeff Chase and Srinivasan Seshan,editors,
Proceedings of the 2007 USENIX Annual Technical Conference, Santa Clara, CA,USA, June 17-22, 2007 . USENIX, 2007. Teemu Koponen, Keith Amidon, Peter Balland, Martín Casado, Anupam Chanda, BryanFulton, Igor Ganichev, Jesse Gross, Paul Ingram, Ethan J. Jackson, Andrew Lambeth, RomainLenglet, Shih-Hao Li, Amar Padmanabhan, Justin Pettit, Ben Pfaff, Rajiv Ramanathan, ScottShenker, Alan Shieh, Jeremy Stribling, Pankaj Thakkar, Dan Wendlandt, Alexander Yip, andRonghua Zhang. Network Virtualization in Multi-tenant Datacenters. In Ratul Mahajan andIon Stoica, Eds.,
Proceedings of the 11th USENIX Symposium on Networked Systems Designand Implementation (NSDI 2014) , 203–216, USENIX Association, 2014. Celio Trois, Marcos Didonet Del Fabro, Luis Carlos Erpen De Bona, and Magnos Martinello.A Survey on SDN Programming Languages: Toward a Taxonomy. IEEE Commun. Surv.Tutorials 18(4): 2687–2712, 2016. . Alexander Vandenbroucke and Tom Schrijvers. P λω nk: functional probabilistic netkat. Proc.ACM Program. Lang. , 4(POPL):39:1–39:27, 2020. doi:10.1145/3371107 . Jana Wagemaker, Paul Brunet, Simon Docherty, Tobias Kappé, Jurriaan Rot, and AlexandraSilva. Partially Observable Concurrent Kleene Algebra. In Igor Konnov and Laura Kovács,editors, , volume 171 of
LIPIcs , pages 20:1–20:22. SchlossDagstuhl - Leibniz-Zentrum für Informatik, 2020. doi:10.4230/LIPIcs.CONCUR.2020.20 . A Soundness Proofs
Axiom under consideration: $\ ;\, p \equiv \bot$ (A$_0$) (33)

for $p \in \mathrm{DyNetKAT}$. According to the semantic rules of DyNetKAT, the derivations of the term $\ ;\, p$ are as follows:

(a) For all $\sigma' \in \llbracket\ \rrbracket(\sigma::\langle\rangle)$:
$(\mathrm{cpol}_{\checkmark\_;})\quad (\ ;\, p,\ \sigma::H,\ H') \xrightarrow{(\sigma,\sigma')} (p,\ H,\ \sigma'::H')$

However, observe that $\llbracket\ \rrbracket(\sigma::\langle\rangle)$ is equal to the empty set:

$\llbracket\ \rrbracket(\sigma::\langle\rangle) = \{\}$ (Definition of ) (34)

Hence, the term $\ ;\, p$ does not afford any transition. Similarly, observe that according to the semantic rules of DyNetKAT, the term $\bot$ does not afford a transition. Hence, the following trivially holds:

$(\ ;\, p) \sim \bot$ (35)

Axiom under consideration: $p \oplus q \equiv q \oplus p$ (A$_2$) (36)

for $p, q \in \mathrm{DyNetKAT}$. According to the semantic rules of DyNetKAT, the following are the possible transitions that can initially occur in the terms $p \oplus q$ and $q \oplus p$:

(1) $(p,H,H') \xrightarrow{\gamma} (p',H,H')$
(2) $(q,H,H') \xrightarrow{\gamma} (q',H,H')$

where $\gamma ::= (\sigma,\sigma') \mid x!z \mid x?z \mid \mathrm{rcfg}(x,z)$.

Case (1): $(p,H,H') \xrightarrow{\gamma} (p',H,H')$. The derivations of $p \oplus q$ are as follows:

(a) $(\mathrm{cpol}_{\_\oplus})\ \dfrac{(p,H,H') \xrightarrow{\gamma} (p',H,H')}{(p \oplus q,H,H') \xrightarrow{\gamma} (p',H,H')}$

The derivations of $q \oplus p$ are as follows:

(b) $(\mathrm{cpol}_{\oplus\_})\ \dfrac{(p,H,H') \xrightarrow{\gamma} (p',H,H')}{(q \oplus p,H,H') \xrightarrow{\gamma} (p',H,H')}$

As demonstrated in (a) and (b), if $(p,H,H') \xrightarrow{\gamma} (p',H,H')$ holds then both of the terms $p \oplus q$ and $q \oplus p$ converge to the same expression with the $\gamma$ transition:

$(p \oplus q,H,H') \xrightarrow{\gamma} (p',H,H')$ and $(q \oplus p,H,H') \xrightarrow{\gamma} (p',H,H')$ (37)

Case (2): $(q,H,H') \xrightarrow{\gamma} (q',H,H')$. The derivations of $p \oplus q$ are as follows:

(c) $(\mathrm{cpol}_{\oplus\_})\ \dfrac{(q,H,H') \xrightarrow{\gamma} (q',H,H')}{(p \oplus q,H,H') \xrightarrow{\gamma} (q',H,H')}$

The derivations of $q \oplus p$ are as follows:

(d) $(\mathrm{cpol}_{\_\oplus})\ \dfrac{(q,H,H') \xrightarrow{\gamma} (q',H,H')}{(q \oplus p,H,H') \xrightarrow{\gamma} (q',H,H')}$

As demonstrated in (c) and (d), if $(q,H,H') \xrightarrow{\gamma} (q',H,H')$ holds then both of the terms $p \oplus q$ and $q \oplus p$ converge to the same expression with the $\gamma$ transition:

$(p \oplus q,H,H') \xrightarrow{\gamma} (q',H,H')$ and $(q \oplus p,H,H') \xrightarrow{\gamma} (q',H,H')$ (38)

Therefore, by (37) and (38) it is straightforward to conclude that the following holds:

$(p \oplus q) \sim (q \oplus p)$ (39)

Axiom under consideration: $(p \oplus q) \oplus r \equiv p \oplus (q \oplus r)$ (A$_3$) (40)

for $p, q, r \in \mathrm{DyNetKAT}$. According to the semantic rules of DyNetKAT, the following are the possible transitions that can initially occur in the terms $(p \oplus q) \oplus r$ and $p \oplus (q \oplus r)$:

(1) $(p,H,H') \xrightarrow{\gamma} (p',H,H')$
(2) $(q,H,H') \xrightarrow{\gamma} (q',H,H')$
(3) $(r,H,H') \xrightarrow{\gamma} (r',H,H')$

where $\gamma ::= (\sigma,\sigma') \mid x!z \mid x?z \mid \mathrm{rcfg}(x,z)$.

Case (1): $(p,H,H') \xrightarrow{\gamma} (p',H,H')$. The derivations of $(p \oplus q) \oplus r$ are as follows:

(a) $(\mathrm{cpol}_{\_\oplus})\ \dfrac{(\mathrm{cpol}_{\_\oplus})\ \dfrac{(p,H,H') \xrightarrow{\gamma} (p',H,H')}{(p \oplus q,H,H') \xrightarrow{\gamma} (p',H,H')}}{((p \oplus q) \oplus r,H,H') \xrightarrow{\gamma} (p',H,H')}$

The derivations of $p \oplus (q \oplus r)$ are as follows:

(b) $(\mathrm{cpol}_{\_\oplus})\ \dfrac{(p,H,H') \xrightarrow{\gamma} (p',H,H')}{(p \oplus (q \oplus r),H,H') \xrightarrow{\gamma} (p',H,H')}$

As demonstrated in (a) and (b), if $(p,H,H') \xrightarrow{\gamma} (p',H,H')$ holds then both of the terms $(p \oplus q) \oplus r$ and $p \oplus (q \oplus r)$ converge to the same expression with the $\gamma$ transition:

$((p \oplus q) \oplus r,H,H') \xrightarrow{\gamma} (p',H,H')$ and $(p \oplus (q \oplus r),H,H') \xrightarrow{\gamma} (p',H,H')$ (41)

Case (2): $(q,H,H') \xrightarrow{\gamma} (q',H,H')$. The derivations of $(p \oplus q) \oplus r$ are as follows:

(c) $(\mathrm{cpol}_{\_\oplus})\ \dfrac{(\mathrm{cpol}_{\oplus\_})\ \dfrac{(q,H,H') \xrightarrow{\gamma} (q',H,H')}{(p \oplus q,H,H') \xrightarrow{\gamma} (q',H,H')}}{((p \oplus q) \oplus r,H,H') \xrightarrow{\gamma} (q',H,H')}$

The derivations of $p \oplus (q \oplus r)$ are as follows:

(d) $(\mathrm{cpol}_{\oplus\_})\ \dfrac{(\mathrm{cpol}_{\_\oplus})\ \dfrac{(q,H,H') \xrightarrow{\gamma} (q',H,H')}{(q \oplus r,H,H') \xrightarrow{\gamma} (q',H,H')}}{(p \oplus (q \oplus r),H,H') \xrightarrow{\gamma} (q',H,H')}$

As demonstrated in (c) and (d), if $(q,H,H') \xrightarrow{\gamma} (q',H,H')$ holds then both of the terms $(p \oplus q) \oplus r$ and $p \oplus (q \oplus r)$ converge to the same expression with the $\gamma$ transition:

$((p \oplus q) \oplus r,H,H') \xrightarrow{\gamma} (q',H,H')$ and $(p \oplus (q \oplus r),H,H') \xrightarrow{\gamma} (q',H,H')$ (42)

Case (3): $(r,H,H') \xrightarrow{\gamma} (r',H,H')$. The derivations of $(p \oplus q) \oplus r$ are as follows:

(e) $(\mathrm{cpol}_{\oplus\_})\ \dfrac{(r,H,H') \xrightarrow{\gamma} (r',H,H')}{((p \oplus q) \oplus r,H,H') \xrightarrow{\gamma} (r',H,H')}$

The derivations of $p \oplus (q \oplus r)$ are as follows:

(f) $(\mathrm{cpol}_{\oplus\_})\ \dfrac{(\mathrm{cpol}_{\oplus\_})\ \dfrac{(r,H,H') \xrightarrow{\gamma} (r',H,H')}{(q \oplus r,H,H') \xrightarrow{\gamma} (r',H,H')}}{(p \oplus (q \oplus r),H,H') \xrightarrow{\gamma} (r',H,H')}$

As demonstrated in (e) and (f), if $(r,H,H') \xrightarrow{\gamma} (r',H,H')$ holds then both of the terms $(p \oplus q) \oplus r$ and $p \oplus (q \oplus r)$ converge to the same expression with the $\gamma$ transition:

$((p \oplus q) \oplus r,H,H') \xrightarrow{\gamma} (r',H,H')$ and $(p \oplus (q \oplus r),H,H') \xrightarrow{\gamma} (r',H,H')$ (43)

Therefore, by (41), (42) and (43) it is straightforward to conclude that the following holds:

$((p \oplus q) \oplus r) \sim (p \oplus (q \oplus r))$ (44)

Axiom under consideration: $p \oplus p \equiv p$ (A$_4$) (45)

for $p \in \mathrm{DyNetKAT}$. According to the semantic rules of DyNetKAT, the following are the possible transitions that can initially occur in the terms $p \oplus p$ and $p$:

(1) $(p,H,H') \xrightarrow{\gamma} (p',H,H')$

where $\gamma ::= (\sigma,\sigma') \mid x!z \mid x?z \mid \mathrm{rcfg}(x,z)$.

