Good Network Updates for Bad Packets: Waypoint Enforcement Beyond Destination-Based Routing Policies.

Networks are critical for the security of many computer systems. However, their complex and asynchronous nature often renders it difficult to formally reason about network behavior. Accordingly, it is challenging to provide correctness guarantees, especially during network updates. This paper studies how to update networks while maintaining a most basic safety property, Waypoint Enforcement (WPE): each packet is required to traverse a certain checkpoint (for instance, a firewall). Waypoint enforcement is particularly relevant in today's increasingly virtualized and software-defined networks, where new in-network functionality is introduced flexibly. We show that WPE can easily be violated during network updates, even though both the old and the new policy ensure WPE. We then present an algorithm WayUp that guarantees WPE at any time, while completing updates quickly. We also find that in contrast to other transient consistency properties, WPE cannot always be implemented in a wait-free manner, and that WPE may even conflict with Loop-Freedom (LF). Finally, we present an optimal policy update algorithm OptRounds, which requires a minimum number of communication rounds while ensuring both WPE and LF, whenever this is possible.