MatchKAT: An Algebraic Foundation For Match-Action
MMatchKAT: An Algebraic Foundation ForMatch-Action
Xiang Long ! Cornell University, Ithaca, New York, USA
Abstract
We present MatchKAT, an algebraic language for modeling match-action packet processing in networkswitches. Although the match-action paradigm has remained a popular low-level programming modelfor specifying packet forwarding behavior, little has been done towards giving it formal semantics.With MatchKAT, we hope to embark on the first steps in exploring how network programs compiledto match-action rules can be reasoned about formally in a reliable, algebraic way. In this paper, wegive details of MatchKAT and its metatheory, as well as a formal treatment of match expressionson binary strings that form the basis of “match” in match-action. Through a correspondence withNetKAT, we show that MatchKAT’s equational theory is sound and complete with regards to asimilar packet filtering semantics. We also demonstrate the complexity of deciding equivalence inMatchKAT is
PSPACE -complete.
Network services → Programmable networks; Theory of compu-tation → Formal languages and automata theory
Keywords and phrases
Kleene Algebra, Kleene Algebra with Tests, NetKAT, SDN, Software DefinedNetworks
Digital Object Identifier
The match-action paradigm has remained a popular low-level programming model forspecifying packet forwarding behavior in network switches. In this model, a switch isorganized as one or more match tables in sequence, each containing rules with patterns and actions . The pattern is some match specification on the binary data fields in a packet header,such as a ternary expression containing 0, 1 or don’t-care. The action is some modificationon the packet header. When a packet arrives at a match table, a rule is selected amongthose with matching patterns and the associated action is executed. The selection criterioncould be some pre-configured priority ordering on the rules, or based on some property of thepattern such as selecting the one with the fewest don’t-cares (longest prefix matching) [13].There are efficient hardware implementations of match-action [12], and it is a simplemodel accepted by network programmers. Nevertheless, high-level domain specific languages(DSLs) such as NetKAT [1] and P4 [2] are available to provide abstractions for networkpolicies that can then be compiled down to match-action tables in the target switch [3, 14, 15].Despite much theoretic work surrounding these DSLs, there has been comparatively littleinvestigation towards putting match-action itself on a firm theoretical foundation.Towards the goal of formalizing match-action, we present MatchKAT, a Kleene algebrawith tests (KAT) that employs match expressions on binary strings as tests. It is able toencode match and action while having a metatheory closely related to NetKAT. Leveragingresults from NetKAT, we are able to show MatchKAT is sound and complete with respect toits own packet filtering semantics. Through a translation to NetKAT, decision proceduressuch as those in [5] can also be adapted to MatchKAT. Although this paper will mainlyintroduce the basics of MatchKAT and its metatheory, the application-level motivation isthat in the future we may be able to give a formal semantics for match-action as used innetwork switches. It is hoped that MatchKAT will eventually allow for algebraic reasoning © Xiang Long;licensed under Creative Commons License CC-BY 4.0Leibniz International Proceedings in InformaticsSchloss Dagstuhl – Leibniz-Zentrum für Informatik, Dagstuhl Publishing, Germany a r X i v : . [ c s . F L ] F e b X:2 MatchKAT: An Algebraic Foundation For Match-Action on local switch configurations similar to NetKAT for global network policies, which couldallow applications such as proving the equivalence of match-action switch configurations anddecompiling match-action rules to higher-level policies. Previous attempts at reasoning withmatch expressions on binary strings in the context of packet classification, such as in [8, 9],have been more ad hoc and without a formal metatheory.Our contributions can be summarized as follows:We give an algebraic formalization of ternary (0, 1, don’t-care) match expressions onbinary strings (Section 2.2). Although others have studied aspects of the theory of matchexpressions, for example [9], we present it here in a formal algebraic language as matchexpressions will be integral to the formalization of MatchKAT.We give the syntax and a packet filtering semantics for MatchKAT (Section 3), and showhow it is able to to encode match-action (Section 3.4). Despite being related to NetKAT,MatchKAT is able to encode operations that would require much longer expressions inNetKAT.We show that MatchKAT has a sound and complete equational theory with respectto its semantics by leveraging a correspondence with the dup -free fragment of NetKAT(Sections 4 and 5). The problem of deciding equivalence between MatchKAT terms isshown to be
PSPACE -complete (Section 5.1).
In this section we give some background on KATs, as well as a formal presentation of matchexpressions on binary strings. We will defer discussion on NetKAT to Section 4 when weclarify its connection with MatchKAT.