Case (1): $(p,H,H') \xrightarrow{\gamma} (p',H,H')$. The derivations of $p \oplus p$ are as follows:

(a) $(\mathrm{cpol}_{\_\oplus})\ \dfrac{(p,H,H') \xrightarrow{\gamma} (p',H,H')}{(p \oplus p,H,H') \xrightarrow{\gamma} (p',H,H')}$

(b) $(\mathrm{cpol}_{\oplus\_})\ \dfrac{(p,H,H') \xrightarrow{\gamma} (p',H,H')}{(p \oplus p,H,H') \xrightarrow{\gamma} (p',H,H')}$

As demonstrated in (a) and (b), if $(p,H,H') \xrightarrow{\gamma} (p',H,H')$ holds then it is also the case that the term $p \oplus p$ evolves into the same expression with the $\gamma$ transition:

$(p \oplus p,H,H') \xrightarrow{\gamma} (p',H,H')$ (46)

Hence, it is straightforward to conclude that the following holds:

$(p \oplus p) \sim p$ (47)

Axiom under consideration: $p \oplus \bot \equiv p$ (A$_5$) (48)

for $p \in \mathrm{DyNetKAT}$. According to the semantic rules of DyNetKAT, the following are the possible transitions that can initially occur in the terms $p \oplus \bot$ and $p$:

(1) $(p,H,H') \xrightarrow{\gamma} (p',H,H')$

where $\gamma ::= (\sigma,\sigma') \mid x!z \mid x?z \mid \mathrm{rcfg}(x,z)$.

Case (1): $(p,H,H') \xrightarrow{\gamma} (p',H,H')$. The derivations of $p \oplus \bot$ are as follows:

(a) $(\mathrm{cpol}_{\_\oplus})\ \dfrac{(p,H,H') \xrightarrow{\gamma} (p',H,H')}{(p \oplus \bot,H,H') \xrightarrow{\gamma} (p',H,H')}$

As demonstrated in (a), if $(p,H,H') \xrightarrow{\gamma} (p',H,H')$ holds then it is also the case that the term $p \oplus \bot$ evolves into the same expression with the $\gamma$ transition:

$(p \oplus \bot,H,H') \xrightarrow{\gamma} (p',H,H')$ (49)

Hence, it is straightforward to conclude that the following holds:

$(p \oplus \bot) \sim p$ (50)

Axiom under consideration: $p \parallel q \equiv q \parallel p$ (A$_6$) (51)

for $p, q \in \mathrm{DyNetKAT}$. According to the semantic rules of DyNetKAT, the following are the possible transitions that can initially occur in the terms $p \parallel q$ and $q \parallel p$:

(1) $(p,H,H') \xrightarrow{\gamma} (p',H,H')$
(2) $(q,H,H') \xrightarrow{\gamma} (q',H,H')$
(3) $(p,H,H') \xrightarrow{x!z} (p',H,H')$ and $(q,H,H') \xrightarrow{x?z} (q',H,H')$
(4) $(p,H,H') \xrightarrow{x?z} (p',H,H')$ and $(q,H,H') \xrightarrow{x!z} (q',H,H')$

where $\gamma ::= (\sigma,\sigma') \mid x!z \mid x?z \mid \mathrm{rcfg}(x,z)$.

Case (1): $(p,H,H') \xrightarrow{\gamma} (p',H,H')$. The derivations of $p \parallel q$ are as follows:

(a) $(\mathrm{cpol}_{\_\parallel})\ \dfrac{(p,H,H') \xrightarrow{\gamma} (p',H,H')}{(p \parallel q,H,H') \xrightarrow{\gamma} (p' \parallel q,H,H')}$

The derivations of $q \parallel p$ are as follows:

(b) $(\mathrm{cpol}_{\parallel\_})\ \dfrac{(p,H,H') \xrightarrow{\gamma} (p',H,H')}{(q \parallel p,H,H') \xrightarrow{\gamma} (q \parallel p',H,H')}$

As demonstrated in (a) and (b), if $(p,H,H') \xrightarrow{\gamma} (p',H,H')$ holds then both of the terms $p \parallel q$ and $q \parallel p$ are able to perform the $\gamma$ transition:

$(p \parallel q,H,H') \xrightarrow{\gamma} (p' \parallel q,H,H')$ and $(q \parallel p,H,H') \xrightarrow{\gamma} (q \parallel p',H,H')$ (52)

However, the terms $p \parallel q$ and $q \parallel p$ evolve into different expressions, and we would now need to check whether $(p' \parallel q) \sim (q \parallel p')$ holds. Observe that the set of possible transitions that can occur in these terms is the same as the set of transitions that can occur in the initial terms $p \parallel q$ and $q \parallel p$. Hence, proving that $(p \parallel q) \sim (q \parallel p)$ holds also constitutes a proof that $(p' \parallel q) \sim (q \parallel p')$ holds.

Case (2): $(q,H,H') \xrightarrow{\gamma} (q',H,H')$. The derivations of $p \parallel q$ are as follows:

(c) $(\mathrm{cpol}_{\parallel\_})\ \dfrac{(q,H,H') \xrightarrow{\gamma} (q',H,H')}{(p \parallel q,H,H') \xrightarrow{\gamma} (p \parallel q',H,H')}$

The derivations of $q \parallel p$ are as follows:

(d) $(\mathrm{cpol}_{\_\parallel})\ \dfrac{(q,H,H') \xrightarrow{\gamma} (q',H,H')}{(q \parallel p,H,H') \xrightarrow{\gamma} (q' \parallel p,H,H')}$

As demonstrated in (c) and (d), if $(q,H,H') \xrightarrow{\gamma} (q',H,H')$ holds then both of the terms $p \parallel q$ and $q \parallel p$ are able to perform the $\gamma$ transition:

$(p \parallel q,H,H') \xrightarrow{\gamma} (p \parallel q',H,H')$ and $(q \parallel p,H,H') \xrightarrow{\gamma} (q' \parallel p,H,H')$ (53)

However, the terms $p \parallel q$ and $q \parallel p$ evolve into different expressions, and we would now need to check whether $(p \parallel q') \sim (q' \parallel p)$ holds. Observe that the set of possible transitions that can occur in these terms is the same as the set of transitions that can occur in the initial terms $p \parallel q$ and $q \parallel p$. Hence, proving that $(p \parallel q) \sim (q \parallel p)$ holds also constitutes a proof that $(p \parallel q') \sim (q' \parallel p)$ holds.

Case (3): $(p,H,H') \xrightarrow{x!z} (p',H,H')$ and $(q,H,H') \xrightarrow{x?z} (q',H,H')$. The derivations of $p \parallel q$ are as follows:

(e) $(\mathrm{cpol}_{!?})\ \dfrac{(p,H,H') \xrightarrow{x!z} (p',H,H') \quad (q,H,H') \xrightarrow{x?z} (q',H,H')}{(p \parallel q,H,H') \xrightarrow{\mathrm{rcfg}(x,z)} (p' \parallel q',H,H')}$

The derivations of $q \parallel p$ are as follows:

(f) $(\mathrm{cpol}_{?!})\ \dfrac{(q,H,H') \xrightarrow{x?z} (q',H,H') \quad (p,H,H') \xrightarrow{x!z} (p',H,H')}{(q \parallel p,H,H') \xrightarrow{\mathrm{rcfg}(x,z)} (q' \parallel p',H,H')}$

As demonstrated in (e) and (f), if $(q,H,H') \xrightarrow{x?z} (q',H,H')$ and $(p,H,H') \xrightarrow{x!z} (p',H,H')$ hold then both of the terms $p \parallel q$ and $q \parallel p$ are able to perform the $\mathrm{rcfg}(x,z)$ transition:

$(p \parallel q,H,H') \xrightarrow{\mathrm{rcfg}(x,z)} (p' \parallel q',H,H')$ and $(q \parallel p,H,H') \xrightarrow{\mathrm{rcfg}(x,z)} (q' \parallel p',H,H')$ (54)

However, the terms $p \parallel q$ and $q \parallel p$ evolve into different expressions, and we would now need to check whether $(p' \parallel q') \sim (q' \parallel p')$ holds. Observe that the set of possible transitions that can occur in these terms is the same as the set of transitions that can occur in the initial terms $p \parallel q$ and $q \parallel p$. Hence, proving that $(p \parallel q) \sim (q \parallel p)$ holds also constitutes a proof that $(p' \parallel q') \sim (q' \parallel p')$ holds.

Case (4): $(p,H,H') \xrightarrow{x?z} (p',H,H')$ and $(q,H,H') \xrightarrow{x!z} (q',H,H')$. The derivations of $p \parallel q$ are as follows:

(g) $(\mathrm{cpol}_{?!})\ \dfrac{(p,H,H') \xrightarrow{x?z} (p',H,H') \quad (q,H,H') \xrightarrow{x!z} (q',H,H')}{(p \parallel q,H,H') \xrightarrow{\mathrm{rcfg}(x,z)} (p' \parallel q',H,H')}$

The derivations of $q \parallel p$ are as follows:

(h) $(\mathrm{cpol}_{!?})\ \dfrac{(q,H,H') \xrightarrow{x!z} (q',H,H') \quad (p,H,H') \xrightarrow{x?z} (p',H,H')}{(q \parallel p,H,H') \xrightarrow{\mathrm{rcfg}(x,z)} (q' \parallel p',H,H')}$

As demonstrated in (g) and (h), if $(q,H,H') \xrightarrow{x!z} (q',H,H')$ and $(p,H,H') \xrightarrow{x?z} (p',H,H')$ hold then both of the terms $p \parallel q$ and $q \parallel p$ are able to perform the $\mathrm{rcfg}(x,z)$ transition:

$(p \parallel q,H,H') \xrightarrow{\mathrm{rcfg}(x,z)} (p' \parallel q',H,H')$ and $(q \parallel p,H,H') \xrightarrow{\mathrm{rcfg}(x,z)} (q' \parallel p',H,H')$ (55)

However, the terms $p \parallel q$ and $q \parallel p$ evolve into different expressions, and we would now need to check whether $(p' \parallel q') \sim (q' \parallel p')$ holds. Observe that the set of possible transitions that can occur in these terms is the same as the set of transitions that can occur in the initial terms $p \parallel q$ and $q \parallel p$. Hence, proving that $(p \parallel q) \sim (q \parallel p)$ holds also constitutes a proof that $(p' \parallel q') \sim (q' \parallel p')$ holds.

