towards validated network configurations with ncguard
play

Towards Validated Network Configurations with NCGuard Laurent V - PowerPoint PPT Presentation

Feb 02, 2024 •99 likes •364 views

Towards Validated Network Configurations with NCGuard Laurent V ANBEVER , Grgory P ARDOEN , Olivier B ONAVENTURE INL: IP Networking Lab (http://inl.info.ucl.ac.be,laurent.vanbever@uclouvain.be) Universit catholique de Louvain (UCL), Belgium

  1. Towards Validated Network Configurations with NCGuard Laurent V ANBEVER , Grégory P ARDOEN , Olivier B ONAVENTURE INL: IP Networking Lab (http://inl.info.ucl.ac.be,laurent.vanbever@uclouvain.be) Université catholique de Louvain (UCL), Belgium Internet Network Management Workshop October 19, 2008

  2. Agenda • Introduction • State-of-the art in network configuration • NCGuard: Towards new configuration paradigm • High-level representation • Validation • Generation • Conclusion • Demo session (1:30pm - 2:30pm)

  3. ge-0/0/1 10Gb ge-0/0/2 fe-0/0/0 fe-0/0/1 Introduction 100Mbit 100Mbit fe-0/0/0 fe-0/1/0 ge-0/0/0 10Gb ge-0/0/1

  4. Some networking facts • Configuring networks is complex , costly , and error- prone • Networks can be composed of hundreds to thousands of devices • Manual configuration, equipment-by-equipment • Trial-and-error approach • Diversity of vendor-specific languages (IOS, JunOS, etc.) • Syntax, semantic, and supported features sets are different • Low-level configuration languages • Lot of code duplication 4

  5. Consequences • Network misconfigurations are frequent • “ Human factors, is the biggest contributor — responsible for 50 to 80 percent of network device outages ” 1 • In 2002, 0.2% to 1% of the BGP table size suffer from misconfiguration 2 • Misconfigurations have led and still lead to large scale problems ( e.g. , YouTube in 2008) • Management costs keep growing due to the increasing complexity of network architectures 1 Juniper Networks, What’s Behind Network Downtime?, 2008 2 R. Mahajan, D. Wetherall, and T. Anderson, “Understanding BGP Misconfiguration,” in SIGCOMM ’02, 2002, pp. 3–16. 5

  6. Current Approaches: Static Analysis • Use pattern matching on configurations to detect misconfigurations 1 • Compare configurations to given specifications 2 • Pro & Con: • Very effective to detect some critical problems • Need a a priori specifications of what a valid network is • Difficulties encountered when analyzing heterogenous networks • Solution: use of an intermediate representation 1 A. Feldmann and J. Rexford. IP Network Configuration for Intradomain Tra ffj c Engineering. IEEE Network Magazine, 2001. 2 N. Feamster and H. Balakrishnan. Detecting BGP Configuration Faults with Static Analysis. In Proceedings of NSDI, 2005. 6

  7. Current Approaches: Data mining • Perform statistical analysis directly on configurations 1 • Infer network-specific policies, then perform deviation analysis 2 • Pro & Con: • Completely independent of a priori validity specifications • Too verbose, people are flooded with non-error messages. • Difficulties encountered when analyzing heterogenous networks • Solution: use of an intermediate representation 1 K. El-Arini and K. Killourhy. Bayesian Detection of Router Configuration Anomalies. In SIGCOMM Workshop on Mining Network Data, 2005. 2 F. Le, S. Lee, T. Wong, H. S. Kim, and D. Newcomb. Minerals: Using Data Mining to Detect Router Misconfigurations. In MineNet ’06: Proceedings of the 2006 SIGCOMM Workshop on Mining Network Data, 2006. 7

  8. Current Approaches: Design V ALIDATED ! B OTTOM -U P A PPROACH V ALIDATOR S PECIFICATIONS E RRORS & W ARNINGS I NTERMEDIATE R EPRESENTATION T RANSLATOR D EVICE 1 ... D EVICE 2 D EVICE N C ONFIG . C ONFIG . C ONFIG . Legend : P ROCESS I NPUT O UTPUT 8

  9. bgp { group ibgp { type internal; peer-as 100; local-address 200.1.1.1; neighbor 200.1.1.2; NCGuard: Towards new configuration paradigm 1 group ebgp { type external; peer-as 200; neighbor 172.13.43.2; } 1 http://inl.info.ucl.ac.be/softwares/ncguard-network-configuration-safeguard