A Kleene algebra with tests (KAT) [10] has a signature (
P, B, + , · , ∗ , , , ¯) such that( P, + , · , ∗ , , ) is a Kleene algebra.( B, + , · , ¯ , , ) is a Boolean algebra.( B, + , · , , ) is a subalgebra of ( P, + , · , , ). P is usually called the set of primitive actions while members of B are primitive tests. Notethat and are the identities of + and · respectively and is an annihilator for · . Terms ofthe KAT are then freely generated by P and B with the operators. We omit most of thealgebraic theories here as they are well-covered in literature [4, 10, 11]. We will howeverhighlight that KATs can possess interesting equational theories, as we will be studying later.It is possible to axiomatically derive equivalences between KAT terms, as well as assignsome denotational semantics to them. We say that the equational theory is sound withrespect to those semantics if all provably equal terms have equal semantics, and complete if proofs of equivalence exist for any two terms that are semantically equal. The decisionproblem of whether two terms are equal can also be studied and its complexity classified.Since KATs can often be used to encode programs, the equational theory is important forstudying program equivalence. We give a formalization of match expressions on binary strings as found in match-action tablesimplemented in network switches. These expressions will form the tests within MatchKAT. . Long XX:3 E ::= • | ⊥ | E + E | E ⊓ E | ¯ E E n +1 ::= E n @ 1 | E n @ 0 | E n @ x | ⊥ | E n +1 + E n +1 | E n +1 ⊓ E n +1 | ¯ E n +1 ⊤ ≜ • ⊤ n ≜ x . . . x | {z } n for all n > Figure 1
Syntax of match expressions. ¯0 = 1 1 + 0 = 0 + 1 = x 1 ⊓ ⊓ ⊥• e = e • = e ⊥ e = e ⊥ = ⊥ ee ′ = ¯ e ⊤ n + ⊤ n ¯ e ′ ( e e ) e = e ( e e ) e ( e + e ) = e e + e e e ( e ⊓ e ) = e e ⊓ e e ( e + e ) e = e e + e e ( e ⊓ e ) e = e e ⊓ e e Figure 2
Axioms for match expressions for e , e , e in E , e in E n , and e ′ in E n . These are inaddition to axioms that enforce ( E n , + , ⊓ , ¯ , ⊥ , ⊤ n ) for each n as Boolean algebras. The set E will be the set of all match expressions that we will define. The syntax ofexpressions is found in Figure 1. E is equipped with a concatenation operation @ and isstratified into subsets E n for all n ≥
0, such that E ≜ S n E n . Each E n is said to be the setof match expressions with width n , and has an algebraic signature ( E n , + , ⊓ , ¯ , ⊥ , ⊤ n ). +is union , ⊓ is intersection , ¯ is complementation , and ⊥ and ⊤ n are identities of + and ⊓ respectively. Terminology-wise, we will refer to the size of binary strings to be matched onas the width , reserving the word length for later quantifying the size of match expressionsthemselves.The actual members of the set E n are defined inductively on the width n . In the basecase, there are the empty • and bottom ⊥ expressions. Note that we distinguish betweenthe empty expression and the empty binary string ϵ . E n +1 is then built from members of E n with concatenation @. Notationally we will usually elide this operator.Intuitively, 1, 0 and x will correspond to matching 1, 0 or anything (don’t-care) at agiven position in the binary string, • is for matching ϵ , and ⊥ matches nothing. We use x toavoid confusion with the ∗ operator of KATs. This intuition of an expression matching bitswill be made formal shortly. Since E n at each width has the signature ( E n , + , ⊓ , ¯ , ⊥ , ⊤ n ), itis also extended freely with expressions built from +, ⊓ and ¯.Axiomatically, for every n we require ( E n , + , ⊓ , ¯ , ⊥ , ⊤ n ) to be a Boolean algebra. TheBoolean algebra axioms determine the behavior of ⊥ and ⊤ n when combined with the Booleanoperators. However, additionally we also need axioms that relate 1, 0, x and concatenation.They are found in Figure 2. Note that axiomatically all expressions concatenated with ⊥ collapse to just ⊥ . It is therefore unnecessary to distinguish ⊥ s of different widths. On theother hand ⊤ n is syntactic sugar for the wildcard expression matching any string of width n ,and there is a distinct such expression for each n .To formalize the semantics of match expressions, we come back to the notion of width andlength as mentioned at the start of this section. Let 2 n be the set of binary strings of width n , and in particular let 2 = { ϵ } be the set only containing the empty string ϵ . Anexpression e ∈ E n is said to have width n and matches strings in 2 n . X:4 MatchKAT: An Algebraic Foundation For Match-Action
We can model what it means for a match expression to match a binary string byinterpreting an expression as the set of all strings that match it. For some expression e ∈ E n ,its interpretation (cid:76) e (cid:77) is the set of all strings in 2 n that matches e . The definition of (cid:76) e (cid:77) ⊆ n is made inductively on e : (cid:76) • (cid:77) ≜ { ϵ } (cid:76) x (cid:77) ≜ { , } (cid:76) e + e ′ (cid:77) ≜ (cid:76) e (cid:77) ∪ (cid:76) e ′ (cid:77)(cid:76) (cid:77) ≜ { } (cid:76) ⊥ (cid:77) ≜ ∅ (cid:76) e ⊓ e ′ (cid:77) ≜ (cid:76) e (cid:77) ∩ (cid:76) e ′ (cid:77)(cid:76) (cid:77) ≜ { } (cid:76) ee ′ (cid:77) ≜ { xx ′ | x ∈ (cid:76) e (cid:77) , x ′ ∈ (cid:76) e ′ (cid:77) } (cid:76) ¯ e (cid:77) ≜ n − (cid:76) e (cid:77) ▶ Example 1.
Since ⊤ n ≜ x . . . x | {z } n for n > (cid:76) ⊤ n (cid:77) = 2 n by derivation from the definitions (cid:76) x (cid:77) and (cid:76) ee ′ (cid:77) .For any S ⊆ n , we say that e captures S if and only if (cid:76) e (cid:77) = S . When reasoning withbinary strings, we often wish to refer to individual bits within the string. For b ∈ n , wewrite b [ i ] for the i -th bit of b , and b [ i ← x ] for the string that is b but with x as the i -th bit.Conventionally, we will use base-1 for bit indices, strings are read left-to-right, and the mostsignificant bit is to the left whenever a string is interpreted as a binary number.Therefore it can be seen that a match expression has the same width as the strings itmatches. On the other hand, its length could be arbitrary in size, and it is a measure of thecomplexity of the expression. ▶ Example 2.