Therefore, by (52), (53), (54) and (55) it is straightforward to conclude that the following holds:

$(p \parallel q) \sim (q \parallel p)$ (56)

Axiom under consideration: $p \parallel \bot \equiv p$ (A$_7$) (57)

for $p \in \mathrm{DyNetKAT}$. According to the semantic rules of DyNetKAT, the following are the possible transitions that can initially occur in the terms $p \parallel \bot$ and $p$:

(1) $(p,H,H') \xrightarrow{\gamma} (p',H,H')$

where $\gamma ::= (\sigma,\sigma') \mid x!z \mid x?z \mid \mathrm{rcfg}(x,z)$.

Case (1): $(p,H,H') \xrightarrow{\gamma} (p',H,H')$. The derivations of $p \parallel \bot$ are as follows:

(a) $(\mathrm{cpol}_{\_\parallel})\ \dfrac{(p,H,H') \xrightarrow{\gamma} (p',H,H')}{(p \parallel \bot,H,H') \xrightarrow{\gamma} (p' \parallel \bot,H,H')}$

As demonstrated in (a), if $(p,H,H') \xrightarrow{\gamma} (p',H,H')$ holds then it is also the case that the term $p \parallel \bot$ can perform the $\gamma$ transition:

$(p \parallel \bot,H,H') \xrightarrow{\gamma} (p' \parallel \bot,H,H')$ (58)

However, the terms $p \parallel \bot$ and $p$ evolve into different expressions, and we would now need to check whether $(p' \parallel \bot) \sim p'$ holds. Observe that, in principle, showing that $(p' \parallel \bot) \sim p'$ holds is the same as showing that the initial case holds, i.e. $(p \parallel \bot) \sim p$. However, we already established in case (1) that both expressions are always able to perform the same transitions. Hence, it is straightforward to conclude that the following holds:

$(p \parallel \bot) \sim p$ (59)

Axiom under consideration: $p \parallel q \equiv p \mathbin{\lfloor\!\lfloor} q \oplus q \mathbin{\lfloor\!\lfloor} p \oplus p \,|\, q$ (A$_8$) (60)

for $p, q \in \mathrm{DyNetKAT}$. According to the semantic rules of DyNetKAT, the following are the possible transitions that can initially occur in the terms $p \parallel q$ and $p \mathbin{\lfloor\!\lfloor} q \oplus q \mathbin{\lfloor\!\lfloor} p \oplus p \,|\, q$:

(1) $(p,H,H') \xrightarrow{\gamma} (p',H,H')$
(2) $(q,H,H') \xrightarrow{\gamma} (q',H,H')$
(3) $(p,H,H') \xrightarrow{x!z} (p',H,H')$ and $(q,H,H') \xrightarrow{x?z} (q',H,H')$
(4) $(p,H,H') \xrightarrow{x?z} (p',H,H')$ and $(q,H,H') \xrightarrow{x!z} (q',H,H')$

where $\gamma ::= (\sigma,\sigma') \mid x!z \mid x?z \mid \mathrm{rcfg}(x,z)$.

Case (1): $(p,H,H') \xrightarrow{\gamma} (p',H,H')$. The derivations of $p \parallel q$ are as follows:

(a) $(\mathrm{cpol}_{\_\parallel})\ \dfrac{(p,H,H') \xrightarrow{\gamma} (p',H,H')}{(p \parallel q,H,H') \xrightarrow{\gamma} (p' \parallel q,H,H')}$

The derivations of $p \mathbin{\lfloor\!\lfloor} q \oplus q \mathbin{\lfloor\!\lfloor} p \oplus p \,|\, q$ are as follows:

(b) $(\mathrm{cpol}_{\_\oplus})\ \dfrac{(\lfloor\!\lfloor)\ \dfrac{(p,H,H') \xrightarrow{\gamma} (p',H,H')}{(p \mathbin{\lfloor\!\lfloor} q,H,H') \xrightarrow{\gamma} (p' \parallel q,H,H')}}{(p \mathbin{\lfloor\!\lfloor} q \oplus q \mathbin{\lfloor\!\lfloor} p \oplus p \,|\, q,H,H') \xrightarrow{\gamma} (p' \parallel q,H,H')}$

As demonstrated in (a) and (b), if $(p,H,H') \xrightarrow{\gamma} (p',H,H')$ holds then both of the terms $p \parallel q$ and $p \mathbin{\lfloor\!\lfloor} q \oplus q \mathbin{\lfloor\!\lfloor} p \oplus p \,|\, q$ converge to the same expression with the $\gamma$ transition:

$(p \parallel q,H,H') \xrightarrow{\gamma} (p' \parallel q,H,H')$ and $(p \mathbin{\lfloor\!\lfloor} q \oplus q \mathbin{\lfloor\!\lfloor} p \oplus p \,|\, q,H,H') \xrightarrow{\gamma} (p' \parallel q,H,H')$ (61)

Case (2): $(q,H,H') \xrightarrow{\gamma} (q',H,H')$. The derivations of $p \parallel q$ are as follows:

(c) $(\mathrm{cpol}_{\parallel\_})\ \dfrac{(q,H,H') \xrightarrow{\gamma} (q',H,H')}{(p \parallel q,H,H') \xrightarrow{\gamma} (p \parallel q',H,H')}$

The derivations of $p \mathbin{\lfloor\!\lfloor} q \oplus q \mathbin{\lfloor\!\lfloor} p \oplus p \,|\, q$ are as follows:

(d) $(\mathrm{cpol}_{\_\oplus})\ \dfrac{(\mathrm{cpol}_{\oplus\_})\ \dfrac{(\lfloor\!\lfloor)\ \dfrac{(q,H,H') \xrightarrow{\gamma} (q',H,H')}{(q \mathbin{\lfloor\!\lfloor} p,H,H') \xrightarrow{\gamma} (q' \parallel p,H,H')}}{(p \mathbin{\lfloor\!\lfloor} q \oplus q \mathbin{\lfloor\!\lfloor} p,H,H') \xrightarrow{\gamma} (q' \parallel p,H,H')}}{(p \mathbin{\lfloor\!\lfloor} q \oplus q \mathbin{\lfloor\!\lfloor} p \oplus p \,|\, q,H,H') \xrightarrow{\gamma} (q' \parallel p,H,H')}$

As demonstrated in (c) and (d), if $(q,H,H') \xrightarrow{\gamma} (q',H,H')$ holds then both of the terms $p \parallel q$ and $p \mathbin{\lfloor\!\lfloor} q \oplus q \mathbin{\lfloor\!\lfloor} p \oplus p \,|\, q$ are able to perform the $\gamma$ transition:

$(p \parallel q,H,H') \xrightarrow{\gamma} (p \parallel q',H,H')$ and $(p \mathbin{\lfloor\!\lfloor} q \oplus q \mathbin{\lfloor\!\lfloor} p \oplus p \,|\, q,H,H') \xrightarrow{\gamma} (q' \parallel p,H,H')$ (62)

Observe that the terms evolve into different expressions; however, according to axiom (A$_6$) the $\parallel$ operator is commutative. Hence, the following holds:

$(p \parallel q') \sim (q' \parallel p)$ (63)

Case (3): $(p,H,H') \xrightarrow{x!z} (p',H,H')$ and $(q,H,H') \xrightarrow{x?z} (q',H,H')$. The derivations of $p \parallel q$ are as follows:

(e) $(\mathrm{cpol}_{!?})\ \dfrac{(p,H,H') \xrightarrow{x!z} (p',H,H') \quad (q,H,H') \xrightarrow{x?z} (q',H,H')}{(p \parallel q,H,H') \xrightarrow{\mathrm{rcfg}(x,z)} (p' \parallel q',H,H')}$

The derivations of $p \mathbin{\lfloor\!\lfloor} q \oplus q \mathbin{\lfloor\!\lfloor} p \oplus p \,|\, q$ are as follows:

(f) $(\mathrm{cpol}_{\oplus\_})\ \dfrac{(|_{!?})\ \dfrac{(p,H,H') \xrightarrow{x!z} (p',H,H') \quad (q,H,H') \xrightarrow{x?z} (q',H,H')}{(p \,|\, q,H,H') \xrightarrow{\mathrm{rcfg}(x,z)} (p' \parallel q',H,H')}}{(p \mathbin{\lfloor\!\lfloor} q \oplus q \mathbin{\lfloor\!\lfloor} p \oplus p \,|\, q,H,H') \xrightarrow{\mathrm{rcfg}(x,z)} (p' \parallel q',H,H')}$

As demonstrated in (e) and (f), if $(p,H,H') \xrightarrow{x!z} (p',H,H')$ and $(q,H,H') \xrightarrow{x?z} (q',H,H')$ hold then both of the terms $p \parallel q$ and $p \mathbin{\lfloor\!\lfloor} q \oplus q \mathbin{\lfloor\!\lfloor} p \oplus p \,|\, q$ converge to the same expression with the $\mathrm{rcfg}(x,z)$ transition:

$(p \parallel q,H,H') \xrightarrow{\mathrm{rcfg}(x,z)} (p' \parallel q',H,H')$ and $(p \mathbin{\lfloor\!\lfloor} q \oplus q \mathbin{\lfloor\!\lfloor} p \oplus p \,|\, q,H,H') \xrightarrow{\mathrm{rcfg}(x,z)} (p' \parallel q',H,H')$ (64)

Case (4): $(p,H,H') \xrightarrow{x?z} (p',H,H')$ and $(q,H,H') \xrightarrow{x!z} (q',H,H')$. The derivations of $p \parallel q$ are as follows:

(g) $(\mathrm{cpol}_{?!})\ \dfrac{(p,H,H') \xrightarrow{x?z} (p',H,H') \quad (q,H,H') \xrightarrow{x!z} (q',H,H')}{(p \parallel q,H,H') \xrightarrow{\mathrm{rcfg}(x,z)} (p' \parallel q',H,H')}$

The derivations of $p \mathbin{\lfloor\!\lfloor} q \oplus q \mathbin{\lfloor\!\lfloor} p \oplus p \,|\, q$ are as follows:

(h) $(\mathrm{cpol}_{\oplus\_})\ \dfrac{(|_{?!})\ \dfrac{(p,H,H') \xrightarrow{x?z} (p',H,H') \quad (q,H,H') \xrightarrow{x!z} (q',H,H')}{(p \,|\, q,H,H') \xrightarrow{\mathrm{rcfg}(x,z)} (p' \parallel q',H,H')}}{(p \mathbin{\lfloor\!\lfloor} q \oplus q \mathbin{\lfloor\!\lfloor} p \oplus p \,|\, q,H,H') \xrightarrow{\mathrm{rcfg}(x,z)} (p' \parallel q',H,H')}$

As demonstrated in (g) and (h), if $(p,H,H') \xrightarrow{x?z} (p',H,H')$ and $(q,H,H') \xrightarrow{x!z} (q',H,H')$ hold then both of the terms $p \parallel q$ and $p \mathbin{\lfloor\!\lfloor} q \oplus q \mathbin{\lfloor\!\lfloor} p \oplus p \,|\, q$ converge to the same expression with the $\mathrm{rcfg}(x,z)$ transition:

$(p \parallel q,H,H') \xrightarrow{\mathrm{rcfg}(x,z)} (p' \parallel q',H,H')$ and $(p \mathbin{\lfloor\!\lfloor} q \oplus q \mathbin{\lfloor\!\lfloor} p \oplus p \,|\, q,H,H') \xrightarrow{\mathrm{rcfg}(x,z)} (p' \parallel q',H,H')$ (65)

Therefore, by (61), (62), (63), (64) and (65) it is straightforward to conclude that the following holds:

$(p \parallel q) \sim (p \mathbin{\lfloor\!\lfloor} q \oplus q \mathbin{\lfloor\!\lfloor} p \oplus p \,|\, q)$ (66)

Axiom under consideration: $\bot \mathbin{\lfloor\!\lfloor} p \equiv \bot$ (A$_9$) (67)

for $p \in \mathrm{DyNetKAT}$. Observe that according to the semantic rules of DyNetKAT, the terms $\bot \mathbin{\lfloor\!\lfloor} p$ and $\bot$ do not afford a transition. Hence, the following trivially holds:

$(\bot \mathbin{\lfloor\!\lfloor} p) \sim \bot$ (68)

Axiom under consideration: $(a ; p) \mathbin{\lfloor\!\lfloor} q \equiv a ; (p \parallel q)$ (A$_{10}$) (69)

for $a \in \{z,\ x?z,\ x!z,\ \mathrm{rcfg}_{x,z}\}$, $z \in \mathrm{NetKAT}_{-\mathrm{dup}}$ and $p, q \in \mathrm{DyNetKAT}$. In the following, we make a case analysis on the shape of $a$ and show that the terms $(a ; p) \mathbin{\lfloor\!\lfloor} q$ and $a ; (p \parallel q)$ are bisimilar.

Case (1): $a \triangleq z$ and $\sigma_z \triangleq \llbracket z \rrbracket(\sigma::\langle\rangle)$. The derivations of $(z ; p) \mathbin{\lfloor\!\lfloor} q$ are as follows:

(a) For all $\sigma' \in \sigma_z$:
$(\lfloor\!\lfloor)\ \dfrac{(\mathrm{cpol}_{\checkmark\_;})\ \dfrac{}{(z ; p,\ \sigma::H,\ H') \xrightarrow{(\sigma,\sigma')} (p,\ H,\ \sigma'::H')}}{((z ; p) \mathbin{\lfloor\!\lfloor} q,\ \sigma::H,\ H') \xrightarrow{(\sigma,\sigma')} (p \parallel q,\ H,\ \sigma'::H')}$

The derivations of $z ; (p \parallel q)$ are as follows:

(b) For all $\sigma' \in \sigma_z$:
$(\mathrm{cpol}_{\checkmark\_;})\quad (z ; (p \parallel q),\ \sigma::H,\ H') \xrightarrow{(\sigma,\sigma')} (p \parallel q,\ H,\ \sigma'::H')$

As demonstrated in (a) and (b), both of the terms $(z ; p) \mathbin{\lfloor\!\lfloor} q$ and $z ; (p \parallel q)$ initially afford the same set of transitions of shape $(\sigma,\sigma')$, and they converge to the same expression after taking these transitions:

$((z ; p) \mathbin{\lfloor\!\lfloor} q,\ \sigma::H,\ H') \xrightarrow{(\sigma,\sigma')} (p \parallel q,\ H,\ \sigma'::H')$ and $(z ; (p \parallel q),\ \sigma::H,\ H') \xrightarrow{(\sigma,\sigma')} (p \parallel q,\ H,\ \sigma'::H')$ (70)

Case (2): $a \triangleq x?z$. The derivations of $(x?z ; p) \mathbin{\lfloor\!\lfloor} q$ are as follows:

(c) $(\lfloor\!\lfloor)\ \dfrac{(\mathrm{cpol}_{?})\ \dfrac{}{(x?z ; p,H,H') \xrightarrow{x?z} (p,H,H')}}{((x?z ; p) \mathbin{\lfloor\!\lfloor} q,H,H') \xrightarrow{x?z} (p \parallel q,H,H')}$

The derivations of $x?z ; (p \parallel q)$ are as follows:

(d) $(\mathrm{cpol}_{?})\quad (x?z ; (p \parallel q),H,H') \xrightarrow{x?z} (p \parallel q,H,H')$

As demonstrated in (c) and (d), both of the terms $(x?z ; p) \mathbin{\lfloor\!\lfloor} q$ and $x?z ; (p \parallel q)$ initially afford only the $x?z$ transition, and they converge to the same expression after taking this transition:

$((x?z ; p) \mathbin{\lfloor\!\lfloor} q,H,H') \xrightarrow{x?z} (p \parallel q,H,H')$ and $(x?z ; (p \parallel q),H,H') \xrightarrow{x?z} (p \parallel q,H,H')$ (71)

Case (3): $a \triangleq x!z$. The derivations of $(x!z ; p) \mathbin{\lfloor\!\lfloor} q$ are as follows:

(e) $(\lfloor\!\lfloor)\ \dfrac{(\mathrm{cpol}_{!})\ \dfrac{}{(x!z ; p,H,H') \xrightarrow{x!z} (p,H,H')}}{((x!z ; p) \mathbin{\lfloor\!\lfloor} q,H,H') \xrightarrow{x!z} (p \parallel q,H,H')}$

The derivations of $x!z ; (p \parallel q)$ are as follows:

(f) $(\mathrm{cpol}_{!})\quad (x!z ; (p \parallel q),H,H') \xrightarrow{x!z} (p \parallel q,H,H')$

As demonstrated in (e) and (f), both of the terms $(x!z ; p) \mathbin{\lfloor\!\lfloor} q$ and $x!z ; (p \parallel q)$ initially afford only the $x!z$ transition, and they converge to the same expression after taking this transition:

$((x!z ; p) \mathbin{\lfloor\!\lfloor} q,H,H') \xrightarrow{x!z} (p \parallel q,H,H')$ and $(x!z ; (p \parallel q),H,H') \xrightarrow{x!z} (p \parallel q,H,H')$ (72)

Case (4): $a \triangleq \mathrm{rcfg}_{x,z}$. The derivations of $(\mathrm{rcfg}_{x,z} ; p) \mathbin{\lfloor\!\lfloor} q$ are as follows:

(g) $(\lfloor\!\lfloor)\ \dfrac{(\mathrm{rcfg}_{x,z})\ \dfrac{}{(\mathrm{rcfg}_{x,z} ; p,H,H') \xrightarrow{\mathrm{rcfg}(x,z)} (p,H,H')}}{((\mathrm{rcfg}_{x,z} ; p) \mathbin{\lfloor\!\lfloor} q,H,H') \xrightarrow{\mathrm{rcfg}(x,z)} (p \parallel q,H,H')}$

The derivations of $\mathrm{rcfg}_{x,z} ; (p \parallel q)$ are as follows:

(h) $(\mathrm{rcfg}_{x,z})\quad (\mathrm{rcfg}_{x,z} ; (p \parallel q),H,H') \xrightarrow{\mathrm{rcfg}(x,z)} (p \parallel q,H,H')$

As demonstrated in (g) and (h), both of the terms $(\mathrm{rcfg}_{x,z} ; p) \mathbin{\lfloor\!\lfloor} q$ and $\mathrm{rcfg}_{x,z} ; (p \parallel q)$ initially afford only the $\mathrm{rcfg}(x,z)$ transition, and they converge to the same expression after taking this transition:

$((\mathrm{rcfg}_{x,z} ; p) \mathbin{\lfloor\!\lfloor} q,H,H') \xrightarrow{\mathrm{rcfg}(x,z)} (p \parallel q,H,H')$ and $(\mathrm{rcfg}_{x,z} ; (p \parallel q),H,H') \xrightarrow{\mathrm{rcfg}(x,z)} (p \parallel q,H,H')$ (73)

Therefore, by (70), (71), (72) and (73) it is straightforward to conclude that the following holds:

$((a ; p) \mathbin{\lfloor\!\lfloor} q) \sim (a ; (p \parallel q))$ (74)

Axiom under consideration: $(p \oplus q) \mathbin{\lfloor\!\lfloor} r \equiv (p \mathbin{\lfloor\!\lfloor} r) \oplus (q \mathbin{\lfloor\!\lfloor} r)$ (A$_{11}$) (75)

for $p, q, r \in \mathrm{DyNetKAT}$. According to the semantic rules of DyNetKAT, the following are the possible transitions that can initially occur in the terms $(p \oplus q) \mathbin{\lfloor\!\lfloor} r$ and $(p \mathbin{\lfloor\!\lfloor} r) \oplus (q \mathbin{\lfloor\!\lfloor} r)$:

(1) $(p,H,H') \xrightarrow{\gamma} (p',H,H')$
(2) $(q,H,H') \xrightarrow{\gamma} (q',H,H')$

where $\gamma ::= (\sigma,\sigma') \mid x!z \mid x?z \mid \mathrm{rcfg}(x,z)$.

Case (1): $(p,H,H') \xrightarrow{\gamma} (p',H,H')$. The derivations of $(p \oplus q) \mathbin{\lfloor\!\lfloor} r$ are as follows:

(a) $(\lfloor\!\lfloor)\ \dfrac{(\mathrm{cpol}_{\_\oplus})\ \dfrac{(p,H,H') \xrightarrow{\gamma} (p',H,H')}{(p \oplus q,H,H') \xrightarrow{\gamma} (p',H,H')}}{((p \oplus q) \mathbin{\lfloor\!\lfloor} r,H,H') \xrightarrow{\gamma} (p' \parallel r,H,H')}$

The derivations of $(p \mathbin{\lfloor\!\lfloor} r) \oplus (q \mathbin{\lfloor\!\lfloor} r)$ are as follows:

(b) $(\mathrm{cpol}_{\_\oplus})\ \dfrac{(\lfloor\!\lfloor)\ \dfrac{(p,H,H') \xrightarrow{\gamma} (p',H,H')}{(p \mathbin{\lfloor\!\lfloor} r,H,H') \xrightarrow{\gamma} (p' \parallel r,H,H')}}{((p \mathbin{\lfloor\!\lfloor} r) \oplus (q \mathbin{\lfloor\!\lfloor} r),H,H') \xrightarrow{\gamma} (p' \parallel r,H,H')}$

As demonstrated in (a) and (b), if $(p,H,H') \xrightarrow{\gamma} (p',H,H')$ holds then both of the terms $(p \oplus q) \mathbin{\lfloor\!\lfloor} r$ and $(p \mathbin{\lfloor\!\lfloor} r) \oplus (q \mathbin{\lfloor\!\lfloor} r)$ converge to the same expression with the $\gamma$ transition:

$((p \oplus q) \mathbin{\lfloor\!\lfloor} r,H,H') \xrightarrow{\gamma} (p' \parallel r,H,H')$ and $((p \mathbin{\lfloor\!\lfloor} r) \oplus (q \mathbin{\lfloor\!\lfloor} r),H,H') \xrightarrow{\gamma} (p' \parallel r,H,H')$ (76)

