Fault Localization in Large-Scale Network Policy Deployment

TL;DR

This paper introduces SCOUT, an automated system for fault localization in network policies within SDN environments, effectively identifying faulty policy objects and underlying physical failures with high accuracy.

Contribution

The paper formulates a novel risk-based fault localization problem and develops SCOUT, a fully-automated system that improves detection accuracy in large-scale network policy management.

Findings

SCOUT detects faulty policy objects with low false positive rates.

The system accurately pinpoints physical failures causing policy faults.

Evaluation on real testbeds shows high effectiveness and efficiency.

Abstract

The recent advances in network management automation and Software-Defined Networking (SDN) are easing network policy management tasks. At the same time, these new technologies create a new mode of failure in the management cycle itself. Network policies are presented in an abstract model at a centralized controller and deployed as low-level rules across network devices. Thus, any software and hardware element in that cycle can be a potential cause of underlying network problems. In this paper, we present and solve a network policy fault localization problem that arises in operating policy management frameworks for a production network. We formulate our problem via risk modeling and propose a greedy algorithm that quickly localizes faulty policy objects in the network policy. We then design and develop SCOUT---a fully-automated system that produces faulty policy objects and further pinpoints physical-level failures which made the objects faulty. Evaluation results using a real testbed and extensive simulations demonstrate that SCOUT detects faulty objects with small false positives and false negatives.