Explaining Safety Failures in NetKAT
arXiv - CS - Formal Languages and Automata Theory, Pub Date: 2021-02-24, DOI: arxiv-2102.12448
Georgiana Caltais, Hunkar Can Tunc

This work introduces a concept of explanations with respect to the violation of safe behaviours within software defined networks (SDNs) expressible in NetKAT. The latter is a network programming language based on a well-studied mathematical structure, namely, Kleene Algebra with Tests (KAT). Amongst others, the mathematical foundation of NetKAT gave rise to a sound and complete equational theory. In our setting, a safe behaviour is characterised by a NetKAT policy, or program, which does not enable forwarding packets from an ingress i to an undesirable egress e. We show how explanations for safety violations can be derived in an equational fashion, according to a modification of the existing NetKAT axiomatisation. We propose an approach based on the Maude system for actually computing the undesired behaviours witnessing the forwarding of packets from i to e as above. SDN-SafeCheck is a tool based on Maude equational theories satisfying important properties such as Church-Rosser and termination. SDN-SafeCheck automatically identifies all the undesired behaviours leading to e, covering forwarding paths up to a user specified size.

Updated: 2021-02-25