Case (2): $(q,H,H') \xrightarrow{\gamma} (q',H,H')$. The derivations of $(p \oplus q) \mathbin{\lfloor\!\lfloor} r$ are as follows:

(c) $(\lfloor\!\lfloor)\ \dfrac{(\mathrm{cpol}_{\oplus\_})\ \dfrac{(q,H,H') \xrightarrow{\gamma} (q',H,H')}{(p \oplus q,H,H') \xrightarrow{\gamma} (q',H,H')}}{((p \oplus q) \mathbin{\lfloor\!\lfloor} r,H,H') \xrightarrow{\gamma} (q' \parallel r,H,H')}$

The derivations of $(p \mathbin{\lfloor\!\lfloor} r) \oplus (q \mathbin{\lfloor\!\lfloor} r)$ are as follows:

(d) $(\mathrm{cpol}_{\oplus\_})\ \dfrac{(\lfloor\!\lfloor)\ \dfrac{(q,H,H') \xrightarrow{\gamma} (q',H,H')}{(q \mathbin{\lfloor\!\lfloor} r,H,H') \xrightarrow{\gamma} (q' \parallel r,H,H')}}{((p \mathbin{\lfloor\!\lfloor} r) \oplus (q \mathbin{\lfloor\!\lfloor} r),H,H') \xrightarrow{\gamma} (q' \parallel r,H,H')}$

As demonstrated in (c) and (d), if $(q,H,H') \xrightarrow{\gamma} (q',H,H')$ holds then both of the terms $(p \oplus q) \mathbin{\lfloor\!\lfloor} r$ and $(p \mathbin{\lfloor\!\lfloor} r) \oplus (q \mathbin{\lfloor\!\lfloor} r)$ converge to the same expression with the $\gamma$ transition:

$((p \oplus q) \mathbin{\lfloor\!\lfloor} r,H,H') \xrightarrow{\gamma} (q' \parallel r,H,H')$ and $((p \mathbin{\lfloor\!\lfloor} r) \oplus (q \mathbin{\lfloor\!\lfloor} r),H,H') \xrightarrow{\gamma} (q' \parallel r,H,H')$ (77)

Therefore, by (76) and (77) it is straightforward to conclude that the following holds:

$((p \oplus q) \mathbin{\lfloor\!\lfloor} r) \sim ((p \mathbin{\lfloor\!\lfloor} r) \oplus (q \mathbin{\lfloor\!\lfloor} r))$ (78)

Axiom under consideration: $(p \oplus q) \,|\, r \equiv (p \,|\, r) \oplus (q \,|\, r)$ (A$_{13}$) (79)

for $p, q, r \in \mathrm{DyNetKAT}$. According to the semantic rules of DyNetKAT, the following are the possible transitions that can initially occur in the terms $(p \oplus q) \,|\, r$ and $(p \,|\, r) \oplus (q \,|\, r)$:

(1) $(p,H,H') \xrightarrow{x!z} (p',H,H')$ and $(r,H,H') \xrightarrow{x?z} (r',H,H')$
(2) $(p,H,H') \xrightarrow{x?z} (p',H,H')$ and $(r,H,H') \xrightarrow{x!z} (r',H,H')$
(3) $(q,H,H') \xrightarrow{x!z} (q',H,H')$ and $(r,H,H') \xrightarrow{x?z} (r',H,H')$
(4) $(q,H,H') \xrightarrow{x?z} (q',H,H')$ and $(r,H,H') \xrightarrow{x!z} (r',H,H')$

Case (1): $(p,H,H') \xrightarrow{x!z} (p',H,H')$ and $(r,H,H') \xrightarrow{x?z} (r',H,H')$. The derivations of $(p \oplus q) \,|\, r$ are as follows:

(a) $(|_{!?})\ \dfrac{(\mathrm{cpol}_{\_\oplus})\ \dfrac{(p,H,H') \xrightarrow{x!z} (p',H,H')}{(p \oplus q,H,H') \xrightarrow{x!z} (p',H,H')} \quad (r,H,H') \xrightarrow{x?z} (r',H,H')}{((p \oplus q) \,|\, r,H,H') \xrightarrow{\mathrm{rcfg}(x,z)} (p' \parallel r',H,H')}$

The derivations of $(p \,|\, r) \oplus (q \,|\, r)$ are as follows:

(b) $(\mathrm{cpol}_{\_\oplus})\ \dfrac{(|_{!?})\ \dfrac{(p,H,H') \xrightarrow{x!z} (p',H,H') \quad (r,H,H') \xrightarrow{x?z} (r',H,H')}{(p \,|\, r,H,H') \xrightarrow{\mathrm{rcfg}(x,z)} (p' \parallel r',H,H')}}{((p \,|\, r) \oplus (q \,|\, r),H,H') \xrightarrow{\mathrm{rcfg}(x,z)} (p' \parallel r',H,H')}$

As demonstrated in (a) and (b), if $(p,H,H') \xrightarrow{x!z} (p',H,H')$ and $(r,H,H') \xrightarrow{x?z} (r',H,H')$ hold then both of the terms $(p \oplus q) \,|\, r$ and $(p \,|\, r) \oplus (q \,|\, r)$ converge to the same expression with the $\mathrm{rcfg}(x,z)$ transition:

$((p \oplus q) \,|\, r,H,H') \xrightarrow{\mathrm{rcfg}(x,z)} (p' \parallel r',H,H')$ and $((p \,|\, r) \oplus (q \,|\, r),H,H') \xrightarrow{\mathrm{rcfg}(x,z)} (p' \parallel r',H,H')$ (80)

Case (2): $(p,H,H') \xrightarrow{x?z} (p',H,H')$ and $(r,H,H') \xrightarrow{x!z} (r',H,H')$. The derivations of $(p \oplus q) \,|\, r$ are as follows:

(c) $(|_{?!})\ \dfrac{(\mathrm{cpol}_{\_\oplus})\ \dfrac{(p,H,H') \xrightarrow{x?z} (p',H,H')}{(p \oplus q,H,H') \xrightarrow{x?z} (p',H,H')} \quad (r,H,H') \xrightarrow{x!z} (r',H,H')}{((p \oplus q) \,|\, r,H,H') \xrightarrow{\mathrm{rcfg}(x,z)} (p' \parallel r',H,H')}$

The derivations of $(p \,|\, r) \oplus (q \,|\, r)$ are as follows:

(d) $(\mathrm{cpol}_{\_\oplus})\ \dfrac{(|_{?!})\ \dfrac{(p,H,H') \xrightarrow{x?z} (p',H,H') \quad (r,H,H') \xrightarrow{x!z} (r',H,H')}{(p \,|\, r,H,H') \xrightarrow{\mathrm{rcfg}(x,z)} (p' \parallel r',H,H')}}{((p \,|\, r) \oplus (q \,|\, r),H,H') \xrightarrow{\mathrm{rcfg}(x,z)} (p' \parallel r',H,H')}$

As demonstrated in (c) and (d), if $(p,H,H') \xrightarrow{x?z} (p',H,H')$ and $(r,H,H') \xrightarrow{x!z} (r',H,H')$ hold then both of the terms $(p \oplus q) \,|\, r$ and $(p \,|\, r) \oplus (q \,|\, r)$ converge to the same expression with the $\mathrm{rcfg}(x,z)$ transition:

$((p \oplus q) \,|\, r,H,H') \xrightarrow{\mathrm{rcfg}(x,z)} (p' \parallel r',H,H')$ and $((p \,|\, r) \oplus (q \,|\, r),H,H') \xrightarrow{\mathrm{rcfg}(x,z)} (p' \parallel r',H,H')$ (81)

Case (3): $(q,H,H') \xrightarrow{x!z} (q',H,H')$ and $(r,H,H') \xrightarrow{x?z} (r',H,H')$. The derivations of $(p \oplus q) \,|\, r$ are as follows:

(e) $(|_{!?})\ \dfrac{(\mathrm{cpol}_{\oplus\_})\ \dfrac{(q,H,H') \xrightarrow{x!z} (q',H,H')}{(p \oplus q,H,H') \xrightarrow{x!z} (q',H,H')} \quad (r,H,H') \xrightarrow{x?z} (r',H,H')}{((p \oplus q) \,|\, r,H,H') \xrightarrow{\mathrm{rcfg}(x,z)} (q' \parallel r',H,H')}$

The derivations of $(p \,|\, r) \oplus (q \,|\, r)$ are as follows:

(f) $(\mathrm{cpol}_{\oplus\_})\ \dfrac{(|_{!?})\ \dfrac{(q,H,H') \xrightarrow{x!z} (q',H,H') \quad (r,H,H') \xrightarrow{x?z} (r',H,H')}{(q \,|\, r,H,H') \xrightarrow{\mathrm{rcfg}(x,z)} (q' \parallel r',H,H')}}{((p \,|\, r) \oplus (q \,|\, r),H,H') \xrightarrow{\mathrm{rcfg}(x,z)} (q' \parallel r',H,H')}$

As demonstrated in (e) and (f), if $(q,H,H') \xrightarrow{x!z} (q',H,H')$ and $(r,H,H') \xrightarrow{x?z} (r',H,H')$ hold then both of the terms $(p \oplus q) \,|\, r$ and $(p \,|\, r) \oplus (q \,|\, r)$ converge to the same expression with the $\mathrm{rcfg}(x,z)$ transition:

$((p \oplus q) \,|\, r,H,H') \xrightarrow{\mathrm{rcfg}(x,z)} (q' \parallel r',H,H')$ and $((p \,|\, r) \oplus (q \,|\, r),H,H') \xrightarrow{\mathrm{rcfg}(x,z)} (q' \parallel r',H,H')$ (82)

Case (4): $(q,H,H') \xrightarrow{x?z} (q',H,H')$ and $(r,H,H') \xrightarrow{x!z} (r',H,H')$. The derivations of $(p \oplus q) \,|\, r$ are as follows:

(g) $(|_{?!})\ \dfrac{(\mathrm{cpol}_{\oplus\_})\ \dfrac{(q,H,H') \xrightarrow{x?z} (q',H,H')}{(p \oplus q,H,H') \xrightarrow{x?z} (q',H,H')} \quad (r,H,H') \xrightarrow{x!z} (r',H,H')}{((p \oplus q) \,|\, r,H,H') \xrightarrow{\mathrm{rcfg}(x,z)} (q' \parallel r',H,H')}$

The derivations of $(p \,|\, r) \oplus (q \,|\, r)$ are as follows:

(h) $(\mathrm{cpol}_{\oplus\_})\ \dfrac{(|_{?!})\ \dfrac{(q,H,H') \xrightarrow{x?z} (q',H,H') \quad (r,H,H') \xrightarrow{x!z} (r',H,H')}{(q \,|\, r,H,H') \xrightarrow{\mathrm{rcfg}(x,z)} (q' \parallel r',H,H')}}{((p \,|\, r) \oplus (q \,|\, r),H,H') \xrightarrow{\mathrm{rcfg}(x,z)} (q' \parallel r',H,H')}$

