671 research outputs found

    Global Verification and Analysis of Network Access Control Configuration

    Network devices such as routers, firewalls, IPSec gateways, and NAT are configured using access control lists. However, recent studies and ISP surveys show that the management of access control configurations is a highly complex and error-prone task. Without automated global configuration management tools, unreachability and insecurity problems due to the misconfiguration of network devices become ever more likely. In this report, we present a novel approach that models the global end-to-end behavior of access control devices in the network, including routers, firewalls, NAT, and IPSec gateways, for unicast and multicast packets. Our model represents the network as a state machine where the packet header and location determine the state. The transitions in this model are determined by packet header information, packet location, and policy semantics for the devices being modeled. We encode the semantics of access control policies with Boolean functions using binary decision diagrams (BDDs). We extended computation tree logic (CTL) to provide more useful operators, and then we use CTL and symbolic model checking to investigate all future and past states of a packet in the network and verify network reachability and security requirements. The model is implemented in a tool called ConfigChecker. We gave special consideration to ensuring an efficient and scalable implementation. Our extensive evaluation study with various network and policy sizes shows that ConfigChecker has acceptable computation and space requirements with a large number of nodes and configuration rules.

    Multi-region routing

    Dissertation presented at the Faculdade de Ciências e Tecnologia of the Universidade Nova de Lisboa for the degree of Master in Electrical and Computer Engineering.
    This thesis proposes a new inter-domain routing protocol. The Internet's inter-domain routing protocol, Border Gateway Protocol (BGP), provides a reachability solution for all domains; however, it is also used for purposes outside of routing. In terms of routing, BGP suffers from serious problems, such as slow routing convergence and limited scalability. The proposed architecture takes into consideration the current Internet business model and structure. It benefits from a massively multi-homed Internet to perform multipath routing. The main foundation of this thesis was the Dynamic Topological Information Architecture (DTIA). We propose a division of the Internet into regions to contain the network scale at which DTIA's routing algorithm is applied. An inter-region routing solution was devised to connect regions; formal proofs were made in order to demonstrate the routing convergence of the protocol. An implementation of the proposed solution was made in the network simulator 2 (ns-2). Results showed that the proposed architecture achieves faster convergence than BGP. Moreover, this thesis' solution improves the algorithm's scalability at the inter-region level, compared to the single-region case.

    Quantitative Verification and Synthesis of Resilient Networks


    ANCHOR: logically-centralized security for Software-Defined Networks

    While the centralization of SDN brought advantages such as a faster pace of innovation, it also disrupted some of the natural defenses of traditional architectures against different threats. The literature on SDN has mostly been concerned with the functional side, despite some specific works concerning non-functional properties like 'security' or 'dependability'. Though addressing the latter in an ad-hoc, piecemeal way may work, it will most likely lead to efficiency and effectiveness problems. We claim that the enforcement of non-functional properties as a pillar of SDN robustness calls for a systemic approach. As a general concept, we propose ANCHOR, a subsystem architecture that promotes the logical centralization of non-functional properties. To show the effectiveness of the concept, we focus on 'security' in this paper: we identify the current security gaps in SDNs and we populate the architecture middleware with the appropriate security mechanisms, in a global and consistent manner. Essential security mechanisms provided by ANCHOR include reliable entropy and resilient pseudo-random generators, and protocols for secure registration and association of SDN devices. We claim and justify in the paper that centralizing such mechanisms is key for their effectiveness, by allowing us to: define and enforce global policies for those properties; reduce the complexity of controllers and forwarding devices; ensure higher levels of robustness for critical services; foster interoperability of the non-functional property enforcement mechanisms; and promote the security and resilience of the architecture itself. We discuss design and implementation aspects, and we prove and evaluate our algorithms and mechanisms, including the formalisation of the main protocols and the verification of their core security properties using the Tamarin prover.
    Comment: 42 pages, 4 figures, 3 tables, 5 algorithms, 139 references