Suppose we are interested only in counting occurrences of ⊓ and +. For someeven width 2 n , consider the expression n (cid:108) i =1 ( ⊤ i − ⊤ n − ⊤ n − i + ⊤ i − ⊤ n − ⊤ n − i ) . It captures exactly the set (cid:8) bb | b ∈ n (cid:9) and its length is O ( n ) since that many ⊓ and +operators were used. An equivalent expression that captures the same set is n X i =1 ( ⊤ i − ⊤ n − ⊤ n − i + ⊤ i − ⊤ n − ⊤ n − i ) , which is also length O ( n ). However, if we are only allowed to use +, but not ⊓ andcomplementation, an expression capturing this set must have length at least exponential in n . This is because each string of the form bb must occur in the match expression explicitly.The same match expression could have different lengths depending on which operatorswe are interested in counting. This is useful for the application of relating match expressionlength to the complexity of a match program in a network switch. Some operations may beexpensive, such as ⊓ , while concatenation can be “free” and do not need to be counted as itis simply multiple hardware units placed in parallel.We end the discussion on match expressions by speaking briefly on the soundness andcompleteness of the equational theory of match expressions with respect to the binary stringsmodel. Proving soundness is a straightforward albeit tedious task. We simply go througheach axiom and show that the expressions on both sides of the equality capture the sameset. Completeness is also fairly easy. We can decide whether two match expressions e and e ′ are equivalent by expanding both to their disjunctive normal forms and then eliminateall occurrences of ⊓ . Equality can then be checked if the expressions are identical upto commutativity of +. Unfortunately, this axiomatic proof of equivalent introduces anexponential blowup. A more tractable, co-NP decision procedure is to non-deterministicallyguess a string in the symmetric difference of (cid:76) e (cid:77) and (cid:76) e ′ (cid:77) , which succeeds if and only if e and e ′ are not equivalent. . Long XX:5 Our discussion of MatchKAT starts with the intuition that each width- n space of matchexpressions E n can be seen as a Boolean algebra over n variables. A binary string correspondsto an assignment of truth values and a match expression is a propositional formula that issatisfied by exactly the assignments of matching binary strings. This is an alternative wayto think of the underlying model that we are working with as our definition of MatchKATevolves. Let n be a constant positive integer, which as before was used to denote the widths of binarystrings, but now we will refer to it as the packet size . Intuitively, MatchKAT is a KAT whoseterms operate on the finite state space created by n bits of random access memory occupiedby a packet header. It is defined by:Primitive tests are match expressions in E n , matching the whole memory at once. For1 ≤ i ≤ n and k ∈ { , } , we will adopt the shorthand i ≃ k for the match expression ⊤ i − k ⊤ n − i , which solely tests whether the i -th bit is k .Primitive actions are in the form i ← k , for 1 ≤ i ≤ n and k ∈ { , } , intended to meanassigning 0 or 1 to bit i .The operations are plus +, composition · , complementation ¯ p , and Kleene star p ∗ . Fortests, + and · correspond respectively to + and ⊓ within match expressions E n (notconcatenation within E ). Sometimes we may write composition as ⊓ between terms thatare known to be tests.The identity of + is ⊥ , and for · it is ⊤ n , or just ⊤ for short.We admit all the axioms required of a KAT, and those of match expressions presentedpreviously. This is already a sufficient definition for a valid KAT. However, we requireadditional packet algebra axioms in order to allow commutation of actions and tests onunrelated memory locations, and absorption of related ones. For i ̸ = j : i ← k · j ← k ′ ≡ j ← k ′ · i ← k i ← k · j ≃ k ′ ≡ j ≃ k ′ · i ← ki ← k · i ≃ k ≡ i ← k i ≃ k · i ← k ≡ i ≃ k We use ≡ to denote the equivalence of terms in order to avoid ambiguity with ≃ and=. Readers familiar with NetKAT may wonder why we do not require axioms of the forms i ≃ k · i ≃ k ≡ i ≃ k , k ̸ = k ′ = ⇒ i ≃ k · i ≃ k ′ ≡ ⊥ , and P k i ≃ k ≡ ⊤ . These are derivabletheorems within the algebra of match expressions. ▶ Example 3. If k ̸ = k ′ , then i ≃ k · i ≃ k ′ ≡ ( ⊤ i − k ⊤ n − i ) ⊓ ( ⊤ i − k ′ ⊤ n − i ) ≡ ⊤ i − ( k ⊓ k ′ ) ⊤ n − i ≡ ⊥ as k ⊓ k ′ ≡ ⊥ . We now discuss the semantics of MatchKAT as applied to packet forwarding. Naturally, the n bits of state we have in mind will be modeled by packet headers, which we will just referto as packets. The following semantics operate on sets of packets at both input and output,intending to model the packets that arrive at a switch and what packets will be forwardedafter filtering by the MatchKAT term. We denote the set of packets as P k , which we will
X:6 MatchKAT: An Algebraic Foundation For Match-Action represent as strings in 2 n (so really P k = 2 n ). The semantics of a MatchKAT term e is afunction (cid:74) e (cid:75) : P ( P k ) → P ( P k ): (cid:74) ⊥ (cid:75) ( P ) ≜ ∅ (cid:74) p + q (cid:75) ( P ) ≜ (cid:74) p (cid:75) ( P ) ∪ (cid:74) q (cid:75) ( P ) (cid:74) ⊤ (cid:75) ( P ) ≜ P (cid:74) p · q (cid:75) ( P ) ≜ ( (cid:74) q (cid:75) ◦ (cid:74) p (cid:75) ) ( P ) (cid:74) a (cid:75) ( P ) ≜ P ∩ (cid:76) a (cid:77) , a ∈ E n (cid:74) ¯ p (cid:75) ( P ) ≜ P k − (cid:74) p (cid:75) ( P ) (cid:74) i ← k (cid:75) ( P ) ≜ { π [ i ← k ] | π ∈ P } (cid:74) p ∗ (cid:75) ( P ) ≜ S k ≥ (cid:74) p (cid:75) k ( P )We call this the packet filtering semantics as the semantic functions are transformers on setsof packets. Suppose a network switch is modeled by a MatchKAT term, the output denotesthe set of packets that is produced given some set of input packets. The next sections willgive examples of how MatchKAT terms can be used in practice, while later in Section 5 wewill show the equational theory of MatchKAT is sound and complete with respect to thissemantics, and deciding equivalence is PSPACE -complete.
