
Publication


Featured research published by Sanjai Narain.


Journal of Network and Systems Management | 2008

Declarative Infrastructure Configuration Synthesis and Debugging

Sanjai Narain; Gary Levin; Sharad Malik; Vikram Kaul

There is a large conceptual gap between end-to-end infrastructure requirements and detailed component configuration implementing those requirements. Today, this gap is manually bridged so large numbers of configuration errors are made. Their adverse effects on infrastructure security, availability, and cost of ownership are well documented. This paper presents ConfigAssure to help automatically bridge the above gap. It proposes solutions to four fundamental problems: specification, configuration synthesis, configuration error diagnosis, and configuration error repair. Central to ConfigAssure is a Requirement Solver. It takes as input a configuration database containing variables, and a requirement as a first-order logic constraint in finite domains. The Solver tries to compute as output, values for variables that make the requirement true of the database when instantiated with these values. If unable to do so, it computes a proof of unsolvability. The Requirement Solver is used in different ways to solve the above problems. The Requirement Solver is implemented with Kodkod, a SAT-based model finder for first-order logic. While any requirement can be directly encoded in Kodkod, parts of it can often be solved much more efficiently by non model-finding methods using information available in the configuration database. Solving these parts and simplifying can yield a reduced constraint that truly requires the power of model-finding. To implement this plan, a quantifier-free form, QFF, is defined. A QFF is a Boolean combination of simple arithmetic constraints on integers. A requirement is specified by defining a partial evaluator that transforms it into an equivalent QFF. This QFF is efficiently solved by Kodkod. The partial evaluator is implemented in Prolog. ConfigAssure is shown to be natural and scalable in the context of a realistic, secure and fault-tolerant datacenter.


international conference on communications | 2002

Integration of IP mobility and security for secure wireless communications

M. Barton; D. Atkins; J. Lee; Sanjai Narain; D. Ritcherson; K.E. Tepe; K.D. Wong

We present alternatives for the integration of Mobile Internet Protocol (Mobile IP) versions with IP Security (IPSec) to secure IP communications over the wireless link. We focus on network layer security and provisioning of security services while roaming to a foreign network, without having to trust the foreign network. Additionally, such a scheme does not require the correspondent host (CH) to participate in protecting the wireless link. We note, however, that end-to-end security can still be provisioned, should the end user and CH have the capability to do so. Finally, our implementation allows seamless mobility at the network layer, while supporting higher layer services and security features.


international conference on network protocols | 2012

Verification and synthesis of firewalls using SAT and QBF

Shuyuan Zhang; Abdulrahman Mahmoud; Sharad Malik; Sanjai Narain

Firewalls are widely deployed to safeguard the security of networks and it is critical for enterprise networks to have firewalls to prevent malicious attacks and to guarantee the normal functioning of the network. Firewalls prevent dangerous packets from entering the inner network by looking up the Access Control List (ACL) to permit or drop certain packets. However, ACLs often suffer from redundancy problems, which can degrade the performance of firewalls and the network. The contribution of this paper is threefold: 1) we present a Boolean Satisfiability (SAT) based technique that can compare the equivalence and inclusion relationship between two firewalls, which is very valuable for the testing between a given firewall and an optimized one, 2) we present a technique to discover redundancies within a firewall, and 3) we formulate the ACL optimization problem as a Quantified Boolean Formula problem (QBF) and explore its practical application using a QBF solver.


autonomic computing workshop | 2003

Building autonomic systems via configuration

Sanjai Narain; Thanh Cheng; Brian A. Coan; Vikram Kaul; Kirthika Parmeswaran; William E. Stephens

Large classes of autonomic (self-managing, self-healing) systems can be created by logically integrating simpler autonomic systems. The configuration method is widely used for such integration. However, there are few formalized tools in support of this method for specification, compilation, diagnosis, reasoning, and distributed provisioning. As a result, the practice of this method is very costly and can lead to security failures. This paper presents a technique called Service Grammar for building these tools based on a novel analysis of protocols and distributed algorithms in a domain of interest. The technique is illustrated in the context of a realistic adaptive virtual private network. We show how lower-layer adaptive protocols can be composed to create adaptive behavior at a higher layer.