  10. Starting point • Network configuration contrasts with numerous progress in software engineering • Requirements, specifications, verification, validation, new development schemes, etc. • In comparison, network configuration is like writing a distributed program in assembly language 1 • Current approaches do not solve the problem • Do not relax the burden associated to the configuration phase • Why not apply software engineering techniques to network configurations ? 1 S. Lee, T. Wong, and H. Kim, “To automate or not to automate : On the complexity of network configuration,” in IEEE ICC 2008, Beijing, China, May 2008. 10

  11. NCGuard Design N ETWORK S PECIFICATIONS R EPRESENTATION T OP - DOWN A PPROACH E RRORS & V ALIDATOR W ARNINGS J UNIPER T EMPLATE G ENERATOR C ISCO T EMPLATE D EVICE 1 ... D EVICE 2 D EVICE N C ONFIG . C ONFIG . C ONFIG . Legend : P ROCESS I NPUT O UTPUT 11

  12. Main concepts 1. High-level representation ( i.e. , abstraction) of a network configuration • Suppress redundancy • Vendor-independent 2. Rule-based validation engine • A rule represents a condition that must be met by the representation • Flexible way of adding rules 3. Generation engine • Produce the configuration of each device in its own configuration language 12

  13. Validation engine • After a survey of real network configurations, we found that many rules follow regular patterns • In NCGuard, we implemented the structure of several patterns, that can be easily specialized: • Presence (or non-presence) • Uniqueness • Symmetry • If a rule cannot be expressed as one of them: • Custom ( e.g., connexity test, network redundancy test, etc.) 13

  14. Rules representation Scope: All routers • Rules are expressed formally by using Routers the notions of scope and its descendants R1 R2 • A configuration node is an element of the high-level representation Interface Interface • Composed of fields so-0/0/1 so-0/0/1 • A scope is a set of configuration Interface Interface nodes loopback loopback • descendants(x) is a set of selected descendants(R1) : descendants(R2) : descendants of the scope’s element x all R1’s interfaces all R2’s interfaces : Configuration node 14

  15. Presence rule • Check if certain configuration nodes are in the representation Example: each router must have a loopback interface Routers Scope: All routers R1 R2 Interfaces of R1 Interface Interface Interfaces of R2 id: so-0/0/0 id: so-0/0/0 Interface Interface Interface Interface id: loopback id: loopback id: loopback id: loopback : Seeked node 15

  16. Presence rule Check if there is at least one configuration node respecting a given condition in each descendants set. ∀ x ∈ scope ∃ y ∈ descendants ( x ) : C presence ( T, y ) Example : each router must have a loopback interface ∀ x ∈ routers ∃ y ∈ interfaces ( x ) : y.id = loopback <rule id="LOOPBACK_INTERFACE_ON_EACH_NODE" type="presence"> <presence> <scope>ALL_NODES</scope> <descendants>interfaces/interface</descendants> <condition>@id='loopback'</condition> </presence> </rule> 16

  17. Uniqueness rule Check the uniqueness of a field value in a set of configuration nodes Example : uniqueness of routers interfaces identifiers Routers Scope : All routers R1 R2 Interface Interface Interface Interface Interface Interface Interface Interface id: so-0/0/0 id: loopback id: so-0/0/0 id: loopback id: so-0/0/0 id: so-0/0/0 id: so-0/0/0 id: so-0/0/0 Ids of R2’s interfaces are not unique Ids of R1’s interfaces are unique. The rule will failed . 17

  18. Uniqueness rule Check if there is no two configuration nodes with identical value of field ∀ x ∈ scope ∀ y ∈ d ( x ) : ¬ ( ∃ z � = y ∈ d ( x ) : y.field = z.field ) Example : uniqueness of routers interfaces identifiers ∀ x ∈ routers ∀ y ∈ interfaces ( x ) : ¬ ( ∃ z � = y ∈ interfaces ( x ) : y.id = z.id ) <rule id="UNIQUENESS_INTERFACE_ID" type="uniqueness"> <uniqueness> <scope>ALL_NODES</scope> <descendants>interfaces/interface</descendants> <field>@id</field> </uniqueness> </rule> 18

  19. Symmetry rule • Check the equality of fields of configuration nodes • Such rules can be checked implicitly by the high-level representation • Example: MTU must be equal on both ends of a link • Automatically checked by modeling it once at the link level • Instead of twice at the interfaces level • Hypothesis: duplication phase is correct 19