In match-action, “match” refers to matching of binary data in packet headers, which we havecovered so far. On the other hand, “actions” in this context refer to simple modificationsof the packet header. Once a rule is matched, its action is performed and the switch thenforwards (or keeps on processing) the packet based on the updated header fields. For example,there may be a port field specifying the egress port the packet should be moved. It is possibleto encode modifications on fields in MatchKAT.
Assignment/test of a constant value over a range of bits can be performed by assigning/testingthe value’s binary representation. ▶ Example 4.
Assigning the value 6 (binary 110) to bits 2 through 4 can be written as2 ← · ← · ← ▶ Example 5.
To assign the values contained in bits 1 through 3 to bits 4 through 6, wecan write(1 ≃ · ← ≃ · ← · (2 ≃ · ← ≃ · ← · (3 ≃ · ← ≃ · ← . We can simply replace ← with ≃ above instead to test for equality. Since we know in advance the packet size n , and the range of bits to operate on, we canencode arithmetic on sets of bits in MatchKAT through simple fixed-width algorithms. Wegive incrementation just as an example. . Long XX:7 ▶ Example 6.
Suppose a range of bits contains a binary value we wish to increment. Wewrite [ i . . . j ] ++ for the term that increments the value contained in bits i through j . It canbe defined inductively as:[ i . . . j ] ++ ≜ ( ⊤ j ≃ · j ← j ≃ · j ← · [ i . . . j − ++ j < i otherwise In real match-action tables, match patterns and actions are paired in rules. A single rule canbe easily encoded in MatchKAT as the composition of a test with actions. Less straightforwardis capturing the rule selection mechanism of the table. For example, let match expressions be b . . . b k and actions p . . . p k . In a table with rules ( b p ) . . . ( b k p k ), we may have multiple b expressions matching an incoming packet. In a priority -ordered table, the rule that isactually selected and has its action executed is based on some pre-assigned priority orderingon the rules. Here suppose 1 is the highest priority and k the lowest. A naive MatchKATencoding of the table as b p + · · · + b k p k does not work, since in a KAT + is commutative.To impose an order, the simplest way is to negate all higher-priority tests: b p + b b p + · · · + b . . . b k − b k p k . This term contains O ( k ) sums and O (cid:0) k (cid:1) compositions. Albeit inefficient, in this case indeeda rule’s action will only be executed if no higher-priority rule matched.An alternative encoding is to set aside some metadata bits as a counter to record thecurrent rule being matched. Suppose this counter resides in bits i through j , then usingincrementation from the previous section, we can write:([ i . . . j ] ← " k X r =1 (cid:16) [ i . . . j ] = r · (cid:16) b r p r · [ i . . . j ] ← ( k + 1) + b [ i . . . j ] ++ (cid:17)(cid:17) ∗ . Here we write [ i . . . j ] = r as shorthand for testing the range bitwise for the binary number r . The encoded term works by only testing rule r if [ i . . . j ] has value r . If b r succeeds thenaction p r is executed, and the rule counter is set to the end value k + 1. If b r fails then therule counter is incremented. Kleene star is used to iterate through all the rules.The above examples are not the only possible ways to encode match-action tables inMatchKAT. However, since we will prove that the equational theory of MatchKAT is soundand complete with respect to its packet filtering semantics, in principle we should be able toprove equivalence between all possible valid encodings. Even though different encodings haveequivalent semantics, they may have different implementation qualities such as the length ofmatch expressions, the depth of nesting, and the use of additional bits to store metadatasuch as [ i . . . j ] in the example above. Nevertheless we can establish a notion of programequivalence between these two ways of representing a table of match-action rules.In some network switches there exist more than one match-action table organized in a pipeline [2, 13] . The tables can be sequentially composed, or possibly be in parallel withbranching and loops. These can all be handled by MatchKAT’s · for sequencing, + forparallelism or branching, and ∗ for loops. NetKAT is an algebraic language based on Kleene algebra with tests that is able to specifypacket forwarding policies in a network [1]. Before we study the equational theory of
X:8 MatchKAT: An Algebraic Foundation For Match-Action
MatchKAT, we will precisely define a connection between MatchKAT and NetKAT in both asyntactic and also semantic sense. This will allow us to leverage known results about NetKATin the MatchKAT setting. Syntactically, there is a correspondence between MatchKATand the dup -free fragment of NetKAT, and we will elaborate on this shortly. Semantically,NetKAT is mainly concerned with the possible progressions of a packet through the network,whereas we are more interested in the behavior of a single, local switch on packets. Thesyntactic and semantic relationships are entirely consistent. dup can be used in NetKATto record the states of a packet at different hops, so it is natural that without dup , weinstead reason about what happens on the local hop. This is referred to in [15] as the “localprogram”, where the switch configuration is still in NetKAT but agnostic about the networktopology. However, we emphasize that MatchKAT is not intended to serve the same purposeas NetKAT. The language instead focuses on lower-level match expressions and manipulationof bits as this is closer to what is implemented in hardware.We give a short description of NetKAT’s syntax and its axioms, but since NetKAT iswell-presented elsewhere, we will not discuss too many details here. What we will see at bythe end of this section, however, are mutual translations between MatchKAT and NetKATthat will come in useful when we study MatchKAT’s equational theory.
