Unraveling Network Configuration Management
Theophilus Benson (U of Wisconsin), Aditya Akella (U of Wisconsin), Dale Carder (U of Wisconsin), Dave Maltz (Microsoft)
Agenda
- Why is documentation useful?
- Can we develop metadata for network configuration files?
- Can we utilize administrators' common practice?
- What we've learned
- Call for help
Change is Constant
- Technology evolves
- Network requirements adapt
- Operators are constantly tweaking
- Documentation lags implementation
- Uninformed changes lead to error
  - Same policy, different implementation
  - New or unfamiliar operator; collaborating networks (e.g. GENI)
Tracking Changes: Operator's Toolbox
- Current config management tools
  - Maintain accountability for change
  - Do not ensure correctness
- Other commercial network management tools
  - Device discovery
  - Automation of VLAN and routing setup
  - Coarse-grained constraint checking
- The rest is left to home-grown tools
Why should we care?
Benefits of a well documented network:
- Easier to make changes
- Better informed operators are less likely to make errors
- Easier to spot policy inconsistencies
Operational Insights
- Operators utilize templates
  - Templates simplify and automate tasks
  - A tool must go beyond tracking identical copies of a template to discovering and tracking modified/transformed templates
- Filtering, routing, and distribution are intertwined
  - Must track references between them
Operational Insights (cont.)
- Devices have different roles
  - A device's role is reflected by the commands used in its configuration file
  - Devices with identical or similar roles will have similar sets of configuration
- Operators validate configuration through network operational state
  - Use the set of packets allowed between devices (the reachability set) to confirm intent
Discovering References
- IOS commands reference each other through labels
  - For example: an interface references an ACL through the ACL's label
- References are discovered in 2 steps:
  1. Parse configuration files and discover labels
  2. Link the stanza declaring a label with the commands referencing that label
Dependency Example

interface Vlan901
 ip address 128.2.1.23 255.255.255.252
 ip access-group 9 in

router ospf 1
 router-id 128.1.2.133
 passive-interface default
 no passive-interface Vlan901
 no passive-interface Vlan900
 network 128.2.0.0 0.0.255.255
 distribute-list 12 in
 redistribute connected subnets

access-list 9 permit 128.2.1.23 0.0.0.3
access-list 9 deny any
access-list 11 permit 128.2.0.0 0.0.255.255

Dependencies shown on the slide: Vlan901 -> access-list 9 (ip access-group); ospf 1 -> Vlan901 (no passive-interface); ospf 1 -> access-list 12 (distribute-list). Note that access-list 11 is declared but never referenced, and access-list 12 is referenced but not declared in this fragment.
Discovering Templates & Roles
- A template is a Cisco stanza that is used on several devices
- Templates are discovered using data-mining algorithms that detect copy-and-pasted code
- Roles: devices that share an identical set of templates are assigned the same role
Templates Example

Config A:
interface Vlan901
 ip address 128.2.1.23 255.255.255.252
 ip access-group 9 in
 ip access-group 11 out
interface Vlan902
 ip address 128.2.1.28 255.255.255.252
 ip ospf cost 23
 no ip redirects
 no ip proxy-arp
router ospf 1
 router-id 128.1.2.133
 passive-interface default
 no passive-interface Vlan901
 no passive-interface Vlan900
 network 128.2.0.0 0.0.255.255
 distribute-list 12 in
 redistribute connected subnets
access-list 12 permit 128.2.0.0

Config B:
interface Vlan900
 ip address 128.2.1.26 255.255.255.252
 mtu 1000
interface Vlan901
 ip address 128.2.1.24 255.255.255.252
 ip access-group 9 in
 ip access-group 11 out
router ospf 1
 router-id 128.1.2.133
 passive-interface default
 no passive-interface Vlan901
 no passive-interface Vlan900
 network 128.2.0.0 0.0.255.255
 distribute-list 12 in
 redistribute connected subnets
access-list 12 permit 128.2.0.0

Config C:
interface Vlan900
 ip address 128.2.1.25 255.255.255.252
 mtu 1000
interface Vlan902
 ip address 128.2.1.29 255.255.255.252
 ip ospf cost 23
 no ip redirects
 no ip proxy-arp
router ospf 1
 router-id 128.1.2.133
 passive-interface default
 no passive-interface Vlan901
 no passive-interface Vlan900
 network 128.2.0.0 0.0.255.255
 distribute-list 12 in
 redistribute connected subnets
access-list 12 permit 128.2.0.0

The router ospf 1 stanza and access-list 12 are identical on all three devices; each interface stanza recurs on two devices with a different address, which is the modified-template case.
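The following is an added example, not the authors' tool (the slides do not show its implementation). It walks through both the "Discovering References" steps and the "Discovering Templates & Roles" slide on the three configs above: it parses IOS-style text into stanzas, links label declarations to the commands that reference them, reports dangling and unused labels, then abstracts addresses so that modified copies of a stanza compare equal and groups devices by the templates they share. The configs are constructed for the example: A, B and C follow the slide, a device D that reuses A's stanzas with other addresses is added so that one role has two members, and an extra access-list 11 is added to C so that an unused ACL appears. The stanza grammar, the reference patterns and the address abstraction are this example's own choices, not the authors'.

```python
"""Added example, not the authors' tool: reference, template and role
discovery over Cisco IOS-style configs. All configs are constructed."""
import re
from collections import defaultdict

# Constructed stanza fragments, assembled into devices A, B, C (as on the
# slide) plus D (reuses A's stanzas) and an unused ACL 11 on C.
V900 = "interface Vlan900\n ip address {ip} 255.255.255.252\n mtu 1000\n"
V901 = ("interface Vlan901\n ip address {ip} 255.255.255.252\n"
        " ip access-group 9 in\n ip access-group 11 out\n")
V902 = ("interface Vlan902\n ip address {ip} 255.255.255.252\n"
        " ip ospf cost 23\n no ip redirects\n no ip proxy-arp\n")
OSPF = ("router ospf 1\n router-id {rid}\n passive-interface default\n"
        " no passive-interface Vlan901\n no passive-interface Vlan900\n"
        " network 128.2.0.0 0.0.255.255\n distribute-list 12 in\n"
        " redistribute connected subnets\n")
ACL12 = "access-list 12 permit 128.2.0.0\n"
ACL11 = "access-list 11 permit 128.2.0.0 0.0.255.255\n"
CONFIGS = {
    "A": V901.format(ip="128.2.1.23") + V902.format(ip="128.2.1.28") + OSPF.format(rid="128.1.2.133") + ACL12,
    "B": V900.format(ip="128.2.1.26") + V901.format(ip="128.2.1.24") + OSPF.format(rid="128.1.2.134") + ACL12,
    "C": V900.format(ip="128.2.1.25") + V902.format(ip="128.2.1.29") + OSPF.format(rid="128.1.2.135") + ACL12 + ACL11,
    "D": V901.format(ip="128.2.1.31") + V902.format(ip="128.2.1.36") + OSPF.format(rid="128.1.2.136") + ACL12,
}

ACL_RE = re.compile(r"^access-list (\d+) (.+)$")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
# (pattern over one body line, label of the stanza that line references)
REF_PATTERNS = [
    (re.compile(r"^ip access-group (\d+) (?:in|out)$"), "access-list {}"),
    (re.compile(r"^distribute-list (\d+) (?:in|out)$"), "access-list {}"),
    (re.compile(r"^(?:no )?passive-interface (?!default$)(\S+)$"), "interface {}"),
]

def parse_stanzas(text):
    """{label: [body lines]}: indented lines belong to the preceding top-level
    command; numbered access-list entries are grouped under 'access-list N'."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line, m = raw.strip(), ACL_RE.match(raw.strip())
        if raw[:1].isspace() and line and current:
            stanzas[current].append(line)          # continuation of a stanza
        elif m:
            current = f"access-list {m.group(1)}"
            stanzas.setdefault(current, []).append(m.group(2))
        elif line:
            current = line                         # e.g. "interface Vlan901"
            stanzas.setdefault(current, [])
    return stanzas

def find_references(stanzas):
    """Edges (referencing label, referenced label): the dependency graph."""
    edges = []
    for label, body in stanzas.items():
        for line in body:
            for pat, target in REF_PATTERNS:
                m = pat.match(line)
                if m:
                    edges.append((label, target.format(m.group(1))))
    return edges

def check_labels(stanzas):
    """Dangling labels (referenced, never declared) and unused ACLs
    (declared, never referenced: a vestigial stanza)."""
    referenced = {dst for _, dst in find_references(stanzas)}
    dangling = sorted(referenced - set(stanzas))
    unused = sorted(l for l in stanzas if l.startswith("access-list ") and l not in referenced)
    return dangling, unused

def normalize(body):
    """Abstract addresses so copies of a template that differ only in
    addresses (a transformed template) compare equal."""
    return tuple(IP_RE.sub("<ip>", line) for line in body)

def find_templates(configs, min_devices=2):
    """{(label, normalized body): devices} for stanzas on >= min_devices devices."""
    usage = defaultdict(set)
    for dev, text in configs.items():
        for label, body in parse_stanzas(text).items():
            usage[(label, normalize(body))].add(dev)
    return {k: v for k, v in usage.items() if len(v) >= min_devices}

def find_roles(configs):
    """Devices grouped by the exact set of templates they carry."""
    by_dev = defaultdict(set)
    for tmpl, devs in find_templates(configs).items():
        for dev in devs:
            by_dev[dev].add(tmpl)
    roles = defaultdict(set)
    for dev, tmpls in by_dev.items():
        roles[frozenset(tmpls)].add(dev)
    return sorted(sorted(devs) for devs in roles.values())

if __name__ == "__main__":
    for dev, text in CONFIGS.items():
        print(dev, find_references(parse_stanzas(text)), check_labels(parse_stanzas(text)))
    print("roles:", find_roles(CONFIGS))
```

Dangling references (an ACL applied with ip access-group but never defined, a no passive-interface for an interface the device does not have) are the inverse of the vestigial-stanza finding and are worth reporting alongside it. On real configs REF_PATTERNS needs entries for route-maps, prefix-lists and named ACLs, and normalize() should abstract more than addresses (VLAN ids, descriptions) before stanzas are compared.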
Discovering Reachability Sets
- A reachability set is the set of packets accepted between two end points
- How to discover reachability sets:
  1. Simulate routing protocol convergence
  2. Calculate the impact of data-plane and control-plane filtering on packets sent along a valid path between two subnets
Reachability Example (figure): subnets 192.168.147.0/24, 192.168.145.0/24 (with 192.168.145.128/25 called out) and 10.1.1.0/24 attached to routers R1, C and R2; a "deny any" filter sits on one of the paths.
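An added example, not the authors' tool, of the two steps on the Discovering Reachability Sets slide on a small constructed topology loosely modelled on the figure. Routing convergence is simulated as a hop-count distance-vector fixpoint (an assumption standing in for OSPF), control-plane filtering as a per-router inbound prefix filter in the style of distribute-list in, and data-plane filtering as a standard source-address ACL on one link. Router names, subnets, the filter placement and the function names are all this example's own.

```python
"""Added example, not the authors' tool: reachability sets on a constructed
topology with simulated convergence and control/data-plane filtering."""
import ipaddress as ip

N = ip.ip_network
PERMIT_ANY = [("permit", N("0.0.0.0/0"))]

# Constructed topology: three routers, one attached subnet each, three links.
CONNECTED = {"R1": [N("192.168.147.0/24")], "C": [N("192.168.145.0/24")], "R2": [N("10.1.1.0/24")]}
LINKS = [("R1", "C"), ("C", "R2"), ("R1", "R2")]
# Control plane: prefixes a router refuses to learn from any neighbour.
DIST_LIST_IN = {"C": [N("10.1.1.0/24")]}
# Data plane: ACLs keyed by (router, neighbour, direction); entries are
# (action, source prefix), first match wins, implicit deny at the end.
ACLS = {("R1", "C", "in"): [("deny", N("192.168.145.128/25")), ("permit", N("0.0.0.0/0"))]}

def acl_permits(entries, src):
    for action, net in entries:
        if src in net:
            return action == "permit"
    return False                                              # implicit deny

def converge():
    """Routing tables {router: {prefix: (next_hop, hops)}} at the fixpoint;
    next_hop None means the prefix is directly connected."""
    tables = {r: {p: (None, 0) for p in nets} for r, nets in CONNECTED.items()}
    changed = True
    while changed:
        changed = False
        for a, b in LINKS + [(y, x) for x, y in LINKS]:        # a advertises to b
            for prefix, (_, hops) in list(tables[a].items()):
                if prefix in DIST_LIST_IN.get(b, []):
                    continue                                  # control-plane filtering
                if prefix not in tables[b] or hops + 1 < tables[b][prefix][1]:
                    tables[b][prefix] = (a, hops + 1)
                    changed = True
    return tables

def route(router, prefix):
    return converge()[router].get(N(prefix))

def delivered(tables, start, src, dst, max_hops=16):
    """Follow the converged forwarding path from router `start` for a packet
    from `src` to `dst`, applying the out and in ACLs on every link crossed."""
    cur = start
    for _ in range(max_hops):
        if dst not in tables[cur]:
            return False                                      # no route: dropped
        nxt, _ = tables[cur][dst]
        if nxt is None:
            return True                                       # on the destination LAN
        if not acl_permits(ACLS.get((cur, nxt, "out"), PERMIT_ANY), src):
            return False
        if not acl_permits(ACLS.get((nxt, cur, "in"), PERMIT_ANY), src):
            return False
        cur = nxt
    return False                                              # forwarding loop

def reachability_set(src_prefix, dst_prefix):
    """Source addresses in src_prefix whose packets reach dst_prefix, as a
    list of prefixes (every address is tried, so keep the subnets small)."""
    src, dst = N(src_prefix), N(dst_prefix)
    tables = converge()
    start = next(r for r, nets in CONNECTED.items() if src in nets)
    ok = [N(str(a)) for a in src if delivered(tables, start, a, dst)]
    return [str(n) for n in ip.collapse_addresses(ok)]

if __name__ == "__main__":
    for s, d in [("192.168.145.0/24", "192.168.147.0/24"), ("192.168.145.0/24", "10.1.1.0/24"),
                 ("192.168.147.0/24", "10.1.1.0/24"), ("10.1.1.0/24", "192.168.145.0/24")]:
        print(f"{s} -> {d}: {reachability_set(s, d)}")
```

The set is directional: 10.1.1.0/24 reaches C's subnet, while C's subnet cannot reach 10.1.1.0/24 because C never imports the route. That asymmetry only shows up once the control plane is simulated rather than reading ACLs alone, and it is the kind of gap between intent and state the slide's validation step is meant to catch. Real OSPF converges on link costs and areas rather than hop counts, and extended ACLs also match destination and ports; both changes slot into converge() and acl_permits().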
Uses
- Error detection: changes to the underlying documentation
- Planning changes: understand the ripple effect of a change
- Understanding network evolution: changes in dependencies, changes in templates
Current Collaborators
- Microsoft
- BBN
- U of Wisconsin, Madison
- Northwestern
- U of Michigan, Ann Arbor
- U of Minnesota
Preliminary Results
- Vestigial stanzas
  - Unused ACLs
  - ACLs still filtering subnets that have been removed
- Routing misconfiguration
  - Subnet redistributed by an inappropriate device
Call To Action
- Try out our tools on your configuration files
- Provide us with feedback on what you found useful
- Thoughts and insights are welcome
(Figure: configuration file -> tool -> misconfiguration data)
Questions??