  20. Custom rule • Used to check advanced conditions • Expressed in a query or programming language Example: All OSPFs areas must be connected to the backbone <rule id="ALL_AREAS_CONNECTED_TO_BACKBONE_AREA" type="custom"> <custom> <xquery> for $area in /domain/ospf/areas/area[@id!="0.0.0.0"] let $nodes := $area/nodes/node where count(/domain/ospf/areas/area) > 1 and not(some $y in $nodes satisfies /domain/ospf/areas/ area[@id="0.0.0.0"]/nodes/node[@id=$y/@id]) return <result><area id="{$area/@id}"/></result> </xquery> </custom> </rule> 20

  21. Generation • High level representation is not designed to be translated into low level language • Intermediate representations are needed • Templates translate those intermediates representations into configuration files • Support of any configuration or modeling language ( e.g., Cisco IOS, Juniper JunOS, etc.) 21

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

NV: A Framework for Modeling and Verifying Network Configurations LangSec 2020 David Walker

NV: A Framework for Modeling and Verifying Network Configurations LangSec 2020 David Walker

NV: A Framework for Modeling and Verifying Network Configurations LangSec 2020 David Walker Princeton University Collaborators Nick Giannarakis Devon Loehr Tim Thijm Ratul Mahajan Ryan Beckett Aarti Gupta (UW) (Microsoft) Language-Based

1.27k views • 57 slides
Dont Mind the Gap: Bridging Network-wide Objectives and Device-level Configurations Ryan

Dont Mind the Gap: Bridging Network-wide Objectives and Device-level Configurations Ryan

Dont Mind the Gap: Bridging Network-wide Objectives and Device-level Configurations Ryan Beckett (Princeton, MSR) Ratul Mahajan (MSR) Todd Millstein (UCLA) Jitu Padhye (MSR) David Walker (Princeton) Configuring Networks is Error-Prone

865 views • 64 slides
Comparison Comparison of the proposed configurations of the proposed configurations for the

Comparison Comparison of the proposed configurations of the proposed configurations for the

Comparison Comparison of the proposed configurations of the proposed configurations for the AGATA array for the AGATA array E.Farnea INFN Sezione di Padova 1. Geometries 1. Geometries 1. What kind of configurations are we considering? 2.

391 views • 15 slides
SAIL Project: Value Network Configurations in Information-centric Networking Tapio Lev

SAIL Project: Value Network Configurations in Information-centric Networking Tapio Lev

SAIL Project: Value Network Configurations in Information-centric Networking Tapio Lev (tapio.leva@aalto.fi) Aalto University SCALABLE &amp; ADAPTIVE INTERNET SOLUTIONS 31.1.2012 1 Put information about confidentiality here SAIL Project

428 views • 19 slides
Social Skills Research Validated Interventions 8/3/16 National Autism Conference Rachel

Social Skills Research Validated Interventions 8/3/16 National Autism Conference Rachel

7/27/2016 Social Skills Research Validated Interventions 8/3/16 National Autism Conference Rachel Kittenbrink, Ph.D., B.C.B.A Pennsylvania Training and Technical Assistance Network Why Social Skills? Autism Spectrum Disorder as in DMS-V

757 views • 49 slides
Verification of Delayed Differential Dynamics Based on Validated Simulation Mingshuai Chen 1 ,

Verification of Delayed Differential Dynamics Based on Validated Simulation Mingshuai Chen 1 ,

Problem Formulation Verification Shell Validated Simulation Experimental Results Concluding Remarks . . . . . . . . . . . . Verification of Delayed Differential Dynamics Based on Validated Simulation Mingshuai Chen 1 , Martin Frnzle 2 ,

569 views • 31 slides
Configurations in Lattices &amp; Multiple Mixing Alex Gorodnik (University of Bristol) joint work

Configurations in Lattices &amp; Multiple Mixing Alex Gorodnik (University of Bristol) joint work

Configurations in Lattices &amp; Multiple Mixing Alex Gorodnik (University of Bristol) joint work with Michael Bj orklund and Manfred Einsiedler Configurations in R d Configurations in R d = a large subset of R d . Question Does

1.05k views • 69 slides
configurations in course of accident Valery Strizhov Presentation outline Results of BSAF

configurations in course of accident Valery Strizhov Presentation outline Results of BSAF