As demonstrated in (g) and (h), if $(q,H,H') \xrightarrow{x?z} (q',H,H')$ and $(r,H,H') \xrightarrow{x!z} (r',H,H')$ hold then both of the terms $(p \oplus q) \,|\, r$ and $(p \,|\, r) \oplus (q \,|\, r)$ converge to the same expression with the $\mathrm{rcfg}(x,z)$ transition:

$((p \oplus q) \,|\, r,H,H') \xrightarrow{\mathrm{rcfg}(x,z)} (q' \parallel r',H,H')$ and $((p \,|\, r) \oplus (q \,|\, r),H,H') \xrightarrow{\mathrm{rcfg}(x,z)} (q' \parallel r',H,H')$ (83)

Therefore, by (80), (81), (82) and (83) it is straightforward to conclude that the following holds:

$((p \oplus q) \,|\, r) \sim ((p \,|\, r) \oplus (q \,|\, r))$ (84)

Axiom under consideration: $p \,|\, q \equiv q \,|\, p$ (A$_{14}$) (85)

for $p, q \in \mathrm{DyNetKAT}$. According to the semantic rules of DyNetKAT, the following are the possible transitions that can initially occur in the terms $p \,|\, q$ and $q \,|\, p$:

(1) $(p,H,H') \xrightarrow{x!z} (p',H,H')$ and $(q,H,H') \xrightarrow{x?z} (q',H,H')$
(2) $(p,H,H') \xrightarrow{x?z} (p',H,H')$ and $(q,H,H') \xrightarrow{x!z} (q',H,H')$

Case (1): $(p,H,H') \xrightarrow{x!z} (p',H,H')$ and $(q,H,H') \xrightarrow{x?z} (q',H,H')$. The derivations of $p \,|\, q$ are as follows:

(a) $(|_{!?})\ \dfrac{(p,H,H') \xrightarrow{x!z} (p',H,H') \quad (q,H,H') \xrightarrow{x?z} (q',H,H')}{(p \,|\, q,H,H') \xrightarrow{\mathrm{rcfg}(x,z)} (p' \parallel q',H,H')}$

The derivations of $q \,|\, p$ are as follows:

(b) $(|_{?!})\ \dfrac{(q,H,H') \xrightarrow{x?z} (q',H,H') \quad (p,H,H') \xrightarrow{x!z} (p',H,H')}{(q \,|\, p,H,H') \xrightarrow{\mathrm{rcfg}(x,z)} (q' \parallel p',H,H')}$

As demonstrated in (a) and (b), if $(p,H,H') \xrightarrow{x!z} (p',H,H')$ and $(q,H,H') \xrightarrow{x?z} (q',H,H')$ hold then both of the terms $p \,|\, q$ and $q \,|\, p$ are able to perform the $\mathrm{rcfg}(x,z)$ transition:

$(p \,|\, q,H,H') \xrightarrow{\mathrm{rcfg}(x,z)} (p' \parallel q',H,H')$ and $(q \,|\, p,H,H') \xrightarrow{\mathrm{rcfg}(x,z)} (q' \parallel p',H,H')$ (86)

Observe that the terms evolve into different expressions, and we would now need to check whether these terms are bisimilar. According to the axiom A
6, the || operator is commutative.Hence, the following holds:( p ′ || q ′ ) ∼ ( q ′ || p ′ ) (87) Case (2): ( p, H , H ′ ) x ? z −−→ ( p ′ , H , H ′ ) ( q, H , H ′ ) x ! z −−→ ( q ′ , H , H ′ )The derivations of p | q are as follows:(c) ( | ?! ) ( p, H , H ′ ) x ? z −−→ ( p ′ , H , H ′ ) ( q, H , H ′ ) x ! z −−→ ( q ′ , H , H ′ )( p | q, H , H ′ ) rcfg ( x , z ) −−−−−−→ ( p ′ || q ′ , H , H ′ )The derivations of q | p are as follows: . Caltais, H. Hojjat, M. Mousavi, H. C. Tunç 23:43 (d) ( | ?! ) ( q, H , H ′ ) x ! z −−→ ( q ′ , H , H ′ ) ( p, H , H ′ ) x ? z −−→ ( p ′ , H , H ′ )( q | p, H , H ′ ) rcfg ( x , z ) −−−−−−→ ( q ′ || p ′ , H , H ′ )As demonstrated in (c) and (d), if ( p, H , H ′ ) x ! z −−→ ( p ′ , H , H ′ ) and ( q, H , H ′ ) x ? z −−→ ( q ′ ,H , H ′ ) holds then both of the terms p | q and q | p are able to perform the rcfg ( x , z )transition:( p | q, H , H ′ ) rcfg ( x , z ) −−−−−−→ ( p ′ || q ′ , H , H ′ )( q | p, H , H ′ ) rcfg ( x , z ) −−−−−−→ ( q ′ || p ′ , H , H ′ ) (88)Observe that the terms evolve into different expressions and we would now need to checkif these terms are bisimilar. According to the axiom A
6, the || operator is commutative.Hence, the following holds:( p ′ || q ′ ) ∼ ( q ′ || p ′ ) (89)Therefore, by (86), (87), (88) and (89) it is straightforward to conclude that the followingholds:( p | q ) ∼ ( q | p ) (90)Axiom under consideration: p | q ≡ ⊥ [ owise ] ( A
15) (91)for p, q ∈ DyNetKAT. Observe that the [ owise ] condition implies that p cannot be ofshape x ? z ; r when q is of shape x ! z ; r ′ , as otherwise the axiom ( A
12) would becomeapplicable (or vice versa due to commutativity of | ). Furthermore, note that if p or q contains operators other than ;, that is the operators ⊕ , (cid:84) , || , then the axioms such as( A A
10) and ( A
13) would become applicable and hence the [ owise ] condition wouldnot be met. The axiom ( A
15) can be written explicitly as follows:( z ; p ) | q ≡ ⊥ (92)( x ? z ; p ) | ( x ′ ? z ′ ; q ) ≡ ⊥ (93)( x ! z ; p ) | ( x ′ ! z ′ ; q ) ≡ ⊥ (94)( x ? z ; p ) | ( x ′ ! z ′ ; q ) ≡ ⊥ if x ̸ = x ′ or z ̸ = z ′ (95)( rcfg x,z ; p ) | q ≡ ⊥ (96)for z ∈ NetKAT − dup . Observe that the term ⊥ does not afford a transition and noneof the terms on the left hand side of the equivalences above afford a transition as well.Therefore, the following holds if the [ owise ] condition is met:( p | q ) ∼ ⊥ (97) Axiom under consideration: δ L ( ⊥ ) ≡ ⊥ ( δ ⊥ ) (98)Observe that according to the semantic rules of DyNetKAT, the terms δ L ( ⊥ ) and ⊥ donot afford a transition. Hence, the following trivially holds:( δ L ( ⊥ )) ∼ ⊥ (99)Axiom under consideration: δ L ( at ; p ) ≡ at ; δ L ( p ) if at ̸∈ L ( δ ; ) (100)for at ∈ { α · π, x ? z, x ! z, rcfg x,z } , z ∈ NetKAT − dup and p ∈ DyNetKAT. In the following,we make a case analysis on the shape of a and show that the terms δ L ( at ; p ) and at ; δ L ( p )are bisimilar. In our analysis we always assume that the condition at ̸∈ L is satisfied, asotherwise this axiom is not applicable. 
Case (1): $\mathit{at} \triangleq \alpha\cdot\pi$ and $\sigma_{\alpha\pi} \triangleq \llbracket \alpha\cdot\pi \rrbracket(\sigma::\langle\rangle)$.

The derivations of $\delta_L((\alpha\cdot\pi);p)$ are as follows:
\[
\text{(a)}\quad \text{For all } \sigma' \in \sigma_{\alpha\pi}:\qquad
(\delta)\;\dfrac{(\mathit{cpol}_{\checkmark\_;})\;\dfrac{}{((\alpha\cdot\pi);p,\ \sigma::H,\ H') \xrightarrow{(\sigma,\sigma')} (p,\ H,\ \sigma'::H')}}{(\delta_L((\alpha\cdot\pi);p),\ \sigma::H,\ H') \xrightarrow{(\sigma,\sigma')} (\delta_L(p),\ H,\ \sigma'::H')}
\]
The derivations of $(\alpha\cdot\pi);\delta_L(p)$ are as follows:
\[
\text{(b)}\quad \text{For all } \sigma' \in \sigma_{\alpha\pi}:\qquad
(\mathit{cpol}_{\checkmark\_;})\;\dfrac{}{((\alpha\cdot\pi);\delta_L(p),\ \sigma::H,\ H') \xrightarrow{(\sigma,\sigma')} (\delta_L(p),\ H,\ \sigma'::H')}
\]
As demonstrated in (a) and (b), both of the terms $\delta_L((\alpha\cdot\pi);p)$ and $(\alpha\cdot\pi);\delta_L(p)$ initially afford the same set of transitions of shape $(\sigma,\sigma')$ and they converge to the same expression after taking these transitions:
\[
\begin{array}{l}
(\delta_L((\alpha\cdot\pi);p),\ \sigma::H,\ H') \xrightarrow{(\sigma,\sigma')} (\delta_L(p),\ H,\ \sigma'::H') \\
((\alpha\cdot\pi);\delta_L(p),\ \sigma::H,\ H') \xrightarrow{(\sigma,\sigma')} (\delta_L(p),\ H,\ \sigma'::H')
\end{array} \tag{101}
\]

Case (2): $\mathit{at} \triangleq x?z$.

The derivations of $\delta_L(x?z;p)$ are as follows:
\[
\text{(c)}\quad
(\delta)\;\dfrac{(\mathit{cpol}_?)\;\dfrac{}{(x?z;p,\ \sigma::H,\ H') \xrightarrow{x?z} (p,\ H,\ \sigma'::H')}}{(\delta_L(x?z;p),\ \sigma::H,\ H') \xrightarrow{x?z} (\delta_L(p),\ H,\ \sigma'::H')}
\]
The derivations of $x?z;\delta_L(p)$ are as follows:
\[
\text{(d)}\quad
(\mathit{cpol}_?)\;\dfrac{}{(x?z;\delta_L(p),\ \sigma::H,\ H') \xrightarrow{x?z} (\delta_L(p),\ H,\ \sigma'::H')}
\]
As demonstrated in (c) and (d), both of the terms $\delta_L(x?z;p)$ and $x?z;\delta_L(p)$ initially afford only the $x?z$ transition and they converge to the same expression after taking this transition:
\[
\begin{array}{l}
(\delta_L(x?z;p),\ \sigma::H,\ H') \xrightarrow{x?z} (\delta_L(p),\ H,\ \sigma'::H') \\
(x?z;\delta_L(p),\ \sigma::H,\ H') \xrightarrow{x?z} (\delta_L(p),\ H,\ \sigma'::H')
\end{array} \tag{102}
\]

Case (3): $\mathit{at} \triangleq x!z$.

