DOI: 10.1145/3341302.3342088
Research article

Safely and automatically updating in-network ACL configurations with intent language

Published: 19 August 2019

Abstract

    In-network Access Control Lists (ACLs) are an important technique for ensuring network-wide connectivity and security. As cloud-scale WANs constantly evolve in size and complexity, in-network ACL rules are becoming increasingly complex. This presents a great challenge to the process of updating ACL configurations: network operators are frequently required to update "tangled" ACL rules across thousands of devices to meet diverse business requirements, and even a single ACL misconfiguration may lead to network disruptions. These growing challenges call for an automated system that improves both the efficiency and the correctness of ACL updates. This paper presents Jinjing, a system that aids Alibaba's network operators in automatically and correctly updating ACL configurations in Alibaba's global WAN. Jinjing allows operators to express their update intent (e.g., ACL migration and traffic control) in a declarative language named LAI. Jinjing then automatically synthesizes ACL update plans that satisfy that intent. At the heart of Jinjing, we develop a set of novel verification and synthesis techniques that rigorously guarantee the correctness of the update plans. At Alibaba, our operators have used Jinjing to update their ACLs efficiently and have thereby prevented significant service downtime.

    Supplementary Material

    MP4 File (p214-tian.mp4)



        Published In

        cover image ACM Conferences
        SIGCOMM '19: Proceedings of the ACM Special Interest Group on Data Communication
        August 2019
        526 pages
        ISBN: 9781450359566
        DOI: 10.1145/3341302

        Publisher

        Association for Computing Machinery

        New York, NY, United States

        Author Tags

        1. access control list
        2. domain specific language
        3. network configurations
        4. synthesis
        5. verification

        Conference

        SIGCOMM '19
        Sponsor:
        SIGCOMM '19: ACM SIGCOMM 2019 Conference
        August 19 - 23, 2019
        Beijing, China

        Acceptance Rates

        Overall Acceptance Rate 554 of 3,547 submissions, 16%

        Cited By

        • (2024) Occam: A Programming System for Reliable Network Management. Proceedings of the Nineteenth European Conference on Computer Systems, pp. 148-162. DOI: 10.1145/3627703.3650086. Online publication date: 22-Apr-2024.
        • (2024) Toward Autonomous Trusted Networks: From Digital Twin Perspective. IEEE Network 38(3), pp. 84-91. DOI: 10.1109/MNET.2024.3353180. Online publication date: May-2024.
        • (2024) Human-Intent-Driven Cellular Configuration Generation Using Program Synthesis. IEEE Journal on Selected Areas in Communications 42(3), pp. 658-668. DOI: 10.1109/JSAC.2023.3345387. Online publication date: Mar-2024.
        • (2024) NetCR: Knowledge-Graph-Based Recommendation Framework for Manual Network Configuration. IEEE Internet of Things Journal 11(7), pp. 12941-12952. DOI: 10.1109/JIOT.2023.3337017. Online publication date: 1-Apr-2024.
        • (2023) LLM-Based Policy Generation for Intent-Based Management of Applications. 2023 19th International Conference on Network and Service Management (CNSM), pp. 1-7. DOI: 10.23919/CNSM59352.2023.10327837. Online publication date: 30-Oct-2023.
        • (2023) BPFC-SDNs. Security and Communication Networks 2023. DOI: 10.1155/2023/1104565. Online publication date: 25-Jan-2023.
        • (2023) SLA Management in Intent-Driven Service Management Systems: A Taxonomy and Future Directions. ACM Computing Surveys 55(13s), pp. 1-38. DOI: 10.1145/3589339. Online publication date: 13-Jul-2023.
        • (2023) Chroma: Learning and Using Network Contexts to Reinforce Performance Improving Configurations. Proceedings of the 29th Annual International Conference on Mobile Computing and Networking, pp. 1-16. DOI: 10.1145/3570361.3613256. Online publication date: 2-Oct-2023.
        • (2023) Kano: Efficient Cloud Native Network Policy Verification. IEEE Transactions on Network and Service Management 20(3), pp. 3747-3764. DOI: 10.1109/TNSM.2022.3229675. Online publication date: Sep-2023.
        • (2023) Intent Negotiation Framework for Intent-Driven Service Management. IEEE Communications Magazine 61(6), pp. 73-79. DOI: 10.1109/MCOM.001.2200504. Online publication date: 1-Jun-2023.