The Cutting EDGE of Router Configuration


Page 1: The Cutting EDGE of Router Configuration

The Cutting EDGE of Router Configuration

D. Caldwell, A. Gilbert, J. Gottlieb, A. Greenberg, G. Hjalmtysson, and J. Rexford
AT&T Labs—Research; Florham Park, NJ

Manual configuration: Type first, and ask questions later

Page 2: The Cutting EDGE of Router Configuration

Outline

• Motivation for automation
• EDGE “bottom up” approach
• Example functionality of the EDGE tool
  – Inventory and network visualization
  – Configuration errors and warnings
  – Reverse engineering of local policies
• Software architecture
  – Data feeds and configuration parsing
  – Extracting tables and joining them
  – Presentation queries and GUI
• Conclusions

Page 3: The Cutting EDGE of Router Configuration

Manual Configuration

• Dangerous
  – Typo in routing policy: black hole
  – Wrong OSPF area: no traffic on link
  – Missing packet filter: DoS vulnerability
• Expensive
  – Delays in deploying equipment
  – Hiring and training skilled engineers
  – Lock-in to the router vendor
• Disruptive
  – Half of network outages (Yankee Group)
  – BGP routing anomalies (SIGCOMM’02)
  – Failures of Internet services (USITS’03)

Page 4: The Cutting EDGE of Router Configuration

Why is the Situation So Bad?

• Networking field: emphasis on speed & features
  – Not manageability and simplicity
  – Constant change, without revisiting the design
  – Oodles of complex protocols and tunable parameters
• Router vendors: lack of abstraction
  – Assembly language commands
  – Element-level configuration
  – Low-level mechanisms, not intent
• Network administrators: melting under complexity
  – Learning on the job
  – Struggling just to keep up
  – The path to automation is overwhelming

Page 5: The Cutting EDGE of Router Configuration

Our Goal: Automated Configuration

• How to transition an existing network?
• How to get value as you move from here to there?
• Our approach: detailed analysis of configuration data

Figure: automated configuration flow; labels in the diagram are Technical Questions (TQ), query, DB, RULES, template, configlet, and router.

Technical Questions (TQ):
  What is your AS number?
  What export policy do you want?
  Do you want a dynamic default?
  What are your address blocks?
  Do you need to receive communities?

Template:
  interface <name>
   description <cust name>
   ip address <addr> <mask>
   ip access-group <acl> in
  !
  router bgp 7018
   neighbor <ip> remote-as <asn>
   neighbor <ip> route-map CUST-FACE in
   neighbor <ip> route-map <outmap> out
   neighbor <ip> distribute-list <racl> in
   neighbor <ip> soft-reconfiguration inbound
   [neighbor <ip> send-community]
  !

Configlet:
  interface Serial10/1/0/12:0
   description CBB Customer
   ip address 12.7.35.1 255.255.255.252
   ip access-group 666 in
  !
  router bgp 7018
   neighbor 12.7.35.2 remote-as 18585
   neighbor 12.7.35.2 route-map CUST-FACE in
   neighbor 12.7.35.2 route-map FULL-ROUTES out
   neighbor 12.7.35.2 distribute-list 13 in
   neighbor 12.7.35.2 soft-reconfiguration inbound
  !

Page 6: The Cutting EDGE of Router Configuration

Lowering Barrier-to-Automation for Enterprises

• Large enterprise networks
  – Large stand-alone data networks
  – Retail, financial, health, business, etc.
  – Heterogeneity due to mergers and acquisitions
  – Stringent reliability and performance demands

Today vs. EDGE:
• Inventory database
  – Today: The network is the database
  – EDGE: Extracted from the configuration files
• Existing network
  – Today: Mistakes and inconsistencies
  – EDGE: Discord reports from analyzing config files
• Local config rules
  – Today: Poor (or no) documentation, policy violations
  – EDGE: Reverse-engineered by data mining on the configuration files

Page 7: The Cutting EDGE of Router Configuration

Enablement and Debugging of Growing Enterprises

BOTTOM-UP APPROACH
1. Inventory database
   – Extract summary information
   – Bootstrap the database
2. Fixing config mistakes
   – Report errors & warnings
   – Allows immediate fixes
3. Codifying local policies
   – Reverse-engineer policies
   – Aids in fixing inconsistencies
4. Automated configuration
   – Explicitly enforce the rules
   – Avoid future config mistakes

Figure: pipeline from Router configuration (polled) to a Low-level standard form (tables) to an Abstract network database; queries on the database produce Web reports, Discords, Automation, and fixes. Runs on many thousands of configs a day.

Page 8: The Cutting EDGE of Router Configuration

Network Inventory

• Equipment
  – Routers
    • Model, OS version, available slots, protocol usage, …
  – Interfaces
    • Media, speed, edge/core, protocol usage, …
• Address space
  – Network equipment and announced supernets
  – Network services (e.g., NTP and SNMP)
  – Packet/route filters and eBGP end-points
• Configuration commands
  – Histogram of configuration commands
  – Frequency of formats and options

Page 9: The Cutting EDGE of Router Configuration

Identifying the Topology

• Interfaces to links
  – Figure: interfaces 12.7.35.1/30 and 12.7.35.2/30 form the link 12.7.35.0/30
• BGP end-points to sessions
  – Figure: the router with address 12.123.37.250 has “neighbor 12.7.108.3”, and the router with address 12.7.108.3 has “neighbor 12.123.37.250”; the matching pair forms one session

Page 10: The Cutting EDGE of Router Configuration

Network Visualization

• Goal: automatic network design diagram
  – Input: router configuration files
  – Output: picture a network designer would draw
• Key ingredients from configuration
  – Layer-3 topology (e.g., routers and links)
  – Routing protocols and their attributes
  – Route injection, filtering, & aggregation policies
• Visualization software
  – Placement based on node degree, routing, …
  – GUI with browsing, zooming, attributes, …

Page 11: The Cutting EDGE of Router Configuration

Figure: network diagram with automatic classification
  – Red: high degree (dual hubs)
  – Blue: degree two (spokes)
  – Yellow: degree one (stubs)

Page 12: The Cutting EDGE of Router Configuration

Visualization clearly shows disconnected network, or missing configuration files

Page 13: The Cutting EDGE of Router Configuration

OSPF Topology

Figure: OSPF topology with Area 0, Area 1, and Area 2; links are labelled with their OSPF costs (values from 1 to 5).

Page 14: The Cutting EDGE of Router Configuration

OSPF Example

  hostname MyRouter
  !
  interface POS7/0
   ip address 12.7.35.1 255.255.255.252
   ip ospf cost 50
  !
  router ospf 2
   network 12.7.35.0 255.255.255.0 area 9
   passive-interface Serial2/1/0/3.1
  !

Remote end is in 12.7.35.2/30

Interface participates in OSPF

Page 15: The Cutting EDGE of Router Configuration

Routing Protocol Consistency

• Warnings
  – OSPF interface has no cost metric
  – Non-OSPF interface has OSPF attributes
  – OSPF network matches no interfaces
• Errors
  – Remote end is a non-OSPF interface
  – Remote end has a different OSPF area
• Inventory
  – OSPF links and edge interfaces
  – Routers and links by OSPF area
  – Interfaces by OSPF cost

Page 16: The Cutting EDGE of Router Configuration

Referential Integrity Checks

• Duplicate IP addresses
  – Multiple interfaces with the same address
• Items used but not defined, and vice versa
  – Packet filters, route filters, QoS policies, routing policies, AS path lists, etc.

Example (ACL 666 is referenced on the interface and defined below it):
  interface Serial10/1/0/12:0
   ip address 12.7.35.1 255.255.255.252
   ip access-group 666 in
  !
  access-list 666 permit 12.34.158.0 0.0.1.255
  access-list 666 permit 12.7.35.0 0.0.0.3

Page 17: The Cutting EDGE of Router Configuration

Using Data Mining to Infer Local Policies

• Pattern matching across routers
  – Equivalence: same config, same names
  – Synonym: same config, different names
  – Homonym: same name, different config
• Infer rules and report exceptions
  – “Finger daemon disabled”
  – “Edge interfaces have inbound packet filters”
  – “OSPF costs of 100 to hub1 and 200 to hub2”
  – “IPX interfaces have SAP encapsulation”
• Identifying “use cases”
  – Initial base configuration of each router
  – “Diffs” over time and across related routers
  – Common cases (e.g., adding link, new BGP session)

Page 18: The Cutting EDGE of Router Configuration

Data Mining Approaches

• Configuration files
  – Start with raw or lightly-parsed data
  – Look for patterns in the uninterpreted strings
  – Discover “templates” for flat parts of configuration
• Database tables
  – Start with a model of part of the data
  – Look for correlations between fields
  – Find features that tend to appear together
• Network graph
  – Start with a graph with edge/node attributes
  – Look for patterns in topology and attributes
  – Classify the graph and routing parameters

Page 19: The Cutting EDGE of Router Configuration

EDGE Software Design Principles

• Scalability
  – CVS repository for daily feed of configuration data
  – Automated data processing for hundreds of networks
  – Precomputed tables underlying interactive Web GUI
• Extensibility
  – Extensible configuration parser
  – Incremental additions to data models
  – Ease of adding new queries on existing data models
• Ease of development
  – Single low-level configuration parser
  – SQL database for running queries
  – XML specification of GUI functionality

Page 20: The Cutting EDGE of Router Configuration

EDGE Software Architecture

Figure: data pipeline Raw router configuration data → Parsed configuration data → Extractors → Utility queries → Presentation queries → Web-based GUI. Developer “smoke-stacks” built on the pipeline: OSPF, EIGRP, RIP; Referential integrity.

Page 21: The Cutting EDGE of Router Configuration

Router Configuration Data

• Getting the configuration data
  – From a backup server (ssh, wget, ftp, etc.)
  – Directly from the router (poller, crawler)
• Mapping files to networks
  – Regular expressions on file names
  – E.g., “feed-foo/hp*” maps to Hewlett Packard
• Storing the raw files
  – Committing the data by network into CVS
• Checking data integrity
  – Detecting duplicate configuration files
  – Identifying decommissioned routers

Page 22: The Cutting EDGE of Router Configuration

Parsing the Configuration Files

• Practical constraints
  – No public grammar exists for Cisco IOS
  – Too many commands to parse everything
• Solution: light, extensible parsing
  – Identify section boundaries
    • Router, interface, router ospf, router bgp, etc.
  – Parse key commands
    • Interface name, address, description, bandwidth
  – Retain unparsed commands
    • Leave unparsed commands as strings
  – Store results in Perl hash table
    • Support indexing and sequencing of data
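Added example, not code from the slides or from EDGE itself: a light, extensible parser in the style this page describes, with a Python dict standing in for the Perl hash table. Section boundaries are detected at top-level "interface"/"router" lines and "!", a few key commands are parsed into fields, and everything else is kept as raw strings in order; the configuration text is constructed.

```python
import re
from typing import Dict

# Constructed Cisco IOS-style configuration text (not a real device).
SAMPLE_CONFIG = """\
hostname MyRouter
!
interface POS7/0
 description CBB Customer
 ip address 12.7.35.1 255.255.255.252
 ip ospf cost 50
 ip access-group 666 in
!
router ospf 2
 network 12.7.35.0 255.255.255.0 area 9
 passive-interface Serial2/1/0/3.1
!
access-list 666 permit 12.7.35.0 0.0.0.3
"""

# A top-level line starting with one of these words opens a section;
# the indented lines that follow belong to it, and "!" closes it.
SECTION_RE = re.compile(r"^(interface|router)\s+(.+)$")
# Key commands parsed into named fields; every other command stays a string.
KEY_RE = {
    "description": re.compile(r"^description (.*)$"),
    "address": re.compile(r"^ip address (\S+) (\S+)$"),
    "bandwidth": re.compile(r"^bandwidth (\d+)$"),
}

def parse_config(text: str) -> Dict:
    """Return {'global': [cmds], 'sections': {header: {field..., 'raw': [cmds]}}}."""
    cfg = {"global": [], "sections": {}}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            current = None                      # "!" ends the open section
            continue
        m = SECTION_RE.match(line)
        if m and not line.startswith(" "):
            current = f"{m.group(1)} {m.group(2)}"
            cfg["sections"][current] = {"raw": []}
            continue
        cmd = line.strip()
        if current is None:                     # top-level command outside any section
            cfg["global"].append(cmd)
            continue
        sec = cfg["sections"][current]
        for field, rx in KEY_RE.items():        # parse key commands, keep the rest raw
            km = rx.match(cmd)
            if km:
                sec[field] = km.groups() if len(km.groups()) > 1 else km.group(1)
                break
        else:
            sec["raw"].append(cmd)
    return cfg
```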

Page 23: The Cutting EDGE of Router Configuration

Extractors

• Practical constraints
  – Huge breadth and depth of the data
  – Unstructured raw configuration data
  – Absence of predefined data models
• Solution: incremental data modeling
  – Extract low-level tables from the data
    • Simple scripts using the Perl hash table or “grep”
  – Small number of flat tables for data mining
    • Router, interface, BGP end-points, ACLs, names, etc.
  – Insert tables into an SQL database
    • Allow other queries to build on this data

Page 24: The Cutting EDGE of Router Configuration

Example Extractor: Referential Integrity

• Extract relevant commands
  – Definitions and references, by type and name

Router  R/D  Command         Type         Name
nyc72   def  access-list     ACL          666
nyc72   ref  access-group    ACL          666
sfo35   ref  neighbor        route-map    BLOCK
chi19   def  ip prefix-list  prefix-list  PEER
sea42   def  class-map       class-map    Silver
sea42   ref  class           class-map    Silver
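Added example, not the EDGE extractor: a grep-style Python extractor that emits (router, def/ref, command, type, name) rows shaped like the table above, then joins definitions against references per router to report items used but not defined and defined but not used. The router names, configuration text, and the set of patterns are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed configs for two routers (not real devices): nyc72 defines ACL 666
# and references it; sfo35 references route-map BLOCK without defining it and
# defines prefix-list PEER that nothing uses.
CONFIGS = {
    "nyc72": """\
interface Serial10/1/0/12:0
 ip address 12.7.35.1 255.255.255.252
 ip access-group 666 in
!
access-list 666 permit 12.7.35.0 0.0.0.3
""",
    "sfo35": """\
router bgp 7018
 neighbor 12.7.35.2 remote-as 18585
 neighbor 12.7.35.2 route-map BLOCK in
!
ip prefix-list PEER seq 5 permit 12.7.35.0/30
""",
}

# (regex over one line, def|ref, command, type); group 1 captures the name.
PATTERNS = [
    (re.compile(r"^access-list (\S+) "), "def", "access-list", "ACL"),
    (re.compile(r"^ip access-group (\S+) (?:in|out)"), "ref", "access-group", "ACL"),
    (re.compile(r"^route-map (\S+)"), "def", "route-map", "route-map"),
    (re.compile(r"^neighbor \S+ route-map (\S+) (?:in|out)"), "ref", "neighbor", "route-map"),
    (re.compile(r"^ip prefix-list (\S+)"), "def", "ip prefix-list", "prefix-list"),
    (re.compile(r"^neighbor \S+ prefix-list (\S+) (?:in|out)"), "ref", "neighbor", "prefix-list"),
]

Row = Tuple[str, str, str, str, str]   # router, def/ref, command, type, name

def extract(configs: Dict[str, str]) -> List[Row]:
    """Flat table of definitions and references, one row per distinct match."""
    rows = set()
    for router, text in configs.items():
        for line in text.splitlines():
            cmd = line.strip()
            for rx, kind, command, typ in PATTERNS:
                m = rx.match(cmd)
                if m:
                    rows.add((router, kind, command, typ, m.group(1)))
    return sorted(rows)

def integrity_report(rows: List[Row]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Join defs against refs on (router, type, name) and report both dangling sides."""
    defs = {(r, t, n) for r, k, _, t, n in rows if k == "def"}
    refs = {(r, t, n) for r, k, _, t, n in rows if k == "ref"}
    return {"used_not_defined": sorted(refs - defs),
            "defined_not_used": sorted(defs - refs)}
```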

Page 25: The Cutting EDGE of Router Configuration

Utility Queries

• Practical constraints
  – Some joined data needed by multiple queries
  – Table joins are too slow to do on-demand
• Solution: precomputed utility tables
  – SQL queries built on extracted tables
    • Run in advance, with results stored in database
  – Building blocks for the “smoke-stacks”
    • Key constructs like link, OSPF interface, etc.
  – Example: constructing the “links” table
    • Self-join on the “interface” table
    • Interface1 address in same network as interface2

Page 26: The Cutting EDGE of Router Configuration

Presentation Queries

• Practical constraints
  – Many different reports on the same data
  – Customizing column names and order of rows
• Solution: XML specification of output
  – SQL query on the database
    • Lightweight sub-selecting, summing, max, etc.
    • “ORDER BY” to control the order of rows
  – Presentation niceties
    • Query title, description, and export to Excel
    • Renaming of columns to user-friendly terms
    • Click on table entry to run additional query

Page 27: The Cutting EDGE of Router Configuration

Example: Remote End in Different OSPF Area

Figure: how the query is built up in layers
  – Extracted tables: interface, OSPF network, OSPF passive interface
  – Utility tables (simple SQL queries on the extracted tables): link, OSPF interface, active OSPF interface, OSPF link
  – Presentation query result: OSPF link with area mismatch
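Added example covering both the “links” utility table from page 25 (self-join on the interface table, same network at both ends) and the area-mismatch presentation query on this page. It uses Python's sqlite3 with constructed interface and OSPF-interface rows; the schema and router names are assumptions for the example, not the EDGE database.

```python
import sqlite3
import ipaddress
from typing import List, Tuple

# Constructed "interface" rows (router, interface, address, mask); not real devices.
# r1-r2 share 12.7.35.0/30, r3-r4 share 12.7.36.0/30, r5 has no peer.
INTERFACES = [
    ("r1", "POS7/0",    "12.7.35.1", "255.255.255.252"),
    ("r2", "POS3/1",    "12.7.35.2", "255.255.255.252"),
    ("r3", "Serial2/0", "12.7.36.1", "255.255.255.252"),
    ("r4", "Serial2/1", "12.7.36.2", "255.255.255.252"),
    ("r5", "Serial1/0", "12.7.37.1", "255.255.255.252"),
]
# Constructed "OSPF interface" rows (router, interface, area); r4's end of the
# r3-r4 link is configured in the wrong area.
OSPF_IF = [("r1", "POS7/0", 0), ("r2", "POS3/1", 0),
           ("r3", "Serial2/0", 1), ("r4", "Serial2/1", 2), ("r5", "Serial1/0", 1)]

def build_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE interface(router, ifname, addr, network)")
    db.execute("CREATE TABLE ospf_interface(router, ifname, area)")
    for router, ifname, addr, mask in INTERFACES:
        # extractor step: normalise address + mask to the network it belongs to
        net = str(ipaddress.IPv4Interface(f"{addr}/{mask}").network)
        db.execute("INSERT INTO interface VALUES (?,?,?,?)", (router, ifname, addr, net))
    db.executemany("INSERT INTO ospf_interface VALUES (?,?,?)", OSPF_IF)
    # Utility table "link": self-join on interface where interface1's address is
    # in the same network as interface2's; rowid ordering keeps each pair once.
    db.execute("""CREATE TABLE link AS
        SELECT a.router AS r1, a.ifname AS if1, b.router AS r2, b.ifname AS if2,
               a.network AS network
        FROM interface a JOIN interface b
          ON a.network = b.network AND a.rowid < b.rowid""")
    return db

def area_mismatches(db: sqlite3.Connection) -> List[Tuple]:
    """Presentation query: OSPF links whose two ends sit in different areas."""
    return db.execute("""
        SELECT l.r1, l.if1, o1.area, l.r2, l.if2, o2.area
        FROM link l
        JOIN ospf_interface o1 ON o1.router = l.r1 AND o1.ifname = l.if1
        JOIN ospf_interface o2 ON o2.router = l.r2 AND o2.ifname = l.if2
        WHERE o1.area <> o2.area
        ORDER BY l.r1""").fetchall()
```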

Page 28: The Cutting EDGE of Router Configuration

Software Status

• Runs daily for hundreds of networks
  – AT&T’s core backbone networks
  – Managed enterprise networks
  – New eVPN customers
  – Stand-alone enterprise customers
• Reports in the Web portal sites
  – Inventory and visualization
  – Routing protocols and policies
  – Referential integrity checks
  – ACL optimization and synonyms

Page 29: The Cutting EDGE of Router Configuration

Conclusion

• Moving beyond manual configuration
  – Manual configuration is bad
    • Error-prone, expensive, and disruptive
  – Migrating to automation is hard
    • No inventory DB, buggy network, and poor docs
  – EDGE supports migration to automation
    • Bootstrap DB, report discords, and infer policies
• More innovation is needed
  – Data mining on existing data networks
  – Protocol models and best common practices
  – Better router configuration languages
  – Self-configuring protocols and mechanisms