A General Approach to Network Configuration Analysis
12th USENIX Symposium on Networked Systems Design and Implementation (NSDI 2015), Oakland, CA, May 4-6, 2015.
Ari Fogel, Stanley Fung, Luis Pedrosa, Meg Walraed-Sullivan, Ramesh Govindan, Ratul Mahajan, Todd Millstein
We present an approach to detect network configuration
errors, which combines the benefits of two prior
approaches. Like prior techniques that analyze configuration files, our approach can find errors
proactively, before the configuration is applied, and
answer "what if" questions. Like prior techniques that
analyze data-plane snapshots, our approach can check a
broad range of forwarding properties and produce
actual packets that violate checked properties. We
accomplish this combination by faithfully deriving and
then analyzing the data plane that would emerge from
the configuration. Our derivation of the data plane
is fully declarative, employing a set of logical
relations that represent the control plane, the data
plane, and their relationship. Operators can query
these relations to understand identified errors and
their provenance. We use our approach to analyze two
large university networks with qualitatively different
routing designs and find many misconfigurations in
each. Operators have confirmed the majority of these
as errors and have fixed their configurations
accordingly.