The derivations of $\delta_L(x!z;p)$ are as follows:
\[
\text{(e)}\quad
(\delta)\;\dfrac{(\mathit{cpol}_!)\;\dfrac{}{(x!z;p,\ \sigma::H,\ H') \xrightarrow{x!z} (p,\ H,\ \sigma'::H')}}{(\delta_L(x!z;p),\ \sigma::H,\ H') \xrightarrow{x!z} (\delta_L(p),\ H,\ \sigma'::H')}
\]
The derivations of $x!z;\delta_L(p)$ are as follows:
\[
\text{(f)}\quad
(\mathit{cpol}_!)\;\dfrac{}{(x!z;\delta_L(p),\ \sigma::H,\ H') \xrightarrow{x!z} (\delta_L(p),\ H,\ \sigma'::H')}
\]
As demonstrated in (e) and (f), both of the terms $\delta_L(x!z;p)$ and $x!z;\delta_L(p)$ initially afford only the $x!z$ transition and they converge to the same expression after taking this transition:
\[
\begin{array}{l}
(\delta_L(x!z;p),\ \sigma::H,\ H') \xrightarrow{x!z} (\delta_L(p),\ H,\ \sigma'::H') \\
(x!z;\delta_L(p),\ \sigma::H,\ H') \xrightarrow{x!z} (\delta_L(p),\ H,\ \sigma'::H')
\end{array} \tag{103}
\]

Case (4): $\mathit{at} \triangleq \mathit{rcfg}_{x,z}$.

The derivations of $\delta_L(\mathit{rcfg}_{x,z};p)$ are as follows:
\[
\text{(g)}\quad
(\delta)\;\dfrac{(\mathit{rcfg}_{x,z})\;\dfrac{}{(\mathit{rcfg}_{x,z};p,\ \sigma::H,\ H') \xrightarrow{\mathit{rcfg}(x,z)} (p,\ H,\ \sigma'::H')}}{(\delta_L(\mathit{rcfg}_{x,z};p),\ \sigma::H,\ H') \xrightarrow{\mathit{rcfg}(x,z)} (\delta_L(p),\ H,\ \sigma'::H')}
\]
The derivations of $\mathit{rcfg}_{x,z};\delta_L(p)$ are as follows:
\[
\text{(h)}\quad
(\mathit{rcfg}_{x,z})\;\dfrac{}{(\mathit{rcfg}_{x,z};\delta_L(p),\ \sigma::H,\ H') \xrightarrow{\mathit{rcfg}(x,z)} (\delta_L(p),\ H,\ \sigma'::H')}
\]
As demonstrated in (g) and (h), both of the terms $\delta_L(\mathit{rcfg}_{x,z};p)$ and $\mathit{rcfg}_{x,z};\delta_L(p)$ initially afford only the $\mathit{rcfg}(x,z)$ transition and they converge to the same expression after taking this transition:
\[
\begin{array}{l}
(\delta_L(\mathit{rcfg}_{x,z};p),\ \sigma::H,\ H') \xrightarrow{\mathit{rcfg}(x,z)} (\delta_L(p),\ H,\ \sigma'::H') \\
(\mathit{rcfg}_{x,z};\delta_L(p),\ \sigma::H,\ H') \xrightarrow{\mathit{rcfg}(x,z)} (\delta_L(p),\ H,\ \sigma'::H')
\end{array} \tag{104}
\]
Therefore, if $\mathit{at} \notin L$, by (101), (102), (103) and (104) it is straightforward to conclude that the following holds:
\[
(\delta_L(\mathit{at};p)) \sim (\mathit{at};\delta_L(p)) \tag{105}
\]

Axiom under consideration: $\delta_L(\mathit{at};p) \equiv \bot$ if $\mathit{at} \in L$ $(\delta_{\bot;})$ (106)

Observe that according to the semantic rules of DyNetKAT, the term $\bot$ does not afford a transition. Furthermore, if the condition $\mathit{at} \in L$ is satisfied, then the term $\delta_L(\mathit{at};p)$ does not afford a transition either. Therefore, if $\mathit{at} \in L$, the following trivially holds:
\[
\delta_L(\mathit{at};p) \sim \bot \tag{107}
\]

Axiom under consideration: $\delta_L(p \oplus q) \equiv \delta_L(p) \oplus \delta_L(q)$ $(\delta_\oplus)$ (108)

for $p, q \in \mathit{DyNetKAT}$. According to the semantic rules of DyNetKAT, the following are the possible transitions that can initially occur in the terms $\delta_L(p \oplus q)$ and $\delta_L(p) \oplus \delta_L(q)$:
\[
\begin{array}{ll}
(1) & (p,H,H') \xrightarrow{\gamma} (p',H,H') \\
(2) & (q,H,H') \xrightarrow{\gamma} (q',H,H')
\end{array}
\qquad \gamma ::= (\sigma,\sigma') \mid x!z \mid x?z \mid \mathit{rcfg}(x,z)
\]

Case (1): $(p,H,H') \xrightarrow{\gamma} (p',H,H')$.

The derivations of $\delta_L(p \oplus q)$ are as follows:
\[
\text{(a)}\quad
(\delta)\;\dfrac{(\mathit{cpol}_{\_\oplus})\;\dfrac{(p,H,H') \xrightarrow{\gamma} (p',H,H')}{(p \oplus q,H,H') \xrightarrow{\gamma} (p',H,H')}}{(\delta_L(p \oplus q),H,H') \xrightarrow{\gamma} (\delta_L(p'),H,H')}
\]
The derivations of $\delta_L(p) \oplus \delta_L(q)$ are as follows:
\[
\text{(b)}\quad
(\mathit{cpol}_{\_\oplus})\;\dfrac{(\delta)\;\dfrac{(p,H,H') \xrightarrow{\gamma} (p',H,H')}{(\delta_L(p),H,H') \xrightarrow{\gamma} (\delta_L(p'),H,H')}}{(\delta_L(p) \oplus \delta_L(q),H,H') \xrightarrow{\gamma} (\delta_L(p'),H,H')}
\]
As demonstrated in (a) and (b), if $(p,H,H') \xrightarrow{\gamma} (p',H,H')$ holds, then both of the terms $\delta_L(p \oplus q)$ and $\delta_L(p) \oplus \delta_L(q)$ converge to the same expression with the $\gamma$ transition:
\[
\begin{array}{l}
(\delta_L(p \oplus q),H,H') \xrightarrow{\gamma} (\delta_L(p'),H,H') \\
(\delta_L(p) \oplus \delta_L(q),H,H') \xrightarrow{\gamma} (\delta_L(p'),H,H')
\end{array} \tag{109}
\]

Case (2): $(q,H,H') \xrightarrow{\gamma} (q',H,H')$.

The derivations of $\delta_L(p \oplus q)$ are as follows:
\[
\text{(c)}\quad
(\delta)\;\dfrac{(\mathit{cpol}_{\oplus\_})\;\dfrac{(q,H,H') \xrightarrow{\gamma} (q',H,H')}{(p \oplus q,H,H') \xrightarrow{\gamma} (q',H,H')}}{(\delta_L(p \oplus q),H,H') \xrightarrow{\gamma} (\delta_L(q'),H,H')}
\]
The derivations of $\delta_L(p) \oplus \delta_L(q)$ are as follows:
\[
\text{(d)}\quad
(\mathit{cpol}_{\oplus\_})\;\dfrac{(\delta)\;\dfrac{(q,H,H') \xrightarrow{\gamma} (q',H,H')}{(\delta_L(q),H,H') \xrightarrow{\gamma} (\delta_L(q'),H,H')}}{(\delta_L(p) \oplus \delta_L(q),H,H') \xrightarrow{\gamma} (\delta_L(q'),H,H')}
\]
As demonstrated in (c) and (d), if $(q,H,H') \xrightarrow{\gamma} (q',H,H')$ holds, then both of the terms $\delta_L(p \oplus q)$ and $\delta_L(p) \oplus \delta_L(q)$ converge to the same expression with the $\gamma$ transition:
\[
\begin{array}{l}
(\delta_L(p \oplus q),H,H') \xrightarrow{\gamma} (\delta_L(q'),H,H') \\
(\delta_L(p) \oplus \delta_L(q),H,H') \xrightarrow{\gamma} (\delta_L(q'),H,H')
\end{array} \tag{110}
\]
Therefore, by (109) and (110) it is straightforward to conclude that the following holds:
\[
(\delta_L(p \oplus q)) \sim (\delta_L(p) \oplus \delta_L(q)) \tag{111}
\]

Axiom under consideration: $\pi_0(p) \equiv \bot$ $(\Pi_0)$ (112)

for $p \in \mathit{DyNetKAT}$. Observe that according to the semantic rules of DyNetKAT, the terms $\pi_0(p)$ and $\bot$ do not afford a transition. Hence, the following trivially holds:
\[
\pi_0(p) \sim \bot \tag{113}
\]

Axiom under consideration: $\pi_n(\bot) \equiv \bot$ $(\Pi_\bot)$ (114)

for $n \in \mathbb{N}$. Observe that according to the semantic rules of DyNetKAT, the terms $\pi_n(\bot)$ and $\bot$ do not afford a transition. Hence, the following trivially holds:
\[
\pi_n(\bot) \sim \bot \tag{115}
\]

Axiom under consideration: $\pi_{n+1}(\mathit{at};p) \equiv \mathit{at};\pi_n(p)$ $(\Pi_;)$ (116)

for $\mathit{at} \in \{\alpha\cdot\pi,\ x?z,\ x!z,\ \mathit{rcfg}_{x,z}\}$, $z \in \mathit{NetKAT}^{-\mathit{dup}}$, $n \in \mathbb{N}$ and $p \in \mathit{DyNetKAT}$. In the following, we make a case analysis on the shape of $\mathit{at}$ and show that the terms $\pi_{n+1}(\mathit{at};p)$ and $\mathit{at};\pi_n(p)$ are bisimilar.

Case (1): $\mathit{at} \triangleq \alpha\cdot\pi$ and $\sigma_{\alpha\pi} \triangleq \llbracket \alpha\cdot\pi \rrbracket(\sigma::\langle\rangle)$.