RUSSIAN ACADEMY OF SCIENCES Nuclear Safety Institute (IBRAE) Corium debris configurations

362 views • 17 slides
Configurations of Extremal Even Unimodular Lattices Scott D. Kominers Harvard Mathematics

Configurations of Extremal Even Unimodular Lattices Scott D. Kominers Harvard Mathematics

Configurations of Extremal Even Unimodular Lattices Scott D. Kominers Harvard Mathematics Department Brown University SUMS March 8, 2008 Configurations of ExtremalEven Unimodular Lattices p. 1/33 Key Terms Configurations of ExtremalEven

1.04k views • 86 slides
1 2/14/2019 Ask Questions Learning Objectives Learn about brief validated screening tools to

1 2/14/2019 Ask Questions Learning Objectives Learn about brief validated screening tools to

2/14/2019 ADOLESCENT SUBSTANCE USE ADOLESCENT SUBSTANCE USE SCREENING TOOLS: A REVIEW OF SCREENING TOOLS: A REVIEW OF BRIEF VALIDATED TOOLS BRIEF VALIDATED TOOLS HOSTED BY: HOSTED BY: ADOLESCENT SBIRT PROJECT, NORC at THE UNIVERSITY

499 views • 8 slides
Statically Inferring Performance Properties of Software Configurations Chi Li , Shu Wang, Henry

Statically Inferring Performance Properties of Software Configurations Chi Li , Shu Wang, Henry

Statically Inferring Performance Properties of Software Configurations Chi Li , Shu Wang, Henry Hoffmann, Shan Lu Configurations Explosion Tianyin Xu, Long Jin, Xuepeng Fan, Yuanyuan Zhou, Shankar Pasupathy, and Rukma Talwadker . Hey, You Have

891 views • 37 slides
Monte Carlo simulations of the 2D Ising model Stochastic sampling of spin configurations to

Monte Carlo simulations of the 2D Ising model Stochastic sampling of spin configurations to

Monte Carlo simulations of the 2D Ising model Stochastic sampling of spin configurations to estimate Spin configurations configurations; can sample very small fraction for large N Trivial Monte Carlo sampling fails at low T, because the sum is

332 views • 15 slides
Solving equations and inequalities using validated numeric methods Adam Strzebonski, Wolfram

Solving equations and inequalities using validated numeric methods Adam Strzebonski, Wolfram

Slide 1 of 21 Solving equations and inequalities using validated numeric methods Adam Strzebonski, Wolfram Research Inc., USA adams@wolfram.com 2 Talk1111.nb Slide 2 of 21 Abstract Validated numeric methods can be used to significantly speed

384 views • 24 slides
DeepMPLS: Fast Analysis of MPLS Configurations Using Deep Learning Fabien Geyer 1,2 and Stefan

DeepMPLS: Fast Analysis of MPLS Configurations Using Deep Learning Fabien Geyer 1,2 and Stefan

DeepMPLS: Fast Analysis of MPLS Configurations Using Deep Learning Fabien Geyer 1,2 and Stefan Schmid 3 IFIP Networking 2019 Tuesday 21 st May, 2019 3 Faculty of Computer Science, 1 Chair of Network Architectures and Services 2 Airbus Central

632 views • 25 slides
An electro-thermal DMOS model An electro-thermal DMOS model validated on pulsed measurements

An electro-thermal DMOS model An electro-thermal DMOS model validated on pulsed measurements

An electro-thermal DMOS model An electro-thermal DMOS model validated on pulsed measurements validated on pulsed measurements Bart Desoete AMI Semiconductor MOS-AK Bblingen, 24 March 2006 Silicon Solutions for the Real World Silicon

405 views • 22 slides
DOUBLE-HELIX TM (DH) COIL CONFIGURATIONS Dipole Quadrupole Trans ansvers rse ma magneti tic

DOUBLE-HELIX TM (DH) COIL CONFIGURATIONS Dipole Quadrupole Trans ansvers rse ma magneti tic

DOUBLE-HELIX TM (DH) COIL CONFIGURATIONS Dipole Quadrupole Trans ansvers rse ma magneti tic c fie ields: lds: Generated by modulated solen lenoid win inding ng patter terns ns 2 Unique Properties of DH Coil Configurations

466 views • 17 slides
SWIFT Predictive Fast Reroute upon Remote BGP Disruptions Laurent Vanbever ETH Zrich (D-ITET)

