Safely and automatically updating in-network ACL configurations with intent language

Tian, Bingchuan; Zhang, Xinyi; Zhai, Ennan; Liu, Hongqiang Harry; Ye, Qiaobo; Wang, Chunsheng; Wu, Xia; Ji, Zhiming; Sang, Yihong; Zhang, Ming; Yu, Dejian; Tian, Chen; Zheng, Haitao; Zhao, Ben Y.

doi:10.1145/3341302.3342088

Cited by 61 publications

(36 citation statements)

References 27 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…The intent refining system introduces a feedback mechanism, which effectively improves the accuracy of intent recognition, but does not check the consistency of the network intent before the network policy is issued. A system for automatically generating ACL update plans based on the advanced intent of network operatorsałJinjing was proposed in [50]. Jinjing allows operators to express their update intent (such as ACL migration and flow control) in a declarative language called LAI, and Jinjing automatically synthesizes ACL update plans that meet their intents.…”

Section: B Enabling Idn Technologiesmentioning

confidence: 99%

A Survey on Intent-Driven Networks

et al. 2020

View full text Add to dashboard Cite

Software defined network and network function visualization enhance the network flexibility and management agility, which increase network fragility and complexity. However, the vast majority of network parameters are manually configured, which makes the configuration failures still inevitable. Future networks should be self-configuring, self-managing, and self-optimizing. Intent-driven network (IDN) is a self-driving network that uses decoupling network control logic and closed-loop orchestration techniques to automate application intents. At present, a unified definition of IDN has not yet been presented, and the research background and current status of IDN are not clear. Considering the emerging applications and research of IDN, in this article, we survey existing technologies, clarify definitions, and summarize features for IDN. Specifically, we discuss the basic architecture and key technologies of IDN. In addition, diversity gains and challenges are analyzed briefly. Finally, some future work is highlighted and wider applications of IDN are provided for further research.

show abstract

Section: B Enabling Idn Technologiesmentioning

confidence: 99%

A Survey on Intent-Driven Networks

et al. 2020

View full text Add to dashboard Cite

show abstract

“…Besides firewall, ACL (Access Control List) rules can be implemented directly in network devices, such as routers, to packet filtering. ACL is a collection of "permit" and "deny" conditions and the packets are permitted (or denied) based on their source and destination IP addresses, ports, and protocol (TIAN et al, 2019). Packets that come into a network device that contains ACL rules are compared to the set of rules sequentially until it has a match.…”

Section: Port 80mentioning

confidence: 99%

“…Jinjing (TIAN et al, 2019) allows operators to declare update intents (e.g., ACL migration) in a declarative language called LAI, and automatically synthesizes ACL update plans that meet their intents. Jinjing modeled the ACL configuration formally and designed an intent primitive to ensure the accuracy of the system operation.…”

Section: Intentsmentioning

confidence: 99%

See 1 more Smart Citation

A Bottom-Up Approach for Extracting Network Intents

Ribeiro

Jacobs

Parizotto

et al. 2020

Advanced Information Networking and Applications

View full text Add to dashboard Cite

Intent-Based Networking (IBN) is showing significant improvements in network management, especially by reducing the complexity by using intent-level languages. However, IBN is not yet integrated and widely deployed in most of the large-scale networks. Network operators may still encounter several issues deploying new intents, such as reasoning about complex configurations to understand previously deployed rules before writing an intent to update the network state. Large-scale networks may include several devices distributed in multiple hierarchical levels of its topology; each of these devices is configured using low-level, vendor-specific languages. Thus, inferring intents from these low-level configuration files can be an arduous and time-consuming task. Current solutions that derive high-level representations from bottom-up configuration analysis can not represent configurations in an intent-level. Moreover, they fail by not aggregating essential details to enhance the representation. In this work, we present a bottom-up process to extract intents from network configurations. To validate our approach, we develop a system called SCRIBE (SeCuRity Intent-Based Extractor), which decompiles security configurations from different network devices and translates them to an intent-level language called Nile. To demonstrate the feasibility of SCRIBE, we outline two case studies and evaluate our approach with dumps of real-world firewall configurations containing rules from various servers and institutions. Results show that our solution can represent configurations in intent-level and also maintain a high accuracy representing aspects of low-level configurations.

show abstract

“…This development is also not limited to academia. Large cloud providers, such as Alibaba [36], Amazon [2], and Microsoft [20], are developing and deploying network verification systems. However, as shown in Figure 1, each such tool today is a monolith, with its own model of the target functionality and its own analysis engine.…”

Section: Introductionmentioning

confidence: 99%

A General Framework for Compositional Network Modeling

Beckett

Mahajan

2020

Proceedings of the 19th ACM Workshop on Hot Topics in Networks

View full text Add to dashboard Cite

We advocate for an approach to network modeling and analysis based on a common intermediate language. Unlike today, where each tool builds a custom model and analysis engine for its target network functionality, we argue that network functionality should be expressed in a common language. This approach makes it easier to expand formal analysis to new functionality and analyze interactions between dependent functionalities (e.g., routing and packet filtering). We demonstrate the feasibility of this approach by developing an intermediate language called Zen and three different analyses for programs in that language. For representative data plane and control plane functionalities, we find that Zen reduces the modeling effort by an order of magnitude, while providing analysis performance that matches custom tools. CCS CONCEPTS • Networks → Network reliability; • Theory of computation → Program verification; • Software and its engineering → Model checking; Functional languages.

show abstract

Safely and automatically updating in-network ACL configurations with intent language

Cited by 61 publications

References 27 publications

A Survey on Intent-Driven Networks

A Survey on Intent-Driven Networks

A Bottom-Up Approach for Extracting Network Intents

A General Framework for Compositional Network Modeling

Contact Info

Product

Resources

About