2011 4th Symposium on Configuration Analytics and Automation (SAFECONFIG) | 2011

Towards eliminating configuration errors in cyber infrastructure

Sanjai Narain; Sharad Malik; Ehab Al-Shaer

It is well-documented that configuration errors account for 50% to 80% of downtime and vulnerabilities in cyber infrastructure. The ConfigAssure suite of tools has been developed to help eliminate these errors. These tools are for requirement specification, configuration synthesis, diagnosis and repair, verification, reconfiguration planning and visualization. These tools are being made available as a web service that is demonstrated.


international conference on communications | 2001

Diagnosing configuration errors in virtual private networks

Sanjai Narain; M. Rangadurai; Abdul-Rahim Shareef

Traditional network fault management systems diagnose hard, localized errors such as fiber cuts or hardware/software component failures. It is quite possible, however, that network components work correctly yet end-to-end services do not. This happens if there are configuration errors, i.e., configuration parameters of components are set to incorrect values. Configuration is a fundamental operation for integrating components to implement end-to-end services. Configuration errors are frequent because transforming end-to-end service requirements into configurations is inherently difficult: in realistic networks there are many components, configuration parameters, values, protocols and requirements. Yet, such transformation is largely, manually performed. This paper describes a toolkit called Service Grammar to diagnose configuration errors. The toolkit is illustrated in the context of an IP virtual private network with routing and security services. It is based on the following assumptions: (1) every component has configuration parameters which can be set to definite values; (2) these values remain fixed during the normal operation of a component; and (3) the set of values of all configuration parameters in a network, called the configuration vector, determines the behavior of the network as a whole.


international conference on network protocols | 2014

In-Band Update for Network Routing Policy Migration

Shuyuan Zhang; Sharad Malik; Sanjai Narain; Laurent Vanbever

Network operators often need to change their routing policy in response to network failures, new load balancing strategies, or stricter security requirements. While several recent works have aimed at solving this problem, they all assume that a fast and conveniently dimensioned out-of-band network is available to communicate with any device. Unfortunately, such a parallel network is often not practical. This paper presents a technique for performing such updates in-band: it enables reconfiguration control messages to be sent directly within the fast production network. Performing such updates is hard because intermediate configurations can lock out the controller from devices before they are updated. Thus, updates have to be carefully sequenced. Our technique also minimizes the total update time by updating the network in parallel, whenever possible. Our technique takes into account in-band middle boxes, such as firewalls. We have implemented our framework using Integer Linear Programming, and experimentally validated it on problems of realistic scale.


Archive | 2010

Network Configuration Validation

Sanjai Narain; Rajesh Talpade; Gary Levin

To set up network infrastructure satisfying end-to-end requirements, it is not only necessary to run appropriate protocols on components but also to correctly configure these components. Configuration is the “glue” for logically integrating components at and across multiple protocol layers. Each component has configuration parameters, each of which can be set to a definite value. However, today, the large conceptual gap between end-to-end requirements and configurations is manually bridged. This causes large numbers of configuration errors whose adverse effects on security, reliability, and high cost of deployment of network infrastructure are well documented.


IEEE Journal on Selected Areas in Communications | 2009

Guest editorial network infrastructure configuration

Paul Anderson; Carl A. Gunter; Charles Robert Kalmanek; Sanjai Narain; Jonathan M. Smith; Rajesh Talpade; Geoffrey G. Xie

The nine papers in this special issue focus on network infrastructure configuration and some of the problems encountered in the areas of specification, diagnosis, repair, synthesis, and anonymization.


darpa information survivability conference and exposition | 2003

A toolkit for building secure, fault-tolerant virtual private networks

William E. Stephens; Brian A. Coan; Sanjai Narain; Vikram Kaul; Kirthika Parmeswaran; Thanh Cheng

Dynamic coalition networks connect multiple administrative domains. The domains have a need to communicate, but have limited mutual trust. To establish communication services, these networks must be configured consistently with respect to global service requirements and security policies. The configuration must also be done in a way that respects the autonomy of the separate domains. Commercial network configuration tools do not provide sufficient functionality for this purpose. This document outlines a toolkit for solving these problems and reports on its deployment over a wide area network between Telcordia Technologies and BBN's TIC.

Collaboration


Top Co-Authors

Gary Levin

Telcordia Technologies

Vikram Kaul

Telcordia Technologies

Thanh Cheng

Telcordia Technologies