    Monitoring and verifying network behavior using data-plane state

    Modern computer networks are complex, incorporating hundreds or thousands of network devices from multiple vendors performing diverse functions such as routing, switching, and access control across physical and virtual networks (VPNs and VLANs). As in any complex computer system, these networks are prone to a wide range of errors such as misconfigurations, software bugs, or unexpected interactions across protocols. Previous tools to assist operators in debugging network anomalies primarily focus on analyzing control-plane configuration. Configuration analysis is limited in that it cannot find bugs in router software, and it is harder to generalize across protocols since it must model complex configuration languages and dynamic protocol behavior. This thesis studies an alternate approach: diagnosing problems through static analysis of a network's data-plane state. We call it data-plane verification. This approach can catch bugs that are invisible at the level of configuration files, and it simplifies unified analysis of a network across many protocols and implementations. To prove the applicability and usefulness of data-plane verification, we designed and implemented two tools to rigorously check important network invariants, such as the absence of routing loops, routing consistency of replicated devices, and other reachability properties. Our first tool, called Anteater, translates a network's data-plane state and invariants into Boolean satisfiability problems, and checks them using a SAT solver. Our second tool, called VeriFlow, creates a device-independent graph model of the network state, and uses standard graph traversal algorithms to detect invariant violations. We tested our tools with real-world network data-plane traces, and with large emulated networks. Both of our tools were able to detect real bugs that had gone unnoticed by network operators for more than a month. Our tools helped them to narrow down the faulty configurations and resolve them quickly. Results from emulated larger networks showed that the running-time performance of our tools, especially that of VeriFlow, is good enough to detect bugs quickly before they can be exploited by outside attackers. Due to the fast response time of VeriFlow, it can be used in the emerging Software-Defined Networking (SDN) setting as a proactive tool to detect and filter out faulty configurations before they reach network devices.

    Segment Routing: a Comprehensive Survey of Research Activities, Standardization Efforts and Implementation Results

    Fixed and mobile telecom operators, enterprise network operators and cloud providers strive to face the challenging demands coming from the evolution of IP networks (e.g. huge bandwidth requirements, integration of billions of devices and millions of services in the cloud). Proposed in the early 2010s, the Segment Routing (SR) architecture helps face these challenging demands, and it is currently being adopted and deployed. The SR architecture is based on the concept of source routing and has interesting scalability properties, as it dramatically reduces the amount of state information to be configured in the core nodes to support complex services. The SR architecture was first implemented with the MPLS dataplane and then, quite recently, with the IPv6 dataplane (SRv6). The IPv6 SR architecture (SRv6) has been extended from the simple steering of packets across nodes to a general network programming approach, making it very suitable for use cases such as Service Function Chaining and Network Function Virtualization. In this paper we present a tutorial and a comprehensive survey on SR technology, analyzing standardization efforts, patents, research activities and implementation results. We start with an introduction on the motivations for Segment Routing and an overview of its evolution and standardization. Then, we provide a tutorial on Segment Routing technology, with a focus on the novel SRv6 solution. We discuss the standardization efforts and the patents, providing details on the most important documents and mentioning other ongoing activities. We then thoroughly analyze research activities according to a taxonomy. We have identified 8 main categories during our analysis of the current state of play: Monitoring, Traffic Engineering, Failure Recovery, Centrally Controlled Architectures, Path Encoding, Network Programming, Performance Evaluation and Miscellaneous...
    Comment: SUBMITTED TO IEEE COMMUNICATIONS SURVEYS & TUTORIAL

    Resilient and Efficient Delivery over Message Oriented Middleware.