The derivations of $\pi_{n+1}((\alpha\cdot\pi);p)$ are as follows:
\[
\text{(a)}\quad \text{For all } \sigma' \in \sigma_{\alpha\pi}:\qquad
(\pi)\;\dfrac{(\mathit{cpol}_{\checkmark\_;})\;\dfrac{}{((\alpha\cdot\pi);p,\ \sigma::H,\ H') \xrightarrow{(\sigma,\sigma')} (p,\ H,\ \sigma'::H')}}{(\pi_{n+1}((\alpha\cdot\pi);p),\ \sigma::H,\ H') \xrightarrow{(\sigma,\sigma')} (\pi_n(p),\ H,\ \sigma'::H')}
\]
The derivations of $(\alpha\cdot\pi);\pi_n(p)$ are as follows:
\[
\text{(b)}\quad \text{For all } \sigma' \in \sigma_{\alpha\pi}:\qquad
(\mathit{cpol}_{\checkmark\_;})\;\dfrac{}{((\alpha\cdot\pi);\pi_n(p),\ \sigma::H,\ H') \xrightarrow{(\sigma,\sigma')} (\pi_n(p),\ H,\ \sigma'::H')}
\]
As demonstrated in (a) and (b), both of the terms $\pi_{n+1}((\alpha\cdot\pi);p)$ and $(\alpha\cdot\pi);\pi_n(p)$ initially afford only the same set of transitions of shape $(\sigma,\sigma')$ and they converge to the same expression after taking these transitions:
\[
\begin{array}{l}
(\pi_{n+1}((\alpha\cdot\pi);p),\ \sigma::H,\ H') \xrightarrow{(\sigma,\sigma')} (\pi_n(p),\ H,\ \sigma'::H') \\
((\alpha\cdot\pi);\pi_n(p),\ \sigma::H,\ H') \xrightarrow{(\sigma,\sigma')} (\pi_n(p),\ H,\ \sigma'::H')
\end{array} \tag{117}
\]

Case (2): $\mathit{at} \triangleq x?z$.

The derivations of $\pi_{n+1}(x?z;p)$ are as follows:
\[
\text{(c)}\quad
(\pi)\;\dfrac{(\mathit{cpol}_?)\;\dfrac{}{(x?z;p,\ \sigma::H,\ H') \xrightarrow{x?z} (p,\ H,\ \sigma'::H')}}{(\pi_{n+1}(x?z;p),\ \sigma::H,\ H') \xrightarrow{x?z} (\pi_n(p),\ H,\ \sigma'::H')}
\]
The derivations of $x?z;\pi_n(p)$ are as follows:
\[
\text{(d)}\quad
(\mathit{cpol}_?)\;\dfrac{}{(x?z;\pi_n(p),\ \sigma::H,\ H') \xrightarrow{x?z} (\pi_n(p),\ H,\ \sigma'::H')}
\]
As demonstrated in (c) and (d), both of the terms $\pi_{n+1}(x?z;p)$ and $x?z;\pi_n(p)$ initially afford only the $x?z$ transition and they converge to the same expression after taking this transition:
\[
\begin{array}{l}
(\pi_{n+1}(x?z;p),\ \sigma::H,\ H') \xrightarrow{x?z} (\pi_n(p),\ H,\ \sigma'::H') \\
(x?z;\pi_n(p),\ \sigma::H,\ H') \xrightarrow{x?z} (\pi_n(p),\ H,\ \sigma'::H')
\end{array} \tag{118}
\]

Case (3): $\mathit{at} \triangleq x!z$.

The derivations of $\pi_{n+1}(x!z;p)$ are as follows:
\[
\text{(e)}\quad
(\pi)\;\dfrac{(\mathit{cpol}_!)\;\dfrac{}{(x!z;p,\ \sigma::H,\ H') \xrightarrow{x!z} (p,\ H,\ \sigma'::H')}}{(\pi_{n+1}(x!z;p),\ \sigma::H,\ H') \xrightarrow{x!z} (\pi_n(p),\ H,\ \sigma'::H')}
\]
The derivations of $x!z;\pi_n(p)$ are as follows:
\[
\text{(f)}\quad
(\mathit{cpol}_!)\;\dfrac{}{(x!z;\pi_n(p),\ \sigma::H,\ H') \xrightarrow{x!z} (\pi_n(p),\ H,\ \sigma'::H')}
\]
As demonstrated in (e) and (f), both of the terms $\pi_{n+1}(x!z;p)$ and $x!z;\pi_n(p)$ initially afford only the $x!z$ transition and they converge to the same expression after taking this transition:
\[
\begin{array}{l}
(\pi_{n+1}(x!z;p),\ \sigma::H,\ H') \xrightarrow{x!z} (\pi_n(p),\ H,\ \sigma'::H') \\
(x!z;\pi_n(p),\ \sigma::H,\ H') \xrightarrow{x!z} (\pi_n(p),\ H,\ \sigma'::H')
\end{array} \tag{119}
\]

Case (4): $\mathit{at} \triangleq \mathit{rcfg}_{x,z}$.

The derivations of $\pi_{n+1}(\mathit{rcfg}_{x,z};p)$ are as follows:
\[
\text{(g)}\quad
(\pi)\;\dfrac{(\mathit{rcfg}_{x,z})\;\dfrac{}{(\mathit{rcfg}_{x,z};p,\ \sigma::H,\ H') \xrightarrow{\mathit{rcfg}(x,z)} (p,\ H,\ \sigma'::H')}}{(\pi_{n+1}(\mathit{rcfg}_{x,z};p),\ \sigma::H,\ H') \xrightarrow{\mathit{rcfg}(x,z)} (\pi_n(p),\ H,\ \sigma'::H')}
\]
The derivations of $\mathit{rcfg}_{x,z};\pi_n(p)$ are as follows:
\[
\text{(h)}\quad
(\mathit{rcfg}_{x,z})\;\dfrac{}{(\mathit{rcfg}_{x,z};\pi_n(p),\ \sigma::H,\ H') \xrightarrow{\mathit{rcfg}(x,z)} (\pi_n(p),\ H,\ \sigma'::H')}
\]
As demonstrated in (g) and (h), both of the terms $\pi_{n+1}(\mathit{rcfg}_{x,z};p)$ and $\mathit{rcfg}_{x,z};\pi_n(p)$ initially afford only the $\mathit{rcfg}(x,z)$ transition and they converge to the same expression after taking this transition:
\[
\begin{array}{l}
(\pi_{n+1}(\mathit{rcfg}_{x,z};p),\ \sigma::H,\ H') \xrightarrow{\mathit{rcfg}(x,z)} (\pi_n(p),\ H,\ \sigma'::H') \\
(\mathit{rcfg}_{x,z};\pi_n(p),\ \sigma::H,\ H') \xrightarrow{\mathit{rcfg}(x,z)} (\pi_n(p),\ H,\ \sigma'::H')
\end{array} \tag{120}
\]
Therefore, by (117), (118), (119) and (120) it is straightforward to conclude that the following holds:
\[
(\pi_{n+1}(\mathit{at};p)) \sim (\mathit{at};\pi_n(p)) \tag{121}
\]

Axiom under consideration: $\pi_n(p \oplus q) \equiv \pi_n(p) \oplus \pi_n(q)$ $(\pi_\oplus)$ (122)

for $p, q \in \mathit{DyNetKAT}$. Observe that if $n = 0$, then neither of the two terms affords a transition and bisimilarity holds trivially. If $n > 0$, according to the semantic rules of DyNetKAT, the following are the possible transitions that can initially occur in the terms $\pi_n(p \oplus q)$ and $\pi_n(p) \oplus \pi_n(q)$:
\[
\begin{array}{ll}
(1) & (p,H,H') \xrightarrow{\gamma} (p',H,H') \\
(2) & (q,H,H') \xrightarrow{\gamma} (q',H,H')
\end{array}
\qquad \gamma ::= (\sigma,\sigma') \mid x!z \mid x?z \mid \mathit{rcfg}(x,z)
\]

Case (1): $(p,H,H') \xrightarrow{\gamma} (p',H,H')$.

The derivations of $\pi_n(p \oplus q)$ are as follows:
\[
\text{(a)}\quad
(\pi)\;\dfrac{(\mathit{cpol}_{\_\oplus})\;\dfrac{(p,H,H') \xrightarrow{\gamma} (p',H,H')}{(p \oplus q,H,H') \xrightarrow{\gamma} (p',H,H')}}{(\pi_n(p \oplus q),H,H') \xrightarrow{\gamma} (\pi_{n-1}(p'),H,H')}
\]
The derivations of $\pi_n(p) \oplus \pi_n(q)$ are as follows:
\[
\text{(b)}\quad
(\mathit{cpol}_{\_\oplus})\;\dfrac{(\pi)\;\dfrac{(p,H,H') \xrightarrow{\gamma} (p',H,H')}{(\pi_n(p),H,H') \xrightarrow{\gamma} (\pi_{n-1}(p'),H,H')}}{(\pi_n(p) \oplus \pi_n(q),H,H') \xrightarrow{\gamma} (\pi_{n-1}(p'),H,H')}
\]
As demonstrated in (a) and (b), if $(p,H,H') \xrightarrow{\gamma} (p',H,H')$ holds, then both of the terms $\pi_n(p \oplus q)$ and $\pi_n(p) \oplus \pi_n(q)$ converge to the same expression with the $\gamma$ transition:
\[
\begin{array}{l}
(\pi_n(p \oplus q),H,H') \xrightarrow{\gamma} (\pi_{n-1}(p'),H,H') \\
(\pi_n(p) \oplus \pi_n(q),H,H') \xrightarrow{\gamma} (\pi_{n-1}(p'),H,H')
\end{array} \tag{123}
\]

Case (2): $(q,H,H') \xrightarrow{\gamma} (q',H,H')$.

The derivations of $\pi_n(p \oplus q)$ are as follows:
\[
\text{(c)}\quad
(\pi)\;\dfrac{(\mathit{cpol}_{\oplus\_})\;\dfrac{(q,H,H') \xrightarrow{\gamma} (q',H,H')}{(p \oplus q,H,H') \xrightarrow{\gamma} (q',H,H')}}{(\pi_n(p \oplus q),H,H') \xrightarrow{\gamma} (\pi_{n-1}(q'),H,H')}
\]
The derivations of $\pi_n(p) \oplus \pi_n(q)$ are as follows:
\[
\text{(d)}\quad
(\mathit{cpol}_{\oplus\_})\;\dfrac{(\pi)\;\dfrac{(q,H,H') \xrightarrow{\gamma} (q',H,H')}{(\pi_n(q),H,H') \xrightarrow{\gamma} (\pi_{n-1}(q'),H,H')}}{(\pi_n(p) \oplus \pi_n(q),H,H') \xrightarrow{\gamma} (\pi_{n-1}(q'),H,H')}
\]
As demonstrated in (c) and (d), if $(q,H,H') \xrightarrow{\gamma} (q',H,H')$ holds, then both of the terms $\pi_n(p \oplus q)$ and $\pi_n(p) \oplus \pi_n(q)$ converge to the same expression with the $\gamma$ transition:
\[
\begin{array}{l}
(\pi_n(p \oplus q),H,H') \xrightarrow{\gamma} (\pi_{n-1}(q'),H,H') \\
(\pi_n(p) \oplus \pi_n(q),H,H') \xrightarrow{\gamma} (\pi_{n-1}(q'),H,H')
\end{array} \tag{124}
\]
Therefore, by (123) and (124) it is straightforward to conclude that the following holds: $(\pi_n(p \oplus q)) \sim (\pi_n(p) \oplus \pi_n(q$