Let F = { f , f , . . . , f n } be some fixed, finite set of fields . NetKAT is a KAT again withsignature ( P, B, + , · , ∗ , , , ¯) whose primitive tests B and actions P are defined with respectto F :In addition to and , primitive tests are of the form f i = k , for some natural number k and f i ∈ F .There is a special primitive action named dup . Other primitive actions are in “assignment”form f i ← k .We assume for each field f i there exists a finite set of natural numbers that could be associatedwith the field. Hence a NetKAT term is not well-formed if it contains f i = k or f i ← k for k not in that set. Just like MatchKAT, in addition to the standard KAT axioms, NetKATrequires packet algebra axioms governing mainly when tests and actions can commute. Theycan be found in [1] and it suffices for us to say that they are similar to those in MatchKAT,except for one additional axiom involving dup .We highlight the fact that tests and actions in NetKAT involve constant values. Atfirst glance this may appear more limited than MatchKAT’s ability to perform indirectassignment and computation on fields as demonstrated previously. We point out that this isonly possible in MatchKAT’s case since the size n of the state space is known and we areperforming fixed-width arithmetic. Although we will see later that there is a close connectionbetween the two, this difference in focus between NetKAT and MatchKAT means they arestill separate languages dealing with different levels of abstraction of network programs. We will talk briefly about the semantics of NetKAT, while readers interested in a formaldetailed treatment are invited to read [1]. In NetKAT, a packet is a record of field-value pairs { f = k , . . . , f n = k n } where each field has a valid assignment of values. This representsthe header of a real-life packet that is of interest when we are deciding on its forwardingbehavior. A packet history is simply a list of packets with the head being the most recent. . Long XX:9 ▶ Definition 7.
Let H be the set of packet histories. For π ∈ P k , we write π :: ⟨⟩ for thepacket history with π at its head and nothing else, and hd to be the function that takespacket history to their head packets. When we conflate notation and write hd H for H ⊆ H ,we mean the set { hd h | h ∈ H } .In NetKAT’s packet filtering semantics, the interpretation of a term e is a function (cid:74) e (cid:75) : H →P ( H ). Composition of these functions is done through Kleisli composition in the powersetmonad. The semantics can be thought of as the behavior of a switch when it is presentedwith the head packet in a packet history. Each packet in the history represents a previousstate of the head packet, possibly at a previous switch in the network. Using packet histories,as opposed to simply packets, allows us to distinguish packets that have taken different pathsin the network. However, the input history beyond the head packet cannot be accesseddirectly by NetKAT terms, consistent with a switch not being able to see the operations thatprevious switches have done to the packet.The semantics of NetKAT can be explained intuitively. lets a packet through unchanged,while drops the packet. f = k and f ← k tests and assigns the field f with the value k respectively, in the head packet of the input packet history. dup duplicates the current headpacket and places a copy of it at the head of the history, i.e. (cid:74) dup (cid:75) ( π :: h ) ≜ { π :: π :: h } . Note also that the codomain of the semantic function is sets of packet histories. Thisaccommodates the fact that it is possible for a switch to egress multiple packets in responseto a packet at ingress, possibly different in content and to different destinations. Composition · of interpretations having type H → P ( H ) is done through Kleisli composition in the powersetmonad, in contrast to function composition in MatchKAT. + and ¯ becomes union andcomplementation in the result sets respectively, and ∗ takes the usual meaning of iteratedcomposition. ▶ Example 8.
Suppose the set of fields is { pt , proto , ttl } and pt is understood to be the switchport where the packet is located. The NetKAT term pt = 1 · proto = 6 · dup · ttl ← · pt = 3is the policy “If the packet is at port 1 and has proto value 6, take a snapshot of its currentstate, change the ttl value to 40 and move the packet to port 3. Otherwise drop the packet.” We will now formally define a translation from MatchKAT to NetKAT. For a MatchKATwith packet size n , the corresponding NetKAT will be over n fields, f through f n , eachtaking 0 or 1 in value. We define a homomorphism ⌈·⌉ that takes terms in this MatchKATto the corresponding NetKAT terms as follows: ⌈⊥⌉ ≜ ⌈⊤⌉ ≜ ⌈ i ← k ⌉ ≜ f i ← k The definitions for +, · , ∗ and ¯ terms extend homomorphically, i.e. ⌈ e + e ′ ⌉ ≜ ⌈ e ⌉ + ⌈ e ′ ⌉ ⌈ e · e ′ ⌉ ≜ ⌈ e ⌉ · ⌈ e ′ ⌉ ⌈ e ∗ ⌉ ≜ ⌈ e ⌉ ∗ ⌈ e ⌉ ≜ ⌈ e ⌉ . We complete the definition for primitive tests by giving the translation in terms of matchexpressions on single bits and then concatenation. Translations of more complex matchexpressions extend naturally from the definitions for + and · . ⌈ ⌉ ≜ f i = 0 ⌈ ⌉ ≜ f i = 1 ⌈ x ⌉ ≜ ⌈ e @ e ′ ⌉ ≜ ⌈ e ⌉ · ⌈ e ′ ⌉ X:10 MatchKAT: An Algebraic Foundation For Match-Action
Here i refers to the bit position that the single-bit expression 0 or 1 is matching. We canpre-compute these position values for every 0 or 1 that appears in the expression beforecarrying out the translation. Notice that the translation does not introduce any dup s, and isa straightforward syntactic embedding into NetKAT. More importantly, this translation issemantic preserving in the following way. ▶ Theorem 9.