    PhD
    The publish/subscribe paradigm is used to support a many-to-many model that allows an efficient dissemination of messages across a distributed system. Message Oriented Middleware (MOM) is a middleware that provides an asynchronous method of passing information between networked applications. MOMs can be based on a publish/subscribe model, which offers a robust paradigm for message delivery. This research is concerned with this specific type of MOM. Recently, systems using MOMs have been used to integrate enterprise systems over geographically distributed areas, like the ones used in financial services, telecommunication applications, transportation and health-care systems. However, the reliability of a MOM system must be verified, and consideration given to reachability to all intended destinations, typically with guarantees of delivery. The research in this thesis provides an automated means of checking the (re)configuration of a publish/subscribe MOM system by building a model and using Linear-time Temporal Logic and Computation Tree Logic rules to verify certain constraints. The verification includes the checking of the reachability of different topics, the rules for regulating the working of the system, and checking the configuration and reconfiguration after a failure. The novelty of this work is the creation and the optimization of a symbolic model checker that abstracts the end-to-end network configuration and reconfiguration behaviour and uses it to verify reachability and loop detection. In addition, a GUI interface, a code generator and a sub-paths detector are implemented to make the system checking more user-friendly and efficient. The research then explores another aspect of reliability. The requirements of mission-critical service delivery over a MOM infrastructure are considered, and we propose a new way of supporting rapid recovery from failures using pre-calculated routing tables and coloured flows that can operate across multiple Autonomous System domains. The approach is critically appraised in relation to other published schemes.

    Design and implementation of a fault-tolerant multimedia network and a local map based (LMB) self-healing scheme for arbitrary topology networks.

