GCNav: Generic Configuration Navigation System

Chapter in: Automated Security Management

Abstract

Configuration navigation and change-auditing is one of the most complex yet common tasks performed by network operators on a regular basis. Change-auditing router configuration files accurately is a challenging task due to the presence of structure and hierarchy in the config content. Generic diff tools do not have the notion of context or syntactic structure while comparing files and produce diff reports (using minimum edit distance) that often do not match operator expectations. Moreover, these tools perform redundant (and expensive) comparison operations across contextually unrelated sections of the config file, which makes them scale poorly even for config files of moderate size. On the other hand, vendor-specific and customized diff solutions are not generic enough to be applied uniformly across a heterogeneous network. Also, modeling the configuration semantics for different vendors is a non-trivial and expensive process.

In this paper, we introduce GCNav, a system that helps network operators perform general or customized change-auditing at varying levels of granularity on the network. Unlike existing solutions, GCNav makes use of the inherent syntactic structure common to all config files and thereby remains generic without compromising on the accuracy of results. Our experience with the deployment of GCNav on a large operational customer-facing IP network shows that it is able to provide a generic, accurate and scalable solution for change-auditing router config files. Our results show that GCNav’s diff results match operator expectations, while generic diff tools reported at least some misleading diff in 95% of the files analyzed. We also find that GCNav performs seven times faster than customized auditing tools, making it a feasible solution for online and interactive config auditing.
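
An added illustration of the abstract's point, not GCNav's algorithm or code from the paper: a minimal context-aware diff over constructed IOS-style configs, set beside a line-based diff of the same files. It assumes indentation marks hierarchy and that order within a stanza is not significant (untrue for ordered constructs such as ACL entries); all function names are hypothetical.

```python
import difflib

# Constructed sample configs (IOS-style indentation); not taken from the paper.
OLD = """\
interface GigabitEthernet0/1
 description uplink
 ip access-group EDGE-IN in
!
interface GigabitEthernet0/2
 description customer
 ip access-group EDGE-IN in
!
"""
# Same stanzas in a different order, with the ACL dropped from Gi0/2.
NEW = """\
interface GigabitEthernet0/2
 description customer
!
interface GigabitEthernet0/1
 description uplink
 ip access-group EDGE-IN in
!
"""

def context_paths(text):
    """Return the set of (parent, ..., line) paths implied by indentation."""
    paths, stack = set(), []          # stack: (indent, line) of open stanzas
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":   # blank lines and "!" separators carry no config
            continue
        indent = len(raw) - len(raw.lstrip())
        while stack and stack[-1][0] >= indent:
            stack.pop()               # close stanzas at the same or deeper level
        paths.add(tuple(l for _, l in stack) + (line,))
        stack.append((indent, line))
    return paths

def structured_diff(old, new):
    """Compare lines only within the same context; stanza order is ignored."""
    a, b = context_paths(old), context_paths(new)
    return sorted(a - b), sorted(b - a)   # (removed, added)

def flat_diff(old, new):
    """Changed lines as a line-based diff reports them, with no context."""
    out = difflib.unified_diff(old.splitlines(), new.splitlines(), lineterm="", n=0)
    return [l for l in out if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]

if __name__ == "__main__":
    print(len(flat_diff(OLD, NEW)), "lines flagged by the flat diff")
    print(structured_diff(OLD, NEW))
```

The structured result names the owning interface for the one line that actually changed, which is the detail an auditor needs when the dropped line is an access-group binding.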

Author information

Correspondence to Shankaranarayanan Puzhavakath Narayanan.

Copyright information

© 2013 Springer International Publishing Switzerland

About this chapter

Cite this chapter

Narayanan, S.P., Lee, S., Sen, S. (2013). GCNav: Generic Configuration Navigation System. In: Al-Shaer, E., Ou, X., Xie, G. (eds) Automated Security Management. Springer, Cham. https://doi.org/10.1007/978-3-319-01433-3_6

  • DOI: https://doi.org/10.1007/978-3-319-01433-3_6

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-01432-6

  • Online ISBN: 978-3-319-01433-3

  • eBook Packages: Computer Science, Computer Science (R0)