For any MatchKAT term e , (cid:74) e (cid:75) ( P ) = S π ∈ P hd [ (cid:74) ⌈ e ⌉ (cid:75) ( π :: ⟨⟩ )] . The proof is a standard induction on e . We will simply observe that since the translationintroduces no dup s, hd ( π :: ⟨⟩ ) = π , and it is clear that ⌈ e ⌉ performs the same operations inNetKAT as e does in MatchKAT. Similarly, there is a translation from NetKAT to MatchKAT. Since the latter is dup -free,such a translation is forgetful in the sense that we lose the packet history structure entirelyand only track the state of the head packet.Suppose the particular NetKAT we wish to translate from has fields f through f m . Weassume it is possible to represent the values in each field in binary, and let | f i | denote thenumber of bits required to store f i . We set the target MatchKAT packet size to be n = P i | f i | .The translation from NetKAT terms to MatchKAT terms is again a homomorphic function ⌊·⌋ , and it is only necessary for us to specify its action on the on primitives: ⌊ ⌋ ≜ ⊥ ⌊ ⌋ ≜ ⊤ ⌊ dup ⌋ ≜ ⊤⌊ f i = k ⌋ ≜ (cid:100) | f i | j =1 pos j ( f i ) ≃ bin j ( k ) ⌊ f i ← k ⌋ ≜ Q | f i | j =1 pos j ( f i ) ← bin j ( k )The function pos j ( f i ) gives bit position for the j -th bit in the header space allocated for f i ,i.e. it is pos j ( f i ) = j + P i ′
For any NetKAT term e , hd [ (cid:74) e (cid:75) ( h )] = (cid:74) ⌊ e ⌋ (cid:75) ( { hd h } ) . Again the proof proceeds by induction on e , but we will elaborate slightly this time. Thebase cases are all straightforward by the following reasoning. Both and ⊥ filter out allpacket (histories), while and ⊤ let through everything. Assignments and tests in bothworlds perform the same operations on the (head) packet. dup does not change the headpacket, and on both sides we only consider the head packets. The inductive cases then relyon hd commuting with the semantics of the NetKAT operators +, · and ∗ , which it doessince NetKAT terms do not examine or modify packets in the packet history beyond thehead. dup -Free NetKAT As promised, we show that the equational theory of MatchKAT is sound and complete withrespect to the packet filtering semantics, through borrowing soundness and completenessresults of NetKAT’s equational theory from [1]. . Long XX:11
Consider two NetKAT terms e and e ′ . Suppose ∀ h ∈ H . hd [ (cid:74) e (cid:75) ( h )] = hd [ (cid:74) e ′ (cid:75) ( h )] , it is not necessarily the case that (cid:74) e (cid:75) = (cid:74) e ′ (cid:75) . Although NetKAT terms cannot access packetsbeyond the head in the input packet history, (cid:74) e (cid:75) may still produce different output packethistories compared to (cid:74) e ′ (cid:75) by using dup . If e and e ′ are dup -free however, we are then ableto deduce (cid:74) e (cid:75) = (cid:74) e ′ (cid:75) . The equational theory of dup -free NetKAT is therefore determinedentirely by the operations on the head packet. This idea can be developed into a proof forthe soundness and completeness for the equational theory of MatchKAT. First we requiretwo lemmas. ▶ Lemma 11.
For any MatchKAT expression e , (cid:74) e (cid:75) = (cid:74) ⌊⌈ e ⌉⌋ (cid:75) . ▶ Lemma 12.
For all MatchKAT expressions e and e ′ , e ≡ e ′ ⇐⇒ ⌈ e ⌉ ≡ ⌈ e ′ ⌉ . Proofs of these results can be found in the Appendix, with the insight in both being thattranslations to/from NetKAT preserve equations syntactically and semantically. ▶ Theorem 13. (Soundness and completeness.) For all MatchKAT expressions e and e ′ , e ≡ e ′ ⇐⇒ (cid:74) e (cid:75) = (cid:74) e ′ (cid:75) . This follows from the implications e ≡ e ′ ⇐⇒ ⌈ e ⌉ ≡ ⌈ e ′ ⌉ (Lemma 12) ⇐⇒ (cid:74) ⌈ e ⌉ (cid:75) = (cid:74) ⌈ e ′ ⌉ (cid:75) (NetKAT sound & completeness) ⇐⇒ (cid:74) ⌊⌈ e ⌉⌋ (cid:75) = (cid:74) ⌊⌈ e ′ ⌉⌋ (cid:75) (Theorem 10) ⇐⇒ (cid:74) e (cid:75) = (cid:74) e ′ (cid:75) (Lemma 11) . This third step follows from Theorem 10 since ⌈ e ⌉ and ⌈ e ′ ⌉ , being translations from MatchKATand therefore dup -free, have interpretations determined entirely by modifications on the headpacket. In this section, we discuss the complexity of deciding equivalence in MatchKAT, and howthe result relates to NetKAT. ▶ Theorem 14.
Deciding equivalence in MatchKAT is
PSPACE -complete
Membership of
PSPACE is argued by translating the MatchKAT terms to the dup -freefragment of NetKAT as shown previously. The equational theory of this fragment is in
PSPACE since that of NetKAT is in
PSPACE [1].For hardness, we can encode a word problem for a linear-bounded automaton as aMatchKAT term e , such that the automaton accepts the given word if and only if e ̸≡ ⊥ .The proof is given in the Appendix. The word problem for a linear-bounded automaton isknown to be PSPACE -hard [6].The hardness result in [1] of deciding equivalence in NetKAT relies on a simple translationof regular expressions to NetKAT expressions containing many dup s. Our result improvesthis slightly: ▶ Corollary 15.
