One of the pitch points of open white-box networking is that it makes Ethernet switches extensible – something exploited by some packet boffins to build what they think is a better way to skin the network monitoring cat.
The researchers, from Brown University, are trying to overcome the mismatch between the limitations of old-style static network monitoring and the speed with which software-defined networking (SDN) can change networks.
Their answer: pick an appropriate query language, embed it into a white-box network switch using OpenFlow, then choose stateful metrics that tell sysadmins what they need to know about the network.
The TL;DR takeout here, as stated in the abstract of their paper at arXiv: getting the properties of individual packets doesn't provide enough detail, while capturing a digest of all network events and analysing them at a server is costly.
Also, they note, some protocols – ARP and DHCP, as well as bespoke SDN – need stateful monitoring.
Their “stateful runtime verification of network control programs” pumps the temporal queries into the switches instead of external boxes. They reckon this is fast (because it captures state transitions in real time), accurate (because there's less risk that events uploaded to a central server will be re-ordered), and cuts the load on a controller or monitoring server.
It also exposes what a switch is doing with a packet between ingress and egress “without resorting to unsound methods such as comparing payload-hashes”.
The queries themselves have a straightforward model: they comprise an ordered list of observations; observations either match a network event, or the lack of an event, in a given time period; observation types are either packet ingress or egress. Observations also contain trigger identifiers.
Keeping it simple means the monitoring regime is kept small enough to be packed into the switch operating system without sucking up processor power needed to keep the network running, the authors reckon.
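The query model described above, sketched as an added Python example (not the researchers' code or query language): an ordered list of ingress/egress observations, where a step can also be satisfied by the absence of a matching event within a time window. The `Observation` and `Query` classes, the ARP field names and the two-second timeout are assumptions made for illustration; trigger identifiers are left out.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Observation:
    kind: str                              # "ingress" or "egress"
    match: Callable[[dict, dict], bool]    # (packet fields, bindings so far) -> bool
    bind: tuple = ()                       # packet fields remembered for later steps
    absent_within: Optional[float] = None  # set: step is satisfied by NO match in this window

class Query:  # completing every observation in order is the condition that gets reported
    def __init__(self, observations):
        self.obs = observations  # assumption: the first observation is a positive one
        self.partial = []        # in-flight instances: [next step, bindings, step start time]
        self.alerts = []         # bindings of each completed instance

    def _advance(self, idx, env, now, out):
        if idx == len(self.obs):
            self.alerts.append(env)
        else:
            out.append([idx, env, now])

    def tick(self, now):  # clock moves on: a negative step whose window closed is satisfied
        out = []
        for idx, env, t0 in self.partial:
            ob = self.obs[idx]
            if ob.absent_within is not None and now - t0 > ob.absent_within:
                self._advance(idx + 1, env, now, out)
            else:
                out.append([idx, env, t0])
        self.partial = out

    def feed(self, now, kind, pkt):  # one switch event; pkt is a dict of header fields
        self.tick(now)
        out = []
        for idx, env, t0 in self.partial + [[0, {}, now]]:  # any event may start an instance
            ob = self.obs[idx]
            hit = ob.kind == kind and ob.match(pkt, env)
            if hit and ob.absent_within is None:   # positive step seen: move to the next one
                self._advance(idx + 1, {**env, **{f: pkt[f] for f in ob.bind}}, now, out)
            elif not hit and idx > 0:              # still waiting; a hit on a negative step cancels
                out.append([idx, env, t0])
        self.partial = out

def arp_unanswered(timeout=2.0):  # constructed query: ARP request in, no matching reply out
    req = Observation("ingress", lambda p, e: p.get("arp_op") == "request", ("target_ip",))
    rep = Observation("egress", lambda p, e: p.get("arp_op") == "reply"
                      and p.get("sender_ip") == e["target_ip"], absent_within=timeout)
    return Query([req, rep])
```

Because the instance state lives next to the event stream, the reply that cancels an instance is seen in the same order the switch handled it, which is the ordering argument the researchers make for in-switch monitoring.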
The authors also note that by baking the analysis into the switches, their approach doesn't depend on the existence of an OpenFlow controller – it can be used in hybrid networks. ®