Quantifying and Verifying Network Reachability

Authors

  • Amir R. Khakpour
  • Alex X. Liu

Abstract

Quantifying and verifying network reachability is important for security monitoring and auditing as well as many aspects of network management such as troubleshooting, maintenance, and design. Although attempts to model network reachability have been made, feasible solutions to computing network reachability have remained unknown. In this paper, we propose a suite of algorithms for quantifying reachability based on network configurations (mainly ACLs) as well as solutions for querying and verifying network reachability. We present a comprehensive network reachability model that considers connectionless and connection-oriented transport protocols, stateless and stateful routers/firewalls, static and dynamic NAT, PAT, etc. We implemented the algorithms in our network reachability analysis tool called Quarnet and conducted experiments on a university network. Experimental results show that the offline computation of reachability matrices takes a few hours and the online processing of a reachability query takes 0.075 seconds on average.

Similar resources

Quarnet: A Tool for Quantifying Static Network Reachability

Quantifying and verifying network reachability is important for security monitoring and auditing as well as many aspects of network management such as troubleshooting, maintenance, and design. Although attempts to model network reachability have been made, feasible solutions to computing network reachability have remained unknown. In this paper, we propose a suite of algorithms for quantifying ...

Reachability Monitoring and Verification in Enterprise Networks

Enforcing correct reachability is crucial for an enterprise network to achieve access control, privacy, security and so on. Many sophisticated mechanisms such as router ACLs and firewalls have been developed to enforce the desired reachability. In addition, many other factors such as network dynamics can also impact the network reachability. Thus it is challenging to configure the reachability ...

Application layer reachability monitoring for IP multicast

The successful deployment of multicast in the Internet requires the availability of good network management solutions. One of the first management tasks for multicast is to verify its availability in the network. This task is usually referred to as reachability monitoring. Reachability ensures that sources can reach all existing and potential group members. Reachability also implies that receiv...

Automatically verifying reachability and well-formedness in P4 Networks

P4 allows a new level of dynamism for routers beyond OpenFlow 1.4 by allowing headers and tables to be modified by software in the field. Without care, P4 can unleash a new wave of software bugs. Existing tools (e.g., VeriFlow, NetPlumber, Hassel, NoD) cannot model changes to forwarding behaviors without reprogramming tool internals or having users manually add new forwarding models. Further, a...

Verifying Reachability in Networks with Mutable Datapaths

Recent work has made great progress in verifying the forwarding correctness of networks [19–21, 26]. However, these approaches cannot be used to verify networks containing middleboxes, such as caches and firewalls, whose forwarding behavior depends on previously observed traffic. We explore how to verify reachability properties for networks that include such “mutable datapath” elements. We want...

Publication date: 2009