Deciding equivalence of dup -free NetKAT terms is
PSPACE -complete.
This can be seen through a similar encoding of the linear-bounded automaton.
X:12 MatchKAT: An Algebraic Foundation For Match-Action
We will end by discussing the potential applications and decision procedures of MatchKAT,as the latter will be crucial in any real-world application in reasoning with match-actiontables. Efficient procedures for NetKAT have already been discovered, such as in [5, 15], thatwork well on many real-life cases. Much of the difficult work is in reasoning with dup , whichMatchKAT does without. We conjecture that it should be possible to adapt these previousdecision procedures to MatchKAT with much simplification. A coalgebraic treatment ofMatchKAT directly is also conjectured to be possible.Application-wise, it is envisaged that MatchKAT could be used to reason about localswitch behavior, in contrast to NetKAT on global network policies, when the switch hasalready been configured by match-action rules. This could be useful for various reasons:MatchKAT has a sound and complete equational theory. Equivalence of terms can bedecided and is guaranteed to be sound. This helps in the verification of correctness aswell as potential configuration optimizations in reducing the number of rules. We havepreviously talked about the notion of length for MatchKAT terms, and so equivalenceof terms of different lengths is potentially proof of equivalence between optimized andunoptimized configurations.MatchKAT is equivalent to dup -free NetKAT, and there is a well-defined translationbetween the two. This could help in decompiling match-action tables to NetKAT in orderto make sense of the global policies they are implementing.MatchKAT’s match expressions is closer to how bits in packet headers are matched onswitches at low-level. MatchKAT could potentially help with efficient implementations ofhardware that performs matching.These all distinguish our work from previous attempts such as [8, 9] that also reasoned withbinary data in packet headers theoretically. We also note with interest that other authorshave also created new algebraic systems with a strong relationship to NetKAT, such as [7].In the future, we intend to further develop concrete applications of MatchKAT in the settingof match-action tables, and demonstrate the usefulness of its algebraic theory.
References Carolyn Jane Anderson, Nate Foster, Arjun Guha, Jean-Baptiste Jeannin, Dexter Kozen, ColeSchlesinger, and David Walker. NetKAT: Semantic foundations for networks. In
Proceedingsof the 41st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages ,POPL ’14, pages 113–126, New York, NY, USA, 2014. ACM. URL: http://doi.acm.org/10.1145/2535838.2535862 , doi:10.1145/2535838.2535862 . Pat Bosshart, Dan Daly, Glen Gibb, Martin Izzard, Nick McKeown, Jennifer Rexford,Cole Schlesinger, Dan Talayco, Amin Vahdat, George Varghese, and David Walker. P4:Programming protocol-independent packet processors.
SIGCOMM Comput. Commun.Rev. , 44(3):87–95, July 2014. URL: http://doi.acm.org/10.1145/2656877.2656890 , doi:10.1145/2656877.2656890 . Sean Choi, Xiang Long, Muhammad Shahbaz, Skip Booth, Andy Keep, John Marshall, andChanghoon Kim. Pvpp: A programmable vector packet processor. In
Proceedings of theSymposium on SDN Research , SOSR ’17, pages 197–198, New York, NY, USA, 2017. ACM.URL: http://doi.acm.org/10.1145/3050220.3060609 , doi:10.1145/3050220.3060609 . J.H. Conway.
Regular algebra and finite machines . Chapman and Hall mathematics series.Chapman and Hall, 1971. URL: https://books.google.com/books?id=xBXvAAAAMAAJ . Nate Foster, Dexter Kozen, Matthew Milano, Alexandra Silva, and Laure Thompson. Acoalgebraic decision procedure for NetKAT. In
Proceedings of the 42Nd Annual ACM SIGPLAN- . Long XX:13
SIGACT Symposium on Principles of Programming Languages , POPL ’15, pages 343–355,New York, NY, USA, 2015. ACM. URL: http://doi.acm.org/10.1145/2676726.2677011 , doi:10.1145/2676726.2677011 . Michael R. Garey and David S. Johnson.
Computers and Intractability; A Guide to the Theoryof NP-Completeness . W. H. Freeman & Co., New York, NY, USA, 1990. Malvin Gattinger and Jana Wagemaker. Towards an analysis of dynamic gossip in NetKAT.In Jules Desharnais, Walter Guttmann, and Stef Joosten, editors,
Relational and AlgebraicMethods in Computer Science , pages 280–297, Cham, 2018. Springer International Publishing. Peyman Kazemian.
Header Space Analysis . PhD thesis, Stanford University, 2013. Peyman Kazemian, George Varghese, and Nick McKeown. Header space analysis: Static check-ing for networks. In
Presented as part of the 9th USENIX Symposium on Networked Systems De-sign and Implementation (NSDI 12) , pages 113–126, San Jose, CA, 2012. USENIX. URL: . Dexter Kozen. Kleene algebra with tests.
ACM Trans. Program. Lang. Syst. , 19(3):427–443, May 1997. URL: http://doi.acm.org/10.1145/256167.256195 , doi:10.1145/256167.256195 . Dexter C. Kozen.
Automata and Computability . Springer-Verlag, Berlin, Heidelberg, 1stedition, 1997. Karthik Lakshminarayanan, Anand Rangarajan, and Srinivasan Venkatachary. Algorithmsfor advanced packet classification with ternary CAMs. In
Proceedings of the 2005 Conferenceon Applications, Technologies, Architectures, and Protocols for Computer Communications ,SIGCOMM ’05, pages 193–204, New York, NY, USA, 2005. ACM. URL: http://doi.acm.org/10.1145/1080091.1080115 , doi:10.1145/1080091.1080115 . Nick McKeown, Tom Anderson, Hari Balakrishnan, Guru Parulkar, Larry Peterson, JenniferRexford, Scott Shenker, and Jonathan Turner. Openflow: Enabling innovation in campusnetworks.