SWIFT Predictive Fast Reroute upon Remote BGP Disruptions Laurent Vanbever ETH Zrich (D-ITET)

SWIFT Predictive Fast Reroute upon Remote BGP Disruptions Laurent Vanbever ETH Zrich (D-ITET) Munich Internet Research Retreat November 25 2016 Human factors are responsible for 50% to 80% of network outages Juniper Networks, Whats

2.04k views • 141 slides
A Systematic Analysis of the Juniper Dual EC Incident Stephen Checkoway With Jacob Maskiewicz,

A Systematic Analysis of the Juniper Dual EC Incident Stephen Checkoway With Jacob Maskiewicz,

A Systematic Analysis of the Juniper Dual EC Incident Stephen Checkoway With Jacob Maskiewicz, Christina Garman, Joshua Fried, Shaanan Cohney, Matthew Green, Nadia Heninger, Ralf-Philipp Weinmann, Eric Rescorla, Hovav Shacham Junipers

1.06k views • 76 slides
Through the Wormhole: Yves V ANAUBEL Tracking Invisible MPLS Pascal M RINDOL Jean-Jacques P

Through the Wormhole: Yves V ANAUBEL Tracking Invisible MPLS Pascal M RINDOL Jean-Jacques P

November 1st, 2017 Through the Wormhole: Yves V ANAUBEL Tracking Invisible MPLS Pascal M RINDOL Jean-Jacques P ANSIOT Tunnels Benoit D ONNET Agenda MPLS background Invisible MPLS tunnels Measurement Campaign and Results Agenda

679 views • 22 slides
Garden Gods OF THE Shuttle Routes Transportation Alternatives A. Circulator between Rock

Garden Gods OF THE Shuttle Routes Transportation Alternatives A. Circulator between Rock

Garden Gods OF THE Parking Options Transportation Alternatives Off-Site Parking On-Site at Rock Ledge Map - - + + Pros Cons Pros Cons No need to Need for additional Easy access to Need and cost to develop new shuttle,

63 views • 3 slides
OpenStack Powered by Tungsten Fabric Sukhdev Kapur Krzysztof Kajkowski Distinguished Engineer,

OpenStack Powered by Tungsten Fabric Sukhdev Kapur Krzysztof Kajkowski Distinguished Engineer,

OpenStack Powered by Tungsten Fabric Sukhdev Kapur Krzysztof Kajkowski Distinguished Engineer, Juniper Networks Director of Engineering, CodiLime Open Infrastructure Summit, Shanghai, November 2019 1 Tungsten Fabric Architecture Overview

346 views • 16 slides
:a-~ 1 0 ~ ~ \.)l :r v~ , :i; , : !. ~ - ~ ~ :~ &quot; ' ' ' ~ Pl ' ~ &quot;

:a-~ 1 0 ~ ~ \.)l :r v~ , :i; , : !. ~ - ~ ~ :~ &quot; ' ' ' ~ Pl ' ~ &quot;

. :a-~ 1 0 ~ ~ \.)l :r v~ , :i; , : !. ~ - ~ ~ :~ &quot; ' ' ' ~ Pl ' ~ &quot; lt l ) ' t:t. &quot;:t I{ ~ U.S . D rough l M onitor Septe mber 27, 201 1 Mnd l Y. $#.. 1t,. Z.ON J Southern Pl ai ns (IW ..-d \bid 1

407 views • 18 slides
Software Routers ECE/CS598HPN Radhika Mittal Dataplane programmability is useful New ISP

Software Routers ECE/CS598HPN Radhika Mittal Dataplane programmability is useful New ISP

Software Routers ECE/CS598HPN Radhika Mittal Dataplane programmability is useful New ISP services intrusion detection, application acceleration Flexible network monitoring measure link latency, track down traffic New protocols

929 views • 60 slides
FutureGrid Tutorial @ CloudCom 2010 Indianapolis, Thursday Dec 2, 2010, 4:30-5:00pm

FutureGrid Tutorial @ CloudCom 2010 Indianapolis, Thursday Dec 2, 2010, 4:30-5:00pm

FutureGrid Tutorial @ CloudCom 2010 Indianapolis, Thursday Dec 2, 2010, 4:30-5:00pm laszewski@gmail.com Gregor von Laszewski, Greg Pike, Archit Kulshrestha, Andrew Younge, Fugang Wang, and the rest of the FG Team Community Grids Lab

953 views • 70 slides

More recommend