TRANSCRIPT

Slide 1: Mining Policies From Enterprise Network Configuration
Theophilus Benson, Aditya Akella, David Maltz
University of Wisconsin-Madison, Microsoft Research

Slide 2: Enterprise Network Policies
• Access control policies
  ◦ Restrict communication between end-hosts
  ◦ Secure network resources

Slide 3: Implementing Network Policies
• Implementing policy
  ◦ Low-level command set
  ◦ Different mechanisms
• Global policy is difficult to discover
  ◦ No documentation

Configuration excerpt shown on the slide:
    access-list 9 10.1.0.0 0.0.255.255
    access-list 5 permit 146.151.176.0 0.0.1.255
    access-list 5 permit 146.151.178.0 0.0.1.255
    access-list 5 permit 146.151.180.0 0.0.3.255
    route-map I1-Only permit 10
     description using access-list 125
     match ip address 125
     set ip next-hop 128.2.33.225
    ip prefix-list campus-routes seq 1 permit 72.33.0.0/16
    ip prefix-list campus-routes seq 3 permit 144.92.0.0/16
    ip prefix-list campus-routes seq 4 permit 146.151.0.0/16
    ip prefix-list campus-routes seq 5 permit 198.51.254.0/

Figure labels: HR Depart., IT Depart., Finance Depart.

Slide 4: Motivation: Discovering Network Policies
• Why discover a network's policy?
  ◦ Debug network problems
  ◦ Guide network redesign

Slide 5: Current Approaches for Discovering Network Policies
• Manual inspection
  ◦ Time consuming
  ◦ Error prone
• Extracting reachability sets
  ◦ Too fine-grained
  ◦ Not human readable

| Networks | Mean file size |
|----------|----------------|
| Univ-1   | 2535           |
| Univ-2   | 560            |
| Univ-3   | 3060           |
| Enet-1   | 278            |
| Enet-3   | 600            |

Figure: nodes A, B, C, D, E with reachability sets R(D,C), R(B,C), R(C,C)

Slide 6: Example of Policies in an Enterprise
• Solution: policy units
  ◦ Equivalence class on the reachability profile over the network

Figure: Host 1, Host 2, Host 3, Host 4, Host 5

Slide 7: Outline
• Background
• Motivation
• Extracting policy units
• Empirical study on 5 networks
• Conclusion

Slide 8: Discovering Policy Units 1: Extracting Router Reachability Set
• Simulate control plane protocols
  ◦ Discover shortest paths
• Apply data plane restrictions
• R² reachability sets

Figure labels: routers H, F, I

Slide 9: Discovering Policy Units 2: Extracting Subnet Reachability Set
• Decompose each RRS into several subnet reachability sets
  ◦ Apply egress and ingress filters
• S² reachability sets

Figure labels: subnets SH, SF, SI attached to routers H, F, I

Slide 10: Discovering Policy Units 3: Extracting Subunits
• Find largest group of addresses with identical reachability profile
• Hash each subunit

Figure labels: SF, SH, SI

Slide 11: Discovering Policy Units 4: The Policy Units
• Extract policy units
  ◦ Policy unit = subunits with the same hash
• 4 policy units from 7 subunits

Figure labels: SF, SH, SI
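As an added example (not code from the paper or its authors), the four steps of slides 8 to 11 run end to end on a constructed toy network in Python. Everything in it is invented for illustration: the three routers H, F, I and five /29 subnets SH1, SH2, SF, SI1, SI2, the one route filter, and the one ACL. It also makes simplifying assumptions the slides do not spell out: a single global first-match ACL with implicit permit stands in for per-router ingress and egress filters, a control-plane filter is modelled as a router that never installs a route to a subnet, a host's reachability profile is its row and column of the host-level reachability matrix, and a subunit is a maximal run of contiguous addresses inside one subnet that share a profile.

```python
"""Toy policy-unit extraction following the four slide steps.

Constructed example: the topology, prefixes and filters are invented for
illustration and are not the networks studied in the paper.
"""
from collections import deque
from hashlib import sha256
from itertools import groupby
from ipaddress import ip_network

# --- constructed input ------------------------------------------------------
LINKS = [("H", "F"), ("F", "I")]                    # router adjacency (H - F - I)
SUBNETS = {                                          # subnet -> (router, prefix)
    "SH1": ("H", "10.0.1.0/29"), "SH2": ("H", "10.0.2.0/29"),
    "SF":  ("F", "10.0.3.0/29"),
    "SI1": ("I", "10.0.4.0/29"), "SI2": ("I", "10.0.5.0/29"),
}
# Control-plane filter: router I never installs a route to SH2 (prefix-list style).
ROUTE_FILTERS = {("I", "SH2")}
# Data-plane filter, first match wins, implicit permit ("default open" network).
# Simplification: one global ACL instead of per-router, per-interface ACLs.
ACL = [
    ("permit", "10.0.2.5/32", "10.0.3.0/29"),   # one admin host in SH2 may reach SF
    ("deny",   "10.0.2.0/29", "10.0.3.0/29"),   # the rest of SH2 may not
    ("deny",   "10.0.1.0/29", "10.0.3.0/29"),   # SH1 may not reach SF either
]


def router_paths(links):
    """Step 1: simulate the control plane; BFS gives shortest router paths."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    paths = {}
    for start in adj:
        paths[start] = {start: [start]}
        queue = deque([start])
        while queue:
            cur = queue.popleft()
            for nxt in adj[cur]:
                if nxt not in paths[start]:
                    paths[start][nxt] = paths[start][cur] + [nxt]
                    queue.append(nxt)
    return paths


def acl_permits(src, dst, acl):
    """First matching ACL entry decides; no match means permit."""
    for action, s, d in acl:
        if src in ip_network(s) and dst in ip_network(d):
            return action == "permit"
    return True


def host_reaches(subnets, paths, route_filters, acl, src_sub, src, dst_sub, dst):
    """Step 2: one cell of the subnet reachability set, at host granularity."""
    if src_sub == dst_sub:
        return True                      # local delivery never leaves the subnet
    r_src, r_dst = subnets[src_sub][0], subnets[dst_sub][0]
    if r_dst not in paths.get(r_src, {}):
        return False                     # no control-plane path between routers
    if (r_src, dst_sub) in route_filters:
        return False                     # route filtered: destination unknown
    return acl_permits(src, dst, acl)    # ingress/egress data-plane filter


def reachability_profiles(subnets, links, route_filters, acl):
    """Profile of a host = what it can reach plus what can reach it."""
    paths = router_paths(links)
    hosts = [(n, h) for n, (_, p) in subnets.items() for h in ip_network(p).hosts()]
    reach = {(a, b): host_reaches(subnets, paths, route_filters, acl, sa, a, sb, b)
             for sa, a in hosts for sb, b in hosts}
    return {(sa, a): (tuple(reach[(a, b)] for _, b in hosts),
                      tuple(reach[(b, a)] for _, b in hosts))
            for sa, a in hosts}


def subunits(profiles):
    """Step 3: split each subnet into maximal address runs with one profile; hash each."""
    out = []
    for sub, members in groupby(sorted(profiles), key=lambda k: k[0]):
        for prof, run in groupby(list(members), key=lambda k: profiles[k]):
            ips = [ip for _, ip in run]
            digest = sha256(repr(prof).encode()).hexdigest()[:12]
            out.append((sub, str(ips[0]), str(ips[-1]), digest))
    return out


def policy_units(subunit_list):
    """Step 4: a policy unit is the set of subunits sharing one profile hash."""
    groups = {}
    for sub, lo, hi, digest in subunit_list:
        groups.setdefault(digest, []).append(f"{sub}[{lo}-{hi}]")
    return sorted(groups.values())


def run_example():
    """Returns (number of subunits, policy units) for the constructed network."""
    units = subunits(reachability_profiles(SUBNETS, LINKS, ROUTE_FILTERS, ACL))
    return len(units), policy_units(units)


if __name__ == "__main__":
    n, pus = run_example()
    print(f"{len(pus)} policy units from {n} subunits")
    for pu in pus:
        print("  ", ", ".join(pu))
```

On this input the pipeline yields 5 policy units from 7 subunits. The single admin host 10.0.2.5, permitted through to SF while its neighbours are denied, becomes its own unit; the two address runs of SH2 on either side of it hash to the same profile and land in one unit; and SI1 and SI2 collapse into one unit because no filter distinguishes them. That is the shape slide 13 describes: a few large units covering most end points, with small special-case units for administrators and appliances.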

Slide 12: Policy Units in Enterprises

| Name   | # Subnets | # Policy Units |
|--------|-----------|----------------|
| Univ-1 | 942       | 2              |
| Univ-2 | 869       | 2              |
| Univ-3 | 617       | 15             |
| Enet-1 | 98        | 1              |
| Enet-2 | 142       | 40             |

• Policy units succinctly describe the network
• Two classes of enterprises
  ◦ Policy-lite: simple with few
  ◦ Policy-heavy: complex with many

Slide 13: Footprint of Policy Units
• 4 units cover 70% of end points
• Policy-heavy: special cases exist
  ◦ E.g. admins, networked appliances

| Name   | # Policy Units |
|--------|----------------|
| Univ-1 | 2              |
| Univ-2 | 2              |
| Univ-3 | 15             |
| Enet-1 | 1              |
| Enet-2 | 40             |

Slide 14: Policy Units in a Policy-lite Enterprise
• "Default open" network
  ◦ Control plane filters
• Verified units with operator

Slide 15: Policy Units in a Policy-heavy Enterprise
• Dichotomy:
  ◦ Default-open: data plane filters
  ◦ Default-closed: data plane & control plane filters

Chart: Number of Lines in Config File (y axis, 0 to 8000) per Config File (x axis, 1 to 22)

Slide 16: Conclusion
• Described a framework for extracting policy units
• Analyzed policies of 5 enterprises
• Most users experience the same policy
• Networks implement few policies

Slide 17: Questions?
Thank You