SIGCOMM Comput. Commun. Rev. , 38(2):69–74, March 2008. URL: http://doi.acm.org/10.1145/1355734.1355746 , doi:10.1145/1355734.1355746 . Muhammad Shahbaz, Sean Choi, Ben Pfaff, Changhoon Kim, Nick Feamster, Nick McKeown,and Jennifer Rexford. Pisces: A programmable, protocol-independent software switch. In
Proceedings of the 2016 ACM SIGCOMM Conference , SIGCOMM ’16, pages 525–538, NewYork, NY, USA, 2016. ACM. URL: http://doi.acm.org/10.1145/2934872.2934886 , doi:10.1145/2934872.2934886 . Steffen Smolka, Spiridon Eliopoulos, Nate Foster, and Arjun Guha. A fast compiler forNetKAT. In
Proceedings of the 20th ACM SIGPLAN International Conference on FunctionalProgramming , ICFP 2015, pages 328–341, New York, NY, USA, 2015. ACM. URL: http://doi.acm.org/10.1145/2784731.2784761 , doi:10.1145/2784731.2784761 . AppendixProof of Lemma 11
For all h , we have hd [ (cid:74) ⌈ e ⌉ (cid:75) ( h )] = (cid:74) ⌊⌈ e ⌉⌋ (cid:75) ( { hd h } )by Theorem 10. Hence for all H ⊆ H , [ h ∈ H hd [ (cid:74) ⌈ e ⌉ (cid:75) ( h )] = (cid:74) ⌊⌈ e ⌉⌋ (cid:75) ( hd H )On the other hand, Theorem 9 gives us (cid:74) e (cid:75) ( hd H ) = [ π ∈ hd H hd [ (cid:74) ⌈ e ⌉ (cid:75) ( π :: ⟨⟩ )] X:14 MatchKAT: An Algebraic Foundation For Match-Action for all H ⊆ H . Since h ≈ ( hd h ) :: ⟨⟩ for all h ∈ H , it is safe to rewrite the latter equation to (cid:74) e (cid:75) ( hd H ) = [ h ∈ H hd [ (cid:74) ⌈ e ⌉ (cid:75) ( h )] . Combining this with the second equation gives the required result.
Proof of Lemma 12 e ≡ e ′ ⇐⇒ ⌈ e ⌉ ≡ ⌈ e ′ ⌉ On the left we have MatchKAT terms operating on n bits. On the right are NetKAT termsoperating on n fields each containing 1 bit. Through exhaustion we can prove that everyaxiom in the MatchKAT world gives rise to a corresponding axiom (or derivable theorem) inthe NetKAT world, or vice versa, and hence a proof of equality in one produces automaticallya proof of equality in the other. Instead of going through the full proof for every axiom, wegive some reasons for why it works.KAT axioms are clearly present in both worlds, and ⌈·⌉ is a homomorphism.The packet algebra axioms are present in both as mentioned in Section 3.1.The axioms for manipulating match expressions are present in MatchKAT, but they arenot in NetKAT. However NetKAT has extra axioms of the forms i = k · i = k ≡ i = k , k ̸ = k ′ = ⇒ i = k · i = k ′ ≡ , and P k ( i = k ) ≡ . These, along with the axioms ofthe Boolean algebra, are sufficient to derive equivalents of match expression axioms astheorems. Proof of Theorem 14
A linear-bounded automaton M = ( Q, Σ , ⊢ , ⊣ , δ, s, t, r ) is composed of:Finite set of states Q .Tape alphabet Σ.Left ⊢ and right ⊣ tape-end markers.Transition relation δ ⊆ [ Q × (Σ ∪ {⊢ , ⊣} )] × [ Q × (Σ ∪ {⊢ , ⊣} ) × { L, R } ].Start s , accept t , and reject r states. M can be seen as a non-deterministic Turing machine where the tape is finite and markedon both ends by ⊢ and ⊣ . At the start, an input word is present on the tape, while the tapeis bound to a linear size n with respect to the length of the input. δ is restricted such thatthe end markers are unmodified and the tape head does not move off the ends of the tape.The automaton never transitions out of the accept or reject states once it enters them. Wewill further restrict Σ to two symbols { , } . This is without loss of generality with a linearincrease in the amount of tape required.A packet in the MatchKAT encoding of M contains the following bits: n bits that we will refer to by convience as tape , . . . , tape n , representing the tape.Bits state , . . . , state log | Q | to record the binary encoding of the current state.Bits head , . . . , head log n to record the binary encoding of the head position.Instead of referring to each state and head bit individually, we will assign and test for themcollectively for a particular Q state or tape head position. We then construct expressions inthe MatchKAT as follows:The setup expression α , which is an assignment of state with s , head with 1, and the tape fields as appropriate for the initial tape contents for a given input word.. . Long XX:15 The transition expression β , consisting of sums guarded by state × head × tape head conditions. For a packet in a given configuration, it rewrites it as per one action of thetransition relation.The decision expression γ , which is just a test for state = t .Consider the expression α ( β ∗ ) γ , which is not equivalent to ⊥ if and only M accepts thegiven word. For any non-empty set of input packets, α ( β ∗ ) constructs the set of all reachableconfigurations of M , while γ filters this set to include only the packets that contain the acceptstate. On the other hand, ⊥⊥