DOI: 10.1145/3672199.3673888
short-paper

Accelerating ACL Configuration Update through Data Plane Analysis

Published: 04 August 2024

Abstract

We design a novel method to address the challenges of updating Access Control Lists (ACLs) in complex networks. Traditional approaches to ACL configuration often rely on comprehensive, network-wide Satisfiability Problem (SAT) solving, which is computationally intensive and inefficient for large-scale networks. Our method significantly reduces the computational overhead of SAT solving in two ways. First, by contrasting the discrepancies between network forwarding behavior and intentions before and after updates in the data plane, it confines the SAT solving space to localized regions of the network. Second, it optimizes the solving process by utilizing the behavior of devices outside the localized regions, thereby decreasing both the frequency of calls to the SAT solver and the scale of the problems being solved. Preliminary evaluations in simulated network environments demonstrate substantial improvements in solving speed, with speedups of 31x to 59x for larger networks with up to 150 nodes. This approach promises to streamline network management tasks and enhance the reliability of ACL configurations in dynamic networks.
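The localization idea in the abstract can be illustrated on a toy data plane. The following is an added example, not code from the paper: the topology, flows, intents, the source-based deny model and all function names are constructed assumptions, and a brute-force search stands in for the SAT solver.

```python
from itertools import combinations

# Constructed sample data: flow (src, dst) -> device path, before and after a routing update.
BEFORE = {("A", "db"): ["r1", "r2", "r4"], ("A", "web"): ["r1", "r3", "r5"],
          ("B", "db"): ["r6", "r2", "r4"], ("B", "web"): ["r6", "r7", "r5"]}
AFTER = {**BEFORE, ("A", "db"): ["r1", "r3", "r4"]}   # A->db now bypasses r2
INTENT = {("A", "db"): False, ("A", "web"): True,     # True = must be permitted
          ("B", "db"): True, ("B", "web"): True}
ACLS = {"r2": {"A"}}                                  # device -> denied sources

def permitted(paths, acls):
    """A flow passes only if no device on its path denies its source."""
    return {f: all(f[0] not in acls.get(d, set()) for d in p)
            for f, p in paths.items()}

def violations(paths, acls, intent):
    """Flows whose data plane behavior differs from the intent."""
    got = permitted(paths, acls)
    return sorted(f for f in intent if got[f] != intent[f])

def region(paths, bad_flows):
    """Localized region: devices on the current paths of violating flows."""
    return sorted({d for f in bad_flows for d in paths[f]})

def repair(paths, acls, intent, devices):
    """Smallest set of (device, source) deny toggles on `devices` that
    restores every intent; returns (toggles, candidate sets tried)."""
    cands = [(d, s) for d in devices for s in sorted({f[0] for f in intent})]
    tried = 0
    for k in range(len(cands) + 1):
        for combo in combinations(cands, k):
            tried += 1
            trial = {d: set(v) for d, v in acls.items()}
            for d, s in combo:
                trial.setdefault(d, set()).symmetric_difference_update({s})
            if not violations(paths, trial, intent):   # checked network-wide
                return list(combo), tried
    return None, tried

if __name__ == "__main__":
    bad = violations(AFTER, ACLS, INTENT)
    local = region(AFTER, bad)
    everywhere = sorted({d for p in AFTER.values() for d in p})
    print("violating flows:", bad, "region:", local)
    print("local search:  ", repair(AFTER, ACLS, INTENT, local))
    print("network-wide:  ", repair(AFTER, ACLS, INTENT, everywhere))
```

Both searches find the same fix, but the localized one draws from 6 candidate toggles instead of 14, while every candidate is still validated against all flows so that permitted traffic crossing the region is not broken.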


    Published In

    FMANO '24: Proceedings of the 2024 SIGCOMM Workshop on Formal Methods Aided Network Operation
    August 2024
    62 pages
    ISBN:9798400707148
    DOI:10.1145/3672199
    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. Access Control List
    2. Data Plane Analysis
    3. Network Management

    Qualifiers

    • Short-paper
    • Research
    • Refereed limited

    Conference

    ACM SIGCOMM '24
    Sponsor:
    ACM SIGCOMM '24: ACM SIGCOMM 2024 Conference
    August 4 - 8, 2024
    NSW, Sydney, Australia