    by Arion Ko Kin Wa.
    Thesis (M.Phil.)--Chinese University of Hong Kong, 1997.
    Includes bibliographical references (leaves 101-[106]).
    Chapter 1 --- Introduction --- p.1
    Chapter 1.1 --- Overview --- p.1
    Chapter 1.2 --- Service Survivability Planning --- p.2
    Chapter 1.3 --- Categories of Outages --- p.3
    Chapter 1.4 --- Goals of Restoration --- p.4
    Chapter 1.5 --- Technology Impacts on Network Survivability --- p.5
    Chapter 1.6 --- Performance Models and Measures in Quantifying Network Survivability --- p.6
    Chapter 1.7 --- Organization of Thesis --- p.6
    Chapter 2 --- Design and Implementation of A Survivable High-Speed Multimedia Network --- p.8
    Chapter 2.1 --- An Overview of CUM LAUDE NET --- p.8
    Chapter 2.2 --- The Network Architecture --- p.9
    Chapter 2.2.1 --- Architectural Overview --- p.9
    Chapter 2.2.2 --- Router-Node Design --- p.11
    Chapter 2.2.3 --- Buffer Allocation --- p.12
    Chapter 2.2.4 --- Buffer Transmission Priority --- p.14
    Chapter 2.2.5 --- Congestion Control --- p.15
    Chapter 2.3 --- Protocols --- p.16
    Chapter 2.3.1 --- Design Overview --- p.16
    Chapter 2.3.2 --- ACTA - The MAC Protocol --- p.17
    Chapter 2.3.3 --- Protocol Layering --- p.18
    Chapter 2.3.4 --- "Segment, Datagram and Packet Format" --- p.20
    Chapter 2.3.5 --- Fast Packet Routing --- p.22
    Chapter 2.3.6 --- Local Host NIU --- p.24
    Chapter 2.4 --- The Network Restoration Strategy --- p.25
    Chapter 2.4.1 --- The Dual-Ring Model and Assumptions --- p.26
    Chapter 2.4.2 --- Scenarios of Network Failure and Remedies --- p.26
    Chapter 2.4.3 --- Distributed Fault-Tolerant Algorithm --- p.26
    Chapter 2.4.4 --- Distributed Auto-Healing Algorithm --- p.28
    Chapter 2.4.5 --- The Network Management Signals --- p.31
    Chapter 2.5 --- Performance Evaluation --- p.32
    Chapter 2.5.1 --- Restoration Time --- p.32
    Chapter 2.5.2 --- Reliability Measures --- p.34
    Chapter 2.5.3 --- Network Availability During Restoration --- p.41
    Chapter 2.6 --- The Prototype --- p.42
    Chapter 2.7 --- Technical Problems Encountered --- p.45
    Chapter 2.8 --- Chapter Summary and Future Development --- p.46
    Chapter 3 --- A Simple Experimental Network Management Software - NETMAN --- p.48
    Chapter 3.1 --- Introduction to NETMAN --- p.48
    Chapter 3.2 --- Network Management Basics --- p.49
    Chapter 3.2.1 --- The Level of Management Protocols --- p.49
    Chapter 3.2.2 --- Architecture Model --- p.51
    Chapter 3.2.3 --- TCP/IP Network Management Protocol Architecture --- p.53
    Chapter 3.2.4 --- A Standard Network Management Protocol On Internet - SNMP --- p.54
    Chapter 3.2.5 --- A Standard For Managed Information --- p.55
    Chapter 3.3 --- The CUM LAUDE Network Management Protocol Suite (CNMPS) --- p.56
    Chapter 3.3.1 --- The Architecture --- p.53
    Chapter 3.3.2 --- Goals of the CNMPS --- p.59
    Chapter 3.4 --- Highlights of NETMAN --- p.61
    Chapter 3.5 --- Functional Descriptions of NETMAN --- p.63
    Chapter 3.5.1 --- Topology Menu --- p.64
    Chapter 3.5.2 --- Fault Manager Menu --- p.65
    Chapter 3.5.3 --- Performance Meter Menu --- p.65
    Chapter 3.5.4 --- Gateway Utility Menu --- p.67
    Chapter 3.5.5 --- Tools Menu --- p.67
    Chapter 3.5.6 --- Help Menu --- p.68
    Chapter 3.6 --- Chapter Summary --- p.68
    Chapter 4 --- A Local Map Based (LMB) Self-Healing Scheme for Arbitrary Topology Networks --- p.70
    Chapter 4.1 --- Introduction --- p.79
    Chapter 4.2 --- An Overview of Existing DCS-Based Restoration Algorithms --- p.72
    Chapter 4.3 --- The Network Model and Assumptions --- p.74
    Chapter 4.4 --- Basics of the LMB Scheme --- p.75
    Chapter 4.4.1 --- Restoration Concepts --- p.75
    Chapter 4.4.2 --- Terminology --- p.76
    Chapter 4.4.3 --- Algorithm Parameters --- p.77
    Chapter 4.5 --- Performance Assessments --- p.78
    Chapter 4.6 --- The LMB Network Restoration Scheme --- p.80
    Chapter 4.6.1 --- Initialization - Local Map Building --- p.80
    Chapter 4.6.2 --- The LMB Restoration Messages Set --- p.81
    Chapter 4.6.3 --- Phase I - Local Map Update Phase --- p.81
    Chapter 4.6.4 --- Phase II - Update Acknowledgment Phase --- p.82
    Chapter 4.6.5 --- Phase III - Restoration and Confirmation Phase --- p.83
    Chapter 4.6.6 --- Phase IV - Cancellation Phase --- p.83
    Chapter 4.6.7 --- Re-Initialization --- p.84
    Chapter 4.6.8 --- Path Route Monitoring --- p.84
    Chapter 4.7 --- Performance Evaluation --- p.84
    Chapter 4.7.1 --- The Testbeds --- p.84
    Chapter 4.7.2 --- Simulation Results --- p.86
    Chapter 4.7.3 --- Storage Requirements --- p.89
    Chapter 4.8 --- The LMB Scheme on ATM and SONET environment --- p.92
    Chapter 4.9 --- Future Work --- p.94
    Chapter 4.10 --- Chapter Summary --- p.94
    Chapter 5 --- Conclusion and Future Work --- p.96
    Chapter 5.1 --- Conclusion --- p.95
    Chapter 5.2 --- Future Work --- p.99
    Bibliography --- p.101
    Chapter A --- Derivation of Communicative Probability --- p.107
    Chapter B --- List of Publications --- p.11