06 Dec 2015

Mining Policies From Enterprise Network Configuration

http://dl.acm.org/citation.cfm?id=1644909

cited 20, 2015/12/06 23:17:15

ABSTRACT Few studies so far have examined the nature of reachability policies in enterprise networks… we introduce the notion of a policy unit, which is an abstract representation of how the policies implemented in a network apply to different network hosts. We develop an approach for reverse-engineering a network’s policy units from its router configuration. We apply this approach to the configurations of five production networks, including three university and two private enterprises. Through our empirical study, we validate that policy units capture useful characteristics of a network’s policy. We also obtain insights into the nature of the policies implemented in modern enterprises.

Modern enterprises impose a variety of constraints on point-to-point network communication. These constraints limit an enterprise host’s ability to access various network resources, including other enterprise hosts and various servers. In most enterprises, these restrictions are realized using a combination of different mechanisms in multiple network devices, including ACLs in firewalls and other middle-boxes, policy maps and packet filters in routers, and VLANs which cut across multiple network routers.

The network’s high-level reachability policies — i.e. the specific rules that govern whether or not, and how, different network endpoints can communicate — are seldom “written down” explicitly.

Better understanding of enterprise reachability policies would have several benefits. In particular, it can inform the design of new approaches for implementing policies, such as clean-slate schemes [5, 4, 8, 2] (footnote 1).

… show a method for how the policies of a network can be automatically extracted from the static router configuration state of the network

policy unit concept offers operators a new way to view their networks

2. DEFINITIONS AND APPROACH

2.1 What are Policy Units?

Enterprises can differ significantly in the number and kind of policy units they implement.

2.2 Deriving Policy Units from Configuration

Our strawman approach described below applies to policy units implemented in Layer 3 in enterprise networks.

Our scheme works in three stages. First we calculate the extent of reachability between pairs of routers in the network, i.e., the set of packets that can be exchanged between routers. Then we calculate the reachability between pairs of subnets in the network. From this subnet-level information, we finally derive policy units using a geometric heuristic.

2.2.1 Router-Level Reachability Sets (RRS)

For the first stage, we employ a reachability analysis tool developed in our prior work [3]. The tool models the impact of both control and data plane mechanisms to compute the set of packets that can be exchanged between a pair of routers.

(2) Applying data plane constraints: This component models how the data plane ACLs defined in other routers on the path between a pair of routers, and filtering rules defined in on-path firewalls and middle-boxes, impact which packets are filtered before reaching the destination router.

2.2.2 Subnet-Level Reachability Sets (SRS)

2.2.3 Policy Unit Extraction

Using the formal definition from Section 2.1, we seek to find sets of IP addresses H such that each set is as large as possible, the sets partition the space of all IP addresses in the network, and for each IP address in set H the values of Pow(H × C1 × … × Cm × A) that map to it are identical.
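The three stages sketched in Section 2.2 (path-level ACL filtering to get reachability sets, then grouping addresses with identical reachability into units) can be shown end to end on a toy network. The following is an added example written for these notes, not code from the paper or its authors: the topology, subnets, ACL entries and service ports are all constructed, packet classes are reduced to destination ports, and policy units are extracted by exact grouping of subnets with identical outbound reachability profiles rather than the paper's geometric heuristic over host addresses.

```python
"""Toy policy-unit extraction from router configuration (constructed example).

Stages 1/2: compute which packet classes (destination ports here) can pass
from each subnet to each other subnet, given the router path and the
first-match ACLs on every router along that path.
Stage 3: partition subnets whose reachability profiles are identical.
"""
from collections import deque
from ipaddress import ip_network

# Packet classes are reduced to destination ports (assumption for brevity).
SERVICES = frozenset({22, 80, 443, 3306})

# Constructed topology: subnet -> router it is attached to.
SUBNETS = {
    "10.1.0.0/24": "r1",  # lab A
    "10.1.1.0/24": "r1",  # lab B
    "10.2.0.0/24": "r2",  # staff
    "10.3.0.0/24": "r3",  # server farm
}
LINKS = {"r1": ["r2"], "r2": ["r1", "r3"], "r3": ["r2"]}

# Constructed data-plane ACLs, evaluated first-match on every router a packet
# enters. Entry: (src_prefix, dst_prefix, port or None for any, action).
ACLS = {
    "r2": [("10.1.1.0/24", "10.2.0.0/24", None, "deny")],
    "r3": [
        ("10.1.0.0/16", "10.3.0.0/24", 3306, "deny"),
        ("10.1.0.0/16", "10.3.0.0/24", 22, "deny"),
    ],
}


def router_path(src, dst):
    """Shortest router path by BFS; [src] when both subnets share a router."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt in LINKS.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    if dst not in prev:
        return None
    path = []
    while dst is not None:
        path.append(dst)
        dst = prev[dst]
    return path[::-1]


def acl_allows(router, src_subnet, dst_subnet, port):
    """First matching ACL entry decides; no matching entry means permit."""
    src, dst = ip_network(src_subnet), ip_network(dst_subnet)
    for src_pfx, dst_pfx, acl_port, action in ACLS.get(router, []):
        if (src.subnet_of(ip_network(src_pfx))
                and dst.subnet_of(ip_network(dst_pfx))
                and acl_port in (None, port)):
            return action == "permit"
    return True


def subnet_reachability(src_subnet, dst_subnet):
    """SRS: the ports that survive every on-path ACL (empty if no path)."""
    path = router_path(SUBNETS[src_subnet], SUBNETS[dst_subnet])
    if path is None:
        return frozenset()
    return frozenset(
        port for port in SERVICES
        if all(acl_allows(r, src_subnet, dst_subnet, port) for r in path)
    )


def all_srs():
    """Subnet-level reachability for every ordered subnet pair (self included)."""
    return {(s, d): subnet_reachability(s, d) for s in SUBNETS for d in SUBNETS}


def policy_units(srs):
    """Partition subnets by identical outbound reachability profile.

    Exact grouping at subnet granularity is a simplification chosen here;
    the paper derives units with a geometric heuristic over host addresses.
    """
    units = {}
    for src in SUBNETS:
        profile = tuple(sorted((d, tuple(sorted(srs[(src, d)]))) for d in SUBNETS))
        units.setdefault(profile, []).append(src)
    return sorted(sorted(u) for u in units.values())


if __name__ == "__main__":
    srs = all_srs()
    for (s, d), ports in sorted(srs.items()):
        print(f"{s} -> {d}: {sorted(ports) or 'none'}")
    for i, unit in enumerate(policy_units(srs), 1):
        print(f"policy unit {i}: {unit}")
```

Running it yields three policy units: the staff and server subnets collapse into one unit because nothing on any path filters them, while the two lab subnets, which sit on the same router, end up in separate units because only lab B is blocked from the staff subnet at r2. That is the point of the abstraction: units follow the policy actually enforced along paths, not the physical placement of the hosts.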

4. APPLICATION TO NETWORK MANAGEMENT

  1. Making informed changes to configuration.
  2. Examining trends in network policy evolution.

References

  1. Ethane, Sane, A clean slate 4d approach, CONMan