Mining Policies From Enterprise Network Configuration
![Page 1: Mining Policies From Enterprise Network Configuration](https://reader033.vdocuments.mx/reader033/viewer/2022060122/55956d2f1a28ab6f678b470f/html5/thumbnails/1.jpg)
Theophilus Benson, Aditya Akella, David Maltz
University of Wisconsin-Madison, Microsoft Research
![Page 2: Mining Policies From Enterprise Network Configuration](https://reader033.vdocuments.mx/reader033/viewer/2022060122/55956d2f1a28ab6f678b470f/html5/thumbnails/2.jpg)
Access control policies
◦ Restrict communication between end-hosts
◦ Secure network resources
![Page 3: Mining Policies From Enterprise Network Configuration](https://reader033.vdocuments.mx/reader033/viewer/2022060122/55956d2f1a28ab6f678b470f/html5/thumbnails/3.jpg)
Implementing policy
◦ Low level command set
◦ Different mechanisms
Global policy is difficult to discover
◦ No documentation

access-list 9 10.1.0.0 0.0.255.255
access-list 5 permit 146.151.176.0 0.0.1.255
access-list 5 permit 146.151.178.0 0.0.1.255
access-list 5 permit 146.151.180.0 0.0.3.255
route-map I1-Only permit 10
 description using access-list 125
 match ip address 125
 set ip next-hop 128.2.33.225
ip prefix-list campus-routes seq 1 permit 72.33.0.0/16
ip prefix-list campus-routes seq 3 permit 144.92.0.0/16
ip prefix-list campus-routes seq 4 permit 146.151.0.0/16
ip prefix-list campus-routes seq 5 permit 198.51.254.0/

[Figure: departments HR Depart., IT Depart., Finance Depart.]
![Page 4: Mining Policies From Enterprise Network Configuration](https://reader033.vdocuments.mx/reader033/viewer/2022060122/55956d2f1a28ab6f678b470f/html5/thumbnails/4.jpg)
Why discover a network’s policy?
◦ Debug network problems
◦ Guide network redesign
![Page 5: Mining Policies From Enterprise Network Configuration](https://reader033.vdocuments.mx/reader033/viewer/2022060122/55956d2f1a28ab6f678b470f/html5/thumbnails/5.jpg)
Manual inspection
◦ Time consuming
◦ Error prone
Extracting reachability sets
◦ Too fine grained
◦ Not human readable

| Networks | Mean file size |
|---|---|
| Univ-1 | 2535 |
| Univ-2 | 560 |
| Univ-3 | 3060 |
| Enet-1 | 278 |
| Enet-3 | 600 |

[Figure: routers A, B, C, D, E with reachability sets R(D,C), R(B,C), R(C,C)]
![Page 6: Mining Policies From Enterprise Network Configuration](https://reader033.vdocuments.mx/reader033/viewer/2022060122/55956d2f1a28ab6f678b470f/html5/thumbnails/6.jpg)
Solution: policy units
◦ Equivalence class on the reachability profile over the network

[Figure: Host 1, Host 2, Host 3, Host 4, Host 5 grouped by reachability profile]
![Page 7: Mining Policies From Enterprise Network Configuration](https://reader033.vdocuments.mx/reader033/viewer/2022060122/55956d2f1a28ab6f678b470f/html5/thumbnails/7.jpg)
Background
Motivation
Extracting policy units
Empirical study on 5 networks
Conclusion
![Page 8: Mining Policies From Enterprise Network Configuration](https://reader033.vdocuments.mx/reader033/viewer/2022060122/55956d2f1a28ab6f678b470f/html5/thumbnails/8.jpg)
Simulate control plane protocols
◦ Discover shortest paths
Apply data plane restrictions

[Figure: R2 reachability sets over destinations H, F, I]
![Page 9: Mining Policies From Enterprise Network Configuration](https://reader033.vdocuments.mx/reader033/viewer/2022060122/55956d2f1a28ab6f678b470f/html5/thumbnails/9.jpg)
Decompose each RRS (router reachability set) into several subnet reachability sets
◦ Apply egress and ingress filters

[Figure: S2 reachability sets for subnets SH, SF, SI over destinations H, F, I]
![Page 10: Mining Policies From Enterprise Network Configuration](https://reader033.vdocuments.mx/reader033/viewer/2022060122/55956d2f1a28ab6f678b470f/html5/thumbnails/10.jpg)
Find largest group of addresses with identical reachability profile
◦ Hash each subunit

[Figure: subunits SF, SH, SI hashed by reachability profile]
![Page 11: Mining Policies From Enterprise Network Configuration](https://reader033.vdocuments.mx/reader033/viewer/2022060122/55956d2f1a28ab6f678b470f/html5/thumbnails/11.jpg)
Extract policy units
◦ Policy unit = subunits with the same hash
◦ 4 policy units from 7 subunits

[Figure: subunits SF, SH, SI grouped into policy units]
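The extraction pipeline of slides 8 to 11 (reachability sets, per-subnet decomposition under data-plane filters, hashing each subunit, grouping equal hashes into policy units) as an added Python example; it is not the paper's or the authors' code. The seven subnets, the first-match ACL and the default-open assumption are constructed, and the run yields the slide's 4 policy units from 7 subunits.

```python
import hashlib
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed example (not from the paper): seven subnets in a default-open
# network. Control-plane simulation is assumed already done, i.e. every router
# has a shortest path to every other, so only data-plane filters decide
# which subnet pairs can communicate.
SUBNETS = ["hr-1", "hr-2", "fin-1", "fin-2", "it-1", "admin", "printers"]

# Constructed ACL, evaluated first-match like a router access-list.
# Entries are (action, source pattern, destination pattern); shell-style
# wildcards stand in for address wildcard masks.
ACL = [
    ("permit", "it-1", "admin"),      # only IT may reach the admin subnet
    ("deny", "*", "admin"),
    ("deny", "hr-*", "fin-*"),        # HR may not reach Finance
    ("deny", "printers", "*"),        # printers never initiate traffic
]
DEFAULT_ACTION = "permit"             # "default open": permit unless denied


def reachable(src, dst, acl=ACL):
    """Apply the ingress/egress filters to one (src, dst) subnet pair."""
    if src == dst:                    # same subnet: no router is traversed
        return True
    for action, s_pat, d_pat in acl:
        if fnmatchcase(src, s_pat) and fnmatchcase(dst, d_pat):
            return action == "permit"
    return DEFAULT_ACTION == "permit"


def reachability_profile(src, subnets=SUBNETS, acl=ACL):
    """Subnet reachability set: every subnet that src can send to."""
    return frozenset(d for d in subnets if reachable(src, d, acl))


def profile_hash(profile):
    """Hash the canonical (sorted) profile so equal profiles collide."""
    return hashlib.sha256("\n".join(sorted(profile)).encode()).hexdigest()


def policy_units(subnets=SUBNETS, acl=ACL):
    """Policy unit = all subnets whose profiles hash identically."""
    groups = defaultdict(list)
    for s in subnets:
        groups[profile_hash(reachability_profile(s, subnets, acl))].append(s)
    return sorted(sorted(g) for g in groups.values())
```

Printing `policy_units()` together with `reachability_profile(unit[0])` for each unit gives the operator-readable summary the slides aim for: one line per policy unit instead of one reachability set per subnet.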
![Page 12: Mining Policies From Enterprise Network Configuration](https://reader033.vdocuments.mx/reader033/viewer/2022060122/55956d2f1a28ab6f678b470f/html5/thumbnails/12.jpg)
| Name | # Subnets | # Policy Units |
|---|---|---|
| Univ-1 | 942 | 2 |
| Univ-2 | 869 | 2 |
| Univ-3 | 617 | 15 |
| Enet-1 | 98 | 1 |
| Enet-2 | 142 | 40 |

• Policy units succinctly describe network
• Two classes of enterprises
◦ Policy-lite: simple with few
◦ Policy-heavy: complex with many
![Page 13: Mining Policies From Enterprise Network Configuration](https://reader033.vdocuments.mx/reader033/viewer/2022060122/55956d2f1a28ab6f678b470f/html5/thumbnails/13.jpg)
4 units cover 70% of end points
Policy-heavy: special cases exist
◦ E.g. admins, networked appliances

| Name | # Policy Units |
|---|---|
| Univ-1 | 2 |
| Univ-2 | 2 |
| Univ-3 | 15 |
| Enet-1 | 1 |
| Enet-2 | 40 |
![Page 14: Mining Policies From Enterprise Network Configuration](https://reader033.vdocuments.mx/reader033/viewer/2022060122/55956d2f1a28ab6f678b470f/html5/thumbnails/14.jpg)
“Default open” network
◦ Control plane filters
Verified units with operator
![Page 15: Mining Policies From Enterprise Network Configuration](https://reader033.vdocuments.mx/reader033/viewer/2022060122/55956d2f1a28ab6f678b470f/html5/thumbnails/15.jpg)
Dichotomy:
◦ Default-open: data plane filters
◦ Default-closed: data plane & control plane filters

[Chart: Number of Lines in Config File (y axis, 0 to 8000) per Config File (x axis, 1 to 23)]
![Page 16: Mining Policies From Enterprise Network Configuration](https://reader033.vdocuments.mx/reader033/viewer/2022060122/55956d2f1a28ab6f678b470f/html5/thumbnails/16.jpg)
Described a framework for extracting policy units
Analyzed policies of 5 enterprises
◦ Most users experience the same policy
◦ Networks implement few policies
![Page 17: Mining Policies From Enterprise Network Configuration](https://reader033.vdocuments.mx/reader033/viewer/2022060122/55956d2f1a28ab6f678b470f/html5/thumbnails/17.jpg)
Questions?