Sanjai Narain
Information Assurance and Security Department
Telcordia Technologies, Inc.
narain@research.telcordia.com
DIMACS Workshop on Designing Networks for Manageability, November 11, 2009

To Satisfy End-To-End
Requirement
Set Up Physical Layer
Then Configure It
2
Confused? Here Is Help.

End-To-End Requirements
Requirement specification
Configuration synthesis
Diagnosis
Repair
Reconfiguration planning
Verification
Distributed configuration
Configuration file parsing
Why are these hard?
• Need to specify connectivity, security, performance and reliability
• Synthesis, reconfiguration planning and verification require searching very large spaces
• Security and functionality interact
• Components can correctly work in isolation but not together
• Removing one error can cause another
• Distributed configuration is not wellunderstood
• Hard to formalize configuration language grammar documented in hundreds of pages of English
Configurations

• Connectivity
– Incorrect addressing or IP, GRE, MPLS, IPSec links
• Security
– Incorrect firewall policies
• Performance
– Inconsistent QoS policies
• Reliability
– Single points of failure due to misconfigured routing protocols, in spite of diversity
–
Single points of failure across layers
• Interaction between security and performance
–
Packet dropping due to mismatched MTU and ICMP blocking
• Interaction between security and reliability
–
IPSec tunnels not replicated in HSRP cluster
• Interaction between security and connectivity
–
Static routes not directing packets into IPSec tunnels
• Lack of centralized configuration authority
– Static routes accumulated due to inefficient collaboration between network administrators

• Setting it [security] up is so complicated that it’s hardly ever done right. While we await a catastrophe, simpler setup is the most important step toward better security.
– Butler Lampson, MIT. Computer Security in the Real World.
IEEE Computer , June 2004
• …human factors, is the biggest contributor—responsible for 50 to 80 percent of network device outages.
– What’s Behind Network Downtime? Proactive Steps to Reduce Human Error and Improve
Availability of Networks, 2008. http://www.juniper.net/solutions/literature/white_papers/200249.pdf
• We don’t need hackers to break the systems because they’re falling apart by themselves.
– Peter G. Neumann, SRI. “Who Needs Hackers”, NY Times, September 7, 2007. http://www.nytimes.com/2007/09/12/technology/techspecial/12threat.html
•
Things break. Complex systems break in complex ways.
– Steve Bellovin, Columbia University. Above article
5

Hard
Requirement
First order logic: Alloy
Easier
• Project jointly with Sharad Malik, Princeton,
Daniel Jackson, MIT
Arithmetic
Quantifier-Free
Form
• QFF = Boolean combination of:
– x op y
– contained(a, m, b, n)
– where x , y , a , m , b , n are integer variables or constants and op is = , < , > , <= , >=
Kodkod
• Application-layer quantifier elimination with partial evaluation scales to networks of realistic size
FOL

Boolean quantifier elimination does not scale to large variable ranges
• Narain, 2005
• Narain, Kaul, Levin, Malik, 2008
• Narain, Talpade, Levin, 2010
Boolean
SAT
Solver
Solve millions of constraints in millions of variables in seconds

•
Specification: Security, functionality and configurations all specified as constraints
• Synthesis: Use Kodkod constraint solver
•
Diagnosis: Analyze UNSAT-CORE
• Repair: If x=c appears in UNSAT-CORE, it is a root-cause. Remove it and re-solve
•
Reconfiguration planning: Transform safety invariant into a constraint on times at which variables change from initial to final value. Solve.
•
Verification
– Represent firewall policy P as a QFF auth_P on generic packet header s,sp,d,dp,p
– P1 is subsumed by P2 if there is no solution to auth_P1  ¬auth_P2 .
– P1 is equivalent to P2 if P1 subsumes P2 and vice versa
– A rule R in P1 is redundant if P1-{R} is equivalent to P1
•
Parsing
– No grammar
– Parse file into a database of command blocks. Query these to extract needed information
7

• Trialed with major enterprise
• Diagnosis only product, IP Assure, deployed at Securities and Exchange
Commission.
– Non-invasive network testing
•
Currently, being transitioned to High Assurance Platform
– Integrates VMWare with SELinux
– Configuration complex
– Jointly with Trent Jaeger, Penn State, Sharad Malik and Daniel Jackson

• Optimal identification of configurations to change to prevent attacks: Ou, Homer, 2009
– Specification language: Datalog
– Uses properties of Datalog proofs and MinCost SAT solvers
• Firewall verification with BDD-based model-checking: Hamed, Al-Shaer, Marrero, 2005
• Symbolic Reachability Analysis:
– Answer questions e.g.:“Does firewall policy strengthening change the set of packets flowing from A to B?”
– Abstract algorithm by Xie, Zhan, Maltz, Zhang, Greenberg, Hjalmtysson, and Rexford, 2005
– Implementation of more general algorithm using BDD-based model-checking: Al-Shaer, Marrero, El-Atawy,
2009
• BGP policy verification in a higher-order logic, Isabelle: Voellmy, 2009
• Parsing with PADS/ML: Mandelbaum, 2007
• Parsing with ANTLR: Narain, Talpade, Levin, 2009

1.
Al-Shaer E, Marrero W, El-Atawy A, ElBadawy K (2009) Towards Global Verification and Analysis of Network Access Control Configuration. International Conference on Network Protocols
2.
Anderson P (2006) System Configuration. In Short Topics in System Administration ed. Rick
Farrow. USENIX Association
3.
Enck W, Moyer T, McDaniel P, Sen S, Sebos P, Spoerel S, Greenberg A, Sung Y-W, Rao S,
Aiello W, (2009) Configuration Management at Massive Scale: System Design and Experience.
IEEE Journal on Selected Areas in Communications
4.
Hamed H, Al-Shaer E and Will Marrero (2005) Modeling and Verification of IPSec and VPN
Security Policies , Proceedings of IEEE International Conference on Network Protocols.
5.
Homer J, Ou X (2009) SAT-solving approaches to context-aware enterprise network security management. IEEE JSAC Special Issue on Network Infrastructure Configuration
6.
Mandelbaum Y, Fisher K, Walker D, Fernandez M, and Gleyzer A (2007) PADS/ML: A functional data description language. ACM Symposium on Principles of Programming Language
7.
Narain S (2005) Network Configuration Management via Model-Finding. Proceedings of USENIX
Large Installation System Administration (LISA) Conference
8.
Narain S, Levin G, Kaul V, Malik, S (2008) Declarative Infrastructure Configuration Synthesis and
Debugging. Journal of Network Systems and Management, Special Issue on Security
Configuration, eds. Ehab Al-Shaer, Charles Kalmanek, Felix Wu
9.
Narain S, Talpade R, Levin G (2010) Network configuration validation. Chapter in “Guide to reliable Internet Services and Applications” eds Chuck Kalmanek, Richard Yang, Sudip Misra,
Springer
10. Voellmy A, Hudak P Nettle (2009) A domain-specific language for routing configuration.
Proceedings of ACM SafeConfig Workshop. http://bebop.cs.yale.edu/voellmy/nettle.html
11. Xie G, Zhan J, Maltz D, Zhang H, Greenberg A, Hjalmtysson G, and Rexford J (2005) On Static
Reachability Analysis of IP Networks. IEEE INFOCOM

• Configuration errors cause 50%-80% of down time and vulnerabilities
• To eliminate these, we need tools for synthesis, diagnosis, repair, reconfiguration planning, verification, distributed configuration, and parsing
• Modern formal methods based on constraint solving, BDD-based modelchecking and logic programming are being used to build these tools that solve configuration problems for real networks